win: Add SHA256 impl for Sid::FromNamedCapability (fixes #3791)

The cef_sandbox build can't use the default BoringSSL implementation so we add an alternative implementation using the Crypto API.
2024-10-22 13:12:01 -04:00 · 2024-10-22 13:12:01 -04:00 · 323cbdc5ea
parent 6f44cfcb65
commit 323cbdc5ea
2 changed files with 50 additions and 27 deletions
--- a/patch/patch.cfg
+++ b/patch/patch.cfg
@ -518,6 +518,10 @@ patches = [
    # https://github.com/llvm/llvm-project/issues/57364
    #
    # Avoid usage of PartitionAlloc assertions (PA_BASE_CHECK) in raw_ptr.h.
+    #
+    # win: Add SHA256 implementation for Sid::FromNamedCapability using the
+    # Crypto API.
+    # https://github.com/chromiumembedded/cef/issues/3791
    'name': 'base_sandbox_2743',
  },
  {
--- a/patch/patches/base_sandbox_2743.patch
+++ b/patch/patches/base_sandbox_2743.patch
@ -207,18 +207,10 @@ index ea33ca66f384c..33f4cc76f76bd 100644
   return lhs.token_ == rhs.token_;
 #else
 diff --git base/win/sid.cc base/win/sid.cc
-index 2f250ba9bf79d..8a269af206051 100644
+index 2f250ba9bf79d..0af427e779266 100644
 --- base/win/sid.cc
 +++ base/win/sid.cc
-@@ -22,6 +22,7 @@
- #include <utility>
- 
- #include "base/check.h"
-+#include "base/notreached.h"
- #include "base/no_destructor.h"
- #include "base/rand_util.h"
- #include "base/ranges/algorithm.h"
-@@ -29,7 +30,11 @@
+@@ -29,12 +29,56 @@
 #include "base/win/scoped_handle.h"
 #include "base/win/scoped_localalloc.h"
 #include "base/win/windows_version.h"
@ -226,25 +218,52 @@ index 2f250ba9bf79d..8a269af206051 100644
 +
 +#if !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
 #include "third_party/boringssl/src/include/openssl/sha.h"
+#else
+#include <wincrypt.h>
 +#endif
 
 namespace base::win {
 
-@@ -130,6 +135,7 @@ Sid Sid::FromNamedCapability(const std::wstring& capability_name) {
-   if (known_cap != known_capabilities->end()) {
-     return FromKnownCapability(known_cap->second);
-   }
-+#if !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
-   static_assert((SHA256_DIGEST_LENGTH / sizeof(DWORD)) ==
-                 SECURITY_APP_PACKAGE_RID_COUNT);
-   DWORD rids[(SHA256_DIGEST_LENGTH / sizeof(DWORD)) + 2];
-@@ -141,6 +147,9 @@ Sid Sid::FromNamedCapability(const std::wstring& capability_name) {
-          reinterpret_cast<uint8_t*>(&rids[2]));
-   return FromSubAuthorities(SECURITY_APP_PACKAGE_AUTHORITY, std::size(rids),
-                             rids);
-+#else
-+  NOTREACHED();
-+#endif
- }
+ namespace {
 
- Sid Sid::FromKnownSid(WellKnownSid type) {
+#if BUILDFLAG(IS_CEF_SANDBOX_BUILD)
+
+#define SHA256_DIGEST_LENGTH 32
+
+bool SHA256(const uint8_t* InData, size_t InDataLen, uint8_t* OutHash) {
+  HCRYPTPROV hProv = 0;
+  HCRYPTHASH hHash = 0;
+
+  if (!CryptAcquireContext(&hProv, nullptr, nullptr, PROV_RSA_AES,
+                           CRYPT_VERIFYCONTEXT)) {
+    return false;
+  }
+
+  if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+    CryptReleaseContext(hProv, 0);
+    return false;
+  }
+
+  if (!CryptHashData(hHash, InData, static_cast<DWORD>(InDataLen), 0)) {
+    CryptDestroyHash(hHash);
+    CryptReleaseContext(hProv, 0);
+    return false;
+  }
+
+  DWORD dwHashLen = SHA256_DIGEST_LENGTH;
+  if (!CryptGetHashParam(hHash, HP_HASHVAL, OutHash, &dwHashLen, 0)) {
+    CryptDestroyHash(hHash);
+    CryptReleaseContext(hProv, 0);
+    return false;
+  }
+
+  CryptDestroyHash(hHash);
+  CryptReleaseContext(hProv, 0);
+  return true;
+}
+
+#endif  // BUILDFLAG(IS_CEF_SANDBOX_BUILD)
+
+ template <typename Iterator>
+ Sid FromSubAuthorities(const SID_IDENTIFIER_AUTHORITY& identifier_authority,
+                        size_t sub_authority_count,