From 7b9c20d3b2aad8b2f67de9478d3d44cc6deff52c Mon Sep 17 00:00:00 2001 From: Sami Tolvanen Date: Tue, 27 Jan 2015 16:48:35 +0000 Subject: Verify token length before adb signs it Currently, a host running adb will sign a token of any length passed to it by a device, effectively acting as a signing oracle. If the ADB_VENDOR_KEYS environment variable is used to specify an additional key to use, this behavior is not only unexpected, but probably also unwanted. Further discussion can be found from this thread: http://www.metzdowd.com/pipermail/cryptography/2015-January/024423.html This change adds a check to ensure token length matches TOKEN_SIZE before it's signed, which prevents an attacker from signing longer messages. Change-Id: I7b2cc1f051941bf9b66e1c02980850bede501793
---
 adb/adb_auth_host.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'adb')
diff --git a/adb/adb_auth_host.c b/adb/adb_auth_host.c
index a85919989..1d486676e 100644
--- a/adb/adb_auth_host.c
+++ b/adb/adb_auth_host.c
@@ -395,6 +395,11 @@ int adb_auth_sign(void *node, void *token, size_t token_size, void *sig)
 unsigned int len;
 struct adb_private_key *key = node_to_item(node, struct adb_private_key, node);

+ if (token_size != TOKEN_SIZE) {
+ D("Unexpected token size %zd\n", token_size);
+ return 0;
+ }
+
 if (!RSA_sign(NID_sha1, token, token_size, sig, &len, key->rsa)) {
 return 0;
 }
-- cgit v1.2.3-54-g00ecf
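Review bot: The added `token_size != TOKEN_SIZE` guard bounds only the length; the token bytes are still chosen by the device and handed to `RSA_sign(NID_sha1, ...)` as the digest, so the host key will still sign any value of that length a device supplies. Assuming TOKEN_SIZE equals the SHA-1 digest length (its definition is not visible in this hunk), that residual exposure deserves a comment at the check, e.g. `/* Length check only: token content is device-chosen, so keys loaded here (including ADB_VENDOR_KEYS) must not be reused for any other signing purpose. */`. Separately, `token_size` is a `size_t`, so the debug line should use `%zu` rather than the signed `%zd`: `D("Unexpected token size %zu\n", token_size);`. The body of adb_auth_sign begins before and continues past this hunk, so how callers treat the `0` return is not visible here.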