diff options
author | Andres Morales <anmorales@google.com> | 2015-03-12 13:30:15 -0700 |
---|---|---|
committer | Andres Morales <anmorales@google.com> | 2015-03-19 17:31:25 -0700 |
commit | edd3e3dc860ff3d99c0320a6ee7d66347b4dd1c3 (patch) | |
tree | b7fc1b8d21a0aad3e57c505c858aaaac5dc30f4f /tests | |
parent | 99482129e592892ef40613195d2cbcd640e031cd (diff) | |
download | gatekeeper-edd3e3dc860ff3d99c0320a6ee7d66347b4dd1c3.tar.gz |
add SIDs and password storage support to Keyguard base
Change-Id: I2b1bb41a5e40e45e810f2bd299edb6b8765df9e6
Diffstat (limited to 'tests')
-rw-r--r-- | tests/keyguard_device_test.cpp | 6 | ||||
-rw-r--r-- | tests/keyguard_messages_test.cpp | 77 | ||||
-rw-r--r-- | tests/keyguard_test.cpp | 179 |
3 files changed, 240 insertions, 22 deletions
diff --git a/tests/keyguard_device_test.cpp b/tests/keyguard_device_test.cpp index 0bc7db9..b3f3b21 100644 --- a/tests/keyguard_device_test.cpp +++ b/tests/keyguard_device_test.cpp @@ -55,7 +55,7 @@ TEST_F(KeyguardDeviceTest, EnrollAndVerify) { size_t auth_token_len; int ret; - ret = device->enroll(device, 0, password_payload, password_len, + ret = device->enroll(device, 0, NULL, 0, NULL, 0, password_payload, password_len, &password_handle, &password_handle_length); ASSERT_EQ(0, ret); @@ -75,8 +75,8 @@ TEST_F(KeyguardDeviceTest, EnrollAndVerifyBadPassword) { size_t auth_token_len; int ret; - ret = device->enroll(device, 0, password_payload, password_len, - &password_handle, &password_handle_length); + ret = device->enroll(device, 0, NULL, 0, NULL, 0, password_payload, password_len, + &password_handle, &password_handle_length); ASSERT_EQ(0, ret); diff --git a/tests/keyguard_messages_test.cpp b/tests/keyguard_messages_test.cpp index 10f81bd..fd70c07 100644 --- a/tests/keyguard_messages_test.cpp +++ b/tests/keyguard_messages_test.cpp @@ -46,12 +46,12 @@ static SizedBuffer *make_buffer(size_t size) { return result; } -TEST(RoundTripTest, EnrollRequest) { +TEST(RoundTripTest, EnrollRequestNullEnrolledNullHandle) { const size_t password_size = 512; SizedBuffer *provided_password = make_buffer(password_size); const SizedBuffer *deserialized_password; // create request, serialize, deserialize, and validate - EnrollRequest req(USER_ID, provided_password); + EnrollRequest req(USER_ID, NULL, provided_password, NULL); uint8_t *serialized_req = req.Serialize(); EnrollRequest deserialized_req; deserialized_req.Deserialize(serialized_req, serialized_req + req.GetSerializedSize()); @@ -64,9 +64,74 @@ TEST(RoundTripTest, EnrollRequest) { ASSERT_EQ(USER_ID, deserialized_req.user_id); ASSERT_EQ((uint32_t) password_size, deserialized_password->length); ASSERT_EQ(0, memcmp(req.provided_password.buffer.get(), deserialized_password->buffer.get(), password_size)); + ASSERT_EQ((size_t) 0, deserialized_req.enrolled_password.length); + ASSERT_EQ(NULL, deserialized_req.enrolled_password.buffer.get()); + ASSERT_EQ((size_t) 0, deserialized_req.password_handle.length); + ASSERT_EQ(NULL, deserialized_req.password_handle.buffer.get()); delete provided_password; } +TEST(RoundTripTest, EnrollRequestEmptyEnrolledEmptyHandle) { + const size_t password_size = 512; + SizedBuffer *provided_password = make_buffer(password_size); + SizedBuffer enrolled; + SizedBuffer handle; + const SizedBuffer *deserialized_password; + // create request, serialize, deserialize, and validate + EnrollRequest req(USER_ID, &handle, provided_password, &enrolled); + uint8_t *serialized_req = req.Serialize(); + EnrollRequest deserialized_req; + deserialized_req.Deserialize(serialized_req, serialized_req + req.GetSerializedSize()); + delete[] serialized_req; + + ASSERT_EQ(keyguard::keyguard_error_t::KG_ERROR_OK, + deserialized_req.error); + + deserialized_password = &deserialized_req.provided_password; + ASSERT_EQ(USER_ID, deserialized_req.user_id); + ASSERT_EQ((uint32_t) password_size, deserialized_password->length); + ASSERT_EQ(0, memcmp(req.provided_password.buffer.get(), deserialized_password->buffer.get(), password_size)); + ASSERT_EQ((size_t) 0, deserialized_req.enrolled_password.length); + ASSERT_EQ(NULL, deserialized_req.enrolled_password.buffer.get()); + ASSERT_EQ((size_t) 0, deserialized_req.password_handle.length); + ASSERT_EQ(NULL, deserialized_req.password_handle.buffer.get()); + delete provided_password; +} + +TEST(RoundTripTest, EnrollRequestNonNullEnrolledOrHandle) { + const size_t password_size = 512; + SizedBuffer *provided_password = make_buffer(password_size); + SizedBuffer *enrolled_password = make_buffer(password_size); + SizedBuffer *password_handle = make_buffer(password_size); + const SizedBuffer *deserialized_password; + const SizedBuffer *deserialized_enrolled; + const SizedBuffer *deserialized_handle; + // create request, serialize, deserialize, and validate + EnrollRequest req(USER_ID, password_handle, provided_password, enrolled_password); + uint8_t *serialized_req = req.Serialize(); + EnrollRequest deserialized_req; + deserialized_req.Deserialize(serialized_req, serialized_req + req.GetSerializedSize()); + delete[] serialized_req; + + ASSERT_EQ(keyguard::keyguard_error_t::KG_ERROR_OK, + deserialized_req.error); + + deserialized_password = &deserialized_req.provided_password; + deserialized_enrolled = &deserialized_req.enrolled_password; + deserialized_handle = &deserialized_req.password_handle; + ASSERT_EQ(USER_ID, deserialized_req.user_id); + ASSERT_EQ((uint32_t) password_size, deserialized_password->length); + ASSERT_EQ(0, memcmp(req.provided_password.buffer.get(), deserialized_password->buffer.get(), password_size)); + ASSERT_EQ((uint32_t) password_size, deserialized_enrolled->length); + ASSERT_EQ(0, memcmp(req.enrolled_password.buffer.get(), deserialized_enrolled->buffer.get(), password_size)); + ASSERT_EQ((uint32_t) password_size, deserialized_handle->length); + ASSERT_EQ(0, memcmp(req.password_handle.buffer.get(), deserialized_handle->buffer.get(), password_size)); + delete provided_password; + delete enrolled_password; + delete password_handle; +} + + TEST(RoundTripTest, EnrollResponse) { const size_t password_size = 512; SizedBuffer *enrolled_password = make_buffer(password_size); @@ -116,10 +181,10 @@ TEST(RoundTripTest, VerifyRequest) { TEST(RoundTripTest, VerifyResponse) { const size_t password_size = 512; - SizedBuffer *verification_token = make_buffer(password_size); + SizedBuffer *auth_token = make_buffer(password_size); const SizedBuffer *deserialized_password; // create request, serialize, deserialize, and validate - VerifyResponse req(USER_ID, verification_token); + VerifyResponse req(USER_ID, auth_token); uint8_t *serialized_req = req.Serialize(); VerifyResponse deserialized_req; deserialized_req.Deserialize(serialized_req, serialized_req + req.GetSerializedSize()); @@ -129,9 +194,9 @@ TEST(RoundTripTest, VerifyResponse) { deserialized_req.error); ASSERT_EQ(USER_ID, deserialized_req.user_id); - deserialized_password = &deserialized_req.verification_token; + deserialized_password = &deserialized_req.auth_token; ASSERT_EQ((uint32_t) password_size, deserialized_password->length); - ASSERT_EQ(0, memcmp(req.verification_token.buffer.get(), deserialized_password->buffer.get(), + ASSERT_EQ(0, memcmp(req.auth_token.buffer.get(), deserialized_password->buffer.get(), password_size)); } diff --git a/tests/keyguard_test.cpp b/tests/keyguard_test.cpp index 4ee09ba..02a6c34 100644 --- a/tests/keyguard_test.cpp +++ b/tests/keyguard_test.cpp @@ -16,6 +16,7 @@ #include <gtest/gtest.h> #include <UniquePtr.h> +#include <iostream> #include <keyguard/soft_keyguard.h> @@ -27,6 +28,33 @@ using ::keyguard::VerifyRequest; using ::keyguard::VerifyResponse; using ::keyguard::SoftKeyguard; using ::keyguard::AuthToken; +using ::keyguard::secure_id_t; + +class TestKeyguardFileIo : public ::keyguard::KeyguardFileIo { +public: + TestKeyguardFileIo() { + bytes_.length = 0; + } + + virtual void Write(const char *filename, const uint8_t *bytes, size_t length) { + bytes_.buffer.reset(new uint8_t[length]); + memcpy(bytes_.buffer.get(), bytes, length); + bytes_.length = length; + } + + virtual size_t Read(const char *filename, UniquePtr<uint8_t> *bytes) const { + if (!bytes_.buffer.get() || bytes_.length == 0) { + bytes->reset(); + } else { + bytes->reset(new uint8_t[bytes_.length]); + memcpy(bytes->get(), bytes_.buffer.get(), bytes_.length); + } + + return bytes_.length; + } + + SizedBuffer bytes_; +}; static void do_enroll(SoftKeyguard &keyguard, EnrollResponse *response) { SizedBuffer password; @@ -34,24 +62,24 @@ static void do_enroll(SoftKeyguard &keyguard, EnrollResponse *response) { password.buffer.reset(new uint8_t[16]); password.length = 16; memset(password.buffer.get(), 0, 16); - EnrollRequest request(0, &password); + EnrollRequest request(0, NULL, &password, NULL); keyguard.Enroll(request, response); } TEST(KeyguardTest, EnrollSuccess) { - SoftKeyguard keyguard; + SoftKeyguard keyguard(new TestKeyguardFileIo()); EnrollResponse response; do_enroll(keyguard, &response); ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, response.error); } TEST(KeyguardTest, EnrollBogusData) { - SoftKeyguard keyguard; + SoftKeyguard keyguard(new TestKeyguardFileIo()); SizedBuffer password; EnrollResponse response; - EnrollRequest request(0, &password); + EnrollRequest request(0, NULL, &password, NULL); keyguard.Enroll(request, &response); @@ -59,7 +87,7 @@ TEST(KeyguardTest, EnrollBogusData) { } TEST(KeyguardTest, VerifySuccess) { - SoftKeyguard keyguard; + SoftKeyguard keyguard(new TestKeyguardFileIo()); SizedBuffer provided_password; EnrollResponse enroll_response; @@ -78,19 +106,144 @@ TEST(KeyguardTest, VerifySuccess) { ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, response.error); AuthToken *auth_token = - reinterpret_cast<AuthToken *>(response.verification_token.buffer.get()); + reinterpret_cast<AuthToken *>(response.auth_token.buffer.get()); + + ASSERT_EQ((uint32_t) 0, auth_token->authenticator_id); + ASSERT_NE(~((uint32_t) 0), auth_token->timestamp); + ASSERT_NE((uint64_t) 0, auth_token->root_secure_user_id); + ASSERT_NE((uint64_t) 0, auth_token->auxiliary_secure_user_id); +} + +TEST(KeyguardTest, VerifyBadPwFile) { + TestKeyguardFileIo *fw = new TestKeyguardFileIo(); + SoftKeyguard keyguard(fw); + SizedBuffer provided_password; + EnrollResponse enroll_response; + + provided_password.buffer.reset(new uint8_t[16]); + provided_password.length = 16; + memset(provided_password.buffer.get(), 0, 16); + do_enroll(keyguard, &enroll_response); + ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, enroll_response.error); + + VerifyRequest request(0, &enroll_response.enrolled_password_handle, + &provided_password); + VerifyResponse response; + fw->bytes_.buffer.reset(); + keyguard.Verify(request, &response); + ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, response.error); + + AuthToken *auth_token = + reinterpret_cast<AuthToken *>(response.auth_token.buffer.get()); + + ASSERT_EQ((uint32_t) 0, auth_token->authenticator_id); + ASSERT_NE(~((uint32_t) 0), auth_token->timestamp); + ASSERT_EQ((uint64_t) 0, auth_token->root_secure_user_id); + ASSERT_EQ((uint64_t) 0, auth_token->auxiliary_secure_user_id); +} + +TEST(KeyguardTest, TrustedReEnroll) { + SoftKeyguard keyguard(new TestKeyguardFileIo()); + SizedBuffer provided_password; + EnrollResponse enroll_response; + SizedBuffer password_handle; + + // do_enroll enrolls an all 0 password + provided_password.buffer.reset(new uint8_t[16]); + provided_password.length = 16; + memset(provided_password.buffer.get(), 0, 16); + do_enroll(keyguard, &enroll_response); + ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, enroll_response.error); + + // keep a copy of the handle + password_handle.buffer.reset(new uint8_t[enroll_response.enrolled_password_handle.length]); + password_handle.length = enroll_response.enrolled_password_handle.length; + memcpy(password_handle.buffer.get(), enroll_response.enrolled_password_handle.buffer.get(), + password_handle.length); + + // verify first password + VerifyRequest request(0, &enroll_response.enrolled_password_handle, + &provided_password); + VerifyResponse response; + keyguard.Verify(request, &response); + ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, response.error); + AuthToken *auth_token = + reinterpret_cast<AuthToken *>(response.auth_token.buffer.get()); + + secure_id_t secure_id = auth_token->root_secure_user_id; + + // enroll new password + provided_password.buffer.reset(new uint8_t[16]); + provided_password.length = 16; + memset(provided_password.buffer.get(), 0, 16); + SizedBuffer password; + password.buffer.reset(new uint8_t[16]); + memset(password.buffer.get(), 1, 16); + password.length = 16; + EnrollRequest enroll_request(0, &password_handle, &password, &provided_password); + keyguard.Enroll(enroll_request, &enroll_response); + ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, enroll_response.error); + + // verify new password + password.buffer.reset(new uint8_t[16]); + memset(password.buffer.get(), 1, 16); + password.length = 16; + VerifyRequest new_request(0, &enroll_response.enrolled_password_handle, + &password); + keyguard.Verify(new_request, &response); + ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, response.error); + ASSERT_EQ(secure_id, + reinterpret_cast<AuthToken *>(response.auth_token.buffer.get())->root_secure_user_id); +} + + +TEST(KeyguardTest, UntrustedReEnroll) { + SoftKeyguard keyguard(new TestKeyguardFileIo()); + SizedBuffer provided_password; + EnrollResponse enroll_response; + + // do_enroll enrolls an all 0 password + provided_password.buffer.reset(new uint8_t[16]); + provided_password.length = 16; + memset(provided_password.buffer.get(), 0, 16); + do_enroll(keyguard, &enroll_response); + ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, enroll_response.error); + + // verify first password + VerifyRequest request(0, &enroll_response.enrolled_password_handle, + &provided_password); + VerifyResponse response; + keyguard.Verify(request, &response); + ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, response.error); + AuthToken *auth_token = + reinterpret_cast<AuthToken *>(response.auth_token.buffer.get()); + + secure_id_t secure_id = auth_token->root_secure_user_id; - ASSERT_EQ((uint8_t) 1, auth_token->auth_token_tag); - ASSERT_EQ((uint8_t) 2, auth_token->user_id_tag); - ASSERT_EQ((uint8_t) 3, auth_token->authenticator_id_tag); - ASSERT_EQ((uint8_t) 4, auth_token->timestamp_tag); + // enroll new password + SizedBuffer password; + password.buffer.reset(new uint8_t[16]); + memset(password.buffer.get(), 1, 16); + password.length = 16; + EnrollRequest enroll_request(0, NULL, &password, NULL); + keyguard.Enroll(enroll_request, &enroll_response); + ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, enroll_response.error); - ASSERT_EQ((uint32_t)0, auth_token->user_id); - ASSERT_EQ((uint32_t)0, auth_token->authenticator_id); + // verify new password + password.buffer.reset(new uint8_t[16]); + memset(password.buffer.get(), 1, 16); + password.length = 16; + VerifyRequest new_request(0, &enroll_response.enrolled_password_handle, + &password); + keyguard.Verify(new_request, &response); + ASSERT_EQ(::keyguard::keyguard_error_t::KG_ERROR_OK, response.error); + ASSERT_NE(secure_id, + reinterpret_cast<AuthToken *>(response.auth_token.buffer.get())->root_secure_user_id); } + TEST(KeyguardTest, VerifyBogusData) { - SoftKeyguard keyguard; + SoftKeyguard keyguard(new TestKeyguardFileIo()); SizedBuffer provided_password; SizedBuffer password_handle; VerifyResponse response; |