updates for dynmaic size of credentials and auth data

JacobBarthelmeh · JacobBarthelmeh · commit c64f0f24a59c · 2026-01-22T10:38:13.000-07:00
diff --git a/src/wh_client_auth.c b/src/wh_client_auth.c
@@ -46,19 +46,34 @@ int wh_Client_AuthLoginRequest(whClientContext* c,
         whAuthMethod method, const char* username, const void* auth_data,
         uint16_t auth_data_len)
 {
-    whMessageAuth_LoginRequest msg = {0};
+    uint8_t buffer[WOLFHSM_CFG_COMM_DATA_LEN] = {0};
+    whMessageAuth_LoginRequest* msg = (whMessageAuth_LoginRequest*)buffer;
+    uint8_t* msg_auth_data = buffer + sizeof(*msg);
+    int msg_size;
 
     if (c == NULL){
         return WH_ERROR_BADARGS;
     }
 
-    strncpy(msg.username, username, sizeof(msg.username));
-    msg.method = method;
-    msg.auth_data_len = auth_data_len;
-    memcpy(msg.auth_data, auth_data, auth_data_len);
+    if (auth_data_len > WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN) {
+        return WH_ERROR_BADARGS;
+    }
+
+    msg_size = (int)sizeof(*msg) + (int)auth_data_len;
+    if (msg_size > WOLFHSM_CFG_COMM_DATA_LEN) {
+        return WH_ERROR_BADARGS;
+    }
+
+    strncpy(msg->username, username, sizeof(msg->username));
+    msg->method = method;
+    msg->auth_data_len = auth_data_len;
+    if (auth_data_len > 0 && auth_data != NULL) {
+        memcpy(msg_auth_data, auth_data, auth_data_len);
+    }
+
     return wh_Client_SendRequest(c,
             WH_MESSAGE_GROUP_AUTH, WH_MESSAGE_AUTH_ACTION_LOGIN,
-            sizeof(msg), &msg);
+            (uint16_t)msg_size, buffer);
 }
 
 int wh_Client_AuthLoginResponse(whClientContext* c, int32_t *out_rc,
@@ -200,30 +215,38 @@ int wh_Client_AuthUserAddRequest(whClientContext* c, const char* username,
         whAuthPermissions permissions, whAuthMethod method,
         const void* credentials, uint16_t credentials_len)
 {
-    whMessageAuth_UserAddRequest msg = {0};
+    uint8_t buffer[WOLFHSM_CFG_COMM_DATA_LEN] = {0};
+    whMessageAuth_UserAddRequest* msg = (whMessageAuth_UserAddRequest*)buffer;
+    uint8_t* msg_credentials = buffer + sizeof(*msg);
+    int msg_size;
 
     if (c == NULL){
         return WH_ERROR_BADARGS;
     }
 
-    strncpy(msg.username, username, sizeof(msg.username));
+    strncpy(msg->username, username, sizeof(msg->username));
 
-    if (wh_MessageAuth_FlattenPermissions(&permissions, msg.permissions,
-        sizeof(msg.permissions)) != 0) {
+    if (wh_MessageAuth_FlattenPermissions(&permissions, msg->permissions,
+        sizeof(msg->permissions)) != 0) {
         return WH_ERROR_BUFFER_SIZE;
     }
 
-    msg.method = method;
-    msg.credentials_len = credentials_len;
+    msg->method = method;
+    msg->credentials_len = credentials_len;
     if (credentials != NULL && credentials_len > 0) {
         if (credentials_len > WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN) {
             return WH_ERROR_BUFFER_SIZE;
         }
-        memcpy(msg.credentials, credentials, credentials_len);
+        memcpy(msg_credentials, credentials, credentials_len);
+    }
+
+    msg_size = (int)sizeof(*msg) + (int)credentials_len;
+    if (msg_size > WOLFHSM_CFG_COMM_DATA_LEN) {
+        return WH_ERROR_BUFFER_SIZE;
     }
     return wh_Client_SendRequest(c,
             WH_MESSAGE_GROUP_AUTH, WH_MESSAGE_AUTH_ACTION_USER_ADD,
-            sizeof(msg), &msg);
+            (uint16_t)msg_size, buffer);
 }
 
 int wh_Client_AuthUserAddResponse(whClientContext* c, int32_t *out_rc,
diff --git a/src/wh_message_auth.c b/src/wh_message_auth.c
@@ -47,19 +47,41 @@ int wh_MessageAuth_TranslateSimpleResponse(uint16_t magic,
 }
 
 int wh_MessageAuth_TranslateLoginRequest(uint16_t magic,
-        const whMessageAuth_LoginRequest* src,
-        whMessageAuth_LoginRequest* dest)
+        const void* src_packet, uint16_t src_size,
+        whMessageAuth_LoginRequest* dest_header, uint8_t* dest_auth_data)
 {
-    if ((src == NULL) || (dest == NULL)) {
+    const whMessageAuth_LoginRequest* src_header;
+    const uint8_t* src_data;
+    uint16_t header_size = sizeof(whMessageAuth_LoginRequest);
+    uint16_t expected_size;
+
+    if ((src_packet == NULL) || (dest_header == NULL)) {
         return WH_ERROR_BADARGS;
     }
 
-    WH_T16(magic, dest, src, method);
-    if (src != dest) {
-        memcpy(dest->username, src->username, sizeof(dest->username));
-        memcpy(dest->auth_data, src->auth_data, src->auth_data_len);
+    if (src_size < header_size) {
+        return WH_ERROR_BADARGS;
+    }
+
+    src_header = (const whMessageAuth_LoginRequest*)src_packet;
+    src_data = (const uint8_t*)src_packet + header_size;
+
+    WH_T16(magic, dest_header, src_header, method);
+    if (src_header != dest_header) {
+        memcpy(dest_header->username, src_header->username,
+               sizeof(dest_header->username));
+    }
+    WH_T16(magic, dest_header, src_header, auth_data_len);
+
+    expected_size = (uint16_t)(header_size + dest_header->auth_data_len);
+    if (dest_header->auth_data_len > WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN ||
+        src_size < expected_size) {
+        return WH_ERROR_BADARGS;
+    }
+
+    if (dest_auth_data != NULL && dest_header->auth_data_len > 0) {
+        memcpy(dest_auth_data, src_data, dest_header->auth_data_len);
     }
-    WH_T16(magic, dest, src, auth_data_len);
     return 0;
 }
 
@@ -173,24 +195,44 @@ int wh_MessageAuth_UnflattenPermissions(uint8_t* buffer, uint16_t buffer_len,
 
 
 int wh_MessageAuth_TranslateUserAddRequest(uint16_t magic,
-        const whMessageAuth_UserAddRequest* src,
-        whMessageAuth_UserAddRequest* dest)
+        const void* src_packet, uint16_t src_size,
+        whMessageAuth_UserAddRequest* dest_header, uint8_t* dest_credentials)
 {
-    if ((src == NULL) || (dest == NULL)) {
+    const whMessageAuth_UserAddRequest* src_header;
+    const uint8_t* src_data;
+    uint16_t header_size = sizeof(whMessageAuth_UserAddRequest);
+    uint16_t expected_size;
+
+    if ((src_packet == NULL) || (dest_header == NULL)) {
         return WH_ERROR_BADARGS;
     }
 
-    if (src != dest) {
-        memcpy(dest->username, src->username, sizeof(dest->username));
-        if (src->credentials_len > WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN) {
-            return WH_ERROR_BUFFER_SIZE;
-        }
-        memcpy(dest->credentials, src->credentials, src->credentials_len);
-        memcpy(dest->permissions, src->permissions, sizeof(dest->permissions));
+    if (src_size < header_size) {
+        return WH_ERROR_BADARGS;
     }
 
-    WH_T16(magic, dest, src, method);
-    WH_T16(magic, dest, src, credentials_len);
+    src_header = (const whMessageAuth_UserAddRequest*)src_packet;
+    src_data = (const uint8_t*)src_packet + header_size;
+
+    if (src_header != dest_header) {
+        memcpy(dest_header->username, src_header->username,
+               sizeof(dest_header->username));
+        memcpy(dest_header->permissions, src_header->permissions,
+               sizeof(dest_header->permissions));
+    }
+
+    WH_T16(magic, dest_header, src_header, method);
+    WH_T16(magic, dest_header, src_header, credentials_len);
+
+    expected_size = (uint16_t)(header_size + dest_header->credentials_len);
+    if (dest_header->credentials_len > WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN ||
+        src_size < expected_size) {
+        return WH_ERROR_BUFFER_SIZE;
+    }
+
+    if (dest_credentials != NULL && dest_header->credentials_len > 0) {
+        memcpy(dest_credentials, src_data, dest_header->credentials_len);
+    }
     return 0;
 }
 
diff --git a/src/wh_server.c b/src/wh_server.c
@@ -355,11 +355,13 @@ int wh_Server_HandleRequestMessage(whServerContext* server)
          * group and action requested. When dealing with key ID's there should
          * be an additional authorization check after parsing the request and
          * translating the key ID and before it is used. */
-        rc = wh_Auth_CheckRequestAuthorization(server->auth, group, action);
-        if (rc != WH_ERROR_OK) {
-            /* Authorization failed - send error response to client but keep server running */
-            int32_t error_response = (int32_t)WH_AUTH_PERMISSION_ERROR;
-            uint16_t resp_size = sizeof(error_response);
+        /* Check authorization if auth context is configured */
+        if (server->auth != NULL) {
+            rc = wh_Auth_CheckRequestAuthorization(server->auth, group, action);
+            if (rc != WH_ERROR_OK) {
+                /* Authorization failed - send error response to client but keep server running */
+                int32_t error_response = (int32_t)WH_AUTH_PERMISSION_ERROR;
+                uint16_t resp_size = sizeof(error_response);
 
             /* Translate the error response for endian conversion */
             error_response = (int32_t)wh_Translate32(magic, (uint32_t)error_response);
@@ -375,7 +377,8 @@ int wh_Server_HandleRequestMessage(whServerContext* server)
                               "Authorization failed for (group=%d, action=%d, seq=%d)",
                               group, action, seq);
 
-            return rc;
+                return rc;
+            }
         }
 #endif /* WOLFHSM_CFG_NO_AUTHENTICATION */
 
diff --git a/src/wh_server_auth.c b/src/wh_server_auth.c
@@ -72,27 +72,29 @@ int wh_Server_HandleAuthRequest(whServerContext* server,
         whMessageAuth_LoginRequest req = {0};
         whMessageAuth_LoginResponse resp = {0};
         int loggedIn = 0;
-
-        if (req_size != sizeof(req)) {
-            /* Request is malformed */
-            resp.rc = WH_ERROR_ABORTED;
-       }
+        uint8_t auth_data[WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN] = {0};
 
         /* Parse the request */
-        wh_MessageAuth_TranslateLoginRequest(magic, req_packet, &req);
+        rc = wh_MessageAuth_TranslateLoginRequest(magic, req_packet, req_size,
+                &req, auth_data);
+        if (rc != WH_ERROR_OK) {
+            resp.rc = rc;
+        }
 
         /* Login the user */
-        rc = wh_Auth_Login(server->auth, server->comm->client_id, req.method,
-            req.username, req.auth_data, req.auth_data_len, &loggedIn);
-        resp.rc = rc;
-        if (rc == WH_ERROR_OK) {
-            if (loggedIn == 0) {
-            resp.rc = WH_AUTH_LOGIN_FAILED;
-            resp.user_id = WH_USER_ID_INVALID;
-            }
-            else {
-                /* return the current logged in user info */
-                resp.user_id = server->auth->user.user_id;
+        if (resp.rc == WH_ERROR_OK) {
+            rc = wh_Auth_Login(server->auth, server->comm->client_id, req.method,
+                req.username, auth_data, req.auth_data_len, &loggedIn);
+            resp.rc = rc;
+            if (rc == WH_ERROR_OK) {
+                if (loggedIn == 0) {
+                resp.rc = WH_AUTH_LOGIN_FAILED;
+                resp.user_id = WH_USER_ID_INVALID;
+                }
+                else {
+                    /* return the current logged in user info */
+                    resp.user_id = server->auth->user.user_id;
+                }
             }
         }
         /* @TODO setting of permissions */
@@ -129,27 +131,22 @@ int wh_Server_HandleAuthRequest(whServerContext* server,
         whMessageAuth_UserAddRequest req = {0};
         whMessageAuth_UserAddResponse resp = {0};
         whAuthPermissions permissions = {0};
+        uint8_t credentials[WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN] = {0};
 
-        if (req_size != sizeof(whMessageAuth_UserAddRequest)) {
-            /* Request is malformed */
-            resp.rc = WH_ERROR_BADARGS;
-       } else {
-            /* Parse the request */
-            wh_MessageAuth_TranslateUserAddRequest(magic, req_packet, &req);
-
-            /* Validate credentials length */
-            if (req.credentials_len > WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN) {
+        /* Parse the request */
+        rc = wh_MessageAuth_TranslateUserAddRequest(magic, req_packet, req_size,
+                &req, credentials);
+        if (rc != WH_ERROR_OK) {
+            resp.rc = rc;
+        } else {
+            if (wh_MessageAuth_UnflattenPermissions(req.permissions,
+                sizeof(req.permissions), &permissions) != 0) {
                 resp.rc = WH_ERROR_BADARGS;
             } else {
-                if (wh_MessageAuth_UnflattenPermissions(req.permissions,
-                    sizeof(req.permissions), &permissions) != 0) {
-                    resp.rc = WH_ERROR_BADARGS;
-                } else {
-                /* Add the user with credentials @TODO setting permissions */
-                    rc = wh_Auth_UserAdd(server->auth, req.username, &resp.user_id, permissions,
-                            req.method, req.credentials, req.credentials_len);
-                    resp.rc = rc;
-                }
+            /* Add the user with credentials @TODO setting permissions */
+                rc = wh_Auth_UserAdd(server->auth, req.username, &resp.user_id, permissions,
+                        req.method, credentials, req.credentials_len);
+                resp.rc = rc;
             }
         }
 
diff --git a/wolfhsm/wh_message_auth.h b/wolfhsm/wh_message_auth.h
@@ -67,12 +67,12 @@ typedef struct {
     uint16_t method;
     char username[WH_MESSAGE_AUTH_MAX_USERNAME_LEN];
     uint16_t auth_data_len;
-    uint8_t auth_data[WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN];
+    /* auth_data follows */
 } whMessageAuth_LoginRequest;
 
 int wh_MessageAuth_TranslateLoginRequest(uint16_t magic,
-        const whMessageAuth_LoginRequest* src,
-        whMessageAuth_LoginRequest* dest);
+        const void* src_packet, uint16_t src_size,
+        whMessageAuth_LoginRequest* dest_header, uint8_t* dest_auth_data);
 
 /** Login Response */
 typedef struct {
@@ -114,12 +114,12 @@ typedef struct {
     uint8_t permissions[WH_FLAT_PERRMISIONS_LEN];
     uint16_t method;
     uint16_t credentials_len;
-    uint8_t credentials[WH_MESSAGE_AUTH_MAX_CREDENTIALS_LEN];
+    /* credentials follow */
 } whMessageAuth_UserAddRequest;
 
 int wh_MessageAuth_TranslateUserAddRequest(uint16_t magic,
-        const whMessageAuth_UserAddRequest* src,
-        whMessageAuth_UserAddRequest* dest);
+        const void* src_packet, uint16_t src_size,
+        whMessageAuth_UserAddRequest* dest_header, uint8_t* dest_credentials);
 
 /** User Add Response */
 typedef struct {
