tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_core/adb/daemon/auth.cpp

211 lines
6.4 KiB
C++
Raw Normal View History

adb: Add public key authentification Secure adb using a public key authentication, to allow USB debugging only from authorized hosts. When a device is connected to an unauthorized host, the adb daemon sends the user public key to the device. A popup is shown to ask the user to allow debugging once or permanantly from the host. The public key is installed on the device in the later case. Other keys may be installed at build time. On the host, the user public/private key pair is automatically generated, if it does not exist, when the adb daemon starts and is stored in $HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed, the ADB_KEYS_PATH env variable may be set to a :-separated (; under Windows) list of private keys, e.g. company-wide or vendor keys. On the device, vendors public keys are installed at build time in /adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys. ADB Protocol change: If the device needs to authenticate the host, it replies to CNXN packets with an AUTH packet. The AUTH packet payload is a random token. The host signs the token with one of its private keys and sends an AUTH(0) packet. If the signature verification succeeds, the device replies with a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so that the host can retry with another private key. Once the host has tried all its keys, it can send an AUTH(1) packet with a public key as payload. adbd then sends the public key to the framework (if it has been started) for confirmation. Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
2012-04-12 21:23:49 +02:00
/*
* Copyright (C) 2012 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
Adb: use VLOG() to replace D() for verbose logging. As there are too many D(), we can keep both VLOG() and D() now, and get rid of D() gradually. Change-Id: I2f1cb70bcab3e82c99fed939341d03f6b2216076
2015-09-23 00:52:57 +02:00
#define TRACE_TAG AUTH
File header cleanup. * sysdeps.h should always be included first. * TRACE_TAG needs to be defined before anything is included. * Some files were missing copyright headers. * Save precious bytes on my SSD by removing useless whitespace. Change-Id: I88980e6e00b5be1093806cf286740d9e4a033b94
2015-03-19 23:21:08 +01:00
Clean up key handling in adb. This includes the locking we need to be able to re-load the keys at runtime. We should rename "adb_auth_client.cpp" to "adb_auth_adbd.cpp" or "adbd_auth.cpp" in a later change. Change-Id: I9e1d5b6b7d0497d6f6e5d9c4fb660118cdff05a8 Test: "adb devices" works against a non-AOSP device with $ADB_VENDOR_KEYS set, says "unauthorized" without. Bug: http://b/29273531
2016-06-30 02:42:01 +02:00
#include "sysdeps.h"
File header cleanup. * sysdeps.h should always be included first. * TRACE_TAG needs to be defined before anything is included. * Some files were missing copyright headers. * Save precious bytes on my SSD by removing useless whitespace. Change-Id: I88980e6e00b5be1093806cf286740d9e4a033b94
2015-03-19 23:21:08 +01:00
Move transport declarations into transport.h. There are a few cloexec issues in here as an added bonus. Change-Id: I1699d719d733f47878bdba0454230cf5ab6a60b6
2015-02-25 00:51:19 +01:00
#include <resolv.h>
adb: Add public key authentification Secure adb using a public key authentication, to allow USB debugging only from authorized hosts. When a device is connected to an unauthorized host, the adb daemon sends the user public key to the device. A popup is shown to ask the user to allow debugging once or permanantly from the host. The public key is installed on the device in the later case. Other keys may be installed at build time. On the host, the user public/private key pair is automatically generated, if it does not exist, when the adb daemon starts and is stored in $HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed, the ADB_KEYS_PATH env variable may be set to a :-separated (; under Windows) list of private keys, e.g. company-wide or vendor keys. On the device, vendors public keys are installed at build time in /adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys. ADB Protocol change: If the device needs to authenticate the host, it replies to CNXN packets with an AUTH packet. The AUTH packet payload is a random token. The host signs the token with one of its private keys and sends an AUTH(0) packet. If the signature verification succeeds, the device replies with a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so that the host can retry with another private key. Once the host has tried all its keys, it can send an AUTH(1) packet with a public key as payload. adbd then sends the public key to the framework (if it has been started) for confirmation. Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
2012-04-12 21:23:49 +02:00
#include <stdio.h>
#include <string.h>
Notify the framework when an adb key is authorized Bug: 124076524 Test: atest AdbDebuggingManagerTest Change-Id: If73b81ca73ba4d64763cf49c1bbe42de81fa1cb6
2019-04-26 03:33:35 +02:00
#include <algorithm>
adb: fix use after free of atransport. libadbd_auth might report authentication success for a transport that's already been destroyed. Fix this by storing a weak pointer to the atransport that gets cleared upon destruction instead of a raw pointer. Bug: http://b/144704376 Test: ./test_adb.py Test: ./test_device.py Change-Id: Idffe027381e6b2e37f06aa0166e97cafc98eaf3b
2019-12-10 00:44:57 +01:00
#include <iomanip>
#include <map>
Clean up key handling in adb. This includes the locking we need to be able to re-load the keys at runtime. We should rename "adb_auth_client.cpp" to "adb_auth_adbd.cpp" or "adbd_auth.cpp" in a later change. Change-Id: I9e1d5b6b7d0497d6f6e5d9c4fb660118cdff05a8 Test: "adb devices" works against a non-AOSP device with $ADB_VENDOR_KEYS set, says "unauthorized" without. Bug: http://b/29273531
2016-06-30 02:42:01 +02:00
#include <memory>
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
#include <adbd_auth.h>
Clean up key handling in adb. This includes the locking we need to be able to re-load the keys at runtime. We should rename "adb_auth_client.cpp" to "adb_auth_adbd.cpp" or "adbd_auth.cpp" in a later change. Change-Id: I9e1d5b6b7d0497d6f6e5d9c4fb660118cdff05a8 Test: "adb devices" works against a non-AOSP device with $ADB_VENDOR_KEYS set, says "unauthorized" without. Bug: http://b/29273531
2016-06-30 02:42:01 +02:00
#include <android-base/file.h>
adb: fix use after free of atransport. libadbd_auth might report authentication success for a transport that's already been destroyed. Fix this by storing a weak pointer to the atransport that gets cleared upon destruction instead of a raw pointer. Bug: http://b/144704376 Test: ./test_adb.py Test: ./test_device.py Change-Id: Idffe027381e6b2e37f06aa0166e97cafc98eaf3b
2019-12-10 00:44:57 +01:00
#include <android-base/no_destructor.h>
Clean up key handling in adb. This includes the locking we need to be able to re-load the keys at runtime. We should rename "adb_auth_client.cpp" to "adb_auth_adbd.cpp" or "adbd_auth.cpp" in a later change. Change-Id: I9e1d5b6b7d0497d6f6e5d9c4fb660118cdff05a8 Test: "adb devices" works against a non-AOSP device with $ADB_VENDOR_KEYS set, says "unauthorized" without. Bug: http://b/29273531
2016-06-30 02:42:01 +02:00
#include <android-base/strings.h>
#include <crypto_utils/android_pubkey.h>
Switch fs_mgr and adb to libcrypto_utils. Update code and dependencies to use BoringSSL + libcrypto_utils instead of mincrypt. Change-Id: Ic75164bd50c84b81b6310e27a67d4b3c174984f9
2016-03-31 16:32:09 +02:00
#include <openssl/obj_mac.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>
adb: fix use after free of atransport. libadbd_auth might report authentication success for a transport that's already been destroyed. Fix this by storing a weak pointer to the atransport that gets cleared upon destruction instead of a raw pointer. Bug: http://b/144704376 Test: ./test_adb.py Test: ./test_device.py Change-Id: Idffe027381e6b2e37f06aa0166e97cafc98eaf3b
2019-12-10 00:44:57 +01:00
#include "adb.h"
#include "adb_auth.h"
#include "adb_io.h"
#include "fdevent/fdevent.h"
#include "transport.h"
#include "types.h"
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
static AdbdAuthContext* auth_ctx;
adb: Add public key authentification Secure adb using a public key authentication, to allow USB debugging only from authorized hosts. When a device is connected to an unauthorized host, the adb daemon sends the user public key to the device. A popup is shown to ask the user to allow debugging once or permanantly from the host. The public key is installed on the device in the later case. Other keys may be installed at build time. On the host, the user public/private key pair is automatically generated, if it does not exist, when the adb daemon starts and is stored in $HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed, the ADB_KEYS_PATH env variable may be set to a :-separated (; under Windows) list of private keys, e.g. company-wide or vendor keys. On the device, vendors public keys are installed at build time in /adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys. ADB Protocol change: If the device needs to authenticate the host, it replies to CNXN packets with an AUTH packet. The AUTH packet payload is a random token. The host signs the token with one of its private keys and sends an AUTH(0) packet. If the signature verification succeeds, the device replies with a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so that the host can retry with another private key. Once the host has tried all its keys, it can send an AUTH(1) packet with a public key as payload. adbd then sends the public key to the framework (if it has been started) for confirmation. Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
2012-04-12 21:23:49 +02:00
Notify framework on adb disconnect Bug: 111656592 Test: atest AdbDebuggingManagerTest Change-Id: I84f0b076799b0628663fde1a14609bc71c5a9ed3
2018-12-29 05:35:37 +01:00
static void adb_disconnected(void* unused, atransport* t);
static struct adisconnect adb_disconnect = {adb_disconnected, nullptr};
adb: Add public key authentification Secure adb using a public key authentication, to allow USB debugging only from authorized hosts. When a device is connected to an unauthorized host, the adb daemon sends the user public key to the device. A popup is shown to ask the user to allow debugging once or permanantly from the host. The public key is installed on the device in the later case. Other keys may be installed at build time. On the host, the user public/private key pair is automatically generated, if it does not exist, when the adb daemon starts and is stored in $HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed, the ADB_KEYS_PATH env variable may be set to a :-separated (; under Windows) list of private keys, e.g. company-wide or vendor keys. On the device, vendors public keys are installed at build time in /adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys. ADB Protocol change: If the device needs to authenticate the host, it replies to CNXN packets with an AUTH packet. The AUTH packet payload is a random token. The host signs the token with one of its private keys and sends an AUTH(0) packet. If the signature verification succeeds, the device replies with a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so that the host can retry with another private key. Once the host has tried all its keys, it can send an AUTH(1) packet with a public key as payload. adbd then sends the public key to the framework (if it has been started) for confirmation. Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
2012-04-12 21:23:49 +02:00
adb: fix use after free of atransport. libadbd_auth might report authentication success for a transport that's already been destroyed. Fix this by storing a weak pointer to the atransport that gets cleared upon destruction instead of a raw pointer. Bug: http://b/144704376 Test: ./test_adb.py Test: ./test_device.py Change-Id: Idffe027381e6b2e37f06aa0166e97cafc98eaf3b
2019-12-10 00:44:57 +01:00
static android::base::NoDestructor<std::map<uint32_t, weak_ptr<atransport>>> transports;
static uint32_t transport_auth_id = 0;
adb: split up adb_auth.cpp. All of the functions in adb_auth.cpp were used in only one of adb/adbd. Split up them up into adb_auth_host.cpp and adbd_auth.cpp respectively. Bug: http://b/29273531 Test: built and flashed bullhead, adb still works Change-Id: Ib610c5157522634cc273511175152f1306cc52a7
2016-10-06 04:02:29 +02:00
bool auth_required = true;
adb: fix use after free of atransport. libadbd_auth might report authentication success for a transport that's already been destroyed. Fix this by storing a weak pointer to the atransport that gets cleared upon destruction instead of a raw pointer. Bug: http://b/144704376 Test: ./test_adb.py Test: ./test_device.py Change-Id: Idffe027381e6b2e37f06aa0166e97cafc98eaf3b
2019-12-10 00:44:57 +01:00
static void* transport_to_callback_arg(atransport* transport) {
uint32_t id = transport_auth_id++;
(*transports)[id] = transport->weak();
return reinterpret_cast<void*>(id);
}
static atransport* transport_from_callback_arg(void* id) {
uint64_t id_u64 = reinterpret_cast<uint64_t>(id);
if (id_u64 > std::numeric_limits<uint32_t>::max()) {
LOG(FATAL) << "transport_from_callback_arg called on out of range value: " << id_u64;
}
uint32_t id_u32 = static_cast<uint32_t>(id_u64);
auto it = transports->find(id_u32);
if (it == transports->end()) {
LOG(ERROR) << "transport_from_callback_arg failed to find transport for id " << id_u32;
return nullptr;
}
atransport* t = it->second.get();
if (!t) {
LOG(WARNING) << "transport_from_callback_arg found already destructed transport";
return nullptr;
}
transports->erase(it);
return t;
}
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
static void IteratePublicKeys(std::function<bool(std::string_view public_key)> f) {
adbd_auth_get_public_keys(
auth_ctx,
[](const char* public_key, size_t len, void* arg) {
return (*static_cast<decltype(f)*>(arg))(std::string_view(public_key, len));
},
&f);
}
Notify the framework when an adb key is authorized Bug: 124076524 Test: atest AdbDebuggingManagerTest Change-Id: If73b81ca73ba4d64763cf49c1bbe42de81fa1cb6
2019-04-26 03:33:35 +02:00
bool adbd_auth_verify(const char* token, size_t token_size, const std::string& sig,
std::string* auth_key) {
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
bool authorized = false;
auth_key->clear();
Clean up key handling in adb. This includes the locking we need to be able to re-load the keys at runtime. We should rename "adb_auth_client.cpp" to "adb_auth_adbd.cpp" or "adbd_auth.cpp" in a later change. Change-Id: I9e1d5b6b7d0497d6f6e5d9c4fb660118cdff05a8 Test: "adb devices" works against a non-AOSP device with $ADB_VENDOR_KEYS set, says "unauthorized" without. Bug: http://b/29273531
2016-06-30 02:42:01 +02:00
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
IteratePublicKeys([&](std::string_view public_key) {
// TODO: do we really have to support both ' ' and '\t'?
std::vector<std::string> split = android::base::Split(std::string(public_key), " \t");
uint8_t keybuf[ANDROID_PUBKEY_ENCODED_SIZE + 1];
const std::string& pubkey = split[0];
if (b64_pton(pubkey.c_str(), keybuf, sizeof(keybuf)) != ANDROID_PUBKEY_ENCODED_SIZE) {
LOG(ERROR) << "Invalid base64 key " << pubkey;
return true;
}
Clean up key handling in adb. This includes the locking we need to be able to re-load the keys at runtime. We should rename "adb_auth_client.cpp" to "adb_auth_adbd.cpp" or "adbd_auth.cpp" in a later change. Change-Id: I9e1d5b6b7d0497d6f6e5d9c4fb660118cdff05a8 Test: "adb devices" works against a non-AOSP device with $ADB_VENDOR_KEYS set, says "unauthorized" without. Bug: http://b/29273531
2016-06-30 02:42:01 +02:00
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
RSA* key = nullptr;
if (!android_pubkey_decode(keybuf, ANDROID_PUBKEY_ENCODED_SIZE, &key)) {
LOG(ERROR) << "Failed to parse key " << pubkey;
return true;
}
Clean up key handling in adb. This includes the locking we need to be able to re-load the keys at runtime. We should rename "adb_auth_client.cpp" to "adb_auth_adbd.cpp" or "adbd_auth.cpp" in a later change. Change-Id: I9e1d5b6b7d0497d6f6e5d9c4fb660118cdff05a8 Test: "adb devices" works against a non-AOSP device with $ADB_VENDOR_KEYS set, says "unauthorized" without. Bug: http://b/29273531
2016-06-30 02:42:01 +02:00
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
bool verified =
(RSA_verify(NID_sha1, reinterpret_cast<const uint8_t*>(token), token_size,
reinterpret_cast<const uint8_t*>(sig.c_str()), sig.size(), key) == 1);
RSA_free(key);
if (verified) {
*auth_key = public_key;
authorized = true;
return false;
adb: Add public key authentification Secure adb using a public key authentication, to allow USB debugging only from authorized hosts. When a device is connected to an unauthorized host, the adb daemon sends the user public key to the device. A popup is shown to ask the user to allow debugging once or permanantly from the host. The public key is installed on the device in the later case. Other keys may be installed at build time. On the host, the user public/private key pair is automatically generated, if it does not exist, when the adb daemon starts and is stored in $HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed, the ADB_KEYS_PATH env variable may be set to a :-separated (; under Windows) list of private keys, e.g. company-wide or vendor keys. On the device, vendors public keys are installed at build time in /adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys. ADB Protocol change: If the device needs to authenticate the host, it replies to CNXN packets with an AUTH packet. The AUTH packet payload is a random token. The host signs the token with one of its private keys and sends an AUTH(0) packet. If the signature verification succeeds, the device replies with a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so that the host can retry with another private key. Once the host has tried all its keys, it can send an AUTH(1) packet with a public key as payload. adbd then sends the public key to the framework (if it has been started) for confirmation. Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
2012-04-12 21:23:49 +02:00
}
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
return true;
});
Notify the framework when an adb key is authorized Bug: 124076524 Test: atest AdbDebuggingManagerTest Change-Id: If73b81ca73ba4d64763cf49c1bbe42de81fa1cb6
2019-04-26 03:33:35 +02:00
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
return authorized;
Notify the framework when an adb key is authorized Bug: 124076524 Test: atest AdbDebuggingManagerTest Change-Id: If73b81ca73ba4d64763cf49c1bbe42de81fa1cb6
2019-04-26 03:33:35 +02:00
}
adb: split up adb_auth.cpp. All of the functions in adb_auth.cpp were used in only one of adb/adbd. Split up them up into adb_auth_host.cpp and adbd_auth.cpp respectively. Bug: http://b/29273531 Test: built and flashed bullhead, adb still works Change-Id: Ib610c5157522634cc273511175152f1306cc52a7
2016-10-06 04:02:29 +02:00
static bool adbd_auth_generate_token(void* token, size_t token_size) {
Clean up key handling in adb. This includes the locking we need to be able to re-load the keys at runtime. We should rename "adb_auth_client.cpp" to "adb_auth_adbd.cpp" or "adbd_auth.cpp" in a later change. Change-Id: I9e1d5b6b7d0497d6f6e5d9c4fb660118cdff05a8 Test: "adb devices" works against a non-AOSP device with $ADB_VENDOR_KEYS set, says "unauthorized" without. Bug: http://b/29273531
2016-06-30 02:42:01 +02:00
FILE* fp = fopen("/dev/urandom", "re");
if (!fp) return false;
bool okay = (fread(token, token_size, 1, fp) == 1);
fclose(fp);
return okay;
adb: Add public key authentification Secure adb using a public key authentication, to allow USB debugging only from authorized hosts. When a device is connected to an unauthorized host, the adb daemon sends the user public key to the device. A popup is shown to ask the user to allow debugging once or permanantly from the host. The public key is installed on the device in the later case. Other keys may be installed at build time. On the host, the user public/private key pair is automatically generated, if it does not exist, when the adb daemon starts and is stored in $HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed, the ADB_KEYS_PATH env variable may be set to a :-separated (; under Windows) list of private keys, e.g. company-wide or vendor keys. On the device, vendors public keys are installed at build time in /adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys. ADB Protocol change: If the device needs to authenticate the host, it replies to CNXN packets with an AUTH packet. The AUTH packet payload is a random token. The host signs the token with one of its private keys and sends an AUTH(0) packet. If the signature verification succeeds, the device replies with a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so that the host can retry with another private key. Once the host has tried all its keys, it can send an AUTH(1) packet with a public key as payload. adbd then sends the public key to the framework (if it has been started) for confirmation. Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
2012-04-12 21:23:49 +02:00
}
Fix file descriptor leakage in adbd adb_auth_init in adb_auth_client.cpp sets FD_CLOEXEC on the control socket, which prevents the leakage. However if ro.adb.secure property is unset (as it is on the emulator), adb_auth_init is not invoked, which results in the control socket fd leaking into any process started by the deamon (specifically, any command executed through adb shell). Split the fd cleanup into a separate function that is called unconditionally. Change-Id: I73ea84977542ddfc4ac20599593ecf3745ae9108
2015-03-17 19:03:36 +01:00
void adbd_cloexec_auth_socket() {
int fd = android_get_control_socket("adbd");
if (fd == -1) {
Clean up key handling in adb. This includes the locking we need to be able to re-load the keys at runtime. We should rename "adb_auth_client.cpp" to "adb_auth_adbd.cpp" or "adbd_auth.cpp" in a later change. Change-Id: I9e1d5b6b7d0497d6f6e5d9c4fb660118cdff05a8 Test: "adb devices" works against a non-AOSP device with $ADB_VENDOR_KEYS set, says "unauthorized" without. Bug: http://b/29273531
2016-06-30 02:42:01 +02:00
PLOG(ERROR) << "Failed to get adbd socket";
adb: Add public key authentification Secure adb using a public key authentication, to allow USB debugging only from authorized hosts. When a device is connected to an unauthorized host, the adb daemon sends the user public key to the device. A popup is shown to ask the user to allow debugging once or permanantly from the host. The public key is installed on the device in the later case. Other keys may be installed at build time. On the host, the user public/private key pair is automatically generated, if it does not exist, when the adb daemon starts and is stored in $HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed, the ADB_KEYS_PATH env variable may be set to a :-separated (; under Windows) list of private keys, e.g. company-wide or vendor keys. On the device, vendors public keys are installed at build time in /adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys. ADB Protocol change: If the device needs to authenticate the host, it replies to CNXN packets with an AUTH packet. The AUTH packet payload is a random token. The host signs the token with one of its private keys and sends an AUTH(0) packet. If the signature verification succeeds, the device replies with a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so that the host can retry with another private key. Once the host has tried all its keys, it can send an AUTH(1) packet with a public key as payload. adbd then sends the public key to the framework (if it has been started) for confirmation. Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
2012-04-12 21:23:49 +02:00
return;
}
adb: set O_CLOEXEC on lots of file descriptors Too many leaking FDs. Fixes bug: https://code.google.com/p/android/issues/detail?id=65857 (and more) Change-Id: I67d8683244e54288a8105f6f65ee40abe2378d7e
2014-07-19 05:57:35 +02:00
fcntl(fd, F_SETFD, FD_CLOEXEC);
Fix file descriptor leakage in adbd adb_auth_init in adb_auth_client.cpp sets FD_CLOEXEC on the control socket, which prevents the leakage. However if ro.adb.secure property is unset (as it is on the emulator), adb_auth_init is not invoked, which results in the control socket fd leaking into any process started by the deamon (specifically, any command executed through adb shell). Split the fd cleanup into a separate function that is called unconditionally. Change-Id: I73ea84977542ddfc4ac20599593ecf3745ae9108
2015-03-17 19:03:36 +01:00
}
adb: Add public key authentification Secure adb using a public key authentication, to allow USB debugging only from authorized hosts. When a device is connected to an unauthorized host, the adb daemon sends the user public key to the device. A popup is shown to ask the user to allow debugging once or permanantly from the host. The public key is installed on the device in the later case. Other keys may be installed at build time. On the host, the user public/private key pair is automatically generated, if it does not exist, when the adb daemon starts and is stored in $HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed, the ADB_KEYS_PATH env variable may be set to a :-separated (; under Windows) list of private keys, e.g. company-wide or vendor keys. On the device, vendors public keys are installed at build time in /adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys. ADB Protocol change: If the device needs to authenticate the host, it replies to CNXN packets with an AUTH packet. The AUTH packet payload is a random token. The host signs the token with one of its private keys and sends an AUTH(0) packet. If the signature verification succeeds, the device replies with a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so that the host can retry with another private key. Once the host has tried all its keys, it can send an AUTH(1) packet with a public key as payload. adbd then sends the public key to the framework (if it has been started) for confirmation. Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
2012-04-12 21:23:49 +02:00
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
static void adbd_auth_key_authorized(void* arg, uint64_t id) {
LOG(INFO) << "adb client authorized";
adb: fix use after free of atransport. libadbd_auth might report authentication success for a transport that's already been destroyed. Fix this by storing a weak pointer to the atransport that gets cleared upon destruction instead of a raw pointer. Bug: http://b/144704376 Test: ./test_adb.py Test: ./test_device.py Change-Id: Idffe027381e6b2e37f06aa0166e97cafc98eaf3b
2019-12-10 00:44:57 +01:00
fdevent_run_on_main_thread([=]() {
LOG(INFO) << "arg = " << reinterpret_cast<uintptr_t>(arg);
auto* transport = transport_from_callback_arg(arg);
if (!transport) {
LOG(ERROR) << "authorization received for deleted transport, ignoring";
return;
}
transport->auth_id = id;
adbd_auth_verified(transport);
});
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
}
adb: Add public key authentification Secure adb using a public key authentication, to allow USB debugging only from authorized hosts. When a device is connected to an unauthorized host, the adb daemon sends the user public key to the device. A popup is shown to ask the user to allow debugging once or permanantly from the host. The public key is installed on the device in the later case. Other keys may be installed at build time. On the host, the user public/private key pair is automatically generated, if it does not exist, when the adb daemon starts and is stored in $HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed, the ADB_KEYS_PATH env variable may be set to a :-separated (; under Windows) list of private keys, e.g. company-wide or vendor keys. On the device, vendors public keys are installed at build time in /adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys. ADB Protocol change: If the device needs to authenticate the host, it replies to CNXN packets with an AUTH packet. The AUTH packet payload is a random token. The host signs the token with one of its private keys and sends an AUTH(0) packet. If the signature verification succeeds, the device replies with a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so that the host can retry with another private key. Once the host has tried all its keys, it can send an AUTH(1) packet with a public key as payload. adbd then sends the public key to the framework (if it has been started) for confirmation. Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
2012-04-12 21:23:49 +02:00
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
void adbd_auth_init(void) {
AdbdAuthCallbacks cb;
cb.version = 1;
cb.callbacks.v1.key_authorized = adbd_auth_key_authorized;
auth_ctx = adbd_auth_new(&cb);
std::thread([]() {
adb_thread_setname("adbd auth");
adbd_auth_run(auth_ctx);
LOG(FATAL) << "auth thread terminated";
}).detach();
adb: Add public key authentification Secure adb using a public key authentication, to allow USB debugging only from authorized hosts. When a device is connected to an unauthorized host, the adb daemon sends the user public key to the device. A popup is shown to ask the user to allow debugging once or permanantly from the host. The public key is installed on the device in the later case. Other keys may be installed at build time. On the host, the user public/private key pair is automatically generated, if it does not exist, when the adb daemon starts and is stored in $HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed, the ADB_KEYS_PATH env variable may be set to a :-separated (; under Windows) list of private keys, e.g. company-wide or vendor keys. On the device, vendors public keys are installed at build time in /adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys. ADB Protocol change: If the device needs to authenticate the host, it replies to CNXN packets with an AUTH packet. The AUTH packet payload is a random token. The host signs the token with one of its private keys and sends an AUTH(0) packet. If the signature verification succeeds, the device replies with a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so that the host can retry with another private key. Once the host has tried all its keys, it can send an AUTH(1) packet with a public key as payload. adbd then sends the public key to the framework (if it has been started) for confirmation. Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
2012-04-12 21:23:49 +02:00
}
adb: split up adb_auth.cpp. All of the functions in adb_auth.cpp were used in only one of adb/adbd. Split up them up into adb_auth_host.cpp and adbd_auth.cpp respectively. Bug: http://b/29273531 Test: built and flashed bullhead, adb still works Change-Id: Ib610c5157522634cc273511175152f1306cc52a7
2016-10-06 04:02:29 +02:00
void send_auth_request(atransport* t) {
LOG(INFO) << "Calling send_auth_request...";
if (!adbd_auth_generate_token(t->token, sizeof(t->token))) {
PLOG(ERROR) << "Error generating token";
return;
}
apacket* p = get_apacket();
p->msg.command = A_AUTH;
p->msg.arg0 = ADB_AUTH_TOKEN;
p->msg.data_length = sizeof(t->token);
adb: switch apacket over to a std::string payload. Test: python test_device.py with walleye/x86_64 emulator Change-Id: I0a18941af1cb2279e5019a24ace25741def1202f
2018-02-06 03:49:10 +01:00
p->payload.assign(t->token, t->token + sizeof(t->token));
adb: split up adb_auth.cpp. All of the functions in adb_auth.cpp were used in only one of adb/adbd. Split up them up into adb_auth_host.cpp and adbd_auth.cpp respectively. Bug: http://b/29273531 Test: built and flashed bullhead, adb still works Change-Id: Ib610c5157522634cc273511175152f1306cc52a7
2016-10-06 04:02:29 +02:00
send_packet(p, t);
}
adbd: add logging to troubleshoot usb issues. Bug: http://b/63899881 Bug: http://b/63901259 Bug: http://b/63904904 Test: treehugger Change-Id: Ifbc3caa6b416093bf8e127194003747c910352dc
2017-07-26 20:06:55 +02:00
void adbd_auth_verified(atransport* t) {
LOG(INFO) << "adb client authorized";
adb: split up adb_auth.cpp. All of the functions in adb_auth.cpp were used in only one of adb/adbd. Split up them up into adb_auth_host.cpp and adbd_auth.cpp respectively. Bug: http://b/29273531 Test: built and flashed bullhead, adb still works Change-Id: Ib610c5157522634cc273511175152f1306cc52a7
2016-10-06 04:02:29 +02:00
handle_online(t);
send_connect(t);
}
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
static void adb_disconnected(void* unused, atransport* t) {
LOG(INFO) << "ADB disconnect";
adbd_auth_notify_disconnect(auth_ctx, t->auth_id);
}
void adbd_auth_confirm_key(atransport* t) {
LOG(INFO) << "prompting user to authorize key";
t->AddDisconnect(&adb_disconnect);
adb: fix use after free of atransport. libadbd_auth might report authentication success for a transport that's already been destroyed. Fix this by storing a weak pointer to the atransport that gets cleared upon destruction instead of a raw pointer. Bug: http://b/144704376 Test: ./test_adb.py Test: ./test_device.py Change-Id: Idffe027381e6b2e37f06aa0166e97cafc98eaf3b
2019-12-10 00:44:57 +01:00
adbd_auth_prompt_user(auth_ctx, t->auth_key.data(), t->auth_key.size(),
transport_to_callback_arg(t));
adbd: use libadbd_auth for authentication. Bug: http://b/137798163 Test: for i in `seq 1 100000`; do echo $i; adb wait-for-device shell "su 0 stop; su 0 start; sleep 10"; adb disconnect; done Change-Id: Ie481e79a48c4aabf18ef797317ba18f207808c63
2019-10-22 21:30:39 +02:00
}
void adbd_notify_framework_connected_key(atransport* t) {
adbd_auth_notify_auth(auth_ctx, t->auth_key.data(), t->auth_key.size());
}
Reference in a new issue Copy permalink