/** * Copyright (C) 2021 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #define private public #include "../includes/common.h" #include "gatekeeper.h" using namespace gatekeeper; bool isVulnerable = false; const uint8_t *authTokenKey = nullptr; void *operator new(decltype(sizeof(0)) n) noexcept(false) { return malloc(n); } void operator delete(void *ptr) throw() { if (ptr == authTokenKey) { isVulnerable = true; } if (!ptr) { free(ptr); } } class DerivedGateKeeper : public GateKeeper { protected: bool GetAuthTokenKey(const uint8_t **auth_token_key, uint32_t *length __attribute__((unused))) const { *auth_token_key = (const uint8_t *)(new uint8_t()); authTokenKey = *auth_token_key; return true; } void GetPasswordKey(const uint8_t **password_key __attribute__((unused)), uint32_t *length __attribute__((unused))) {} void ComputePasswordSignature(uint8_t *signature __attribute__((unused)), uint32_t signature_length __attribute__((unused)), const uint8_t *key __attribute__((unused)), uint32_t key_length __attribute__((unused)), const uint8_t *password __attribute__((unused)), uint32_t password_length __attribute__((unused)), salt_t salt __attribute__((unused))) const {} void GetRandom(void *random __attribute__((unused)), uint32_t requested_size __attribute__((unused))) const {} void ComputeSignature(uint8_t *signature __attribute__((unused)), uint32_t signature_length __attribute__((unused)), const uint8_t *key __attribute__((unused)), uint32_t key_length __attribute__((unused)), const uint8_t *message __attribute__((unused)), const uint32_t length __attribute__((unused))) const {} uint64_t GetMillisecondsSinceBoot() const { return EXIT_SUCCESS; } bool GetFailureRecord(uint32_t uid __attribute__((unused)), secure_id_t user_id __attribute__((unused)), failure_record_t *record __attribute__((unused)), bool secure __attribute__((unused))) { return false; } bool ClearFailureRecord(uint32_t uid __attribute__((unused)), secure_id_t user_id __attribute__((unused)), bool secure __attribute__((unused))) { return false; } bool WriteFailureRecord(uint32_t uid __attribute__((unused)), failure_record_t *record __attribute__((unused)), bool secure __attribute__((unused))) { return false; } uint32_t ComputeRetryTimeout(const failure_record_t *record __attribute__((unused))) { return EXIT_SUCCESS; } virtual bool IsHardwareBacked() const { return false; } bool DoVerify(const password_handle_t *expected_handle __attribute__((unused)), const SizedBuffer &password __attribute__((unused))) { return false; } }; int main() { uint8_t *auth_token = new uint8_t(); uint32_t length = sizeof(uint32_t); SizedBuffer *sb = new SizedBuffer(auth_token, length); uint64_t timestamp = 1; secure_id_t user_id = 1; secure_id_t authenticator_id = 1; uint64_t challenge = 0; DerivedGateKeeper *object = new DerivedGateKeeper(); object->MintAuthToken(sb, timestamp, user_id, authenticator_id, challenge); delete auth_token; delete object; delete sb; return (isVulnerable) ? EXIT_VULNERABLE : EXIT_SUCCESS; }