
Commit c828ae87 authored by Andres Morales's avatar Andres Morales

Update verify API to return auth token blob

Change-Id: I853e61815458b54fb3b2f29e12a147b3b9aa3788
parent 851b57c1
+32 −2
@@ -68,7 +68,6 @@ status_t BnGateKeeperService::onTransact(
        case VERIFY: {
            CHECK_INTERFACE(IGateKeeperService, data, reply);
            uint32_t uid = data.readInt32();
            uint64_t challenge = data.readInt64();
            ssize_t currentPasswordHandleSize = data.readInt32();
            const uint8_t *currentPasswordHandle =
                    static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
@@ -79,12 +78,43 @@ status_t BnGateKeeperService::onTransact(
                static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
            if (!currentPassword) currentPasswordSize = 0;

            status_t ret = verify(uid, challenge, (uint8_t *) currentPasswordHandle,
            status_t ret = verify(uid, (uint8_t *) currentPasswordHandle,
                    currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize);
            reply->writeNoException();
            reply->writeInt32(ret == NO_ERROR ? 1 : 0);
            return NO_ERROR;
        }
        case VERIFY_CHALLENGE: {
            CHECK_INTERFACE(IGateKeeperService, data, reply);
            uint32_t uid = data.readInt32();
            uint64_t challenge = data.readInt64();
            ssize_t currentPasswordHandleSize = data.readInt32();
            const uint8_t *currentPasswordHandle =
                    static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
            if (!currentPasswordHandle) currentPasswordHandleSize = 0;

            ssize_t currentPasswordSize = data.readInt32();
            const uint8_t *currentPassword =
                static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
            if (!currentPassword) currentPasswordSize = 0;


            uint8_t *out = NULL;
            uint32_t outSize = 0;
            status_t ret = verifyChallenge(uid, challenge, (uint8_t *) currentPasswordHandle,
                    currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize,
                    &out, &outSize);
            reply->writeNoException();
            if (ret == NO_ERROR && outSize > 0 && out != NULL) {
                reply->writeInt32(outSize);
                void *buf = reply->writeInplace(outSize);
                memcpy(buf, out, outSize);
                free(out);
            } else {
                reply->writeInt32(-1);
            }
            return NO_ERROR;
        }
        default:
            return BBinder::onTransact(code, data, reply, flags);
    }
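Review bot: In the new VERIFY_CHALLENGE case the result of `reply->writeInplace(outSize)` goes straight into `memcpy` with no NULL check. Parcel::writeInplace returns NULL when the reply cannot be grown, so an allocation failure becomes a NULL write inside the gatekeeper service. Bail out first, e.g. `if (buf == NULL) { free(out); return NO_MEMORY; }`. `free(out)` also sits only in the success branch, so a buffer handed back together with an error status or a zero length is never released; a single `free(out);` after the if/else covers every path. onTransact begins and ends outside these hunks.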
+12 −2
@@ -30,6 +30,7 @@ public:
    enum {
        ENROLL = IBinder::FIRST_CALL_TRANSACTION + 0,
        VERIFY = IBinder::FIRST_CALL_TRANSACTION + 1,
        VERIFY_CHALLENGE = IBinder::FIRST_CALL_TRANSACTION + 2,
    };

    // DECLARE_META_INTERFACE - C++ client interface not needed
@@ -51,9 +52,18 @@ public:
     * Verifies a password previously enrolled with the GateKeeper.
     * Returns 0 on success, negative on failure.
     */
    virtual status_t verify(uint32_t uid, uint64_t challenge,
            const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
    virtual status_t verify(uint32_t uid, const uint8_t *enrolled_password_handle,
            uint32_t enrolled_password_handle_length,
            const uint8_t *provided_password, uint32_t provided_password_length) = 0;

    /**
     * Verifies a password previously enrolled with the GateKeeper.
     * Returns 0 on success, negative on failure.
     */
    virtual status_t verifyChallenge(uint32_t uid, uint64_t challenge,
            const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
            const uint8_t *provided_password, uint32_t provided_password_length,
            uint8_t **auth_token, uint32_t *auth_token_length) = 0;
};

// ----------------------------------------------------------------------------
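Review bot: The doc comment on `verifyChallenge` is a copy of the one on `verify` and does not describe `challenge`, `auth_token` or `auth_token_length`. The token buffer crosses an ownership boundary here, so the contract should be written down. The comment should say what the challenge is for and whether the two outputs are defined when the call fails. It should also state who releases the buffer, e.g. `* On success *auth_token points to a heap buffer of *auth_token_length bytes; the caller must free() it.` That ownership rule is inferred from the `free(out)` in the onTransact section of this commit and should be confirmed against the HAL.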
+15 −6
@@ -71,9 +71,20 @@ public:
        return ret >= 0 ? NO_ERROR : UNKNOWN_ERROR;
    }

    virtual status_t verify(uint32_t uid, uint64_t challenge,
    virtual status_t verify(uint32_t uid,
            const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
            const uint8_t *provided_password, uint32_t provided_password_length) {
        uint8_t *auth_token;
        uint32_t auth_token_length;
        return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length,
                provided_password, provided_password_length,
                &auth_token, &auth_token_length);
    }

    virtual status_t verifyChallenge(uint32_t uid, uint64_t challenge,
            const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
            const uint8_t *provided_password, uint32_t provided_password_length,
            uint8_t **auth_token, uint32_t *auth_token_length) {
        IPCThreadState* ipc = IPCThreadState::self();
        const int calling_pid = ipc->getCallingPid();
        const int calling_uid = ipc->getCallingUid();
@@ -85,19 +96,17 @@ public:
        if ((enrolled_password_handle_length | provided_password_length) == 0)
            return -EINVAL;

        uint8_t *auth_token;
        uint32_t auth_token_length;
        int ret = device->verify(device, uid, challenge,
                enrolled_password_handle, enrolled_password_handle_length,
                provided_password, provided_password_length, &auth_token, &auth_token_length);
                provided_password, provided_password_length, auth_token, auth_token_length);

        if (ret >= 0 && auth_token != NULL && auth_token_length > 0) {
        if (ret >= 0 && *auth_token != NULL && *auth_token_length > 0) {
            // TODO: cache service?
            sp<IServiceManager> sm = defaultServiceManager();
            sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
            sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
            if (service != NULL) {
                if (service->addAuthToken(auth_token, auth_token_length) != NO_ERROR) {
                if (service->addAuthToken(*auth_token, *auth_token_length) != NO_ERROR) {
                    ALOGE("Falure sending auth token to KeyStore");
                }
            } else {
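Review bot: The new `verify()` wrapper passes uninitialised `auth_token` and `auth_token_length` locals to `verifyChallenge` and returns without releasing whatever comes back. onTransact in this commit calls `free(out)` on the same buffer, which implies the callee hands ownership to the caller. Unless code past the end of the last hunk frees it, every successful plain verify leaks one token. Initialising the locals also keeps the `free` safe on the early-return paths that never write the outputs. verifyChallenge continues beyond the last hunk, so its tail is not reviewed here.

```cpp
    // … unchanged: verify() signature …
        uint8_t *auth_token = NULL;
        uint32_t auth_token_length = 0;
        status_t ret = verifyChallenge(uid, 0, enrolled_password_handle,
                enrolled_password_handle_length, provided_password, provided_password_length,
                &auth_token, &auth_token_length);
        free(auth_token);  // verify() callers get no token; drop the buffer here
        return ret;
```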