1 /*
2 * Copyright (C) 2012 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define TRACE_TAG AUTH
18
19 #include "adb.h"
20 #include "adb_auth.h"
21 #include "fdevent.h"
22 #include "sysdeps.h"
23 #include "transport.h"
24
25 #include <resolv.h>
26 #include <stdio.h>
27 #include <string.h>
28
29 #include <memory>
30
31 #include <android-base/file.h>
32 #include <android-base/strings.h>
33 #include <crypto_utils/android_pubkey.h>
34 #include <openssl/obj_mac.h>
35 #include <openssl/rsa.h>
36 #include <openssl/sha.h>
37
38 static fdevent listener_fde;
39 static fdevent framework_fde;
40 static int framework_fd = -1;
41
42 static void usb_disconnected(void* unused, atransport* t);
43 static struct adisconnect usb_disconnect = { usb_disconnected, nullptr};
44 static atransport* usb_transport;
45 static bool needs_retry = false;
46
47 bool auth_required = true;
48
adbd_auth_verify(const char * token,size_t token_size,const std::string & sig)49 bool adbd_auth_verify(const char* token, size_t token_size, const std::string& sig) {
50 static constexpr const char* key_paths[] = { "/adb_keys", "/data/misc/adb/adb_keys", nullptr };
51
52 for (const auto& path : key_paths) {
53 if (access(path, R_OK) == 0) {
54 LOG(INFO) << "Loading keys from " << path;
55
56 std::string content;
57 if (!android::base::ReadFileToString(path, &content)) {
58 PLOG(ERROR) << "Couldn't read " << path;
59 continue;
60 }
61
62 for (const auto& line : android::base::Split(content, "\n")) {
63 // TODO: do we really have to support both ' ' and '\t'?
64 char* sep = strpbrk(const_cast<char*>(line.c_str()), " \t");
65 if (sep) *sep = '\0';
66
67 // b64_pton requires one additional byte in the target buffer for
68 // decoding to succeed. See http://b/28035006 for details.
69 uint8_t keybuf[ANDROID_PUBKEY_ENCODED_SIZE + 1];
70 if (__b64_pton(line.c_str(), keybuf, sizeof(keybuf)) != ANDROID_PUBKEY_ENCODED_SIZE) {
71 LOG(ERROR) << "Invalid base64 key " << line.c_str() << " in " << path;
72 continue;
73 }
74
75 RSA* key = nullptr;
76 if (!android_pubkey_decode(keybuf, ANDROID_PUBKEY_ENCODED_SIZE, &key)) {
77 LOG(ERROR) << "Failed to parse key " << line.c_str() << " in " << path;
78 continue;
79 }
80
81 bool verified =
82 (RSA_verify(NID_sha1, reinterpret_cast<const uint8_t*>(token), token_size,
83 reinterpret_cast<const uint8_t*>(sig.c_str()), sig.size(),
84 key) == 1);
85 RSA_free(key);
86 if (verified) return true;
87 }
88 }
89 }
90 return false;
91 }
92
adbd_auth_generate_token(void * token,size_t token_size)93 static bool adbd_auth_generate_token(void* token, size_t token_size) {
94 FILE* fp = fopen("/dev/urandom", "re");
95 if (!fp) return false;
96 bool okay = (fread(token, token_size, 1, fp) == 1);
97 fclose(fp);
98 return okay;
99 }
100
usb_disconnected(void * unused,atransport * t)101 static void usb_disconnected(void* unused, atransport* t) {
102 LOG(INFO) << "USB disconnect";
103 usb_transport = NULL;
104 needs_retry = false;
105 }
106
framework_disconnected()107 static void framework_disconnected() {
108 LOG(INFO) << "Framework disconnect";
109 fdevent_remove(&framework_fde);
110 framework_fd = -1;
111 }
112
adbd_auth_event(int fd,unsigned events,void *)113 static void adbd_auth_event(int fd, unsigned events, void*) {
114 if (events & FDE_READ) {
115 char response[2];
116 int ret = unix_read(fd, response, sizeof(response));
117 if (ret <= 0) {
118 framework_disconnected();
119 } else if (ret == 2 && response[0] == 'O' && response[1] == 'K') {
120 if (usb_transport) {
121 adbd_auth_verified(usb_transport);
122 }
123 }
124 }
125 }
126
adbd_auth_confirm_key(const char * key,size_t len,atransport * t)127 void adbd_auth_confirm_key(const char* key, size_t len, atransport* t) {
128 if (!usb_transport) {
129 usb_transport = t;
130 t->AddDisconnect(&usb_disconnect);
131 }
132
133 if (framework_fd < 0) {
134 LOG(ERROR) << "Client not connected";
135 needs_retry = true;
136 return;
137 }
138
139 if (key[len - 1] != '\0') {
140 LOG(ERROR) << "Key must be a null-terminated string";
141 return;
142 }
143
144 char msg[MAX_PAYLOAD_V1];
145 int msg_len = snprintf(msg, sizeof(msg), "PK%s", key);
146 if (msg_len >= static_cast<int>(sizeof(msg))) {
147 LOG(ERROR) << "Key too long (" << msg_len << ")";
148 return;
149 }
150 LOG(DEBUG) << "Sending '" << msg << "'";
151
152 if (unix_write(framework_fd, msg, msg_len) == -1) {
153 PLOG(ERROR) << "Failed to write PK";
154 return;
155 }
156 }
157
adbd_auth_listener(int fd,unsigned events,void * data)158 static void adbd_auth_listener(int fd, unsigned events, void* data) {
159 int s = adb_socket_accept(fd, nullptr, nullptr);
160 if (s < 0) {
161 PLOG(ERROR) << "Failed to accept";
162 return;
163 }
164
165 if (framework_fd >= 0) {
166 LOG(WARNING) << "adb received framework auth socket connection again";
167 framework_disconnected();
168 }
169
170 framework_fd = s;
171 fdevent_install(&framework_fde, framework_fd, adbd_auth_event, nullptr);
172 fdevent_add(&framework_fde, FDE_READ);
173
174 if (needs_retry) {
175 needs_retry = false;
176 send_auth_request(usb_transport);
177 }
178 }
179
adbd_cloexec_auth_socket()180 void adbd_cloexec_auth_socket() {
181 int fd = android_get_control_socket("adbd");
182 if (fd == -1) {
183 PLOG(ERROR) << "Failed to get adbd socket";
184 return;
185 }
186 fcntl(fd, F_SETFD, FD_CLOEXEC);
187 }
188
adbd_auth_init(void)189 void adbd_auth_init(void) {
190 int fd = android_get_control_socket("adbd");
191 if (fd == -1) {
192 PLOG(ERROR) << "Failed to get adbd socket";
193 return;
194 }
195
196 if (listen(fd, 4) == -1) {
197 PLOG(ERROR) << "Failed to listen on '" << fd << "'";
198 return;
199 }
200
201 fdevent_install(&listener_fde, fd, adbd_auth_listener, NULL);
202 fdevent_add(&listener_fde, FDE_READ);
203 }
204
send_auth_request(atransport * t)205 void send_auth_request(atransport* t) {
206 LOG(INFO) << "Calling send_auth_request...";
207
208 if (!adbd_auth_generate_token(t->token, sizeof(t->token))) {
209 PLOG(ERROR) << "Error generating token";
210 return;
211 }
212
213 apacket* p = get_apacket();
214 p->msg.command = A_AUTH;
215 p->msg.arg0 = ADB_AUTH_TOKEN;
216 p->msg.data_length = sizeof(t->token);
217 p->payload.assign(t->token, t->token + sizeof(t->token));
218 send_packet(p, t);
219 }
220
adbd_auth_verified(atransport * t)221 void adbd_auth_verified(atransport* t) {
222 LOG(INFO) << "adb client authorized";
223 handle_online(t);
224 send_connect(t);
225 }
226