From df7e5dd1dc491e6f2a8bcff44d75f8e2113b8b6f Mon Sep 17 00:00:00 2001 From: Nat Goodspeed Date: Wed, 20 Jan 2010 15:48:13 -0500 Subject: DEV-35248: Allow NoVerifySSLCert to uniformly disable verification Introduce static LLCurl SSL verification flag, default 'true', accessed by LLCurl::setSSLVerify() and getSSLVerify(). Make LLCurl::Easy::prepRequest() check LLCurl::getSSLVerify() instead of unconditionally setting CURLOPT_SSL_VERIFYPEER 'true'. Also set CURLOPT_SSL_VERIFYHOST to match. Make LLXMLRPCTransaction::Impl::init() examine LLCurl::getSSLVerify(), instead of directly examining gSavedSettings.getBOOL("NoVerifySSLCert"). Make LLURLRequest::checkRootCertificate() set CURLOPT_SSL_VERIFYHOST as well as CURLOPT_SSL_VERIFYPEER. Make request() in llhttpclient.cpp (used by LLHTTPClient::getByteRange(), head(), get(), getHeaderOnly(), put(), post(), postRaw(), postFile(), del(), move()) pass LLCurl::getSSLVerify() to checkRootCertificate(), rather than constant 'true'. Make LLAppViewer::mainLoop() call LLCurl::setSSLVerify(! gSavedSettings.getBOOL("NoVerifySSLCert")) at the same time it calls LLCurl::setCAFile(), a comparable bit of static setup. --- indra/llmessage/llcurl.cpp | 20 ++++++++++++++++++-- indra/llmessage/llcurl.h | 11 +++++++++++ indra/llmessage/llhttpclient.cpp | 2 +- indra/llmessage/llurlrequest.cpp | 1 + 4 files changed, 31 insertions(+), 3 deletions(-) (limited to 'indra/llmessage') diff --git a/indra/llmessage/llcurl.cpp b/indra/llmessage/llcurl.cpp index dc02367a62..024e17a777 100644 --- a/indra/llmessage/llcurl.cpp +++ b/indra/llmessage/llcurl.cpp @@ -89,6 +89,10 @@ S32 gCurlMultiCount = 0; std::vector LLCurl::sSSLMutex; std::string LLCurl::sCAPath; std::string LLCurl::sCAFile; +// Verify SSL certificates by default (matches libcurl default). The ability +// to alter this flag is only to allow us to suppress verification if it's +// broken for some reason. +bool LLCurl::sSSLVerify = true; //static void LLCurl::setCAPath(const std::string& path) @@ -102,6 +106,18 @@ void LLCurl::setCAFile(const std::string& file) sCAFile = file; } +//static +void LLCurl::setSSLVerify(bool verify) +{ + sSSLVerify = verify; +} + +//static +bool LLCurl::getSSLVerify() +{ + return sSSLVerify; +} + //static std::string LLCurl::getVersionString() { @@ -465,7 +481,8 @@ void LLCurl::Easy::prepRequest(const std::string& url, setErrorBuffer(); setCA(); - setopt(CURLOPT_SSL_VERIFYPEER, true); + setopt(CURLOPT_SSL_VERIFYPEER, LLCurl::getSSLVerify()); + setopt(CURLOPT_SSL_VERIFYHOST, LLCurl::getSSLVerify()? 2 : 0); setopt(CURLOPT_TIMEOUT, CURL_REQUEST_TIMEOUT); setoptString(CURLOPT_URL, url); @@ -1044,4 +1061,3 @@ void LLCurl::cleanupClass() #endif curl_global_cleanup(); } - diff --git a/indra/llmessage/llcurl.h b/indra/llmessage/llcurl.h index 1bc1767966..caf02cccd9 100644 --- a/indra/llmessage/llcurl.h +++ b/indra/llmessage/llcurl.h @@ -157,6 +157,16 @@ public: */ static const std::string& getCAPath() { return sCAPath; } + /** + * @ brief Set flag controlling whether to verify HTTPS certs. + */ + static void setSSLVerify(bool verify); + + /** + * @ brief Get flag controlling whether to verify HTTPS certs. + */ + static bool getSSLVerify(); + /** * @ brief Initialize LLCurl class */ @@ -182,6 +192,7 @@ public: private: static std::string sCAPath; static std::string sCAFile; + static bool sSSLVerify; }; namespace boost diff --git a/indra/llmessage/llhttpclient.cpp b/indra/llmessage/llhttpclient.cpp index 12ecbb36eb..dd56e18caf 100644 --- a/indra/llmessage/llhttpclient.cpp +++ b/indra/llmessage/llhttpclient.cpp @@ -222,7 +222,7 @@ static void request( LLPumpIO::chain_t chain; LLURLRequest* req = new LLURLRequest(method, url); - req->checkRootCertificate(true); + req->checkRootCertificate(LLCurl::getSSLVerify()); lldebugs << LLURLRequest::actionAsVerb(method) << " " << url << " " diff --git a/indra/llmessage/llurlrequest.cpp b/indra/llmessage/llurlrequest.cpp index 81b7761ed5..4e7ceff984 100644 --- a/indra/llmessage/llurlrequest.cpp +++ b/indra/llmessage/llurlrequest.cpp @@ -163,6 +163,7 @@ void LLURLRequest::setBodyLimit(U32 size) void LLURLRequest::checkRootCertificate(bool check) { mDetail->mCurlRequest->setopt(CURLOPT_SSL_VERIFYPEER, (check? TRUE : FALSE)); + mDetail->mCurlRequest->setopt(CURLOPT_SSL_VERIFYHOST, (check? 2 : 0)); mDetail->mCurlRequest->setoptString(CURLOPT_ENCODING, ""); } -- cgit v1.2.3 From c69ee5ced1ba3b8e96a08e2f0344eedd971ef3c1 Mon Sep 17 00:00:00 2001 From: Tofu Linden Date: Wed, 27 Jan 2010 13:18:49 -0800 Subject: CID-100 Checker: INVALIDATE_ITERATOR Function: buildBlock(unsigned char *, int, const LLMessageBlock *, LLMsgData *) File: /indra/llmessage/lltemplatemessagebuilder.cpp --- indra/llmessage/lltemplatemessagebuilder.cpp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'indra/llmessage') diff --git a/indra/llmessage/lltemplatemessagebuilder.cpp b/indra/llmessage/lltemplatemessagebuilder.cpp index 6400310c46..55379fc6fd 100644 --- a/indra/llmessage/lltemplatemessagebuilder.cpp +++ b/indra/llmessage/lltemplatemessagebuilder.cpp @@ -737,10 +737,14 @@ static S32 buildBlock(U8* buffer, S32 buffer_size, const LLMessageBlock* templat } --block_count; - ++block_iter; + if (block_iter != message_data->mMemberBlocks.end()) { - mbci = block_iter->second; + ++block_iter; + if (block_iter != message_data->mMemberBlocks.end()) + { + mbci = block_iter->second; + } } } -- cgit v1.2.3 From e67d2bb5556adbccedc9e75443f7ac873c8d8259 Mon Sep 17 00:00:00 2001 From: Tofu Linden Date: Wed, 27 Jan 2010 13:37:45 -0800 Subject: CID-110 Checker: MISSING_BREAK Function: LLTransferSourceChannel::updateTransfers() File: /indra/llmessage/lltransfermanager.cpp not a bug, commented. --- indra/llmessage/lltransfermanager.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'indra/llmessage') diff --git a/indra/llmessage/lltransfermanager.cpp b/indra/llmessage/lltransfermanager.cpp index d67911e8e2..0a71ad95f2 100644 --- a/indra/llmessage/lltransfermanager.cpp +++ b/indra/llmessage/lltransfermanager.cpp @@ -855,6 +855,7 @@ void LLTransferSourceChannel::updateTransfers() break; case LLTS_ERROR: llwarns << "Error in transfer dataCallback!" << llendl; + // fall through case LLTS_DONE: // We need to clean up this transfer source. //llinfos << "LLTransferSourceChannel::updateTransfers() " << tsp->getID() << " done" << llendl; -- cgit v1.2.3 From 4421a51cfeb43b3be6de520acb9f94052fc7e2df Mon Sep 17 00:00:00 2001 From: Tofu Linden Date: Wed, 27 Jan 2010 13:39:59 -0800 Subject: CID-109 Checker: MISSING_BREAK Function: operator <<(std::basic_ostream>&, const LLNameValue &) File: /indra/llmessage/llnamevalue.cpp --- indra/llmessage/llnamevalue.cpp | 1 + 1 file changed, 1 insertion(+) (limited to 'indra/llmessage') diff --git a/indra/llmessage/llnamevalue.cpp b/indra/llmessage/llnamevalue.cpp index 01e922eba2..43429b0ab3 100644 --- a/indra/llmessage/llnamevalue.cpp +++ b/indra/llmessage/llnamevalue.cpp @@ -963,6 +963,7 @@ std::ostream& operator<<(std::ostream& s, const LLNameValue &a) U64_to_str(*a.mNameValueReference.u64, u64_string, sizeof(u64_string)); s << u64_string; } + break; case NVT_VEC3: s << *(a.mNameValueReference.vec3); break; -- cgit v1.2.3 From c5abe04923c8968c38fbca67182d7e3fbd0723d9 Mon Sep 17 00:00:00 2001 From: Tofu Linden Date: Wed, 27 Jan 2010 15:07:04 -0800 Subject: CID-188 Checker: RESOURCE_LEAK Function: LLTemplateParser::LLTemplateParser(LLTemplateTokenizer &) File: /indra/llmessage/llmessagetemplateparser.cpp --- indra/llmessage/llmessagetemplateparser.cpp | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'indra/llmessage') diff --git a/indra/llmessage/llmessagetemplateparser.cpp b/indra/llmessage/llmessagetemplateparser.cpp index 283547ea00..2ddbf3e0df 100644 --- a/indra/llmessage/llmessagetemplateparser.cpp +++ b/indra/llmessage/llmessagetemplateparser.cpp @@ -403,6 +403,10 @@ LLTemplateParser::LLTemplateParser(LLTemplateTokenizer & tokens): { mMessages.push_back(templatep); } + else + { + delete templatep; + } } if(!tokens.wantEOF()) -- cgit v1.2.3 From b3c1d0dc07a16b47626968ae55b5e6a725d8d722 Mon Sep 17 00:00:00 2001 From: Tofu Linden Date: Wed, 27 Jan 2010 15:59:56 -0800 Subject: CID-254 Checker: UNINIT Function: LLCacheName::Impl::processUUIDRequest(LLMessageSystem *, bool) File: /indra/llmessage/llcachename.cpp --- indra/llmessage/llcachename.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'indra/llmessage') diff --git a/indra/llmessage/llcachename.cpp b/indra/llmessage/llcachename.cpp index 3078d80552..dbec2816c8 100644 --- a/indra/llmessage/llcachename.cpp +++ b/indra/llmessage/llcachename.cpp @@ -125,7 +125,7 @@ private: }; ReplySender::ReplySender(LLMessageSystem* msg) - : mMsg(msg), mPending(false) + : mMsg(msg), mPending(false), mCurrIsGroup(false) { } ReplySender::~ReplySender() -- cgit v1.2.3