-rw-r--r--gatekeeperd/IGateKeeperService.cpp34
-rw-r--r--gatekeeperd/IGateKeeperService.h14
-rw-r--r--gatekeeperd/gatekeeperd.cpp21
3 files changed, 59 insertions, 10 deletions
diff --git a/gatekeeperd/IGateKeeperService.cpp b/gatekeeperd/IGateKeeperService.cpp
index 933b975de..b1e4811a9 100644
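--- a/gatekeeperd/IGateKeeperService.cpp
+++ b/gatekeeperd/IGateKeeperService.cpp
@@ -68,7 +68,6 @@ status_t BnGateKeeperService::onTransact(
 case VERIFY: {
 CHECK_INTERFACE(IGateKeeperService, data, reply);
 uint32_t uid = data.readInt32();
-uint64_t challenge = data.readInt64();
 ssize_t currentPasswordHandleSize = data.readInt32();
 const uint8_t *currentPasswordHandle =
 static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
@@ -79,12 +78,43 @@ status_t BnGateKeeperService::onTransact(
 static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
 if (!currentPassword) currentPasswordSize = 0;
 
-status_t ret = verify(uid, challenge, (uint8_t *) currentPasswordHandle,
+status_t ret = verify(uid, (uint8_t *) currentPasswordHandle,
 currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize);
 reply->writeNoException();
 reply->writeInt32(ret == NO_ERROR ? 1 : 0);
 return NO_ERROR;
 }
+case VERIFY_CHALLENGE: {
+CHECK_INTERFACE(IGateKeeperService, data, reply);
+uint32_t uid = data.readInt32();
+uint64_t challenge = data.readInt64();
+ssize_t currentPasswordHandleSize = data.readInt32();
+const uint8_t *currentPasswordHandle =
+static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
+if (!currentPasswordHandle) currentPasswordHandleSize = 0;
+
+ssize_t currentPasswordSize = data.readInt32();
+const uint8_t *currentPassword =
+static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
+if (!currentPassword) currentPasswordSize = 0;
+
+
+uint8_t *out = NULL;
+uint32_t outSize = 0;
+status_t ret = verifyChallenge(uid, challenge, (uint8_t *) currentPasswordHandle,
+currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize,
+&out, &outSize);
+reply->writeNoException();
+if (ret == NO_ERROR && outSize > 0 && out != NULL) {
+reply->writeInt32(outSize);
+void *buf = reply->writeInplace(outSize);
+memcpy(buf, out, outSize);
+free(out);
+} else {
+reply->writeInt32(-1);
+}
+return NO_ERROR;
+}
 default:
 return BBinder::onTransact(code, data, reply, flags);
 }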
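Review bot: In the new VERIFY_CHALLENGE case the pointer returned by `reply->writeInplace(outSize)` goes straight into `memcpy` with no NULL check, and `out` is released only on the success branch. writeInplace returns NULL when the parcel cannot grow, so in a daemon that handles credentials the copy should be guarded, `if (buf != NULL) memcpy(buf, out, outSize);`, or replaced by `reply->write(out, outSize)` with its status checked. Moving `free(out);` below the if/else releases the buffer on every path, including the one where the callee set `out` but returned an error or a zero length; `free(NULL)` is a no-op. The onTransact body starts and ends outside these hunks.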
diff --git a/gatekeeperd/IGateKeeperService.h b/gatekeeperd/IGateKeeperService.h
index 90d302907..10b1b4310 100644
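--- a/gatekeeperd/IGateKeeperService.h
+++ b/gatekeeperd/IGateKeeperService.h
@@ -30,6 +30,7 @@ public:
 enum {
 ENROLL = IBinder::FIRST_CALL_TRANSACTION + 0,
 VERIFY = IBinder::FIRST_CALL_TRANSACTION + 1,
+VERIFY_CHALLENGE = IBinder::FIRST_CALL_TRANSACTION + 2,
 };
 
 // DECLARE_META_INTERFACE - C++ client interface not needed
@@ -51,9 +52,18 @@ public:
 * Verifies a password previously enrolled with the GateKeeper.
 * Returns 0 on success, negative on failure.
 */
-virtual status_t verify(uint32_t uid, uint64_t challenge,
-const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
+virtual status_t verify(uint32_t uid, const uint8_t *enrolled_password_handle,
+uint32_t enrolled_password_handle_length,
 const uint8_t *provided_password, uint32_t provided_password_length) = 0;
+
+/**
+* Verifies a password previously enrolled with the GateKeeper.
+* Returns 0 on success, negative on failure.
+*/
+virtual status_t verifyChallenge(uint32_t uid, uint64_t challenge,
+const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
+const uint8_t *provided_password, uint32_t provided_password_length,
+uint8_t **auth_token, uint32_t *auth_token_length) = 0;
 };
 
 // ----------------------------------------------------------------------------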
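Review bot: The doc comment added above `verifyChallenge` is a verbatim copy of the one on `verify` and documents neither `challenge` nor the two output parameters. The caller in IGateKeeperService.cpp calls `free()` on the returned buffer, so if that is the intended ownership the contract belongs here, for example `* On success *auth_token is a heap buffer of *auth_token_length bytes that the caller must free().`, plus a line stating what the outputs hold on failure. `VERIFY` keeps its transaction code but no longer carries a challenge, so a short comment on the enum about the changed parcel layout would help whoever maintains the client side.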
diff --git a/gatekeeperd/gatekeeperd.cpp b/gatekeeperd/gatekeeperd.cpp
index 2a435a9c7..ea7016e6e 100644
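--- a/gatekeeperd/gatekeeperd.cpp
+++ b/gatekeeperd/gatekeeperd.cpp
@@ -71,9 +71,20 @@ public:
 return ret >= 0 ? NO_ERROR : UNKNOWN_ERROR;
 }
 
-virtual status_t verify(uint32_t uid, uint64_t challenge,
+virtual status_t verify(uint32_t uid,
 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
 const uint8_t *provided_password, uint32_t provided_password_length) {
+uint8_t *auth_token;
+uint32_t auth_token_length;
+return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length,
+provided_password, provided_password_length,
+&auth_token, &auth_token_length);
+}
+
+virtual status_t verifyChallenge(uint32_t uid, uint64_t challenge,
+const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
+const uint8_t *provided_password, uint32_t provided_password_length,
+uint8_t **auth_token, uint32_t *auth_token_length) {
 IPCThreadState* ipc = IPCThreadState::self();
 const int calling_pid = ipc->getCallingPid();
 const int calling_uid = ipc->getCallingUid();
@@ -85,19 +96,17 @@ public:
 if ((enrolled_password_handle_length | provided_password_length) == 0)
 return -EINVAL;
 
-uint8_t *auth_token;
-uint32_t auth_token_length;
 int ret = device->verify(device, uid, challenge,
 enrolled_password_handle, enrolled_password_handle_length,
-provided_password, provided_password_length, &auth_token, &auth_token_length);
+provided_password, provided_password_length, auth_token, auth_token_length);
 
-if (ret >= 0 && auth_token != NULL && auth_token_length > 0) {
+if (ret >= 0 && *auth_token != NULL && *auth_token_length > 0) {
 // TODO: cache service?
 sp<IServiceManager> sm = defaultServiceManager();
 sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
 if (service != NULL) {
-if (service->addAuthToken(auth_token, auth_token_length) != NO_ERROR) {
+if (service->addAuthToken(*auth_token, *auth_token_length) != NO_ERROR) {
 ALOGE("Falure sending auth token to KeyStore");
 }
 } else {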
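Review bot: The new `verify()` wrapper hands uninitialised `auth_token` and `auth_token_length` to `verifyChallenge()` and then discards whatever comes back. `verifyChallenge()` can return `-EINVAL` without writing the outputs, and after `device->verify` it dereferences `*auth_token`, so the locals should start as `NULL` and `0`. If the HAL passes ownership of the token to the caller, as the `free(out)` in onTransact suggests, every successful VERIFY transaction leaks one token in this long-running daemon, and the wrapper should free it before returning. verifyChallenge's body continues past the end of the hunk.

```cpp
virtual status_t verify(uint32_t uid,
        // … unchanged: handle and password parameters …
    uint8_t *auth_token = NULL;
    uint32_t auth_token_length = 0;
    status_t ret = verifyChallenge(uid, 0, enrolled_password_handle,
            enrolled_password_handle_length, provided_password, provided_password_length,
            &auth_token, &auth_token_length);
    // verifyChallenge has already forwarded the token to keystore;
    // presumably the buffer is owned by the caller from here on.
    free(auth_token);
    return ret;
}
```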