An adbkey/adbkey.pub pair that doesn't match up results in a
hard-to-diagnose scenario where "Always allow from this computer"
doesn't work. The private key contains all of the information that's
in the public key, so just extract the public key out of the private
key instead of storing them separately.
Bug: http://b/119634232
Test: rm ~/.android/adbkey.pub; adb kill-server; adb shell true
Test: rm ~/.android/adbkey*; adb kill-server; adb shell true
Change-Id: I0ae9033dbcd119c12cfb2b3977f1f1954ac800c1
Use fixed length types for structs going over the wire, constify
arguments where possible, use char* instead of unsigned char* for
apacket data, and assorted other refactoring.
Bug: http://b/29273531
Test: python test_device.py with every combination of old/new adb and adbd
Change-Id: I0b6f818a32be5386985aa4519f542003cf427f9d
All of the functions in adb_auth.cpp were used in only one of
adb/adbd. Split up them up into adb_auth_host.cpp and adbd_auth.cpp
respectively.
Bug: http://b/29273531
Test: built and flashed bullhead, adb still works
Change-Id: Ib610c5157522634cc273511175152f1306cc52a7
Allow directories to be specified in ADB_VENDOR_KEYS. On Linux, monitor
this directory for new keys to be added.
Additionally, deduplicate keys by hashing their public key.
Bug: http://b/29273531
Bug: http://b/30927527
Change-Id: I8d3312b216b7f2c11900f2235f1f1b1d1c7aa767
Test: manually tested by adding a key to a directory, and verifying
that devices became authorized after replugging.
This includes the locking we need to be able to re-load the keys at runtime.
We should rename "adb_auth_client.cpp" to "adb_auth_adbd.cpp" or
"adbd_auth.cpp" in a later change.
Change-Id: I9e1d5b6b7d0497d6f6e5d9c4fb660118cdff05a8
Test: "adb devices" works against a non-AOSP device with $ADB_VENDOR_KEYS set, says "unauthorized" without.
Bug: http://b/29273531
Require authorization by default, and remove the ability to override
that in user builds. (userdebug and eng are still free to do whatever
they want.)
Bug: http://b/21862859
Change-Id: Ibf8af375be5bf1141c1ad481eee7a59fb10a7adb
* sysdeps.h should always be included first.
* TRACE_TAG needs to be defined before anything is included.
* Some files were missing copyright headers.
* Save precious bytes on my SSD by removing useless whitespace.
Change-Id: I88980e6e00b5be1093806cf286740d9e4a033b94
adb_auth_init in adb_auth_client.cpp sets FD_CLOEXEC on the control
socket, which prevents the leakage. However if ro.adb.secure
property is unset (as it is on the emulator), adb_auth_init is not
invoked, which results in the control socket fd leaking into any
process started by the deamon (specifically, any command executed
through adb shell).
Split the fd cleanup into a separate function that is called
unconditionally.
Change-Id: I73ea84977542ddfc4ac20599593ecf3745ae9108
I keep trying to clean things up and needing std::strings. Might as
well just do this now.
usb_linux_client.c is going to stay as C because GCC isn't smart
enough to deal with the designated initializers it uses (though for
some reason it is in C mode).
The Darwin files are staying as C because I don't have a way to test
that they build.
The Windows files are staying as C because while I can actually build
for them, it's slow and painful.
Change-Id: I75367d29205a9049d34460032b3bb36384f43941
Introduce the "adb keygen" command.
Usage: adb keygen <filename>
This command creates an adb public/private key pair in a user
specified file. This can be used to create new adb keys, or rotate
existing keys.
Modify adb's key generation routines to use the HOSTNAME/LOGNAME
environment variables if available. This allows someone to override
the username/hostname embedded within the adb public key file if
desired. Fallback to the old mechanisms if those environment
variables aren't available.
Bug: 18342715
Change-Id: Ibccee6088d4609aa05ad6687d3a1d8a8689d3e8a
(cherry picked from commit af782b9f2a)
Change-Id: Ic76ffc9412171dddc879af0bbf6e20fbe1a8f057
When booting with usb attached, the secure adb authentication happens
long before the framework is done booting, so adb can't notify the
framework to install the public key.
Change-Id: Id2af6cebece345022f56cb0c4b5af24e1d7a425c
The framework can now clear the user key list, so we need to reload the
key list on every auth request instead of loading it once when adbd
starts.
This also fixes issues with encrypted devices, where the user key file
is only readable after the user has unlocked the device.
Change-Id: I350c5aab986f8ca86b95f316398d03012553e581
Secure adb using a public key authentication, to allow USB debugging
only from authorized hosts.
When a device is connected to an unauthorized host, the adb daemon sends
the user public key to the device. A popup is shown to ask the user to
allow debugging once or permanantly from the host. The public key is
installed on the device in the later case. Other keys may be installed
at build time.
On the host, the user public/private key pair is automatically generated,
if it does not exist, when the adb daemon starts and is stored in
$HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed,
the ADB_KEYS_PATH env variable may be set to a :-separated (; under
Windows) list of private keys, e.g. company-wide or vendor keys.
On the device, vendors public keys are installed at build time in
/adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys.
ADB Protocol change:
If the device needs to authenticate the host, it replies to CNXN
packets with an AUTH packet. The AUTH packet payload is a random token.
The host signs the token with one of its private keys and sends an AUTH(0)
packet. If the signature verification succeeds, the device replies with
a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so
that the host can retry with another private key. Once the host has tried
all its keys, it can send an AUTH(1) packet with a public key as
payload. adbd then sends the public key to the framework (if it has been
started) for confirmation.
Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
Secure adb using a public key authentication, to allow USB debugging
only from authorized hosts.
When a device is connected to an unauthorized host, the adb daemon sends
the user public key to the device. A popup is shown to ask the user to
allow debugging once or permanantly from the host. The public key is
installed on the device in the later case. Other keys may be installed
at build time.
On the host, the user public/private key pair is automatically generated,
if it does not exist, when the adb daemon starts and is stored in
$HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed,
the ADB_KEYS_PATH env variable may be set to a ;-separated list of private
keys, e.g. company-wide or vendor keys.
On the device, vendors public keys are installed at build time in
/adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys.
ADB Protocol change:
If the device needs to authenticate the host, it replies to CNXN
packets with an AUTH packet. The AUTH packet payload is a random token.
The host signs the token with one of its private keys and sends an AUTH(0)
packet. If the signature verification succeeds, the device replies with
a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so
that the host can retry with another private key. Once the host has tried
all its keys, it can send an AUTH(1) packet with a public key as
payload. adbd then sends the public key to the framework (if it has been
started) for confirmation.
Change-Id: Idce931a7bfe4ce878428eaa47838e5184ac6073f
