Andres Morales | ae24292 | 2015-05-18 09:26:19 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2015 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
Dan Albert | 460f6b1 | 2015-06-09 20:09:26 -0700 | [diff] [blame] | 17 | #include <arpa/inet.h> |
Andres Morales | ae24292 | 2015-05-18 09:26:19 -0700 | [diff] [blame] | 18 | #include <iostream> |
| 19 | |
Dan Albert | 460f6b1 | 2015-06-09 20:09:26 -0700 | [diff] [blame] | 20 | #include <gtest/gtest.h> |
Andres Morales | ae24292 | 2015-05-18 09:26:19 -0700 | [diff] [blame] | 21 | #include <hardware/hw_auth_token.h> |
Dan Albert | 460f6b1 | 2015-06-09 20:09:26 -0700 | [diff] [blame] | 22 | #include <UniquePtr.h> |
Andres Morales | ae24292 | 2015-05-18 09:26:19 -0700 | [diff] [blame] | 23 | |
| 24 | #include "../SoftGateKeeper.h" |
| 25 | |
| 26 | using ::gatekeeper::SizedBuffer; |
| 27 | using ::testing::Test; |
| 28 | using ::gatekeeper::EnrollRequest; |
| 29 | using ::gatekeeper::EnrollResponse; |
| 30 | using ::gatekeeper::VerifyRequest; |
| 31 | using ::gatekeeper::VerifyResponse; |
| 32 | using ::gatekeeper::SoftGateKeeper; |
| 33 | using ::gatekeeper::secure_id_t; |
| 34 | |
| 35 | static void do_enroll(SoftGateKeeper &gatekeeper, EnrollResponse *response) { |
| 36 | SizedBuffer password; |
| 37 | |
| 38 | password.buffer.reset(new uint8_t[16]); |
| 39 | password.length = 16; |
| 40 | memset(password.buffer.get(), 0, 16); |
| 41 | EnrollRequest request(0, NULL, &password, NULL); |
| 42 | |
| 43 | gatekeeper.Enroll(request, response); |
| 44 | } |
| 45 | |
| 46 | TEST(GateKeeperTest, EnrollSuccess) { |
| 47 | SoftGateKeeper gatekeeper; |
| 48 | EnrollResponse response; |
| 49 | do_enroll(gatekeeper, &response); |
| 50 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| 51 | } |
| 52 | |
| 53 | TEST(GateKeeperTest, EnrollBogusData) { |
| 54 | SoftGateKeeper gatekeeper; |
| 55 | SizedBuffer password; |
| 56 | EnrollResponse response; |
| 57 | |
| 58 | EnrollRequest request(0, NULL, &password, NULL); |
| 59 | |
| 60 | gatekeeper.Enroll(request, &response); |
| 61 | |
| 62 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error); |
| 63 | } |
| 64 | |
| 65 | TEST(GateKeeperTest, VerifySuccess) { |
| 66 | SoftGateKeeper gatekeeper; |
| 67 | SizedBuffer provided_password; |
| 68 | EnrollResponse enroll_response; |
| 69 | |
| 70 | provided_password.buffer.reset(new uint8_t[16]); |
| 71 | provided_password.length = 16; |
| 72 | memset(provided_password.buffer.get(), 0, 16); |
| 73 | |
| 74 | do_enroll(gatekeeper, &enroll_response); |
| 75 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); |
| 76 | VerifyRequest request(0, 1, &enroll_response.enrolled_password_handle, |
| 77 | &provided_password); |
| 78 | VerifyResponse response; |
| 79 | |
| 80 | gatekeeper.Verify(request, &response); |
| 81 | |
| 82 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| 83 | |
| 84 | hw_auth_token_t *auth_token = |
| 85 | reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get()); |
| 86 | |
| 87 | ASSERT_EQ((uint32_t) HW_AUTH_PASSWORD, ntohl(auth_token->authenticator_type)); |
| 88 | ASSERT_EQ((uint64_t) 1, auth_token->challenge); |
| 89 | ASSERT_NE(~((uint32_t) 0), auth_token->timestamp); |
| 90 | ASSERT_NE((uint64_t) 0, auth_token->user_id); |
| 91 | ASSERT_NE((uint64_t) 0, auth_token->authenticator_id); |
| 92 | } |
| 93 | |
| 94 | TEST(GateKeeperTest, TrustedReEnroll) { |
| 95 | SoftGateKeeper gatekeeper; |
| 96 | SizedBuffer provided_password; |
| 97 | EnrollResponse enroll_response; |
| 98 | SizedBuffer password_handle; |
| 99 | |
| 100 | // do_enroll enrolls an all 0 password |
| 101 | provided_password.buffer.reset(new uint8_t[16]); |
| 102 | provided_password.length = 16; |
| 103 | memset(provided_password.buffer.get(), 0, 16); |
| 104 | do_enroll(gatekeeper, &enroll_response); |
| 105 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); |
| 106 | |
| 107 | // keep a copy of the handle |
| 108 | password_handle.buffer.reset(new uint8_t[enroll_response.enrolled_password_handle.length]); |
| 109 | password_handle.length = enroll_response.enrolled_password_handle.length; |
| 110 | memcpy(password_handle.buffer.get(), enroll_response.enrolled_password_handle.buffer.get(), |
| 111 | password_handle.length); |
| 112 | |
| 113 | // verify first password |
| 114 | VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle, |
| 115 | &provided_password); |
| 116 | VerifyResponse response; |
| 117 | gatekeeper.Verify(request, &response); |
| 118 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| 119 | hw_auth_token_t *auth_token = |
| 120 | reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get()); |
| 121 | |
| 122 | secure_id_t secure_id = auth_token->user_id; |
| 123 | |
| 124 | // enroll new password |
| 125 | provided_password.buffer.reset(new uint8_t[16]); |
| 126 | provided_password.length = 16; |
| 127 | memset(provided_password.buffer.get(), 0, 16); |
| 128 | SizedBuffer password; |
| 129 | password.buffer.reset(new uint8_t[16]); |
| 130 | memset(password.buffer.get(), 1, 16); |
| 131 | password.length = 16; |
| 132 | EnrollRequest enroll_request(0, &password_handle, &password, &provided_password); |
| 133 | gatekeeper.Enroll(enroll_request, &enroll_response); |
| 134 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); |
| 135 | |
| 136 | // verify new password |
| 137 | password.buffer.reset(new uint8_t[16]); |
| 138 | memset(password.buffer.get(), 1, 16); |
| 139 | password.length = 16; |
| 140 | VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle, |
| 141 | &password); |
| 142 | gatekeeper.Verify(new_request, &response); |
| 143 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| 144 | ASSERT_EQ(secure_id, |
| 145 | reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id); |
| 146 | } |
| 147 | |
| 148 | |
| 149 | TEST(GateKeeperTest, UntrustedReEnroll) { |
| 150 | SoftGateKeeper gatekeeper; |
| 151 | SizedBuffer provided_password; |
| 152 | EnrollResponse enroll_response; |
| 153 | |
| 154 | // do_enroll enrolls an all 0 password |
| 155 | provided_password.buffer.reset(new uint8_t[16]); |
| 156 | provided_password.length = 16; |
| 157 | memset(provided_password.buffer.get(), 0, 16); |
| 158 | do_enroll(gatekeeper, &enroll_response); |
| 159 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); |
| 160 | |
| 161 | // verify first password |
| 162 | VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle, |
| 163 | &provided_password); |
| 164 | VerifyResponse response; |
| 165 | gatekeeper.Verify(request, &response); |
| 166 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| 167 | hw_auth_token_t *auth_token = |
| 168 | reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get()); |
| 169 | |
| 170 | secure_id_t secure_id = auth_token->user_id; |
| 171 | |
| 172 | // enroll new password |
| 173 | SizedBuffer password; |
| 174 | password.buffer.reset(new uint8_t[16]); |
| 175 | memset(password.buffer.get(), 1, 16); |
| 176 | password.length = 16; |
| 177 | EnrollRequest enroll_request(0, NULL, &password, NULL); |
| 178 | gatekeeper.Enroll(enroll_request, &enroll_response); |
| 179 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); |
| 180 | |
| 181 | // verify new password |
| 182 | password.buffer.reset(new uint8_t[16]); |
| 183 | memset(password.buffer.get(), 1, 16); |
| 184 | password.length = 16; |
| 185 | VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle, |
| 186 | &password); |
| 187 | gatekeeper.Verify(new_request, &response); |
| 188 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| 189 | ASSERT_NE(secure_id, |
| 190 | reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id); |
| 191 | } |
| 192 | |
| 193 | |
| 194 | TEST(GateKeeperTest, VerifyBogusData) { |
| 195 | SoftGateKeeper gatekeeper; |
| 196 | SizedBuffer provided_password; |
| 197 | SizedBuffer password_handle; |
| 198 | VerifyResponse response; |
| 199 | |
| 200 | VerifyRequest request(0, 0, &provided_password, &password_handle); |
| 201 | |
| 202 | gatekeeper.Verify(request, &response); |
| 203 | |
| 204 | ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error); |
| 205 | } |