android: Use OpenSSL instead of curl.

KrzaQ · KrzaQ · commit 3d14eb710cf5 · 2023-02-09T06:46:28.000+01:00
Linking against libcurl.so is not guaranteed to work on newer Android
versions. That's why we're using Crashpad's SSL code instead.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -162,18 +162,25 @@ jobs:
         with:
           submodules: recursive
 
+      - name: Set env armeabi-v7a
+        if: ${{ matrix.abi == 'armeabi-v7a' }}
+        run: echo "SSL_MODE=NONE" >> $GITHUB_ENV
+
+      - name: Set env others
+        if: ${{ matrix.abi != 'armeabi-v7a' }}
+        run: echo "SSL_MODE=OPENSSL" >> $GITHUB_ENV
+
       - name: Install NDK (optional)
         # available on GitHub Actions host (as of 7/24/22) listed below
         if: ${{ matrix.ndk }} != '21.4.7075529' && ${{ matrix.ndk }} != '23.2.8568313' && ${{ matrix.ndk }} != '24.0.8215888'
         run: |
           echo "y" | sudo $ANDROID_HOME/tools/bin/sdkmanager --install "ndk;${{ matrix.ndk }}" --sdk_root=${ANDROID_SDK_ROOT} >/dev/null 2>&1
           #ls -lsa $ANDROID_HOME/ndk/${{ matrix.ndk }}/platforms
 
-
       - name: CMake
         run: |
           mkdir cbuild
-          cmake -S . -B cbuild/ -DCMAKE_TOOLCHAIN_FILE=$ANDROID_HOME/ndk/${{ matrix.ndk }}/build/cmake/android.toolchain.cmake -DANDROID_ABI=${{ matrix.abi }} -DANDROID_PLATFORM=android-${{ matrix.apiLevel }} -DANDROID_NATIVE_API_LEVEL=${{ matrix.apiLevel }} -DANDROID_TOOLCHAIN=clang -DBUILD_EXAMPLES=TRUE
+          cmake -S . -B cbuild/ -DCMAKE_TOOLCHAIN_FILE=$ANDROID_HOME/ndk/${{ matrix.ndk }}/build/cmake/android.toolchain.cmake -DANDROID_ABI=${{ matrix.abi }} -DANDROID_PLATFORM=android-${{ matrix.apiLevel }} -DANDROID_NATIVE_API_LEVEL=${{ matrix.apiLevel }} -DANDROID_TOOLCHAIN=clang -DANDROID_SSL_MODE=${{ env.SSL_MODE }} -DBUILD_EXAMPLES=TRUE
           cmake --build cbuild/
 
       - name: Crashpad distribution ZIP
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1,5 +1,6 @@
 cmake_minimum_required(VERSION 3.12)
 project(backtrace_crashpad LANGUAGES C CXX)
+cmake_policy(SET CMP0077 NEW)
 
 if (UNIX AND NOT APPLE)
     set(LINUX TRUE)
@@ -42,7 +43,10 @@ target_compile_definitions(backtrace_common INTERFACE
     CRASHPAD_LSS_SOURCE_EMBEDDED)
 
 if (ANDROID)
-    add_subdirectory(third_party/openssl-android-binary)
+    option(ANDROID_SSL_MODE "Android SSL mode" "OPENSSL")
+    if (ANDROID_SSL_MODE STREQUAL "OPENSSL")
+        add_subdirectory(third_party/openssl-android-binary)
+    endif()
 elseif (APPLE)
     # do nothing
 elseif (LINUX)
diff --git a/client/crash_report_database.h b/client/crash_report_database.h
@@ -176,6 +176,11 @@ class CrashReportDatabase {
       return attachment_map_;
     }
 
+#if BUILDFLAG(IS_ANDROID)
+    //! \brief Returns the database that this report belongs to.
+    CrashReportDatabase* GetDatabase() const { return database_; }
+#endif
+
    private:
     friend class CrashReportDatabase;
     friend class CrashReportDatabaseGeneric;
diff --git a/client/crashpad_client_linux.cc b/client/crashpad_client_linux.cc
@@ -50,6 +50,10 @@
 #include "util/posix/signals.h"
 #include "util/posix/spawn_subprocess.h"
 
+#if defined(CRASHPAD_USE_BORINGSSL) && BUILDFLAG(IS_ANDROID)
+#include "util/backtrace/android_cert_store.h"
+#endif
+
 namespace crashpad {
 
 namespace {
@@ -449,6 +453,10 @@ bool CrashpadClient::StartHandler(
     const std::vector<base::FilePath>& attachments) {
   DCHECK(!asynchronous_start);
 
+#if defined(CRASHPAD_USE_BORINGSSL) && BUILDFLAG(IS_ANDROID)
+  backtrace::android_cert_store::create(database);
+#endif
+
   ScopedFileHandle client_sock, handler_sock;
   if (!UnixCredentialSocket::CreateCredentialSocketpair(&client_sock,
                                                         &handler_sock)) {
@@ -727,6 +735,10 @@ bool CrashpadClient::StartHandlerAtCrash(
   std::vector<std::string> argv = BuildHandlerArgvStrings(
       handler, database, metrics_dir, url, annotations, arguments, attachments);
 
+#if defined(CRASHPAD_USE_BORINGSSL) && BUILDFLAG(IS_ANDROID)
+  backtrace::android_cert_store::create(database);
+#endif
+
   if (crash_loop_detection_) {
     namespace clc = backtrace::crash_loop_detection;
     bool ok = clc::CrashLoopDetectionAppend(database, run_uuid_);
diff --git a/handler/crash_report_upload_thread.cc b/handler/crash_report_upload_thread.cc
@@ -341,6 +341,13 @@ CrashReportUploadThread::UploadResult CrashReportUploadThread::UploadReport(
   // TODO(mark): The timeout should be configurable by the client.
   http_transport->SetTimeout(internal::kUploadReportTimeoutSeconds);
 
+#if defined(CRASHPAD_USE_BORINGSSL)
+#if BUILDFLAG(IS_ANDROID)
+  http_transport->SetRootCACertificatePath(
+    report->GetDatabase()->DatabasePath());
+#endif // BUILDFLAG(IS_ANDROID)
+#endif // defined(CRASHPAD_USE_BORINGSSL)
+
   std::string url = url_;
   if (options_.identify_client_via_url) {
     // Add parameters to the URL which identify the client to the server.
diff --git a/third_party/openssl-android-binary b/third_party/openssl-android-binary
@@ -1 +1 @@
-Subproject commit 638a558860fb64278cef598b5b24ea633935c3f4
+Subproject commit 1201f923955d3ad15a4a77288a787e7947adb850
diff --git a/util/CMakeLists.txt b/util/CMakeLists.txt
@@ -230,7 +230,6 @@ if (LINUX)
         ./misc/capture_context_linux.S
         ./misc/paths_linux.cc
         ./misc/time_linux.cc
-        ./net/http_transport_libcurl.cc
         ./net/http_transport_socket.cc
         ./posix/process_info_linux.cc
         ./posix/scoped_mmap.cc
@@ -310,6 +309,13 @@ if (WIN32)
     endif ()
 endif (WIN32)
 
+if (ANDROID)
+    list(APPEND CRASHPAD_UTIL_LIBRARY_FILES
+        ./backtrace/android_cert_store.cc
+        ./backtrace/android_cert_store.h
+        ./backtrace/certs_pem.h
+    )
+endif (ANDROID)
 
 add_library(util OBJECT ${CRASHPAD_UTIL_LIBRARY_FILES})
 target_compile_features(util PUBLIC cxx_std_17)
@@ -362,7 +368,10 @@ if (APPLE)
 endif (APPLE)
 
 if (ANDROID)
-    target_link_libraries(util PUBLIC openssl-android-binary)
+    if (ANDROID_SSL_MODE STREQUAL "OPENSSL")
+        target_link_libraries(util PUBLIC openssl-android-binary)
+    elseif(ANDROID_SSL_MODE STREQUAL "NONE")
+    endif ()
 endif (ANDROID)
 
 if (UNIX)
@@ -377,16 +386,22 @@ target_include_directories(util PUBLIC ..)
 target_link_libraries(util PUBLIC mini_chromium ZLIB::ZLIB backtrace_common)
 
 if (LINUX AND NOT ANDROID)
-    if (CURL_FOUND)
-        target_link_libraries(util PUBLIC curl)
-    endif (CURL_FOUND)
-
     if (OPENSSL_FOUND)
         target_compile_definitions(util PUBLIC CRASHPAD_USE_BORINGSSL)
         target_link_libraries(util PUBLIC OpenSSL::SSL OpenSSL::Crypto)
     endif (OPENSSL_FOUND)
 endif (LINUX AND NOT ANDROID)
 
+if (ANDROID)
+    if (ANDROID_SSL_MODE STREQUAL "OPENSSL")
+        target_link_libraries(util PUBLIC openssl-android-binary)
+        target_compile_definitions(util PUBLIC CRASHPAD_USE_BORINGSSL)
+    elseif(ANDROID_SSL_MODE STREQUAL "NONE")
+    else()
+        message(FATAL_ERROR "Unknown value for ANDROID_SSL_MODE: ${ANDROID_SSL_MODE}")
+    endif ()
+endif (ANDROID)
+
 if (${CMAKE_CXX_COMPILER_ID} STREQUAL "GNU")
     target_compile_options(util PUBLIC -Wno-multichar)
 endif ()
diff --git a/util/backtrace/android_cert_store.cc b/util/backtrace/android_cert_store.cc
@@ -0,0 +1,57 @@
+#include "android_cert_store.h"
+
+#if !BUILDFLAG(IS_ANDROID)
+#error "This file is only for Android"
+#endif // !BUILDFLAG(IS_ANDROID)
+
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/stat.h>
+
+namespace crashpad {
+namespace backtrace {
+namespace android_cert_store {
+
+#include "certs_pem.h"
+
+namespace {
+
+bool file_exists(const base::FilePath& path) {
+  return access(path.value().c_str(), F_OK) != -1;
+}
+
+size_t file_size(const base::FilePath& path) {
+  struct stat st;
+  if (stat(path.value().c_str(), &st) == -1)
+    return 0;
+  return st.st_size;
+}
+
+} // anonymous namespace
+
+create_result create(const base::FilePath& database) {
+
+  auto certs_file = database.Append("/backtrace-cacert.pem");
+
+  if (file_exists(certs_file) && file_size(certs_file) == certs_pem_len)
+    return create_result::already_exists;
+
+  int file_handle = open(certs_file.value().c_str(),
+    O_CREAT | O_TRUNC | O_WRONLY, 0644);
+
+  if (file_handle == -1)
+    return create_result::failure;
+
+  auto written = write(file_handle, certs_pem, certs_pem_len);
+  if (written != certs_pem_len){
+      close(file_handle);
+      return create_result::failure;
+  }
+
+  close(file_handle);
+  return create_result::success;
+}
+
+} // android_cert_store
+} // backtrace
+} // crashpad
diff --git a/util/backtrace/android_cert_store.h b/util/backtrace/android_cert_store.h
@@ -0,0 +1,34 @@
+// Copyright 2023 Sauce Labs. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#pragma once
+
+#include "base/files/file_path.h"
+#include "util/misc/uuid.h"
+
+namespace crashpad {
+namespace backtrace {
+namespace android_cert_store {
+
+enum class create_result {
+  success,
+  failure,
+  already_exists,
+};
+
+create_result create(const base::FilePath& database);
+
+} // android_cert_store
+} // backtrace
+} // crashpad
diff --git a/util/net/http_transport_socket.cc b/util/net/http_transport_socket.cc
@@ -36,6 +36,9 @@
 
 #if defined(CRASHPAD_USE_BORINGSSL)
 #include <openssl/ssl.h>
+#if BUILDFLAG(IS_ANDROID)
+#include "util/backtrace/android_cert_store.h"
+#endif
 #endif
 
 namespace crashpad {
@@ -121,14 +124,41 @@ class SSLStream : public Stream {
     SSL_CTX_set_verify(ctx_.get(), SSL_VERIFY_PEER, nullptr);
     SSL_CTX_set_verify_depth(ctx_.get(), 5);
 
+#if BUILDFLAG(IS_ANDROID)
+    {
+      namespace cs = crashpad::backtrace::android_cert_store;
+      auto result = cs::create(root_cert_path);
+      if (result == cs::create_result::failure) {
+        LOG(ERROR) << "Failed to create AndroidCertStore";
+        return false;
+      }
+    }
+#endif
+
     if (!root_cert_path.empty()) {
+#if BUILDFLAG(IS_ANDROID)
+      auto path = root_cert_path.value() + "/backtrace-cacert.pem";
+      if (SSL_CTX_load_verify_locations(
+              ctx_.get(), path.c_str(), nullptr) <= 0) {
+        LOG(ERROR) << "SSL_CTX_load_verify_locations";
+        return false;
+      }
+#else
       if (SSL_CTX_load_verify_locations(
               ctx_.get(), root_cert_path.value().c_str(), nullptr) <= 0) {
         LOG(ERROR) << "SSL_CTX_load_verify_locations";
         return false;
       }
+#endif
     } else {
-#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+#if BUILDFLAG(IS_ANDROID)
+      auto path = root_cert_path.value() + "/backtrace-cacert.pem";
+      if (SSL_CTX_load_verify_locations(
+              ctx_.get(), path.c_str(), nullptr) <= 0) {
+        LOG(ERROR) << "SSL_CTX_load_verify_locations";
+        return false;
+      }
+#elif BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
       if (SSL_CTX_load_verify_locations(
               ctx_.get(), nullptr, "/etc/ssl/certs") <= 0) {
         LOG(ERROR) << "SSL_CTX_load_verify_locations";
@@ -165,7 +195,8 @@ class SSLStream : public Stream {
       return false;
     }
 
-    if (SSL_connect(ssl_.get()) <= 0) {
+    int connect = SSL_connect(ssl_.get());
+    if (connect <= 0) {
       LOG(ERROR) << "SSL_connect";
       return false;
     }
