/indra/newview/llsecapi.cpp
C++ | 192 lines | 126 code | 22 blank | 44 comment | 14 complexity | 602a363e7cb8c65777542bc7520d1fee MD5 | raw file
Possible License(s): LGPL-2.1
- /**
- * @file llsecapi.cpp
- * @brief Security API for services such as certificate handling
- * secure local storage, etc.
- *
- * $LicenseInfo:firstyear=2009&license=viewerlgpl$
- * Second Life Viewer Source Code
- * Copyright (C) 2010, Linden Research, Inc.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation;
- * version 2.1 of the License only.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Linden Research, Inc., 945 Battery Street, San Francisco, CA 94111 USA
- * $/LicenseInfo$
- */
- #include "llviewerprecompiledheaders.h"
- #include "llsecapi.h"
- #include "llsechandler_basic.h"
- #include <openssl/evp.h>
- #include <openssl/err.h>
- #include <map>
- #include "llhttpclient.h"
- std::map<std::string, LLPointer<LLSecAPIHandler> > gHandlerMap;
- LLPointer<LLSecAPIHandler> gSecAPIHandler;
- void initializeSecHandler()
- {
- ERR_load_crypto_strings();
- OpenSSL_add_all_algorithms();
- gHandlerMap[BASIC_SECHANDLER] = new LLSecAPIBasicHandler();
-
-
- // Currently, we only have the Basic handler, so we can point the main sechandler
- // pointer to the basic handler. Later, we'll create a wrapper handler that
- // selects the appropriate sechandler as needed, for instance choosing the
- // mac keyring handler, with fallback to the basic sechandler
- gSecAPIHandler = gHandlerMap[BASIC_SECHANDLER];
- // initialize all SecAPIHandlers
- std::string exception_msg;
- std::map<std::string, LLPointer<LLSecAPIHandler> >::const_iterator itr;
- for(itr = gHandlerMap.begin(); itr != gHandlerMap.end(); ++itr)
- {
- LLPointer<LLSecAPIHandler> handler = (*itr).second;
- try
- {
- handler->init();
- }
- catch (LLProtectedDataException e)
- {
- exception_msg = e.getMessage();
- }
- }
- if (!exception_msg.empty()) // an exception was thrown.
- {
- throw LLProtectedDataException(exception_msg.c_str());
- }
- }
- // start using a given security api handler. If the string is empty
- // the default is used
- LLPointer<LLSecAPIHandler> getSecHandler(const std::string& handler_type)
- {
- if (gHandlerMap.find(handler_type) != gHandlerMap.end())
- {
- return gHandlerMap[handler_type];
- }
- else
- {
- return LLPointer<LLSecAPIHandler>(NULL);
- }
- }
- // register a handler
- void registerSecHandler(const std::string& handler_type,
- LLPointer<LLSecAPIHandler>& handler)
- {
- gHandlerMap[handler_type] = handler;
- }
- std::ostream& operator <<(std::ostream& s, const LLCredential& cred)
- {
- return s << (std::string)cred;
- }
-
- // secapiSSLCertVerifyCallback
- // basic callback called when a cert verification is requested.
- // calls SECAPI to validate the context
- // not initialized in the above initialization function, due to unit tests
- // see llappviewer
- int secapiSSLCertVerifyCallback(X509_STORE_CTX *ctx, void *param)
- {
- LLURLRequest *req = (LLURLRequest *)param;
- LLPointer<LLCertificateStore> store = gSecAPIHandler->getCertificateStore("");
- LLPointer<LLCertificateChain> chain = gSecAPIHandler->getCertificateChain(ctx);
- LLSD validation_params = LLSD::emptyMap();
- LLURI uri(req->getURL());
- validation_params[CERT_HOSTNAME] = uri.hostName();
- try
- {
- // we rely on libcurl to validate the hostname, as libcurl does more extensive validation
- // leaving our hostname validation call mechanism for future additions with respect to
- // OS native (Mac keyring, windows CAPI) validation.
- store->validate(VALIDATION_POLICY_SSL & (~VALIDATION_POLICY_HOSTNAME), chain, validation_params);
- }
- catch (LLCertValidationTrustException& cert_exception)
- {
- LL_WARNS("AppInit") << "Cert not trusted: " << cert_exception.getMessage() << LL_ENDL;
- return 0;
- }
- catch (LLCertException& cert_exception)
- {
- LL_WARNS("AppInit") << "cert error " << cert_exception.getMessage() << LL_ENDL;
- return 0;
- }
- catch (...)
- {
- LL_WARNS("AppInit") << "cert error " << LL_ENDL;
- return 0;
- }
- return 1;
- }
- LLSD LLCredential::getLoginParams()
- {
- LLSD result = LLSD::emptyMap();
- try
- {
- if (mIdentifier["type"].asString() == "agent")
- {
- // legacy credential
- result["passwd"] = "$1$" + mAuthenticator["secret"].asString();
- result["first"] = mIdentifier["first_name"];
- result["last"] = mIdentifier["last_name"];
-
- }
- else if (mIdentifier["type"].asString() == "account")
- {
- result["username"] = mIdentifier["account_name"];
- result["passwd"] = mAuthenticator["secret"];
-
- }
- }
- catch (...)
- {
- // we could have corrupt data, so simply return a null login param if so
- LL_WARNS("AppInit") << "Invalid credential" << LL_ENDL;
- }
- return result;
- }
- void LLCredential::identifierType(std::string &idType)
- {
- if(mIdentifier.has("type"))
- {
- idType = mIdentifier["type"].asString();
- }
- else {
- idType = std::string();
-
- }
- }
- void LLCredential::authenticatorType(std::string &idType)
- {
- if(mAuthenticator.has("type"))
- {
- idType = mAuthenticator["type"].asString();
- }
- else {
- idType = std::string();
-
- }
- }