From: Antti Seppälä Date: Fri, 16 May 2025 17:18:54 +0000 (+0300) Subject: adb: Switch to mbedtls X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c70f842da3303237d0adb25e69bf43830ef1d2c8;p=thirdparty%2Fopenwrt.git adb: Switch to mbedtls Currently adb uses libopenssl for certain authentication tasks between the host and the target device such as certificate generation, hashing, base64 encoding and pki signatures. Add a patch to use functionalities available in mbedtls instead. Also switch package makefile and dependency to libmbedtls and drop patches and references to lib{crypto,openssl} as they are no longer required. This conserves considerable amount of space on the device as openwrt ships with libmbedtls by default. Signed-off-by: Antti Seppälä Link: https://github.com/openwrt/openwrt/pull/18819 Signed-off-by: Robert Marko --- diff --git a/package/utils/adb/Makefile b/package/utils/adb/Makefile index f0f137c781e..ced887e9689 100644 --- a/package/utils/adb/Makefile +++ b/package/utils/adb/Makefile @@ -4,7 +4,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=adb PKG_SOURCE_VERSION:=6fe92d1a3fb17545d82d020a3c995f32e6b71f9d PKG_VERSION:=5.0.2~$(call version_abbrev,$(PKG_SOURCE_VERSION)) -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://android.googlesource.com/platform/system/core @@ -25,7 +25,7 @@ define Package/adb CATEGORY:=Utilities TITLE:=Android Debug Bridge CLI tool URL:=http://tools.android.com/ - DEPENDS:=+zlib +libopenssl +libpthread + DEPENDS:=+zlib +libmbedtls +libpthread endef define Package/adb/description diff --git a/package/utils/adb/patches/001-create_Makefile.patch b/package/utils/adb/patches/001-create_Makefile.patch index d7fa00cb4c1..80db5e7f1aa 100644 --- a/package/utils/adb/patches/001-create_Makefile.patch +++ b/package/utils/adb/patches/001-create_Makefile.patch @@ -35,7 +35,7 @@ +CPPFLAGS+= -I../include +CPPFLAGS+= -D_FILE_OFFSET_BITS=64 + -+LIBS+= -lcrypto -lpthread -lz ++LIBS+= -lmbedcrypto -lpthread -lz + +OBJS= $(SRCS:.c=.o) + diff --git a/package/utils/adb/patches/010-mbedtls.patch b/package/utils/adb/patches/010-mbedtls.patch new file mode 100644 index 00000000000..084df20c089 --- /dev/null +++ b/package/utils/adb/patches/010-mbedtls.patch @@ -0,0 +1,342 @@ +--- a/adb/adb_auth_host.c ++++ b/adb/adb_auth_host.c +@@ -39,15 +39,13 @@ + + #include + +-#include +-#include +-#include +-#include +-#include +- +-#if defined(OPENSSL_IS_BORINGSSL) +-#include +-#endif ++#include ++#include ++#include ++#include ++#include ++#include ++#include + + #define TRACE_TAG TRACE_AUTH + +@@ -57,56 +55,92 @@ + + struct adb_private_key { + struct listnode node; +- RSA *rsa; ++ mbedtls_pk_context pk; + }; + + static struct listnode key_list; ++static mbedtls_ctr_drbg_context ctr_drbg; + + + /* Convert OpenSSL RSA private key to android pre-computed RSAPublicKey format */ +-static int RSA_to_RSAPublicKey(RSA *rsa, RSAPublicKey *pkey) ++static int RSA_to_RSAPublicKey(mbedtls_pk_context *pk, RSAPublicKey *pkey) + { + int ret = 1; + unsigned int i; ++ mbedtls_mpi r32, rr, r, rem, n, n0inv, e, tmp; ++ mbedtls_rsa_context *rsa; ++ unsigned char buf[sizeof(uint32_t)]; ++ ++ if (mbedtls_pk_get_type(pk) != MBEDTLS_PK_RSA) { ++ return 0; ++ } + +- BN_CTX* ctx = BN_CTX_new(); +- BIGNUM* r32 = BN_new(); +- BIGNUM* rr = BN_new(); +- BIGNUM* r = BN_new(); +- BIGNUM* rem = BN_new(); +- BIGNUM* n = BN_new(); +- BIGNUM* n0inv = BN_new(); ++ rsa = mbedtls_pk_rsa(*pk); ++ if (!rsa) { ++ return 0; ++ } + +- if (RSA_size(rsa) != RSANUMBYTES) { ++ mbedtls_mpi_init(&r32); ++ mbedtls_mpi_init(&rr); ++ mbedtls_mpi_init(&r); ++ mbedtls_mpi_init(&rem); ++ mbedtls_mpi_init(&n); ++ mbedtls_mpi_init(&n0inv); ++ mbedtls_mpi_init(&e); ++ mbedtls_mpi_init(&tmp); ++ ++ if (mbedtls_rsa_get_len(rsa) != RSANUMBYTES) { + ret = 0; + goto out; + } + +- BN_set_bit(r32, 32); +- BN_copy(n, rsa->n); +- BN_set_bit(r, RSANUMWORDS * 32); +- BN_mod_sqr(rr, r, n, ctx); +- BN_div(NULL, rem, n, r32, ctx); +- BN_mod_inverse(n0inv, rem, r32, ctx); ++ mbedtls_rsa_export(rsa, &n, NULL, NULL, NULL, &e); ++ ++ mbedtls_mpi_lset(&r32, 1); ++ mbedtls_mpi_shift_l(&r32, 32); ++ mbedtls_mpi_lset(&r, 1); ++ mbedtls_mpi_shift_l(&r, RSANUMWORDS * 32); ++ mbedtls_mpi_mul_mpi(&rr, &r, &r); ++ mbedtls_mpi_mod_mpi(&rr, &rr, &n); ++ mbedtls_mpi_div_mpi(NULL, &rem, &n, &r32); ++ mbedtls_mpi_inv_mod(&n0inv, &rem, &r32); + + pkey->len = RSANUMWORDS; +- pkey->n0inv = 0 - BN_get_word(n0inv); ++ ++ mbedtls_mpi_write_binary(&n0inv, buf, sizeof(buf)); ++ uint32_t n0inv_val = ((buf[0] << 24) | (buf[1] << 16) | ++ (buf[2] << 8) | buf[3]); ++ pkey->n0inv = 0 - n0inv_val; ++ + for (i = 0; i < RSANUMWORDS; i++) { +- BN_div(rr, rem, rr, r32, ctx); +- pkey->rr[i] = BN_get_word(rem); +- BN_div(n, rem, n, r32, ctx); +- pkey->n[i] = BN_get_word(rem); ++ mbedtls_mpi_div_mpi(&tmp, &rem, &rr, &r32); ++ mbedtls_mpi_copy(&rr, &tmp); ++ ++ mbedtls_mpi_write_binary(&rem, buf, sizeof(buf)); ++ pkey->rr[i] = ((buf[0] << 24) | (buf[1] << 16) | ++ (buf[2] << 8) | buf[3]); ++ ++ mbedtls_mpi_div_mpi(&tmp, &rem, &n, &r32); ++ mbedtls_mpi_copy(&n, &tmp); ++ ++ mbedtls_mpi_write_binary(&rem, buf, sizeof(buf)); ++ pkey->n[i] = ((buf[0] << 24) | (buf[1] << 16) | ++ (buf[2] << 8) | buf[3]); + } +- pkey->exponent = BN_get_word(rsa->e); ++ ++ mbedtls_mpi_write_binary(&e, buf, sizeof(buf)); ++ pkey->exponent = ((buf[0] << 24) | (buf[1] << 16) | ++ (buf[2] << 8) | buf[3]); + + out: +- BN_free(n0inv); +- BN_free(n); +- BN_free(rem); +- BN_free(r); +- BN_free(rr); +- BN_free(r32); +- BN_CTX_free(ctx); ++ mbedtls_mpi_free(&tmp); ++ mbedtls_mpi_free(&e); ++ mbedtls_mpi_free(&n0inv); ++ mbedtls_mpi_free(&n); ++ mbedtls_mpi_free(&rem); ++ mbedtls_mpi_free(&r); ++ mbedtls_mpi_free(&rr); ++ mbedtls_mpi_free(&r32); + + return ret; + } +@@ -133,7 +167,7 @@ static void get_user_info(char *buf, siz + buf[len - 1] = '\0'; + } + +-static int write_public_keyfile(RSA *private_key, const char *private_key_path) ++static int write_public_keyfile(mbedtls_pk_context *private_key, const char *private_key_path) + { + RSAPublicKey pkey; + FILE *outfile = NULL; +@@ -161,16 +195,7 @@ static int write_public_keyfile(RSA *pri + + D("Writing public key to '%s'\n", path); + +-#if defined(OPENSSL_IS_BORINGSSL) +- if (!EVP_EncodedLength(&encoded_length, sizeof(pkey))) { +- D("Public key too large to base64 encode"); +- goto out; +- } +-#else +- /* While we switch from OpenSSL to BoringSSL we have to implement +- * |EVP_EncodedLength| here. */ + encoded_length = 1 + ((sizeof(pkey) + 2) / 3 * 4); +-#endif + + encoded = malloc(encoded_length); + if (encoded == NULL) { +@@ -178,7 +203,12 @@ static int write_public_keyfile(RSA *pri + goto out; + } + +- encoded_length = EVP_EncodeBlock(encoded, (uint8_t*) &pkey, sizeof(pkey)); ++ if (mbedtls_base64_encode(encoded, encoded_length, &encoded_length, ++ (unsigned char*)&pkey, sizeof(pkey)) != 0) { ++ D("Base64 encoding failed"); ++ goto out; ++ } ++ + get_user_info(info, sizeof(info)); + + if (fwrite(encoded, encoded_length, 1, outfile) != 1 || +@@ -201,23 +231,25 @@ static int write_public_keyfile(RSA *pri + + static int generate_key(const char *file) + { +- EVP_PKEY* pkey = EVP_PKEY_new(); +- BIGNUM* exponent = BN_new(); +- RSA* rsa = RSA_new(); ++ mbedtls_pk_context pk; + mode_t old_mask; + FILE *f = NULL; + int ret = 0; + + D("generate_key '%s'\n", file); + +- if (!pkey || !exponent || !rsa) { +- D("Failed to allocate key\n"); ++ mbedtls_pk_init(&pk); ++ ++ if (mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) != 0) { ++ D("Failed to setup key context\n"); + goto out; + } + +- BN_set_word(exponent, RSA_F4); +- RSA_generate_key_ex(rsa, 2048, exponent, NULL); +- EVP_PKEY_set1_RSA(pkey, rsa); ++ if (mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk), mbedtls_ctr_drbg_random, &ctr_drbg, ++ 2048, 65537) != 0) { ++ D("Failed to generate key\n"); ++ goto out; ++ } + + old_mask = umask(077); + +@@ -230,12 +262,20 @@ static int generate_key(const char *file + + umask(old_mask); + +- if (!PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL)) { +- D("Failed to write key\n"); ++ unsigned char buf[16000]; ++ size_t len; ++ ++ if (mbedtls_pk_write_key_pem(&pk, buf, sizeof(buf)) != 0) { ++ D("Failed to write key to buffer\n"); + goto out; + } + +- if (!write_public_keyfile(rsa, file)) { ++ if (fwrite(buf, strlen((char*)buf), 1, f) != 1) { ++ D("Failed to write buffer to file\n"); ++ goto out; ++ } ++ ++ if (!write_public_keyfile(&pk, file)) { + D("Failed to write public key\n"); + goto out; + } +@@ -243,44 +283,32 @@ static int generate_key(const char *file + ret = 1; + + out: +- if (f) ++ if (f) { + fclose(f); +- EVP_PKEY_free(pkey); +- RSA_free(rsa); +- BN_free(exponent); ++ } ++ mbedtls_pk_free(&pk); + return ret; + } + + static int read_key(const char *file, struct listnode *list) + { + struct adb_private_key *key; +- FILE *f; +- +- D("read_key '%s'\n", file); +- +- f = fopen(file, "r"); +- if (!f) { +- D("Failed to open '%s'\n", file); +- return 0; +- } + + key = malloc(sizeof(*key)); + if (!key) { + D("Failed to alloc key\n"); +- fclose(f); + return 0; + } +- key->rsa = RSA_new(); + +- if (!PEM_read_RSAPrivateKey(f, &key->rsa, NULL, NULL)) { ++ mbedtls_pk_init(&key->pk); ++ ++ if (mbedtls_pk_parse_keyfile(&key->pk, file, NULL, mbedtls_ctr_drbg_random, &ctr_drbg) != 0) { + D("Failed to read key\n"); +- fclose(f); +- RSA_free(key->rsa); ++ mbedtls_pk_free(&key->pk); + free(key); + return 0; + } + +- fclose(f); + list_add_tail(list, &key->node); + return 1; + } +@@ -373,15 +401,20 @@ static void get_vendor_keys(struct listn + + int adb_auth_sign(void *node, void *token, size_t token_size, void *sig) + { +- unsigned int len; + struct adb_private_key *key = node_to_item(node, struct adb_private_key, node); ++ unsigned char hash[20]; ++ size_t sig_len; ++ ++ mbedtls_sha1((unsigned char*)token, token_size, hash); + +- if (!RSA_sign(NID_sha1, token, token_size, sig, &len, key->rsa)) { ++ if (mbedtls_pk_sign(&key->pk, MBEDTLS_MD_SHA1, hash, sizeof(hash), ++ sig, mbedtls_pk_get_len(&key->pk), &sig_len, ++ mbedtls_ctr_drbg_random, &ctr_drbg) != 0) { + return 0; + } + +- D("adb_auth_sign len=%d\n", len); +- return (int)len; ++ D("adb_auth_sign len=%d\n", (int)sig_len); ++ return (int)sig_len; + } + + void *adb_auth_nextkey(void *current) +@@ -439,10 +472,19 @@ int adb_auth_get_userkey(unsigned char * + void adb_auth_init(void) + { + int ret; ++ mbedtls_entropy_context entropy; + + D("adb_auth_init\n"); + + list_init(&key_list); ++ mbedtls_entropy_init(&entropy); ++ mbedtls_ctr_drbg_init(&ctr_drbg); ++ ++ if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, ++ (const unsigned char *)"adb_auth", 8) != 0) { ++ D("Failed to seed RNG\n"); ++ return; ++ } + + ret = get_user_key(&key_list); + if (!ret) { diff --git a/package/utils/adb/patches/010-openssl-1.1.patch b/package/utils/adb/patches/010-openssl-1.1.patch deleted file mode 100644 index e4df372a340..00000000000 --- a/package/utils/adb/patches/010-openssl-1.1.patch +++ /dev/null @@ -1,28 +0,0 @@ ---- a/adb/adb_auth_host.c -+++ b/adb/adb_auth_host.c -@@ -83,7 +83,13 @@ static int RSA_to_RSAPublicKey(RSA *rsa, - } - - BN_set_bit(r32, 32); -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ const BIGNUM *rsa_n, *rsa_e; -+ RSA_get0_key(rsa, &rsa_n, &rsa_e, NULL); -+ BN_copy(n, rsa_n); -+#else - BN_copy(n, rsa->n); -+#endif - BN_set_bit(r, RSANUMWORDS * 32); - BN_mod_sqr(rr, r, n, ctx); - BN_div(NULL, rem, n, r32, ctx); -@@ -97,7 +103,11 @@ static int RSA_to_RSAPublicKey(RSA *rsa, - BN_div(n, rem, n, r32, ctx); - pkey->n[i] = BN_get_word(rem); - } -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+ pkey->exponent = BN_get_word(rsa_e); -+#else - pkey->exponent = BN_get_word(rsa->e); -+#endif - - out: - BN_free(n0inv);