| -rw-r--r-- | autobuild.xml | 28 | ||||
| -rw-r--r-- | indra/cmake/Copy3rdPartyLibs.cmake | 11 | ||||
| -rw-r--r-- | indra/cmake/OpenSSL.cmake | 2 | ||||
| -rw-r--r-- | indra/llmessage/llblowfishcipher.cpp | 28 | ||||
| -rw-r--r-- | indra/newview/CMakeLists.txt | 8 | ||||
| -rw-r--r-- | indra/newview/llsecapi.h | 2 | ||||
| -rw-r--r-- | indra/newview/llsechandler_basic.cpp | 48 | ||||
| -rw-r--r-- | indra/newview/llsechandler_basic.h | 4 | ||||
| -rw-r--r-- | indra/newview/tests/llsecapi_test.cpp | 2 | ||||
| -rwxr-xr-x | indra/newview/viewer_manifest.py | 10 | 
10 files changed, 83 insertions, 60 deletions
| diff --git a/autobuild.xml b/autobuild.xml
index b7a2f0a132..fc7226c346 100644
--- a/autobuild.xml
+++ b/autobuild.xml
@@ -398,9 +398,9 @@
             <key>archive</key>
             <map>
               <key>hash</key>
-              <string>52fc837a5840f5e6991842cf2f73a9d7</string>
+              <string>13f74f43a6363ec998569f731fd869c5</string>
               <key>url</key>
-              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/80409/758717/curl-7.54.1.558452-darwin64-558452.tar.bz2</string>
+              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/82637/774617/curl-7.54.1.560191-darwin64-560191.tar.bz2</string>
             </map>
             <key>name</key>
             <string>darwin64</string>
@@ -434,11 +434,11 @@
             <key>archive</key>
             <map>
               <key>hash</key>
-              <string>8de0af7c8168406bf18bdcd5bc44e40e</string>
+              <string>0df99bd685dc3561ca8ea347b2921987</string>
               <key>hash_algorithm</key>
               <string>md5</string>
               <key>url</key>
-              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/80411/758714/curl-7.54.1.558452-windows-558452.tar.bz2</string>
+              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/82639/774610/curl-7.54.1.560191-windows-560191.tar.bz2</string>
             </map>
             <key>name</key>
             <string>windows</string>
@@ -448,16 +448,16 @@
             <key>archive</key>
             <map>
               <key>hash</key>
-              <string>dc633acdbd3595db4f904e68e48b4744</string>
+              <string>50db2a9e6b74ec4b0c38b1ea8f135735</string>
               <key>url</key>
-              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/80410/758715/curl-7.54.1.558452-windows64-558452.tar.bz2</string>
+              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/82638/774608/curl-7.54.1.560191-windows64-560191.tar.bz2</string>
             </map>
             <key>name</key>
             <string>windows64</string>
           </map>
         </map>
         <key>version</key>
-        <string>7.54.1.558452</string>
+        <string>7.54.1.560191</string>
       </map>
       <key>db</key>
       <map>
@@ -2738,9 +2738,9 @@ Copyright (c) 2012, 2014, 2015, 2016 nghttp2 contributors</string>
             <key>archive</key>
             <map>
               <key>hash</key>
-              <string>166aa05b379b13156de5821252040498</string>
+              <string>5503e4928bcdb0a29685b3242c4a409b</string>
               <key>url</key>
-              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/78582/743936/openssl-1.0.2l.557043-darwin64-557043.tar.bz2</string>
+              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/82619/774464/openssl-1.1.1l.560177-darwin64-560177.tar.bz2</string>
             </map>
             <key>name</key>
             <string>darwin64</string>
@@ -2774,9 +2774,9 @@ Copyright (c) 2012, 2014, 2015, 2016 nghttp2 contributors</string>
             <key>archive</key>
             <map>
               <key>hash</key>
-              <string>68aae05216c035283c79aad6dd88d8da</string>
+              <string>d2153f20dc2d35c609b876a9f019a748</string>
               <key>url</key>
-              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/78590/743992/openssl-1.0.2l.557043-windows-557043.tar.bz2</string>
+              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/82623/774521/openssl-1.1.1l.560177-windows-560177.tar.bz2</string>
             </map>
             <key>name</key>
             <string>windows</string>
@@ -2786,16 +2786,16 @@ Copyright (c) 2012, 2014, 2015, 2016 nghttp2 contributors</string>
             <key>archive</key>
             <map>
               <key>hash</key>
-              <string>d2576a386559cefb654154d8f0de6337</string>
+              <string>f40b8622ba38084b0962e273988d748f</string>
               <key>url</key>
-              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/78588/743976/openssl-1.0.2l.557043-windows64-557043.tar.bz2</string>
+              <string>https://automated-builds-secondlife-com.s3.amazonaws.com/ct2/82624/774520/openssl-1.1.1l.560177-windows64-560177.tar.bz2</string>
             </map>
             <key>name</key>
             <string>windows64</string>
           </map>
         </map>
         <key>version</key>
-        <string>1.0.2l.557043</string>
+        <string>1.1.1l.560177</string>
       </map>
       <key>pcre</key>
       <map>
diff --git a/indra/cmake/Copy3rdPartyLibs.cmake b/indra/cmake/Copy3rdPartyLibs.cmake
index 9978de6eba..848547f2a2 100644
--- a/indra/cmake/Copy3rdPartyLibs.cmake
+++ b/indra/cmake/Copy3rdPartyLibs.cmake
@@ -56,14 +56,21 @@ if(WINDOWS)
         libapr-1.dll
         libaprutil-1.dll
         libapriconv-1.dll
-        ssleay32.dll
-        libeay32.dll
         nghttp2.dll
         glod.dll
         libhunspell.dll
         uriparser.dll
         )
+    # OpenSSL
+    if(ADDRESS_SIZE EQUAL 64)
+        set(release_files ${release_files} libcrypto-1_1-x64.dll)
+        set(release_files ${release_files} libssl-1_1-x64.dll)
+    else(ADDRESS_SIZE EQUAL 64)
+        set(release_files ${release_files} libcrypto-1_1.dll)
+        set(release_files ${release_files} libssl-1_1.dll)
+    endif(ADDRESS_SIZE EQUAL 64)
+
     # Filenames are different for 32/64 bit BugSplat file and we don't
     # have any control over them so need to branch.
     if (BUGSPLAT_DB)
diff --git a/indra/cmake/OpenSSL.cmake b/indra/cmake/OpenSSL.cmake
index eb548bdcc1..32400f5e4e 100644
--- a/indra/cmake/OpenSSL.cmake
+++ b/indra/cmake/OpenSSL.cmake
@@ -9,7 +9,7 @@ if (USESYSTEMLIBS)
 else (USESYSTEMLIBS)
   use_prebuilt_binary(openssl)
   if (WINDOWS)
-    set(OPENSSL_LIBRARIES ssleay32 libeay32)
+    set(OPENSSL_LIBRARIES libssl libcrypto)
   else (WINDOWS)
     set(OPENSSL_LIBRARIES ssl crypto)
   endif (WINDOWS)
diff --git a/indra/llmessage/llblowfishcipher.cpp b/indra/llmessage/llblowfishcipher.cpp
index 0b5025a422..949d4cc0c7 100644
--- a/indra/llmessage/llblowfishcipher.cpp
+++ b/indra/llmessage/llblowfishcipher.cpp
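Review bot: The OpenSSL block in Copy3rdPartyLibs.cmake grows `release_files` with four `set(release_files ${release_files} …)` calls; `list(APPEND release_files libcrypto-1_1-x64.dll libssl-1_1-x64.dll)` and `list(APPEND release_files libcrypto-1_1.dll libssl-1_1.dll)` say the same thing in one line per branch without re-expanding the list each time. Only the release list is extended here; if a debug list is populated elsewhere in this `if(WINDOWS)` block, the new DLL names would need the same 32/64-bit branch, which cannot be confirmed from the hunk. The `if(WINDOWS)` block opens before the hunk.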
@@ -52,24 +52,28 @@ U32 LLBlowfishCipher::encrypt(const U8* src, U32 src_len, U8* dst, U32 dst_len)
 	if (src_len > dst_len) return 0;
 	// OpenSSL uses "cipher contexts" to hold encryption parameters.
-    EVP_CIPHER_CTX context;
-    EVP_CIPHER_CTX_init(&context);
+    EVP_CIPHER_CTX *context = EVP_CIPHER_CTX_new();
+    if (!context)
+    {
+        LL_WARNS() << "LLBlowfishCipher::encrypt EVP_CIPHER_CTX initiation failure" << LL_ENDL;
+        return 0;
+    }
 	// We want a blowfish cyclic block chain cipher, but need to set 
 	// the key length before we pass in a key, so call EncryptInit 
 	// first with NULLs.
-	EVP_EncryptInit_ex(&context, EVP_bf_cbc(), NULL, NULL, NULL);
-	EVP_CIPHER_CTX_set_key_length(&context, (int)mSecretSize);
+	EVP_EncryptInit_ex(context, EVP_bf_cbc(), NULL, NULL, NULL);
+	EVP_CIPHER_CTX_set_key_length(context, (int)mSecretSize);
 	// Complete initialization.  Per EVP_EncryptInit man page, the
 	// cipher pointer must be NULL.  Apparently initial_vector must
 	// be 8 bytes for blowfish, as this is the block size.
     unsigned char initial_vector[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-	EVP_EncryptInit_ex(&context, NULL, NULL, mSecret, initial_vector);
+	EVP_EncryptInit_ex(context, NULL, NULL, mSecret, initial_vector);
-    int blocksize = EVP_CIPHER_CTX_block_size(&context);
-    int keylen = EVP_CIPHER_CTX_key_length(&context);
-    int iv_length = EVP_CIPHER_CTX_iv_length(&context);
+    int blocksize = EVP_CIPHER_CTX_block_size(context);
+    int keylen = EVP_CIPHER_CTX_key_length(context);
+    int iv_length = EVP_CIPHER_CTX_iv_length(context);
     LL_DEBUGS() << "LLBlowfishCipher blocksize " << blocksize
 		<< " keylen " << keylen
 		<< " iv_len " << iv_length
@@ -77,7 +81,7 @@ U32 LLBlowfishCipher::encrypt(const U8* src, U32 src_len, U8* dst, U32 dst_len)
 	int output_len = 0;
 	int temp_len = 0;
-	if (!EVP_EncryptUpdate(&context,
+	if (!EVP_EncryptUpdate(context,
 			dst,
 			&output_len,
 			src,
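Review bot: The rewritten `EVP_EncryptInit_ex(context, EVP_bf_cbc(), NULL, NULL, NULL)` and `EVP_CIPHER_CTX_set_key_length(context, (int)mSecretSize)` lines still discard their return values, so a key length the cipher rejects, or a Blowfish cipher missing from the linked OpenSSL build, leaves the context half-initialised and the function goes on to encrypt with it anyway. The hunk already introduces an early `return 0` for a null context, and the same shape fits here: `if (!EVP_EncryptInit_ex(context, EVP_bf_cbc(), NULL, NULL, NULL) || !EVP_CIPHER_CTX_set_key_length(context, (int)mSecretSize))` followed by `{ LL_WARNS() << "LLBlowfishCipher::encrypt EVP_EncryptInit failure" << LL_ENDL; EVP_CIPHER_CTX_free(context); return 0; }` (a `goto ERROR` at this point would jump past the initialisation of `initial_vector`, so free and return inline). The second `EVP_EncryptInit_ex(context, NULL, NULL, mSecret, initial_vector)` call deserves the same check. The new lines use four-space indentation where the surrounding function is tab-indented. `encrypt` continues into the following hunks, where the `ERROR:` label lives.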
@@ -89,18 +89,18 @@ U32 LLBlowfishCipher::encrypt(const U8* src, U32 src_len, U8* dst, U32 dst_len)
 	// There may be some final data left to encrypt if the input is
 	// not an exact multiple of the block size.
-	if (!EVP_EncryptFinal_ex(&context, (unsigned char*)(dst + output_len), &temp_len))
+	if (!EVP_EncryptFinal_ex(context, (unsigned char*)(dst + output_len), &temp_len))
 	{
 		LL_WARNS() << "LLBlowfishCipher::encrypt EVP_EncryptFinal failure" << LL_ENDL;
 		goto ERROR;
 	}
 	output_len += temp_len;
-	EVP_CIPHER_CTX_cleanup(&context);
+	EVP_CIPHER_CTX_free(context);
 	return output_len;
 ERROR:
-	EVP_CIPHER_CTX_cleanup(&context);
+	EVP_CIPHER_CTX_free(context);
 	return 0;
 }
diff --git a/indra/newview/CMakeLists.txt b/indra/newview/CMakeLists.txt
index 63045502c9..41b3b1d30f 100644
--- a/indra/newview/CMakeLists.txt
+++ b/indra/newview/CMakeLists.txt
@@ -1828,10 +1828,6 @@ if (WINDOWS)
       ${CMAKE_CURRENT_SOURCE_DIR}/licenses-win32.txt
       ${CMAKE_CURRENT_SOURCE_DIR}/featuretable.txt
       ${CMAKE_CURRENT_SOURCE_DIR}/featuretable_xp.txt
-      ${ARCH_PREBUILT_DIRS_RELEASE}/libeay32.dll
-      ${ARCH_PREBUILT_DIRS_RELEASE}/ssleay32.dll
-      ${ARCH_PREBUILT_DIRS_DEBUG}/libeay32.dll
-      ${ARCH_PREBUILT_DIRS_DEBUG}/ssleay32.dll
       ${viewer_APPSETTINGS_FILES}
       SLPlugin
       media_plugin_cef
@@ -1844,11 +1840,15 @@ if (WINDOWS)
         list(APPEND COPY_INPUT_DEPENDENCIES
             ${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/vivoxsdk_x64.dll
             ${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/ortp_x64.dll
+           ${ARCH_PREBUILT_DIRS_RELEASE}/libcrypto-1_1-x64.dll
+           ${ARCH_PREBUILT_DIRS_RELEASE}/libssl-1_1-x64.dll
             )
     else (ADDRESS_SIZE EQUAL 64)
         list(APPEND COPY_INPUT_DEPENDENCIES
             ${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/vivoxsdk.dll
             ${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/ortp.dll
+            ${ARCH_PREBUILT_DIRS_RELEASE}/libcrypto-1_1.dll
+            ${ARCH_PREBUILT_DIRS_RELEASE}/libssl-1_1.dll
             )
     endif (ADDRESS_SIZE EQUAL 64)
diff --git a/indra/newview/llsecapi.h b/indra/newview/llsecapi.h
index 14059f828a..1e6f2154bc 100644
--- a/indra/newview/llsecapi.h
+++ b/indra/newview/llsecapi.h
@@ -452,7 +452,7 @@ public:
 	virtual LLPointer<LLCertificate> getCertificate(X509* openssl_cert)=0;
 	// instantiate a chain from an X509_STORE_CTX
-	virtual LLPointer<LLCertificateChain> getCertificateChain(const X509_STORE_CTX* chain)=0;
+	virtual LLPointer<LLCertificateChain> getCertificateChain(X509_STORE_CTX* chain)=0;
 	// instantiate a cert store given it's id.  if a persisted version
 	// exists, it'll be loaded.  If not, one will be created (but not
diff --git a/indra/newview/llsechandler_basic.cpp b/indra/newview/llsechandler_basic.cpp
index 737ef30ada..94331fddfa 100644
--- a/indra/newview/llsechandler_basic.cpp
+++ b/indra/newview/llsechandler_basic.cpp
@@ -95,7 +95,7 @@ LLBasicCertificate::LLBasicCertificate(const std::string& pem_cert,
 LLBasicCertificate::LLBasicCertificate(X509* pCert,
                                        const LLSD* validation_params) 
 {
-	if (!pCert || !pCert->cert_info)
+	if (!pCert)
 	{
 		LLTHROW(LLInvalidCertificate(LLSD::emptyMap()));
 	}	
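Review bot: The preceding hunk (`@@ -1828`) drops both the `${ARCH_PREBUILT_DIRS_RELEASE}` and the `${ARCH_PREBUILT_DIRS_DEBUG}` copies of the old OpenSSL DLLs, but the additions in this hunk only re-add `${ARCH_PREBUILT_DIRS_RELEASE}/libcrypto-1_1*.dll` and `libssl-1_1*.dll`; if debug builds still stage from `ARCH_PREBUILT_DIRS_DEBUG`, they lose their OpenSSL DLL dependency with this commit. Either confirm the debug directory is no longer used for these libraries or add the matching `${ARCH_PREBUILT_DIRS_DEBUG}/libcrypto-1_1-x64.dll` / `libssl-1_1-x64.dll` entries (and the 32-bit pair) alongside the release ones. The two 64-bit additions are indented with eleven spaces where the neighbouring entries use twelve. The enclosing `if (ADDRESS_SIZE EQUAL 64)` opens before the hunk.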
@@ -355,8 +355,8 @@ LLSD cert_name_from_X509_NAME(X509_NAME* name)
 		char buffer[32];
 		X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, entry_index);
-		std::string name_value = std::string((const char*)M_ASN1_STRING_data(X509_NAME_ENTRY_get_data(entry)), 
-											 M_ASN1_STRING_length(X509_NAME_ENTRY_get_data(entry)));
+		std::string name_value = std::string((const char*)ASN1_STRING_data(X509_NAME_ENTRY_get_data(entry)), 
+											 ASN1_STRING_length(X509_NAME_ENTRY_get_data(entry)));
 		ASN1_OBJECT* name_obj = X509_NAME_ENTRY_get_object(entry);		
 		OBJ_obj2txt(buffer, sizeof(buffer), name_obj, 0);
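Review bot: `ASN1_STRING_data` is the deprecated accessor in OpenSSL 1.1.0 and later; the supported one is `ASN1_STRING_get0_data`, which returns `const unsigned char*`, so the added line becomes `std::string name_value = std::string((const char*)ASN1_STRING_get0_data(data), ASN1_STRING_length(data));` with `ASN1_STRING* data = X509_NAME_ENTRY_get_data(entry);` declared just above it instead of calling `X509_NAME_ENTRY_get_data(entry)` twice. The `entry` returned by `X509_NAME_get_entry` on the context line above is used without a NULL check; that is pre-existing, but this is the natural place to add `if (!entry) continue;` or an equivalent guard for whatever loop encloses it. `cert_name_from_X509_NAME` starts and ends outside the hunk.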
@@ -683,29 +683,29 @@ std::string LLBasicCertificateStore::storeId() const
 // LLBasicCertificateChain
 // This class represents a chain of certs, each cert being signed by the next cert
 // in the chain.  Certs must be properly signed by the parent
-LLBasicCertificateChain::LLBasicCertificateChain(const X509_STORE_CTX* store)
+LLBasicCertificateChain::LLBasicCertificateChain(X509_STORE_CTX* store)
 {
 	// we're passed in a context, which contains a cert, and a blob of untrusted
 	// certificates which compose the chain.
-	if((store == NULL) || (store->cert == NULL))
+	if((store == NULL) || X509_STORE_CTX_get0_cert(store) == NULL)
 	{
 		LL_WARNS("SECAPI") << "An invalid store context was passed in when trying to create a certificate chain" << LL_ENDL;
 		return;
 	}
 	// grab the child cert
-	LLPointer<LLCertificate> current = new LLBasicCertificate(store->cert);
+	LLPointer<LLCertificate> current = new LLBasicCertificate(X509_STORE_CTX_get0_cert(store));
 	add(current);
-	if(store->untrusted != NULL)
+	if(X509_STORE_CTX_get0_untrusted(store) != NULL)
 	{
 		// if there are other certs in the chain, we build up a vector
 		// of untrusted certs so we can search for the parents of each
 		// consecutive cert.
 		LLBasicCertificateVector untrusted_certs;
-		for(int i = 0; i < sk_X509_num(store->untrusted); i++)
+		for(int i = 0; i < sk_X509_num(X509_STORE_CTX_get0_untrusted(store)); i++)
 		{
-			LLPointer<LLCertificate> cert = new LLBasicCertificate(sk_X509_value(store->untrusted, i));
+			LLPointer<LLCertificate> cert = new LLBasicCertificate(sk_X509_value(X509_STORE_CTX_get0_untrusted(store), i));
 			untrusted_certs.add(cert);
 		}		
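Review bot: `X509_STORE_CTX_get0_cert(store)` is called twice and `X509_STORE_CTX_get0_untrusted(store)` three times, once in the `for` condition on every iteration; hoisting them into `X509* cert = X509_STORE_CTX_get0_cert(store);` and `STACK_OF(X509)* untrusted = X509_STORE_CTX_get0_untrusted(store);` at the top of the constructor makes the NULL checks and the loop read as they did with the old `store->cert` / `store->untrusted` fields. The `get0` accessors return pointers owned by the store context; whether `LLBasicCertificate(X509*)` copies or up-refs the certificate is not visible here, so confirm it does not keep the borrowed pointer past the lifetime of `store`. The constructor continues past the end of the hunk.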
@@ -1340,9 +1340,10 @@ void LLSecAPIBasicHandler::_readProtectedData()
 		// read in the rest of the file.
-		EVP_CIPHER_CTX ctx;
-		EVP_CIPHER_CTX_init(&ctx);
-		EVP_DecryptInit(&ctx, EVP_rc4(), salt, NULL);
+		EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+        // todo: ctx error handling
+
+		EVP_DecryptInit(ctx, EVP_rc4(), salt, NULL);
 		// allocate memory:
 		std::string decrypted_data;	
@@ -1350,14 +1351,14 @@ void LLSecAPIBasicHandler::_readProtectedData()
 			// read data as a block:
 			protected_data_stream.read((char *)buffer, BUFFER_READ_SIZE);
-			EVP_DecryptUpdate(&ctx, decrypted_buffer, &decrypted_length, 
+			EVP_DecryptUpdate(ctx, decrypted_buffer, &decrypted_length, 
 							  buffer, protected_data_stream.gcount());
 			decrypted_data.append((const char *)decrypted_buffer, protected_data_stream.gcount());
 		}
 		// RC4 is a stream cipher, so we don't bother to EVP_DecryptFinal, as there is
 		// no block padding.
-		EVP_CIPHER_CTX_cleanup(&ctx);
+        EVP_CIPHER_CTX_free(ctx);
 		std::istringstream parse_stream(decrypted_data);
 		if (parser->parse(parse_stream, mProtectedDataMap, 
 						  LLSDSerialize::SIZE_UNLIMITED) == LLSDParser::PARSE_FAILURE)
@@ -1393,12 +1394,14 @@ void LLSecAPIBasicHandler::_writeProtectedData()
 	llofstream protected_data_stream(tmp_filename.c_str(),
                                      std::ios_base::binary);
+    EVP_CIPHER_CTX *ctx = NULL;
 	try
 	{
-		EVP_CIPHER_CTX ctx;
-		EVP_CIPHER_CTX_init(&ctx);
-		EVP_EncryptInit(&ctx, EVP_rc4(), salt, NULL);
+		ctx = EVP_CIPHER_CTX_new();
+        // todo: ctx error handling
+
+		EVP_EncryptInit(ctx, EVP_rc4(), salt, NULL);
 		unsigned char unique_id[MAC_ADDRESS_BYTES];
         LLMachineID::getUniqueID(unique_id, sizeof(unique_id));
 		LLXORCipher cipher(unique_id, sizeof(unique_id));
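Review bot: `EVP_CIPHER_CTX_new()` can return NULL, and both `_readProtectedData` (hunk `@@ -1340`) and `_writeProtectedData` (hunk `@@ -1393`) hand the unchecked result straight to `EVP_DecryptInit` / `EVP_EncryptInit`, as the added `// todo: ctx error handling` comment concedes; in the read path that is a null dereference while parsing a file, so a guard such as `if (!ctx) { LL_WARNS("SECAPI") << "EVP_CIPHER_CTX_new failed" << LL_ENDL; return; }` (and the equivalent bail-out before `EVP_EncryptInit` in the write path) belongs in this commit rather than in a todo. The return values of `EVP_DecryptInit` and `EVP_DecryptUpdate` are likewise ignored, which matters more after this upgrade: RC4 can be compiled out of OpenSSL 1.1.1 and is relegated to the legacy provider from 3.0, in which case `EVP_rc4()` yields a cipher the init call rejects and the loop decrypts nothing without any diagnostic. `decrypted_data.append(..., protected_data_stream.gcount())` uses the input byte count rather than the `decrypted_length` the API just produced; identical for a stream cipher, but `decrypted_length` is the value the call is defined to return. The new `EVP_CIPHER_CTX_free(ctx);` and todo lines are space-indented inside tab-indented functions. Both functions begin before their hunks.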
@@ -1413,13 +1416,13 @@ void LLSecAPIBasicHandler::_writeProtectedData()
 				break;
 			}
 			int encrypted_length;
-			EVP_EncryptUpdate(&ctx, encrypted_buffer, &encrypted_length, 
+			EVP_EncryptUpdate(ctx, encrypted_buffer, &encrypted_length, 
 						  buffer, formatted_data_istream.gcount());
 			protected_data_stream.write((const char *)encrypted_buffer, encrypted_length);
 		}
 		// no EVP_EncrypteFinal, as this is a stream cipher
-		EVP_CIPHER_CTX_cleanup(&ctx);
+        EVP_CIPHER_CTX_free(ctx);
 		protected_data_stream.close();
 	}
@@ -1431,6 +1434,11 @@ void LLSecAPIBasicHandler::_writeProtectedData()
 		// it may be, however.
 		LLFile::remove(tmp_filename);
+        if (ctx)
+        {
+            EVP_CIPHER_CTX_free(ctx);
+        }
+
 		// EXP-1825 crash in LLSecAPIBasicHandler::_writeProtectedData()
 		// Decided throwing an exception here was overkill until we figure out why this happens
 		//LLTHROW(LLProtectedDataException("Error writing Protected Data Store"));
@@ -1483,7 +1491,7 @@ LLPointer<LLCertificate> LLSecAPIBasicHandler::getCertificate(X509* openssl_cert
 }
 // instantiate a chain from an X509_STORE_CTX
-LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(const X509_STORE_CTX* chain)
+LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(X509_STORE_CTX* chain)
 {
 	LLPointer<LLCertificateChain> result = new LLBasicCertificateChain(chain);
 	return result;
diff --git a/indra/newview/llsechandler_basic.h b/indra/newview/llsechandler_basic.h
index 0bc7f5230f..82670f9083 100644
--- a/indra/newview/llsechandler_basic.h
+++ b/indra/newview/llsechandler_basic.h
@@ -197,7 +197,7 @@ class LLBasicCertificateChain : virtual public LLBasicCertificateVector, public
 {
 public:
-	LLBasicCertificateChain(const X509_STORE_CTX * store);
+	LLBasicCertificateChain(X509_STORE_CTX * store);
 	virtual ~LLBasicCertificateChain() {}
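Review bot: In `_writeProtectedData` the success path of hunk `@@ -1413` calls `EVP_CIPHER_CTX_free(ctx)` and then `protected_data_stream.close()` without clearing `ctx`, while the handler in hunk `@@ -1431` frees `ctx` again whenever it is non-NULL, so anything thrown between that free and the end of the `try` block double-frees the context. The one-line fix is `EVP_CIPHER_CTX_free(ctx); ctx = NULL;` on the success path; since `ctx` was hoisted out of the `try` for exactly this reason, a `std::unique_ptr<EVP_CIPHER_CTX, decltype(&EVP_CIPHER_CTX_free)>` declared there would remove both manual cleanup sites. The `try` opens in the preceding hunk and the `catch` that owns the second free begins outside this one.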
@@ -241,7 +241,7 @@ public:
 	virtual LLPointer<LLCertificate> getCertificate(X509* openssl_cert);
 	// instantiate a chain from an X509_STORE_CTX
-	virtual LLPointer<LLCertificateChain> getCertificateChain(const X509_STORE_CTX* chain);
+	virtual LLPointer<LLCertificateChain> getCertificateChain(X509_STORE_CTX* chain);
 	// instantiate a cert store given it's id.  if a persisted version
 	// exists, it'll be loaded.  If not, one will be created (but not
diff --git a/indra/newview/tests/llsecapi_test.cpp b/indra/newview/tests/llsecapi_test.cpp
index caa3016d2e..37fbbb449b 100644
--- a/indra/newview/tests/llsecapi_test.cpp
+++ b/indra/newview/tests/llsecapi_test.cpp
@@ -57,7 +57,7 @@ void LLSecAPIBasicHandler::init() {}
 LLSecAPIBasicHandler::~LLSecAPIBasicHandler() {}
 LLPointer<LLCertificate> LLSecAPIBasicHandler::getCertificate(const std::string& pem_cert) { return NULL; }
 LLPointer<LLCertificate> LLSecAPIBasicHandler::getCertificate(X509* openssl_cert) { return NULL; }
-LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(const X509_STORE_CTX* chain) { return NULL; }
+LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(X509_STORE_CTX* chain) { return NULL; }
 LLPointer<LLCertificateStore> LLSecAPIBasicHandler::getCertificateStore(const std::string& store_id) { return NULL; }
 void LLSecAPIBasicHandler::setProtectedData(const std::string& data_type, const std::string& data_id, const LLSD& data) {}
 void LLSecAPIBasicHandler::addToProtectedMap(const std::string& data_type, const std::string& data_id, const std::string& map_elem, const LLSD& data) {}
diff --git a/indra/newview/viewer_manifest.py b/indra/newview/viewer_manifest.py
index 80f6b2aa9f..c0a0a7ec46 100755
--- a/indra/newview/viewer_manifest.py
+++ b/indra/newview/viewer_manifest.py
@@ -553,9 +553,13 @@ class WindowsManifest(ViewerManifest):
                 self.path("vivoxsdk.dll")
                 self.path("ortp.dll")
-            # Security
-            self.path("ssleay32.dll")
-            self.path("libeay32.dll")
+            # OpenSSL
+            if (self.address_size == 64):
+                self.path("libcrypto-1_1-x64.dll")
+                self.path("libssl-1_1-x64.dll")
+            else:
+                self.path("libcrypto-1_1.dll")
+                self.path("libssl-1_1.dll")
             # HTTP/2
             self.path("nghttp2.dll")
|
