win: Add SHA256 impl for Sid::FromNamedCapability (fixes #3791)

The cef_sandbox build can't use the default BoringSSL implementation
so we add an alternative implementation using the Crypto API.
Marshall Greenblatt 2024-10-22 13:12:01 -04:00
parent 6f44cfcb65
commit 323cbdc5ea
2 changed files with 50 additions and 27 deletions


@ -518,6 +518,10 @@ patches = [
# https://github.com/llvm/llvm-project/issues/57364 # https://github.com/llvm/llvm-project/issues/57364
# #
# Avoid usage of PartitionAlloc assertions (PA_BASE_CHECK) in raw_ptr.h. # Avoid usage of PartitionAlloc assertions (PA_BASE_CHECK) in raw_ptr.h.
#
# win: Add SHA256 implementation for Sid::FromNamedCapability using the
# Crypto API.
# https://github.com/chromiumembedded/cef/issues/3791
'name': 'base_sandbox_2743', 'name': 'base_sandbox_2743',
}, },
{ {


@ -207,18 +207,10 @@ index ea33ca66f384c..33f4cc76f76bd 100644
return lhs.token_ == rhs.token_; return lhs.token_ == rhs.token_;
#else #else
diff --git base/win/sid.cc base/win/sid.cc diff --git base/win/sid.cc base/win/sid.cc
index 2f250ba9bf79d..8a269af206051 100644 index 2f250ba9bf79d..0af427e779266 100644
--- base/win/sid.cc --- base/win/sid.cc
+++ base/win/sid.cc +++ base/win/sid.cc
@@ -22,6 +22,7 @@ @@ -29,12 +29,56 @@
#include <utility>
#include "base/check.h"
+#include "base/notreached.h"
#include "base/no_destructor.h"
#include "base/rand_util.h"
#include "base/ranges/algorithm.h"
@@ -29,7 +30,11 @@
#include "base/win/scoped_handle.h" #include "base/win/scoped_handle.h"
#include "base/win/scoped_localalloc.h" #include "base/win/scoped_localalloc.h"
#include "base/win/windows_version.h" #include "base/win/windows_version.h"
@ -226,25 +218,52 @@ index 2f250ba9bf79d..8a269af206051 100644
+ +
+#if !BUILDFLAG(IS_CEF_SANDBOX_BUILD) +#if !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
#include "third_party/boringssl/src/include/openssl/sha.h" #include "third_party/boringssl/src/include/openssl/sha.h"
+#else
+#include <wincrypt.h>
+#endif +#endif
namespace base::win { namespace base::win {
@@ -130,6 +135,7 @@ Sid Sid::FromNamedCapability(const std::wstring& capability_name) { namespace {
if (known_cap != known_capabilities->end()) {
return FromKnownCapability(known_cap->second);
}
+#if !BUILDFLAG(IS_CEF_SANDBOX_BUILD)
static_assert((SHA256_DIGEST_LENGTH / sizeof(DWORD)) ==
SECURITY_APP_PACKAGE_RID_COUNT);
DWORD rids[(SHA256_DIGEST_LENGTH / sizeof(DWORD)) + 2];
@@ -141,6 +147,9 @@ Sid Sid::FromNamedCapability(const std::wstring& capability_name) {
reinterpret_cast<uint8_t*>(&rids[2]));
return FromSubAuthorities(SECURITY_APP_PACKAGE_AUTHORITY, std::size(rids),
rids);
+#else
+ NOTREACHED();
+#endif
}
Sid Sid::FromKnownSid(WellKnownSid type) { +#if BUILDFLAG(IS_CEF_SANDBOX_BUILD)
+
+#define SHA256_DIGEST_LENGTH 32
+
+bool SHA256(const uint8_t* InData, size_t InDataLen, uint8_t* OutHash) {
+ HCRYPTPROV hProv = 0;
+ HCRYPTHASH hHash = 0;
+
+ if (!CryptAcquireContext(&hProv, nullptr, nullptr, PROV_RSA_AES,
+ CRYPT_VERIFYCONTEXT)) {
+ return false;
+ }
+
+ if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+ CryptReleaseContext(hProv, 0);
+ return false;
+ }
+
+ if (!CryptHashData(hHash, InData, static_cast<DWORD>(InDataLen), 0)) {
+ CryptDestroyHash(hHash);
+ CryptReleaseContext(hProv, 0);
+ return false;
+ }
+
+ DWORD dwHashLen = SHA256_DIGEST_LENGTH;
+ if (!CryptGetHashParam(hHash, HP_HASHVAL, OutHash, &dwHashLen, 0)) {
+ CryptDestroyHash(hHash);
+ CryptReleaseContext(hProv, 0);
+ return false;
+ }
+
+ CryptDestroyHash(hHash);
+ CryptReleaseContext(hProv, 0);
+ return true;
+}
+
+#endif // BUILDFLAG(IS_CEF_SANDBOX_BUILD)
+
template <typename Iterator>
Sid FromSubAuthorities(const SID_IDENTIFIER_AUTHORITY& identifier_authority,
size_t sub_authority_count,
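Review bot: The Crypto API `SHA256` added under `IS_CEF_SANDBOX_BUILD` reports failure through a `bool`, but the BoringSSL function it stands in for is normally called without checking a result, and the `Sid::FromNamedCapability` call site is not part of this hunk, so it presumably still ignores the return value. If `CryptAcquireContext` or any later call fails, `OutHash` is never written and the capability SID would be built from whatever was in the `rids` array on the stack; I would declare it `[[nodiscard]] bool SHA256(...)` and wrap the call in `CHECK(...)` so a failure stops instead of yielding an arbitrary SID. Two smaller gaps in the same function: `static_cast<DWORD>(InDataLen)` truncates silently for lengths above `MAXDWORD`, which `if (InDataLen > MAXDWORD) return false;` would reject, and `dwHashLen` is not compared with `SHA256_DIGEST_LENGTH` after `CryptGetHashParam` returns.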