livie
/
phoenix-firestorm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SL-15211 SL-14541 Update OpenSSL library 

Moving a copy of OpenSSL 1.1.1 to D543 from D520 to have less conflicts with zlib-ng integration later
master
Andrey Kleshchev 2021-05-27 00:04:08 +03:00
parent 5af8f15a05
commit a212a862b4
11 changed files with 85 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
indra/cmake/Copy3rdPartyLibs.cmake
View File

@ -56,14 +56,21 @@ if(WINDOWS)
libapr-1.dll
libaprutil-1.dll
libapriconv-1.dll
ssleay32.dll
libeay32.dll
nghttp2.dll
glod.dll
libhunspell.dll
uriparser.dll
)
# OpenSSL
if(ADDRESS_SIZE EQUAL 64)
set(release_files ${release_files} libcrypto-1_1-x64.dll)
set(release_files ${release_files} libssl-1_1-x64.dll)
else(ADDRESS_SIZE EQUAL 64)
set(release_files ${release_files} libcrypto-1_1.dll)
set(release_files ${release_files} libssl-1_1.dll)
endif(ADDRESS_SIZE EQUAL 64)
# Filenames are different for 32/64 bit BugSplat file and we don't
# have any control over them so need to branch.
if (USE_BUGSPLAT)

2
indra/cmake/OpenSSL.cmake
View File

@ -9,7 +9,7 @@ if (USESYSTEMLIBS)
else (USESYSTEMLIBS)
use_prebuilt_binary(openssl)
if (WINDOWS)
set(OPENSSL_LIBRARIES ssleay32 libeay32)
set(OPENSSL_LIBRARIES libssl libcrypto)
else (WINDOWS)
set(OPENSSL_LIBRARIES ssl crypto)
endif (WINDOWS)

55
indra/llcorehttp/httpcommon.cpp
View File

@ -23,13 +23,6 @@
* Linden Research, Inc., 945 Battery Street, San Francisco, CA 94111 USA
* $/LicenseInfo$
*/
#if LL_WINDOWS
#define SAFE_SSL 1
#elif LL_DARWIN
#define SAFE_SSL 1
#else
#define SAFE_SSL 1
#endif
#include "linden_common.h" // Modifies curl/curl.h interfaces
#include "httpcommon.h"
@ -38,10 +31,6 @@
#include <curl/curl.h>
#include <string>
#include <sstream>
#if SAFE_SSL
#include <openssl/crypto.h>
#include <functional> // std::hash
#endif
namespace LLCore
@ -348,34 +337,6 @@ void deallocateEasyCurl(CURL *curlp)
}
#if SAFE_SSL
//static
void ssl_locking_callback(int mode, int type, const char *file, int line)
{
if (type >= sSSLMutex.size())
{
LL_WARNS() << "Attempt to get unknown MUTEX in SSL Lock." << LL_ENDL;
}
if (mode & CRYPTO_LOCK)
{
sSSLMutex[type]->lock();
}
else
{
sSSLMutex[type]->unlock();
}
}
//static
unsigned long ssl_thread_id(void)
{
// std::thread::id is very deliberately opaque, but we can hash it
return std::hash<LLThread::id_t>()(LLThread::currentID());
}
#endif
}
void initialize()
@ -387,27 +348,11 @@ void initialize()
check_curl_code(code, CURL_GLOBAL_ALL);
#if SAFE_SSL
S32 mutex_count = CRYPTO_num_locks();
for (S32 i = 0; i < mutex_count; i++)
{
sSSLMutex.push_back(LLMutex_ptr(new LLMutex()));
}
CRYPTO_set_id_callback(&ssl_thread_id);
CRYPTO_set_locking_callback(&ssl_locking_callback);
#endif
}
void cleanup()
{
#if SAFE_SSL
CRYPTO_set_id_callback(NULL);
CRYPTO_set_locking_callback(NULL);
sSSLMutex.clear();
#endif
curl_global_cleanup();
}

28
indra/llmessage/llblowfishcipher.cpp
View File

@ -52,24 +52,28 @@ U32 LLBlowfishCipher::encrypt(const U8* src, U32 src_len, U8* dst, U32 dst_len)
if (src_len > dst_len) return 0;
// OpenSSL uses "cipher contexts" to hold encryption parameters.
EVP_CIPHER_CTX context;
EVP_CIPHER_CTX_init(&context);
EVP_CIPHER_CTX *context = EVP_CIPHER_CTX_new();
if (!context)
{
LL_WARNS() << "LLBlowfishCipher::encrypt EVP_CIPHER_CTX initiation failure" << LL_ENDL;
return 0;
}
// We want a blowfish cyclic block chain cipher, but need to set
// the key length before we pass in a key, so call EncryptInit
// first with NULLs.
EVP_EncryptInit_ex(&context, EVP_bf_cbc(), NULL, NULL, NULL);
EVP_CIPHER_CTX_set_key_length(&context, (int)mSecretSize);
EVP_EncryptInit_ex(context, EVP_bf_cbc(), NULL, NULL, NULL);
EVP_CIPHER_CTX_set_key_length(context, (int)mSecretSize);
// Complete initialization. Per EVP_EncryptInit man page, the
// cipher pointer must be NULL. Apparently initial_vector must
// be 8 bytes for blowfish, as this is the block size.
unsigned char initial_vector[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
EVP_EncryptInit_ex(&context, NULL, NULL, mSecret, initial_vector);
EVP_EncryptInit_ex(context, NULL, NULL, mSecret, initial_vector);
int blocksize = EVP_CIPHER_CTX_block_size(&context);
int keylen = EVP_CIPHER_CTX_key_length(&context);
int iv_length = EVP_CIPHER_CTX_iv_length(&context);
int blocksize = EVP_CIPHER_CTX_block_size(context);
int keylen = EVP_CIPHER_CTX_key_length(context);
int iv_length = EVP_CIPHER_CTX_iv_length(context);
LL_DEBUGS() << "LLBlowfishCipher blocksize " << blocksize
<< " keylen " << keylen
<< " iv_len " << iv_length
@ -77,7 +81,7 @@ U32 LLBlowfishCipher::encrypt(const U8* src, U32 src_len, U8* dst, U32 dst_len)
int output_len = 0;
int temp_len = 0;
if (!EVP_EncryptUpdate(&context,
if (!EVP_EncryptUpdate(context,
dst,
&output_len,
src,
@ -89,18 +93,18 @@ U32 LLBlowfishCipher::encrypt(const U8* src, U32 src_len, U8* dst, U32 dst_len)
// There may be some final data left to encrypt if the input is
// not an exact multiple of the block size.
if (!EVP_EncryptFinal_ex(&context, (unsigned char*)(dst + output_len), &temp_len))
if (!EVP_EncryptFinal_ex(context, (unsigned char*)(dst + output_len), &temp_len))
{
LL_WARNS() << "LLBlowfishCipher::encrypt EVP_EncryptFinal failure" << LL_ENDL;
goto ERROR;
}
output_len += temp_len;
EVP_CIPHER_CTX_cleanup(&context);
EVP_CIPHER_CTX_free(context);
return output_len;
ERROR:
EVP_CIPHER_CTX_cleanup(&context);
EVP_CIPHER_CTX_free(context);
return 0;
}

8
indra/newview/CMakeLists.txt
View File

@ -1835,10 +1835,6 @@ if (WINDOWS)
${CMAKE_CURRENT_SOURCE_DIR}/licenses-win32.txt
${CMAKE_CURRENT_SOURCE_DIR}/featuretable.txt
${CMAKE_CURRENT_SOURCE_DIR}/featuretable_xp.txt
${ARCH_PREBUILT_DIRS_RELEASE}/libeay32.dll
${ARCH_PREBUILT_DIRS_RELEASE}/ssleay32.dll
${ARCH_PREBUILT_DIRS_DEBUG}/libeay32.dll
${ARCH_PREBUILT_DIRS_DEBUG}/ssleay32.dll
${viewer_APPSETTINGS_FILES}
SLPlugin
media_plugin_cef
@ -1851,11 +1847,15 @@ if (WINDOWS)
list(APPEND COPY_INPUT_DEPENDENCIES
${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/vivoxsdk_x64.dll
${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/ortp_x64.dll
${ARCH_PREBUILT_DIRS_RELEASE}/libcrypto-1_1-x64.dll
${ARCH_PREBUILT_DIRS_RELEASE}/libssl-1_1-x64.dll
)
else (ADDRESS_SIZE EQUAL 64)
list(APPEND COPY_INPUT_DEPENDENCIES
${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/vivoxsdk.dll
${SHARED_LIB_STAGING_DIR}/${CMAKE_CFG_INTDIR}/ortp.dll
${ARCH_PREBUILT_DIRS_RELEASE}/libcrypto-1_1.dll
${ARCH_PREBUILT_DIRS_RELEASE}/libssl-1_1.dll
)
endif (ADDRESS_SIZE EQUAL 64)

2
indra/newview/llsecapi.h
View File

@ -452,7 +452,7 @@ public:
virtual LLPointer<LLCertificate> getCertificate(X509* openssl_cert)=0;
// instantiate a chain from an X509_STORE_CTX
virtual LLPointer<LLCertificateChain> getCertificateChain(const X509_STORE_CTX* chain)=0;
virtual LLPointer<LLCertificateChain> getCertificateChain(X509_STORE_CTX* chain)=0;
// instantiate a cert store given it's id. if a persisted version
// exists, it'll be loaded. If not, one will be created (but not

48
indra/newview/llsechandler_basic.cpp
View File

@ -95,7 +95,7 @@ LLBasicCertificate::LLBasicCertificate(const std::string& pem_cert,
LLBasicCertificate::LLBasicCertificate(X509* pCert,
const LLSD* validation_params)
{
if (!pCert || !pCert->cert_info)
if (!pCert)
{
LLTHROW(LLInvalidCertificate(LLSD::emptyMap()));
}
@ -355,8 +355,8 @@ LLSD cert_name_from_X509_NAME(X509_NAME* name)
char buffer[32];
X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, entry_index);
std::string name_value = std::string((const char*)M_ASN1_STRING_data(X509_NAME_ENTRY_get_data(entry)),
M_ASN1_STRING_length(X509_NAME_ENTRY_get_data(entry)));
std::string name_value = std::string((const char*)ASN1_STRING_data(X509_NAME_ENTRY_get_data(entry)),
ASN1_STRING_length(X509_NAME_ENTRY_get_data(entry)));
ASN1_OBJECT* name_obj = X509_NAME_ENTRY_get_object(entry);
OBJ_obj2txt(buffer, sizeof(buffer), name_obj, 0);
@ -683,29 +683,29 @@ std::string LLBasicCertificateStore::storeId() const
// LLBasicCertificateChain
// This class represents a chain of certs, each cert being signed by the next cert
// in the chain. Certs must be properly signed by the parent
LLBasicCertificateChain::LLBasicCertificateChain(const X509_STORE_CTX* store)
LLBasicCertificateChain::LLBasicCertificateChain(X509_STORE_CTX* store)
{
// we're passed in a context, which contains a cert, and a blob of untrusted
// certificates which compose the chain.
if((store == NULL) || (store->cert == NULL))
if((store == NULL) || X509_STORE_CTX_get0_cert(store) == NULL)
{
LL_WARNS("SECAPI") << "An invalid store context was passed in when trying to create a certificate chain" << LL_ENDL;
return;
}
// grab the child cert
LLPointer<LLCertificate> current = new LLBasicCertificate(store->cert);
LLPointer<LLCertificate> current = new LLBasicCertificate(X509_STORE_CTX_get0_cert(store));
add(current);
if(store->untrusted != NULL)
if(X509_STORE_CTX_get0_untrusted(store) != NULL)
{
// if there are other certs in the chain, we build up a vector
// of untrusted certs so we can search for the parents of each
// consecutive cert.
LLBasicCertificateVector untrusted_certs;
for(int i = 0; i < sk_X509_num(store->untrusted); i++)
for(int i = 0; i < sk_X509_num(X509_STORE_CTX_get0_untrusted(store)); i++)
{
LLPointer<LLCertificate> cert = new LLBasicCertificate(sk_X509_value(store->untrusted, i));
LLPointer<LLCertificate> cert = new LLBasicCertificate(sk_X509_value(X509_STORE_CTX_get0_untrusted(store), i));
untrusted_certs.add(cert);
}
@ -1348,9 +1348,10 @@ void LLSecAPIBasicHandler::_readProtectedData()
// read in the rest of the file.
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
EVP_DecryptInit(&ctx, EVP_rc4(), salt, NULL);
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
// todo: ctx error handling
EVP_DecryptInit(ctx, EVP_rc4(), salt, NULL);
// allocate memory:
std::string decrypted_data;
@ -1358,14 +1359,14 @@ void LLSecAPIBasicHandler::_readProtectedData()
// read data as a block:
protected_data_stream.read((char *)buffer, BUFFER_READ_SIZE);
EVP_DecryptUpdate(&ctx, decrypted_buffer, &decrypted_length,
EVP_DecryptUpdate(ctx, decrypted_buffer, &decrypted_length,
buffer, protected_data_stream.gcount());
decrypted_data.append((const char *)decrypted_buffer, protected_data_stream.gcount());
}
// RC4 is a stream cipher, so we don't bother to EVP_DecryptFinal, as there is
// no block padding.
EVP_CIPHER_CTX_cleanup(&ctx);
EVP_CIPHER_CTX_free(ctx);
std::istringstream parse_stream(decrypted_data);
if (parser->parse(parse_stream, mProtectedDataMap,
LLSDSerialize::SIZE_UNLIMITED) == LLSDParser::PARSE_FAILURE)
@ -1401,12 +1402,14 @@ void LLSecAPIBasicHandler::_writeProtectedData()
llofstream protected_data_stream(tmp_filename.c_str(),
std::ios_base::binary);
EVP_CIPHER_CTX *ctx = NULL;
try
{
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
EVP_EncryptInit(&ctx, EVP_rc4(), salt, NULL);
ctx = EVP_CIPHER_CTX_new();
// todo: ctx error handling
EVP_EncryptInit(ctx, EVP_rc4(), salt, NULL);
unsigned char unique_id[MAC_ADDRESS_BYTES];
LLMachineID::getUniqueID(unique_id, sizeof(unique_id));
LLXORCipher cipher(unique_id, sizeof(unique_id));
@ -1421,13 +1424,13 @@ void LLSecAPIBasicHandler::_writeProtectedData()
break;
}
int encrypted_length;
EVP_EncryptUpdate(&ctx, encrypted_buffer, &encrypted_length,
EVP_EncryptUpdate(ctx, encrypted_buffer, &encrypted_length,
buffer, formatted_data_istream.gcount());
protected_data_stream.write((const char *)encrypted_buffer, encrypted_length);
}
// no EVP_EncrypteFinal, as this is a stream cipher
EVP_CIPHER_CTX_cleanup(&ctx);
EVP_CIPHER_CTX_free(ctx);
protected_data_stream.close();
}
@ -1439,6 +1442,11 @@ void LLSecAPIBasicHandler::_writeProtectedData()
// it may be, however.
LLFile::remove(tmp_filename);
if (ctx)
{
EVP_CIPHER_CTX_free(ctx);
}
// EXP-1825 crash in LLSecAPIBasicHandler::_writeProtectedData()
// Decided throwing an exception here was overkill until we figure out why this happens
//LLTHROW(LLProtectedDataException("Error writing Protected Data Store"));
@ -1491,7 +1499,7 @@ LLPointer<LLCertificate> LLSecAPIBasicHandler::getCertificate(X509* openssl_cert
}
// instantiate a chain from an X509_STORE_CTX
LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(const X509_STORE_CTX* chain)
LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(X509_STORE_CTX* chain)
{
LLPointer<LLCertificateChain> result = new LLBasicCertificateChain(chain);
return result;

4
indra/newview/llsechandler_basic.h
View File

@ -197,7 +197,7 @@ class LLBasicCertificateChain : virtual public LLBasicCertificateVector, public
{
public:
LLBasicCertificateChain(const X509_STORE_CTX * store);
LLBasicCertificateChain(X509_STORE_CTX * store);
virtual ~LLBasicCertificateChain() {}
@ -241,7 +241,7 @@ public:
virtual LLPointer<LLCertificate> getCertificate(X509* openssl_cert);
// instantiate a chain from an X509_STORE_CTX
virtual LLPointer<LLCertificateChain> getCertificateChain(const X509_STORE_CTX* chain);
virtual LLPointer<LLCertificateChain> getCertificateChain(X509_STORE_CTX* chain);
// instantiate a cert store given it's id. if a persisted version
// exists, it'll be loaded. If not, one will be created (but not

2
indra/newview/tests/llsecapi_test.cpp
View File

@ -57,7 +57,7 @@ void LLSecAPIBasicHandler::init() {}
LLSecAPIBasicHandler::~LLSecAPIBasicHandler() {}
LLPointer<LLCertificate> LLSecAPIBasicHandler::getCertificate(const std::string& pem_cert) { return NULL; }
LLPointer<LLCertificate> LLSecAPIBasicHandler::getCertificate(X509* openssl_cert) { return NULL; }
LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(const X509_STORE_CTX* chain) { return NULL; }
LLPointer<LLCertificateChain> LLSecAPIBasicHandler::getCertificateChain(X509_STORE_CTX* chain) { return NULL; }
LLPointer<LLCertificateStore> LLSecAPIBasicHandler::getCertificateStore(const std::string& store_id) { return NULL; }
void LLSecAPIBasicHandler::setProtectedData(const std::string& data_type, const std::string& data_id, const LLSD& data) {}
void LLSecAPIBasicHandler::addToProtectedMap(const std::string& data_type, const std::string& data_id, const std::string& map_elem, const LLSD& data) {}

32
indra/newview/tests/llsechandler_basic_test.cpp
View File

@ -1217,8 +1217,8 @@ namespace tut
// Single cert in the chain.
X509_STORE_CTX *test_store = X509_STORE_CTX_new();
test_store->cert = mX509ChildCert;
test_store->untrusted = NULL;
X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
X509_STORE_CTX_set0_untrusted(test_store, NULL);
test_chain = new LLBasicCertificateChain(test_store);
X509_STORE_CTX_free(test_store);
ensure_equals("two elements in store", test_chain->size(), 1);
@ -1229,9 +1229,9 @@ namespace tut
// cert + CA
test_store = X509_STORE_CTX_new();
test_store->cert = mX509ChildCert;
test_store->untrusted = sk_X509_new_null();
sk_X509_push(test_store->untrusted, mX509IntermediateCert);
X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert);
test_chain = new LLBasicCertificateChain(test_store);
X509_STORE_CTX_free(test_store);
ensure_equals("two elements in store", test_chain->size(), 2);
@ -1245,9 +1245,9 @@ namespace tut
// cert + nonrelated
test_store = X509_STORE_CTX_new();
test_store->cert = mX509ChildCert;
test_store->untrusted = sk_X509_new_null();
sk_X509_push(test_store->untrusted, mX509TestCert);
X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509TestCert);
test_chain = new LLBasicCertificateChain(test_store);
X509_STORE_CTX_free(test_store);
ensure_equals("two elements in store", test_chain->size(), 1);
@ -1257,10 +1257,10 @@ namespace tut
// cert + CA + nonrelated
test_store = X509_STORE_CTX_new();
test_store->cert = mX509ChildCert;
test_store->untrusted = sk_X509_new_null();
sk_X509_push(test_store->untrusted, mX509IntermediateCert);
sk_X509_push(test_store->untrusted, mX509TestCert);
X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert);
sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509TestCert);
test_chain = new LLBasicCertificateChain(test_store);
X509_STORE_CTX_free(test_store);
ensure_equals("two elements in store", test_chain->size(), 2);
@ -1273,10 +1273,10 @@ namespace tut
// cert + intermediate + CA
test_store = X509_STORE_CTX_new();
test_store->cert = mX509ChildCert;
test_store->untrusted = sk_X509_new_null();
sk_X509_push(test_store->untrusted, mX509IntermediateCert);
sk_X509_push(test_store->untrusted, mX509RootCert);
X509_STORE_CTX_set_cert(test_store, mX509ChildCert);
X509_STORE_CTX_set0_untrusted(test_store, sk_X509_new_null());
sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509IntermediateCert);
sk_X509_push(X509_STORE_CTX_get0_untrusted(test_store), mX509RootCert);
test_chain = new LLBasicCertificateChain(test_store);
X509_STORE_CTX_free(test_store);
ensure_equals("three elements in store", test_chain->size(), 3);

10
indra/newview/viewer_manifest.py
View File

@ -553,9 +553,13 @@ class WindowsManifest(ViewerManifest):
self.path("vivoxsdk.dll")
self.path("ortp.dll")
# Security
self.path("ssleay32.dll")
self.path("libeay32.dll")
# OpenSSL
if (self.address_size == 64):
self.path("libcrypto-1_1-x64.dll")
self.path("libssl-1_1-x64.dll")
else:
self.path("libcrypto-1_1.dll")
self.path("libssl-1_1.dll")
# HTTP/2
self.path("nghttp2.dll")