Diffstat (limited to 'indra/newview/llsechandler_basic.cpp')
-rw-r--r-- | indra/newview/llsechandler_basic.cpp | 98 |
1 files changed, 58 insertions, 40 deletions
diff --git a/indra/newview/llsechandler_basic.cpp b/indra/newview/llsechandler_basic.cpp index d6fb801cc0..bf7faff13a 100644 --- a/indra/newview/llsechandler_basic.cpp +++ b/indra/newview/llsechandler_basic.cpp @@ -588,8 +588,7 @@ LLPointer<LLCertificate> LLBasicCertificateVector::erase(iterator _iter) // // LLBasicCertificateStore // This class represents a store of CA certificates. The basic implementation -// uses a pem file such as the legacy CA.pem stored in the existing -// SL implementation. +// uses a crt file such as the ca-bundle.crt in the existing SL implementation. LLBasicCertificateStore::LLBasicCertificateStore(const std::string& filename) { mFilename = filename; 
@@ -598,39 +597,51 @@ LLBasicCertificateStore::LLBasicCertificateStore(const std::string& filename) void LLBasicCertificateStore::load_from_file(const std::string& filename) { + int loaded = 0; + // scan the PEM file extracting each certificate - if (!LLFile::isfile(filename)) - { - return; - } - - BIO* file_bio = BIO_new(BIO_s_file()); - if(file_bio) - { - if (BIO_read_filename(file_bio, filename.c_str()) > 0) - { - X509 *cert_x509 = NULL; - while((PEM_read_bio_X509(file_bio, &cert_x509, 0, NULL)) && - (cert_x509 != NULL)) - { - try - { - add(new LLBasicCertificate(cert_x509)); - } - catch (...) - { + if (LLFile::isfile(filename)) + { + BIO* file_bio = BIO_new(BIO_s_file()); + if(file_bio) + { + if (BIO_read_filename(file_bio, filename.c_str()) > 0) + { + X509 *cert_x509 = NULL; + while((PEM_read_bio_X509(file_bio, &cert_x509, 0, NULL)) && + (cert_x509 != NULL)) + { + try + { + add(new LLBasicCertificate(cert_x509)); + loaded++; + } + catch (...) + { LOG_UNHANDLED_EXCEPTION("creating certificate from the certificate store file"); - } - X509_free(cert_x509); - cert_x509 = NULL; - } - BIO_free(file_bio); - } - } - else - { - LL_WARNS("SECAPI") << "Could not allocate a file BIO" << LL_ENDL; - } + } + X509_free(cert_x509); + cert_x509 = NULL; + } + BIO_free(file_bio); + } + else + { + LL_WARNS("SECAPI") << "BIO read failed for " << filename << LL_ENDL; + } + + LL_INFOS("SECAPI") << "loaded " << loaded << " certificates from " << filename << LL_ENDL; + } + else + { + LL_WARNS("SECAPI") << "Could not allocate a file BIO" << LL_ENDL; + } + } + else + { + // since the user certificate store may not be there, this is not a warning + LL_INFOS("SECAPI") << "Certificate store not found at " << filename << LL_ENDL; + } } 
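Review bot: In load_from_file the `BIO_free(file_bio);` call sits inside the `BIO_read_filename(...) > 0` branch, so the new `else` branch that logs "BIO read failed" leaves the function with the BIO still allocated. Moving `BIO_free(file_bio);` to just after that if/else, next to the new "loaded N certificates" line, releases it on both paths. The read loop also stops at the first entry `PEM_read_bio_X509` cannot parse, so the logged count cannot distinguish a complete bundle from a truncated one. A comment such as `// loop ends at EOF or at the first unparsable entry; a low count may mean a damaged bundle` would make that visible to whoever reads the log.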
@@ -666,7 +677,7 @@ void LLBasicCertificateStore::save() // return the store id std::string LLBasicCertificateStore::storeId() const { - // this is the basic handler which uses the CA.pem store, + // this is the basic handler which uses the ca-bundle.crt store, // so we ignore this. return std::string(""); } @@ -1016,7 +1027,11 @@ void LLBasicCertificateStore::validate(int validation_policy, const LLSD& validation_params) { // If --no-verify-ssl-cert was passed on the command line, stop right now. - if (gSavedSettings.getBOOL("NoVerifySSLCert")) return; + if (gSavedSettings.getBOOL("NoVerifySSLCert")) + { + LL_WARNS_ONCE("SECAPI") << "All Certificate validation disabled; viewer operation is insecure" << LL_ENDL; + return; + } if(cert_chain->size() < 1) { @@ -1064,7 +1079,6 @@ void LLBasicCertificateStore::validate(int validation_policy, t_cert_cache::iterator cache_entry = mTrustedCertCache.find(sha1_hash); if(cache_entry != mTrustedCertCache.end()) { - LL_DEBUGS("SECAPI") << "Found cert in cache" << LL_ENDL; // this cert is in the cache, so validate the time. if (validation_policy & VALIDATION_POLICY_TIME) { @@ -1081,6 +1095,7 @@ void LLBasicCertificateStore::validate(int validation_policy, } } // successfully found in cache + LL_DEBUGS("SECAPI") << "Valid cert for " << validation_params[CERT_HOSTNAME].asString() << " found in cache" << LL_ENDL; return; } if(current_cert_info.isUndefined()) @@ -1125,6 +1140,7 @@ void LLBasicCertificateStore::validate(int validation_policy, if(found_store_cert != end()) { mTrustedCertCache[sha1_hash] = std::pair<LLDate, LLDate>(from_time, to_time); + LL_DEBUGS("SECAPI") << "Valid cert for " << validation_params[CERT_HOSTNAME].asString() << " found in cert store" << LL_ENDL; return; } 
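Review bot: The new "Valid cert for ..." debug lines (cache hit at -1081, store match at -1125, and the CA match in the later -1162 hunk) read `validation_params[CERT_HOSTNAME]` unconditionally, and nothing visible in these hunks shows that the key is present or that a hostname check ran on that path. The cache-hit branch shown here tests only `VALIDATION_POLICY_TIME` before returning, so the wording reads as a stronger verdict than the visible code establishes. Consider printing the name only when `validation_params.has(CERT_HOSTNAME)` is true, and wording the message as `"Cert chain accepted from cache"` with the hostname as an optional suffix. validate() begins and ends outside these hunks, so an earlier hostname check may exist that is not shown.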
@@ -1162,6 +1178,7 @@ void LLBasicCertificateStore::validate(int validation_policy, } // successfully validated. mTrustedCertCache[sha1_hash] = std::pair<LLDate, LLDate>(from_time, to_time); + LL_DEBUGS("SECAPI") << "Valid CA cert for " << validation_params[CERT_HOSTNAME].asString() << " found in cert store" << LL_ENDL; return; } previous_cert = (*current_cert); @@ -1178,6 +1195,7 @@ void LLBasicCertificateStore::validate(int validation_policy, LLTHROW(LLCertValidationTrustException((*cert_chain)[cert_chain->size()-1])); } + LL_DEBUGS("SECAPI") << "Valid ? cert for " << validation_params[CERT_HOSTNAME].asString() << " found in cert store" << LL_ENDL; mTrustedCertCache[sha1_hash] = std::pair<LLDate, LLDate>(from_time, to_time); } @@ -1216,13 +1234,13 @@ void LLSecAPIBasicHandler::init() "CA.pem"); - LL_DEBUGS("SECAPI") << "Loading certificate store from " << store_file << LL_ENDL; + LL_INFOS("SECAPI") << "Loading user certificate store from " << store_file << LL_ENDL; mStore = new LLBasicCertificateStore(store_file); - // grab the application CA.pem file that contains the well-known certs shipped + // grab the application ca-bundle.crt file that contains the well-known certs shipped // with the product - std::string ca_file_path = gDirUtilp->getExpandedFilename(LL_PATH_APP_SETTINGS, "CA.pem"); - LL_INFOS() << "app path " << ca_file_path << LL_ENDL; + std::string ca_file_path = gDirUtilp->getExpandedFilename(LL_PATH_APP_SETTINGS, "ca-bundle.crt"); + LL_INFOS("SECAPI") << "Loading application certificate store from " << ca_file_path << LL_ENDL; LLPointer<LLBasicCertificateStore> app_ca_store = new LLBasicCertificateStore(ca_file_path); // push the applicate CA files into the store, therefore adding any new CA certs that |
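Review bot: The message added in the -1178 hunk, `"Valid ? cert for " ... " found in cert store"`, looks like a leftover placeholder, and its claim does not match its position. It sits after the `LLTHROW(LLCertValidationTrustException(...))` block, which appears to be the fall-through where no store certificate matched and the trust policy did not require one. The chain is then written to `mTrustedCertCache`, and the cache-hit branch in an earlier hunk returns after a time check only, so this is the path an auditor most needs to tell apart in the log. A wording like `"Cert chain for " << host << " accepted without a trusted store match; caching"` would say what happened. The enclosing condition is outside the hunk, so confirm the reading before rewording.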
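Review bot: In init() (the -1216 hunk) the application bundle `ca-bundle.crt` is loaded through the same `LLBasicCertificateStore` constructor as the optional user store, so a missing or unreadable bundle is reported only by load_from_file's `LL_INFOS` "Certificate store not found" line, which that function's comment justifies for the user store alone. For the shipped trust anchors an absent or empty bundle deserves a warning. After constructing `app_ca_store`, check that it holds at least one certificate and emit `LL_WARNS("SECAPI")` naming `ca_file_path` when it does not. Note also that the user store above is still opened as "CA.pem" while the comments now refer to ca-bundle.crt; a one-line comment saying the user file name is intentionally unchanged would prevent confusion. init() continues outside the hunk.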