• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define LOG_TAG "RemoteGateKeeper"
18 
19 #include "remote_gatekeeper.h"
20 
21 #include <endian.h>
22 #include <limits>
23 
24 #include <android-base/logging.h>
25 #include <gatekeeper/password_handle.h>
26 #include <hardware/hw_auth_token.h>
27 
28 namespace aidl::android::hardware::gatekeeper {
29 
30 using ::gatekeeper::ERROR_INVALID;
31 using ::gatekeeper::ERROR_MEMORY_ALLOCATION_FAILED;
32 using ::gatekeeper::ERROR_NONE;
33 using ::gatekeeper::ERROR_RETRY;
34 using ::gatekeeper::ERROR_UNKNOWN;
35 using ::gatekeeper::SizedBuffer;
36 
RemoteGateKeeperDevice(cuttlefish::SharedFdGatekeeperChannel * channel)37 RemoteGateKeeperDevice::RemoteGateKeeperDevice(
38     cuttlefish::SharedFdGatekeeperChannel* channel)
39     : gatekeeper_channel_(channel), error_(0) {}
40 
~RemoteGateKeeperDevice()41 RemoteGateKeeperDevice::~RemoteGateKeeperDevice() {}
42 
vec2sized_buffer(const std::vector<uint8_t> & vec)43 SizedBuffer vec2sized_buffer(const std::vector<uint8_t>& vec) {
44     if (vec.size() == 0 || vec.size() > std::numeric_limits<uint32_t>::max()) return {};
45     auto unused = new uint8_t[vec.size()];
46     std::copy(vec.begin(), vec.end(), unused);
47     return {unused, static_cast<uint32_t>(vec.size())};
48 }
49 
sizedBuffer2AidlHWToken(SizedBuffer & buffer,android::hardware::security::keymint::HardwareAuthToken * aidlToken)50 void sizedBuffer2AidlHWToken(SizedBuffer& buffer,
51                              android::hardware::security::keymint::HardwareAuthToken* aidlToken) {
52     const hw_auth_token_t* authToken =
53         reinterpret_cast<const hw_auth_token_t*>(buffer.Data<uint8_t>());
54     aidlToken->challenge = authToken->challenge;
55     aidlToken->userId = authToken->user_id;
56     aidlToken->authenticatorId = authToken->authenticator_id;
57     // these are in network order: translate to host
58     aidlToken->authenticatorType =
59         static_cast<android::hardware::security::keymint::HardwareAuthenticatorType>(
60             be32toh(authToken->authenticator_type));
61     aidlToken->timestamp.milliSeconds = be64toh(authToken->timestamp);
62     aidlToken->mac.insert(aidlToken->mac.begin(), std::begin(authToken->hmac),
63                           std::end(authToken->hmac));
64 }
65 
66 ::ndk::ScopedAStatus
enroll(int32_t uid,const std::vector<uint8_t> & currentPasswordHandle,const std::vector<uint8_t> & currentPassword,const std::vector<uint8_t> & desiredPassword,GatekeeperEnrollResponse * rsp)67 RemoteGateKeeperDevice::enroll(int32_t uid, const std::vector<uint8_t>& currentPasswordHandle,
68                                const std::vector<uint8_t>& currentPassword,
69                                const std::vector<uint8_t>& desiredPassword,
70                                GatekeeperEnrollResponse* rsp) {
71     if (error_ != 0) {
72         LOG(ERROR) << "Gatekeeper in invalid state";
73         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
74     }
75 
76     if (desiredPassword.size() == 0) {
77         LOG(ERROR) << "Desired password size is 0";
78         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
79     }
80 
81     if (currentPasswordHandle.size() > 0) {
82         if (currentPasswordHandle.size() != sizeof(::gatekeeper::password_handle_t)) {
83             LOG(ERROR) << "Password handle has wrong length";
84             return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
85         }
86     }
87 
88     EnrollRequest request(uid, vec2sized_buffer(currentPasswordHandle),
89                           vec2sized_buffer(desiredPassword), vec2sized_buffer(currentPassword));
90     EnrollResponse response;
91     auto error = Send(request, &response);
92     if (error != ERROR_NONE) {
93         LOG(ERROR) << "Enroll request gave error: " << error;
94         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
95     } else if (response.error == ERROR_RETRY) {
96         LOG(ERROR) << "Enroll response has a retry error";
97         *rsp = {ERROR_RETRY_TIMEOUT, static_cast<int32_t>(response.retry_timeout), 0, {}};
98         return ndk::ScopedAStatus::ok();
99     } else if (response.error != ERROR_NONE) {
100         LOG(ERROR) << "Enroll response has an error: " << response.error;
101         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
102     } else {
103         const ::gatekeeper::password_handle_t* password_handle =
104             response.enrolled_password_handle.Data<::gatekeeper::password_handle_t>();
105         *rsp = {STATUS_OK,
106                 0,
107                 static_cast<int64_t>(password_handle->user_id),
108                 {response.enrolled_password_handle.Data<uint8_t>(),
109                  (response.enrolled_password_handle.Data<uint8_t>() +
110                   response.enrolled_password_handle.size())}};
111     }
112     return ndk::ScopedAStatus::ok();
113 }
114 
verify(int32_t uid,int64_t challenge,const std::vector<uint8_t> & enrolledPasswordHandle,const std::vector<uint8_t> & providedPassword,GatekeeperVerifyResponse * rsp)115 ::ndk::ScopedAStatus RemoteGateKeeperDevice::verify(
116     int32_t uid, int64_t challenge, const std::vector<uint8_t>& enrolledPasswordHandle,
117     const std::vector<uint8_t>& providedPassword, GatekeeperVerifyResponse* rsp) {
118     if (error_ != 0) {
119         LOG(ERROR) << "Gatekeeper in invalid state";
120         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
121     }
122 
123     if (enrolledPasswordHandle.size() == 0) {
124         LOG(ERROR) << "Enrolled password size is 0";
125         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
126     }
127 
128     if (enrolledPasswordHandle.size() > 0) {
129         if (enrolledPasswordHandle.size() != sizeof(::gatekeeper::password_handle_t)) {
130             LOG(ERROR) << "Password handle has wrong length";
131             return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
132         }
133     }
134 
135     VerifyRequest request(uid, challenge, vec2sized_buffer(enrolledPasswordHandle),
136                           vec2sized_buffer(providedPassword));
137     VerifyResponse response;
138 
139     auto error = Send(request, &response);
140     if (error != ERROR_NONE) {
141         LOG(ERROR) << "Verify request gave error: " << error;
142         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
143     } else if (response.error == ERROR_RETRY) {
144         LOG(ERROR) << "Verify request response gave retry error";
145         *rsp = {ERROR_RETRY_TIMEOUT, static_cast<int32_t>(response.retry_timeout), {}};
146         return ndk::ScopedAStatus::ok();
147     } else if (response.error != ERROR_NONE) {
148         LOG(ERROR) << "Verify request response gave error: " << response.error;
149         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
150     } else {
151         // On Success, return GatekeeperVerifyResponse with Success Status, timeout{0} and
152         // valid HardwareAuthToken.
153         *rsp = {response.request_reenroll ? STATUS_REENROLL : STATUS_OK, 0, {}};
154         // Convert the hw_auth_token_t to HardwareAuthToken in the response.
155         sizedBuffer2AidlHWToken(response.auth_token, &rsp->hardwareAuthToken);
156     }
157     return ndk::ScopedAStatus::ok();
158 }
159 
deleteUser(int32_t)160 ::ndk::ScopedAStatus RemoteGateKeeperDevice::deleteUser(int32_t /*uid*/) {
161     LOG(ERROR) << "deleteUser is unimplemented";
162     return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED));
163 }
164 
deleteAllUsers()165 ::ndk::ScopedAStatus RemoteGateKeeperDevice::deleteAllUsers() {
166     LOG(ERROR) << "deleteAllUsers is unimplemented";
167     return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED));
168 }
169 
Send(uint32_t command,const GateKeeperMessage & request,GateKeeperMessage * response)170 gatekeeper_error_t RemoteGateKeeperDevice::Send(uint32_t command, const GateKeeperMessage& request,
171                                                 GateKeeperMessage* response) {
172     if (!gatekeeper_channel_->SendRequest(command, request)) {
173         LOG(ERROR) << "Failed to send request";
174         return ERROR_UNKNOWN;
175     }
176     auto remote_response = gatekeeper_channel_->ReceiveMessage();
177     if (!remote_response) {
178         LOG(ERROR) << "Failed to receive response";
179         return ERROR_UNKNOWN;
180     }
181     const uint8_t* buffer = remote_response->payload;
182     const uint8_t* buffer_end = remote_response->payload + remote_response->payload_size;
183     auto rc = response->Deserialize(buffer, buffer_end);
184     if (rc != ERROR_NONE) {
185         LOG(ERROR) << "Failed to deserialize keymaster response: " << command;
186         return ERROR_UNKNOWN;
187     }
188     return rc;
189 }
190 
191 };  // namespace aidl::android::hardware::gatekeeper
192