SL-429: Use a new certificate authority bundle based on data from Mozilla

master
Oz Linden 2016-07-21 17:14:07 -04:00
parent 9260fbe0bd
commit 4bf583aaa2
12 changed files with 118 additions and 5639 deletions


@ -212,9 +212,9 @@
<key>archive</key>
<map>
<key>hash</key>
<string>ad0061db7188a1b9a974eb0512eeeb8d</string>
<string>6fb1d3c448fb40ba45b81fe4495cf563</string>
<key>url</key>
<string>http://automated-builds-secondlife-com.s3.amazonaws.com/hg/repo/3p-curl/rev/312763/arch/Darwin/installer/curl-7.47.0.312763-darwin-312763.tar.bz2</string>
<string>http://automated-builds-secondlife-com.s3.amazonaws.com/hg/repo/3p-curl/rev/317905/arch/Darwin/installer/curl-7.47.0.317905-darwin-317905.tar.bz2</string>
</map>
<key>name</key>
<string>darwin</string>
@ -224,9 +224,9 @@
<key>archive</key>
<map>
<key>hash</key>
<string>f49d4ed203b03852a3f6b01b18319f7a</string>
<string>dc094009bdbade0ae348bb4cacb437e0</string>
<key>url</key>
<string>http://automated-builds-secondlife-com.s3.amazonaws.com/hg/repo/3p-curl/rev/312763/arch/Linux/installer/curl-7.47.0.312763-linux-312763.tar.bz2</string>
<string>http://automated-builds-secondlife-com.s3.amazonaws.com/hg/repo/3p-curl/rev/317905/arch/Linux/installer/curl-7.47.0.317905-linux-317905.tar.bz2</string>
</map>
<key>name</key>
<string>linux</string>
@ -236,18 +236,18 @@
<key>archive</key>
<map>
<key>hash</key>
<string>5e0d4f4a5a5bbcba610aafbb91c30b2b</string>
<string>f906f15db6160867b55edfb2a975e3c8</string>
<key>hash_algorithm</key>
<string>md5</string>
<key>url</key>
<string>http://automated-builds-secondlife-com.s3.amazonaws.com/hg/repo/3p-curl/rev/312763/arch/CYGWIN/installer/curl-7.47.0.312763-windows-312763.tar.bz2</string>
<string>http://automated-builds-secondlife-com.s3.amazonaws.com/hg/repo/3p-curl/rev/317905/arch/CYGWIN/installer/curl-7.47.0.317905-windows-317905.tar.bz2</string>
</map>
<key>name</key>
<string>windows</string>
</map>
</map>
<key>version</key>
<string>7.47.0.312763</string>
<string>7.47.0.317905</string>
</map>
<key>db</key>
<map>
@ -1465,6 +1465,46 @@
<key>version</key>
<string>0.0.1</string>
</map>
<key>llca</key>
<map>
<key>copyright</key>
<string>Copyright (c) 2016, Linden Research, Inc.</string>
<key>license</key>
<string>mit</string>
<key>license_file</key>
<string>LICENSES/ca-license.txt</string>
<key>name</key>
<string>llca</string>
<key>platforms</key>
<map>
<key>common</key>
<map>
<key>archive</key>
<map>
<key>hash</key>
<string>0a336cc09ab757feb560b9e3fab2e0ec</string>
<key>url</key>
<string>http://automated-builds-secondlife-com.s3.amazonaws.com/hg/repo/ll-ca/rev/317913/arch/Linux/installer/llca-2016.07.20.317913-common-317913.tar.bz2</string>
</map>
<key>name</key>
<string>common</string>
</map>
<key>darwin</key>
<map>
<key>archive</key>
<map>
<key>hash</key>
<string>6d4d8efee8b7a5893b693c8f06a5d17b</string>
<key>url</key>
<string>http://automated-builds-secondlife-com.s3.amazonaws.com/hg/repo/llca/rev/317939/arch/Darwin/installer/llca-2016.07.21.317939-darwin-317939.tar.bz2</string>
</map>
<key>name</key>
<string>darwin</string>
</map>
</map>
<key>version</key>
<string>2016.07.21.317939</string>
</map>
<key>llceflib</key>
<map>
<key>copyright</key>
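Review bot: The two platform entries of the new `llca` package do not come from the same build: the `common` archive is fetched from repo `ll-ca` at rev 317913 (`llca-2016.07.20.317913-common-317913.tar.bz2`), while the `darwin` archive and the package `version` string point at repo `llca` rev 317939 (`2016.07.21.317939`). Since the archives are fetched over plain http and pinned only by a 32-hex (md5-length) hash, the hash is the only thing tying a build to a particular bundle, so the two entries should be regenerated from one revision, or the `common` entry should be updated to `llca`/317939 to match the declared version. Whether the two revisions actually differ in bundle contents is not visible here.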


@ -20,11 +20,8 @@ if(WINDOWS)
set(vivox_src_dir "${ARCH_PREBUILT_DIRS_RELEASE}")
set(vivox_files
SLVoice.exe
ca-bundle.crt
libsndfile-1.dll
vivoxsdk.dll
ortp.dll
vivoxoal.dll
)
#*******************************
@ -158,9 +155,6 @@ elseif(DARWIN)
set(vivox_src_dir "${ARCH_PREBUILT_DIRS_RELEASE}")
set(vivox_files
SLVoice
ca-bundle.crt
libsndfile.dylib
libvivoxoal.dylib
libortp.dylib
libvivoxplatform.dylib
libvivoxsdk.dylib
@ -202,7 +196,6 @@ elseif(LINUX)
libvivoxplatform.so
libvivoxsdk.so
SLVoice
# ca-bundle.crt #No cert for linux. It is actually still 3.2SDK.
)
# *TODO - update this to use LIBS_PREBUILT_DIR and LL_ARCH_DIR variables
# or ARCH_PREBUILT_DIRS

indra/cmake/LLCA.cmake Normal file

@ -0,0 +1,4 @@
# -*- cmake -*-
include(Prebuilt)
use_prebuilt_binary(llca)
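Review bot: The new file does not say what the `llca` package provides, yet the viewer CMakeLists in this commit relies on it placing `ca-bundle.crt` in `${AUTOBUILD_INSTALL_DIR}`. A one-line header such as `# Pulls in the llca package, which supplies ca-bundle.crt (the Mozilla-derived CA bundle) into AUTOBUILD_INSTALL_DIR` would record the contract the consumers depend on.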


@ -220,7 +220,7 @@ void LLDir_Linux::initAppDirs(const std::string &app_name,
}
}
mCAFile = getExpandedFilename(LL_PATH_APP_SETTINGS, "CA.pem");
mCAFile = getExpandedFilename(LL_PATH_APP_SETTINGS, "ca-bundle.crt");
}
U32 LLDir_Linux::countFilesInDir(const std::string &dirname, const std::string &mask)


@ -173,7 +173,7 @@ void LLDir_Mac::initAppDirs(const std::string &app_name,
mAppRODataDir = app_read_only_data_dir;
mSkinBaseDir = mAppRODataDir + mDirDelimiter + "skins";
}
mCAFile = getExpandedFilename(LL_PATH_APP_SETTINGS, "CA.pem");
mCAFile = getExpandedFilename(LL_PATH_APP_SETTINGS, "ca-bundle.crt");
}
std::string LLDir_Mac::getCurPath()


@ -238,7 +238,7 @@ void LLDir_Solaris::initAppDirs(const std::string &app_name,
}
}
mCAFile = getExpandedFilename(LL_PATH_APP_SETTINGS, "CA.pem");
mCAFile = getExpandedFilename(LL_PATH_APP_SETTINGS, "ca-bundle.crt");
}
U32 LLDir_Solaris::countFilesInDir(const std::string &dirname, const std::string &mask)


@ -18,6 +18,7 @@ include(Hunspell)
include(JsonCpp)
include(LLAppearance)
include(LLAudio)
include(LLCA)
include(LLCharacter)
include(LLCommon)
include(LLCoreHttp)
@ -1601,6 +1602,7 @@ set(viewer_APPSETTINGS_FILES
app_settings/viewerart.xml
${CMAKE_SOURCE_DIR}/../etc/message.xml
${CMAKE_SOURCE_DIR}/../scripts/messages/message_template.msg
${AUTOBUILD_INSTALL_DIR}/ca-bundle.crt
packages-info.txt
)



@ -586,8 +586,7 @@ LLPointer<LLCertificate> LLBasicCertificateVector::erase(iterator _iter)
//
// LLBasicCertificateStore
// This class represents a store of CA certificates. The basic implementation
// uses a pem file such as the legacy CA.pem stored in the existing
// SL implementation.
// uses a crt file such as the ca-bundle.crt in the existing SL implementation.
LLBasicCertificateStore::LLBasicCertificateStore(const std::string& filename)
{
mFilename = filename;
@ -596,39 +595,51 @@ LLBasicCertificateStore::LLBasicCertificateStore(const std::string& filename)
void LLBasicCertificateStore::load_from_file(const std::string& filename)
{
int loaded = 0;
// scan the PEM file extracting each certificate
if (!LLFile::isfile(filename))
if (LLFile::isfile(filename))
{
return;
}
BIO* file_bio = BIO_new(BIO_s_file());
if(file_bio)
{
if (BIO_read_filename(file_bio, filename.c_str()) > 0)
{
X509 *cert_x509 = NULL;
while((PEM_read_bio_X509(file_bio, &cert_x509, 0, NULL)) &&
(cert_x509 != NULL))
{
try
{
add(new LLBasicCertificate(cert_x509));
}
catch (...)
{
LL_WARNS("SECAPI") << "Failure creating certificate from the certificate store file." << LL_ENDL;
}
X509_free(cert_x509);
cert_x509 = NULL;
}
BIO_free(file_bio);
}
}
else
{
LL_WARNS("SECAPI") << "Could not allocate a file BIO" << LL_ENDL;
}
BIO* file_bio = BIO_new(BIO_s_file());
if(file_bio)
{
if (BIO_read_filename(file_bio, filename.c_str()) > 0)
{
X509 *cert_x509 = NULL;
while((PEM_read_bio_X509(file_bio, &cert_x509, 0, NULL)) &&
(cert_x509 != NULL))
{
try
{
add(new LLBasicCertificate(cert_x509));
loaded++;
}
catch (...)
{
LL_WARNS("SECAPI") << "Failure creating certificate from the certificate store file." << LL_ENDL;
}
X509_free(cert_x509);
cert_x509 = NULL;
}
BIO_free(file_bio);
}
else
{
LL_WARNS("SECAPI") << "BIO read failed for " << filename << LL_ENDL;
}
LL_INFOS("SECAPI") << "loaded " << loaded << " certificates from " << filename << LL_ENDL;
}
else
{
LL_WARNS("SECAPI") << "Could not allocate a file BIO" << LL_ENDL;
}
}
else
{
// since the user certificate store may not be there, this is not a warning
LL_INFOS("SECAPI") << "Certificate store not found at " << filename << LL_ENDL;
}
}
@ -664,7 +675,7 @@ void LLBasicCertificateStore::save()
// return the store id
std::string LLBasicCertificateStore::storeId() const
{
// this is the basic handler which uses the CA.pem store,
// this is the basic handler which uses the ca-bundle.crt store,
// so we ignore this.
return std::string("");
}
@ -1014,7 +1025,11 @@ void LLBasicCertificateStore::validate(int validation_policy,
const LLSD& validation_params)
{
// If --no-verify-ssl-cert was passed on the command line, stop right now.
if (gSavedSettings.getBOOL("NoVerifySSLCert")) return;
if (gSavedSettings.getBOOL("NoVerifySSLCert"))
{
LL_WARNS_ONCE("SECAPI") << "All Certificate validation disabled; viewer operation is insecure" << LL_ENDL;
return;
}
if(cert_chain->size() < 1)
{
@ -1062,7 +1077,6 @@ void LLBasicCertificateStore::validate(int validation_policy,
t_cert_cache::iterator cache_entry = mTrustedCertCache.find(sha1_hash);
if(cache_entry != mTrustedCertCache.end())
{
LL_DEBUGS("SECAPI") << "Found cert in cache" << LL_ENDL;
// this cert is in the cache, so validate the time.
if (validation_policy & VALIDATION_POLICY_TIME)
{
@ -1079,6 +1093,7 @@ void LLBasicCertificateStore::validate(int validation_policy,
}
}
// successfully found in cache
LL_DEBUGS("SECAPI") << "Valid cert for " << validation_params[CERT_HOSTNAME].asString() << " found in cache" << LL_ENDL;
return;
}
if(current_cert_info.isUndefined())
@ -1123,6 +1138,7 @@ void LLBasicCertificateStore::validate(int validation_policy,
if(found_store_cert != end())
{
mTrustedCertCache[sha1_hash] = std::pair<LLDate, LLDate>(from_time, to_time);
LL_DEBUGS("SECAPI") << "Valid cert for " << validation_params[CERT_HOSTNAME].asString() << " found in cert store" << LL_ENDL;
return;
}
@ -1160,6 +1176,7 @@ void LLBasicCertificateStore::validate(int validation_policy,
}
// successfully validated.
mTrustedCertCache[sha1_hash] = std::pair<LLDate, LLDate>(from_time, to_time);
LL_DEBUGS("SECAPI") << "Valid CA cert for " << validation_params[CERT_HOSTNAME].asString() << " found in cert store" << LL_ENDL;
return;
}
previous_cert = (*current_cert);
@ -1176,6 +1193,7 @@ void LLBasicCertificateStore::validate(int validation_policy,
throw LLCertValidationTrustException((*cert_chain)[cert_chain->size()-1]);
}
LL_DEBUGS("SECAPI") << "Valid ? cert for " << validation_params[CERT_HOSTNAME].asString() << " found in cert store" << LL_ENDL;
mTrustedCertCache[sha1_hash] = std::pair<LLDate, LLDate>(from_time, to_time);
}
@ -1214,13 +1232,13 @@ void LLSecAPIBasicHandler::init()
"CA.pem");
LL_DEBUGS("SECAPI") << "Loading certificate store from " << store_file << LL_ENDL;
LL_INFOS("SECAPI") << "Loading user certificate store from " << store_file << LL_ENDL;
mStore = new LLBasicCertificateStore(store_file);
// grab the application CA.pem file that contains the well-known certs shipped
// grab the application ca-bundle.crt file that contains the well-known certs shipped
// with the product
std::string ca_file_path = gDirUtilp->getExpandedFilename(LL_PATH_APP_SETTINGS, "CA.pem");
LL_INFOS() << "app path " << ca_file_path << LL_ENDL;
std::string ca_file_path = gDirUtilp->getExpandedFilename(LL_PATH_APP_SETTINGS, "ca-bundle.crt");
LL_INFOS("SECAPI") << "Loading application certificate store from " << ca_file_path << LL_ENDL;
LLPointer<LLBasicCertificateStore> app_ca_store = new LLBasicCertificateStore(ca_file_path);
// push the applicate CA files into the store, therefore adding any new CA certs that
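Review bot: In the rewritten `load_from_file`, `BIO_free(file_bio);` is still only reached inside the `if (BIO_read_filename(file_bio, filename.c_str()) > 0)` branch, so the new `else` that logs "BIO read failed" leaves the BIO allocated by `BIO_new` unreleased. Move the free out of the inner branch so both paths release it: delete it from the success branch and place `BIO_free(file_bio);` directly after the inner if/else, before the `LL_INFOS("SECAPI") << "loaded " ...` line. In the same loop a NULL from `PEM_read_bio_X509` ends iteration whether it is end-of-file or a malformed entry, so a truncated bundle only shows up through the new `loaded` count; a comment such as `// NULL from PEM_read_bio_X509 means EOF or a malformed entry; any remaining certs are skipped` would make that visible to the next reader. The `init()` hunk's function body begins outside the hunk.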


@ -1921,11 +1921,9 @@ bool LLViewerMediaImpl::initializePlugin(const std::string& media_type)
media_source->ignore_ssl_cert_errors(true);
}
// the correct way to deal with certs it to load ours from CA.pem and append them to the ones
// the correct way to deal with certs it to load ours from ca-bundle.crt and append them to the ones
// Qt/WebKit loads from your system location.
// Note: This needs the new CA.pem file with the Equifax Secure Certificate Authority
// cert at the bottom: (MIIDIDCCAomgAwIBAgIENd70zzANBg)
std::string ca_path = gDirUtilp->getExpandedFilename( LL_PATH_APP_SETTINGS, "CA.pem" );
std::string ca_path = gDirUtilp->getExpandedFilename( LL_PATH_APP_SETTINGS, "ca-bundle.crt" );
media_source->addCertificateFilePath( ca_path );
media_source->proxy_setup(gSavedSettings.getBOOL("BrowserProxyEnabled"), gSavedSettings.getString("BrowserProxyAddress"), gSavedSettings.getS32("BrowserProxyPort"));
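Review bot: The rewritten comment line carries over the original typo; it should read `// the correct way to deal with certs is to load ours from ca-bundle.crt and append them to the ones`. The deleted note about the Equifax root was the only statement of which certificate the shipped bundle had to contain for the media plugin; if the new bundle still has to carry a particular root, the replacement comment should say which one, and if not, a short note that the requirement is gone would stop a reader from restoring it. `initializePlugin` begins and ends outside the hunk.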


@ -2825,7 +2825,7 @@ void LLVivoxVoiceClient::connectorCreateResponse(int statusCode, std::string &st
if(statusCode != 0)
{
LL_WARNS("Voice") << "Connector.Create response failure: " << statusString << LL_ENDL;
LL_WARNS("Voice") << "Connector.Create response failure ("<< statusCode << "): " << statusString << LL_ENDL;
LLSD args;
std::stringstream errs;
errs << mVoiceAccountServerURI << "\n:UDP: 3478, 3479, 5060, 5062, 12000-17000";


@ -63,7 +63,6 @@ class ViewerManifest(LLManifest):
if self.prefix(src="app_settings"):
self.exclude("logcontrol.xml")
self.exclude("logcontrol-dev.xml")
self.path("*.pem")
self.path("*.ini")
self.path("*.xml")
self.path("*.db2")
@ -85,11 +84,11 @@ class ViewerManifest(LLManifest):
pkgdir = os.path.join(self.args['build'], os.pardir, 'packages')
if self.prefix(src=pkgdir,dst=""):
self.path("dictionaries")
self.path("ca-bundle.crt")
self.end_prefix(pkgdir)
# include the extracted packages information (see BuildPackagesInfo.cmake)
self.path(src=os.path.join(self.args['build'],"packages-info.txt"), dst="packages-info.txt")
# CHOP-955: If we have "sourceid" or "viewer_channel" in the
# build process environment, generate it into
# settings_install.xml.
@ -402,7 +401,6 @@ class Windows_i686_Manifest(ViewerManifest):
self.path("ortp.dll")
self.path("libsndfile-1.dll")
self.path("vivoxoal.dll")
self.path("ca-bundle.crt")
# Security
self.path("ssleay32.dll")
@ -787,7 +785,6 @@ class Darwin_i386_Manifest(ViewerManifest):
'libvivoxoal.dylib',
'libvivoxsdk.dylib',
'libvivoxplatform.dylib',
'ca-bundle.crt',
'SLVoice',
):
self.path2basename(relpkgdir, libfile)
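Review bot: The `app_settings` prefix loses `self.path("*.pem")` in the first hunk without gaining a `*.crt` pattern, and the only copy of the bundle in the second hunk is `self.path("ca-bundle.crt")` under the `pkgdir` prefix with `dst=""`, i.e. the install root. The LLDir changes in this commit resolve the bundle as `LL_PATH_APP_SETTINGS` + `ca-bundle.crt`, so unless that path maps to the install root on every platform (not visible here), the packaged viewer may look for the bundle in a directory it was never copied to, and the certificate store would load empty. Worth confirming against an installed build; if `app_settings` is the intended location, either add `self.path("*.crt")` inside the `app_settings` prefix or give the `pkgdir` copy `dst="app_settings"`. The enclosing methods begin outside the hunks.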