From 4e98602746d513ec82a9264a814a05a23ea22d5b Mon Sep 17 00:00:00 2001
From: Andrey Kleshchev <andreykproductengine@lindenlab.com>
Date: Thu, 5 Mar 2020 13:43:58 +0200
Subject: SL-12421 Don't fail silently, show an error

---
 indra/newview/llsechandler_basic.cpp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'indra/newview/llsechandler_basic.cpp')

diff --git a/indra/newview/llsechandler_basic.cpp b/indra/newview/llsechandler_basic.cpp
index 55e49100c3..8e52480644 100644
--- a/indra/newview/llsechandler_basic.cpp
+++ b/indra/newview/llsechandler_basic.cpp
@@ -78,16 +78,14 @@ LLBasicCertificate::LLBasicCertificate(const std::string& pem_cert,
 	BIO * pem_bio = BIO_new_mem_buf((void*)pem_cert.c_str(), pem_cert.length());
 	if(pem_bio == NULL)
 	{
-		LL_WARNS("SECAPI") << "Could not allocate an openssl memory BIO." << LL_ENDL;
-		LLTHROW(LLInvalidCertificate(LLSD::emptyMap()));
+		LL_ERRS("SECAPI") << "Could not allocate an openssl memory BIO." << LL_ENDL;
 	}
 	mCert = NULL;
 	PEM_read_bio_X509(pem_bio, &mCert, 0, NULL);
 	BIO_free(pem_bio);
 	if (!mCert)
 	{
-		LL_WARNS("SECAPI") << "Could not decode certificate to x509." << LL_ENDL;
-		LLTHROW(LLInvalidCertificate(LLSD::emptyMap()));
+		LL_ERRS("SECAPI") << "Could not decode certificate to x509." << LL_ENDL;
 	}
 }
 
-- 
cgit v1.2.3


From b856745048212175eac19536e40cf563b874f6b4 Mon Sep 17 00:00:00 2001
From: Andrey Kleshchev <andreykproductengine@lindenlab.com>
Date: Fri, 21 Aug 2020 20:14:26 +0300
Subject: SL-13835 SSL verification should not crash on invalid certificate

---
 indra/newview/llsechandler_basic.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'indra/newview/llsechandler_basic.cpp')

diff --git a/indra/newview/llsechandler_basic.cpp b/indra/newview/llsechandler_basic.cpp
index 8e52480644..8a922aee4f 100644
--- a/indra/newview/llsechandler_basic.cpp
+++ b/indra/newview/llsechandler_basic.cpp
@@ -78,14 +78,16 @@ LLBasicCertificate::LLBasicCertificate(const std::string& pem_cert,
 	BIO * pem_bio = BIO_new_mem_buf((void*)pem_cert.c_str(), pem_cert.length());
 	if(pem_bio == NULL)
 	{
-		LL_ERRS("SECAPI") << "Could not allocate an openssl memory BIO." << LL_ENDL;
+        LL_WARNS("SECAPI") << "Could not allocate an openssl memory BIO." << LL_ENDL;
+        LLTHROW(LLAllocationCertException(LLSD::emptyMap()));
 	}
 	mCert = NULL;
 	PEM_read_bio_X509(pem_bio, &mCert, 0, NULL);
 	BIO_free(pem_bio);
 	if (!mCert)
 	{
-		LL_ERRS("SECAPI") << "Could not decode certificate to x509." << LL_ENDL;
+        LL_WARNS("SECAPI") << "Could not decode certificate to x509." << LL_ENDL;
+        LLTHROW(LLInvalidCertificate(LLSD::emptyMap()));
 	}
 }
 
-- 
cgit v1.2.3


From 645393c5e976a9a6164453bf7df588ec745f04c5 Mon Sep 17 00:00:00 2001
From: Andrey Lihatskiy <alihatskiy@productengine.com>
Date: Fri, 4 Sep 2020 17:34:57 +0300
Subject: SL-13910 Added the TLS Web Server Authentication certificate check

---
 indra/newview/llsechandler_basic.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'indra/newview/llsechandler_basic.cpp')

diff --git a/indra/newview/llsechandler_basic.cpp b/indra/newview/llsechandler_basic.cpp
index 55e49100c3..109a2133b8 100644
--- a/indra/newview/llsechandler_basic.cpp
+++ b/indra/newview/llsechandler_basic.cpp
@@ -925,8 +925,11 @@ void _validateCert(int validation_policy,
 		}
 		// only validate EKU if the cert has it
 		if(current_cert_info.has(CERT_EXTENDED_KEY_USAGE) && current_cert_info[CERT_EXTENDED_KEY_USAGE].isArray() &&	   
-		   (!_LLSDArrayIncludesValue(current_cert_info[CERT_EXTENDED_KEY_USAGE], 
-									LLSD((std::string)CERT_EKU_SERVER_AUTH))))
+		   (  (!_LLSDArrayIncludesValue(current_cert_info[CERT_EXTENDED_KEY_USAGE], 
+                                         LLSD((std::string)CERT_EKU_SERVER_AUTH)))
+           || (!_LLSDArrayIncludesValue(current_cert_info[CERT_EXTENDED_KEY_USAGE], 
+                                        LLSD((std::string)CERT_EKU_TLS_SERVER_AUTH)))
+            ))
 		{
 			LLTHROW(LLCertKeyUsageValidationException(current_cert_info));
 		}
-- 
cgit v1.2.3


From 4eefce9767784742cd394ddf948d345cfbced8c8 Mon Sep 17 00:00:00 2001
From: Andrey Kleshchev <andreykproductengine@lindenlab.com>
Date: Wed, 9 Sep 2020 18:05:11 +0300
Subject: SL-13921 Only one of extended key usages is needed

LN (EKU_TLS) is more likely to be present thus should be checked first
---
 indra/newview/llsechandler_basic.cpp | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'indra/newview/llsechandler_basic.cpp')

diff --git a/indra/newview/llsechandler_basic.cpp b/indra/newview/llsechandler_basic.cpp
index 656a2cf8cf..737ef30ada 100644
--- a/indra/newview/llsechandler_basic.cpp
+++ b/indra/newview/llsechandler_basic.cpp
@@ -924,12 +924,13 @@ void _validateCert(int validation_policy,
 			LLTHROW(LLCertKeyUsageValidationException(current_cert_info));
 		}
 		// only validate EKU if the cert has it
-		if(current_cert_info.has(CERT_EXTENDED_KEY_USAGE) && current_cert_info[CERT_EXTENDED_KEY_USAGE].isArray() &&	   
-		   (  (!_LLSDArrayIncludesValue(current_cert_info[CERT_EXTENDED_KEY_USAGE], 
+        if(current_cert_info.has(CERT_EXTENDED_KEY_USAGE)
+           && current_cert_info[CERT_EXTENDED_KEY_USAGE].isArray()
+           && (!_LLSDArrayIncludesValue(current_cert_info[CERT_EXTENDED_KEY_USAGE],
+                                         LLSD((std::string)CERT_EKU_TLS_SERVER_AUTH)))
+           && (!_LLSDArrayIncludesValue(current_cert_info[CERT_EXTENDED_KEY_USAGE], 
                                          LLSD((std::string)CERT_EKU_SERVER_AUTH)))
-           || (!_LLSDArrayIncludesValue(current_cert_info[CERT_EXTENDED_KEY_USAGE], 
-                                        LLSD((std::string)CERT_EKU_TLS_SERVER_AUTH)))
-            ))
+           )
 		{
 			LLTHROW(LLCertKeyUsageValidationException(current_cert_info));
 		}
-- 
cgit v1.2.3