Revert "Remove dlsym indirection for SecKey APIs."
This reverts commit b8e90b6.

Reason for revert:

Findit (https://goo.gl/kROfz5) identified CL at revision 494191 as the
culprit for failures in the build cycles as shown on:
https://findit-for-me.appspot.com/waterfall/culprit?key=ag9zfmZpbmRpdC1mb3ItbWVyRAsSDVdmU3VzcGVjdGVkQ0wiMWNocm9taXVtL2I4ZTkwYjYyM2Q0NWMwNTg4NTUwOTM1ZjI5ZGMyYzBlMDgwNzk4YWEM

Sample Build: https://luci-milo.appspot.com/buildbot/chromium.webkit/WebKit%20Mac%20Builder/216314

Original change's description:
> Remove dlsym indirection for SecKey APIs.
> 
> Now that we are using the 10.12 SDK, we no longer need unsafe dlsym
> hacks to use SecKey APIs.
> 
> Bug: 669240
> Change-Id: I02ffed8e789f8db87ff5688181a5aff810387070
> Reviewed-on: https://chromium-review.googlesource.com/614082
> Reviewed-by: Erik Chen <erikchen@chromium.org>
> Commit-Queue: David Benjamin <davidben@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#494191}
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 669240

Change-Id: I59fdef03a3b7ec98a644bf013c84d91551262b33
Reviewed-on: https://chromium-review.googlesource.com/614469
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Commit-Queue: David Benjamin <davidben@chromium.org>
Commit-Queue: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#494192}
Findit authored and reillyeon committed Aug 14, 2017
1 parent b8e90b6 commit c1dd5bd
Showing 1 changed file with 89 additions and 10 deletions.
99 changes: 89 additions & 10 deletions net/ssl/ssl_platform_key_mac.cc
@@ -10,9 +10,11 @@
#include <Security/SecIdentity.h>
#include <Security/SecKey.h>
#include <Security/cssm.h>
#include <dlfcn.h>

#include <memory>

#include "base/lazy_instance.h"
#include "base/location.h"
#include "base/logging.h"
#include "base/mac/availability.h"
@@ -39,6 +41,13 @@
#include "third_party/boringssl/src/include/openssl/nid.h"
#include "third_party/boringssl/src/include/openssl/rsa.h"

#if !defined(MAC_OS_X_VERSION_10_12) || \
MAC_OS_X_VERSION_MIN_ALLOWED < MAC_OS_X_VERSION_10_12
// Redeclare typedefs that only exist in 10.12+ to suppress
// -Wpartial-availability warnings.
typedef CFStringRef SecKeyAlgorithm;
#endif

namespace net {

// CSSM functions are deprecated as of OSX 10.7, but have no replacement.
@@ -69,6 +78,70 @@ class ScopedCSSM_CC_HANDLE {
DISALLOW_COPY_AND_ASSIGN(ScopedCSSM_CC_HANDLE);
};

// These symbols were added in the 10.12 SDK, but we currently use an older SDK,
// so look them up with dlsym.
//
// TODO(davidben): After https://crbug.com/669240 is fixed, use the APIs
// directly.

struct API_AVAILABLE(macosx(10.12)) SecKeyAPIs {
SecKeyAPIs() { Init(); }

void Init() {
SecKeyCreateSignature = reinterpret_cast<SecKeyCreateSignatureFunc>(
dlsym(RTLD_DEFAULT, "SecKeyCreateSignature"));
if (!SecKeyCreateSignature) {
NOTREACHED();
return;
}

#define LOOKUP_ALGORITHM(name) \
do { \
SecKeyAlgorithm* algorithm = \
reinterpret_cast<SecKeyAlgorithm*>(dlsym(RTLD_DEFAULT, #name)); \
if (!algorithm) { \
NOTREACHED(); \
return; \
} \
name = *algorithm; \
} while (0)

LOOKUP_ALGORITHM(kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw);
LOOKUP_ALGORITHM(kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1);
LOOKUP_ALGORITHM(kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256);
LOOKUP_ALGORITHM(kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384);
LOOKUP_ALGORITHM(kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512);
LOOKUP_ALGORITHM(kSecKeyAlgorithmECDSASignatureDigestX962SHA1);
LOOKUP_ALGORITHM(kSecKeyAlgorithmECDSASignatureDigestX962SHA256);
LOOKUP_ALGORITHM(kSecKeyAlgorithmECDSASignatureDigestX962SHA384);
LOOKUP_ALGORITHM(kSecKeyAlgorithmECDSASignatureDigestX962SHA512);

#undef LOOKUP_ALGORITHM

valid = true;
}

using SecKeyCreateSignatureFunc = CFDataRef (*)(SecKeyRef key,
SecKeyAlgorithm algorithm,
CFDataRef dataToSign,
CFErrorRef* error);

bool valid = false;
SecKeyCreateSignatureFunc SecKeyCreateSignature = nullptr;
SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw = nullptr;
SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 = nullptr;
SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256 = nullptr;
SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384 = nullptr;
SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512 = nullptr;
SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA1 = nullptr;
SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA256 = nullptr;
SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA384 = nullptr;
SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA512 = nullptr;
};

base::LazyInstance<SecKeyAPIs>::Leaky API_AVAILABLE(macosx(10.12))
g_sec_key_apis = LAZY_INSTANCE_INITIALIZER;

class SSLPlatformKeyCSSM : public ThreadedSSLPrivateKey::Delegate {
public:
SSLPlatformKeyCSSM(int type,
@@ -199,38 +272,44 @@ class API_AVAILABLE(macosx(10.12)) SSLPlatformKeySecKey
Error SignDigest(SSLPrivateKey::Hash hash,
const base::StringPiece& input,
std::vector<uint8_t>* signature) override {
const SecKeyAPIs& apis = g_sec_key_apis.Get();
if (!apis.valid) {
LOG(ERROR) << "SecKey APIs not found";
return ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED;
}

SecKeyAlgorithm algorithm = nullptr;
if (type_ == EVP_PKEY_RSA) {
switch (hash) {
case SSLPrivateKey::Hash::SHA512:
algorithm = kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512;
algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512;
break;
case SSLPrivateKey::Hash::SHA384:
algorithm = kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384;
algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384;
break;
case SSLPrivateKey::Hash::SHA256:
algorithm = kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256;
algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256;
break;
case SSLPrivateKey::Hash::SHA1:
algorithm = kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1;
algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1;
break;
case SSLPrivateKey::Hash::MD5_SHA1:
algorithm = kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw;
algorithm = apis.kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw;
break;
}
} else if (type_ == EVP_PKEY_EC) {
switch (hash) {
case SSLPrivateKey::Hash::SHA512:
algorithm = kSecKeyAlgorithmECDSASignatureDigestX962SHA512;
algorithm = apis.kSecKeyAlgorithmECDSASignatureDigestX962SHA512;
break;
case SSLPrivateKey::Hash::SHA384:
algorithm = kSecKeyAlgorithmECDSASignatureDigestX962SHA384;
algorithm = apis.kSecKeyAlgorithmECDSASignatureDigestX962SHA384;
break;
case SSLPrivateKey::Hash::SHA256:
algorithm = kSecKeyAlgorithmECDSASignatureDigestX962SHA256;
algorithm = apis.kSecKeyAlgorithmECDSASignatureDigestX962SHA256;
break;
case SSLPrivateKey::Hash::SHA1:
algorithm = kSecKeyAlgorithmECDSASignatureDigestX962SHA1;
algorithm = apis.kSecKeyAlgorithmECDSASignatureDigestX962SHA1;
break;
case SSLPrivateKey::Hash::MD5_SHA1:
// MD5-SHA1 is not used with ECDSA.
@@ -248,7 +327,7 @@ class API_AVAILABLE(macosx(10.12)) SSLPlatformKeySecKey
base::checked_cast<CFIndex>(input.size()), kCFAllocatorNull));

base::ScopedCFTypeRef<CFErrorRef> error;
base::ScopedCFTypeRef<CFDataRef> signature_ref(SecKeyCreateSignature(
base::ScopedCFTypeRef<CFDataRef> signature_ref(apis.SecKeyCreateSignature(
key_, algorithm, input_ref, error.InitializeInto()));
if (!signature_ref) {
LOG(ERROR) << error;
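Review bot: The guard in front of the `SecKeyAlgorithm` typedef tests `MAC_OS_X_VERSION_MIN_ALLOWED`, which does not look like one of the AvailabilityMacros.h names (those are `MAC_OS_X_VERSION_MIN_REQUIRED` and `MAC_OS_X_VERSION_MAX_ALLOWED`); an undefined identifier evaluates to 0 in `#if`, so the condition would be true on every SDK and the typedef is always redeclared. If the intent is to key on the SDK version, the second line of the condition should read `MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_12`. Separately, in `SecKeyAPIs` the `SecKeyCreateSignatureFunc` alias is hand-copied and the `reinterpret_cast` of the `dlsym` result cannot be checked by the compiler, so a mismatch with the SDK prototype would only surface at call time in the client-auth signing path; a comment on the alias such as `// Must match the SecKeyCreateSignature declaration in <Security/SecKey.h>.` would make that dependency explicit. `SignDigest`'s body continues outside the visible hunks.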