Diffstat (limited to 'indra/llmessage')
-rw-r--r-- | indra/llmessage/llcurl.cpp | 28 | ||||
-rw-r--r-- | indra/llmessage/llcurl.h | 12 | ||||
-rw-r--r-- | indra/llmessage/llhttpclient.cpp | 16 | ||||
-rw-r--r-- | indra/llmessage/llhttpclient.h | 11 | ||||
-rw-r--r-- | indra/llmessage/llurlrequest.cpp | 51 | ||||
-rw-r--r-- | indra/llmessage/llurlrequest.h | 68 |
6 files changed, 101 insertions, 85 deletions
diff --git a/indra/llmessage/llcurl.cpp b/indra/llmessage/llcurl.cpp index 7c6660e28b..5caf620059 100644 --- a/indra/llmessage/llcurl.cpp +++ b/indra/llmessage/llcurl.cpp @@ -90,6 +90,10 @@ S32 gCurlMultiCount = 0; std::vector<LLMutex*> LLCurl::sSSLMutex; std::string LLCurl::sCAPath; std::string LLCurl::sCAFile; +// Verify SSL certificates by default (matches libcurl default). The ability +// to alter this flag is only to allow us to suppress verification if it's +// broken for some reason. +bool LLCurl::sSSLVerify = true; //static void LLCurl::setCAPath(const std::string& path) @@ -104,6 +108,18 @@ void LLCurl::setCAFile(const std::string& file) } //static +void LLCurl::setSSLVerify(bool verify) +{ + sSSLVerify = verify; +} + +//static +bool LLCurl::getSSLVerify() +{ + return sSSLVerify; +} + +//static std::string LLCurl::getVersionString() { return std::string(curl_version()); @@ -528,7 +544,7 @@ void LLCurl::Easy::prepRequest(const std::string& url, setErrorBuffer(); setCA(); - setopt(CURLOPT_SSL_VERIFYPEER, true); + setopt(CURLOPT_SSL_VERIFYPEER, LLCurl::getSSLVerify()); //setopt(CURLOPT_SSL_VERIFYHOST, LLCurl::getSSLVerify()? 2 : 0); //don't verify host name so urls with scrubbed host names will work (improves DNS performance) @@ -999,15 +1015,6 @@ void LLCurlEasyRequest::setReadCallback(curl_read_callback callback, void* userd } } -void LLCurlEasyRequest::setSSLCtxCallback(curl_ssl_ctx_callback callback, void* userdata) -{ - if (mEasy) - { - mEasy->setopt(CURLOPT_SSL_CTX_FUNCTION, (void*)callback); - mEasy->setopt(CURLOPT_SSL_CTX_DATA, userdata); - } -} - void LLCurlEasyRequest::slist_append(const char* str) { if (mEasy) @@ -1175,4 +1182,3 @@ void LLCurl::cleanupClass() } } - diff --git a/indra/llmessage/llcurl.h b/indra/llmessage/llcurl.h index 882d036705..6ec0a5d8a7 100644 --- a/indra/llmessage/llcurl.h +++ b/indra/llmessage/llcurl.h 
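Review bot: setSSLVerify(false) silently turns off certificate checking for every request prepared afterwards, so nothing in the logs records that the process is running without TLS peer verification. A one-line warning at the point the flag is cleared, `if (!verify) llwarns << "SSL certificate verification disabled for all LLCurl requests" << llendl;`, makes the degraded state visible to whoever later reads a session log. sSSLVerify is also a plain static bool written here and read from prepRequest; if requests are prepared on worker threads (the file keeps sSSLMutex, which suggests threads are in play) a write after startup would be a data race, so the header should state that the flag must be set before any request is prepared.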
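Review bot: Binding CURLOPT_SSL_VERIFYPEER to the new flag does not restore host-name verification in prepRequest: the CURLOPT_SSL_VERIFYHOST line directly below it stays commented out, so even with sSSLVerify true a certificate issued by any trusted CA for any other host is accepted. checkRootCertificate in llurlrequest.cpp sets VERIFYHOST to 2 when checking is on, so the two code paths now apply different policies for the same flag. If the "scrubbed host names" reason still holds, the trade-off should be stated next to the setopt call (`// NOTE: host-name check intentionally off; peer cert is still validated against the CA bundle`) rather than left as a commented-out line; otherwise `setopt(CURLOPT_SSL_VERIFYHOST, LLCurl::getSSLVerify() ? 2 : 0);` belongs here too. prepRequest's body starts before and ends after this hunk.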
@@ -158,6 +158,16 @@ public: static const std::string& getCAPath() { return sCAPath; } /** + * @ brief Set flag controlling whether to verify HTTPS certs. + */ + static void setSSLVerify(bool verify); + + /** + * @ brief Get flag controlling whether to verify HTTPS certs. + */ + static bool getSSLVerify(); + + /** * @ brief Initialize LLCurl class */ static void initClass(); @@ -182,6 +192,7 @@ public: private: static std::string sCAPath; static std::string sCAFile; + static bool sSSLVerify; }; namespace boost @@ -232,7 +243,6 @@ public: void setHeaderCallback(curl_header_callback callback, void* userdata); void setWriteCallback(curl_write_callback callback, void* userdata); void setReadCallback(curl_read_callback callback, void* userdata); - void setSSLCtxCallback(curl_ssl_ctx_callback callback, void* userdata); void slist_append(const char* str); void sendRequest(const std::string& url); void requestComplete(); diff --git a/indra/llmessage/llhttpclient.cpp b/indra/llmessage/llhttpclient.cpp index cdcc5b42c3..46952fa434 100644 --- a/indra/llmessage/llhttpclient.cpp +++ b/indra/llmessage/llhttpclient.cpp @@ -31,7 +31,7 @@ */ #include "linden_common.h" -#include <openssl/x509_vfy.h> + #include "llhttpclient.h" #include "llassetstorage.h" @@ -46,10 +46,7 @@ #include "message.h" #include <curl/curl.h> - const F32 HTTP_REQUEST_EXPIRY_SECS = 60.0f; -LLURLRequest::SSLCertVerifyCallback LLHTTPClient::mCertVerifyCallback = NULL; - //////////////////////////////////////////////////////////////////////////// // Responder class moved to LLCurl 
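Review bot: The header comments for setSSLVerify/getSSLVerify describe the accessor but not its scope or intent, which matters for a switch that weakens TLS: the .cpp comment explains it is a process-wide workaround for a broken verification setup, and that is what a caller reading llcurl.h needs to see. Suggest `@brief Set whether HTTPS peer certificates are verified. Process-wide; affects every request prepared afterwards. Defaults to true and should only be cleared to work around a broken CA setup.` The new comments also keep the file's `@ brief` spelling with a space, which Doxygen does not recognise as the brief command; the existing initClass comment has the same problem, so fixing all three together would be consistent.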
@@ -210,19 +207,13 @@ namespace LLPumpIO* theClientPump = NULL; } -void LLHTTPClient::setCertVerifyCallback(LLURLRequest::SSLCertVerifyCallback callback) -{ - LLHTTPClient::mCertVerifyCallback = callback; -} - static void request( const std::string& url, LLURLRequest::ERequestAction method, Injector* body_injector, LLCurl::ResponderPtr responder, const F32 timeout = HTTP_REQUEST_EXPIRY_SECS, - const LLSD& headers = LLSD() - ) + const LLSD& headers = LLSD()) { if (!LLHTTPClient::hasPump()) { @@ -232,7 +223,7 @@ static void request( LLPumpIO::chain_t chain; LLURLRequest* req = new LLURLRequest(method, url); - req->setSSLVerifyCallback(LLHTTPClient::getCertVerifyCallback(), (void *)req); + req->checkRootCertificate(LLCurl::getSSLVerify()); lldebugs << LLURLRequest::actionAsVerb(method) << " " << url << " " @@ -427,6 +418,7 @@ static LLSD blocking_request( std::string body_str; // other request method checks root cert first, we skip? + //req->checkRootCertificate(true); // * Set curl handle options curl_easy_setopt(curlp, CURLOPT_NOSIGNAL, 1); // don't use SIGALRM for timeouts diff --git a/indra/llmessage/llhttpclient.h b/indra/llmessage/llhttpclient.h index 8afbc9e0fc..3d0646e5fe 100644 --- a/indra/llmessage/llhttpclient.h +++ b/indra/llmessage/llhttpclient.h @@ -40,8 +40,7 @@ #include <string> #include <boost/intrusive_ptr.hpp> -#include <openssl/x509_vfy.h> -#include "llurlrequest.h" + #include "llassettype.h" #include "llcurl.h" #include "lliopipe.h" @@ -62,7 +61,6 @@ public: typedef LLCurl::Responder Responder; typedef LLCurl::ResponderPtr ResponderPtr; - /** @name non-blocking API */ //@{ static void head( 
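Review bot: The non-blocking path now applies `LLCurl::getSSLVerify()` through checkRootCertificate, but blocking_request only gains a commented-out `//req->checkRootCertificate(true);` under a comment that still asks "we skip?", so the two request paths no longer follow one verification policy and the question is left open in the code. The blocking path drives a raw handle, so unless curlp is configured further down in blocking_request (the rest of the function is outside the hunk) it runs on libcurl's defaults rather than on the flag the rest of this commit introduces. Either set it explicitly, `curl_easy_setopt(curlp, CURLOPT_SSL_VERIFYPEER, LLCurl::getSSLVerify() ? 1L : 0L);` and `curl_easy_setopt(curlp, CURLOPT_SSL_VERIFYHOST, LLCurl::getSSLVerify() ? 2L : 0L);`, or replace the commented line with a comment stating that blocking requests deliberately keep libcurl's default verification.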
@@ -157,12 +155,7 @@ public: static void setPump(LLPumpIO& pump); ///< must be called before any of the above calls are made static bool hasPump(); - - static void setCertVerifyCallback(LLURLRequest::SSLCertVerifyCallback callback); - static LLURLRequest::SSLCertVerifyCallback getCertVerifyCallback() { return mCertVerifyCallback; } - -protected: - static LLURLRequest::SSLCertVerifyCallback mCertVerifyCallback; + ///< for testing }; #endif // LL_LLHTTPCLIENT_H diff --git a/indra/llmessage/llurlrequest.cpp b/indra/llmessage/llurlrequest.cpp index 1e76d10828..4e7ceff984 100644 --- a/indra/llmessage/llurlrequest.cpp +++ b/indra/llmessage/llurlrequest.cpp @@ -36,8 +36,7 @@ #include "llurlrequest.h" #include <algorithm> -#include <openssl/x509_vfy.h> -#include <openssl/ssl.h> + #include "llcurl.h" #include "llioutil.h" #include "llmemtype.h" @@ -57,8 +56,6 @@ const std::string CONTEXT_TRANSFERED_BYTES("transfered_bytes"); static size_t headerCallback(void* data, size_t size, size_t nmemb, void* user); - - /** * class LLURLRequestDetail */ @@ -75,7 +72,6 @@ public: U32 mBodyLimit; S32 mByteAccumulator; bool mIsBodyLimitSet; - LLURLRequest::SSLCertVerifyCallback mSSLVerifyCallback; }; LLURLRequestDetail::LLURLRequestDetail() : @@ -84,8 +80,7 @@ LLURLRequestDetail::LLURLRequestDetail() : mLastRead(NULL), mBodyLimit(0), mByteAccumulator(0), - mIsBodyLimitSet(false), - mSSLVerifyCallback(NULL) + mIsBodyLimitSet(false) { LLMemType m1(LLMemType::MTYPE_IO_URL_REQUEST); mCurlRequest = new LLCurlEasyRequest(); 
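Review bot: The added `///< for testing` line in llhttpclient.h no longer follows a declaration: the members it presumably annotated (setCertVerifyCallback/getCertVerifyCallback and mCertVerifyCallback) are removed in the same hunk, so the trailing doc comment now sits on a line of its own between hasPump() and the closing brace and attaches to nothing. Either drop the line or, if it was meant for hasPump(), move it onto that declaration: `static bool hasPump(); ///< for testing`.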
@@ -99,36 +94,6 @@ LLURLRequestDetail::~LLURLRequestDetail() mLastRead = NULL; } -void LLURLRequest::setSSLVerifyCallback(SSLCertVerifyCallback callback, void *param) -{ - mDetail->mSSLVerifyCallback = callback; - mDetail->mCurlRequest->setSSLCtxCallback(LLURLRequest::_sslCtxCallback, (void *)this); - mDetail->mCurlRequest->setopt(CURLOPT_SSL_VERIFYPEER, true); - mDetail->mCurlRequest->setopt(CURLOPT_SSL_VERIFYHOST, 2); -} - - -// _sslCtxFunction -// Callback function called when an SSL Context is created via CURL -// used to configure the context for custom cert validation - -CURLcode LLURLRequest::_sslCtxCallback(CURL * curl, void *sslctx, void *param) -{ - LLURLRequest *req = (LLURLRequest *)param; - if(req == NULL || req->mDetail->mSSLVerifyCallback == NULL) - { - SSL_CTX_set_cert_verify_callback((SSL_CTX *)sslctx, NULL, NULL); - return CURLE_OK; - } - SSL_CTX * ctx = (SSL_CTX *) sslctx; - // disable any default verification for server certs - SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); - // set the verification callback. - SSL_CTX_set_cert_verify_callback(ctx, req->mDetail->mSSLVerifyCallback, (void *)req); - // the calls are void - return CURLE_OK; - -} /** * class LLURLRequest @@ -183,11 +148,6 @@ void LLURLRequest::setURL(const std::string& url) mDetail->mURL = url; } -std::string LLURLRequest::getURL() const -{ - return mDetail->mURL; -} - void LLURLRequest::addHeader(const char* header) { LLMemType m1(LLMemType::MTYPE_IO_URL_REQUEST); @@ -200,6 +160,13 @@ void LLURLRequest::setBodyLimit(U32 size) mDetail->mIsBodyLimitSet = true; } +void LLURLRequest::checkRootCertificate(bool check) +{ + mDetail->mCurlRequest->setopt(CURLOPT_SSL_VERIFYPEER, (check? TRUE : FALSE)); + mDetail->mCurlRequest->setopt(CURLOPT_SSL_VERIFYHOST, (check? 2 : 0)); + mDetail->mCurlRequest->setoptString(CURLOPT_ENCODING, ""); +} + void LLURLRequest::setCallback(LLURLRequestComplete* callback) { LLMemType m1(LLMemType::MTYPE_IO_URL_REQUEST); 
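Review bot: checkRootCertificate does more than its name and header comment promise: besides CURLOPT_SSL_VERIFYPEER it sets CURLOPT_SSL_VERIFYHOST, and it also sets `CURLOPT_ENCODING` to "", which turns on content decoding and has nothing to do with certificate checking. A caller passing check=false to work around a CA problem will not expect the transfer encoding to change as a side effect, and a request that never calls this method gets neither setting. Move the encoding line into the constructor or a separate accessor, and document what the two remaining options do: `// VERIFYPEER validates the chain against the CA bundle; VERIFYHOST=2 additionally requires the cert to match the URL's host name; check=false disables both.`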
diff --git a/indra/llmessage/llurlrequest.h b/indra/llmessage/llurlrequest.h index 69fd22e592..cb3c466440 100644 --- a/indra/llmessage/llurlrequest.h +++ b/indra/llmessage/llurlrequest.h @@ -44,8 +44,6 @@ #include "lliopipe.h" #include "llchainio.h" #include "llerror.h" -#include <openssl/x509_vfy.h> -#include "llcurl.h" extern const std::string CONTEXT_REQUEST; @@ -74,8 +72,6 @@ class LLURLRequest : public LLIOPipe { LOG_CLASS(LLURLRequest); public: - - typedef int (* SSLCertVerifyCallback)(X509_STORE_CTX *ctx, void *param); /** * @brief This enumeration is for specifying the type of request. */ @@ -129,7 +125,7 @@ public: * */ void setURL(const std::string& url); - std::string getURL() const; + /** * @brief Add a header to the http post. * @@ -147,9 +143,8 @@ public: * Set whether request will check that remote server * certificates are signed by a known root CA when using HTTPS. */ - void setSSLVerifyCallback(SSLCertVerifyCallback callback, void * param); + void checkRootCertificate(bool check); - /** * @brief Return at most size bytes of body. * @@ -194,7 +189,6 @@ public: * @brief Give this pipe a chance to handle a generated error */ virtual EStatus handleError(EStatus status, LLPumpIO* pump); - protected: /** @@ -223,8 +217,6 @@ protected: S32 mRequestTransferedBytes; S32 mResponseTransferedBytes; - static CURLcode _sslCtxCallback(CURL * curl, void *sslctx, void *param); - private: /** * @brief Initialize the object. Called during construction. 
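Review bot: The doc comment kept above checkRootCertificate says the request will check that certificates "are signed by a known root CA", but the implementation in llurlrequest.cpp also enables CURLOPT_SSL_VERIFYHOST, i.e. the certificate must match the URL's host name, and a false argument disables both checks. The comment should say so, since host-name matching is the half that stops a valid certificate for a different host from being accepted: `Set whether this request verifies the HTTPS server certificate: chain validation against the known root CAs and host-name matching. Passing false disables both.` Removing getURL() in the hunk above is unrelated to the SSL change and would be clearer as its own commit.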
@@ -372,6 +364,62 @@ protected: }; +/** + * @class LLURLRequestClientFactory + * @brief Template class to build url request based client chains + * + * This class eases construction of a basic sd rpc client. Here is an + * example of it's use: + * <code> + * class LLUsefulService : public LLService { ... }<br> + * LLService::registerCreator(<br> + * "useful",<br> + * LLService::creator_t(new LLURLRequestClientFactory<LLUsefulService>))<br> + * </code> + * + * This class should work, but I never got around to using/testing it. + * + */ +#if 0 +template<class Client> +class LLURLRequestClientFactory : public LLChainIOFactory +{ +public: + LLURLRequestClientFactory(LLURLRequest::ERequestAction action) {} + LLURLRequestClientFactory( + LLURLRequest::ERequestAction action, + const std::string& fixed_url) : + mAction(action), + mURL(fixed_url) + { + } + virtual bool build(LLPumpIO::chain_t& chain, LLSD context) const + { + lldebugs << "LLURLRequestClientFactory::build" << llendl; + LLIOPipe::ptr_t service(new Client); + chain.push_back(service); + LLURLRequest* http(new LLURLRequest(mAction)); + LLIOPipe::ptr_t http_pipe(http); + // *FIX: how do we know the content type? + //http->addHeader("Content-Type: text/llsd"); + if(mURL.empty()) + { + chain.push_back(LLIOPipe::ptr_t(new LLContextURLExtractor(http))); + } + else + { + http->setURL(mURL); + } + chain.push_back(http_pipe); + chain.push_back(service); + return true; + } + +protected: + LLURLRequest::ERequestAction mAction; + std::string mURL; +}; +#endif /** * External constants |
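Review bot: The new LLURLRequestClientFactory template is added wrapped in `#if 0`, with its own comment admitting it was never used or tested, so the hunk lands about fifty lines of dead code that the compiler will never check and that will rot as LLURLRequest changes. Dead code belongs in version-control history or a branch, not in a header. If it is kept, the one-argument constructor `LLURLRequestClientFactory(LLURLRequest::ERequestAction action) {}` ignores its argument and leaves mAction uninitialised, and build() pushes the same `service` pipe onto the chain twice, which may be intentional but deserves a comment; both need attention before the block is ever enabled.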