diff --git a/device_attest/build/BUILD.gn b/device_attest/build/BUILD.gn index 769daba1352574a6eb781e0ea95588c93b3d9b2c..0ffb7d99edec53e46c4da06a3d287c81c70f1f0b 100644 --- a/device_attest/build/BUILD.gn +++ b/device_attest/build/BUILD.gn @@ -15,8 +15,9 @@ import("//build/ohos.gni") import("//test/xts/device_attest/build/devattestconfig.gni") group("attest_standard_packages") { + deps = [] if (is_standard_system) { - deps = [ + deps += [ "${devattest_path}/services/etc/init:devattest_etc", "${devattest_path}/services/sa_profile:devattest_sa_profile", "${devattest_path}/services/devattest_ability:devattest_service", @@ -27,4 +28,3 @@ group("attest_standard_packages") { } } } - diff --git a/device_attest/build/ohos.build b/device_attest/build/ohos.build deleted file mode 100644 index caa98434b9fa9f65e52cb944f82f0bf354a4b456..0000000000000000000000000000000000000000 --- a/device_attest/build/ohos.build +++ /dev/null @@ -1,19 +0,0 @@ -{ - "subsystem": "xts", - "parts": { - "device_attest": { - "variants": [ - "phone", - "ivi", - "intellitv", - "wearable" - ], - "module_list": [ - "//test/xts/device_attest/build:attest_standard_packages" - ], - "test_list": [ - "//test/xts/device_attest/test/unittest:unittest" - ] - } - } -} diff --git a/device_attest/bundle.json b/device_attest/bundle.json new file mode 100644 index 0000000000000000000000000000000000000000..94e636fb1b4e3dcacc54e228437ffbdabf2746de --- /dev/null +++ b/device_attest/bundle.json 
@@ -0,0 +1,60 @@ +{ + "name": "@ohos/devattest_service", + "version": "3.1", + "description": "", + "license": "Apache License 2.0", + "domain": "os", + "publishAs": "", + "private": false, + "scripts": {}, + "dirs": [], + "segment": { + "destPath": "test/xts/device_attest" + }, + "component": { + "name": "device_attest", + "subsystem": "xts", + "syscap": [], + "features": [], + "adapted_system_type": [ "standard" ], + "rom": "3072KB", + "ram": "", + "deps": { + "components": [ + "safwk", + "samgr", + "ipc", + "kal_timer", + "hiviewdfx_hilog_native", + "c_utils", + "napi", + "hdf_core" + ], + "third_party": [ + "bounds_checking_function", + "cjson" + ] + }, + "build": { + "sub_component": [ + "//test/xts/device_attest/build:attest_standard_packages" + ], + "inner_kits": [ + { + "header": { + "header_base":"//test/xts/device_attest/interfaces/innerkits/native_cpp/include", + "header_files": [ + "devattest_client.h", + "devattest_interface.h", + "devattest_service_proxy.h" + ] + }, + "name": "//test/xts/device_attest/interfaces/innerkits/native_cpp:devattest_sdk" + } + ], + "test": [ + "//test/xts/device_attest/test/unittest:unittest" + ] + } + } +} diff --git a/device_attest/interfaces/innerkits/native_cpp/BUILD.gn b/device_attest/interfaces/innerkits/native_cpp/BUILD.gn index 89860893e7e7f147855c18323911f3d8d9ceb168..1224679543403064dea47287a1b5b0be0af0118e 100644 --- a/device_attest/interfaces/innerkits/native_cpp/BUILD.gn +++ b/device_attest/interfaces/innerkits/native_cpp/BUILD.gn @@ -40,11 +40,10 @@ ohos_shared_library("devattest_sdk") { ":devattest_sdk_config", ] - deps = [ - "//utils/native/base:utils", - ] + deps = [] external_deps = [ + "c_utils:utils", "hiviewdfx_hilog_native:libhilog", "ipc:ipc_core", "safwk:system_ability_fwk", diff --git a/device_attest/sample/client/BUILD.gn b/device_attest/sample/client/BUILD.gn index b4cae49ac466f883a18e4b9f7495a04d6ed31d1d..d2218b27332a898ea329a88305d45bfad533aa75 100644 --- a/device_attest/sample/client/BUILD.gn 
+++ b/device_attest/sample/client/BUILD.gn @@ -30,10 +30,10 @@ ohos_executable("attesttestclient") { deps = [ "${devattest_path}/interfaces/innerkits/native_cpp:devattest_sdk", - "//utils/native/base:utils", ] external_deps = [ + "c_utils:utils", "hiviewdfx_hilog_native:libhilog", "ipc:ipc_core", "safwk:system_ability_fwk", diff --git a/device_attest/services/core/BUILD.gn b/device_attest/services/core/BUILD.gn index 456389b53fcd53a13fb503691bca6b05da137f9a..d89e708a663a91b813676ae02a78a3b630de3d44 100644 --- a/device_attest/services/core/BUILD.gn +++ b/device_attest/services/core/BUILD.gn @@ -37,6 +37,7 @@ sources_common = [ "utils/attest_utils_list.c", "utils/attest_utils.c", ] + if (enable_attest_debug_memory_leak) { sources_common += [ "utils/attest_utils_memleak.c", @@ -48,6 +49,7 @@ if (enable_attest_debug_dfx) { "dfx/attest_dfx.c", ] } + config("devattest_core_config") { visibility = [ ":*" ] cflags = [ @@ -64,6 +66,10 @@ config("devattest_core_config") { "//base/startup/syspara_lite/adapter/native/syspara/include", ] + include_dirs += [ + "//base/startup/init/interfaces/innerkits/include/syspara", + ] + defines = [ "ATTEST_HILOG_LEVEL = 1" ] if (enable_attest_network_host_debug) { defines += [ @@ -96,6 +102,10 @@ config("devattest_core_config") { "__ATTEST_NETWORK_DEBUG_LOG__", ] } + + defines += [ + "MBEDTLS_ALLOW_PRIVATE_ACCESS", + ] } ohos_shared_library("devattest_core") { @@ -116,8 +126,8 @@ ohos_shared_library("devattest_core") { external_deps = [ "hiviewdfx_hilog_native:libhilog", - "utils_base:utils", - "startup_l2:syspara", + "c_utils:utils", + "init:libbegetutil", ] subsystem_name = "xts" diff --git a/device_attest/services/core/adapter/attest_adapter.c b/device_attest/services/core/adapter/attest_adapter.c index 96b2fe403c264fbdeaeaa6e5a2e2f92680d91565..75a9b6d73de61a5a216f6eb1fc002d2254399b1c 100644 --- a/device_attest/services/core/adapter/attest_adapter.c +++ b/device_attest/services/core/adapter/attest_adapter.c 
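Review bot: Adding `MBEDTLS_ALLOW_PRIVATE_ACCESS` to the `defines` of `devattest_core_config` switches off Mbed TLS 3.x's private-field protection for every source built with this config, not only the file that needs it. The same commit drops `#include "md_internal.h"` from attest_security.h, so presumably some code still reads an mbedtls struct member directly; that code is not in this hunk. Prefer the public accessor for whatever field is read (for example `mbedtls_md_get_size()` for a digest length), or place the define at the top of the single .c file that needs it with a comment such as `/* TODO: drop once <field> is read through the public API */`.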
@@ -102,10 +102,6 @@ int32_t AttestReadToken(TokenInfo* tokenInfo) ATTEST_LOG_ERROR("[AttestReadToken] Read oem token failed, ret = %d", ret); return ret; } - - ATTEST_LOG_INFO("[AttestReadTokenAttestReadTokenAttestReadTokenAttestReadTokenAttestReadToken] token = %s", token); - ATTEST_LOG_INFO("[AttestReadTokenAttestReadTokenAttestReadTokenAttestReadTokenAttestReadToken] token length = %d", strlen(token)); - int32_t offset = 0; if (memcpy_s(tokenInfo->tokenId, TOKEN_ID_ENCRYPT_LEN, token + offset, TOKEN_ID_ENCRYPT_LEN) != 0) { return ATTEST_ERR; @@ -115,7 +111,7 @@ int32_t AttestReadToken(TokenInfo* tokenInfo) return ATTEST_ERR; } offset += (TOKEN_VALUE_ENCRYPT_LEN + 1); - if (memcpy_s(tokenInfo->salt, SALT_ENCRYPT_LEN, token + offset, SALT_ENCRYPT_LEN) != 0) { + if (memcpy_s(tokenInfo->salt, SALT_ENCRYPT_LEN, token + offset, SALT_ENCRYPT_LEN) != 0) { return ATTEST_ERR; } offset += (SALT_ENCRYPT_LEN + 1); @@ -154,9 +150,6 @@ int32_t AttestWriteToken(TokenInfo* tokenInfo) return ATTEST_ERR; } - ATTEST_LOG_INFO("[AttestWriteTokenAttestWriteTokenAttestWriteTokenAttestWriteToken] token = %s", token); - ATTEST_LOG_INFO("[AttestWriteTokenAttestWriteTokenAttestWriteTokenAttestWriteToken] token length = %d", strlen(token)); - struct IDeviceTokenInterface *devicetoken = DeviceTokenInterfaceGet(); if (devicetoken == NULL) { ATTEST_LOG_INFO("[AttestWriteToken] devicetoken is NULL."); diff --git a/device_attest/services/core/adapter/attest_adapter_mock.c b/device_attest/services/core/adapter/attest_adapter_mock.c index b1005592b8e65587cac5066c0af2c778496c1f5d..3cc0cca97f2388856b2c2ed99b5e6db2316c4276 100644 --- a/device_attest/services/core/adapter/attest_adapter_mock.c +++ b/device_attest/services/core/adapter/attest_adapter_mock.c 
@@ -57,12 +57,10 @@ int32_t SendChallMsgStub(ATTEST_ACTION_TYPE actionType, char** respMsg) if (root == NULL) { return ATTEST_ERR; } - ATTEST_LOG_INFO("[SendChallMsgStub] action = %s.", root); int32_t ret = GetJsonOjectStringStub(root, ATTEST_MOCK_L2_CHALLENGE, respMsg); if (ret != ATTEST_OK) { return ATTEST_ERR; } - ATTEST_LOG_INFO("[SendChallMsgStub] respose message = %s.", *respMsg); return ret; } @@ -76,12 +74,10 @@ int32_t SendDevAttestStub(ATTEST_ACTION_TYPE actionType, char **respMsg) if (root == NULL) { return ATTEST_ERR; } - ATTEST_LOG_INFO("[SendDevAttestStub] root name = %s.", root); int32_t ret = GetJsonOjectStringStub(root, ATTEST_MOCK_L2_RESPONSE, respMsg); if (ret != ATTEST_OK) { return ATTEST_ERR; } - ATTEST_LOG_INFO("[SendDevAttestStub] respose message = %s.", *respMsg); return ret; } @@ -180,7 +176,7 @@ char* OsGetUdidStub(void) ret = ATTEST_ERR; break; } - ret = Sha256Value((const unsigned char *)udid, udidSha256, UDID_STRING_LEN + 1); + ret = Sha256Value((const unsigned char *)udid, udidSize, udidSha256, UDID_STRING_LEN + 1); } while (0); ATTEST_MEM_FREE(manufacture); ATTEST_MEM_FREE(model); diff --git a/device_attest/services/core/adapter/attest_adapter_oem.c b/device_attest/services/core/adapter/attest_adapter_oem.c index ee2f9d22565209cef19822e85bcda323b802bc2e..bfc3ad35105508f1d27ec90a38ea9e1d391c0a73 100644 --- a/device_attest/services/core/adapter/attest_adapter_oem.c +++ b/device_attest/services/core/adapter/attest_adapter_oem.c @@ -16,7 +16,6 @@ #include "attest_type.h" #include "attest_utils_file.h" #include "attest_adapter_oem.h" -#include "attest_utils_log.h" // 是否存在重置标记 bool OEMIsResetFlagExist(void) diff --git a/device_attest/services/core/attest/attest_service.c b/device_attest/services/core/attest/attest_service.c index 11e27794393d7dce18656a6adfe2af48582ac0c2..896e5d1aa6949e08ff25edfd27d07d27e7f6b023 100644 --- a/device_attest/services/core/attest/attest_service.c +++ b/device_attest/services/core/attest/attest_service.c 
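Review bot: In `OsGetUdidStub` the hash input length is now `udidSize` instead of `strlen(udid)`, so the digest stays the same only if `udidSize` is exactly the number of UDID bytes written, without the terminator or an unused buffer tail. `udidSize` is assigned outside this hunk, so this cannot be confirmed here; if it is the allocation size, the derived UDID differs from what earlier builds produced and may cover bytes that were never written. A comment at the call, `/* udidSize: bytes actually written to udid, excluding '\0' */`, or passing `(int)strlen(udid)` would pin the contract.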
@@ -127,7 +127,7 @@ static int32_t ActiveToken(AuthResult* authResult) ATTEST_LOG_ERROR("[ActiveToken] Invalid parameter"); return ATTEST_ERR; } - ATTEST_LOG_DEBUG("[ActiveToken] Flush token begin."); + int32_t ret = FlushToken(authResult); if (ret != ATTEST_OK) { ATTEST_LOG_ERROR("[ActiveToken] Flush Token failed, ret = %d.", ret); diff --git a/device_attest/services/core/attest/attest_service_active.c b/device_attest/services/core/attest/attest_service_active.c index eddf63916c6d4b0ea9cb95488fa56f80725e6aaa..c5d7f4b366ececc1c967aa05c190b7ffd181db84 100644 --- a/device_attest/services/core/attest/attest_service_active.c +++ b/device_attest/services/core/attest/attest_service_active.c @@ -38,7 +38,7 @@ int32_t GenActiveMsg(AuthResult* authResult, const ChallengeResult* challengeRes return ATTEST_ERR; } - if (strlen(authResult->ticket) == 0 || strlen(authResult->tokenValue) == 0 || strlen(authResult->ticket) == 0) { + if (strlen(authResult->ticket) == 0 || strlen(authResult->tokenValue) == 0 || strlen(authResult->tokenId) == 0) { ATTEST_LOG_ERROR("[GenActiveMsg] The length of token is 0."); return ATTEST_ERR; } @@ -99,7 +99,7 @@ int32_t ParseActiveResult(const char* jsonStr) ATTEST_LOG_ERROR("[ParseActiveResult] Invalid parameter"); return ATTEST_ERR; } - int32_t errorCode = (int32_t)GetObjectItemValueNumber(jsonStr, "errcode"); + uint64_t errorCode = GetObjectItemValueNumber(jsonStr, "errcode"); if (isnan(errorCode)) { ATTEST_LOG_ERROR("[ParseActiveResult] errorCode is nan."); return ATTEST_ERR; diff --git a/device_attest/services/core/attest/attest_service_auth.c b/device_attest/services/core/attest/attest_service_auth.c index c4e1f281bac705d800e3f7e68379abae8cd1c4b4..ea8fd14aee658778ccfdeb983e1c301e4d13caa0 100644 --- a/device_attest/services/core/attest/attest_service_auth.c +++ b/device_attest/services/core/attest/attest_service_auth.c 
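Review bot: `isnan(errorCode)` in `ParseActiveResult` can never be true now that `errorCode` is a `uint64_t`: the value has already been converted to an integer, and converting a NaN to an integer type is undefined behaviour, so a response without a usable `errcode` is no longer rejected by this check. The same pattern is added in `ParseChallengeResult` (attest_service_challenge.c) and `ParseResetResult` (attest_service_reset.c). Assuming `GetObjectItemValueNumber` returns a floating-point value with NaN as its failure result (its declaration is not in this diff), keep the raw value first, `double errValue = GetObjectItemValueNumber(jsonStr, "errcode");`, test `if (isnan(errValue))`, and convert to an integer only after that check. The rest of each function is outside the hunk, so the later comparisons on `errorCode` should be re-read with the new unsigned type in mind.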
@@ -30,7 +30,7 @@ bool IsAuthStatusChg(void) { ATTEST_LOG_DEBUG("[IsAuthStatusChg] Begin."); char* authStatusBase64 = NULL; - if (GetAuthStatus(&authStatusBase64) != 0) { + if (GetAuthStatus(&authStatusBase64) != ATTEST_OK) { ATTEST_LOG_ERROR("[IsAuthStatusChg] Load auth status failed or status file not exist"); return true; } @@ -344,7 +344,7 @@ uint64_t GetCurrentTime(void) uint64_t currentTime = challengeResult->currentTime; FREE_CHALLENGE_RESULT(challengeResult); - ATTEST_LOG_DEBUG("[GetCloudCurrentTime] End."); + ATTEST_LOG_DEBUG("[GetCurrentTime] End."); return currentTime; } @@ -353,12 +353,12 @@ int32_t CheckVersionChanged(AuthStatus* authStatus) ATTEST_LOG_DEBUG("[CheckVersionChanged] Begin."); if ((authStatus == NULL) || (authStatus->versionId == NULL)) { ATTEST_LOG_ERROR("[CheckVersionChanged] Invalid parameter"); - return false; + return ATTEST_ERR; } char* versionIdFromOs = AttestGetVersionId(); if (versionIdFromOs == NULL) { ATTEST_LOG_ERROR("[CheckVersionChanged] Attest GetVersionId is null"); - return false; + return ATTEST_ERR; } int32_t ret = strcmp(versionIdFromOs, authStatus->versionId); @@ -582,7 +582,7 @@ static int32_t ParseTicket(const cJSON* json, AuthResult* authResult) if (memcpy_s(authResult->ticket, len + 1, item, len + 1) != 0) { ATTEST_MEM_FREE(authResult->ticket); authResult->ticket = NULL; - ATTEST_LOG_ERROR("[ParseAuthStats] ticket memset_s or copy failed"); + ATTEST_LOG_ERROR("[ParseTicket] ticket memset_s or copy failed"); return ATTEST_ERR; } @@ -683,7 +683,7 @@ int32_t GenAuthMsg(ChallengeResult* challengeResult, DevicePacket** devPacket) int32_t ret = PackProductInfo(&devicePacket->productInfo); if (ret != ATTEST_OK) { ATTEST_LOG_ERROR("[GenAuthMsg] Pack ProductInfo failed."); - DestroyDevicePacket(&devicePacket); + FREE_DEVICE_PACKET(devicePacket); return ATTEST_ERR; } *devPacket = devicePacket; 
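Review bot: `CheckVersionChanged` now returns `ATTEST_ERR` on bad input, but its normal path stores the raw `strcmp()` result in `ret`, so an error and a plain version mismatch can end up in the same return space. `strcmp` may return any non-zero value, and what happens to `ret` afterwards is outside the hunk; if it is returned as is, a caller cannot tell "could not read the version" from "version changed". Consider reducing the comparison to two documented outcomes, e.g. `bool same = (strcmp(versionIdFromOs, authStatus->versionId) == 0);`, and add a comment above the function stating the return contract.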
diff --git a/device_attest/services/core/attest/attest_service_challenge.c b/device_attest/services/core/attest/attest_service_challenge.c index 8f98e1e6c025ffc9c9267bc0d8a31ac39b7acf00..87db0f65d8a7894ca4e6f53a4ea07ef642266404 100644 --- a/device_attest/services/core/attest/attest_service_challenge.c +++ b/device_attest/services/core/attest/attest_service_challenge.c @@ -85,7 +85,7 @@ static int32_t ParseChallengeResult(const char* jsonStr, ChallengeResult *challe ATTEST_LOG_ERROR("[ParseChallengeResult] Invalid parameter"); return ATTEST_ERR; } - int32_t errorCode = (int32_t) GetObjectItemValueNumber(jsonStr, "errcode"); + uint64_t errorCode = GetObjectItemValueNumber(jsonStr, "errcode"); if (isnan(errorCode)) { ATTEST_LOG_WARN("[ParseChallengeResult] errorCode is nan."); ATTEST_LOG_ERROR("[ParseChallengeResult] Parse msg failed."); @@ -128,7 +128,7 @@ static int32_t SetChallenge(ChallengeResult* challengeResult, ATTEST_ACTION_TYPE char* respMsg = NULL; ret = SendChallMsg(reqMsg, &respMsg, actionType); - DestroyDevicePacket(&reqMsg); + FREE_DEVICE_PACKET(reqMsg); if (ret != ATTEST_OK) { ATTEST_LOG_ERROR("[SetChallenge] Send Challenge Msg failed"); return ret; diff --git a/device_attest/services/core/attest/attest_service_reset.c b/device_attest/services/core/attest/attest_service_reset.c index 379e0e65e4f55dc3b22fc067f91e8b69c6e9ff4f..f2b3191e985fc9e87a510d4515d0698a87e56267 100644 --- a/device_attest/services/core/attest/attest_service_reset.c +++ b/device_attest/services/core/attest/attest_service_reset.c @@ -44,7 +44,7 @@ int32_t GenResetMsg(ChallengeResult* challengeResult, DevicePacket** devPacket) if (devicePacket == NULL) { ATTEST_LOG_ERROR("[GenResetMsg] Create DevicePacket failed."); return ATTEST_ERR; - } + } devicePacket->appId = StrdupDevInfo(APP_ID); devicePacket->tenantId = StrdupDevInfo(TENANT_ID); devicePacket->randomUuid = StrdupDevInfo(RANDOM_UUID); 
@@ -86,7 +86,7 @@ int32_t ParseResetResult(const char* jsonStr) ATTEST_LOG_ERROR("[ParseResetResult] Invalid parameter"); return ATTEST_ERR; } - int32_t errorCode = (int32_t) GetObjectItemValueNumber(jsonStr, "errcode"); + uint64_t errorCode = GetObjectItemValueNumber(jsonStr, "errcode"); if (isnan(errorCode)) { ATTEST_LOG_ERROR("[ParseResetResult] errorCode is nan."); return ATTEST_ERR; diff --git a/device_attest/services/core/attest_entry.c b/device_attest/services/core/attest_entry.c index 079700158729c0ce6b5159ab7ca379a7859debc3..9894223eb3681c29877b44252924b457378a67f3 100644 --- a/device_attest/services/core/attest_entry.c +++ b/device_attest/services/core/attest_entry.c @@ -25,7 +25,7 @@ int32_t AttestTask(void) // 执行主流程代码 int32_t ret = ProcAttest(); if (ret != ATTEST_OK) { - ATTEST_LOG_ERROR("[AttestTask] Proc Attest failed ret = %d.", ret); + ATTEST_LOG_ERROR("[AttestTask] Proc failed ret = %d.", ret); } // 创建主流程定时器 diff --git a/device_attest/services/core/dfx/attest_dfx.c b/device_attest/services/core/dfx/attest_dfx.c index 74989db61ff30ed5a14b6900baca030fe724f929..655419ce3db94de88d4acd450198a765057170e7 100644 --- a/device_attest/services/core/dfx/attest_dfx.c +++ b/device_attest/services/core/dfx/attest_dfx.c @@ -183,7 +183,7 @@ void PrintAuthResult(AuthResult* authResult) if (authResult->authStatus == NULL) { ATTEST_LOG_WARN("authStatus = null;"); } else { - ATTEST_LOG_INFO_ANONY("authStatus = %s;", authResult->authStatus); + // authResult->authStatus 内容过长,不在打印 } ATTEST_LOG_INFO("----------------------------"); } diff --git a/device_attest/services/core/include/attest_type.h b/device_attest/services/core/include/attest_type.h index d1c92d796afca519e12b01960ad13b311fd3e8b0..3121168067030d13c7b228ab40e204799614e56a 100644 --- a/device_attest/services/core/include/attest_type.h +++ b/device_attest/services/core/include/attest_type.h 
@@ -88,9 +88,9 @@ typedef struct { // 认证返回结果中的authStatus结构 typedef struct { char* versionId; + char* authType; int32_t softwareResult; int32_t hardwareResult; - char* authType; uint64_t expireTime; // 项目新增字段,参考接口文档 } AuthStatus; diff --git a/device_attest/services/core/include/security/attest_security.h b/device_attest/services/core/include/security/attest_security.h index 91f806bbde7ac94bafd4733142de58045d9dc1dd..e86d69d3baae6bd33dc5c4153960228d74a14461 100644 --- a/device_attest/services/core/include/security/attest_security.h +++ b/device_attest/services/core/include/security/attest_security.h @@ -21,7 +21,6 @@ #include "ctr_drbg.h" #include "hkdf.h" #include "md.h" -#include "md_internal.h" #include "sha256.h" #include "entropy.h" diff --git a/device_attest/services/core/include/utils/attest_utils.h b/device_attest/services/core/include/utils/attest_utils.h index fcc4c52c5ef01e7171ef801a08adb5abf7e30e6a..50bd73096bf76e52a3e74dbeb10f6822b745b56f 100644 --- a/device_attest/services/core/include/utils/attest_utils.h +++ b/device_attest/services/core/include/utils/attest_utils.h @@ -49,7 +49,7 @@ int32_t ToLowerStr(char* str, int len); int32_t StrToHex(char *pbDest, char *pbSrc, int nLen); -int Sha256Value(const unsigned char *src, char *dest, int destLen); +int Sha256Value(const unsigned char *src, int srcLen, char *dest, int destLen); int32_t AnonymiseStr(char* str); diff --git a/device_attest/services/core/include/utils/attest_utils_timer.h b/device_attest/services/core/include/utils/attest_utils_timer.h index 64810ac03e4090e58bf49fb1875c5744d8f354c1..27f75ea0e65d55aa4157c74cfbbeefd848e42732 100644 --- a/device_attest/services/core/include/utils/attest_utils_timer.h +++ b/device_attest/services/core/include/utils/attest_utils_timer.h @@ -34,7 +34,7 @@ typedef int32_t (*TimerCallbackFunc)(void); typedef enum { ATTEST_TIMER_TYPE_ONCE = 0, - ATTEST_TIMER_TYPE_PERIOD, + ATTEST_TIMER_TYPE_PERIOD, } AttestTimerType; typedef struct { timer_t timerId; 
diff --git a/device_attest/services/core/security/attest_security.c b/device_attest/services/core/security/attest_security.c index 13b66b6d89a84e0206f719b6f483964fcb561f08..296135580743d420a2bf0e7b2545969559431461 100644 --- a/device_attest/services/core/security/attest_security.c +++ b/device_attest/services/core/security/attest_security.c @@ -42,7 +42,7 @@ int32_t Base64Encode(const uint8_t* srcData, size_t srcDataLen, uint8_t* base64E size_t outLen = 0; int32_t ret = mbedtls_base64_encode(NULL, 0, &outLen, srcData, srcDataLen); - if ((outLen == 0) || (outLen > (base64EncodeLen + 1))) { + if ((outLen == 0) || (outLen > (size_t)(base64EncodeLen + 1))) { ATTEST_LOG_ERROR("[Base64Encode] Base64 encode get outLen failed, outLen = %u, ret = -0x00%x", outLen, -ret); return ERR_ATTEST_SECURITY_BASE64_ENCODE; } @@ -183,7 +183,7 @@ int32_t GetAesKey(const SecurityParam* salt, const VersionData* versionData, co return ret; } -// AES-1238-CBC-PKCS#7加密 +// AES-128-CBC-PKCS#7加密 static int32_t EncryptAesCbc(AesCryptBufferDatas* datas, const uint8_t* aesKey, const char* iv, size_t ivLen) { @@ -240,7 +240,7 @@ static int32_t EncryptAesCbc(AesCryptBufferDatas* datas, const uint8_t* aesKey, return ret; } -// AES-1238-CBC-PKCS#7解密 +// AES-128-CBC-PKCS#7解密 static int32_t DecryptAesCbc(AesCryptBufferDatas* datas, const uint8_t* aesKey, const uint8_t* iv, size_t ivLen) { diff --git a/device_attest/services/core/security/attest_security_ticket.c b/device_attest/services/core/security/attest_security_ticket.c index 6b9ef7afc455715a7e57d43ea35b09c8f0cfd914..8633067be52197650db96050532b4f0c0ad8e771 100644 --- a/device_attest/services/core/security/attest_security_ticket.c +++ b/device_attest/services/core/security/attest_security_ticket.c 
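Review bot: In `Base64Encode` the new cast `(size_t)(base64EncodeLen + 1)` is applied after the addition, so the `+ 1` is still evaluated in the parameter's own type, which is cut off in the hunk header. If that type is signed, a negative value becomes a very large bound and the size check passes; `(size_t)base64EncodeLen + 1` is the safer form for an unsigned parameter, and a signed one needs an explicit `< 0` rejection first. The error log on the next line also prints the `size_t` `outLen` with `%u`; use `%zu` or cast the argument to `unsigned int`.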
@@ -28,8 +28,7 @@ int32_t WriteTicketToDevice(const char* ticket, uint8_t ticketLen) uint8_t ticketData[ENCRYPT_LEN + 1] = {0}; uint8_t encryptedData[BASE64_LEN] = {0}; uint8_t salt[SALT_LEN] = {0}; - TicketInfo ticketInfo; - + if ((ticket == NULL) || (ticketLen < MIN_TICKET_LEN) || (ticketLen >= MAX_TICKET_LEN)) { ATTEST_LOG_ERROR("[WriteTicketToDevice] Input Parameter."); return ERR_ATTEST_SECURITY_INVALID_ARG; @@ -47,17 +46,15 @@ int32_t WriteTicketToDevice(const char* ticket, uint8_t ticketLen) ATTEST_LOG_ERROR("[WriteTicketToDevice] Get AesKey fail."); return ERR_ATTEST_SECURITY_GEN_AESKEY; } - (void)memset_s(&ticketInfo, sizeof(TicketInfo), 0, sizeof(TicketInfo)); - if (ret != ATTEST_OK) { - ATTEST_LOG_ERROR("[WriteTicketToDevice] ticketInfo memset_s fail."); - return ERR_ATTEST_SECURITY_MEM_MEMSET; - } + ret = Encrypt(ticketData, ticketLen, aesKey, encryptedData, BASE64_LEN); if (ret != ATTEST_OK) { ATTEST_LOG_ERROR("[WriteTicketToDevice] ticketData Encrypt fail."); return ERR_ATTEST_SECURITY_ENCRYPT; } + TicketInfo ticketInfo; + (void)memset_s(&ticketInfo, sizeof(TicketInfo), 0, sizeof(TicketInfo)); if (memcpy_s(ticketInfo.ticket, sizeof(ticketInfo.ticket), encryptedData, BASE64_LEN) != 0 || memcpy_s(ticketInfo.salt, sizeof(ticketInfo.salt), salt, SALT_LEN) != 0) { ATTEST_LOG_ERROR("[WriteTicketToDevice] ticket or salt memcpy_s fail."); diff --git a/device_attest/services/core/utils/attest_utils.c b/device_attest/services/core/utils/attest_utils.c index c0843a8c7462460474d90381dfdc32adac64492b..6c3e9d897ecd676a95727b9edf3d64ca91df10f1 100644 --- a/device_attest/services/core/utils/attest_utils.c +++ b/device_attest/services/core/utils/attest_utils.c @@ -18,6 +18,7 @@ #include "mbedtls/ctr_drbg.h" #include "mbedtls/entropy.h" #include "mbedtls/sha256.h" +#include "mbedtls/version.h" #include "attest_utils_log.h" #include "attest_utils_memleak.h" #include "attest_utils.h" 
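Review bot: The `Encrypt` failure return in `WriteTicketToDevice` leaves `aesKey` and the plaintext copy in `ticketData` on the stack without clearing them. The end of the function is outside this hunk, so a cleanup on the success path may exist, but the early `return ERR_ATTEST_SECURITY_ENCRYPT;` shown here has none. If `aesKey` is a local array, wipe both buffers before each return once the key has been derived, e.g. `(void)memset_s(aesKey, sizeof(aesKey), 0, sizeof(aesKey));` and `(void)memset_s(ticketData, sizeof(ticketData), 0, sizeof(ticketData));`, ideally through a single exit label.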
@@ -25,6 +26,12 @@ #define DEV_BUF_LENGTH 3 #define HASH_LENGTH 32 +#if defined(MBEDTLS_VERSION_NUMBER) && (MBEDTLS_VERSION_NUMBER >= 0x03000000) +#define mbedtls_sha256_starts_ret mbedtls_sha256_starts +#define mbedtls_sha256_update_ret mbedtls_sha256_update +#define mbedtls_sha256_finish_ret mbedtls_sha256_finish +#endif + int32_t GetRandomNum(void) { mbedtls_ctr_drbg_context randomContext; @@ -49,9 +56,8 @@ int32_t GetRandomNum(void) break; } - int i; result = random[randomBytes - 1]; - for (i = randomBytes - 2; i >= 0; --i) { + for (int i = randomBytes - 2; i >= 0; --i) { result <<= 8; result |= random[i]; } @@ -167,8 +173,7 @@ int32_t ToLowerStr(char* str, int len) return ATTEST_ERR; } - int i; - for (i = 0; i < len; i++) { + for (int i = 0; i < len; i++) { str[i] = tolower(str[i]); } return ATTEST_OK; @@ -208,18 +213,18 @@ int32_t StrToHex(char *pbDest, char *pbSrc, int nLen) return ATTEST_OK; } -int Sha256Value(const unsigned char *src, char *dest, int destLen) +int Sha256Value(const unsigned char *src, int srcLen, char *dest, int destLen) { if (src == NULL) { return ATTEST_ERR; } - char buf[DEV_BUF_LENGTH]; - unsigned char hash[HASH_LENGTH]; + char buf[DEV_BUF_LENGTH] = {0}; + unsigned char hash[HASH_LENGTH] = {0}; mbedtls_sha256_context context; mbedtls_sha256_init(&context); mbedtls_sha256_starts_ret(&context, 0); - mbedtls_sha256_update_ret(&context, src, strlen((const char *)src)); + mbedtls_sha256_update_ret(&context, src, srcLen); mbedtls_sha256_finish_ret(&context, hash); for (size_t i = 0; i < HASH_LENGTH; i++) { diff --git a/device_attest/services/core/utils/attest_utils_log.c b/device_attest/services/core/utils/attest_utils_log.c index c4ffdea9006830640cdee19ee47e8546e836ef53..f8936ad30f0f966946a837471e3329b414cdd37f 100644 --- a/device_attest/services/core/utils/attest_utils_log.c +++ b/device_attest/services/core/utils/attest_utils_log.c 
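Review bot: `str[i] = tolower(str[i]);` in `ToLowerStr` passes a plain `char` to `tolower`, which is undefined for negative values other than EOF on platforms where `char` is signed. Since the loop header is being rewritten anyway, the body could become `str[i] = (char)tolower((unsigned char)str[i]);`.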
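Review bot: `Sha256Value` takes the new `srcLen` as a signed `int` and passes it straight to `mbedtls_sha256_update_ret`, whose length parameter is `size_t`, so a negative length from a caller becomes a huge read past `src`. The return codes of the three mbedtls calls are also ignored, so a failed hash would be hex-encoded as if it were valid. Reject negative lengths up front and propagate hashing errors, as sketched below. The function continues outside the hunk, so whether `dest`/`destLen` are validated and the context is freed there could not be checked. The prototype in attest_utils.h changes the same way and would ideally use `size_t` for both lengths.

```c
int Sha256Value(const unsigned char *src, int srcLen, char *dest, int destLen)
{
    if (src == NULL || srcLen < 0) {
        return ATTEST_ERR;
    }
    /* … unchanged: buf and hash declarations … */
    mbedtls_sha256_context context;
    mbedtls_sha256_init(&context);
    if (mbedtls_sha256_starts_ret(&context, 0) != 0 ||
        mbedtls_sha256_update_ret(&context, src, (size_t)srcLen) != 0 ||
        mbedtls_sha256_finish_ret(&context, hash) != 0) {
        mbedtls_sha256_free(&context);
        return ATTEST_ERR;
    }
    /* … unchanged: hex-encoding loop over hash … */
```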
@@ -56,7 +56,7 @@ void AttestLog(AttestLogLevel logLevel, const char* fmt, ...) int32_t ret = vsprintf_s(outStr, sizeof(outStr), fmt, arg); va_end(arg); if (ret < 0) { - AttestLogPrint(logLevel, "Attest log length error."); + AttestLogPrint(logLevel, "log length error."); return; } AttestLogPrint(logLevel, outStr); @@ -73,7 +73,7 @@ void AttestLogAnonyStr(AttestLogLevel logLevel, const char* fmt, const char* str } int32_t ret = AnonymiseStr(strDup); if (ret != ATTEST_OK) { - ATTEST_LOG_ERROR("[AttestLogAnony] AnonymiseStr failed, ret = %d;", ret); + ATTEST_LOG_ERROR("[AttestLogAnonyStr] AnonymiseStr failed, ret = %d;", ret); ATTEST_MEM_FREE(strDup); return; } @@ -81,7 +81,7 @@ void AttestLogAnonyStr(AttestLogLevel logLevel, const char* fmt, const char* str ret = sprintf_s(outStr, sizeof(outStr), fmt, strDup); ATTEST_MEM_FREE(strDup); if (ret < 0) { - AttestLogPrint(logLevel, "[AttestLogAnony] Attest anony str length error."); + AttestLogPrint(logLevel, "[AttestLogAnonyStr] Attest anony str length error."); return; } AttestLogPrint(logLevel, outStr); diff --git a/device_attest/services/core/utils/attest_utils_memleak.c b/device_attest/services/core/utils/attest_utils_memleak.c index 7e7dfe967885405afef6d838e8cd8c180392a081..6f595d85da6898f7f0110f8c649c57cce6108e0a 100644 --- a/device_attest/services/core/utils/attest_utils_memleak.c +++ b/device_attest/services/core/utils/attest_utils_memleak.c @@ -48,6 +48,7 @@ int32_t InitMemNodeList(void) if (list == NULL) { return ATTEST_ERR; } + (void)memset_s(list, sizeof(List), 0, sizeof(List)); list->head = NULL; g_memNodeList = list; return ATTEST_OK; diff --git a/device_attest/services/devattest_ability/BUILD.gn b/device_attest/services/devattest_ability/BUILD.gn index 3b9647ce63c45d75e213c752386924267019f779..bf6ae35c915dbcbcff1ddb463c565dfd15b6c89a 100644 --- a/device_attest/services/devattest_ability/BUILD.gn +++ b/device_attest/services/devattest_ability/BUILD.gn 
@@ -46,14 +46,15 @@ ohos_shared_library("devattest_service") { ] deps = [ - "//utils/native/base:utils", "${devattest_path}/services/core:devattest_core", ] external_deps = [ + "c_utils:utils", "hiviewdfx_hilog_native:libhilog", "ipc:ipc_core", "safwk:system_ability_fwk", + "samgr:samgr_common", "samgr:samgr_proxy", "netmanager_base:net_conn_manager_if", ] diff --git a/device_attest/services/etc/init/devattest_service.rc b/device_attest/services/etc/init/devattest_service.rc index 8040b8b79715e0e9151fd7efbce1caf0eaa19703..eec0b91bdfcfa670c74d4319de6eabbe551a1008 100644 --- a/device_attest/services/etc/init/devattest_service.rc +++ b/device_attest/services/etc/init/devattest_service.rc @@ -11,7 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -service devattest_service_sa /system/bin/sa_main /system/profile/devattest_service.xml +service devattest_service /system/bin/sa_main /system/profile/devattest_service.xml class z_core user root group system shell diff --git a/device_attest/services/sa_profile/BUILD.gn b/device_attest/services/sa_profile/BUILD.gn index f61040f5a6a675c9828cce5da207106af530e891..e42fbbbbfdbbacff21443f4cb7750f8adafc3f9f 100644 --- a/device_attest/services/sa_profile/BUILD.gn +++ b/device_attest/services/sa_profile/BUILD.gn @@ -11,8 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -import("//build/ohos.gni") -import("//test/xts/device_attest/build/devattestconfig.gni") +import("//build/ohos/sa_profile/sa_profile.gni") ohos_sa_profile("devattest_sa_profile") { sources = [ "7100.xml" ] diff --git a/device_attest/test/data/attest_mock_network_para b/device_attest/test/data/attest_mock_network_para index f7b07e26771f2eaee936310ce1e5d7ff46d3ed43..6efa9927f19b6b381fc0545dd6a673146153360a 100644 --- a/device_attest/test/data/attest_mock_network_para +++ b/device_attest/test/data/attest_mock_network_para 
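Review bot: The renamed `devattest_service` stanza still starts the attestation service with `user root` and `group system shell`, which is more privilege than a service that opens network connections and parses server responses should hold. Nothing in this diff shows a need for root or for the `shell` group; the remainder of the stanza is outside the hunk. Consider a dedicated service uid with only the groups it needs, and a comment in the .rc file recording why any elevated identity is required.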
@@ -20,7 +20,7 @@ "challenge": { "currentTime": 1647914836482, "challenge": "b39b752290266b95acedde9b2f89fa5ebea6e060d509b0b20d07c922bcea7b64", - "errcode": 1 + "errcode": 0 }, "response": { "ticket": "ujlrjJ6loo16/32VSKj9hZ+vDpiPgt+L", diff --git a/device_attest/test/unittest/BUILD.gn b/device_attest/test/unittest/BUILD.gn index 3fa74996a7fc19dc935eef2c385cf41c5d948de1..7bd985e9d95a226c8f218553f9517e39af44e9ec 100644 --- a/device_attest/test/unittest/BUILD.gn +++ b/device_attest/test/unittest/BUILD.gn @@ -24,6 +24,7 @@ config("module_private_config") { "${devattest_path}/services/core/include/security", "${devattest_path}/services/core/include/network", "${devattest_path}/services/core/include/utils", + "//utils/native/base/include", ] defines = [] if (enable_attest_debug_memory_leak) { @@ -38,10 +39,10 @@ deps_in = [ "//third_party/mbedtls:mbedtls_shared", "//third_party/googletest:gtest_main", "//third_party/googletest:gmock", - "//utils/native/base:utils" ] deps_ex = [ + "c_utils:utils", "hiviewdfx_hilog_native:libhilog", "ipc:ipc_core", "safwk:system_ability_fwk", diff --git a/devicetoken/hal/BUILD.gn b/devicetoken/hal/BUILD.gn index f09cc1fc1eefa4fef2717fcaf5b571571eb03006..76dbc1d0f6a368a25c7823f0f299a5ef42642ea3 100644 --- a/devicetoken/hal/BUILD.gn +++ b/devicetoken/hal/BUILD.gn @@ -31,9 +31,9 @@ ohos_shared_library("hal_token") { if (is_standard_system) { external_deps = [ - "device_driver_framework:libhdf_utils", + "hdf_core:libhdf_utils", "hiviewdfx_hilog_native:libhilog", - "utils_base:utils", + "c_utils:utils", ] } else { external_deps = [ "hilog:libhilog" ] diff --git a/sepolicy/ohos_policy/xts/device_attest/system/devattest_service.te b/sepolicy/ohos_policy/xts/device_attest/system/devattest_service.te new file mode 100644 index 0000000000000000000000000000000000000000..89efc15dec991e46c540a3400fcaa7e69ce14019 --- /dev/null +++ b/sepolicy/ohos_policy/xts/device_attest/system/devattest_service.te 
@@ -0,0 +1,83 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type devattest_service, sadomain, domain;
+type devattest_service_exec, system_file_attr, exec_attr, file_attr;
+
+init_daemon_domain(devattest_service);
+
+allow storage_daemon hmdfs:dir { mounton };
+allow foundation storage_manager:dir { open read write };
+allow foundation storage_manager:file { open read write };
+allow netsysnative netmanager:tcp_socket { create read write getopt setopt };
+allow normal_hap devattest_service:fd { use };
+
+allow devattest_service data_file:dir { search };
+allow devattest_service data_data_file:dir { search getattr add_name open read remove_name search write create };
+allow devattest_service data_data_file:file { append map open read create write getattr setattr unlink lock ioctl rename };
+allow devattest_service data_ota_package:dir { append ioctl open read add_name search write remove_name };
+allow devattest_service data_ota_package:file { append create ioctl open read rename unlink };
+allow devattest_service dev_file:sock_file { write };
+
+allow devattest_service netsysnative:unix_stream_socket { connectto };
+allow devattest_service port:tcp_socket { name_connect };
+allow devattest_service devattest_service:tcp_socket { connect create read setopt write getopt getattr };
+allow devattest_service devattest_service:udp_socket { create bind connect getattr read write };
+
+allow devattest_service accesstoken_service:binder { call };
+allow devattest_service foundation:binder { call transfer };
+allow devattest_service netmanager:binder { call transfer };
+allow devattest_service softbus_server:binder { call };
+allow devattest_service system_basic_hap:binder { call };
+allow system_core_hap devattest_service:binder { call transfer };
+allow devattest_service system_core_hap:binder { call transfer };
+allow devattest_service normal_hap:binder { call transfer };
+allow devattest_service hdf_devmgr:binder { call transfer };
+allow devattest_service devicetoken_host:binder { call transfer };
+
+allow devattest_service data_dhcp:dir { add_name remove_name search write create };
+allow devattest_service data_dhcp:file { create getattr ioctl lock open read setattr unlink write };
+allow devattest_service data_misc:dir { add_name search write };
+allow devattest_service data_misc:file { create ioctl open read write };
+allow devattest_service data_misc:sock_file { write };
+allow devattest_service accessibility_param:file { read };
+allow devattest_service dev_unix_socket:dir { search };
+allow devattest_service system_bin_file:dir { search };
+allow devattest_service system_bin_file:file { execute execute_no_trans map read open };
+
+allow devattest_service node:udp_socket { node_bind };
+allow devattest_service port:udp_socket { name_bind };
+allow devattest_service wifi_hal_service:unix_stream_socket { connectto };
+allow devattest_service kernel:unix_stream_socket { connectto };
+
+allow devattest_service devattest_service:netlink_route_socket { create nlmsg_read read write };
+allow devattest_service devattest_service:packet_socket { bind create read write };
+allow devattest_service devattest_service:udp_socket { bind create ioctl setopt getopt read write };
+allow devattest_service devattest_service:unix_dgram_socket { ioctl getopt setopt };
+allowxperm devattest_service data_dhcp:file ioctl { 0x5413 };
+allowxperm devattest_service data_misc:file ioctl { 0x5413 };
+allowxperm devattest_service devattest_service:udp_socket ioctl { 0x890B 0x8913 0x8915 0x8916 0x891b 0x891c 0x8927 0x8933 };
+allowxperm devattest_service devattest_service:unix_dgram_socket ioctl { 0x8910 };
+
+allow devattest_service paramservice_socket:sock_file { write create setattr getattr relabelto };
+allow devattest_service attest_auth_result_param:file { map open read };
+allow devattest_service attest_auth_result_param:parameter_service { set };
+
+allow devattest_service sa_devattest_service:samgr_class { add };
+allow devattest_service sa_net_conn_manager:samgr_class { get };
+allow devattest_service sa_device_service_manager:samgr_class { get };
+allow devattest_service hdf_devicetoken_driver_service:hdf_devmgr_class { get };
+allow devattest_service hdf_device_manager:hdf_devmgr_class { get };
+
+# [ 18.469899] audit: type=1400 audit(1668560965.423:331): avc: denied { call } for pid=349 comm="netmanager" scontext=u:r:netmanager:s0 tcontext=u:r:devattest_service:s0 tclass=binder permissive=0
+allow netmanager devattest_service:binder { call };
diff --git a/sepolicy/ohos_policy/xts/device_attest/system/devicetoken_host.te b/sepolicy/ohos_policy/xts/device_attest/system/devicetoken_host.te
new file mode 100644
index 0000000000000000000000000000000000000000..b6d391a1c1e2bace7dc4261f508f2a88286ae540
--- /dev/null
+++ b/sepolicy/ohos_policy/xts/device_attest/system/devicetoken_host.te
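Review bot: The first rule group after `init_daemon_domain(devattest_service);` widens domains that have nothing to do with this service: `allow storage_daemon hmdfs:dir { mounton };`, the two `allow foundation storage_manager:...` rules and `allow netsysnative netmanager:tcp_socket { ... }` name devattest_service neither as source nor as target. They look like denials collected from an unrelated audit log, so I would drop them here or move each one to the policy file of the domain it loosens, where its owner can review it. Further down, `system_bin_file:file { execute execute_no_trans map read open }`, the write/unlink/rename set on `data_ota_package` and the `packet_socket` rule are broad for a service that the .rc file in this commit starts as `user root`. Each of those groups should carry a comment quoting the denial that required it, as the final `netmanager` rule already does, so that a later reviewer can tell needed access from copied access.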
@@ -0,0 +1,23 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow devicetoken_host samgr:binder { call transfer };
+allow devicetoken_host hdf_devmgr:binder { call transfer };
+
+allow devicetoken_host sa_device_service_manager:samgr_class { get };
+allow devicetoken_host hdf_devicetoken_driver_service:hdf_devmgr_class { add };
+
+allow devicetoken_host dev_unix_socket:dir { search };
+allow devicetoken_host data_file:dir { search };
+allow devicetoken_host data_data_file:dir { search getattr add_name open read remove_name search write create };
+allow devicetoken_host data_data_file:file { append map open read create write getattr setattr unlink lock ioctl rename };
diff --git a/sepolicy/ohos_policy/xts/device_attest/system/hdf_devmgr.te b/sepolicy/ohos_policy/xts/device_attest/system/hdf_devmgr.te
new file mode 100644
index 0000000000000000000000000000000000000000..b912e280a60e807a5e1e0d613a9297b132e225e3
--- /dev/null
+++ b/sepolicy/ohos_policy/xts/device_attest/system/hdf_devmgr.te
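Review bot: The last two rules give devicetoken_host create/write/unlink/rename on the generic `data_data_file` label, and devattest_service.te in this commit grants devattest_service the identical permission lists on the same label. If the device token is kept under that label (inferred from the domain name; the path is not visible here), any other domain already allowed on `data_data_file` can read or replace it. I would give the token store a dedicated type with its own file_contexts entry (placeholder name `<devicetoken_data_file>`) and allow only these two domains on it. The dir rule also lists `search` twice.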
@@ -0,0 +1,22 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+allow hdf_devmgr devattest_service:binder { call transfer };
+allow hdf_devmgr devattest_service:process { getattr };
+allow hdf_devmgr devattest_service:dir { search getattr add_name open read remove_name search write create };
+allow hdf_devmgr devattest_service:file { append map open read create write getattr setattr unlink lock ioctl rename };
+
+allow hdf_devmgr devicetoken_host:binder { call transfer };
+allow hdf_devmgr devicetoken_host:process { getattr };
+allow hdf_devmgr devicetoken_host:dir { search };
+allow hdf_devmgr devicetoken_host:file { open read write };
diff --git a/sepolicy/ohos_policy/xts/device_attest/system/parameter.te b/sepolicy/ohos_policy/xts/device_attest/system/parameter.te
new file mode 100644
index 0000000000000000000000000000000000000000..d1e14659bd9e6cc09d27034160b5374475e71dea
--- /dev/null
+++ b/sepolicy/ohos_policy/xts/device_attest/system/parameter.te
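Review bot: The `devattest_service:dir` and `devattest_service:file` rules carry the full create/write/unlink/rename permission lists, the same lists used for `data_data_file` in devicetoken_host.te, while the parallel devicetoken_host rules below them need only `{ search }` and `{ open read write }`. Objects labelled with a process domain type are normally that process's /proc entries, so hdf_devmgr is unlikely to need to create, rename or unlink anything there. Unless an audit log shows otherwise, I would narrow the pair to `allow hdf_devmgr devattest_service:dir { search };` and `allow hdf_devmgr devattest_service:file { open read };`, adding further permissions only where a denial is recorded.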
@@ -0,0 +1,14 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+type attest_auth_result_param, parameter_attr;
diff --git a/sepolicy/ohos_policy/xts/device_attest/system/parameter_contexts b/sepolicy/ohos_policy/xts/device_attest/system/parameter_contexts
new file mode 100644
index 0000000000000000000000000000000000000000..1b9e6b8493c0cbb170b00b3f83a9d87cfe32d4ff
--- /dev/null
+++ b/sepolicy/ohos_policy/xts/device_attest/system/parameter_contexts
@@ -0,0 +1,14 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+attest.auth.result u:object_r:attest_auth_result_param:s0