ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update verify API to return auth token blob

Browse source 
Change-Id: I853e61815458b54fb3b2f29e12a147b3b9aa3788
This commit is contained in:
Andres Morales 2015-04-10 21:03:07 -07:00
parent 851b57c1f8
commit c828ae8776
3 changed files with 60 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
gatekeeperd/IGateKeeperService.cpp
View file

@ -66,6 +66,25 @@ status_t BnGateKeeperService::onTransact(
return NO_ERROR;
}
case VERIFY: {
CHECK_INTERFACE(IGateKeeperService, data, reply);
uint32_t uid = data.readInt32();
ssize_t currentPasswordHandleSize = data.readInt32();
const uint8_t *currentPasswordHandle =
static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
if (!currentPasswordHandle) currentPasswordHandleSize = 0;
ssize_t currentPasswordSize = data.readInt32();
const uint8_t *currentPassword =
static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
if (!currentPassword) currentPasswordSize = 0;
status_t ret = verify(uid, (uint8_t *) currentPasswordHandle,
currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize);
reply->writeNoException();
reply->writeInt32(ret == NO_ERROR ? 1 : 0);
return NO_ERROR;
}
case VERIFY_CHALLENGE: {
CHECK_INTERFACE(IGateKeeperService, data, reply);
uint32_t uid = data.readInt32();
uint64_t challenge = data.readInt64();
@ -79,10 +98,21 @@ status_t BnGateKeeperService::onTransact(
static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
if (!currentPassword) currentPasswordSize = 0;
status_t ret = verify(uid, challenge, (uint8_t *) currentPasswordHandle,
currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize);
uint8_t *out = NULL;
uint32_t outSize = 0;
status_t ret = verifyChallenge(uid, challenge, (uint8_t *) currentPasswordHandle,
currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize,
&out, &outSize);
reply->writeNoException();
reply->writeInt32(ret == NO_ERROR ? 1 : 0);
if (ret == NO_ERROR && outSize > 0 && out != NULL) {
reply->writeInt32(outSize);
void *buf = reply->writeInplace(outSize);
memcpy(buf, out, outSize);
free(out);
} else {
reply->writeInt32(-1);
}
return NO_ERROR;
}
default:

14
gatekeeperd/IGateKeeperService.h
View file

@ -30,6 +30,7 @@ public:
enum {
ENROLL = IBinder::FIRST_CALL_TRANSACTION + 0,
VERIFY = IBinder::FIRST_CALL_TRANSACTION + 1,
VERIFY_CHALLENGE = IBinder::FIRST_CALL_TRANSACTION + 2,
};
// DECLARE_META_INTERFACE - C++ client interface not needed
@ -51,9 +52,18 @@ public:
* Verifies a password previously enrolled with the GateKeeper.
* Returns 0 on success, negative on failure.
*/
virtual status_t verify(uint32_t uid, uint64_t challenge,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
virtual status_t verify(uint32_t uid, const uint8_t *enrolled_password_handle,
uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length) = 0;
/**
* Verifies a password previously enrolled with the GateKeeper.
* Returns 0 on success, negative on failure.
*/
virtual status_t verifyChallenge(uint32_t uid, uint64_t challenge,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length,
uint8_t **auth_token, uint32_t *auth_token_length) = 0;
};
// ----------------------------------------------------------------------------

21
gatekeeperd/gatekeeperd.cpp
View file

@ -71,9 +71,20 @@ public:
return ret >= 0 ? NO_ERROR : UNKNOWN_ERROR;
}
virtual status_t verify(uint32_t uid, uint64_t challenge,
virtual status_t verify(uint32_t uid,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length) {
uint8_t *auth_token;
uint32_t auth_token_length;
return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length,
provided_password, provided_password_length,
&auth_token, &auth_token_length);
}
virtual status_t verifyChallenge(uint32_t uid, uint64_t challenge,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length,
uint8_t **auth_token, uint32_t *auth_token_length) {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
@ -85,19 +96,17 @@ public:
if ((enrolled_password_handle_length | provided_password_length) == 0)
return -EINVAL;
uint8_t *auth_token;
uint32_t auth_token_length;
int ret = device->verify(device, uid, challenge,
enrolled_password_handle, enrolled_password_handle_length,
provided_password, provided_password_length, &auth_token, &auth_token_length);
provided_password, provided_password_length, auth_token, auth_token_length);
if (ret >= 0 && auth_token != NULL && auth_token_length > 0) {
if (ret >= 0 && *auth_token != NULL && *auth_token_length > 0) {
// TODO: cache service?
sp<IServiceManager> sm = defaultServiceManager();
sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
if (service != NULL) {
if (service->addAuthToken(auth_token, auth_token_length) != NO_ERROR) {
if (service->addAuthToken(*auth_token, *auth_token_length) != NO_ERROR) {
ALOGE("Falure sending auth token to KeyStore");
}
} else {