Insulate the legacy Android client auth code from OpenSSL ABI changes.

net/android/keystore_openssl.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/android/keystore_openssl.h"
 
 #include <jni.h>
 #include <openssl/bn.h>
 // This include is required to get the ECDSA_METHOD structure definition
 // which isn't currently part of the OpenSSL official ABI. This should
 // not be a concern for Chromium which always links against its own
 // version of the library on Android.
 #include <openssl/crypto/ecdsa/ecs_locl.h>
 // And this one is needed for the EC_GROUP definition.
 #include <openssl/crypto/ec/ec_lcl.h>
 #include <openssl/dsa.h>
 #include <openssl/ec.h>
 #include <openssl/engine.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
 #include "base/android/build_info.h"
 #include "base/android/jni_android.h"
 #include "base/android/scoped_java_ref.h"
 #include "base/basictypes.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "crypto/openssl_util.h"
 #include "net/android/keystore.h"
+#include "net/android/legacy_openssl.h"
 #include "net/ssl/ssl_client_cert_type.h"
 
 // IMPORTANT NOTE: The following code will currently only work when used
 // to implement client certificate support with OpenSSL. That's because
 // only the signing operations used in this use case are implemented here.
 //
 // Generally speaking, OpenSSL provides many different ways to sign
 // digests. This code doesn't support all these cases, only the ones that
 // are required to sign the digest during the OpenSSL handshake for TLS.
 //
@@ skipping 48 matching lines @@
 // DSA_size() and ECDSA_size() work properly with the wrapper EVP_PKEY.
 //
 // Note that there is no need to define an OpenSSL ENGINE here. These
 // are objects that can be used to expose custom methods (i.e. either
 // RSA_METHOD, DSA_METHOD, ECDSA_METHOD, and a large number of other ones
 // for types not related to this source file), and make them used by
 // default for a lot of operations. Very fortunately, this is not needed
 // here, which saves a lot of complexity.
 
 using base::android::ScopedJavaGlobalRef;
+using base::android::ScopedJavaLocalRef;
 
 namespace net {
 namespace android {
 
 namespace {
 
 typedef crypto::ScopedOpenSSL<EVP_PKEY, EVP_PKEY_free> ScopedEVP_PKEY;
 typedef crypto::ScopedOpenSSL<RSA, RSA_free> ScopedRSA;
 typedef crypto::ScopedOpenSSL<DSA, DSA_free> ScopedDSA;
 typedef crypto::ScopedOpenSSL<EC_KEY, EC_KEY_free> ScopedEC_KEY;
 typedef crypto::ScopedOpenSSL<EC_GROUP, EC_GROUP_free> ScopedEC_GROUP;
 
 // Custom RSA_METHOD that uses the platform APIs.
 // Note that for now, only signing through RSA_sign() is really supported.
 // all other method pointers are either stubs returning errors, or no-ops.
 // See <openssl/rsa.h> for exact declaration of RSA_METHOD.
 
+struct RsaAppData {
+  jobject private_key;
+  AndroidRSA* legacy_rsa;
+};
+
 int RsaMethodPubEnc(int flen,
                     const unsigned char* from,
                     unsigned char* to,
                     RSA* rsa,
                     int padding) {
   NOTIMPLEMENTED();
   RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
   return -1;
 }
 
@@ skipping 22 matching lines @@
     // "RSA/ECB/NoPadding" or "RSA/ECB/PKCS1Padding" transformation as
     // appropriate. I believe support for both of these was added in
     // the same Android version as the "NONEwithRSA"
     // java.security.Signature algorithm, so the same version checks
     // for GetRsaLegacyKey should work.
     RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
     return -1;
   }
 
   // Retrieve private key JNI reference.
-  jobject private_key = reinterpret_cast<jobject>(RSA_get_app_data(rsa));
-  if (!private_key) {
+  RsaAppData* app_data = static_cast<RsaAppData*>(RSA_get_app_data(rsa));
+  if (!app_data || !app_data->private_key) {
     LOG(WARNING) << "Null JNI reference passed to RsaMethodPrivEnc!";
     RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
     return -1;
   }
 
+  // Pre-4.2 legacy codepath.
+  if (app_data->legacy_rsa) {
+    int ret = app_data->legacy_rsa->meth->rsa_priv_enc(
+        flen, from, to, app_data->legacy_rsa, ANDROID_RSA_PKCS1_PADDING);
+    if (ret < 0) {
+      LOG(WARNING) << "Could not sign message in RsaMethodPrivEnc!";
+      // System OpenSSL will use a separate error queue, so it is still
+      // necessary to push a new error.
+      RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);

[agl, 2014/07/10 16:33:44]

Do we need to clear the system's error queue?

[davidben, 2014/07/10 21:47:07]

Added a TODO, but doing so seems to be difficult. I tried dlopen("libcrypto.so")
to get at the function, but libcrypto doesn't get loaded through dlopen, so we
end up with two copies of the library. I got some bizarre hangs that didn't
occur without the CL, so I assume something broke from that.

The other option I can see is to find some random Java function to call which
happens to dump the error queue as a side effect.

+      return -1;
+    }
+    return ret;
+  }
+
   base::StringPiece from_piece(reinterpret_cast<const char*>(from), flen);
   std::vector<uint8> result;
   // For RSA keys, this function behaves as RSA_private_encrypt with
   // PKCS#1 padding.
-  if (!RawSignDigestWithPrivateKey(private_key, from_piece, &result)) {
+  if (!RawSignDigestWithPrivateKey(app_data->private_key,
+                                   from_piece, &result)) {
     LOG(WARNING) << "Could not sign message in RsaMethodPrivEnc!";
     RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
     return -1;
   }
 
   size_t expected_size = static_cast<size_t>(RSA_size(rsa));
   if (result.size() > expected_size) {
     LOG(ERROR) << "RSA Signature size mismatch, actual: "
                <<  result.size() << ", expected <= " << expected_size;
     RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
@@ skipping 19 matching lines @@
   return -1;
 }
 
 int RsaMethodInit(RSA* rsa) {
   return 0;
 }
 
 int RsaMethodFinish(RSA* rsa) {
   // Ensure the global JNI reference created with this wrapper is
   // properly destroyed with it.
-  jobject key = reinterpret_cast<jobject>(RSA_get_app_data(rsa));
-  if (key != NULL) {
+  RsaAppData* app_data = static_cast<RsaAppData*>(RSA_get_app_data(rsa));
+  if (app_data != NULL) {
     RSA_set_app_data(rsa, NULL);
-    ReleaseKey(key);
+    ReleaseKey(app_data->private_key);
+    delete app_data;
   }
   // Actual return value is ignored by OpenSSL. There are no docs
   // explaining what this is supposed to be.
   return 0;
 }
 
 const RSA_METHOD android_rsa_method = {
   /* .name = */ "Android signing-only RSA method",
   /* .rsa_pub_enc = */ RsaMethodPubEnc,
   /* .rsa_pub_dec = */ RsaMethodPubDec,
@@ skipping 45 matching lines @@
       old_num);
   if (new_num == NULL)
     return false;
 
   if (old_num == NULL)
     *num_ptr = new_num;
   return true;
 }
 
 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object.
 // |private_key| is the JNI reference (local or global) to the object.

[agl, 2014/07/10 16:33:44]

Probably needs to mention |legacy_rsa|.

[davidben, 2014/07/10 21:47:07]

Done.

 // |pkey| is the EVP_PKEY to setup as a wrapper.
 // Returns true on success, false otherwise.
 // On success, this creates a new global JNI reference to the object
 // that is owned by and destroyed with the EVP_PKEY. I.e. caller can
 // free |private_key| after the call.
 // IMPORTANT: The EVP_PKEY will *only* work on Android >= 4.2. For older
 // platforms, use GetRsaLegacyKey() instead.
-bool GetRsaPkeyWrapper(jobject private_key, EVP_PKEY* pkey) {
+bool GetRsaPkeyWrapper(jobject private_key,
+                       AndroidRSA* legacy_rsa,
+                       EVP_PKEY* pkey) {
   ScopedRSA rsa(RSA_new());
   RSA_set_method(rsa.get(), &android_rsa_method);
 
   // HACK: RSA_size() doesn't work with custom RSA_METHODs. To ensure that
   // it will return the right value, set the 'n' field of the RSA object
   // to match the private key's modulus.
+  //
+  // TODO(davidben): After switching to BoringSSL, consider making RSA_size call
+  // into an RSA_METHOD hook.
   std::vector<uint8> modulus;
   if (!GetRSAKeyModulus(private_key, &modulus)) {
     LOG(ERROR) << "Failed to get private key modulus";
     return false;
   }
   if (!SwapBigNumPtrFromBytes(modulus, &rsa.get()->n)) {
     LOG(ERROR) << "Failed to decode private key modulus";
     return false;
   }
 
   ScopedJavaGlobalRef<jobject> global_key;
   global_key.Reset(NULL, private_key);
   if (global_key.is_null()) {
     LOG(ERROR) << "Could not create global JNI reference";
     return false;
   }
-  RSA_set_app_data(rsa.get(), global_key.Release());
+  RsaAppData* app_data = new RsaAppData();
+  app_data->private_key = global_key.Release();
+  app_data->legacy_rsa = legacy_rsa;
+  RSA_set_app_data(rsa.get(), app_data);
   EVP_PKEY_assign_RSA(pkey, rsa.release());
   return true;
 }
 
 // On Android < 4.2, the libkeystore.so ENGINE uses CRYPTO_EX_DATA and is not
 // added to the global engine list. If all references to it are dropped, OpenSSL
 // will dlclose the module, leaving a dangling function pointer in the RSA
 // CRYPTO_EX_DATA class. To work around this, leak an extra reference to the
 // ENGINE we extract in GetRsaLegacyKey.
 //
 // In 4.2, this change avoids the problem:
 // https://android.googlesource.com/platform/libcore/+/106a8928fb4249f2f3d4dba1dddbe73ca5cb3d61
 //
 // https://crbug.com/381465
 class KeystoreEngineWorkaround {
  public:
-  KeystoreEngineWorkaround() : leaked_engine_(false) {}
+  KeystoreEngineWorkaround() {}
 
-  void LeakRsaEngine(EVP_PKEY* pkey) {
-    if (leaked_engine_)
+  void LeakEngine(jobject private_key) {
+    if (!engine_.is_null())
       return;
-    ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey));
-    if (!rsa.get() ||
-        !rsa.get()->engine ||
-        strcmp(ENGINE_get_id(rsa.get()->engine), "keystore") ||
-        !ENGINE_init(rsa.get()->engine)) {
+    ScopedJavaLocalRef<jobject> engine =
+        GetOpenSSLEngineForPrivateKey(private_key);
+    if (engine.is_null()) {
       NOTREACHED();
       return;
     }
-    leaked_engine_ = true;
+    engine_.Reset(engine);
   }
 
  private:
-  bool leaked_engine_;
+  ScopedJavaGlobalRef<jobject> engine_;
 };
 
-void LeakRsaEngine(EVP_PKEY* pkey) {
+void LeakEngine(jobject private_key) {
   static base::LazyInstance<KeystoreEngineWorkaround>::Leaky s_instance =
       LAZY_INSTANCE_INITIALIZER;
-  s_instance.Get().LeakRsaEngine(pkey);
+  s_instance.Get().LeakEngine(private_key);
 }
 
 // Setup an EVP_PKEY to wrap an existing platform RSA PrivateKey object
 // for Android 4.0 to 4.1.x. Must only be used on Android < 4.2.
 // |private_key| is a JNI reference (local or global) to the object.
 // |pkey| is the EVP_PKEY to setup as a wrapper.
 // Returns true on success, false otherwise.
 EVP_PKEY* GetRsaLegacyKey(jobject private_key) {
-  EVP_PKEY* sys_pkey =
+  AndroidEVP_PKEY* sys_pkey =
       GetOpenSSLSystemHandleForPrivateKey(private_key);
   if (sys_pkey != NULL) {
-    CRYPTO_add(&sys_pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
-    LeakRsaEngine(sys_pkey);
-  } else {
-    // GetOpenSSLSystemHandleForPrivateKey() will fail on Android
-    // 4.0.3 and earlier. However, it is possible to get the key
-    // content with PrivateKey.getEncoded() on these platforms.
-    // Note that this method may return NULL on 4.0.4 and later.
-    std::vector<uint8> encoded;
-    if (!GetPrivateKeyEncodedBytes(private_key, &encoded)) {
-      LOG(ERROR) << "Can't get private key data!";
+    if (sys_pkey->type != ANDROID_EVP_PKEY_RSA) {
+      LOG(ERROR) << "Private key has wrong type!";
       return NULL;
     }
-    const unsigned char* p =
-        reinterpret_cast<const unsigned char*>(&encoded[0]);
-    int len = static_cast<int>(encoded.size());
-    sys_pkey = d2i_AutoPrivateKey(NULL, &p, len);
-    if (sys_pkey == NULL) {
-      LOG(ERROR) << "Can't convert private key data!";
+
+    AndroidRSA* sys_rsa = sys_pkey->pkey.rsa;
+    if (sys_rsa->engine) {
+      // |private_key| may not have an engine if the PrivateKey did not come
+      // from the key store, such as in unit tests.
+      if (!strcmp(sys_rsa->engine->id, "keystore")) {
+        LeakEngine(private_key);
+      } else {
+        NOTREACHED();
+      }
+    }
+
+    ScopedEVP_PKEY pkey(EVP_PKEY_new());
+    if (!GetRsaPkeyWrapper(private_key, sys_rsa, pkey.get()))
       return NULL;
-    }
+    return pkey.release();
   }
-  return sys_pkey;
+
+  // GetOpenSSLSystemHandleForPrivateKey() will fail on Android 4.0.3 and
+  // earlier. However, it is possible to get the key content with
+  // PrivateKey.getEncoded() on these platforms.  Note that this method may
+  // return NULL on 4.0.4 and later.
+  std::vector<uint8> encoded;
+  if (!GetPrivateKeyEncodedBytes(private_key, &encoded)) {
+    LOG(ERROR) << "Can't get private key data!";
+    return NULL;
+  }
+  const unsigned char* p =
+      reinterpret_cast<const unsigned char*>(&encoded[0]);
+  int len = static_cast<int>(encoded.size());
+  EVP_PKEY* pkey = d2i_AutoPrivateKey(NULL, &p, len);
+  if (pkey == NULL) {
+    LOG(ERROR) << "Can't convert private key data!";
+    return NULL;
+  }
+  return pkey;
 }
 
 // Custom DSA_METHOD that uses the platform APIs.
 // Note that for now, only signing through DSA_sign() is really supported.
 // all other method pointers are either stubs returning errors, or no-ops.
 // See <openssl/dsa.h> for exact declaration of DSA_METHOD.
 //
 // Note: There is no DSA_set_app_data() and DSA_get_app_data() functions,
 //       but RSA_set_app_data() is defined as a simple macro that calls
 //       RSA_set_ex_data() with a hard-coded index of 0, so this code
@@ skipping 311 matching lines @@
         // backing this PrivateKey object.
         const int kAndroid42ApiLevel = 17;
         if (base::android::BuildInfo::GetInstance()->sdk_int() <
             kAndroid42ApiLevel) {
           EVP_PKEY* legacy_key = GetRsaLegacyKey(private_key);
           if (legacy_key == NULL)
             return NULL;
           pkey.reset(legacy_key);
         } else {
           // Running on Android 4.2.
-          if (!GetRsaPkeyWrapper(private_key, pkey.get()))
+          if (!GetRsaPkeyWrapper(private_key, NULL, pkey.get()))
             return NULL;
         }
       }
       break;
     case PRIVATE_KEY_TYPE_DSA:
       if (!GetDsaPkeyWrapper(private_key, pkey.get()))
         return NULL;
       break;
     case PRIVATE_KEY_TYPE_ECDSA:
       if (!GetEcdsaPkeyWrapper(private_key, pkey.get()))
         return NULL;
       break;
     default:
       LOG(WARNING)
           << "GetOpenSSLPrivateKeyWrapper() called with invalid key type";
       return NULL;
   }
   return pkey.release();
 }
 
 }  // namespace android
 }  // namespace net