fix for bitmask of permissions and remove permissions return from login

Author: JacobBarthelmeh

port/posix/posix_auth.c

@@ -232,11 +232,22 @@ int posixAuth_CheckRequestAuthorization(void* context, uint16_t user_id,
         }
         else {
             if (user->user.permissions.groupPermissions & group) {
-                /* action enum value (0,1,...) to bitmask (0x01,0x02,...) */
-                uint32_t actionBitmask = WH_AUTH_ACTION_TO_BITMASK(action);
-                if (user->user.permissions.actionPermissions[groupIndex] &
-                    actionBitmask) {
-                    rc = WH_ERROR_OK;
+                /* Check if action is within supported range */
+                if (action < WH_AUTH_ACTIONS_PER_GROUP) {
+                    /* Get word index and bitmask for this action */
+                    uint32_t wordAndBit = WH_AUTH_ACTION_TO_WORD_AND_BIT(action);
+                    uint32_t wordIndex   = WH_AUTH_ACTION_WORD(wordAndBit);
+                    uint32_t bitmask     = WH_AUTH_ACTION_BIT(wordAndBit);
+
+                    if (wordIndex < WH_AUTH_ACTION_WORDS &&
+                        (user->user.permissions.actionPermissions[groupIndex]
+                                                              [wordIndex] &
+                         bitmask)) {
+                        rc = WH_ERROR_OK;
+                    }
+                    else {
+                        rc = WH_ERROR_ACCESS;
+                    }
                 }
                 else {
                     rc = WH_ERROR_ACCESS;
@@ -495,4 +506,4 @@ int posixAuth_UserSetCredentials(void* context, uint16_t user_id,
 
     (void)auth_context;
     return rc;
-}
+}

src/wh_client_auth.c

@@ -93,8 +93,7 @@ int wh_Client_AuthLoginRequest(whClientContext* c, whAuthMethod method,
 }
 
 int wh_Client_AuthLoginResponse(whClientContext* c, int32_t* out_rc,
-                                whUserId*          out_user_id,
-                                whAuthPermissions* out_permissions)
+                                whUserId*          out_user_id)
 {
     uint8_t                      buffer[WOLFHSM_CFG_COMM_DATA_LEN] = {0};
     whMessageAuth_LoginResponse* msg = (whMessageAuth_LoginResponse*)buffer;
@@ -126,8 +125,6 @@ int wh_Client_AuthLoginResponse(whClientContext* c, int32_t* out_rc,
             if (out_user_id != NULL) {
                 *out_user_id = msg->user_id;
             }
-            /* @TODO: Set permissions */
-            (void)out_permissions;
         }
     }
     return rc;
@@ -136,8 +133,7 @@ int wh_Client_AuthLoginResponse(whClientContext* c, int32_t* out_rc,
 int wh_Client_AuthLogin(whClientContext* c, whAuthMethod method,
                         const char* username, const void* auth_data,
                         uint16_t auth_data_len, int32_t* out_rc,
-                        whUserId*          out_user_id,
-                        whAuthPermissions* out_permissions)
+                        whUserId*          out_user_id)
 {
     int rc;
 
@@ -151,8 +147,7 @@ int wh_Client_AuthLogin(whClientContext* c, whAuthMethod method,
     }
 
     do {
-        rc = wh_Client_AuthLoginResponse(c, out_rc, out_user_id,
-                                         out_permissions);
+        rc = wh_Client_AuthLoginResponse(c, out_rc, out_user_id);
     } while (rc == WH_ERROR_NOTREADY);
 
     return rc;

src/wh_message_auth.c

@@ -95,7 +95,7 @@ int wh_MessageAuth_TranslateLoginResponse(
 
     WH_T32(magic, dest, src, rc);
     WH_T16(magic, dest, src, user_id);
-    WH_T32(magic, dest, src, permissions);
+
     return 0;
 }
 
@@ -128,13 +128,16 @@ int wh_MessageAuth_FlattenPermissions(whAuthPermissions* permissions,
     buffer[idx++] = (uint8_t)(permissions->groupPermissions & 0xFF);
     buffer[idx++] = (uint8_t)((permissions->groupPermissions >> 8) & 0xFF);
 
-    /* Serialize actionPermissions array (4*WH_NUMBER_OF_GROUPS bytes) */
-    for (i = 0; i < WH_NUMBER_OF_GROUPS && (idx + 3) < buffer_len; i++) {
-        uint32_t actionPerm = permissions->actionPermissions[i];
-        buffer[idx++] = (uint8_t)(actionPerm & 0xFF);
-        buffer[idx++] = (uint8_t)((actionPerm >> 8) & 0xFF);
-        buffer[idx++] = (uint8_t)((actionPerm >> 16) & 0xFF);
-        buffer[idx++] = (uint8_t)((actionPerm >> 24) & 0xFF);
+    /* Serialize actionPermissions array (4*WH_NUMBER_OF_GROUPS*WH_AUTH_ACTION_WORDS bytes) */
+    for (i = 0; i < WH_NUMBER_OF_GROUPS; i++) {
+        int j;
+        for (j = 0; j < WH_AUTH_ACTION_WORDS; j++) {
+            uint32_t actionPerm = permissions->actionPermissions[i][j];
+            buffer[idx++] = (uint8_t)(actionPerm & 0xFF);
+            buffer[idx++] = (uint8_t)((actionPerm >> 8) & 0xFF);
+            buffer[idx++] = (uint8_t)((actionPerm >> 16) & 0xFF);
+            buffer[idx++] = (uint8_t)((actionPerm >> 24) & 0xFF);
+        }
     }
 
     /* Serialize keyIdCount (2 bytes) */
@@ -145,7 +148,7 @@ int wh_MessageAuth_FlattenPermissions(whAuthPermissions* permissions,
     buffer[idx++] = (uint8_t)((keyIdCount >> 8) & 0xFF);
 
     /* Serialize keyIds array (4*WH_AUTH_MAX_KEY_IDS bytes) */
-    for (i = 0; i < WH_AUTH_MAX_KEY_IDS && (idx + 3) < buffer_len; i++) {
+    for (i = 0; i < WH_AUTH_MAX_KEY_IDS; i++) {
         if (i < keyIdCount) {
             keyId = permissions->keyIds[i];
         }
@@ -178,14 +181,17 @@ int wh_MessageAuth_UnflattenPermissions(uint8_t* buffer, uint16_t buffer_len,
     permissions->groupPermissions = buffer[idx] | (buffer[idx + 1] << 8);
     idx += 2;
 
-    /* Deserialize actionPermissions array (4*WH_NUMBER_OF_GROUPS bytes) */
-    for (i = 0; i < WH_NUMBER_OF_GROUPS && (idx + 3) < buffer_len; i++) {
-        permissions->actionPermissions[i] =
-            buffer[idx] |
-            (buffer[idx + 1] << 8) |
-            (buffer[idx + 2] << 16) |
-            (buffer[idx + 3] << 24);
-        idx += 4;
+    /* Deserialize actionPermissions array (4*WH_NUMBER_OF_GROUPS*WH_AUTH_ACTION_WORDS bytes) */
+    for (i = 0; i < WH_NUMBER_OF_GROUPS; i++) {
+        int j;
+        for (j = 0; j < WH_AUTH_ACTION_WORDS; j++) {
+            permissions->actionPermissions[i][j] =
+                buffer[idx] |
+                (buffer[idx + 1] << 8) |
+                (buffer[idx + 2] << 16) |
+                (buffer[idx + 3] << 24);
+            idx += 4;
+        }
     }
 
     /* Deserialize keyIdCount (2 bytes) */
@@ -197,7 +203,7 @@ int wh_MessageAuth_UnflattenPermissions(uint8_t* buffer, uint16_t buffer_len,
     permissions->keyIdCount = keyIdCount;
 
     /* Deserialize keyIds array (4*WH_AUTH_MAX_KEY_IDS bytes) */
-    for (i = 0; i < WH_AUTH_MAX_KEY_IDS && (idx + 3) < buffer_len; i++) {
+    for (i = 0; i < WH_AUTH_MAX_KEY_IDS; i++) {
         keyId = buffer[idx] |
                 (buffer[idx + 1] << 8) |
                 (buffer[idx + 2] << 16) |

src/wh_server.c

@@ -50,6 +50,9 @@
 /* Server API's */
 #include "wolfhsm/wh_server.h"
 #include "wolfhsm/wh_server_nvm.h"
+#ifndef WOLFHSM_CFG_NO_AUTHENTICATION
+#include "wolfhsm/wh_auth.h"
+#endif /* WOLFHSM_CFG_NO_AUTHENTICATION */
 #include "wolfhsm/wh_server_auth.h"
 #include "wolfhsm/wh_server_crypto.h"
 #include "wolfhsm/wh_server_keystore.h"
@@ -277,6 +280,16 @@ static int _wh_Server_HandleCommRequest(whServerContext* server,
     {
         /* No message */
         /* Process the close action */
+
+#ifndef WOLFHSM_CFG_NO_AUTHENTICATION
+        /* Log out the current user when communication channel closes */
+        if (server->auth != NULL && server->auth->user.user_id !=
+                WH_USER_ID_INVALID) {
+            whUserId user_id = server->auth->user.user_id;
+            (void)wh_Auth_Logout(server->auth, user_id);
+        }
+#endif /* WOLFHSM_CFG_NO_AUTHENTICATION */
+
         wh_Server_SetConnected(server, WH_COMM_DISCONNECTED);
         *out_resp_size = 0;
 
@@ -350,7 +363,6 @@ static uint16_t _wh_Server_FormatAuthErrorResponse(uint16_t magic,
                     whMessageAuth_LoginResponse resp = {0};
                     resp.rc                          = error_code;
                     resp.user_id                     = WH_USER_ID_INVALID;
-                    resp.permissions                 = 0;
                     wh_MessageAuth_TranslateLoginResponse(
                         magic, &resp,
                         (whMessageAuth_LoginResponse*)resp_packet);

src/wh_server_auth.c

@@ -95,7 +95,6 @@ int wh_Server_HandleAuthRequest(whServerContext* server, uint16_t magic,
                     }
                 }
             }
-            /* @TODO setting of permissions */
 
             wh_MessageAuth_TranslateLoginResponse(
                 magic, &resp, (whMessageAuth_LoginResponse*)resp_packet);