1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define LOG_TAG "RemoteGateKeeper"
18 
19 #include "remote_gatekeeper.h"
20 
21 #include <limits>
22 
23 #include <android-base/logging.h>
24 
25 using ::android::hardware::hidl_vec;
26 using ::android::hardware::Return;
27 using ::android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
28 using ::gatekeeper::EnrollRequest;
29 using ::gatekeeper::EnrollResponse;
30 using ::gatekeeper::ERROR_INVALID;
31 using ::gatekeeper::ERROR_MEMORY_ALLOCATION_FAILED;
32 using ::gatekeeper::ERROR_NONE;
33 using ::gatekeeper::ERROR_RETRY;
34 using ::gatekeeper::SizedBuffer;
35 using ::gatekeeper::VerifyRequest;
36 using ::gatekeeper::VerifyResponse;
37 
38 namespace gatekeeper {
39 
RemoteGateKeeperDevice(cuttlefish::GatekeeperChannel * channel)40 RemoteGateKeeperDevice::RemoteGateKeeperDevice(cuttlefish::GatekeeperChannel* channel)
41     : gatekeeper_channel_(channel), error_(0) {
42 }
43 
~RemoteGateKeeperDevice()44 RemoteGateKeeperDevice::~RemoteGateKeeperDevice() {
45 }
46 
hidl_vec2sized_buffer(const hidl_vec<uint8_t> & vec)47 SizedBuffer hidl_vec2sized_buffer(const hidl_vec<uint8_t>& vec) {
48     if (vec.size() == 0 || vec.size() > std::numeric_limits<uint32_t>::max()) return {};
49     auto unused = new uint8_t[vec.size()];
50     std::copy(vec.begin(), vec.end(), unused);
51     return {unused, static_cast<uint32_t>(vec.size())};
52 }
53 
enroll(uint32_t uid,const hidl_vec<uint8_t> & currentPasswordHandle,const hidl_vec<uint8_t> & currentPassword,const hidl_vec<uint8_t> & desiredPassword,enroll_cb _hidl_cb)54 Return<void> RemoteGateKeeperDevice::enroll(uint32_t uid,
55                                             const hidl_vec<uint8_t>& currentPasswordHandle,
56                                             const hidl_vec<uint8_t>& currentPassword,
57                                             const hidl_vec<uint8_t>& desiredPassword,
58                                             enroll_cb _hidl_cb) {
59     if (error_ != 0) {
60         LOG(ERROR) << "Gatekeeper in invalid state";
61         _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
62         return {};
63     }
64 
65     if (desiredPassword.size() == 0) {
66         LOG(ERROR) << "Desired password size is 0";
67         _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
68         return {};
69     }
70 
71     EnrollRequest request(uid, hidl_vec2sized_buffer(currentPasswordHandle),
72                           hidl_vec2sized_buffer(desiredPassword),
73                           hidl_vec2sized_buffer(currentPassword));
74     EnrollResponse response;
75     auto error = Send(request, &response);
76     if (error != ERROR_NONE) {
77         LOG(ERROR) << "Enroll request gave error: " << error;
78         _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
79     } else if (response.error == ERROR_RETRY) {
80         LOG(ERROR) << "Enroll response has a retry error";
81         _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
82     } else if (response.error != ERROR_NONE) {
83         LOG(ERROR) << "Enroll response has an error: " << response.error;
84         _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
85     } else {
86         hidl_vec<uint8_t> new_handle(response.enrolled_password_handle.Data<uint8_t>(),
87                                      response.enrolled_password_handle.Data<uint8_t>() +
88                                              response.enrolled_password_handle.size());
89         _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, new_handle});
90     }
91     return {};
92 }
93 
verify(uint32_t uid,uint64_t challenge,const::android::hardware::hidl_vec<uint8_t> & enrolledPasswordHandle,const::android::hardware::hidl_vec<uint8_t> & providedPassword,verify_cb _hidl_cb)94 Return<void> RemoteGateKeeperDevice::verify(
95         uint32_t uid, uint64_t challenge,
96         const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,
97         const ::android::hardware::hidl_vec<uint8_t>& providedPassword, verify_cb _hidl_cb) {
98     if (error_ != 0) {
99         LOG(ERROR) << "Gatekeeper in invalid state";
100         _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
101         return {};
102     }
103 
104     if (enrolledPasswordHandle.size() == 0) {
105         LOG(ERROR) << "Enrolled password size is 0";
106         _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
107         return {};
108     }
109 
110     VerifyRequest request(uid, challenge, hidl_vec2sized_buffer(enrolledPasswordHandle),
111                           hidl_vec2sized_buffer(providedPassword));
112     VerifyResponse response;
113 
114     auto error = Send(request, &response);
115     if (error != ERROR_NONE) {
116         LOG(ERROR) << "Verify request gave error: " << error;
117         _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
118     } else if (response.error == ERROR_RETRY) {
119         LOG(ERROR) << "Verify request response gave retry error";
120         _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
121     } else if (response.error != ERROR_NONE) {
122         LOG(ERROR) << "Verify request response gave error: " << response.error;
123         _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
124     } else {
125         hidl_vec<uint8_t> auth_token(
126                 response.auth_token.Data<uint8_t>(),
127                 response.auth_token.Data<uint8_t>() + response.auth_token.size());
128 
129         _hidl_cb({response.request_reenroll ? GatekeeperStatusCode::STATUS_REENROLL
130                                             : GatekeeperStatusCode::STATUS_OK,
131                   response.retry_timeout, auth_token});
132     }
133     return {};
134 }
135 
deleteUser(uint32_t,deleteUser_cb _hidl_cb)136 Return<void> RemoteGateKeeperDevice::deleteUser(uint32_t /*uid*/, deleteUser_cb _hidl_cb) {
137     LOG(ERROR) << "deleteUser is unimplemented";
138     _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
139     return {};
140 }
141 
deleteAllUsers(deleteAllUsers_cb _hidl_cb)142 Return<void> RemoteGateKeeperDevice::deleteAllUsers(deleteAllUsers_cb _hidl_cb) {
143     LOG(ERROR) << "deleteAllUsers is unimplemented";
144     _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
145     return {};
146 }
147 
Send(uint32_t command,const GateKeeperMessage & request,GateKeeperMessage * response)148 gatekeeper_error_t RemoteGateKeeperDevice::Send(uint32_t command, const GateKeeperMessage& request,
149         GateKeeperMessage *response) {
150     if (!gatekeeper_channel_->SendRequest(command, request)) {
151       LOG(ERROR) << "Failed to send request";
152       return ERROR_UNKNOWN;
153     }
154     auto remote_response = gatekeeper_channel_->ReceiveMessage();
155     if (!remote_response) {
156       LOG(ERROR) << "Failed to receive response";
157       return ERROR_UNKNOWN;
158     }
159     const uint8_t* buffer = remote_response->payload;
160     const uint8_t* buffer_end = remote_response->payload + remote_response->payload_size;
161     auto rc = response->Deserialize(buffer, buffer_end);
162     if (rc != ERROR_NONE) {
163         LOG(ERROR) << "Failed to deserialize keymaster response: " << command;
164         return ERROR_UNKNOWN;
165     }
166     return rc;
167 }
168 
169 };
170