Update verify API to return auth token blob

Change-Id: I853e61815458b54fb3b2f29e12a147b3b9aa3788
author: Andres Morales <anmorales@google.com> 2015-04-10 21:03:07 -0700
committer: Andres Morales <anmorales@google.com> 2015-04-11 18:29:04 -0700
commit: c828ae87768f3539cefadb7e485b877995918299 (patch)
tree: f9dc4f6a289ec1d684172ed419483cf5829cba53 /gatekeeperd
parent: 851b57c1f81bd3572cf5908611ba029be934c706 (diff)
download: system_core-c828ae87768f3539cefadb7e485b877995918299.zip
system_core-c828ae87768f3539cefadb7e485b877995918299.tar.gz
system_core-c828ae87768f3539cefadb7e485b877995918299.tar.bz2
3 files changed, 59 insertions, 10 deletions
diff --git a/gatekeeperd/IGateKeeperService.cpp b/gatekeeperd/IGateKeeperService.cpp
index 933b975..b1e4811 100644
--- a/gatekeeperd/IGateKeeperService.cpp
+++ b/gatekeeperd/IGateKeeperService.cpp
@@ -68,7 +68,6 @@ status_t BnGateKeeperService::onTransact(
         case VERIFY: {
             CHECK_INTERFACE(IGateKeeperService, data, reply);
             uint32_t uid = data.readInt32();
-            uint64_t challenge = data.readInt64();
             ssize_t currentPasswordHandleSize = data.readInt32();
             const uint8_t *currentPasswordHandle =
                     static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
@@ -79,12 +78,43 @@ status_t BnGateKeeperService::onTransact(
                 static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
             if (!currentPassword) currentPasswordSize = 0;
 
-            status_t ret = verify(uid, challenge, (uint8_t *) currentPasswordHandle,
+            status_t ret = verify(uid, (uint8_t *) currentPasswordHandle,
                     currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize);
             reply->writeNoException();
             reply->writeInt32(ret == NO_ERROR ? 1 : 0);
             return NO_ERROR;
         }
+        case VERIFY_CHALLENGE: {
+            CHECK_INTERFACE(IGateKeeperService, data, reply);
+            uint32_t uid = data.readInt32();
+            uint64_t challenge = data.readInt64();
+            ssize_t currentPasswordHandleSize = data.readInt32();
+            const uint8_t *currentPasswordHandle =
+                    static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
+            if (!currentPasswordHandle) currentPasswordHandleSize = 0;
+
+            ssize_t currentPasswordSize = data.readInt32();
+            const uint8_t *currentPassword =
+                static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
+            if (!currentPassword) currentPasswordSize = 0;
+
+
+            uint8_t *out = NULL;
+            uint32_t outSize = 0;
+            status_t ret = verifyChallenge(uid, challenge, (uint8_t *) currentPasswordHandle,
+                    currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize,
+                    &out, &outSize);
+            reply->writeNoException();
+            if (ret == NO_ERROR && outSize > 0 && out != NULL) {
+                reply->writeInt32(outSize);
+                void *buf = reply->writeInplace(outSize);
+                memcpy(buf, out, outSize);
+                free(out);
+            } else {
+                reply->writeInt32(-1);
+            }
+            return NO_ERROR;
+        }
         default:
             return BBinder::onTransact(code, data, reply, flags);
     }
diff --git a/gatekeeperd/IGateKeeperService.h b/gatekeeperd/IGateKeeperService.h
index 90d3029..10b1b43 100644
--- a/gatekeeperd/IGateKeeperService.h
+++ b/gatekeeperd/IGateKeeperService.h
@@ -30,6 +30,7 @@ public:
     enum {
         ENROLL = IBinder::FIRST_CALL_TRANSACTION + 0,
         VERIFY = IBinder::FIRST_CALL_TRANSACTION + 1,
+        VERIFY_CHALLENGE = IBinder::FIRST_CALL_TRANSACTION + 2,
     };
 
     // DECLARE_META_INTERFACE - C++ client interface not needed
@@ -51,9 +52,18 @@ public:
      * Verifies a password previously enrolled with the GateKeeper.
      * Returns 0 on success, negative on failure.
      */
-    virtual status_t verify(uint32_t uid, uint64_t challenge,
-            const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
+    virtual status_t verify(uint32_t uid, const uint8_t *enrolled_password_handle,
+            uint32_t enrolled_password_handle_length,
             const uint8_t *provided_password, uint32_t provided_password_length) = 0;
+
+    /**
+     * Verifies a password previously enrolled with the GateKeeper.
+     * Returns 0 on success, negative on failure.
+     */
+    virtual status_t verifyChallenge(uint32_t uid, uint64_t challenge,
+            const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
+            const uint8_t *provided_password, uint32_t provided_password_length,
+            uint8_t **auth_token, uint32_t *auth_token_length) = 0;
 };
 
 // ----------------------------------------------------------------------------
diff --git a/gatekeeperd/gatekeeperd.cpp b/gatekeeperd/gatekeeperd.cpp
index 2a435a9..ea7016e 100644
--- a/gatekeeperd/gatekeeperd.cpp
+++ b/gatekeeperd/gatekeeperd.cpp
@@ -71,9 +71,20 @@ public:
         return ret >= 0 ? NO_ERROR : UNKNOWN_ERROR;
     }
 
-    virtual status_t verify(uint32_t uid, uint64_t challenge,
+    virtual status_t verify(uint32_t uid,
             const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
             const uint8_t *provided_password, uint32_t provided_password_length) {
+        uint8_t *auth_token;
+        uint32_t auth_token_length;
+        return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length,
+                provided_password, provided_password_length,
+                &auth_token, &auth_token_length);
+    }
+
+    virtual status_t verifyChallenge(uint32_t uid, uint64_t challenge,
+            const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
+            const uint8_t *provided_password, uint32_t provided_password_length,
+            uint8_t **auth_token, uint32_t *auth_token_length) {
         IPCThreadState* ipc = IPCThreadState::self();
         const int calling_pid = ipc->getCallingPid();
         const int calling_uid = ipc->getCallingUid();
@@ -85,19 +96,17 @@ public:
         if ((enrolled_password_handle_length | provided_password_length) == 0)
             return -EINVAL;
 
-        uint8_t *auth_token;
-        uint32_t auth_token_length;
         int ret = device->verify(device, uid, challenge,
                 enrolled_password_handle, enrolled_password_handle_length,
-                provided_password, provided_password_length, &auth_token, &auth_token_length);
+                provided_password, provided_password_length, auth_token, auth_token_length);
 
-        if (ret >= 0 && auth_token != NULL && auth_token_length > 0) {
+        if (ret >= 0 && *auth_token != NULL && *auth_token_length > 0) {
             // TODO: cache service?
             sp<IServiceManager> sm = defaultServiceManager();
             sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
             sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
             if (service != NULL) {
-                if (service->addAuthToken(auth_token, auth_token_length) != NO_ERROR) {
+                if (service->addAuthToken(*auth_token, *auth_token_length) != NO_ERROR) {
                     ALOGE("Falure sending auth token to KeyStore");
                 }
             } else {
author	Andres Morales <anmorales@google.com>	2015-04-10 21:03:07 -0700
committer	Andres Morales <anmorales@google.com>	2015-04-11 18:29:04 -0700
commit	c828ae87768f3539cefadb7e485b877995918299 (patch)
tree	f9dc4f6a289ec1d684172ed419483cf5829cba53 /gatekeeperd
parent	851b57c1f81bd3572cf5908611ba029be934c706 (diff)
download	system_core-c828ae87768f3539cefadb7e485b877995918299.zip system_core-c828ae87768f3539cefadb7e485b877995918299.tar.gz system_core-c828ae87768f3539cefadb7e485b877995918299.tar.bz2