1 /* 2 * Copyright 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <arpa/inet.h> 18 #include <iostream> 19 20 #include <gtest/gtest.h> 21 #include <hardware/hw_auth_token.h> 22 23 #include "../SoftGateKeeper.h" 24 25 using ::gatekeeper::SizedBuffer; 26 using ::testing::Test; 27 using ::gatekeeper::EnrollRequest; 28 using ::gatekeeper::EnrollResponse; 29 using ::gatekeeper::VerifyRequest; 30 using ::gatekeeper::VerifyResponse; 31 using ::gatekeeper::SoftGateKeeper; 32 using ::gatekeeper::secure_id_t; 33 34 static void do_enroll(SoftGateKeeper &gatekeeper, EnrollResponse *response) { 35 SizedBuffer password; 36 37 password.buffer.reset(new uint8_t[16]); 38 password.length = 16; 39 memset(password.buffer.get(), 0, 16); 40 EnrollRequest request(0, NULL, &password, NULL); 41 42 gatekeeper.Enroll(request, response); 43 } 44 45 TEST(GateKeeperTest, EnrollSuccess) { 46 SoftGateKeeper gatekeeper; 47 EnrollResponse response; 48 do_enroll(gatekeeper, &response); 49 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); 50 } 51 52 TEST(GateKeeperTest, EnrollBogusData) { 53 SoftGateKeeper gatekeeper; 54 SizedBuffer password; 55 EnrollResponse response; 56 57 EnrollRequest request(0, NULL, &password, NULL); 58 59 gatekeeper.Enroll(request, &response); 60 61 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error); 62 } 63 64 TEST(GateKeeperTest, VerifySuccess) { 65 SoftGateKeeper gatekeeper; 66 SizedBuffer provided_password; 67 EnrollResponse enroll_response; 68 69 provided_password.buffer.reset(new uint8_t[16]); 70 provided_password.length = 16; 71 memset(provided_password.buffer.get(), 0, 16); 72 73 do_enroll(gatekeeper, &enroll_response); 74 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); 75 VerifyRequest request(0, 1, &enroll_response.enrolled_password_handle, 76 &provided_password); 77 VerifyResponse response; 78 79 gatekeeper.Verify(request, &response); 80 81 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); 82 83 hw_auth_token_t *auth_token = 84 reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get()); 85 86 ASSERT_EQ((uint32_t) HW_AUTH_PASSWORD, ntohl(auth_token->authenticator_type)); 87 ASSERT_EQ((uint64_t) 1, auth_token->challenge); 88 ASSERT_NE(~((uint32_t) 0), auth_token->timestamp); 89 ASSERT_NE((uint64_t) 0, auth_token->user_id); 90 ASSERT_NE((uint64_t) 0, auth_token->authenticator_id); 91 } 92 93 TEST(GateKeeperTest, TrustedReEnroll) { 94 SoftGateKeeper gatekeeper; 95 SizedBuffer provided_password; 96 EnrollResponse enroll_response; 97 SizedBuffer password_handle; 98 99 // do_enroll enrolls an all 0 password 100 provided_password.buffer.reset(new uint8_t[16]); 101 provided_password.length = 16; 102 memset(provided_password.buffer.get(), 0, 16); 103 do_enroll(gatekeeper, &enroll_response); 104 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); 105 106 // keep a copy of the handle 107 password_handle.buffer.reset(new uint8_t[enroll_response.enrolled_password_handle.length]); 108 password_handle.length = enroll_response.enrolled_password_handle.length; 109 memcpy(password_handle.buffer.get(), enroll_response.enrolled_password_handle.buffer.get(), 110 password_handle.length); 111 112 // verify first password 113 VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle, 114 &provided_password); 115 VerifyResponse response; 116 gatekeeper.Verify(request, &response); 117 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); 118 hw_auth_token_t *auth_token = 119 reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get()); 120 121 secure_id_t secure_id = auth_token->user_id; 122 123 // enroll new password 124 provided_password.buffer.reset(new uint8_t[16]); 125 provided_password.length = 16; 126 memset(provided_password.buffer.get(), 0, 16); 127 SizedBuffer password; 128 password.buffer.reset(new uint8_t[16]); 129 memset(password.buffer.get(), 1, 16); 130 password.length = 16; 131 EnrollRequest enroll_request(0, &password_handle, &password, &provided_password); 132 gatekeeper.Enroll(enroll_request, &enroll_response); 133 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); 134 135 // verify new password 136 password.buffer.reset(new uint8_t[16]); 137 memset(password.buffer.get(), 1, 16); 138 password.length = 16; 139 VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle, 140 &password); 141 gatekeeper.Verify(new_request, &response); 142 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); 143 ASSERT_EQ(secure_id, 144 reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id); 145 } 146 147 148 TEST(GateKeeperTest, UntrustedReEnroll) { 149 SoftGateKeeper gatekeeper; 150 SizedBuffer provided_password; 151 EnrollResponse enroll_response; 152 153 // do_enroll enrolls an all 0 password 154 provided_password.buffer.reset(new uint8_t[16]); 155 provided_password.length = 16; 156 memset(provided_password.buffer.get(), 0, 16); 157 do_enroll(gatekeeper, &enroll_response); 158 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); 159 160 // verify first password 161 VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle, 162 &provided_password); 163 VerifyResponse response; 164 gatekeeper.Verify(request, &response); 165 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); 166 hw_auth_token_t *auth_token = 167 reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get()); 168 169 secure_id_t secure_id = auth_token->user_id; 170 171 // enroll new password 172 SizedBuffer password; 173 password.buffer.reset(new uint8_t[16]); 174 memset(password.buffer.get(), 1, 16); 175 password.length = 16; 176 EnrollRequest enroll_request(0, NULL, &password, NULL); 177 gatekeeper.Enroll(enroll_request, &enroll_response); 178 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); 179 180 // verify new password 181 password.buffer.reset(new uint8_t[16]); 182 memset(password.buffer.get(), 1, 16); 183 password.length = 16; 184 VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle, 185 &password); 186 gatekeeper.Verify(new_request, &response); 187 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); 188 ASSERT_NE(secure_id, 189 reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id); 190 } 191 192 193 TEST(GateKeeperTest, VerifyBogusData) { 194 SoftGateKeeper gatekeeper; 195 SizedBuffer provided_password; 196 SizedBuffer password_handle; 197 VerifyResponse response; 198 199 VerifyRequest request(0, 0, &provided_password, &password_handle); 200 201 gatekeeper.Verify(request, &response); 202 203 ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error); 204 } 205