crypto: Load libchaps.so with RTLD_DEEPBIND

crypto/nss_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 
 #include <nss.h>
 #include <pk11pub.h>
 #include <plarena.h>
 #include <prerror.h>
 #include <prinit.h>
 #include <prtime.h>
 #include <secmod.h>
 
 #if defined(OS_OPENBSD)
 #include <sys/mount.h>
 #include <sys/param.h>
 #endif
 
+#if defined(OS_CHROMEOS)
+#include <dlfcn.h>
+#endif
+
 #include <map>
 #include <vector>
 
 #include "base/base_paths.h"
 #include "base/bind.h"
 #include "base/cpu.h"
 #include "base/debug/alias.h"
 #include "base/debug/stack_trace.h"
 #include "base/environment.h"
 #include "base/files/file_path.h"
@@ skipping 229 matching lines @@
  private:
   ScopedPK11Slot public_slot_;
   ScopedPK11Slot private_slot_;
 
   bool private_slot_initialization_started_;
 
   typedef std::vector<base::Callback<void(ScopedPK11Slot)> >
       SlotReadyCallbackList;
   SlotReadyCallbackList tpm_ready_callback_list_;
 };
+
+class ScopedChapsLoadFixup {
+  public:
+    ScopedChapsLoadFixup();
+    ~ScopedChapsLoadFixup();
+
+  private:
+#if defined(COMPONENT_BUILD)
+    void *chaps_handle_;
+#endif
+};
+
+#if defined(COMPONENT_BUILD)
+
+ScopedChapsLoadFixup::ScopedChapsLoadFixup() {
+  // HACK: libchaps links the system protobuf and there are symbol conflicts
+  // with the bundled copy. Load chaps with RTLD_DEEPBIND to workaround.
+  chaps_handle_ = dlopen(kChapsPath, RTLD_LOCAL | RTLD_NOW | RTLD_DEEPBIND);
+}
+
+ScopedChapsLoadFixup::~ScopedChapsLoadFixup() {
+  // LoadModule() will have taken a 2nd reference.
+  if (chaps_handle_)
+    dlclose(chaps_handle_);
+}
+
+#else
+
+ScopedChapsLoadFixup::ScopedChapsLoadFixup() {}
+ScopedChapsLoadFixup::~ScopedChapsLoadFixup() {}
+
+#endif  // defined(COMPONENT_BUILD)
 #endif  // defined(OS_CHROMEOS)
 
 class NSSInitSingleton {
  public:
 #if defined(OS_CHROMEOS)
   // Used with PostTaskAndReply to pass handles to worker thread and back.
   struct TPMModuleAndSlot {
     explicit TPMModuleAndSlot(SECMODModule* init_chaps_module)
         : chaps_module(init_chaps_module) {}
     SECMODModule* chaps_module;
@@ skipping 73 matching lines @@
       base::MessageLoop::current()->PostTask(FROM_HERE,
                                              base::Bind(callback, false));
     }
   }
 
   static void InitializeTPMTokenOnWorkerThread(CK_SLOT_ID token_slot_id,
                                                TPMModuleAndSlot* tpm_args) {
     // This tries to load the Chaps module so NSS can talk to the hardware
     // TPM.
     if (!tpm_args->chaps_module) {
+      ScopedChapsLoadFixup chaps_loader;
+
       DVLOG(3) << "Loading chaps...";
       tpm_args->chaps_module = LoadModule(
           kChapsModuleName,
           kChapsPath,
           // For more details on these parameters, see:
           // https://developer.mozilla.org/en/PKCS11_Module_Specs
           // slotFlags=[PublicCerts] -- Certificates and public keys can be
           //   read from this slot without requiring a call to C_Login.
           // askpw=only -- Only authenticate to the token when necessary.
           "NSS=\"slotParams=(0={slotFlags=[PublicCerts] askpw=only})\"");
@@ skipping 722 matching lines @@
   return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
 }
 
 #if !defined(OS_CHROMEOS)
 PK11SlotInfo* GetPersistentNSSKeySlot() {
   return g_nss_singleton.Get().GetPersistentNSSKeySlot();
 }
 #endif
 
 }  // namespace crypto