From 645393c5e976a9a6164453bf7df588ec745f04c5 Mon Sep 17 00:00:00 2001
From: Andrey Lihatskiy
Date: Fri, 4 Sep 2020 17:34:57 +0300
Subject: SL-13910 Added the TLS Web Server Authentication certificate check
---
 indra/newview/llsecapi.h | 1 +
 indra/newview/llsechandler_basic.cpp | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/indra/newview/llsecapi.h b/indra/newview/llsecapi.h
index 69b6b32923..c2fdbeb8e9 100644
--- a/indra/newview/llsecapi.h
+++ b/indra/newview/llsecapi.h
@@ -75,6 +75,7 @@
 #define CERT_EXTENDED_KEY_USAGE "extendedKeyUsage"
 #define CERT_EKU_SERVER_AUTH SN_server_auth
+#define CERT_EKU_TLS_SERVER_AUTH LN_server_auth
 #define CERT_SUBJECT_KEY_IDENTFIER "subjectKeyIdentifier"
 #define CERT_AUTHORITY_KEY_IDENTIFIER "authorityKeyIdentifier"
diff --git a/indra/newview/llsechandler_basic.cpp b/indra/newview/llsechandler_basic.cpp
index 55e49100c3..109a2133b8 100644
--- a/indra/newview/llsechandler_basic.cpp
+++ b/indra/newview/llsechandler_basic.cpp
@@ -925,8 +925,11 @@ void _validateCert(int validation_policy,
 }
 // only validate EKU if the cert has it
 if(current_cert_info.has(CERT_EXTENDED_KEY_USAGE) && current_cert_info[CERT_EXTENDED_KEY_USAGE].isArray() &&
- (!_LLSDArrayIncludesValue(current_cert_info[CERT_EXTENDED_KEY_USAGE],
- LLSD((std::string)CERT_EKU_SERVER_AUTH))))
+ ( (!_LLSDArrayIncludesValue(current_cert_info[CERT_EXTENDED_KEY_USAGE],
+ LLSD((std::string)CERT_EKU_SERVER_AUTH)))
+ || (!_LLSDArrayIncludesValue(current_cert_info[CERT_EXTENDED_KEY_USAGE],
+ LLSD((std::string)CERT_EKU_TLS_SERVER_AUTH)))
+ ))
 {
 LLTHROW(LLCertKeyUsageValidationException(current_cert_info));
 }
-- cgit v1.2.3
From 786de05651f25d42aacc92c4905375bf1fbd6562 Mon Sep 17 00:00:00 2001
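Review bot: The new EKU condition in the `_validateCert` hunk joins the two negated lookups with `||`, so `LLCertKeyUsageValidationException` is thrown whenever either `CERT_EKU_SERVER_AUTH` or `CERT_EKU_TLS_SERVER_AUTH` is absent, and a certificate passes only if its extendedKeyUsage array holds both strings. If the intent is to accept either name for the server-auth usage, the operator between the two lookups should be `&&`, i.e. `&& (!_LLSDArrayIncludesValue(current_cert_info[CERT_EXTENDED_KEY_USAGE],` in place of the `||` line. As written the check fails closed (valid server certificates rejected) rather than open, but which name the certificate parser actually stores is outside this hunk and should be confirmed before choosing the fix. A one-line comment on the new macro in llsecapi.h, such as `// OpenSSL long name; CERT_EKU_SERVER_AUTH is the short name of the same usage`, would make the reason for the second comparison clear. The body of `_validateCert` starts and ends outside the hunk.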
From: Andrey Lihatskiy
Date: Sat, 5 Sep 2020 00:20:49 +0300
Subject: SL-13910 Moved the LLCertException constructor to .cpp
---
 indra/newview/llsecapi.cpp | 7 +++++++
 indra/newview/llsecapi.h | 6 +-----
 indra/newview/tests/llsechandler_basic_test.cpp | 8 ++++++++
 3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/indra/newview/llsecapi.cpp b/indra/newview/llsecapi.cpp
index 10e510b842..26a2df8270 100644
--- a/indra/newview/llsecapi.cpp
+++ b/indra/newview/llsecapi.cpp
@@ -154,3 +154,10 @@ void LLCredential::authenticatorType(std::string &idType)
 }
 }
+
+LLCertException::LLCertException(const LLSD& cert_data, const std::string& msg)
+ : LLException(msg),
+ mCertData(cert_data)
+{
+ LL_WARNS("SECAPI") << "Certificate Error: " << msg << LL_ENDL;
+}
diff --git a/indra/newview/llsecapi.h b/indra/newview/llsecapi.h
index c2fdbeb8e9..9c9c16d5d7 100644
--- a/indra/newview/llsecapi.h
+++ b/indra/newview/llsecapi.h
@@ -335,11 +335,7 @@ std::ostream& operator <<(std::ostream& s, const LLCredential& cred);
 class LLCertException: public LLException
 {
 public:
- LLCertException(const LLSD& cert_data, const std::string& msg): LLException(msg),
- mCertData(cert_data)
- {
- LL_WARNS("SECAPI") << "Certificate Error: " << msg << LL_ENDL;
- }
+ LLCertException(const LLSD& cert_data, const std::string& msg);
 virtual ~LLCertException() throw() {}
 LLSD getCertData() const { return mCertData; }
 protected:
diff --git a/indra/newview/tests/llsechandler_basic_test.cpp b/indra/newview/tests/llsechandler_basic_test.cpp
index 63967fae37..e5d226a2a4 100644
--- a/indra/newview/tests/llsechandler_basic_test.cpp
+++ b/indra/newview/tests/llsechandler_basic_test.cpp
@@ -124,6 +124,14 @@ S32 LLMachineID::getUniqueID(unsigned char *unique_id, size_t len)
 S32 LLMachineID::init() { return 1; }
+LLCertException::LLCertException(const LLSD& cert_data, const std::string& msg)
+ : LLException(msg),
+ mCertData(cert_data)
+{
+ LL_WARNS("SECAPI") << "Certificate Error: " << msg << LL_ENDL;
+}
+
+
 // -------------------------------------------------------------------------------------------
 // TUT
 // -------------------------------------------------------------------------------------------
-- cgit v1.2.3
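Review bot: The constructor body added to the test file is a line-for-line copy of the one this commit moves into llsecapi.cpp, so the test binary runs its own definition and the two can drift without any build error. It would also become a duplicate-symbol link failure if llsecapi.cpp were ever added to this test's sources. A comment above the stub would make that explicit, for example `// Test stub: llsecapi.cpp is not linked into this test; keep in sync with the constructor defined there.` (that the file is not linked is inferred from the need for the stub). Separately, neither commit shown here adds a test for the changed EKU branch in `_validateCert`; a case with a certificate carrying only one of the two server-auth strings would pin the intended accept/reject behaviour.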