Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_core / 275232667d26fd5d77dc3c2654fd02b043e82ebc / . / adb / daemon / auth.cpp
blob: 2e84ce6b9157a38b09fd0bcf356ba69c1cf66b84 [file] [log] [blame]
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]1/*
2 * Copyright (C) 2012 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Yabin Cuiaed3c612015-09-22 15:52:57 -0700[diff] [blame]17#define TRACE_TAG AUTH
Dan Albert33134262015-03-19 15:21:08 -0700[diff] [blame]18
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]19#include "adb.h"
Dan Albert33134262015-03-19 15:21:08 -0700[diff] [blame]20#include "adb_auth.h"
Michael Groover3857dea2018-12-28 20:35:37 -0800[diff] [blame]21#include "adb_io.h"
Josh Gao57e09b12019-06-28 13:50:37 -0700[diff] [blame]22#include "fdevent/fdevent.h"
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]23#include "sysdeps.h"
24#include "transport.h"
Dan Albert33134262015-03-19 15:21:08 -0700[diff] [blame]25
Dan Albert76649012015-02-24 15:51:19 -0800[diff] [blame]26#include <resolv.h>
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]27#include <stdio.h>
28#include <string.h>
Michael Groover7eeda6b2019-04-25 18:33:35 -0700[diff] [blame]29#include <iomanip>
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]30
Michael Groover7eeda6b2019-04-25 18:33:35 -0700[diff] [blame]31#include <algorithm>
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]32#include <memory>
33
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame^]34#include <adbd_auth.h>
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]35#include <android-base/file.h>
36#include <android-base/strings.h>
37#include <crypto_utils/android_pubkey.h>
Mattias Nissler097b6bb2016-03-31 16:32:09 +0200[diff] [blame]38#include <openssl/obj_mac.h>
39#include <openssl/rsa.h>
40#include <openssl/sha.h>
41
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame^]42static AdbdAuthContext* auth_ctx;
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]43
Michael Groover3857dea2018-12-28 20:35:37 -0800[diff] [blame]44static void adb_disconnected(void* unused, atransport* t);
45static struct adisconnect adb_disconnect = {adb_disconnected, nullptr};
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]46
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]47bool auth_required = true;
48
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame^]49static void IteratePublicKeys(std::function<bool(std::string_view public_key)> f) {
50 adbd_auth_get_public_keys(
51 auth_ctx,
52 [](const char* public_key, size_t len, void* arg) {
53 return (*static_cast<decltype(f)*>(arg))(std::string_view(public_key, len));
54 },
55 &f);
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]56}
57
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame^]58bool adbd_auth_verify(const char* token, size_t token_size, const std::string& sig,
59 std::string* auth_key) {
60 bool authorized = false;
61 auth_key->clear();
Michael Groover7eeda6b2019-04-25 18:33:35 -0700[diff] [blame]62
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame^]63 IteratePublicKeys([&](std::string_view public_key) {
64 // TODO: do we really have to support both ' ' and '\t'?
65 std::vector<std::string> split = android::base::Split(std::string(public_key), " \t");
66 uint8_t keybuf[ANDROID_PUBKEY_ENCODED_SIZE + 1];
67 const std::string& pubkey = split[0];
68 if (b64_pton(pubkey.c_str(), keybuf, sizeof(keybuf)) != ANDROID_PUBKEY_ENCODED_SIZE) {
69 LOG(ERROR) << "Invalid base64 key " << pubkey;
70 return true;
71 }
72
73 RSA* key = nullptr;
74 if (!android_pubkey_decode(keybuf, ANDROID_PUBKEY_ENCODED_SIZE, &key)) {
75 LOG(ERROR) << "Failed to parse key " << pubkey;
76 return true;
77 }
78
79 bool verified =
80 (RSA_verify(NID_sha1, reinterpret_cast<const uint8_t*>(token), token_size,
81 reinterpret_cast<const uint8_t*>(sig.c_str()), sig.size(), key) == 1);
82 RSA_free(key);
83 if (verified) {
84 *auth_key = public_key;
85 authorized = true;
86 return false;
87 }
88
89 return true;
90 });
91
92 return authorized;
Michael Groover7eeda6b2019-04-25 18:33:35 -0700[diff] [blame]93}
94
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]95static bool adbd_auth_generate_token(void* token, size_t token_size) {
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]96 FILE* fp = fopen("/dev/urandom", "re");
97 if (!fp) return false;
98 bool okay = (fread(token, token_size, 1, fp) == 1);
99 fclose(fp);
100 return okay;
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]101}
102
Pavel Labath64d9adc2015-03-17 11:03:36 -0700[diff] [blame]103void adbd_cloexec_auth_socket() {
104 int fd = android_get_control_socket("adbd");
105 if (fd == -1) {
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]106 PLOG(ERROR) << "Failed to get adbd socket";
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]107 return;
108 }
Nick Kralevichfe8d7f42014-07-18 20:57:35 -0700[diff] [blame]109 fcntl(fd, F_SETFD, FD_CLOEXEC);
Pavel Labath64d9adc2015-03-17 11:03:36 -0700[diff] [blame]110}
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]111
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame^]112static void adbd_auth_key_authorized(void* arg, uint64_t id) {
113 LOG(INFO) << "adb client authorized";
114 auto* transport = static_cast<atransport*>(arg);
115 transport->auth_id = id;
116 adbd_auth_verified(transport);
117}
118
Pavel Labath64d9adc2015-03-17 11:03:36 -0700[diff] [blame]119void adbd_auth_init(void) {
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame^]120 AdbdAuthCallbacks cb;
121 cb.version = 1;
122 cb.callbacks.v1.key_authorized = adbd_auth_key_authorized;
123 auth_ctx = adbd_auth_new(&cb);
124 std::thread([]() {
125 adb_thread_setname("adbd auth");
126 adbd_auth_run(auth_ctx);
127 LOG(FATAL) << "auth thread terminated";
128 }).detach();
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]129}
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]130
131void send_auth_request(atransport* t) {
132 LOG(INFO) << "Calling send_auth_request...";
133
134 if (!adbd_auth_generate_token(t->token, sizeof(t->token))) {
135 PLOG(ERROR) << "Error generating token";
136 return;
137 }
138
139 apacket* p = get_apacket();
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]140 p->msg.command = A_AUTH;
141 p->msg.arg0 = ADB_AUTH_TOKEN;
142 p->msg.data_length = sizeof(t->token);
Josh Gaof571fcb2018-02-05 18:49:10 -0800[diff] [blame]143 p->payload.assign(t->token, t->token + sizeof(t->token));
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]144 send_packet(p, t);
145}
146
Josh Gao184f5712017-07-26 11:06:55 -0700[diff] [blame]147void adbd_auth_verified(atransport* t) {
148 LOG(INFO) << "adb client authorized";
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]149 handle_online(t);
150 send_connect(t);
151}
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame^]152
153static void adb_disconnected(void* unused, atransport* t) {
154 LOG(INFO) << "ADB disconnect";
155 adbd_auth_notify_disconnect(auth_ctx, t->auth_id);
156}
157
158void adbd_auth_confirm_key(atransport* t) {
159 LOG(INFO) << "prompting user to authorize key";
160 t->AddDisconnect(&adb_disconnect);
161 adbd_auth_prompt_user(auth_ctx, t->auth_key.data(), t->auth_key.size(), t);
162}
163
164void adbd_notify_framework_connected_key(atransport* t) {
165 adbd_auth_notify_auth(auth_ctx, t->auth_key.data(), t->auth_key.size());
166}