update action permissions and method in message layer

Author: JacobBarthelmeh

examples/demo/client/wh_demo_client_all.c

@@ -11,6 +11,23 @@
 int wh_DemoClient_All(whClientContext* clientContext)
 {
     int rc = 0;
+    whUserId userId = WH_USER_ID_INVALID;
+    whAuthPermissions permissions;
+
+    /* Auth demos */
+    rc = wh_DemoClient_Auth(clientContext);
+    if (rc != 0) {
+        return rc;
+    }
+
+    /* Log in as an admin user for the rest of the tests */
+    if (wh_Client_AuthLogin(clientContext, WH_AUTH_METHOD_PIN, "admin", "1234",
+        4, &rc, &userId, &permissions) != 0) {
+        return -1;
+    }
+    if (rc != 0) {
+        return rc;
+    }
 
     /* wolfCrypt test and benchmark */
 #ifdef WH_DEMO_WCTEST
@@ -31,12 +48,6 @@ int wh_DemoClient_All(whClientContext* clientContext)
         return rc;
     }
 
-    /* Auth demos */
-    rc = wh_DemoClient_Auth(clientContext);
-    if (rc != 0) {
-        return rc;
-    }
-
     /* Keystore demos */
     rc = wh_DemoClient_KeystoreBasic(clientContext);
     if (rc != 0) {

port/posix/posix_auth.c

@@ -206,17 +206,14 @@ int posixAuth_CheckRequestAuthorization(void* context, uint16_t user_id,
     int rc;
 
     if (user_id == WH_USER_ID_INVALID) {
-        /* allow user login request attempt */
-        if (group == WH_MESSAGE_GROUP_AUTH) {
-            if (action == WH_MESSAGE_AUTH_ACTION_LOGIN) {
-                rc = WH_ERROR_OK;
-            }
-            else {
-                rc = WH_ERROR_ACCESS;
-            }
+        /* allow user login request attempt and comm */
+        if (group == WH_MESSAGE_GROUP_COMM ||
+            (group == WH_MESSAGE_GROUP_AUTH &&
+                action == WH_MESSAGE_AUTH_ACTION_LOGIN)) {
+            rc = WH_ERROR_OK;
         }
         else {
-            rc = WH_ERROR_OK; /*rc = WH_ERROR_ACCESS;*/
+            rc = WH_ERROR_ACCESS;
         }
     }
     else {
@@ -235,8 +232,10 @@ int posixAuth_CheckRequestAuthorization(void* context, uint16_t user_id,
         }
         else {
             if (user->user.permissions.groupPermissions & group) {
+                /* action enum value (0,1,...) to bitmask (0x01,0x02,...) */
+                uint32_t actionBitmask = WH_AUTH_ACTION_TO_BITMASK(action);
                 if (user->user.permissions.actionPermissions[groupIndex] &
-                    action) {
+                    actionBitmask) {
                     rc = WH_ERROR_OK;
                 }
                 else {
@@ -342,7 +341,8 @@ int posixAuth_UserAdd(void* context, const char* username,
             new_user->user.permissions.keyIds[j] = 0;
         }
     }
-    strcpy(new_user->user.username, username);
+    strncpy(new_user->user.username, username,
+        sizeof(new_user->user.username) - 1);
     new_user->user.is_active       = false;
     new_user->user.failed_attempts = 0;
     new_user->user.lockout_until   = 0;

src/wh_client_auth.c

@@ -599,7 +599,6 @@ int wh_Client_AuthUserSetCredentialsRequest(
     /* Build message header */
     msg->user_id                 = user_id;
     msg->method                  = method;
-    msg->WH_PAD[0]               = 0;
     msg->current_credentials_len = current_credentials_len;
     msg->new_credentials_len     = new_credentials_len;
 

src/wh_message_auth.c

@@ -128,15 +128,14 @@ int wh_MessageAuth_FlattenPermissions(whAuthPermissions* permissions,
     buffer[idx++] = (uint8_t)(permissions->groupPermissions & 0xFF);
     buffer[idx++] = (uint8_t)((permissions->groupPermissions >> 8) & 0xFF);
 
-    /* Serialize actionPermissions array (2*WH_NUMBER_OF_GROUPS bytes) */
-    for (i = 0; i < WH_NUMBER_OF_GROUPS && (idx + (i * 2) + 1) < buffer_len;
-         i++) {
-        buffer[idx + (i * 2)] =
-            (uint8_t)(permissions->actionPermissions[i] & 0xFF);
-        buffer[idx + (i * 2) + 1] =
-            (uint8_t)((permissions->actionPermissions[i] >> 8) & 0xFF);
+    /* Serialize actionPermissions array (4*WH_NUMBER_OF_GROUPS bytes) */
+    for (i = 0; i < WH_NUMBER_OF_GROUPS && (idx + 3) < buffer_len; i++) {
+        uint32_t actionPerm = permissions->actionPermissions[i];
+        buffer[idx++] = (uint8_t)(actionPerm & 0xFF);
+        buffer[idx++] = (uint8_t)((actionPerm >> 8) & 0xFF);
+        buffer[idx++] = (uint8_t)((actionPerm >> 16) & 0xFF);
+        buffer[idx++] = (uint8_t)((actionPerm >> 24) & 0xFF);
     }
-    idx += (2 * WH_NUMBER_OF_GROUPS);
 
     /* Serialize keyIdCount (2 bytes) */
     keyIdCount    = (permissions->keyIdCount > WH_AUTH_MAX_KEY_IDS)
@@ -146,15 +145,17 @@ int wh_MessageAuth_FlattenPermissions(whAuthPermissions* permissions,
     buffer[idx++] = (uint8_t)((keyIdCount >> 8) & 0xFF);
 
     /* Serialize keyIds array (4*WH_AUTH_MAX_KEY_IDS bytes) */
-    for (i = 0; i < WH_AUTH_MAX_KEY_IDS && (idx + (i * 4) + 3) < buffer_len;
-         i++) {
+    for (i = 0; i < WH_AUTH_MAX_KEY_IDS && (idx + 3) < buffer_len; i++) {
         if (i < keyIdCount) {
             keyId = permissions->keyIds[i];
         }
         else {
             keyId = 0; /* Pad with zeros */
         }
-        memcpy(&buffer[idx + (i * 4)], &keyId, sizeof(keyId));
+        buffer[idx++] = (uint8_t)(keyId & 0xFF);
+        buffer[idx++] = (uint8_t)((keyId >> 8) & 0xFF);
+        buffer[idx++] = (uint8_t)((keyId >> 16) & 0xFF);
+        buffer[idx++] = (uint8_t)((keyId >> 24) & 0xFF);
     }
 
     return 0;
@@ -177,13 +178,15 @@ int wh_MessageAuth_UnflattenPermissions(uint8_t* buffer, uint16_t buffer_len,
     permissions->groupPermissions = buffer[idx] | (buffer[idx + 1] << 8);
     idx += 2;
 
-    /* Deserialize actionPermissions array (2*WH_NUMBER_OF_GROUPS bytes) */
-    for (i = 0; i < WH_NUMBER_OF_GROUPS && (idx + (i * 2) + 1) < buffer_len;
-         i++) {
+    /* Deserialize actionPermissions array (4*WH_NUMBER_OF_GROUPS bytes) */
+    for (i = 0; i < WH_NUMBER_OF_GROUPS && (idx + 3) < buffer_len; i++) {
         permissions->actionPermissions[i] =
-            buffer[idx + (i * 2)] | (buffer[idx + (i * 2) + 1] << 8);
+            buffer[idx] |
+            (buffer[idx + 1] << 8) |
+            (buffer[idx + 2] << 16) |
+            (buffer[idx + 3] << 24);
+        idx += 4;
     }
-    idx += (2 * WH_NUMBER_OF_GROUPS);
 
     /* Deserialize keyIdCount (2 bytes) */
     keyIdCount = buffer[idx] | (buffer[idx + 1] << 8);
@@ -194,10 +197,13 @@ int wh_MessageAuth_UnflattenPermissions(uint8_t* buffer, uint16_t buffer_len,
     permissions->keyIdCount = keyIdCount;
 
     /* Deserialize keyIds array (4*WH_AUTH_MAX_KEY_IDS bytes) */
-    for (i = 0; i < WH_AUTH_MAX_KEY_IDS && (idx + (i * 4) + 3) < buffer_len;
-         i++) {
-        memcpy(&keyId, &buffer[idx + (i * 4)], sizeof(keyId));
+    for (i = 0; i < WH_AUTH_MAX_KEY_IDS && (idx + 3) < buffer_len; i++) {
+        keyId = buffer[idx] |
+                (buffer[idx + 1] << 8) |
+                (buffer[idx + 2] << 16) |
+                (buffer[idx + 3] << 24);
         permissions->keyIds[i] = keyId;
+        idx += 4;
     }
 
     return 0;

test/wh_test_auth.c

@@ -850,8 +850,9 @@ int whTest_AuthSetPermissions(whClientContext* client)
     WH_TEST_PRINT("  Test: Set user permissions success\n");
     memset(&new_perms, 0, sizeof(new_perms));
     new_perms.groupPermissions = WH_MESSAGE_GROUP_AUTH;
+    /* Convert action enum value to bitmask: action 0x04 -> bit 4 -> 0x10 */
     new_perms.actionPermissions[(WH_MESSAGE_GROUP_AUTH >> 8) & 0xFF] =
-        WH_MESSAGE_AUTH_ACTION_USER_ADD;
+        WH_AUTH_ACTION_TO_BITMASK(WH_MESSAGE_AUTH_ACTION_USER_ADD);
     server_rc = 0;
     WH_TEST_RETURN_ON_FAIL(
         _whTest_Auth_UserSetPermsOp(client, user_id, new_perms, &server_rc));
@@ -1082,8 +1083,9 @@ int whTest_AuthRequestAuthorization(whClientContext* client)
 
     memset(&perms, 0, sizeof(perms));
     perms.groupPermissions = WH_MESSAGE_GROUP_AUTH;
+    /* Convert action enum value to bitmask: action 0x04 -> bit 4 -> 0x10 */
     perms.actionPermissions[(WH_MESSAGE_GROUP_AUTH >> 8) & 0xFF] =
-        WH_MESSAGE_AUTH_ACTION_USER_ADD;
+        WH_AUTH_ACTION_TO_BITMASK(WH_MESSAGE_AUTH_ACTION_USER_ADD);
     WH_TEST_RETURN_ON_FAIL(
         _whTest_Auth_UserAddOp(client, "alloweduser", perms, WH_AUTH_METHOD_PIN,
                                "pass", 4, &server_rc, &allowed_user_id));

wolfhsm/wh_auth.h

@@ -57,9 +57,14 @@ typedef enum {
 #define WH_NUMBER_OF_GROUPS 14
 #define WH_AUTH_MAX_KEY_IDS \
     2 /* Maximum number of key IDs a user can have access to */
+
+/* Convert action enum value (0,1,2,3...) to bitmask (0x01,0x02,0x04,0x08...) */
+#define WH_AUTH_ACTION_TO_BITMASK(_action) \
+    (((_action) < 32) ? (1UL << (_action)) : 0)
+
 typedef struct {
     uint16_t groupPermissions; /* bit mask of if allowed for use in group */
-    uint16_t
+    uint32_t
         actionPermissions[WH_NUMBER_OF_GROUPS]; /* array of action permissions
                                                    for each group */
     uint16_t keyIdCount; /* Number of key IDs in the keyIds array (0 to

wolfhsm/wh_message_auth.h

@@ -133,11 +133,11 @@ int wh_MessageAuth_TranslateLogoutRequest(
 /** Logout Response (SimpleResponse) */
 
 /* whAuthPermissions struct
- * uint16_t (groupPermissions) + uint16_t[WH_NUMBER_OF_GROUPS]
+ * uint16_t (groupPermissions) + uint32_t[WH_NUMBER_OF_GROUPS]
  * (actionPermissions) + uint16_t (keyIdCount) + uint32_t[WH_AUTH_MAX_KEY_IDS]
  * (keyIds) */
 #define WH_FLAT_PERMISSIONS_LEN \
-    (2 + (2 * WH_NUMBER_OF_GROUPS) + 2 + (4 * WH_AUTH_MAX_KEY_IDS))
+    (2 + (4 * WH_NUMBER_OF_GROUPS) + 2 + (4 * WH_AUTH_MAX_KEY_IDS))
 
 /**
  * @brief Flatten permissions structure into a byte buffer.
@@ -287,8 +287,7 @@ int wh_MessageAuth_TranslateUserSetPermissionsRequest(
 /* Header structure - credentials follow as variable-length data */
 typedef struct {
     uint16_t user_id;
-    uint8_t  method;
-    uint8_t  WH_PAD[1]; /* Padding for alignment */
+    uint16_t method;
     uint16_t current_credentials_len;
     uint16_t new_credentials_len;
     /* Variable-length data follows:
@@ -315,44 +314,4 @@ int wh_MessageAuth_TranslateUserSetCredentialsRequest(
 
 /** User Set Credentials Response */
 /* Use SimpleResponse */
-
-/** Check Authorization Request */
-typedef struct {
-    uint32_t session_id;
-    uint8_t  action; /* whAuthAction */
-    uint8_t  WH_PAD[3];
-    uint32_t object_id;
-} whMessageAuth_CheckAuthorizationRequest;
-
-/**
- * @brief Translate a check authorization request message between different magic numbers.
- *
- * @param[in] magic The magic number for translation.
- * @param[in] src Pointer to the source check authorization request message.
- * @param[out] dest Pointer to the destination check authorization request message.
- * @return int Returns 0 on success, or a negative error code on failure.
- */
-int wh_MessageAuth_TranslateCheckAuthorizationRequest(
-    uint16_t magic, const whMessageAuth_CheckAuthorizationRequest* src,
-    whMessageAuth_CheckAuthorizationRequest* dest);
-
-/** Check Authorization Response */
-typedef struct {
-    int32_t rc;
-    uint8_t authorized;
-    uint8_t WH_PAD[3];
-} whMessageAuth_CheckAuthorizationResponse;
-
-/**
- * @brief Translate a check authorization response message between different magic numbers.
- *
- * @param[in] magic The magic number for translation.
- * @param[in] src Pointer to the source check authorization response message.
- * @param[out] dest Pointer to the destination check authorization response message.
- * @return int Returns 0 on success, or a negative error code on failure.
- */
-int wh_MessageAuth_TranslateCheckAuthorizationResponse(
-    uint16_t magic, const whMessageAuth_CheckAuthorizationResponse* src,
-    whMessageAuth_CheckAuthorizationResponse* dest);
-
 #endif /* !WOLFHSM_WH_MESSAGE_AUTH_H_ */