Force crypto::AppleKeychain access to be guarded by a Big Global Lock

net/base/x509_certificate_mac.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 #include <time.h>
 
 #include <vector>
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/mac/mac_logging.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/memory/singleton.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
+#include "base/synchronization/lock.h"
 #include "base/sys_string_conversions.h"
 #include "crypto/cssm_init.h"
+#include "crypto/mac_security_services_lock.h"
 #include "crypto/nss_util.h"
 #include "crypto/rsa_private_key.h"
 #include "net/base/x509_util_mac.h"
 #include "third_party/nss/mozilla/security/nss/lib/certdb/cert.h"
 
 using base::mac::ScopedCFTypeRef;
 using base::Time;
 
 namespace net {
 
@@ skipping 53 matching lines @@
 
 // Gets the issuer for a given cert, starting with the cert itself and
 // including the intermediate and finally root certificates (if any).
 // This function calls SecTrust but doesn't actually pay attention to the trust
 // result: it shouldn't be used to determine trust, just to traverse the chain.
 // Caller is responsible for releasing the value stored into *out_cert_chain.
 OSStatus CopyCertChain(SecCertificateRef cert_handle,
                        CFArrayRef* out_cert_chain) {
   DCHECK(cert_handle);
   DCHECK(out_cert_chain);
+
   // Create an SSL policy ref configured for client cert evaluation.
   SecPolicyRef ssl_policy;
   OSStatus result = x509_util::CreateSSLClientPolicy(&ssl_policy);
   if (result)
     return result;
   ScopedCFTypeRef<SecPolicyRef> scoped_ssl_policy(ssl_policy);
 
   // Create a SecTrustRef.
   ScopedCFTypeRef<CFArrayRef> input_certs(CFArrayCreate(
       NULL, const_cast<const void**>(reinterpret_cast<void**>(&cert_handle)),
       1, &kCFTypeArrayCallBacks));
   SecTrustRef trust_ref = NULL;
-  result = SecTrustCreateWithCertificates(input_certs, ssl_policy, &trust_ref);
+  {
+    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+    result = SecTrustCreateWithCertificates(input_certs, ssl_policy,
+                                            &trust_ref);
+  }
   if (result)
     return result;
   ScopedCFTypeRef<SecTrustRef> trust(trust_ref);
 
   // Evaluate trust, which creates the cert chain.
   SecTrustResultType status;
   CSSM_TP_APPLE_EVIDENCE_INFO* status_chain;
-  result = SecTrustEvaluate(trust, &status);
+  {
+    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+    result = SecTrustEvaluate(trust, &status);
+  }
   if (result)
     return result;
-  return SecTrustGetResult(trust, &status, out_cert_chain, &status_chain);
+  {
+    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+    result = SecTrustGetResult(trust, &status, out_cert_chain, &status_chain);
+  }
+  return result;
 }
 
 // Returns true if |purpose| is listed as allowed in |usage|. This
 // function also considers the "Any" purpose. If the attribute is
 // present and empty, we return false.
 bool ExtendedKeyUsageAllows(const CE_ExtendedKeyUsage* usage,
                             const CSSM_OID* purpose) {
   for (unsigned p = 0; p < usage->numPurposes; ++p) {
     if (CSSMOIDEqual(&usage->purposes[p], purpose))
       return true;
@@ skipping 25 matching lines @@
 // within are stored into |output|.
 void AddCertificatesFromBytes(const char* data, size_t length,
                               SecExternalFormat format,
                               X509Certificate::OSCertHandles* output) {
   SecExternalFormat input_format = format;
   ScopedCFTypeRef<CFDataRef> local_data(CFDataCreateWithBytesNoCopy(
       kCFAllocatorDefault, reinterpret_cast<const UInt8*>(data), length,
       kCFAllocatorNull));
 
   CFArrayRef items = NULL;
-  OSStatus status = SecKeychainItemImport(local_data, NULL, &input_format,
-                                          NULL, 0, NULL, NULL, &items);
+  OSStatus status;
+  {
+    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+    status = SecKeychainItemImport(local_data, NULL, &input_format,
+                                   NULL, 0, NULL, NULL, &items);
+  }
+
   if (status) {
     OSSTATUS_DLOG(WARNING, status)
         << "Unable to import items from data of length " << length;
     return;
   }
 
   ScopedCFTypeRef<CFArrayRef> scoped_items(items);
   CFTypeID cert_type_id = SecCertificateGetTypeID();
 
   for (CFIndex i = 0; i < CFArrayGetCount(items); ++i) {
@@ skipping 509 matching lines @@
   if (!server_domain.empty()) {
     // See if there's an identity preference for this domain:
     ScopedCFTypeRef<CFStringRef> domain_str(
         base::SysUTF8ToCFStringRef("https://" + server_domain));
     SecIdentityRef identity = NULL;
     // While SecIdentityCopyPreferences appears to take a list of CA issuers
     // to restrict the identity search to, within Security.framework the
     // argument is ignored and filtering unimplemented. See
     // SecIdentity.cpp in libsecurity_keychain, specifically
     // _SecIdentityCopyPreferenceMatchingName().
-    if (SecIdentityCopyPreference(domain_str, 0, NULL, &identity) == noErr)
-      preferred_identity.reset(identity);
+    {
+      base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+      if (SecIdentityCopyPreference(domain_str, 0, NULL, &identity) == noErr)
+        preferred_identity.reset(identity);
+    }
   }
 
   // Now enumerate the identities in the available keychains.
-  SecIdentitySearchRef search = nil;
-  OSStatus err = SecIdentitySearchCreate(NULL, CSSM_KEYUSE_SIGN, &search);
+  SecIdentitySearchRef search = NULL;
+  OSStatus err;
+  {
+    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+    err = SecIdentitySearchCreate(NULL, CSSM_KEYUSE_SIGN, &search);
+  }
+  if (err)
+    return false;
   ScopedCFTypeRef<SecIdentitySearchRef> scoped_search(search);
   while (!err) {
     SecIdentityRef identity = NULL;
-    err = SecIdentitySearchCopyNext(search, &identity);
+    {
+      base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+      err = SecIdentitySearchCopyNext(search, &identity);
+    }
     if (err)
       break;
     ScopedCFTypeRef<SecIdentityRef> scoped_identity(identity);
 
     SecCertificateRef cert_handle;
     err = SecIdentityCopyCertificate(identity, &cert_handle);
     if (err != noErr)
       continue;
     ScopedCFTypeRef<SecCertificateRef> scoped_cert_handle(cert_handle);
 
@@ skipping 31 matching lines @@
   if (err != errSecItemNotFound) {
     OSSTATUS_LOG(ERROR, err) << "SecIdentitySearch error";
     return false;
   }
   return true;
 }
 
 CFArrayRef X509Certificate::CreateClientCertificateChain() const {
   // Initialize the result array with just the IdentityRef of the receiver:
   SecIdentityRef identity;
-  OSStatus result =
-      SecIdentityCreateWithCertificate(NULL, cert_handle_, &identity);
+  OSStatus result;
+  {
+    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+    result = SecIdentityCreateWithCertificate(NULL, cert_handle_, &identity);
+  }
   if (result) {
     OSSTATUS_LOG(ERROR, result) << "SecIdentityCreateWithCertificate error";
     return NULL;
   }
   ScopedCFTypeRef<CFMutableArrayRef> chain(
       CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks));
   CFArrayAppendValue(chain, identity);
 
   CFArrayRef cert_chain = NULL;
   result = CopyCertChain(cert_handle_, &cert_chain);
@@ skipping 92 matching lines @@
       *type = kPublicKeyTypeDH;
       break;
     default:
       *type = kPublicKeyTypeUnknown;
       *size_bits = 0;
       break;
   }
 }
 
 }  // namespace net