OpenWrt/xiaomi-ax3600
1
0
Fork 0
mirror of https://github.com/immortalwrt/immortalwrt.git synced 2025-08-11 06:11:53 +08:00
Code Issues Packages Projects Releases Wiki Activity

adb: Switch to mbedtls

Browse Source 
Currently adb uses libopenssl for certain authentication tasks between
the host and the target device such as certificate generation, hashing,
base64 encoding and pki signatures.

Add a patch to use functionalities available in mbedtls instead.

Also switch package makefile and dependency to libmbedtls and drop
patches and references to lib{crypto,openssl} as they are no longer
required.

This conserves considerable amount of space on the device as openwrt
ships with libmbedtls by default.

Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/18819
Signed-off-by: Robert Marko <robimarko@gmail.com>
This commit is contained in:
Antti Seppälä
2025-05-16 20:18:54 +03:00
committed by Robert Marko
parent cd808d9997
commit c70f842da3
4 changed files with 345 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
package/utils/adb/Makefile
View File

@ -4,7 +4,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=adb
PKG_SOURCE_VERSION:=6fe92d1a3fb17545d82d020a3c995f32e6b71f9d
PKG_VERSION:=5.0.2~$(call version_abbrev,$(PKG_SOURCE_VERSION))
PKG_RELEASE:=3
PKG_RELEASE:=4
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://android.googlesource.com/platform/system/core
@ -25,7 +25,7 @@ define Package/adb
CATEGORY:=Utilities
TITLE:=Android Debug Bridge CLI tool
URL:=http://tools.android.com/
DEPENDS:=+zlib +libopenssl +libpthread
DEPENDS:=+zlib +libmbedtls +libpthread
endef
define Package/adb/description

2
package/utils/adb/patches/001-create_Makefile.patch
View File

@ -35,7 +35,7 @@
+CPPFLAGS+= -I../include
+CPPFLAGS+= -D_FILE_OFFSET_BITS=64
+
+LIBS+= -lcrypto -lpthread -lz
+LIBS+= -lmbedcrypto -lpthread -lz
+
+OBJS= $(SRCS:.c=.o)
+

342
package/utils/adb/patches/010-mbedtls.patch Normal file
View File

@ -0,0 +1,342 @@
--- a/adb/adb_auth_host.c
+++ b/adb/adb_auth_host.c
@@ -39,15 +39,13 @@
#include <cutils/list.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/pem.h>
-#include <openssl/rsa.h>
-#include <openssl/sha.h>
-
-#if defined(OPENSSL_IS_BORINGSSL)
-#include <openssl/base64.h>
-#endif
+#include <mbedtls/rsa.h>
+#include <mbedtls/sha1.h>
+#include <mbedtls/base64.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/pk.h>
+#include <mbedtls/pem.h>
#define TRACE_TAG TRACE_AUTH
@@ -57,56 +55,92 @@
struct adb_private_key {
struct listnode node;
- RSA *rsa;
+ mbedtls_pk_context pk;
};
static struct listnode key_list;
+static mbedtls_ctr_drbg_context ctr_drbg;
/* Convert OpenSSL RSA private key to android pre-computed RSAPublicKey format */
-static int RSA_to_RSAPublicKey(RSA *rsa, RSAPublicKey *pkey)
+static int RSA_to_RSAPublicKey(mbedtls_pk_context *pk, RSAPublicKey *pkey)
{
int ret = 1;
unsigned int i;
+ mbedtls_mpi r32, rr, r, rem, n, n0inv, e, tmp;
+ mbedtls_rsa_context *rsa;
+ unsigned char buf[sizeof(uint32_t)];
+
+ if (mbedtls_pk_get_type(pk) != MBEDTLS_PK_RSA) {
+ return 0;
+ }
- BN_CTX* ctx = BN_CTX_new();
- BIGNUM* r32 = BN_new();
- BIGNUM* rr = BN_new();
- BIGNUM* r = BN_new();
- BIGNUM* rem = BN_new();
- BIGNUM* n = BN_new();
- BIGNUM* n0inv = BN_new();
+ rsa = mbedtls_pk_rsa(*pk);
+ if (!rsa) {
+ return 0;
+ }
- if (RSA_size(rsa) != RSANUMBYTES) {
+ mbedtls_mpi_init(&r32);
+ mbedtls_mpi_init(&rr);
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&rem);
+ mbedtls_mpi_init(&n);
+ mbedtls_mpi_init(&n0inv);
+ mbedtls_mpi_init(&e);
+ mbedtls_mpi_init(&tmp);
+
+ if (mbedtls_rsa_get_len(rsa) != RSANUMBYTES) {
ret = 0;
goto out;
}
- BN_set_bit(r32, 32);
- BN_copy(n, rsa->n);
- BN_set_bit(r, RSANUMWORDS * 32);
- BN_mod_sqr(rr, r, n, ctx);
- BN_div(NULL, rem, n, r32, ctx);
- BN_mod_inverse(n0inv, rem, r32, ctx);
+ mbedtls_rsa_export(rsa, &n, NULL, NULL, NULL, &e);
+
+ mbedtls_mpi_lset(&r32, 1);
+ mbedtls_mpi_shift_l(&r32, 32);
+ mbedtls_mpi_lset(&r, 1);
+ mbedtls_mpi_shift_l(&r, RSANUMWORDS * 32);
+ mbedtls_mpi_mul_mpi(&rr, &r, &r);
+ mbedtls_mpi_mod_mpi(&rr, &rr, &n);
+ mbedtls_mpi_div_mpi(NULL, &rem, &n, &r32);
+ mbedtls_mpi_inv_mod(&n0inv, &rem, &r32);
pkey->len = RSANUMWORDS;
- pkey->n0inv = 0 - BN_get_word(n0inv);
+
+ mbedtls_mpi_write_binary(&n0inv, buf, sizeof(buf));
+ uint32_t n0inv_val = ((buf[0] << 24) | (buf[1] << 16) |
+ (buf[2] << 8) | buf[3]);
+ pkey->n0inv = 0 - n0inv_val;
+
for (i = 0; i < RSANUMWORDS; i++) {
- BN_div(rr, rem, rr, r32, ctx);
- pkey->rr[i] = BN_get_word(rem);
- BN_div(n, rem, n, r32, ctx);
- pkey->n[i] = BN_get_word(rem);
+ mbedtls_mpi_div_mpi(&tmp, &rem, &rr, &r32);
+ mbedtls_mpi_copy(&rr, &tmp);
+
+ mbedtls_mpi_write_binary(&rem, buf, sizeof(buf));
+ pkey->rr[i] = ((buf[0] << 24) | (buf[1] << 16) |
+ (buf[2] << 8) | buf[3]);
+
+ mbedtls_mpi_div_mpi(&tmp, &rem, &n, &r32);
+ mbedtls_mpi_copy(&n, &tmp);
+
+ mbedtls_mpi_write_binary(&rem, buf, sizeof(buf));
+ pkey->n[i] = ((buf[0] << 24) | (buf[1] << 16) |
+ (buf[2] << 8) | buf[3]);
}
- pkey->exponent = BN_get_word(rsa->e);
+
+ mbedtls_mpi_write_binary(&e, buf, sizeof(buf));
+ pkey->exponent = ((buf[0] << 24) | (buf[1] << 16) |
+ (buf[2] << 8) | buf[3]);
out:
- BN_free(n0inv);
- BN_free(n);
- BN_free(rem);
- BN_free(r);
- BN_free(rr);
- BN_free(r32);
- BN_CTX_free(ctx);
+ mbedtls_mpi_free(&tmp);
+ mbedtls_mpi_free(&e);
+ mbedtls_mpi_free(&n0inv);
+ mbedtls_mpi_free(&n);
+ mbedtls_mpi_free(&rem);
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&rr);
+ mbedtls_mpi_free(&r32);
return ret;
}
@@ -133,7 +167,7 @@ static void get_user_info(char *buf, siz
buf[len - 1] = '\0';
}
-static int write_public_keyfile(RSA *private_key, const char *private_key_path)
+static int write_public_keyfile(mbedtls_pk_context *private_key, const char *private_key_path)
{
RSAPublicKey pkey;
FILE *outfile = NULL;
@@ -161,16 +195,7 @@ static int write_public_keyfile(RSA *pri
D("Writing public key to '%s'\n", path);
-#if defined(OPENSSL_IS_BORINGSSL)
- if (!EVP_EncodedLength(&encoded_length, sizeof(pkey))) {
- D("Public key too large to base64 encode");
- goto out;
- }
-#else
- /* While we switch from OpenSSL to BoringSSL we have to implement
- * |EVP_EncodedLength| here. */
encoded_length = 1 + ((sizeof(pkey) + 2) / 3 * 4);
-#endif
encoded = malloc(encoded_length);
if (encoded == NULL) {
@@ -178,7 +203,12 @@ static int write_public_keyfile(RSA *pri
goto out;
}
- encoded_length = EVP_EncodeBlock(encoded, (uint8_t*) &pkey, sizeof(pkey));
+ if (mbedtls_base64_encode(encoded, encoded_length, &encoded_length,
+ (unsigned char*)&pkey, sizeof(pkey)) != 0) {
+ D("Base64 encoding failed");
+ goto out;
+ }
+
get_user_info(info, sizeof(info));
if (fwrite(encoded, encoded_length, 1, outfile) != 1 ||
@@ -201,23 +231,25 @@ static int write_public_keyfile(RSA *pri
static int generate_key(const char *file)
{
- EVP_PKEY* pkey = EVP_PKEY_new();
- BIGNUM* exponent = BN_new();
- RSA* rsa = RSA_new();
+ mbedtls_pk_context pk;
mode_t old_mask;
FILE *f = NULL;
int ret = 0;
D("generate_key '%s'\n", file);
- if (!pkey || !exponent || !rsa) {
- D("Failed to allocate key\n");
+ mbedtls_pk_init(&pk);
+
+ if (mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) != 0) {
+ D("Failed to setup key context\n");
goto out;
}
- BN_set_word(exponent, RSA_F4);
- RSA_generate_key_ex(rsa, 2048, exponent, NULL);
- EVP_PKEY_set1_RSA(pkey, rsa);
+ if (mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk), mbedtls_ctr_drbg_random, &ctr_drbg,
+ 2048, 65537) != 0) {
+ D("Failed to generate key\n");
+ goto out;
+ }
old_mask = umask(077);
@@ -230,12 +262,20 @@ static int generate_key(const char *file
umask(old_mask);
- if (!PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL)) {
- D("Failed to write key\n");
+ unsigned char buf[16000];
+ size_t len;
+
+ if (mbedtls_pk_write_key_pem(&pk, buf, sizeof(buf)) != 0) {
+ D("Failed to write key to buffer\n");
goto out;
}
- if (!write_public_keyfile(rsa, file)) {
+ if (fwrite(buf, strlen((char*)buf), 1, f) != 1) {
+ D("Failed to write buffer to file\n");
+ goto out;
+ }
+
+ if (!write_public_keyfile(&pk, file)) {
D("Failed to write public key\n");
goto out;
}
@@ -243,44 +283,32 @@ static int generate_key(const char *file
ret = 1;
out:
- if (f)
+ if (f) {
fclose(f);
- EVP_PKEY_free(pkey);
- RSA_free(rsa);
- BN_free(exponent);
+ }
+ mbedtls_pk_free(&pk);
return ret;
}
static int read_key(const char *file, struct listnode *list)
{
struct adb_private_key *key;
- FILE *f;
-
- D("read_key '%s'\n", file);
-
- f = fopen(file, "r");
- if (!f) {
- D("Failed to open '%s'\n", file);
- return 0;
- }
key = malloc(sizeof(*key));
if (!key) {
D("Failed to alloc key\n");
- fclose(f);
return 0;
}
- key->rsa = RSA_new();
- if (!PEM_read_RSAPrivateKey(f, &key->rsa, NULL, NULL)) {
+ mbedtls_pk_init(&key->pk);
+
+ if (mbedtls_pk_parse_keyfile(&key->pk, file, NULL, mbedtls_ctr_drbg_random, &ctr_drbg) != 0) {
D("Failed to read key\n");
- fclose(f);
- RSA_free(key->rsa);
+ mbedtls_pk_free(&key->pk);
free(key);
return 0;
}
- fclose(f);
list_add_tail(list, &key->node);
return 1;
}
@@ -373,15 +401,20 @@ static void get_vendor_keys(struct listn
int adb_auth_sign(void *node, void *token, size_t token_size, void *sig)
{
- unsigned int len;
struct adb_private_key *key = node_to_item(node, struct adb_private_key, node);
+ unsigned char hash[20];
+ size_t sig_len;
+
+ mbedtls_sha1((unsigned char*)token, token_size, hash);
- if (!RSA_sign(NID_sha1, token, token_size, sig, &len, key->rsa)) {
+ if (mbedtls_pk_sign(&key->pk, MBEDTLS_MD_SHA1, hash, sizeof(hash),
+ sig, mbedtls_pk_get_len(&key->pk), &sig_len,
+ mbedtls_ctr_drbg_random, &ctr_drbg) != 0) {
return 0;
}
- D("adb_auth_sign len=%d\n", len);
- return (int)len;
+ D("adb_auth_sign len=%d\n", (int)sig_len);
+ return (int)sig_len;
}
void *adb_auth_nextkey(void *current)
@@ -439,10 +472,19 @@ int adb_auth_get_userkey(unsigned char *
void adb_auth_init(void)
{
int ret;
+ mbedtls_entropy_context entropy;
D("adb_auth_init\n");
list_init(&key_list);
+ mbedtls_entropy_init(&entropy);
+ mbedtls_ctr_drbg_init(&ctr_drbg);
+
+ if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
+ (const unsigned char *)"adb_auth", 8) != 0) {
+ D("Failed to seed RNG\n");
+ return;
+ }
ret = get_user_key(&key_list);
if (!ret) {

28
package/utils/adb/patches/010-openssl-1.1.patch
View File

@ -1,28 +0,0 @@
--- a/adb/adb_auth_host.c
+++ b/adb/adb_auth_host.c
@@ -83,7 +83,13 @@ static int RSA_to_RSAPublicKey(RSA *rsa,
}
BN_set_bit(r32, 32);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const BIGNUM *rsa_n, *rsa_e;
+ RSA_get0_key(rsa, &rsa_n, &rsa_e, NULL);
+ BN_copy(n, rsa_n);
+#else
BN_copy(n, rsa->n);
+#endif
BN_set_bit(r, RSANUMWORDS * 32);
BN_mod_sqr(rr, r, n, ctx);
BN_div(NULL, rem, n, r32, ctx);
@@ -97,7 +103,11 @@ static int RSA_to_RSAPublicKey(RSA *rsa,
BN_div(n, rem, n, r32, ctx);
pkey->n[i] = BN_get_word(rem);
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ pkey->exponent = BN_get_word(rsa_e);
+#else
pkey->exponent = BN_get_word(rsa->e);
+#endif
out:
BN_free(n0inv);