platform_hardware_libhardware/include/hardware/gatekeeper.h
Andres Morales c65adc73e3 add request re-enroll to HAL API
devices may want to request an upgrade to a newer pasword
handle version

Change-Id: I34c731c81406e29961cff1fcccdefad02cff1237
2015-05-27 01:35:20 +00:00

161 lines
6.8 KiB
C

/*
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef ANDROID_HARDWARE_GATEKEEPER_H
#define ANDROID_HARDWARE_GATEKEEPER_H
#include <sys/cdefs.h>
#include <sys/types.h>
#include <hardware/hardware.h>
__BEGIN_DECLS
#define GATEKEEPER_HARDWARE_MODULE_ID "gatekeeper"
#define GATEKEEPER_MODULE_API_VERSION_0_1 HARDWARE_MODULE_API_VERSION(0, 1)
#define HARDWARE_GATEKEEPER "gatekeeper"
struct gatekeeper_module {
/**
* Comon methods of the gatekeeper module. This *must* be the first member of
* gatekeeper_module as users of this structure will cast a hw_module_t to
* a gatekeeper_module pointer in the appropriate context.
*/
hw_module_t common;
};
struct gatekeeper_device {
/**
* Common methods of the gatekeeper device. As above, this must be the first
* member of keymaster_device.
*/
hw_device_t common;
/**
* Enrolls desired_password, which should be derived from a user selected pin or password,
* with the authentication factor private key used only for enrolling authentication
* factor data.
*
* If there was already a password enrolled, it should be provided in
* current_password_handle, along with the current password in current_password
* that should validate against current_password_handle.
*
* Parameters:
* - dev: pointer to gatekeeper_device acquired via calls to gatekeeper_open
* - uid: the Android user identifier
*
* - current_password_handle: the currently enrolled password handle the user
* wants to replace. May be null if there's no currently enrolled password.
* - current_password_handle_length: the length in bytes of the buffer pointed
* at by current_password_handle. Must be 0 if current_password_handle is NULL.
*
* - current_password: the user's current password in plain text. If presented,
* it MUST verify against current_password_handle.
* - current_password_length: the size in bytes of the buffer pointed at by
* current_password. Must be 0 if the current_password is NULL.
*
* - desired_password: the new password the user wishes to enroll in plain-text.
* Cannot be NULL.
* - desired_password_length: the length in bytes of the buffer pointed at by
* desired_password.
*
* - enrolled_password_handle: on success, a buffer will be allocated with the
* new password handle referencing the password provided in desired_password.
* This buffer can be used on subsequent calls to enroll or verify.
* The caller is responsible for deallocating this buffer via a call to delete[]
* - enrolled_password_handle_length: pointer to the length in bytes of the buffer allocated
* by this function and pointed to by *enrolled_password_handle_length.
*
* Returns:
* - 0 on success
* - An error code < 0 on failure, or
* - A timeout value T > 0 if the call should not be re-attempted until T milliseconds
* have elapsed.
*
* On error, enrolled_password_handle will not be allocated.
*/
int (*enroll)(const struct gatekeeper_device *dev, uint32_t uid,
const uint8_t *current_password_handle, uint32_t current_password_handle_length,
const uint8_t *current_password, uint32_t current_password_length,
const uint8_t *desired_password, uint32_t desired_password_length,
uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length);
/**
* Verifies provided_password matches enrolled_password_handle.
*
* Implementations of this module may retain the result of this call
* to attest to the recency of authentication.
*
* On success, writes the address of a verification token to auth_token,
* usable to attest password verification to other trusted services. Clients
* may pass NULL for this value.
*
* Parameters:
* - dev: pointer to gatekeeper_device acquired via calls to gatekeeper_open
* - uid: the Android user identifier
*
* - challenge: An optional challenge to authenticate against, or 0. Used when a separate
* authenticator requests password verification, or for transactional
* password authentication.
*
* - enrolled_password_handle: the currently enrolled password handle that the
* user wishes to verify against.
* - enrolled_password_handle_length: the length in bytes of the buffer pointed
* to by enrolled_password_handle
*
* - provided_password: the plaintext password to be verified against the
* enrolled_password_handle
* - provided_password_length: the length in bytes of the buffer pointed to by
* provided_password
*
* - auth_token: on success, a buffer containing the authentication token
* resulting from this verification is assigned to *auth_token. The caller
* is responsible for deallocating this memory via a call to delete[]
* - auth_token_length: on success, the length in bytes of the authentication
* token assigned to *auth_token will be assigned to *auth_token_length
*
* - request_reenroll: a request to the upper layers to re-enroll the verified
* password due to a version change. Not set if verification fails.
*
* Returns:
* - 0 on success
* - An error code < 0 on failure, or
* - A timeout value T > 0 if the call should not be re-attempted until T milliseconds
* have elapsed.
* On error, auth token will not be allocated
*/
int (*verify)(const struct gatekeeper_device *dev, uint32_t uid, uint64_t challenge,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length,
uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll);
};
typedef struct gatekeeper_device gatekeeper_device_t;
static inline int gatekeeper_open(const struct hw_module_t *module,
gatekeeper_device_t **device) {
return module->methods->open(module, HARDWARE_GATEKEEPER,
(struct hw_device_t **) device);
}
static inline int gatekeeper_close(gatekeeper_device_t *device) {
return device->common.close(&device->common);
}
__END_DECLS
#endif // ANDROID_HARDWARE_GATEKEEPER_H