1 /*
2 * Copyright (C) 2012 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define TRACE_TAG AUTH
18
19 #include "adb.h"
20 #include "adb_auth.h"
21 #include "adb_io.h"
22 #include "fdevent.h"
23 #include "sysdeps.h"
24 #include "transport.h"
25
26 #include <resolv.h>
27 #include <stdio.h>
28 #include <string.h>
29 #include <iomanip>
30
31 #include <algorithm>
32 #include <memory>
33
34 #include <android-base/file.h>
35 #include <android-base/strings.h>
36 #include <crypto_utils/android_pubkey.h>
37 #include <openssl/obj_mac.h>
38 #include <openssl/rsa.h>
39 #include <openssl/sha.h>
40
41 static fdevent* listener_fde = nullptr;
42 static fdevent* framework_fde = nullptr;
43 static auto& framework_mutex = *new std::mutex();
44 static int framework_fd GUARDED_BY(framework_mutex) = -1;
45 static auto& connected_keys GUARDED_BY(framework_mutex) = *new std::vector<std::string>;
46
47 static void adb_disconnected(void* unused, atransport* t);
48 static struct adisconnect adb_disconnect = {adb_disconnected, nullptr};
49 static atransport* adb_transport;
50 static bool needs_retry = false;
51
52 bool auth_required = true;
53
adbd_auth_verify(const char * token,size_t token_size,const std::string & sig,std::string * auth_key)54 bool adbd_auth_verify(const char* token, size_t token_size, const std::string& sig,
55 std::string* auth_key) {
56 static constexpr const char* key_paths[] = { "/adb_keys", "/data/misc/adb/adb_keys", nullptr };
57
58 for (const auto& path : key_paths) {
59 if (access(path, R_OK) == 0) {
60 LOG(INFO) << "Loading keys from " << path;
61 std::string content;
62 if (!android::base::ReadFileToString(path, &content)) {
63 PLOG(ERROR) << "Couldn't read " << path;
64 continue;
65 }
66
67 for (const auto& line : android::base::Split(content, "\n")) {
68 if (line.empty()) continue;
69 *auth_key = line;
70 // TODO: do we really have to support both ' ' and '\t'?
71 char* sep = strpbrk(const_cast<char*>(line.c_str()), " \t");
72 if (sep) *sep = '\0';
73
74 // b64_pton requires one additional byte in the target buffer for
75 // decoding to succeed. See http://b/28035006 for details.
76 uint8_t keybuf[ANDROID_PUBKEY_ENCODED_SIZE + 1];
77 if (b64_pton(line.c_str(), keybuf, sizeof(keybuf)) != ANDROID_PUBKEY_ENCODED_SIZE) {
78 LOG(ERROR) << "Invalid base64 key " << line.c_str() << " in " << path;
79 continue;
80 }
81
82 RSA* key = nullptr;
83 if (!android_pubkey_decode(keybuf, ANDROID_PUBKEY_ENCODED_SIZE, &key)) {
84 LOG(ERROR) << "Failed to parse key " << line.c_str() << " in " << path;
85 continue;
86 }
87
88 bool verified =
89 (RSA_verify(NID_sha1, reinterpret_cast<const uint8_t*>(token), token_size,
90 reinterpret_cast<const uint8_t*>(sig.c_str()), sig.size(),
91 key) == 1);
92 RSA_free(key);
93 if (verified) return true;
94 }
95 }
96 }
97 auth_key->clear();
98 return false;
99 }
100
adbd_send_key_message_locked(std::string_view msg_type,std::string_view key)101 static bool adbd_send_key_message_locked(std::string_view msg_type, std::string_view key)
102 REQUIRES(framework_mutex) {
103 if (framework_fd < 0) {
104 LOG(ERROR) << "Client not connected to send msg_type " << msg_type;
105 return false;
106 }
107 std::string msg = std::string(msg_type) + std::string(key);
108 int msg_len = msg.length();
109 if (msg_len >= static_cast<int>(MAX_FRAMEWORK_PAYLOAD)) {
110 LOG(ERROR) << "Key too long (" << msg_len << ")";
111 return false;
112 }
113
114 LOG(DEBUG) << "Sending '" << msg << "'";
115 if (!WriteFdExactly(framework_fd, msg.c_str(), msg_len)) {
116 PLOG(ERROR) << "Failed to write " << msg_type;
117 return false;
118 }
119 return true;
120 }
121
adbd_auth_generate_token(void * token,size_t token_size)122 static bool adbd_auth_generate_token(void* token, size_t token_size) {
123 FILE* fp = fopen("/dev/urandom", "re");
124 if (!fp) return false;
125 bool okay = (fread(token, token_size, 1, fp) == 1);
126 fclose(fp);
127 return okay;
128 }
129
adb_disconnected(void * unused,atransport * t)130 static void adb_disconnected(void* unused, atransport* t) {
131 LOG(INFO) << "ADB disconnect";
132 adb_transport = nullptr;
133 needs_retry = false;
134 {
135 std::lock_guard<std::mutex> lock(framework_mutex);
136 if (framework_fd >= 0) {
137 adbd_send_key_message_locked("DC", t->auth_key);
138 }
139 connected_keys.erase(std::remove(connected_keys.begin(), connected_keys.end(), t->auth_key),
140 connected_keys.end());
141 }
142 }
143
framework_disconnected()144 static void framework_disconnected() {
145 LOG(INFO) << "Framework disconnect";
146 if (framework_fde) {
147 fdevent_destroy(framework_fde);
148 {
149 std::lock_guard<std::mutex> lock(framework_mutex);
150 framework_fd = -1;
151 }
152 }
153 }
154
adbd_auth_event(int fd,unsigned events,void *)155 static void adbd_auth_event(int fd, unsigned events, void*) {
156 if (events & FDE_READ) {
157 char response[2];
158 int ret = unix_read(fd, response, sizeof(response));
159 if (ret <= 0) {
160 framework_disconnected();
161 } else if (ret == 2 && response[0] == 'O' && response[1] == 'K') {
162 if (adb_transport) {
163 adbd_auth_verified(adb_transport);
164 }
165 }
166 }
167 }
168
adbd_auth_confirm_key(atransport * t)169 void adbd_auth_confirm_key(atransport* t) {
170 if (!adb_transport) {
171 adb_transport = t;
172 t->AddDisconnect(&adb_disconnect);
173 }
174
175 {
176 std::lock_guard<std::mutex> lock(framework_mutex);
177 if (framework_fd < 0) {
178 LOG(ERROR) << "Client not connected";
179 needs_retry = true;
180 return;
181 }
182
183 adbd_send_key_message_locked("PK", t->auth_key);
184 }
185 }
186
adbd_auth_listener(int fd,unsigned events,void * data)187 static void adbd_auth_listener(int fd, unsigned events, void* data) {
188 int s = adb_socket_accept(fd, nullptr, nullptr);
189 if (s < 0) {
190 PLOG(ERROR) << "Failed to accept";
191 return;
192 }
193
194 {
195 std::lock_guard<std::mutex> lock(framework_mutex);
196 if (framework_fd >= 0) {
197 LOG(WARNING) << "adb received framework auth socket connection again";
198 framework_disconnected();
199 }
200
201 framework_fd = s;
202 framework_fde = fdevent_create(framework_fd, adbd_auth_event, nullptr);
203 fdevent_add(framework_fde, FDE_READ);
204
205 if (needs_retry) {
206 needs_retry = false;
207 send_auth_request(adb_transport);
208 }
209
210 // if a client connected before the framework was available notify the framework of the
211 // connected key now.
212 if (!connected_keys.empty()) {
213 for (const auto& key : connected_keys) {
214 adbd_send_key_message_locked("CK", key);
215 }
216 }
217 }
218 }
219
adbd_notify_framework_connected_key(atransport * t)220 void adbd_notify_framework_connected_key(atransport* t) {
221 if (!adb_transport) {
222 adb_transport = t;
223 t->AddDisconnect(&adb_disconnect);
224 }
225 {
226 std::lock_guard<std::mutex> lock(framework_mutex);
227 if (std::find(connected_keys.begin(), connected_keys.end(), t->auth_key) ==
228 connected_keys.end()) {
229 connected_keys.push_back(t->auth_key);
230 }
231 if (framework_fd >= 0) {
232 adbd_send_key_message_locked("CK", t->auth_key);
233 }
234 }
235 }
236
adbd_cloexec_auth_socket()237 void adbd_cloexec_auth_socket() {
238 int fd = android_get_control_socket("adbd");
239 if (fd == -1) {
240 PLOG(ERROR) << "Failed to get adbd socket";
241 return;
242 }
243 fcntl(fd, F_SETFD, FD_CLOEXEC);
244 }
245
adbd_auth_init(void)246 void adbd_auth_init(void) {
247 int fd = android_get_control_socket("adbd");
248 if (fd == -1) {
249 PLOG(ERROR) << "Failed to get adbd socket";
250 return;
251 }
252
253 if (listen(fd, 4) == -1) {
254 PLOG(ERROR) << "Failed to listen on '" << fd << "'";
255 return;
256 }
257
258 listener_fde = fdevent_create(fd, adbd_auth_listener, nullptr);
259 fdevent_add(listener_fde, FDE_READ);
260 }
261
send_auth_request(atransport * t)262 void send_auth_request(atransport* t) {
263 LOG(INFO) << "Calling send_auth_request...";
264
265 if (!adbd_auth_generate_token(t->token, sizeof(t->token))) {
266 PLOG(ERROR) << "Error generating token";
267 return;
268 }
269
270 apacket* p = get_apacket();
271 p->msg.command = A_AUTH;
272 p->msg.arg0 = ADB_AUTH_TOKEN;
273 p->msg.data_length = sizeof(t->token);
274 p->payload.assign(t->token, t->token + sizeof(t->token));
275 send_packet(p, t);
276 }
277
adbd_auth_verified(atransport * t)278 void adbd_auth_verified(atransport* t) {
279 LOG(INFO) << "adb client authorized";
280 handle_online(t);
281 send_connect(t);
282 }
283