summaryrefslogtreecommitdiff
path: root/gatekeeperd
diff options
context:
space:
mode:
authorAndres Morales <anmorales@google.com>2015-04-10 21:03:07 -0700
committerAndres Morales <anmorales@google.com>2015-04-11 18:29:04 -0700
commitc828ae87768f3539cefadb7e485b877995918299 (patch)
treef9dc4f6a289ec1d684172ed419483cf5829cba53 /gatekeeperd
parent851b57c1f81bd3572cf5908611ba029be934c706 (diff)
Update verify API to return auth token blob
Change-Id: I853e61815458b54fb3b2f29e12a147b3b9aa3788
Diffstat (limited to 'gatekeeperd')
-rw-r--r--gatekeeperd/IGateKeeperService.cpp34
-rw-r--r--gatekeeperd/IGateKeeperService.h14
-rw-r--r--gatekeeperd/gatekeeperd.cpp21
3 files changed, 59 insertions, 10 deletions
diff --git a/gatekeeperd/IGateKeeperService.cpp b/gatekeeperd/IGateKeeperService.cpp
index 933b975de..b1e4811a9 100644
--- a/gatekeeperd/IGateKeeperService.cpp
+++ b/gatekeeperd/IGateKeeperService.cpp
@@ -68,7 +68,6 @@ status_t BnGateKeeperService::onTransact(
case VERIFY: {
CHECK_INTERFACE(IGateKeeperService, data, reply);
uint32_t uid = data.readInt32();
- uint64_t challenge = data.readInt64();
ssize_t currentPasswordHandleSize = data.readInt32();
const uint8_t *currentPasswordHandle =
static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
@@ -79,12 +78,43 @@ status_t BnGateKeeperService::onTransact(
static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
if (!currentPassword) currentPasswordSize = 0;
- status_t ret = verify(uid, challenge, (uint8_t *) currentPasswordHandle,
+ status_t ret = verify(uid, (uint8_t *) currentPasswordHandle,
currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize);
reply->writeNoException();
reply->writeInt32(ret == NO_ERROR ? 1 : 0);
return NO_ERROR;
}
+ case VERIFY_CHALLENGE: {
+ CHECK_INTERFACE(IGateKeeperService, data, reply);
+ uint32_t uid = data.readInt32();
+ uint64_t challenge = data.readInt64();
+ ssize_t currentPasswordHandleSize = data.readInt32();
+ const uint8_t *currentPasswordHandle =
+ static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
+ if (!currentPasswordHandle) currentPasswordHandleSize = 0;
+
+ ssize_t currentPasswordSize = data.readInt32();
+ const uint8_t *currentPassword =
+ static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
+ if (!currentPassword) currentPasswordSize = 0;
+
+
+ uint8_t *out = NULL;
+ uint32_t outSize = 0;
+ status_t ret = verifyChallenge(uid, challenge, (uint8_t *) currentPasswordHandle,
+ currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize,
+ &out, &outSize);
+ reply->writeNoException();
+ if (ret == NO_ERROR && outSize > 0 && out != NULL) {
+ reply->writeInt32(outSize);
+ void *buf = reply->writeInplace(outSize);
+ memcpy(buf, out, outSize);
+ free(out);
+ } else {
+ reply->writeInt32(-1);
+ }
+ return NO_ERROR;
+ }
default:
return BBinder::onTransact(code, data, reply, flags);
}
diff --git a/gatekeeperd/IGateKeeperService.h b/gatekeeperd/IGateKeeperService.h
index 90d302907..10b1b4310 100644
--- a/gatekeeperd/IGateKeeperService.h
+++ b/gatekeeperd/IGateKeeperService.h
@@ -30,6 +30,7 @@ public:
enum {
ENROLL = IBinder::FIRST_CALL_TRANSACTION + 0,
VERIFY = IBinder::FIRST_CALL_TRANSACTION + 1,
+ VERIFY_CHALLENGE = IBinder::FIRST_CALL_TRANSACTION + 2,
};
// DECLARE_META_INTERFACE - C++ client interface not needed
@@ -51,9 +52,18 @@ public:
* Verifies a password previously enrolled with the GateKeeper.
* Returns 0 on success, negative on failure.
*/
- virtual status_t verify(uint32_t uid, uint64_t challenge,
- const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
+ virtual status_t verify(uint32_t uid, const uint8_t *enrolled_password_handle,
+ uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length) = 0;
+
+ /**
+ * Verifies a password previously enrolled with the GateKeeper.
+ * Returns 0 on success, negative on failure.
+ */
+ virtual status_t verifyChallenge(uint32_t uid, uint64_t challenge,
+ const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
+ const uint8_t *provided_password, uint32_t provided_password_length,
+ uint8_t **auth_token, uint32_t *auth_token_length) = 0;
};
// ----------------------------------------------------------------------------
diff --git a/gatekeeperd/gatekeeperd.cpp b/gatekeeperd/gatekeeperd.cpp
index 2a435a9c7..ea7016e6e 100644
--- a/gatekeeperd/gatekeeperd.cpp
+++ b/gatekeeperd/gatekeeperd.cpp
@@ -71,9 +71,20 @@ public:
return ret >= 0 ? NO_ERROR : UNKNOWN_ERROR;
}
- virtual status_t verify(uint32_t uid, uint64_t challenge,
+ virtual status_t verify(uint32_t uid,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length) {
+ uint8_t *auth_token;
+ uint32_t auth_token_length;
+ return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length,
+ provided_password, provided_password_length,
+ &auth_token, &auth_token_length);
+ }
+
+ virtual status_t verifyChallenge(uint32_t uid, uint64_t challenge,
+ const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
+ const uint8_t *provided_password, uint32_t provided_password_length,
+ uint8_t **auth_token, uint32_t *auth_token_length) {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
@@ -85,19 +96,17 @@ public:
if ((enrolled_password_handle_length | provided_password_length) == 0)
return -EINVAL;
- uint8_t *auth_token;
- uint32_t auth_token_length;
int ret = device->verify(device, uid, challenge,
enrolled_password_handle, enrolled_password_handle_length,
- provided_password, provided_password_length, &auth_token, &auth_token_length);
+ provided_password, provided_password_length, auth_token, auth_token_length);
- if (ret >= 0 && auth_token != NULL && auth_token_length > 0) {
+ if (ret >= 0 && *auth_token != NULL && *auth_token_length > 0) {
// TODO: cache service?
sp<IServiceManager> sm = defaultServiceManager();
sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
if (service != NULL) {
- if (service->addAuthToken(auth_token, auth_token_length) != NO_ERROR) {
+ if (service->addAuthToken(*auth_token, *auth_token_length) != NO_ERROR) {
ALOGE("Falure sending auth token to KeyStore");
}
} else {