• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define TRACE_TAG AUTH
18 
19 #include "adb.h"
20 #include "adb_auth.h"
21 #include "adb_io.h"
22 #include "fdevent.h"
23 #include "sysdeps.h"
24 #include "transport.h"
25 
26 #include <resolv.h>
27 #include <stdio.h>
28 #include <string.h>
29 #include <iomanip>
30 
31 #include <algorithm>
32 #include <memory>
33 
34 #include <android-base/file.h>
35 #include <android-base/strings.h>
36 #include <crypto_utils/android_pubkey.h>
37 #include <openssl/obj_mac.h>
38 #include <openssl/rsa.h>
39 #include <openssl/sha.h>
40 
41 static fdevent* listener_fde = nullptr;
42 static fdevent* framework_fde = nullptr;
43 static auto& framework_mutex = *new std::mutex();
44 static int framework_fd GUARDED_BY(framework_mutex) = -1;
45 static auto& connected_keys GUARDED_BY(framework_mutex) = *new std::vector<std::string>;
46 
47 static void adb_disconnected(void* unused, atransport* t);
48 static struct adisconnect adb_disconnect = {adb_disconnected, nullptr};
49 static atransport* adb_transport;
50 static bool needs_retry = false;
51 
52 bool auth_required = true;
53 
adbd_auth_verify(const char * token,size_t token_size,const std::string & sig,std::string * auth_key)54 bool adbd_auth_verify(const char* token, size_t token_size, const std::string& sig,
55                       std::string* auth_key) {
56     static constexpr const char* key_paths[] = { "/adb_keys", "/data/misc/adb/adb_keys", nullptr };
57 
58     for (const auto& path : key_paths) {
59         if (access(path, R_OK) == 0) {
60             LOG(INFO) << "Loading keys from " << path;
61             std::string content;
62             if (!android::base::ReadFileToString(path, &content)) {
63                 PLOG(ERROR) << "Couldn't read " << path;
64                 continue;
65             }
66 
67             for (const auto& line : android::base::Split(content, "\n")) {
68                 if (line.empty()) continue;
69                 *auth_key = line;
70                 // TODO: do we really have to support both ' ' and '\t'?
71                 char* sep = strpbrk(const_cast<char*>(line.c_str()), " \t");
72                 if (sep) *sep = '\0';
73 
74                 // b64_pton requires one additional byte in the target buffer for
75                 // decoding to succeed. See http://b/28035006 for details.
76                 uint8_t keybuf[ANDROID_PUBKEY_ENCODED_SIZE + 1];
77                 if (b64_pton(line.c_str(), keybuf, sizeof(keybuf)) != ANDROID_PUBKEY_ENCODED_SIZE) {
78                     LOG(ERROR) << "Invalid base64 key " << line.c_str() << " in " << path;
79                     continue;
80                 }
81 
82                 RSA* key = nullptr;
83                 if (!android_pubkey_decode(keybuf, ANDROID_PUBKEY_ENCODED_SIZE, &key)) {
84                     LOG(ERROR) << "Failed to parse key " << line.c_str() << " in " << path;
85                     continue;
86                 }
87 
88                 bool verified =
89                     (RSA_verify(NID_sha1, reinterpret_cast<const uint8_t*>(token), token_size,
90                                 reinterpret_cast<const uint8_t*>(sig.c_str()), sig.size(),
91                                 key) == 1);
92                 RSA_free(key);
93                 if (verified) return true;
94             }
95         }
96     }
97     auth_key->clear();
98     return false;
99 }
100 
adbd_send_key_message_locked(std::string_view msg_type,std::string_view key)101 static bool adbd_send_key_message_locked(std::string_view msg_type, std::string_view key)
102         REQUIRES(framework_mutex) {
103     if (framework_fd < 0) {
104         LOG(ERROR) << "Client not connected to send msg_type " << msg_type;
105         return false;
106     }
107     std::string msg = std::string(msg_type) + std::string(key);
108     int msg_len = msg.length();
109     if (msg_len >= static_cast<int>(MAX_FRAMEWORK_PAYLOAD)) {
110         LOG(ERROR) << "Key too long (" << msg_len << ")";
111         return false;
112     }
113 
114     LOG(DEBUG) << "Sending '" << msg << "'";
115     if (!WriteFdExactly(framework_fd, msg.c_str(), msg_len)) {
116         PLOG(ERROR) << "Failed to write " << msg_type;
117         return false;
118     }
119     return true;
120 }
121 
adbd_auth_generate_token(void * token,size_t token_size)122 static bool adbd_auth_generate_token(void* token, size_t token_size) {
123     FILE* fp = fopen("/dev/urandom", "re");
124     if (!fp) return false;
125     bool okay = (fread(token, token_size, 1, fp) == 1);
126     fclose(fp);
127     return okay;
128 }
129 
adb_disconnected(void * unused,atransport * t)130 static void adb_disconnected(void* unused, atransport* t) {
131     LOG(INFO) << "ADB disconnect";
132     adb_transport = nullptr;
133     needs_retry = false;
134     {
135         std::lock_guard<std::mutex> lock(framework_mutex);
136         if (framework_fd >= 0) {
137             adbd_send_key_message_locked("DC", t->auth_key);
138         }
139         connected_keys.erase(std::remove(connected_keys.begin(), connected_keys.end(), t->auth_key),
140                              connected_keys.end());
141     }
142 }
143 
framework_disconnected()144 static void framework_disconnected() {
145     LOG(INFO) << "Framework disconnect";
146     if (framework_fde) {
147         fdevent_destroy(framework_fde);
148         {
149             std::lock_guard<std::mutex> lock(framework_mutex);
150             framework_fd = -1;
151         }
152     }
153 }
154 
adbd_auth_event(int fd,unsigned events,void *)155 static void adbd_auth_event(int fd, unsigned events, void*) {
156     if (events & FDE_READ) {
157         char response[2];
158         int ret = unix_read(fd, response, sizeof(response));
159         if (ret <= 0) {
160             framework_disconnected();
161         } else if (ret == 2 && response[0] == 'O' && response[1] == 'K') {
162             if (adb_transport) {
163                 adbd_auth_verified(adb_transport);
164             }
165         }
166     }
167 }
168 
adbd_auth_confirm_key(atransport * t)169 void adbd_auth_confirm_key(atransport* t) {
170     if (!adb_transport) {
171         adb_transport = t;
172         t->AddDisconnect(&adb_disconnect);
173     }
174 
175     {
176         std::lock_guard<std::mutex> lock(framework_mutex);
177         if (framework_fd < 0) {
178             LOG(ERROR) << "Client not connected";
179             needs_retry = true;
180             return;
181         }
182 
183         adbd_send_key_message_locked("PK", t->auth_key);
184     }
185 }
186 
adbd_auth_listener(int fd,unsigned events,void * data)187 static void adbd_auth_listener(int fd, unsigned events, void* data) {
188     int s = adb_socket_accept(fd, nullptr, nullptr);
189     if (s < 0) {
190         PLOG(ERROR) << "Failed to accept";
191         return;
192     }
193 
194     {
195         std::lock_guard<std::mutex> lock(framework_mutex);
196         if (framework_fd >= 0) {
197             LOG(WARNING) << "adb received framework auth socket connection again";
198             framework_disconnected();
199         }
200 
201         framework_fd = s;
202         framework_fde = fdevent_create(framework_fd, adbd_auth_event, nullptr);
203         fdevent_add(framework_fde, FDE_READ);
204 
205         if (needs_retry) {
206             needs_retry = false;
207             send_auth_request(adb_transport);
208         }
209 
210         // if a client connected before the framework was available notify the framework of the
211         // connected key now.
212         if (!connected_keys.empty()) {
213             for (const auto& key : connected_keys) {
214                 adbd_send_key_message_locked("CK", key);
215             }
216         }
217     }
218 }
219 
adbd_notify_framework_connected_key(atransport * t)220 void adbd_notify_framework_connected_key(atransport* t) {
221     if (!adb_transport) {
222         adb_transport = t;
223         t->AddDisconnect(&adb_disconnect);
224     }
225     {
226         std::lock_guard<std::mutex> lock(framework_mutex);
227         if (std::find(connected_keys.begin(), connected_keys.end(), t->auth_key) ==
228             connected_keys.end()) {
229             connected_keys.push_back(t->auth_key);
230         }
231         if (framework_fd >= 0) {
232             adbd_send_key_message_locked("CK", t->auth_key);
233         }
234     }
235 }
236 
adbd_cloexec_auth_socket()237 void adbd_cloexec_auth_socket() {
238     int fd = android_get_control_socket("adbd");
239     if (fd == -1) {
240         PLOG(ERROR) << "Failed to get adbd socket";
241         return;
242     }
243     fcntl(fd, F_SETFD, FD_CLOEXEC);
244 }
245 
adbd_auth_init(void)246 void adbd_auth_init(void) {
247     int fd = android_get_control_socket("adbd");
248     if (fd == -1) {
249         PLOG(ERROR) << "Failed to get adbd socket";
250         return;
251     }
252 
253     if (listen(fd, 4) == -1) {
254         PLOG(ERROR) << "Failed to listen on '" << fd << "'";
255         return;
256     }
257 
258     listener_fde = fdevent_create(fd, adbd_auth_listener, nullptr);
259     fdevent_add(listener_fde, FDE_READ);
260 }
261 
send_auth_request(atransport * t)262 void send_auth_request(atransport* t) {
263     LOG(INFO) << "Calling send_auth_request...";
264 
265     if (!adbd_auth_generate_token(t->token, sizeof(t->token))) {
266         PLOG(ERROR) << "Error generating token";
267         return;
268     }
269 
270     apacket* p = get_apacket();
271     p->msg.command = A_AUTH;
272     p->msg.arg0 = ADB_AUTH_TOKEN;
273     p->msg.data_length = sizeof(t->token);
274     p->payload.assign(t->token, t->token + sizeof(t->token));
275     send_packet(p, t);
276 }
277 
adbd_auth_verified(atransport * t)278 void adbd_auth_verified(atransport* t) {
279     LOG(INFO) << "adb client authorized";
280     handle_online(t);
281     send_connect(t);
282 }
283