1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <arpa/inet.h>
18 #include <iostream>
19 
20 #include <gtest/gtest.h>
21 #include <hardware/hw_auth_token.h>
22 
23 #include "../SoftGateKeeper.h"
24 
25 using ::gatekeeper::EnrollRequest;
26 using ::gatekeeper::EnrollResponse;
27 using ::gatekeeper::secure_id_t;
28 using ::gatekeeper::SizedBuffer;
29 using ::gatekeeper::SoftGateKeeper;
30 using ::gatekeeper::VerifyRequest;
31 using ::gatekeeper::VerifyResponse;
32 using ::testing::Test;
33 
makePasswordBuffer(int init=0)34 static SizedBuffer makePasswordBuffer(int init = 0) {
35     constexpr const uint32_t pw_buffer_size = 16;
36     auto pw_buffer = new uint8_t[pw_buffer_size];
37     memset(pw_buffer, init, pw_buffer_size);
38 
39     return {pw_buffer, pw_buffer_size};
40 }
41 
makeAndInitializeSizedBuffer(const uint8_t * data,uint32_t size)42 static SizedBuffer makeAndInitializeSizedBuffer(const uint8_t* data, uint32_t size) {
43     auto buffer = new uint8_t[size];
44     memcpy(buffer, data, size);
45     return {buffer, size};
46 }
47 
copySizedBuffer(const SizedBuffer & rhs)48 static SizedBuffer copySizedBuffer(const SizedBuffer& rhs) {
49     return makeAndInitializeSizedBuffer(rhs.Data<uint8_t>(), rhs.size());
50 }
51 
do_enroll(SoftGateKeeper & gatekeeper,EnrollResponse * response)52 static void do_enroll(SoftGateKeeper& gatekeeper, EnrollResponse* response) {
53     EnrollRequest request(0, {}, makePasswordBuffer(), {});
54 
55     gatekeeper.Enroll(request, response);
56 }
57 
TEST(GateKeeperTest,EnrollSuccess)58 TEST(GateKeeperTest, EnrollSuccess) {
59     SoftGateKeeper gatekeeper;
60     EnrollResponse response;
61     do_enroll(gatekeeper, &response);
62     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
63 }
64 
TEST(GateKeeperTest,EnrollBogusData)65 TEST(GateKeeperTest, EnrollBogusData) {
66     SoftGateKeeper gatekeeper;
67     EnrollResponse response;
68 
69     EnrollRequest request(0, {}, {}, {});
70 
71     gatekeeper.Enroll(request, &response);
72 
73     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
74 }
75 
TEST(GateKeeperTest,VerifySuccess)76 TEST(GateKeeperTest, VerifySuccess) {
77     SoftGateKeeper gatekeeper;
78     EnrollResponse enroll_response;
79 
80     do_enroll(gatekeeper, &enroll_response);
81     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
82     VerifyRequest request(0, 1, std::move(enroll_response.enrolled_password_handle),
83                           makePasswordBuffer());
84     VerifyResponse response;
85 
86     gatekeeper.Verify(request, &response);
87 
88     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
89 
90     auto auth_token = response.auth_token.Data<hw_auth_token_t>();
91 
92     ASSERT_NE(nullptr, auth_token);
93     ASSERT_EQ((uint32_t)HW_AUTH_PASSWORD, ntohl(auth_token->authenticator_type));
94     ASSERT_EQ((uint64_t)1, auth_token->challenge);
95     ASSERT_NE(~((uint32_t)0), auth_token->timestamp);
96     ASSERT_NE((uint64_t)0, auth_token->user_id);
97     ASSERT_NE((uint64_t)0, auth_token->authenticator_id);
98 }
99 
TEST(GateKeeperTest,TrustedReEnroll)100 TEST(GateKeeperTest, TrustedReEnroll) {
101     SoftGateKeeper gatekeeper;
102     EnrollResponse enroll_response;
103 
104     // do_enroll enrolls an all 0 password
105     do_enroll(gatekeeper, &enroll_response);
106     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
107 
108     // verify first password
109     VerifyRequest request(0, 0, copySizedBuffer(enroll_response.enrolled_password_handle),
110                           makePasswordBuffer());
111     VerifyResponse response;
112     gatekeeper.Verify(request, &response);
113     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
114     auto auth_token = response.auth_token.Data<hw_auth_token_t>();
115     ASSERT_NE(nullptr, auth_token);
116 
117     secure_id_t secure_id = auth_token->user_id;
118 
119     // enroll new password
120     EnrollRequest enroll_request(0, std::move(enroll_response.enrolled_password_handle),
121                                  makePasswordBuffer(1) /* new password */,
122                                  makePasswordBuffer() /* old password */);
123     gatekeeper.Enroll(enroll_request, &enroll_response);
124     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
125 
126     // verify new password
127     VerifyRequest new_request(0, 0, std::move(enroll_response.enrolled_password_handle),
128                               makePasswordBuffer(1));
129     gatekeeper.Verify(new_request, &response);
130     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
131     ASSERT_NE(nullptr, response.auth_token.Data<hw_auth_token_t>());
132     ASSERT_EQ(secure_id, response.auth_token.Data<hw_auth_token_t>()->user_id);
133 }
134 
TEST(GateKeeperTest,UntrustedReEnroll)135 TEST(GateKeeperTest, UntrustedReEnroll) {
136     SoftGateKeeper gatekeeper;
137     SizedBuffer provided_password;
138     EnrollResponse enroll_response;
139 
140     // do_enroll enrolls an all 0 password
141     provided_password = makePasswordBuffer();
142     do_enroll(gatekeeper, &enroll_response);
143     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
144 
145     // verify first password
146     VerifyRequest request(0, 0, std::move(enroll_response.enrolled_password_handle),
147                           std::move(provided_password));
148     VerifyResponse response;
149     gatekeeper.Verify(request, &response);
150     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
151     auto auth_token = response.auth_token.Data<hw_auth_token_t>();
152     ASSERT_NE(nullptr, auth_token);
153 
154     secure_id_t secure_id = auth_token->user_id;
155 
156     EnrollRequest enroll_request(0, {}, makePasswordBuffer(1), {});
157     gatekeeper.Enroll(enroll_request, &enroll_response);
158     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
159 
160     // verify new password
161     VerifyRequest new_request(0, 0, std::move(enroll_response.enrolled_password_handle),
162                               makePasswordBuffer(1));
163     gatekeeper.Verify(new_request, &response);
164     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
165     ASSERT_NE(nullptr, response.auth_token.Data<hw_auth_token_t>());
166     ASSERT_NE(secure_id, response.auth_token.Data<hw_auth_token_t>()->user_id);
167 }
168 
TEST(GateKeeperTest,VerifyBogusData)169 TEST(GateKeeperTest, VerifyBogusData) {
170     SoftGateKeeper gatekeeper;
171     VerifyResponse response;
172 
173     VerifyRequest request(0, 0, {}, {});
174 
175     gatekeeper.Verify(request, &response);
176 
177     ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
178 }
179