Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_core / a5c24c323d63a289cb55aeae447f546abc8bd2aa / . / adb / daemon / auth.cpp
blob: 1a1e4ad62d226424241363411135b5f00ce0fad9 [file] [log] [blame]
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]1/*
2 * Copyright (C) 2012 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Yabin Cuiaed3c612015-09-22 15:52:57 -0700[diff] [blame]17#define TRACE_TAG AUTH
Dan Albert33134262015-03-19 15:21:08 -0700[diff] [blame]18
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]19#include "sysdeps.h"
Dan Albert33134262015-03-19 15:21:08 -0700[diff] [blame]20
Dan Albert76649012015-02-24 15:51:19 -0800[diff] [blame]21#include <resolv.h>
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]22#include <stdio.h>
23#include <string.h>
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]24
Michael Groover7eeda6b2019-04-25 18:33:35 -0700[diff] [blame]25#include <algorithm>
Joshua Duong5cf78682020-01-21 13:19:42 -0800[diff] [blame]26#include <chrono>
Josh Gao607fd542019-12-09 15:44:57 -0800[diff] [blame]27#include <iomanip>
28#include <map>
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]29#include <memory>
Joshua Duong5cf78682020-01-21 13:19:42 -0800[diff] [blame]30#include <thread>
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]31
Joshua Duong5cf78682020-01-21 13:19:42 -0800[diff] [blame]32#include <adb/crypto/rsa_2048_key.h>
33#include <adb/tls/adb_ca_list.h>
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]34#include <adbd_auth.h>
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]35#include <android-base/file.h>
Josh Gao607fd542019-12-09 15:44:57 -0800[diff] [blame]36#include <android-base/no_destructor.h>
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]37#include <android-base/strings.h>
38#include <crypto_utils/android_pubkey.h>
Mattias Nissler097b6bb2016-03-31 16:32:09 +0200[diff] [blame]39#include <openssl/obj_mac.h>
40#include <openssl/rsa.h>
41#include <openssl/sha.h>
Joshua Duongd85f5c02019-11-20 14:18:43 -0800[diff] [blame]42#include <openssl/ssl.h>
Mattias Nissler097b6bb2016-03-31 16:32:09 +0200[diff] [blame]43
Josh Gao607fd542019-12-09 15:44:57 -0800[diff] [blame]44#include "adb.h"
45#include "adb_auth.h"
46#include "adb_io.h"
Joshua Duongd85f5c02019-11-20 14:18:43 -0800[diff] [blame]47#include "adb_wifi.h"
Josh Gao607fd542019-12-09 15:44:57 -0800[diff] [blame]48#include "fdevent/fdevent.h"
49#include "transport.h"
50#include "types.h"
51
Joshua Duong5cf78682020-01-21 13:19:42 -0800[diff] [blame]52using namespace adb::crypto;
53using namespace adb::tls;
54using namespace std::chrono_literals;
55
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]56static AdbdAuthContext* auth_ctx;
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]57
Joshua Duong5cf78682020-01-21 13:19:42 -0800[diff] [blame]58static RSA* rsa_pkey = nullptr;
59
Michael Groover3857dea2018-12-28 20:35:37 -0800[diff] [blame]60static void adb_disconnected(void* unused, atransport* t);
61static struct adisconnect adb_disconnect = {adb_disconnected, nullptr};
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]62
Josh Gao607fd542019-12-09 15:44:57 -0800[diff] [blame]63static android::base::NoDestructor<std::map<uint32_t, weak_ptr<atransport>>> transports;
64static uint32_t transport_auth_id = 0;
65
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]66bool auth_required = true;
67
Josh Gao607fd542019-12-09 15:44:57 -0800[diff] [blame]68static void* transport_to_callback_arg(atransport* transport) {
69 uint32_t id = transport_auth_id++;
70 (*transports)[id] = transport->weak();
71 return reinterpret_cast<void*>(id);
72}
73
74static atransport* transport_from_callback_arg(void* id) {
75 uint64_t id_u64 = reinterpret_cast<uint64_t>(id);
76 if (id_u64 > std::numeric_limits<uint32_t>::max()) {
77 LOG(FATAL) << "transport_from_callback_arg called on out of range value: " << id_u64;
78 }
79
80 uint32_t id_u32 = static_cast<uint32_t>(id_u64);
81 auto it = transports->find(id_u32);
82 if (it == transports->end()) {
83 LOG(ERROR) << "transport_from_callback_arg failed to find transport for id " << id_u32;
84 return nullptr;
85 }
86
87 atransport* t = it->second.get();
88 if (!t) {
89 LOG(WARNING) << "transport_from_callback_arg found already destructed transport";
90 return nullptr;
91 }
92
93 transports->erase(it);
94 return t;
95}
96
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]97static void IteratePublicKeys(std::function<bool(std::string_view public_key)> f) {
98 adbd_auth_get_public_keys(
99 auth_ctx,
Joshua Duong51378f42020-02-18 18:29:25 -0800[diff] [blame]100 [](void* opaque, const char* public_key, size_t len) {
101 return (*static_cast<decltype(f)*>(opaque))(std::string_view(public_key, len));
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]102 },
103 &f);
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]104}
105
Joshua Duong5cf78682020-01-21 13:19:42 -0800[diff] [blame]106bssl::UniquePtr<STACK_OF(X509_NAME)> adbd_tls_client_ca_list() {
107 if (!auth_required) {
108 return nullptr;
109 }
110
111 bssl::UniquePtr<STACK_OF(X509_NAME)> ca_list(sk_X509_NAME_new_null());
112
113 IteratePublicKeys([&](std::string_view public_key) {
114 // TODO: do we really have to support both ' ' and '\t'?
115 std::vector<std::string> split = android::base::Split(std::string(public_key), " \t");
116 uint8_t keybuf[ANDROID_PUBKEY_ENCODED_SIZE + 1];
117 const std::string& pubkey = split[0];
118 if (b64_pton(pubkey.c_str(), keybuf, sizeof(keybuf)) != ANDROID_PUBKEY_ENCODED_SIZE) {
119 LOG(ERROR) << "Invalid base64 key " << pubkey;
120 return true;
121 }
122
123 RSA* key = nullptr;
124 if (!android_pubkey_decode(keybuf, ANDROID_PUBKEY_ENCODED_SIZE, &key)) {
125 LOG(ERROR) << "Failed to parse key " << pubkey;
126 return true;
127 }
128 bssl::UniquePtr<RSA> rsa_key(key);
129
130 unsigned char* dkey = nullptr;
131 int len = i2d_RSA_PUBKEY(rsa_key.get(), &dkey);
132 if (len <= 0 || dkey == nullptr) {
133 LOG(ERROR) << "Failed to encode RSA public key";
134 return true;
135 }
136
137 uint8_t digest[SHA256_DIGEST_LENGTH];
138 // Put the encoded key in the commonName attribute of the issuer name.
139 // Note that the commonName has a max length of 64 bytes, which is less
140 // than the SHA256_DIGEST_LENGTH.
141 SHA256(dkey, len, digest);
142 OPENSSL_free(dkey);
143
144 auto digest_str = SHA256BitsToHexString(
145 std::string_view(reinterpret_cast<const char*>(&digest[0]), sizeof(digest)));
146 LOG(INFO) << "fingerprint=[" << digest_str << "]";
147 auto issuer = CreateCAIssuerFromEncodedKey(digest_str);
148 CHECK(bssl::PushToStack(ca_list.get(), std::move(issuer)));
149 return true;
150 });
151
152 return ca_list;
153}
154
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]155bool adbd_auth_verify(const char* token, size_t token_size, const std::string& sig,
156 std::string* auth_key) {
157 bool authorized = false;
158 auth_key->clear();
Michael Groover7eeda6b2019-04-25 18:33:35 -0700[diff] [blame]159
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]160 IteratePublicKeys([&](std::string_view public_key) {
161 // TODO: do we really have to support both ' ' and '\t'?
162 std::vector<std::string> split = android::base::Split(std::string(public_key), " \t");
163 uint8_t keybuf[ANDROID_PUBKEY_ENCODED_SIZE + 1];
164 const std::string& pubkey = split[0];
165 if (b64_pton(pubkey.c_str(), keybuf, sizeof(keybuf)) != ANDROID_PUBKEY_ENCODED_SIZE) {
166 LOG(ERROR) << "Invalid base64 key " << pubkey;
167 return true;
168 }
169
170 RSA* key = nullptr;
171 if (!android_pubkey_decode(keybuf, ANDROID_PUBKEY_ENCODED_SIZE, &key)) {
172 LOG(ERROR) << "Failed to parse key " << pubkey;
173 return true;
174 }
175
176 bool verified =
177 (RSA_verify(NID_sha1, reinterpret_cast<const uint8_t*>(token), token_size,
178 reinterpret_cast<const uint8_t*>(sig.c_str()), sig.size(), key) == 1);
179 RSA_free(key);
180 if (verified) {
181 *auth_key = public_key;
182 authorized = true;
183 return false;
184 }
185
186 return true;
187 });
188
189 return authorized;
Michael Groover7eeda6b2019-04-25 18:33:35 -0700[diff] [blame]190}
191
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]192static bool adbd_auth_generate_token(void* token, size_t token_size) {
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]193 FILE* fp = fopen("/dev/urandom", "re");
194 if (!fp) return false;
195 bool okay = (fread(token, token_size, 1, fp) == 1);
196 fclose(fp);
197 return okay;
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]198}
199
Pavel Labath64d9adc2015-03-17 11:03:36 -0700[diff] [blame]200void adbd_cloexec_auth_socket() {
201 int fd = android_get_control_socket("adbd");
202 if (fd == -1) {
Elliott Hughes0aeb5052016-06-29 17:42:01 -0700[diff] [blame]203 PLOG(ERROR) << "Failed to get adbd socket";
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]204 return;
205 }
Nick Kralevichfe8d7f42014-07-18 20:57:35 -0700[diff] [blame]206 fcntl(fd, F_SETFD, FD_CLOEXEC);
Pavel Labath64d9adc2015-03-17 11:03:36 -0700[diff] [blame]207}
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]208
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]209static void adbd_auth_key_authorized(void* arg, uint64_t id) {
Josh Gaoa5c24c32020-06-24 16:25:49 -0700[diff] [blame^]210 LOG(INFO) << "adb client " << id << " authorized";
Josh Gao607fd542019-12-09 15:44:57 -0800[diff] [blame]211 fdevent_run_on_main_thread([=]() {
Josh Gao607fd542019-12-09 15:44:57 -0800[diff] [blame]212 auto* transport = transport_from_callback_arg(arg);
213 if (!transport) {
Josh Gaoa5c24c32020-06-24 16:25:49 -0700[diff] [blame^]214 LOG(ERROR) << "authorization received for deleted transport (" << id << "), ignoring";
Josh Gao607fd542019-12-09 15:44:57 -0800[diff] [blame]215 return;
216 }
Josh Gaoa5c24c32020-06-24 16:25:49 -0700[diff] [blame^]217
218 if (transport->auth_id.has_value()) {
219 if (transport->auth_id.value() != id) {
220 LOG(ERROR)
221 << "authorization received, but auth id doesn't match, ignoring (expected "
222 << transport->auth_id.value() << ", got " << id << ")";
223 return;
224 }
225 } else {
226 // Older versions (i.e. dogfood/beta builds) of libadbd_auth didn't pass the initial
227 // auth id to us, so we'll just have to trust it until R ships and we can retcon this.
228 transport->auth_id = id;
229 }
230
Josh Gao607fd542019-12-09 15:44:57 -0800[diff] [blame]231 adbd_auth_verified(transport);
232 });
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]233}
234
Joshua Duongd85f5c02019-11-20 14:18:43 -0800[diff] [blame]235static void adbd_key_removed(const char* public_key, size_t len) {
236 // The framework removed the key from its keystore. We need to disconnect all
237 // devices using that key. Search by t->auth_key
238 std::string_view auth_key(public_key, len);
239 kick_all_transports_by_auth_key(auth_key);
240}
241
Pavel Labath64d9adc2015-03-17 11:03:36 -0700[diff] [blame]242void adbd_auth_init(void) {
Joshua Duong51378f42020-02-18 18:29:25 -0800[diff] [blame]243 AdbdAuthCallbacksV1 cb;
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]244 cb.version = 1;
Joshua Duong51378f42020-02-18 18:29:25 -0800[diff] [blame]245 cb.key_authorized = adbd_auth_key_authorized;
Joshua Duongd85f5c02019-11-20 14:18:43 -0800[diff] [blame]246 cb.key_removed = adbd_key_removed;
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]247 auth_ctx = adbd_auth_new(&cb);
Joshua Duongd85f5c02019-11-20 14:18:43 -0800[diff] [blame]248 adbd_wifi_init(auth_ctx);
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]249 std::thread([]() {
250 adb_thread_setname("adbd auth");
251 adbd_auth_run(auth_ctx);
252 LOG(FATAL) << "auth thread terminated";
253 }).detach();
Benoit Gobyd5fcafa2012-04-12 12:23:49 -0700[diff] [blame]254}
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]255
256void send_auth_request(atransport* t) {
257 LOG(INFO) << "Calling send_auth_request...";
258
259 if (!adbd_auth_generate_token(t->token, sizeof(t->token))) {
260 PLOG(ERROR) << "Error generating token";
261 return;
262 }
263
264 apacket* p = get_apacket();
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]265 p->msg.command = A_AUTH;
266 p->msg.arg0 = ADB_AUTH_TOKEN;
267 p->msg.data_length = sizeof(t->token);
Josh Gaof571fcb2018-02-05 18:49:10 -0800[diff] [blame]268 p->payload.assign(t->token, t->token + sizeof(t->token));
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]269 send_packet(p, t);
270}
271
Josh Gao184f5712017-07-26 11:06:55 -0700[diff] [blame]272void adbd_auth_verified(atransport* t) {
273 LOG(INFO) << "adb client authorized";
Josh Gao3bd28792016-10-05 19:02:29 -0700[diff] [blame]274 handle_online(t);
275 send_connect(t);
276}
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]277
278static void adb_disconnected(void* unused, atransport* t) {
279 LOG(INFO) << "ADB disconnect";
Josh Gaoa5c24c32020-06-24 16:25:49 -0700[diff] [blame^]280 CHECK(t->auth_id.has_value());
281 adbd_auth_notify_disconnect(auth_ctx, t->auth_id.value());
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]282}
283
284void adbd_auth_confirm_key(atransport* t) {
285 LOG(INFO) << "prompting user to authorize key";
286 t->AddDisconnect(&adb_disconnect);
Josh Gaoa5c24c32020-06-24 16:25:49 -0700[diff] [blame^]287 if (adbd_auth_prompt_user_with_id) {
288 t->auth_id = adbd_auth_prompt_user_with_id(auth_ctx, t->auth_key.data(), t->auth_key.size(),
289 transport_to_callback_arg(t));
290 } else {
291 adbd_auth_prompt_user(auth_ctx, t->auth_key.data(), t->auth_key.size(),
292 transport_to_callback_arg(t));
293 }
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]294}
295
296void adbd_notify_framework_connected_key(atransport* t) {
Joshua Duong5cf78682020-01-21 13:19:42 -0800[diff] [blame]297 t->auth_id = adbd_auth_notify_auth(auth_ctx, t->auth_key.data(), t->auth_key.size());
298}
299
300int adbd_tls_verify_cert(X509_STORE_CTX* ctx, std::string* auth_key) {
301 if (!auth_required) {
302 // Any key will do.
303 LOG(INFO) << __func__ << ": auth not required";
304 return 1;
305 }
306
307 bool authorized = false;
308 X509* cert = X509_STORE_CTX_get0_cert(ctx);
309 if (cert == nullptr) {
310 LOG(INFO) << "got null x509 certificate";
311 return 0;
312 }
313 bssl::UniquePtr<EVP_PKEY> evp_pkey(X509_get_pubkey(cert));
314 if (evp_pkey == nullptr) {
315 LOG(INFO) << "got null evp_pkey from x509 certificate";
316 return 0;
317 }
318
319 IteratePublicKeys([&](std::string_view public_key) {
320 // TODO: do we really have to support both ' ' and '\t'?
321 std::vector<std::string> split = android::base::Split(std::string(public_key), " \t");
322 uint8_t keybuf[ANDROID_PUBKEY_ENCODED_SIZE + 1];
323 const std::string& pubkey = split[0];
324 if (b64_pton(pubkey.c_str(), keybuf, sizeof(keybuf)) != ANDROID_PUBKEY_ENCODED_SIZE) {
325 LOG(ERROR) << "Invalid base64 key " << pubkey;
326 return true;
327 }
328
329 RSA* key = nullptr;
330 if (!android_pubkey_decode(keybuf, ANDROID_PUBKEY_ENCODED_SIZE, &key)) {
331 LOG(ERROR) << "Failed to parse key " << pubkey;
332 return true;
333 }
334
335 bool verified = false;
336 bssl::UniquePtr<EVP_PKEY> known_evp(EVP_PKEY_new());
337 EVP_PKEY_set1_RSA(known_evp.get(), key);
338 if (EVP_PKEY_cmp(known_evp.get(), evp_pkey.get())) {
339 LOG(INFO) << "Matched auth_key=" << public_key;
340 verified = true;
341 } else {
342 LOG(INFO) << "auth_key doesn't match [" << public_key << "]";
343 }
344 RSA_free(key);
345 if (verified) {
346 *auth_key = public_key;
347 authorized = true;
348 return false;
349 }
350
351 return true;
352 });
353
354 return authorized ? 1 : 0;
355}
356
357void adbd_auth_tls_handshake(atransport* t) {
358 if (rsa_pkey == nullptr) {
359 // Generate a random RSA key to feed into the X509 certificate
360 auto rsa_2048 = CreateRSA2048Key();
361 CHECK(rsa_2048.has_value());
362 rsa_pkey = EVP_PKEY_get1_RSA(rsa_2048->GetEvpPkey());
363 CHECK(rsa_pkey);
364 }
365
366 std::thread([t]() {
367 std::string auth_key;
368 if (t->connection()->DoTlsHandshake(rsa_pkey, &auth_key)) {
369 LOG(INFO) << "auth_key=" << auth_key;
370 if (t->IsTcpDevice()) {
371 t->auth_key = auth_key;
372 adbd_wifi_secure_connect(t);
373 } else {
374 adbd_auth_verified(t);
375 adbd_notify_framework_connected_key(t);
376 }
377 } else {
378 // Only allow one attempt at the handshake.
379 t->Kick();
380 }
381 }).detach();
Josh Gao27523262019-10-22 12:30:39 -0700[diff] [blame]382}