| /* |
| * Copyright 2015 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <arpa/inet.h> |
| #include <iostream> |
| |
| #include <gtest/gtest.h> |
| #include <UniquePtr.h> |
| |
| #include <hardware/hw_auth_token.h> |
| |
| #include "../SoftGateKeeper.h" |
| |
| using ::gatekeeper::SizedBuffer; |
| using ::testing::Test; |
| using ::gatekeeper::EnrollRequest; |
| using ::gatekeeper::EnrollResponse; |
| using ::gatekeeper::VerifyRequest; |
| using ::gatekeeper::VerifyResponse; |
| using ::gatekeeper::SoftGateKeeper; |
| using ::gatekeeper::secure_id_t; |
| |
| static void do_enroll(SoftGateKeeper &gatekeeper, EnrollResponse *response) { |
| SizedBuffer password; |
| |
| password.buffer.reset(new uint8_t[16]); |
| password.length = 16; |
| memset(password.buffer.get(), 0, 16); |
| EnrollRequest request(0, NULL, &password, NULL); |
| |
| gatekeeper.Enroll(request, response); |
| } |
| |
| TEST(GateKeeperTest, EnrollSuccess) { |
| SoftGateKeeper gatekeeper; |
| EnrollResponse response; |
| do_enroll(gatekeeper, &response); |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| } |
| |
| TEST(GateKeeperTest, EnrollBogusData) { |
| SoftGateKeeper gatekeeper; |
| SizedBuffer password; |
| EnrollResponse response; |
| |
| EnrollRequest request(0, NULL, &password, NULL); |
| |
| gatekeeper.Enroll(request, &response); |
| |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error); |
| } |
| |
| TEST(GateKeeperTest, VerifySuccess) { |
| SoftGateKeeper gatekeeper; |
| SizedBuffer provided_password; |
| EnrollResponse enroll_response; |
| |
| provided_password.buffer.reset(new uint8_t[16]); |
| provided_password.length = 16; |
| memset(provided_password.buffer.get(), 0, 16); |
| |
| do_enroll(gatekeeper, &enroll_response); |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); |
| VerifyRequest request(0, 1, &enroll_response.enrolled_password_handle, |
| &provided_password); |
| VerifyResponse response; |
| |
| gatekeeper.Verify(request, &response); |
| |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| |
| hw_auth_token_t *auth_token = |
| reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get()); |
| |
| ASSERT_EQ((uint32_t) HW_AUTH_PASSWORD, ntohl(auth_token->authenticator_type)); |
| ASSERT_EQ((uint64_t) 1, auth_token->challenge); |
| ASSERT_NE(~((uint32_t) 0), auth_token->timestamp); |
| ASSERT_NE((uint64_t) 0, auth_token->user_id); |
| ASSERT_NE((uint64_t) 0, auth_token->authenticator_id); |
| } |
| |
| TEST(GateKeeperTest, TrustedReEnroll) { |
| SoftGateKeeper gatekeeper; |
| SizedBuffer provided_password; |
| EnrollResponse enroll_response; |
| SizedBuffer password_handle; |
| |
| // do_enroll enrolls an all 0 password |
| provided_password.buffer.reset(new uint8_t[16]); |
| provided_password.length = 16; |
| memset(provided_password.buffer.get(), 0, 16); |
| do_enroll(gatekeeper, &enroll_response); |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); |
| |
| // keep a copy of the handle |
| password_handle.buffer.reset(new uint8_t[enroll_response.enrolled_password_handle.length]); |
| password_handle.length = enroll_response.enrolled_password_handle.length; |
| memcpy(password_handle.buffer.get(), enroll_response.enrolled_password_handle.buffer.get(), |
| password_handle.length); |
| |
| // verify first password |
| VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle, |
| &provided_password); |
| VerifyResponse response; |
| gatekeeper.Verify(request, &response); |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| hw_auth_token_t *auth_token = |
| reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get()); |
| |
| secure_id_t secure_id = auth_token->user_id; |
| |
| // enroll new password |
| provided_password.buffer.reset(new uint8_t[16]); |
| provided_password.length = 16; |
| memset(provided_password.buffer.get(), 0, 16); |
| SizedBuffer password; |
| password.buffer.reset(new uint8_t[16]); |
| memset(password.buffer.get(), 1, 16); |
| password.length = 16; |
| EnrollRequest enroll_request(0, &password_handle, &password, &provided_password); |
| gatekeeper.Enroll(enroll_request, &enroll_response); |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); |
| |
| // verify new password |
| password.buffer.reset(new uint8_t[16]); |
| memset(password.buffer.get(), 1, 16); |
| password.length = 16; |
| VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle, |
| &password); |
| gatekeeper.Verify(new_request, &response); |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| ASSERT_EQ(secure_id, |
| reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id); |
| } |
| |
| |
| TEST(GateKeeperTest, UntrustedReEnroll) { |
| SoftGateKeeper gatekeeper; |
| SizedBuffer provided_password; |
| EnrollResponse enroll_response; |
| |
| // do_enroll enrolls an all 0 password |
| provided_password.buffer.reset(new uint8_t[16]); |
| provided_password.length = 16; |
| memset(provided_password.buffer.get(), 0, 16); |
| do_enroll(gatekeeper, &enroll_response); |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); |
| |
| // verify first password |
| VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle, |
| &provided_password); |
| VerifyResponse response; |
| gatekeeper.Verify(request, &response); |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| hw_auth_token_t *auth_token = |
| reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get()); |
| |
| secure_id_t secure_id = auth_token->user_id; |
| |
| // enroll new password |
| SizedBuffer password; |
| password.buffer.reset(new uint8_t[16]); |
| memset(password.buffer.get(), 1, 16); |
| password.length = 16; |
| EnrollRequest enroll_request(0, NULL, &password, NULL); |
| gatekeeper.Enroll(enroll_request, &enroll_response); |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error); |
| |
| // verify new password |
| password.buffer.reset(new uint8_t[16]); |
| memset(password.buffer.get(), 1, 16); |
| password.length = 16; |
| VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle, |
| &password); |
| gatekeeper.Verify(new_request, &response); |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error); |
| ASSERT_NE(secure_id, |
| reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id); |
| } |
| |
| |
| TEST(GateKeeperTest, VerifyBogusData) { |
| SoftGateKeeper gatekeeper; |
| SizedBuffer provided_password; |
| SizedBuffer password_handle; |
| VerifyResponse response; |
| |
| VerifyRequest request(0, 0, &provided_password, &password_handle); |
| |
| gatekeeper.Verify(request, &response); |
| |
| ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error); |
| } |