| Andres Morales | 2d08dce | 2015-04-03 16:40:15 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2015 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #define LOG_TAG "gatekeeperd" |
| 18 | |
| 19 | #include "IGateKeeperService.h" |
| 20 | |
| 21 | #include <cutils/log.h> |
| 22 | #include <utils/Log.h> |
| 23 | |
| 24 | #include <binder/IPCThreadState.h> |
| 25 | #include <binder/IServiceManager.h> |
| 26 | #include <binder/PermissionCache.h> |
| 27 | #include <utils/String16.h> |
| 28 | |
| 29 | #include <keystore/IKeystoreService.h> |
| Andres Morales | 2ae8b4c | 2015-04-13 09:20:09 -0700 | [diff] [blame^] | 30 | #include <keystore/keystore.h> // For error code |
| Andres Morales | 2d08dce | 2015-04-03 16:40:15 -0700 | [diff] [blame] | 31 | #include <hardware/gatekeeper.h> |
| 32 | |
| 33 | namespace android { |
| 34 | |
| 35 | static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE"); |
| 36 | static const String16 DUMP_PERMISSION("android.permission.DUMP"); |
| 37 | |
| 38 | class GateKeeperProxy : public BnGateKeeperService { |
| 39 | public: |
| 40 | GateKeeperProxy() { |
| 41 | int ret = hw_get_module_by_class(GATEKEEPER_HARDWARE_MODULE_ID, NULL, &module); |
| 42 | if (ret < 0) |
| 43 | LOG_ALWAYS_FATAL_IF(ret < 0, "Unable to find GateKeeper HAL"); |
| 44 | ret = gatekeeper_open(module, &device); |
| 45 | if (ret < 0) |
| 46 | LOG_ALWAYS_FATAL_IF(ret < 0, "Unable to open GateKeeper HAL"); |
| 47 | } |
| 48 | |
| 49 | virtual ~GateKeeperProxy() { |
| 50 | gatekeeper_close(device); |
| 51 | } |
| 52 | |
| 53 | virtual status_t enroll(uint32_t uid, |
| 54 | const uint8_t *current_password_handle, uint32_t current_password_handle_length, |
| 55 | const uint8_t *current_password, uint32_t current_password_length, |
| 56 | const uint8_t *desired_password, uint32_t desired_password_length, |
| 57 | uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) { |
| 58 | IPCThreadState* ipc = IPCThreadState::self(); |
| 59 | const int calling_pid = ipc->getCallingPid(); |
| 60 | const int calling_uid = ipc->getCallingUid(); |
| 61 | if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { |
| 62 | return PERMISSION_DENIED; |
| 63 | } |
| 64 | |
| 65 | // need a desired password to enroll |
| 66 | if (desired_password_length == 0) return -EINVAL; |
| 67 | int ret = device->enroll(device, uid, |
| 68 | current_password_handle, current_password_handle_length, |
| 69 | current_password, current_password_length, |
| 70 | desired_password, desired_password_length, |
| 71 | enrolled_password_handle, enrolled_password_handle_length); |
| 72 | return ret >= 0 ? NO_ERROR : UNKNOWN_ERROR; |
| 73 | } |
| 74 | |
| Andres Morales | c828ae8 | 2015-04-10 21:03:07 -0700 | [diff] [blame] | 75 | virtual status_t verify(uint32_t uid, |
| Andres Morales | 2d08dce | 2015-04-03 16:40:15 -0700 | [diff] [blame] | 76 | const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length, |
| 77 | const uint8_t *provided_password, uint32_t provided_password_length) { |
| Andres Morales | c828ae8 | 2015-04-10 21:03:07 -0700 | [diff] [blame] | 78 | uint8_t *auth_token; |
| 79 | uint32_t auth_token_length; |
| 80 | return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length, |
| 81 | provided_password, provided_password_length, |
| 82 | &auth_token, &auth_token_length); |
| 83 | } |
| 84 | |
| 85 | virtual status_t verifyChallenge(uint32_t uid, uint64_t challenge, |
| 86 | const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length, |
| 87 | const uint8_t *provided_password, uint32_t provided_password_length, |
| 88 | uint8_t **auth_token, uint32_t *auth_token_length) { |
| Andres Morales | 2d08dce | 2015-04-03 16:40:15 -0700 | [diff] [blame] | 89 | IPCThreadState* ipc = IPCThreadState::self(); |
| 90 | const int calling_pid = ipc->getCallingPid(); |
| 91 | const int calling_uid = ipc->getCallingUid(); |
| 92 | if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { |
| 93 | return PERMISSION_DENIED; |
| 94 | } |
| 95 | |
| 96 | // can't verify if we're missing either param |
| 97 | if ((enrolled_password_handle_length | provided_password_length) == 0) |
| 98 | return -EINVAL; |
| 99 | |
| Andres Morales | 851b57c | 2015-04-09 19:23:48 -0700 | [diff] [blame] | 100 | int ret = device->verify(device, uid, challenge, |
| Andres Morales | 2d08dce | 2015-04-03 16:40:15 -0700 | [diff] [blame] | 101 | enrolled_password_handle, enrolled_password_handle_length, |
| Andres Morales | c828ae8 | 2015-04-10 21:03:07 -0700 | [diff] [blame] | 102 | provided_password, provided_password_length, auth_token, auth_token_length); |
| Andres Morales | 2d08dce | 2015-04-03 16:40:15 -0700 | [diff] [blame] | 103 | |
| Andres Morales | c828ae8 | 2015-04-10 21:03:07 -0700 | [diff] [blame] | 104 | if (ret >= 0 && *auth_token != NULL && *auth_token_length > 0) { |
| Andres Morales | 2d08dce | 2015-04-03 16:40:15 -0700 | [diff] [blame] | 105 | // TODO: cache service? |
| 106 | sp<IServiceManager> sm = defaultServiceManager(); |
| 107 | sp<IBinder> binder = sm->getService(String16("android.security.keystore")); |
| 108 | sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder); |
| 109 | if (service != NULL) { |
| Andres Morales | 2ae8b4c | 2015-04-13 09:20:09 -0700 | [diff] [blame^] | 110 | status_t ret = service->addAuthToken(*auth_token, *auth_token_length); |
| 111 | if (ret != ResponseCode::NO_ERROR) { |
| 112 | ALOGE("Falure sending auth token to KeyStore: %d", ret); |
| Andres Morales | 2d08dce | 2015-04-03 16:40:15 -0700 | [diff] [blame] | 113 | } |
| 114 | } else { |
| 115 | ALOGE("Unable to communicate with KeyStore"); |
| 116 | } |
| 117 | } |
| 118 | |
| 119 | return ret >= 0 ? NO_ERROR : UNKNOWN_ERROR; |
| 120 | } |
| 121 | |
| 122 | virtual status_t dump(int fd, const Vector<String16> &) { |
| 123 | IPCThreadState* ipc = IPCThreadState::self(); |
| 124 | const int pid = ipc->getCallingPid(); |
| 125 | const int uid = ipc->getCallingUid(); |
| 126 | if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) { |
| 127 | return PERMISSION_DENIED; |
| 128 | } |
| 129 | |
| 130 | if (device == NULL) { |
| 131 | const char *result = "Device not available"; |
| 132 | write(fd, result, strlen(result) + 1); |
| 133 | } else { |
| 134 | const char *result = "OK"; |
| 135 | write(fd, result, strlen(result) + 1); |
| 136 | } |
| 137 | |
| 138 | return NO_ERROR; |
| 139 | } |
| 140 | |
| 141 | private: |
| 142 | gatekeeper_device_t *device; |
| 143 | const hw_module_t *module; |
| 144 | }; |
| 145 | }// namespace android |
| 146 | |
| 147 | int main() { |
| 148 | ALOGI("Starting gatekeeperd..."); |
| 149 | android::sp<android::IServiceManager> sm = android::defaultServiceManager(); |
| 150 | android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy(); |
| 151 | android::status_t ret = sm->addService( |
| 152 | android::String16("android.service.gatekeeper.IGateKeeperService"), proxy); |
| 153 | if (ret != android::OK) { |
| 154 | ALOGE("Couldn't register binder service!"); |
| 155 | return -1; |
| 156 | } |
| 157 | |
| 158 | /* |
| 159 | * We're the only thread in existence, so we're just going to process |
| 160 | * Binder transaction as a single-threaded program. |
| 161 | */ |
| 162 | android::IPCThreadState::self()->joinThreadPool(); |
| 163 | return 0; |
| 164 | } |