1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 #include <endian.h>
17 #include <gtest/gtest.h>
18 #include <hardware/gatekeeper.h>
19 #include <gatekeeper/gatekeeper.h> // For password_handle_t
20 #include <unistd.h>
21 
22 using ::testing::Test;
23 using ::gatekeeper::password_handle_t;
24 using ::gatekeeper::secure_id_t;
25 
26 class GateKeeperDeviceTest : public virtual Test {
27 public:
GateKeeperDeviceTest()28     GateKeeperDeviceTest() {}
~GateKeeperDeviceTest()29     virtual ~GateKeeperDeviceTest() {}
30 
SetUp()31     virtual void SetUp() {
32         gatekeeper_device_initialize(&device);
33     }
34 
TearDown()35     virtual void TearDown() {
36         gatekeeper_close(device);
37     }
38 
gatekeeper_device_initialize(gatekeeper_device_t ** dev)39     static void gatekeeper_device_initialize(gatekeeper_device_t **dev) {
40         int ret;
41         const hw_module_t *mod;
42         ret = hw_get_module_by_class(GATEKEEPER_HARDWARE_MODULE_ID, NULL, &mod);
43 
44         ASSERT_EQ(0, ret);
45 
46         ret = gatekeeper_open(mod, dev);
47 
48         ASSERT_EQ(0, ret);
49     }
50 
51     gatekeeper_device_t *device;
52 };
53 
TEST_F(GateKeeperDeviceTest,EnrollAndVerifyStress)54 TEST_F(GateKeeperDeviceTest, EnrollAndVerifyStress) {
55     uint32_t password_len = 50;
56     uint8_t password_payload[password_len];
57     uint8_t *password_handle;
58     uint32_t password_handle_length;
59     uint8_t *auth_token;
60     uint32_t auth_token_len;
61     int ret;
62 
63     ret = device->enroll(device, 400, NULL, 0, NULL, 0,  password_payload, password_len,
64             &password_handle, &password_handle_length);
65 
66     ASSERT_EQ(0, ret);
67 
68     for (int i = 0; i < 1000; i++) {
69         bool should_reenroll;
70         ret = device->verify(device, 400, 0, password_handle, password_handle_length,
71                 password_payload, password_len, &auth_token, &auth_token_len, &should_reenroll);
72 
73         ASSERT_EQ(0, ret);
74     }
75 }
76 
TEST_F(GateKeeperDeviceTest,EnrollAndVerify)77 TEST_F(GateKeeperDeviceTest, EnrollAndVerify) {
78     uint32_t password_len = 50;
79     uint8_t password_payload[password_len];
80     uint8_t *password_handle;
81     uint32_t password_handle_length;
82     uint8_t *auth_token;
83     uint32_t auth_token_len;
84     hw_auth_token_t *hat;
85     int ret;
86 
87     ret = device->enroll(device, 400, NULL, 0, NULL, 0,  password_payload, password_len,
88             &password_handle, &password_handle_length);
89 
90     ASSERT_EQ(0, ret);
91 
92     bool should_reenroll;
93     ret = device->verify(device, 400, 0, password_handle, password_handle_length,
94             password_payload, password_len, &auth_token, &auth_token_len, &should_reenroll);
95     ASSERT_EQ(0, should_reenroll);
96     ASSERT_EQ(0, ret);
97 
98     hat = reinterpret_cast<hw_auth_token_t *>(auth_token);
99 
100     ASSERT_EQ(HW_AUTH_TOKEN_VERSION, hat->version);
101     ASSERT_EQ(htobe32(HW_AUTH_PASSWORD), hat->authenticator_type);
102 }
103 
TEST_F(GateKeeperDeviceTest,EnrollAndVerifyTimeout)104 TEST_F(GateKeeperDeviceTest, EnrollAndVerifyTimeout) {
105     uint32_t password_len = 50;
106     uint8_t password_payload[password_len];
107     uint8_t *password_handle;
108     uint32_t password_handle_length;
109     uint8_t *auth_token = NULL;
110     uint32_t auth_token_len;
111     bool should_reenroll;
112     int ret;
113 
114     ret = device->enroll(device, 400, NULL, 0, NULL, 0,  password_payload, password_len,
115              &password_handle, &password_handle_length);
116 
117     ASSERT_EQ(0, ret);
118 
119     int payload_val = password_payload[0];
120     password_payload[0] = 4;
121 
122     int timeout = 0;
123     for (int i = 0; i < 20; i++) {
124         bool should_reenroll;
125         ret = device->verify(device, 400, 0, password_handle, password_handle_length,
126                 password_payload, password_len, &auth_token, &auth_token_len,
127                 &should_reenroll);
128         ASSERT_NE(0, ret);
129         ASSERT_EQ(NULL, auth_token);
130 
131         if (ret > 0) {
132             timeout = ret;
133         }
134     }
135 
136     ASSERT_NE(0, timeout);
137 
138     sleep((timeout + 999)/ 1000);
139 
140     password_payload[0] = payload_val;
141 
142     ret = device->verify(device, 400, 0, password_handle, password_handle_length,
143             password_payload, password_len, &auth_token, &auth_token_len,
144             &should_reenroll);
145 
146     ASSERT_EQ(0, ret);
147 }
148 
TEST_F(GateKeeperDeviceTest,EnrollAndVerifyBadPassword)149 TEST_F(GateKeeperDeviceTest, EnrollAndVerifyBadPassword) {
150     uint32_t password_len = 50;
151     uint8_t password_payload[password_len];
152     uint8_t *password_handle;
153     uint32_t password_handle_length;
154     uint8_t *auth_token = NULL;
155     uint32_t auth_token_len;
156     int ret;
157 
158     ret = device->enroll(device, 400, NULL, 0, NULL, 0,  password_payload, password_len,
159              &password_handle, &password_handle_length);
160 
161     ASSERT_EQ(0, ret);
162 
163     password_payload[0] = 4;
164 
165     bool should_reenroll;
166     ret = device->verify(device, 400, 0, password_handle, password_handle_length,
167             password_payload, password_len, &auth_token, &auth_token_len,
168             &should_reenroll);
169 
170     ASSERT_NE(0, ret);
171     ASSERT_EQ(NULL, auth_token);
172 }
173 
TEST_F(GateKeeperDeviceTest,MinFailedAttemptsBeforeLockout)174 TEST_F(GateKeeperDeviceTest, MinFailedAttemptsBeforeLockout) {
175     uint32_t password_len = 50;
176     uint8_t password_payload[password_len];
177     uint8_t *password_handle;
178     uint32_t password_handle_length;
179     uint8_t *auth_token = NULL;
180     uint32_t auth_token_len;
181     int ret;
182 
183     ret = device->enroll(device, 400, NULL, 0, NULL, 0,  password_payload, password_len,
184              &password_handle, &password_handle_length);
185 
186     ASSERT_EQ(0, ret);
187 
188     password_payload[0] = 4;
189 
190     // User should have at least 4 attempts before being locked out
191     static const int MIN_FAILED_ATTEMPTS = 4;
192 
193     bool should_reenroll;
194     for (int i = 0; i < MIN_FAILED_ATTEMPTS; i++) {
195         ret = device->verify(device, 400, 0, password_handle, password_handle_length,
196                 password_payload, password_len, &auth_token, &auth_token_len,
197                 &should_reenroll);
198         // shoudln't be a timeout
199         ASSERT_LT(ret, 0);
200     }
201 }
202 
TEST_F(GateKeeperDeviceTest,UntrustedReEnroll)203 TEST_F(GateKeeperDeviceTest, UntrustedReEnroll) {
204     uint32_t password_len = 50;
205     uint8_t password_payload[password_len];
206     uint8_t *password_handle;
207     uint32_t password_handle_length;
208     int ret;
209 
210     ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len,
211              &password_handle, &password_handle_length);
212 
213     ASSERT_EQ(0, ret);
214 
215     password_handle_t *handle = reinterpret_cast<password_handle_t *>(password_handle);
216     secure_id_t sid = handle->user_id;
217 
218     ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len,
219             &password_handle, &password_handle_length);
220 
221     ASSERT_EQ(0, ret);
222     handle = reinterpret_cast<password_handle_t *>(password_handle);
223     ASSERT_NE(sid, handle->user_id);
224 }
225 
226 
TEST_F(GateKeeperDeviceTest,TrustedReEnroll)227 TEST_F(GateKeeperDeviceTest, TrustedReEnroll) {
228     uint32_t password_len = 50;
229     uint8_t password_payload[password_len];
230     uint8_t *password_handle;
231     uint32_t password_handle_length;
232     int ret;
233 
234     ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len,
235              &password_handle, &password_handle_length);
236 
237     ASSERT_EQ(0, ret);
238 
239     password_handle_t *handle = reinterpret_cast<password_handle_t *>(password_handle);
240     secure_id_t sid = handle->user_id;
241 
242     ret = device->enroll(device, 400, password_handle, password_handle_length, password_payload,
243             password_len, password_payload, password_len, &password_handle, &password_handle_length);
244 
245     ASSERT_EQ(0, ret);
246     handle = reinterpret_cast<password_handle_t *>(password_handle);
247     ASSERT_EQ(sid, handle->user_id);
248 }
249 
250