1 /**
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define private public
18 
19 #include "../includes/common.h"
20 #include "gatekeeper.h"
21 
22 using namespace gatekeeper;
23 
24 bool isVulnerable = false;
25 const uint8_t *authTokenKey = nullptr;
26 
27 void *operator new(decltype(sizeof(0)) n) noexcept(false) { return malloc(n); }
28 
operator delete(void * ptr)29 void operator delete(void *ptr) throw() {
30     if (ptr == authTokenKey) {
31         isVulnerable = true;
32     }
33     if (!ptr) {
34         free(ptr);
35     }
36 }
37 
38 class DerivedGateKeeper : public GateKeeper {
39    protected:
GetAuthTokenKey(const uint8_t ** auth_token_key,uint32_t * length) const40     bool GetAuthTokenKey(const uint8_t **auth_token_key,
41                          uint32_t *length __attribute__((unused))) const {
42         *auth_token_key = (const uint8_t *)(new uint8_t());
43         authTokenKey = *auth_token_key;
44         return true;
45     }
GetPasswordKey(const uint8_t ** password_key,uint32_t * length)46     void GetPasswordKey(const uint8_t **password_key __attribute__((unused)),
47                         uint32_t *length __attribute__((unused))) {}
ComputePasswordSignature(uint8_t * signature,uint32_t signature_length,const uint8_t * key,uint32_t key_length,const uint8_t * password,uint32_t password_length,salt_t salt) const48     void ComputePasswordSignature(uint8_t *signature __attribute__((unused)),
49                                   uint32_t signature_length __attribute__((unused)),
50                                   const uint8_t *key __attribute__((unused)),
51                                   uint32_t key_length __attribute__((unused)),
52                                   const uint8_t *password __attribute__((unused)),
53                                   uint32_t password_length __attribute__((unused)),
54                                   salt_t salt __attribute__((unused))) const {}
GetRandom(void * random,uint32_t requested_size) const55     void GetRandom(void *random __attribute__((unused)),
56                    uint32_t requested_size __attribute__((unused))) const {}
ComputeSignature(uint8_t * signature,uint32_t signature_length,const uint8_t * key,uint32_t key_length,const uint8_t * message,const uint32_t length) const57     void ComputeSignature(uint8_t *signature __attribute__((unused)),
58                           uint32_t signature_length __attribute__((unused)),
59                           const uint8_t *key __attribute__((unused)),
60                           uint32_t key_length __attribute__((unused)),
61                           const uint8_t *message __attribute__((unused)),
62                           const uint32_t length __attribute__((unused))) const {}
GetMillisecondsSinceBoot() const63     uint64_t GetMillisecondsSinceBoot() const { return EXIT_SUCCESS; }
GetFailureRecord(uint32_t uid,secure_id_t user_id,failure_record_t * record,bool secure)64     bool GetFailureRecord(uint32_t uid __attribute__((unused)),
65                           secure_id_t user_id __attribute__((unused)),
66                           failure_record_t *record __attribute__((unused)),
67                           bool secure __attribute__((unused))) {
68         return false;
69     }
ClearFailureRecord(uint32_t uid,secure_id_t user_id,bool secure)70     bool ClearFailureRecord(uint32_t uid __attribute__((unused)),
71                             secure_id_t user_id __attribute__((unused)),
72                             bool secure __attribute__((unused))) {
73         return false;
74     }
WriteFailureRecord(uint32_t uid,failure_record_t * record,bool secure)75     bool WriteFailureRecord(uint32_t uid __attribute__((unused)),
76                             failure_record_t *record __attribute__((unused)),
77                             bool secure __attribute__((unused))) {
78         return false;
79     }
ComputeRetryTimeout(const failure_record_t * record)80     uint32_t ComputeRetryTimeout(const failure_record_t *record __attribute__((unused))) {
81         return EXIT_SUCCESS;
82     }
IsHardwareBacked() const83     virtual bool IsHardwareBacked() const { return false; }
DoVerify(const password_handle_t * expected_handle,const SizedBuffer & password)84     bool DoVerify(const password_handle_t *expected_handle __attribute__((unused)),
85                   const SizedBuffer &password __attribute__((unused))) {
86         return false;
87     }
88 };
89 
main()90 int main() {
91     uint8_t *auth_token = new uint8_t();
92     uint32_t length = sizeof(uint32_t);
93     SizedBuffer *sb = new SizedBuffer(auth_token, length);
94     uint64_t timestamp = 1;
95     secure_id_t user_id = 1;
96     secure_id_t authenticator_id = 1;
97     uint64_t challenge = 0;
98 
99     DerivedGateKeeper *object = new DerivedGateKeeper();
100     object->MintAuthToken(sb, timestamp, user_id, authenticator_id, challenge);
101 
102     delete auth_token;
103     delete object;
104     delete sb;
105     return (isVulnerable) ? EXIT_VULNERABLE : EXIT_SUCCESS;
106 }
107