Check that the PNaCl cache hash is truly derived from the bitcode content.

ppapi/native_client/src/trusted/plugin/pnacl_coordinator.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "native_client/src/trusted/plugin/pnacl_coordinator.h"
 
 #include <utility>
 #include <vector>
 
 #include "native_client/src/include/checked_cast.h"
@@ skipping 347 matching lines @@
     error_already_reported_(false),
     off_the_record_(false),
     pnacl_init_time_(0),
     pexe_size_(0),
     pexe_bytes_compiled_(0),
     expected_pexe_size_(-1) {
   PLUGIN_PRINTF(("PnaclCoordinator::PnaclCoordinator (this=%p, plugin=%p)\n",
                  static_cast<void*>(this), static_cast<void*>(plugin)));
   callback_factory_.Initialize(this);
   ld_manifest_.reset(new PnaclLDManifest(plugin_->manifest(), manifest_.get()));
+  pp::Module *module = pp::Module::Get();
+  DCHECK(module);
+  nacl_hash_private_interface_ = static_cast<const PPB_NaCl_Hash_Private*>(
+      module->GetBrowserInterface(PPB_NACL_HASH_PRIVATE_INTERFACE));
+  bitcode_hash_verifier_ = nacl_hash_private_interface_->CreateSHA256Hasher();
 }
 
 PnaclCoordinator::~PnaclCoordinator() {
   PLUGIN_PRINTF(("PnaclCoordinator::~PnaclCoordinator (this=%p, "
                  "translate_thread=%p\n",
                  static_cast<void*>(this), translate_thread_.get()));
   // Stopping the translate thread will cause the translate thread to try to
   // run translation_complete_callback_ on the main thread.  This destructor is
   // running from the main thread, and by the time it exits, callback_factory_
   // will have been destroyed.  This will result in the cancellation of
   // translation_complete_callback_, so no notification will be delivered.
   if (translate_thread_.get() != NULL) {
     translate_thread_->AbortSubprocesses();
   }
+  nacl_hash_private_interface_->Delete(bitcode_hash_verifier_);
 }
 
 void PnaclCoordinator::ReportNonPpapiError(enum PluginErrorCode err_code,
                                            const nacl::string& message) {
   error_info_.SetReport(err_code,
                         nacl::string("PnaclCoordinator: ") + message);
   ExitWithError();
 }
 
 void PnaclCoordinator::ReportPpapiError(enum PluginErrorCode err_code,
@@ skipping 71 matching lines @@
                     static_cast<int64_t>(nexe_size / 1024));
     HistogramRatio("NaCl.Perf.Size.PexeNexeSizePct", pexe_size_, nexe_size);
   }
 
   // The nexe is written to the temp_nexe_file_.  We must Reset() the file
   // pointer to be able to read it again from the beginning.
   temp_nexe_file_->Reset();
 
   if (pnacl_options_.HasCacheKey() && cached_nexe_file_ != NULL) {
     // We are using a cache, but had a cache miss, which is why we did the
-    // translation.  Reset cached_nexe_file_ to have a random name,
-    // for scratch purposes, before renaming to the final cache_identity.
-    cached_nexe_file_.reset(new LocalTempFile(plugin_, file_system_.get(),
-                                              nacl::string(kPnaclTempDir)));
-    pp::CompletionCallback cb = callback_factory_.NewCallback(
-        &PnaclCoordinator::CachedNexeOpenedForWrite);
-    cached_nexe_file_->OpenWrite(cb);
+    // translation.
+    if (BitcodeHashMatchesContents()) {
+      // Reset cached_nexe_file_ to have a random name, for scratch purposes,
+      // before renaming to the final cache_identity.
+      cached_nexe_file_.reset(new LocalTempFile(plugin_, file_system_.get(),
+                                                nacl::string(kPnaclTempDir)));
+      pp::CompletionCallback cb = callback_factory_.NewCallback(
+          &PnaclCoordinator::CachedNexeOpenedForWrite);
+      cached_nexe_file_->OpenWrite(cb);
+    } else {
+      ReportNonPpapiError(
+          ERROR_PNACL_CACHE_HASH_MISMATCH,
+          "Bitcode hash does not match bitcode contents.");
+    }
   } else {
     // For now, tolerate bitcode that is missing a cache identity, and
     // tolerate the lack of caching in incognito mode.
     PLUGIN_PRINTF(("PnaclCoordinator -- not caching.\n"));
     NexeReadDidOpen(PP_OK);
   }
 }
 
+bool PnaclCoordinator::BitcodeHashMatchesContents() {
+  const nacl::string& expected_hash = pnacl_options_.GetBitcodeHash();
+  nacl::string actual_hash;
+  uint8_t hash_digest[32];
+  nacl_hash_private_interface_->Finish(bitcode_hash_verifier_,
+                                       &hash_digest,
+                                       sizeof hash_digest);
+  // Convert 32-byte binary digest to 64-byte hex digest for comparison.
+  for (size_t i = 0; i < sizeof hash_digest; i+=8) {
+    char buf[17]; // do 16 chars + a null byte at a time.
+    SNPRINTF(buf, sizeof buf, "%02x%02x%02x%02x%02x%02x%02x%02x",
+             hash_digest[i  ], hash_digest[i+1],
+             hash_digest[i+2], hash_digest[i+3],
+             hash_digest[i+4], hash_digest[i+5],
+             hash_digest[i+6], hash_digest[i+7]);
+    actual_hash.append(buf);
+  }
+  if (expected_hash.size() != actual_hash.size()) {
+    return false;
+  }
+  return nacl_hash_private_interface_->SecureMemEqual(expected_hash.c_str(),
+                                                      actual_hash.c_str(),
+                                                      expected_hash.size());
+}
+
 void PnaclCoordinator::CachedNexeOpenedForWrite(int32_t pp_error) {
   if (pp_error != PP_OK) {
     if (pp_error == PP_ERROR_NOACCESS) {
       ReportPpapiError(
           ERROR_PNACL_CACHE_FILEOPEN_NOACCESS,
           pp_error,
           "PNaCl translation cache failed to open file for write "
           "(no access).");
       return;
     }
@@ skipping 405 matching lines @@
     HistogramRatio("NaCl.Perf.PNaClLoadTime.PctCompiledWhenFullyDownloaded",
                    pexe_bytes_compiled_, pexe_size_);
   }
 }
 
 void PnaclCoordinator::BitcodeStreamGotData(int32_t pp_error,
                                             FileStreamData data) {
   PLUGIN_PRINTF(("PnaclCoordinator::BitcodeStreamGotData (pp_error=%"
                  NACL_PRId32", data=%p)\n", pp_error, data ? &(*data)[0] : 0));
   DCHECK(translate_thread_.get());
+  // If pp_error > 0, then it represents the number of bytes received.
+  if (pp_error > 0) {
+    pexe_size_ += pp_error;
+    // Update hash for verification before data is taken by PutBytes.
+    if (pnacl_options_.HasCacheKey()) {
+      nacl_hash_private_interface_->Update(bitcode_hash_verifier_,
+                                           &(*data)[0],
+                                           pp_error);
+    }
+  }
   translate_thread_->PutBytes(data, pp_error);
-  // If pp_error > 0, then it represents the number of bytes received.
-  if (data && pp_error > 0) {
-    pexe_size_ += pp_error;
-  }
 }
 
 StreamCallback PnaclCoordinator::GetCallback() {
   return callback_factory_.NewCallbackWithOutput(
       &PnaclCoordinator::BitcodeStreamGotData);
 }
 
 void PnaclCoordinator::BitcodeGotCompiled(int32_t pp_error,
                                           int64_t bytes_compiled) {
   // If we don't know the expected total yet, ask.
@@ skipping 57 matching lines @@
                                   obj_file_.get(),
                                   temp_nexe_file_.get(),
                                   &error_info_,
                                   resources_.get(),
                                   &pnacl_options_,
                                   this,
                                   plugin_);
 }
 
 }  // namespace plugin