1 /*
2 * Copyright 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <arpa/inet.h>
18 #include <iostream>
19
20 #include <gtest/gtest.h>
21 #include <UniquePtr.h>
22
23 #include <hardware/hw_auth_token.h>
24
25 #include "../SoftGateKeeper.h"
26
27 using ::gatekeeper::SizedBuffer;
28 using ::testing::Test;
29 using ::gatekeeper::EnrollRequest;
30 using ::gatekeeper::EnrollResponse;
31 using ::gatekeeper::VerifyRequest;
32 using ::gatekeeper::VerifyResponse;
33 using ::gatekeeper::SoftGateKeeper;
34 using ::gatekeeper::secure_id_t;
35
do_enroll(SoftGateKeeper & gatekeeper,EnrollResponse * response)36 static void do_enroll(SoftGateKeeper &gatekeeper, EnrollResponse *response) {
37 SizedBuffer password;
38
39 password.buffer.reset(new uint8_t[16]);
40 password.length = 16;
41 memset(password.buffer.get(), 0, 16);
42 EnrollRequest request(0, NULL, &password, NULL);
43
44 gatekeeper.Enroll(request, response);
45 }
46
TEST(GateKeeperTest,EnrollSuccess)47 TEST(GateKeeperTest, EnrollSuccess) {
48 SoftGateKeeper gatekeeper;
49 EnrollResponse response;
50 do_enroll(gatekeeper, &response);
51 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
52 }
53
TEST(GateKeeperTest,EnrollBogusData)54 TEST(GateKeeperTest, EnrollBogusData) {
55 SoftGateKeeper gatekeeper;
56 SizedBuffer password;
57 EnrollResponse response;
58
59 EnrollRequest request(0, NULL, &password, NULL);
60
61 gatekeeper.Enroll(request, &response);
62
63 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
64 }
65
TEST(GateKeeperTest,VerifySuccess)66 TEST(GateKeeperTest, VerifySuccess) {
67 SoftGateKeeper gatekeeper;
68 SizedBuffer provided_password;
69 EnrollResponse enroll_response;
70
71 provided_password.buffer.reset(new uint8_t[16]);
72 provided_password.length = 16;
73 memset(provided_password.buffer.get(), 0, 16);
74
75 do_enroll(gatekeeper, &enroll_response);
76 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
77 VerifyRequest request(0, 1, &enroll_response.enrolled_password_handle,
78 &provided_password);
79 VerifyResponse response;
80
81 gatekeeper.Verify(request, &response);
82
83 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
84
85 hw_auth_token_t *auth_token =
86 reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
87
88 ASSERT_EQ((uint32_t) HW_AUTH_PASSWORD, ntohl(auth_token->authenticator_type));
89 ASSERT_EQ((uint64_t) 1, auth_token->challenge);
90 ASSERT_NE(~((uint32_t) 0), auth_token->timestamp);
91 ASSERT_NE((uint64_t) 0, auth_token->user_id);
92 ASSERT_NE((uint64_t) 0, auth_token->authenticator_id);
93 }
94
TEST(GateKeeperTest,TrustedReEnroll)95 TEST(GateKeeperTest, TrustedReEnroll) {
96 SoftGateKeeper gatekeeper;
97 SizedBuffer provided_password;
98 EnrollResponse enroll_response;
99 SizedBuffer password_handle;
100
101 // do_enroll enrolls an all 0 password
102 provided_password.buffer.reset(new uint8_t[16]);
103 provided_password.length = 16;
104 memset(provided_password.buffer.get(), 0, 16);
105 do_enroll(gatekeeper, &enroll_response);
106 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
107
108 // keep a copy of the handle
109 password_handle.buffer.reset(new uint8_t[enroll_response.enrolled_password_handle.length]);
110 password_handle.length = enroll_response.enrolled_password_handle.length;
111 memcpy(password_handle.buffer.get(), enroll_response.enrolled_password_handle.buffer.get(),
112 password_handle.length);
113
114 // verify first password
115 VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle,
116 &provided_password);
117 VerifyResponse response;
118 gatekeeper.Verify(request, &response);
119 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
120 hw_auth_token_t *auth_token =
121 reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
122
123 secure_id_t secure_id = auth_token->user_id;
124
125 // enroll new password
126 provided_password.buffer.reset(new uint8_t[16]);
127 provided_password.length = 16;
128 memset(provided_password.buffer.get(), 0, 16);
129 SizedBuffer password;
130 password.buffer.reset(new uint8_t[16]);
131 memset(password.buffer.get(), 1, 16);
132 password.length = 16;
133 EnrollRequest enroll_request(0, &password_handle, &password, &provided_password);
134 gatekeeper.Enroll(enroll_request, &enroll_response);
135 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
136
137 // verify new password
138 password.buffer.reset(new uint8_t[16]);
139 memset(password.buffer.get(), 1, 16);
140 password.length = 16;
141 VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle,
142 &password);
143 gatekeeper.Verify(new_request, &response);
144 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
145 ASSERT_EQ(secure_id,
146 reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
147 }
148
149
TEST(GateKeeperTest,UntrustedReEnroll)150 TEST(GateKeeperTest, UntrustedReEnroll) {
151 SoftGateKeeper gatekeeper;
152 SizedBuffer provided_password;
153 EnrollResponse enroll_response;
154
155 // do_enroll enrolls an all 0 password
156 provided_password.buffer.reset(new uint8_t[16]);
157 provided_password.length = 16;
158 memset(provided_password.buffer.get(), 0, 16);
159 do_enroll(gatekeeper, &enroll_response);
160 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
161
162 // verify first password
163 VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle,
164 &provided_password);
165 VerifyResponse response;
166 gatekeeper.Verify(request, &response);
167 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
168 hw_auth_token_t *auth_token =
169 reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
170
171 secure_id_t secure_id = auth_token->user_id;
172
173 // enroll new password
174 SizedBuffer password;
175 password.buffer.reset(new uint8_t[16]);
176 memset(password.buffer.get(), 1, 16);
177 password.length = 16;
178 EnrollRequest enroll_request(0, NULL, &password, NULL);
179 gatekeeper.Enroll(enroll_request, &enroll_response);
180 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
181
182 // verify new password
183 password.buffer.reset(new uint8_t[16]);
184 memset(password.buffer.get(), 1, 16);
185 password.length = 16;
186 VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle,
187 &password);
188 gatekeeper.Verify(new_request, &response);
189 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
190 ASSERT_NE(secure_id,
191 reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
192 }
193
194
TEST(GateKeeperTest,VerifyBogusData)195 TEST(GateKeeperTest, VerifyBogusData) {
196 SoftGateKeeper gatekeeper;
197 SizedBuffer provided_password;
198 SizedBuffer password_handle;
199 VerifyResponse response;
200
201 VerifyRequest request(0, 0, &provided_password, &password_handle);
202
203 gatekeeper.Verify(request, &response);
204
205 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
206 }
207