/* * Copyright (C) 2015 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <endian.h> #include <gtest/gtest.h> #include <hardware/gatekeeper.h> #include <gatekeeper/gatekeeper.h> // For password_handle_t #include <unistd.h> using ::testing::Test; using ::gatekeeper::password_handle_t; using ::gatekeeper::secure_id_t; class GateKeeperDeviceTest : public virtual Test { public: GateKeeperDeviceTest() {} virtual ~GateKeeperDeviceTest() {} virtual void SetUp() { gatekeeper_device_initialize(&device); } virtual void TearDown() { gatekeeper_close(device); } static void gatekeeper_device_initialize(gatekeeper_device_t **dev) { int ret; const hw_module_t *mod; ret = hw_get_module_by_class(GATEKEEPER_HARDWARE_MODULE_ID, NULL, &mod); ASSERT_EQ(0, ret); ret = gatekeeper_open(mod, dev); ASSERT_EQ(0, ret); } gatekeeper_device_t *device; }; TEST_F(GateKeeperDeviceTest, EnrollAndVerifyStress) { uint32_t password_len = 50; uint8_t password_payload[password_len]; uint8_t *password_handle; uint32_t password_handle_length; uint8_t *auth_token; uint32_t auth_token_len; int ret; ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len, &password_handle, &password_handle_length); ASSERT_EQ(0, ret); for (int i = 0; i < 1000; i++) { bool should_reenroll; ret = device->verify(device, 400, 0, password_handle, password_handle_length, password_payload, password_len, &auth_token, &auth_token_len, &should_reenroll); ASSERT_EQ(0, ret); } } TEST_F(GateKeeperDeviceTest, EnrollAndVerify) { uint32_t password_len = 50; uint8_t password_payload[password_len]; uint8_t *password_handle; uint32_t password_handle_length; uint8_t *auth_token; uint32_t auth_token_len; hw_auth_token_t *hat; int ret; ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len, &password_handle, &password_handle_length); ASSERT_EQ(0, ret); bool should_reenroll; ret = device->verify(device, 400, 0, password_handle, password_handle_length, password_payload, password_len, &auth_token, &auth_token_len, &should_reenroll); ASSERT_EQ(0, should_reenroll); ASSERT_EQ(0, ret); hat = reinterpret_cast<hw_auth_token_t *>(auth_token); ASSERT_EQ(HW_AUTH_TOKEN_VERSION, hat->version); ASSERT_EQ(htobe32(HW_AUTH_PASSWORD), hat->authenticator_type); } TEST_F(GateKeeperDeviceTest, EnrollAndVerifyTimeout) { uint32_t password_len = 50; uint8_t password_payload[password_len]; uint8_t *password_handle; uint32_t password_handle_length; uint8_t *auth_token = NULL; uint32_t auth_token_len; bool should_reenroll; int ret; ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len, &password_handle, &password_handle_length); ASSERT_EQ(0, ret); int payload_val = password_payload[0]; password_payload[0] = 4; int timeout = 0; for (int i = 0; i < 20; i++) { bool should_reenroll; ret = device->verify(device, 400, 0, password_handle, password_handle_length, password_payload, password_len, &auth_token, &auth_token_len, &should_reenroll); ASSERT_NE(0, ret); ASSERT_EQ(NULL, auth_token); if (ret > 0) { timeout = ret; } } ASSERT_NE(0, timeout); sleep((timeout + 999)/ 1000); password_payload[0] = payload_val; ret = device->verify(device, 400, 0, password_handle, password_handle_length, password_payload, password_len, &auth_token, &auth_token_len, &should_reenroll); ASSERT_EQ(0, ret); } TEST_F(GateKeeperDeviceTest, EnrollAndVerifyBadPassword) { uint32_t password_len = 50; uint8_t password_payload[password_len]; uint8_t *password_handle; uint32_t password_handle_length; uint8_t *auth_token = NULL; uint32_t auth_token_len; int ret; ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len, &password_handle, &password_handle_length); ASSERT_EQ(0, ret); password_payload[0] = 4; bool should_reenroll; ret = device->verify(device, 400, 0, password_handle, password_handle_length, password_payload, password_len, &auth_token, &auth_token_len, &should_reenroll); ASSERT_NE(0, ret); ASSERT_EQ(NULL, auth_token); } TEST_F(GateKeeperDeviceTest, MinFailedAttemptsBeforeLockout) { uint32_t password_len = 50; uint8_t password_payload[password_len]; uint8_t *password_handle; uint32_t password_handle_length; uint8_t *auth_token = NULL; uint32_t auth_token_len; int ret; ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len, &password_handle, &password_handle_length); ASSERT_EQ(0, ret); password_payload[0] = 4; // User should have at least 4 attempts before being locked out static const int MIN_FAILED_ATTEMPTS = 4; bool should_reenroll; for (int i = 0; i < MIN_FAILED_ATTEMPTS; i++) { ret = device->verify(device, 400, 0, password_handle, password_handle_length, password_payload, password_len, &auth_token, &auth_token_len, &should_reenroll); // shoudln't be a timeout ASSERT_LT(ret, 0); } } TEST_F(GateKeeperDeviceTest, UntrustedReEnroll) { uint32_t password_len = 50; uint8_t password_payload[password_len]; uint8_t *password_handle; uint32_t password_handle_length; int ret; ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len, &password_handle, &password_handle_length); ASSERT_EQ(0, ret); password_handle_t *handle = reinterpret_cast<password_handle_t *>(password_handle); secure_id_t sid = handle->user_id; ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len, &password_handle, &password_handle_length); ASSERT_EQ(0, ret); handle = reinterpret_cast<password_handle_t *>(password_handle); ASSERT_NE(sid, handle->user_id); } TEST_F(GateKeeperDeviceTest, TrustedReEnroll) { uint32_t password_len = 50; uint8_t password_payload[password_len]; uint8_t *password_handle; uint32_t password_handle_length; int ret; ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len, &password_handle, &password_handle_length); ASSERT_EQ(0, ret); password_handle_t *handle = reinterpret_cast<password_handle_t *>(password_handle); secure_id_t sid = handle->user_id; ret = device->enroll(device, 400, password_handle, password_handle_length, password_payload, password_len, password_payload, password_len, &password_handle, &password_handle_length); ASSERT_EQ(0, ret); handle = reinterpret_cast<password_handle_t *>(password_handle); ASSERT_EQ(sid, handle->user_id); }