SL-16514 store mfa hash in protected data using LLSecAPIBasicHandler

4 files changed, 26 insertions, 5 deletions

diff --git a/indra/newview/app_settings/settings_per_account.xml b/indra/newview/app_settings/settings_per_account.xml
index d7d008689c..7d4af7db7f 100644
--- a/indra/newview/app_settings/settings_per_account.xml
+++ b/indra/newview/app_settings/settings_per_account.xml
@@ -441,7 +441,7 @@
         <key>Comment</key>
         <string>MFA state hash for authentication</string>
         <key>Persist</key>
-        <integer>1</integer>
+        <integer>0</integer>
         <key>Type</key>
         <string>String</string>
         <key>Value</key>
diff --git a/indra/newview/lllogininstance.cpp b/indra/newview/lllogininstance.cpp
index 902510c294..a4c001ad8b 100644
--- a/indra/newview/lllogininstance.cpp
+++ b/indra/newview/lllogininstance.cpp
@@ -228,11 +228,20 @@ void LLLoginInstance::constructAuthParams(LLPointer<LLCredential> user_credentia
 	request_params["host_id"] = gSavedSettings.getString("HostID");
 	request_params["extended_errors"] = true; // request message_id and message_args
 	request_params["token"] = "";
-	request_params["slmfa_hash"] = gSavedPerAccountSettings.getString("SLMFAHash");
 
-    // log request_params _before_ adding the credentials   
+    // log request_params _before_ adding the credentials or sensitive MFA hash data
     LL_DEBUGS("LLLogin") << "Login parameters: " << LLSDOStreamer<LLSDNotationFormatter>(request_params) << LL_ENDL;
 
+    std::string slmfa_hash = gSavedPerAccountSettings.getString("SLMFAHash"); //non-persistent to enable testing
+    if(slmfa_hash.empty())
+    {
+        LLPointer<LLSecAPIHandler> basic_secure_store = getSecHandler(BASIC_SECHANDLER);
+        std::string grid(LLGridManager::getInstance()->getGridId());
+        slmfa_hash = basic_secure_store->getProtectedData("slmfa_hash", grid).asString();
+    }
+
+    request_params["slmfa_hash"] = slmfa_hash;
+
     // Copy the credentials into the request after logging the rest
     LLSD credentials(user_credential->getLoginParams());
     for (LLSD::map_const_iterator it = credentials.beginMap();
@@ -417,7 +426,7 @@ void LLLoginInstance::handleLoginFailure(const LLSD& event)
 
         LLSD data(LLSD::emptyMap());
         data["message"] = message_response;
-        data["reply_pump"] = MFA_REPLY_PUMP;
+        data["reply_pump"] = MFA_REPLY_PUMP
         if (gViewerWindow)
         {
             gViewerWindow->setShowProgress(FALSE);
diff --git a/indra/newview/llstartup.cpp b/indra/newview/llstartup.cpp
index 8e81843153..956ed2d212 100644
--- a/indra/newview/llstartup.cpp
+++ b/indra/newview/llstartup.cpp
@@ -133,6 +133,7 @@
 #include "llproxy.h"
 #include "llproductinforequest.h"
 #include "llqueryflags.h"
+#include "llsecapi.h"
 #include "llselectmgr.h"
 #include "llsky.h"
 #include "llstatview.h"
@@ -3599,7 +3600,9 @@ bool process_login_success_response()
 
 	if(response.has("slmfa_hash"))
 	{
-		gSavedPerAccountSettings.setString("SLMFAHash", response["slmfa_hash"]);
+		LLPointer<LLSecAPIHandler> basic_secure_store = getSecHandler(BASIC_SECHANDLER);
+		std::string grid(LLGridManager::getInstance()->getGridId());
+		basic_secure_store->setProtectedData("slmfa_hash", grid, response["slmfa_hash"]);
 	}
 
 	bool success = false;
diff --git a/indra/newview/tests/lllogininstance_test.cpp b/indra/newview/tests/lllogininstance_test.cpp
index 43f0e89222..9253516411 100644
--- a/indra/newview/tests/lllogininstance_test.cpp
+++ b/indra/newview/tests/lllogininstance_test.cpp
@@ -186,6 +186,15 @@ std::string LLGridManager::getAppSLURLBase(const std::string& grid_name)
 {
 	return "myappslurl";
 }
+std::string LLGridManager::getGridId(const std::string& grid)
+{
+    return std::string();
+}
+
+LLPointer<LLSecAPIHandler> getSecHandler(const std::string& handler_type)
+{
+    return nullptr;
+}
 
 //-----------------------------------------------------------------------------
 #include "../llviewercontrol.h"