adb_auth_host.cpp revision 2e671202c38a9b17b0b034438a305e3067abb4ab
1/* 2 * Copyright (C) 2012 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#define TRACE_TAG AUTH 18 19#include <dirent.h> 20#include <stdio.h> 21#include <stdlib.h> 22#include <string.h> 23#if defined(__linux__) 24#include <sys/inotify.h> 25#endif 26 27#include <map> 28#include <mutex> 29#include <set> 30#include <string> 31 32#include <android-base/errors.h> 33#include <android-base/file.h> 34#include <android-base/stringprintf.h> 35#include <android-base/strings.h> 36#include <crypto_utils/android_pubkey.h> 37#include <openssl/base64.h> 38#include <openssl/evp.h> 39#include <openssl/objects.h> 40#include <openssl/pem.h> 41#include <openssl/rsa.h> 42#include <openssl/sha.h> 43 44#include "adb.h" 45#include "adb_auth.h" 46#include "adb_utils.h" 47#include "sysdeps.h" 48#include "sysdeps/mutex.h" 49 50static std::mutex& g_keys_mutex = *new std::mutex; 51static std::map<std::string, std::shared_ptr<RSA>>& g_keys = 52 *new std::map<std::string, std::shared_ptr<RSA>>; 53static std::map<int, std::string>& g_monitored_paths = *new std::map<int, std::string>; 54 55static std::string get_user_info() { 56 LOG(INFO) << "get_user_info..."; 57 58 std::string hostname; 59 if (getenv("HOSTNAME")) hostname = getenv("HOSTNAME"); 60#if !defined(_WIN32) 61 char buf[64]; 62 if (hostname.empty() && gethostname(buf, sizeof(buf)) != -1) hostname = buf; 63#endif 64 if (hostname.empty()) hostname = "unknown"; 65 66 std::string username; 67 if (getenv("LOGNAME")) username = getenv("LOGNAME"); 68#if !defined _WIN32 && !defined ADB_HOST_ON_TARGET 69 if (username.empty() && getlogin()) username = getlogin(); 70#endif 71 if (username.empty()) hostname = "unknown"; 72 73 return " " + username + "@" + hostname; 74} 75 76static bool write_public_keyfile(RSA* private_key, const std::string& private_key_path) { 77 LOG(INFO) << "write_public_keyfile..."; 78 79 uint8_t binary_key_data[ANDROID_PUBKEY_ENCODED_SIZE]; 80 if (!android_pubkey_encode(private_key, binary_key_data, sizeof(binary_key_data))) { 81 LOG(ERROR) << "Failed to convert to public key"; 82 return false; 83 } 84 85 size_t base64_key_length; 86 if (!EVP_EncodedLength(&base64_key_length, sizeof(binary_key_data))) { 87 LOG(ERROR) << "Public key too large to base64 encode"; 88 return false; 89 } 90 91 std::string content; 92 content.resize(base64_key_length); 93 base64_key_length = EVP_EncodeBlock(reinterpret_cast<uint8_t*>(&content[0]), binary_key_data, 94 sizeof(binary_key_data)); 95 96 content += get_user_info(); 97 98 std::string path(private_key_path + ".pub"); 99 if (!android::base::WriteStringToFile(content, path)) { 100 PLOG(ERROR) << "Failed to write public key to '" << path << "'"; 101 return false; 102 } 103 104 return true; 105} 106 107static int generate_key(const std::string& file) { 108 LOG(INFO) << "generate_key(" << file << ")..."; 109 110 mode_t old_mask; 111 FILE *f = NULL; 112 int ret = 0; 113 114 EVP_PKEY* pkey = EVP_PKEY_new(); 115 BIGNUM* exponent = BN_new(); 116 RSA* rsa = RSA_new(); 117 if (!pkey || !exponent || !rsa) { 118 LOG(ERROR) << "Failed to allocate key"; 119 goto out; 120 } 121 122 BN_set_word(exponent, RSA_F4); 123 RSA_generate_key_ex(rsa, 2048, exponent, NULL); 124 EVP_PKEY_set1_RSA(pkey, rsa); 125 126 old_mask = umask(077); 127 128 f = fopen(file.c_str(), "w"); 129 if (!f) { 130 PLOG(ERROR) << "Failed to open " << file; 131 umask(old_mask); 132 goto out; 133 } 134 135 umask(old_mask); 136 137 if (!PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL)) { 138 D("Failed to write key"); 139 goto out; 140 } 141 142 if (!write_public_keyfile(rsa, file)) { 143 D("Failed to write public key"); 144 goto out; 145 } 146 147 ret = 1; 148 149out: 150 if (f) fclose(f); 151 EVP_PKEY_free(pkey); 152 RSA_free(rsa); 153 BN_free(exponent); 154 return ret; 155} 156 157static std::string hash_key(RSA* key) { 158 unsigned char* pubkey = nullptr; 159 int len = i2d_RSA_PUBKEY(key, &pubkey); 160 if (len < 0) { 161 LOG(ERROR) << "failed to encode RSA public key"; 162 return std::string(); 163 } 164 165 std::string result; 166 result.resize(SHA256_DIGEST_LENGTH); 167 SHA256(pubkey, len, reinterpret_cast<unsigned char*>(&result[0])); 168 OPENSSL_free(pubkey); 169 return result; 170} 171 172static bool read_key_file(const std::string& file) { 173 LOG(INFO) << "read_key_file '" << file << "'..."; 174 175 std::unique_ptr<FILE, decltype(&fclose)> fp(fopen(file.c_str(), "r"), fclose); 176 if (!fp) { 177 PLOG(ERROR) << "Failed to open '" << file << "'"; 178 return false; 179 } 180 181 RSA* key = RSA_new(); 182 if (!PEM_read_RSAPrivateKey(fp.get(), &key, nullptr, nullptr)) { 183 LOG(ERROR) << "Failed to read key"; 184 RSA_free(key); 185 return false; 186 } 187 188 std::lock_guard<std::mutex> lock(g_keys_mutex); 189 std::string fingerprint = hash_key(key); 190 if (g_keys.find(fingerprint) != g_keys.end()) { 191 LOG(INFO) << "ignoring already-loaded key: " << file; 192 RSA_free(key); 193 } else { 194 g_keys[fingerprint] = std::shared_ptr<RSA>(key, RSA_free); 195 } 196 197 return true; 198} 199 200static bool read_keys(const std::string& path, bool allow_dir = true) { 201 LOG(INFO) << "read_keys '" << path << "'..."; 202 203 struct stat st; 204 if (stat(path.c_str(), &st) != 0) { 205 PLOG(ERROR) << "failed to stat '" << path << "'"; 206 return false; 207 } 208 209 if (S_ISREG(st.st_mode)) { 210 if (!android::base::EndsWith(path, ".adb_key")) { 211 LOG(INFO) << "skipping non-adb_key '" << path << "'"; 212 return false; 213 } 214 215 return read_key_file(path); 216 } else if (S_ISDIR(st.st_mode)) { 217 if (!allow_dir) { 218 // inotify isn't recursive. It would break expectations to load keys in nested 219 // directories but not monitor them for new keys. 220 LOG(WARNING) << "refusing to recurse into directory '" << path << "'"; 221 return false; 222 } 223 224 std::unique_ptr<DIR, decltype(&closedir)> dir(opendir(path.c_str()), closedir); 225 if (!dir) { 226 PLOG(ERROR) << "failed to open directory '" << path << "'"; 227 return false; 228 } 229 230 bool result = false; 231 while (struct dirent* dent = readdir(dir.get())) { 232 std::string name = dent->d_name; 233 234 // We can't use dent->d_type here because it's not available on Windows. 235 if (name == "." || name == "..") { 236 continue; 237 } 238 239 result |= read_keys((path + OS_PATH_SEPARATOR + name).c_str(), false); 240 } 241 return result; 242 } 243 244 LOG(ERROR) << "unexpected type for '" << path << "': 0x" << std::hex << st.st_mode; 245 return false; 246} 247 248static std::string get_user_key_path() { 249 const std::string home = adb_get_homedir_path(true); 250 LOG(DEBUG) << "adb_get_homedir_path returned '" << home << "'"; 251 252 const std::string android_dir = android::base::StringPrintf("%s%c.android", home.c_str(), 253 OS_PATH_SEPARATOR); 254 255 struct stat buf; 256 if (stat(android_dir.c_str(), &buf) == -1) { 257 if (adb_mkdir(android_dir.c_str(), 0750) == -1) { 258 PLOG(ERROR) << "Cannot mkdir '" << android_dir << "'"; 259 return ""; 260 } 261 } 262 263 return android_dir + OS_PATH_SEPARATOR + "adbkey"; 264} 265 266static bool get_user_key() { 267 std::string path = get_user_key_path(); 268 if (path.empty()) { 269 PLOG(ERROR) << "Error getting user key filename"; 270 return false; 271 } 272 273 struct stat buf; 274 if (stat(path.c_str(), &buf) == -1) { 275 LOG(INFO) << "User key '" << path << "' does not exist..."; 276 if (!generate_key(path)) { 277 LOG(ERROR) << "Failed to generate new key"; 278 return false; 279 } 280 } 281 282 return read_key_file(path); 283} 284 285static std::set<std::string> get_vendor_keys() { 286 const char* adb_keys_path = getenv("ADB_VENDOR_KEYS"); 287 if (adb_keys_path == nullptr) { 288 return std::set<std::string>(); 289 } 290 291 std::set<std::string> result; 292 for (const auto& path : android::base::Split(adb_keys_path, ENV_PATH_SEPARATOR_STR)) { 293 result.emplace(path); 294 } 295 return result; 296} 297 298std::deque<std::shared_ptr<RSA>> adb_auth_get_private_keys() { 299 std::deque<std::shared_ptr<RSA>> result; 300 301 // Copy all the currently known keys. 302 std::lock_guard<std::mutex> lock(g_keys_mutex); 303 for (const auto& it : g_keys) { 304 result.push_back(it.second); 305 } 306 307 // Add a sentinel to the list. Our caller uses this to mean "out of private keys, 308 // but try using the public key" (the empty deque could otherwise mean this _or_ 309 // that this function hasn't been called yet to request the keys). 310 result.push_back(nullptr); 311 312 return result; 313} 314 315int adb_auth_sign(RSA* key, const unsigned char* token, size_t token_size, unsigned char* sig) { 316 if (token_size != TOKEN_SIZE) { 317 D("Unexpected token size %zd", token_size); 318 return 0; 319 } 320 321 unsigned int len; 322 if (!RSA_sign(NID_sha1, token, token_size, sig, &len, key)) { 323 return 0; 324 } 325 326 D("adb_auth_sign len=%d", len); 327 return (int)len; 328} 329 330std::string adb_auth_get_userkey() { 331 std::string path = get_user_key_path(); 332 if (path.empty()) { 333 PLOG(ERROR) << "Error getting user key filename"; 334 return ""; 335 } 336 path += ".pub"; 337 338 std::string content; 339 if (!android::base::ReadFileToString(path, &content)) { 340 PLOG(ERROR) << "Can't load '" << path << "'"; 341 return ""; 342 } 343 return content; 344} 345 346int adb_auth_keygen(const char* filename) { 347 return (generate_key(filename) == 0); 348} 349 350#if defined(__linux__) 351static void adb_auth_inotify_update(int fd, unsigned fd_event, void*) { 352 LOG(INFO) << "adb_auth_inotify_update called"; 353 if (!(fd_event & FDE_READ)) { 354 return; 355 } 356 357 char buf[sizeof(struct inotify_event) + NAME_MAX + 1]; 358 while (true) { 359 ssize_t rc = TEMP_FAILURE_RETRY(unix_read(fd, buf, sizeof(buf))); 360 if (rc == -1) { 361 if (errno == EAGAIN) { 362 LOG(INFO) << "done reading inotify fd"; 363 break; 364 } 365 PLOG(FATAL) << "read of inotify event failed"; 366 } 367 368 // The read potentially returned multiple events. 369 char* start = buf; 370 char* end = buf + rc; 371 372 while (start < end) { 373 inotify_event* event = reinterpret_cast<inotify_event*>(start); 374 auto root_it = g_monitored_paths.find(event->wd); 375 if (root_it == g_monitored_paths.end()) { 376 LOG(FATAL) << "observed inotify event for unmonitored path, wd = " << event->wd; 377 } 378 379 std::string path = root_it->second; 380 if (event->len > 0) { 381 path += '/'; 382 path += event->name; 383 } 384 385 if (event->mask & (IN_CREATE | IN_MOVED_TO)) { 386 if (event->mask & IN_ISDIR) { 387 LOG(INFO) << "ignoring new directory at '" << path << "'"; 388 } else { 389 LOG(INFO) << "observed new file at '" << path << "'"; 390 read_keys(path, false); 391 } 392 } else { 393 LOG(WARNING) << "unmonitored event for " << path << ": 0x" << std::hex 394 << event->mask; 395 } 396 397 start += sizeof(struct inotify_event) + event->len; 398 } 399 } 400} 401 402static void adb_auth_inotify_init(const std::set<std::string>& paths) { 403 LOG(INFO) << "adb_auth_inotify_init..."; 404 int infd = inotify_init1(IN_CLOEXEC | IN_NONBLOCK); 405 for (const std::string& path : paths) { 406 int wd = inotify_add_watch(infd, path.c_str(), IN_CREATE | IN_MOVED_TO); 407 if (wd < 0) { 408 PLOG(ERROR) << "failed to inotify_add_watch on path '" << path; 409 continue; 410 } 411 412 g_monitored_paths[wd] = path; 413 LOG(INFO) << "watch descriptor " << wd << " registered for " << path; 414 } 415 416 fdevent* event = fdevent_create(infd, adb_auth_inotify_update, nullptr); 417 fdevent_add(event, FDE_READ); 418} 419#endif 420 421void adb_auth_init() { 422 LOG(INFO) << "adb_auth_init..."; 423 424 if (!get_user_key()) { 425 LOG(ERROR) << "Failed to get user key"; 426 return; 427 } 428 429 const auto& key_paths = get_vendor_keys(); 430 431#if defined(__linux__) 432 adb_auth_inotify_init(key_paths); 433#endif 434 435 for (const std::string& path : key_paths) { 436 read_keys(path.c_str()); 437 } 438} 439