Verify token length before adb signs it

Currently, a host running adb will sign a token of any length passed
to it by a device, effectively acting as a signing oracle. If the
ADB_VENDOR_KEYS environment variable is used to specify an additional
key to use, this behavior is not only unexpected, but probably also
unwanted. Further discussion can be found in this thread:

  http://www.metzdowd.com/pipermail/cryptography/2015-January/024423.html

This change adds a check to ensure token length matches TOKEN_SIZE
before it's signed, which prevents an attacker from signing longer
messages.

Change-Id: I7b2cc1f051941bf9b66e1c02980850bede501793
diff --git a/adb_auth_host.c b/adb_auth_host.c
index a859199..1d48667 100644
--- a/adb_auth_host.c
+++ b/adb_auth_host.c
@@ -395,6 +395,11 @@
     unsigned int len;
     struct adb_private_key *key = node_to_item(node, struct adb_private_key, node);
 
+    if (token_size != TOKEN_SIZE) {
+        D("Unexpected token size %zd\n", token_size);
+        return 0;
+    }
+
     if (!RSA_sign(NID_sha1, token, token_size, sig, &len, key->rsa)) {
         return 0;
     }
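
Review bot: the D() call in the added check formats token_size with %zd, which is the conversion for a signed size type; if token_size is declared as size_t, use %zu so the rejected length is logged correctly. A short comment above the check would also help, stating that only tokens of exactly TOKEN_SIZE bytes are signed so the host cannot be made to sign arbitrary-length input, which keeps the reason visible next to the RSA_sign call. The early return 0 is indistinguishable to the caller from the RSA_sign failure path just below it; that is acceptable only if every caller treats 0 as "no signature produced" and does not retry with the same token.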