From 1b160cd57d7a723b6d00a85357b864a29167f4fd Mon Sep 17 00:00:00 2001 From: Dongik Lee Date: Mon, 24 Feb 2025 12:52:06 +0900 Subject: [PATCH] Add Security Auth HAL API&Document Change-Id: I1369211b2fc7a2375791ad86e6225f55db7f5ab4 --- CMakeLists.txt | 1 + doc/hal_security_auth_doc.h | 65 ++++++++ doc/hal_security_doc.h | 4 + include/hal-security-auth-interface-1.h | 129 +++++++++++++++ include/hal-security-auth-interface.h | 22 +++ include/hal-security-auth-types.h | 46 ++++++ include/hal-security-auth.h | 90 ++++++++++ packaging/hal-api-security-manifest.xml | 4 + packaging/hal-api-security.spec | 1 + src/hal-api-security-auth.c | 211 ++++++++++++++++++++++++ 10 files changed, 573 insertions(+) create mode 100644 doc/hal_security_auth_doc.h create mode 100644 include/hal-security-auth-interface-1.h create mode 100644 include/hal-security-auth-interface.h create mode 100644 include/hal-security-auth-types.h create mode 100644 include/hal-security-auth.h create mode 100644 src/hal-api-security-auth.c diff --git a/CMakeLists.txt b/CMakeLists.txt index 8cc2497..a2b8057 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -19,6 +19,7 @@ SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SECURITY_DEPS_CFLAGS} ${EXTRA_CFLAGS}") SET( SRCS src/hal-api-security-certs.c + src/hal-api-security-auth.c ) LINK_DIRECTORIES(${SECURITY_DEPS_LIBRARY_DIRS}) diff --git a/doc/hal_security_auth_doc.h b/doc/hal_security_auth_doc.h new file mode 100644 index 0000000..2e0bd32 --- /dev/null +++ b/doc/hal_security_auth_doc.h @@ -0,0 +1,65 @@ +/* + * Copyright (c) 2025 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the License); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an AS IS BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +#ifndef __TIZEN_HAL_SECURITY_AUTH_DOC_H__ +#define __TIZEN_HAL_SECURITY_AUTH_DOC_H__ + + +/** + * @file hal_security_auth_doc.h + * @brief This file contains high level documentation of the HAL Security Auth module. + */ + +/** + * @ingroup HALAPI_HAL_SECURITY + * @defgroup HALAPI_HAL_SECURITY_AUTH_MODULE Security Auth + * @brief The @ref HALAPI_HAL_SECURITY_AUTH_MODULE provides functions to handle the authentication per user. + * + * @section HALAPI_HAL_SECURITY_AUTH_MODULE_HEADER Required Header + * \#include + * + * @section HALAPI_HAL_SECURITY_AUTH_MODULE_OVERVIEW Overview + * The Security Auth provides functions to handle the authentication per user. + * + * The Security Auth functions provide methods to: + * - Create password file + * - Write password auth parameters from memory to file + * - Write the number of attempts to enter password auth till now + * - Set a new password auth context + * - Check if the entered password auth context is the same as the current password + * - Set the maximum number of history size to store password context in the past + * - Get the maximum number of history size + * - Get the expire time period in days + * - Set the expire time period in days + * - Get the expire time left in seconds + * - Set the expire time left in seconds + * - Get the accumulated attempt number for user's password auth tries + * - Reset the accumulated attempt number for user's password auth tries + * - Increase the accumulated attempt number for user's password auth tries + * - Get the limited maximum attempt number of user's password auth tries + * - Set the limited maximum attempt number of user's password auth tries + * - Get the active status of user's password auth context + * - Check if the entered password context has the previously-used history + * - Check if the password auth context has expired + * - Check if the accumulated attempt number for user's password auth try exceeds the limited maximum attempt + * - Check if the new attempt interval elapsed the ignore period(ex. RETRY_TIMEOUT = 0.5 secs) + * - Check if the history for storing the previous password context is activated + * - Get the password type regarding to the user + * For more information on the Security Auth features and the macros, see HAL Security programming guides and tutorials. + */ + +#endif /* __TIZEN_HAL_SECURITY_AUTH_DOC_H__ */ diff --git a/doc/hal_security_doc.h b/doc/hal_security_doc.h index 277f695..7041f2a 100644 --- a/doc/hal_security_doc.h +++ b/doc/hal_security_doc.h @@ -37,6 +37,10 @@ * @ref HALAPI_HAL_SECURITY_CERTS_MODULE * Provides functions to handle device certificates and signing operations * + * + * @ref HALAPI_HAL_SECURITY_AUTH_MODULE + * Provides functions to handle the authentication per user + * * * * For more information on the HAL Security submodule features, see HAL Security Guide. diff --git a/include/hal-security-auth-interface-1.h b/include/hal-security-auth-interface-1.h new file mode 100644 index 0000000..c7ddbb2 --- /dev/null +++ b/include/hal-security-auth-interface-1.h @@ -0,0 +1,129 @@ +/* + * Copyright (c) 2025 Samsung Electronics Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the License); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef __HAL_SECURITY_AUTH_INTERFACE_1_H__ +#define __HAL_SECURITY_AUTH_INTERFACE_1_H__ + +#include "hal-security-auth-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @addtogroup HALAPI_HAL_SECURITY_AUTH_MODULE + * @{ + */ + +/** + * @brief Structure for security auth-fw functions. + * @since HAL_MODULE_SECURITY_AUTH 1.0 + */ + +typedef struct _hal_backend_security_auth_funcs { + /** Create password file */ + int (*create_password_file)(uid_t user_id, + hal_security_auth_password_type_e type); + + /** Write password auth parameters from memory to file */ + int (*write_memory_to_file)(uid_t user_id); + + /** Write the number of attempts to enter password auth till now */ + int (*write_attempt_to_file)(uid_t user_id); + + /** Set a new password auth context */ + int (*set_password)(uid_t user_id, + const char* password); + + /** Check if the entered password auth context is the same as the current password */ + int (*check_password)(uid_t user_id, + const char* password); + + /** Set the maximum number of history size to store password context in the past */ + int (*set_max_history_size)(uid_t user_id, + unsigned int history_size); + + /** Get the maximum number of history size */ + int (*get_max_history_size)(uid_t user_id, + unsigned int *history_size); + + /** Get the expire time period in days */ + int (*get_expire_time)(uid_t user_id, + unsigned int *expire_time); + + /** Set the expire time period in days */ + int (*set_expire_time)(uid_t user_id, + unsigned int expire_time); + + /** Get the expire time left in seconds */ + int (*get_expire_time_left)(uid_t user_id, + unsigned int *expire_time_left); + + /** Set the expire time left in seconds */ + int (*set_expire_time_left)(uid_t user_id, + unsigned int expire_time_left); + + /** Get the accumulated attempt number for user's password auth trys */ + int (*get_attempt)(uid_t user_id, + unsigned int *attempt); + + /** Reset the accumulated attempt number for user's password auth trys */ + int (*reset_attempt)(uid_t user_id); + + /** Increase the accumulated attempt number for user's password auth trys */ + int (*increment_attempt)(uid_t user_id); + + /** Get the limited maximum attempt number of user's password auth trys */ + int (*get_max_attempt)(uid_t user_id, + unsigned int *max_attempt); + + /** Set the limited maximum attempt number of user's password auth trys */ + int (*set_max_attempt)(uid_t user_id, + unsigned int max_attempt); + + /** Get the active status of user's password auth context */ + int (*is_password_active)(uid_t user_id); + + /** Check if the entered password context has the previously-used history */ + int (*is_password_reused)(uid_t user_id, + const char* password); + + /** Check if the password auth context has expired */ + int (*check_expiration)(uid_t user_id); + + /** Check if the accumulated attempt number for user's password auth try exceeds the limited maximum attempt */ + int (*check_attempt_exceeded)(uid_t user_id); + + /** Check if the new attempt interval elapsed the ignore period(ex. RETRY_TIMEOUT = 0.5 secs) */ + int (*is_ignore_period)(uid_t user_id); + + /** Check if the history for storing the previous password context is activated */ + int (*is_history_active)(uid_t user_id); + + /** Get the password type regarding to user_id */ + int (*get_password_type)(uid_t user_id, + hal_security_auth_password_type_e *password_type); + +} hal_backend_security_auth_funcs; + +/** + * @} + */ + +#ifdef __cplusplus +} +#endif +#endif /* __HAL_SECURITY_AUTH_INTERFACE_1_H__ */ diff --git a/include/hal-security-auth-interface.h b/include/hal-security-auth-interface.h new file mode 100644 index 0000000..ad4a91a --- /dev/null +++ b/include/hal-security-auth-interface.h @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2025 Samsung Electronics Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the License); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef __HAL_SECURITY_AUTH_INTERFACE_H__ +#define __HAL_SECURITY_AUTH_INTERFACE_H__ + +#include "hal-security-auth-interface-1.h" + +#endif /* __HAL_SECURITY_AUTH_INTERFACE_H__ */ diff --git a/include/hal-security-auth-types.h b/include/hal-security-auth-types.h new file mode 100644 index 0000000..fe9b7fd --- /dev/null +++ b/include/hal-security-auth-types.h @@ -0,0 +1,46 @@ +/* + * Copyright (c) 2025 Samsung Electronics Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the License); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef __HAL_SECURITY_AUTH_TYPES_H__ +#define __HAL_SECURITY_AUTH_TYPES_H__ + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @addtogroup HALAPI_HAL_SECURITY_AUTH_MODULE + * @{ + */ + +/** + * @brief Enumeration for auth password type + * @since HAL_MODULE_SECURITY_AUTH 1.0 + */ +typedef enum { + HAL_SECURITY_AUTH_PASSWORD_NORMAL = 0, /**< Character string for normal password */ + HAL_SECURITY_AUTH_PASSWORD_PIN = 1, /**< Numeric character string for personal identification number */ + HAL_SECURITY_AUTH_PASSWORD_PATTERN = 2, /**< Numeric character string for pattern match */ +} hal_security_auth_password_type_e; + +/** + * @} + */ + +#ifdef __cplusplus +} +#endif +#endif /* __HAL_SECURITY_AUTH_TYPES_H__ */ \ No newline at end of file diff --git a/include/hal-security-auth.h b/include/hal-security-auth.h new file mode 100644 index 0000000..5b8ed0f --- /dev/null +++ b/include/hal-security-auth.h @@ -0,0 +1,90 @@ +/* + * Copyright (c) 2025 Samsung Electronics Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the License); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef __HAL_SECURITY_AUTH_H__ +#define __HAL_SECURITY_AUTH_H__ + +#include "hal-security-auth-types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +int hal_security_auth_create_password_file(uid_t user_id, + hal_security_auth_password_type_e password_type); + +int hal_security_auth_write_memory_to_file(uid_t user_id); + +int hal_security_auth_write_attempt_to_file(uid_t user_id); + +int hal_security_auth_set_password(uid_t user_id, + const char* password); + +int hal_security_auth_check_password(uid_t user_id, + const char* password); + +int hal_security_auth_set_max_history_size(uid_t user_id, + unsigned int history_size); + +int hal_security_auth_get_max_history_size(uid_t user_id, + unsigned int *history_size); + +int hal_security_auth_get_expire_time(uid_t user_id, + unsigned int *expire_time); + +int hal_security_auth_set_expire_time(uid_t user_id, + unsigned int expire_time); + +int hal_security_auth_get_expire_time_left(uid_t user_id, + unsigned int *expire_time_left); + +int hal_security_auth_set_expire_time_left(uid_t user_id, + unsigned int expire_time_left); + +int hal_security_auth_get_attempt(uid_t user_id, + unsigned int *attempt); + +int hal_security_auth_reset_attempt(uid_t user_id); + +int hal_security_auth_increment_attempt(uid_t user_id); + +int hal_security_auth_get_max_attempt(uid_t user_id, + unsigned int *max_attempt); + +int hal_security_auth_set_max_attempt(uid_t user_id, + unsigned int max_attempt); + +int hal_security_auth_is_password_active(uid_t user_id); + +int hal_security_auth_is_password_reused(uid_t user_id, + const char* password); + +int hal_security_auth_check_expiration(uid_t user_id); + +int hal_security_auth_check_attempt_exceeded(uid_t user_id); + +int hal_security_auth_is_ignore_period(uid_t user_id); + +int hal_security_auth_is_history_active(uid_t user_id); + +int hal_security_auth_get_password_type(uid_t user_id, + hal_security_auth_password_type_e *password_type); + +#ifdef __cplusplus +} +#endif + +#endif /* __HAL_SECURITY_AUTH_H__ */ \ No newline at end of file diff --git a/packaging/hal-api-security-manifest.xml b/packaging/hal-api-security-manifest.xml index 320597d..9946b3c 100644 --- a/packaging/hal-api-security-manifest.xml +++ b/packaging/hal-api-security-manifest.xml @@ -4,5 +4,9 @@ HAL_MODULE_SECURITY_CERTS 1.0 + + HAL_MODULE_SECURITY_AUTH + 1.0 + diff --git a/packaging/hal-api-security.spec b/packaging/hal-api-security.spec index 022f4c3..7b08f9b 100644 --- a/packaging/hal-api-security.spec +++ b/packaging/hal-api-security.spec @@ -78,6 +78,7 @@ rm -rf %{buildroot} %defattr(-,root,root,-) %manifest %{name}.manifest %license LICENSE.Apache-2.0 +%{_includedir}/hal/hal-security-auth*.h %{_includedir}/hal/hal-security-certs*.h %{_libdir}/pkgconfig/hal-api-security.pc %{_libdir}/hal/lib%{name}.so diff --git a/src/hal-api-security-auth.c b/src/hal-api-security-auth.c new file mode 100644 index 0000000..5a8f514 --- /dev/null +++ b/src/hal-api-security-auth.c @@ -0,0 +1,211 @@ +/* + * Copyright (c) 2025 Samsung Electronics Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the License); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include + +#include + +#include "hal-security-auth-interface.h" +#include "hal-security-auth.h" +#ifndef EXPORT +#define EXPORT __attribute__ ((visibility("default"))) +#endif + +static hal_backend_security_auth_funcs *g_security_auth_funcs = NULL; + +EXPORT int hal_security_auth_get_backend(void) +{ + int ret; + + if (g_security_auth_funcs) + return 0; + + g_security_auth_funcs = calloc(1, sizeof(hal_backend_security_auth_funcs)); + if (!g_security_auth_funcs) + return -ENOMEM; + + ret = hal_common_get_backend(HAL_MODULE_SECURITY_AUTH, (void **)&g_security_auth_funcs); + if (ret < 0) { + free(g_security_auth_funcs); + g_security_auth_funcs = NULL; + return -ENOTSUP; + } + + return 0; +} + +EXPORT int hal_security_auth_put_backend(void) +{ + if (!g_security_auth_funcs) + return -EINVAL; + + hal_common_put_backend(HAL_MODULE_SECURITY_AUTH, (void *)g_security_auth_funcs); + + free(g_security_auth_funcs); + g_security_auth_funcs = NULL; + + return 0; +} + +EXPORT int hal_security_auth_create_password_file(uid_t user_id, hal_security_auth_password_type_e password_type) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->create_password_file(user_id, password_type); +} + +EXPORT int hal_security_auth_write_memory_to_file(uid_t user_id) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->write_memory_to_file(user_id); +} + +EXPORT int hal_security_auth_write_attempt_to_file(uid_t user_id) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->write_attempt_to_file(user_id); +} + +EXPORT int hal_security_auth_set_password(uid_t user_id, const char* password) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->set_password(user_id, password); +} + +EXPORT int hal_security_auth_check_password(uid_t user_id, const char* password) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->check_password(user_id, password); +} + +EXPORT int hal_security_auth_set_max_history_size(uid_t user_id, unsigned int history_size) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->set_max_history_size(user_id, history_size); +} + +EXPORT int hal_security_auth_get_max_history_size(uid_t user_id, unsigned int *history_size) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->get_max_history_size(user_id, history_size); +} + +EXPORT int hal_security_auth_get_expire_time(uid_t user_id, unsigned int *expire_time) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->get_expire_time(user_id, expire_time); +} + +EXPORT int hal_security_auth_set_expire_time(uid_t user_id, unsigned int expire_time) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->set_expire_time(user_id, expire_time); +} + +EXPORT int hal_security_auth_get_attempt(uid_t user_id, unsigned int *attempt) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->get_attempt(user_id, attempt); +} + +EXPORT int hal_security_auth_reset_attempt(uid_t user_id) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->reset_attempt(user_id); +} + +EXPORT int hal_security_auth_increment_attempt(uid_t user_id) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->increment_attempt(user_id); +} + +EXPORT int hal_security_auth_get_max_attempt(uid_t user_id, unsigned int *max_attempt) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->get_max_attempt(user_id, max_attempt); +} + +EXPORT int hal_security_auth_set_max_attempt(uid_t user_id, unsigned int max_attempt) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->set_max_attempt(user_id, max_attempt); +} + +EXPORT int hal_security_auth_is_password_active(uid_t user_id) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->is_password_active(user_id); +} + +EXPORT int hal_security_auth_is_password_reused(uid_t user_id, const char* password) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->is_password_reused(user_id, password); +} + +EXPORT int hal_security_auth_check_expiration(uid_t user_id) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->check_expiration(user_id); +} + +EXPORT int hal_security_auth_check_attempt_exceeded(uid_t user_id) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->check_attempt_exceeded(user_id); +} + +EXPORT int hal_security_auth_is_ignore_period(uid_t user_id) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->is_ignore_period(user_id); +} + +EXPORT int hal_security_auth_is_history_active(uid_t user_id) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->is_history_active(user_id); +} + +EXPORT int hal_security_auth_get_password_type(uid_t user_id, hal_security_auth_password_type_e *password_type) +{ + if (!g_security_auth_funcs) + return -ENOTSUP; + return g_security_auth_funcs->get_password_type(user_id, password_type); +} \ No newline at end of file -- 2.34.1