From 2bd8f42c15a7708b12dbafbf31b31c61f2d2da62 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 19 Oct 2010 12:09:10 -0500 Subject: [PATCH] Changes to make OpenSSL a requirement. Preprocessor conditionals dependent on definition of USE_OPENSSL have been straightened out. --- BuildOptions.cmake | 4 +- CMakeLists.txt | 3 +- cmake/OpenSSLTests.cmake | 105 ++++++++++++++++++++++----------------- config.h.in | 3 -- src/Analyzer.cc | 4 -- src/AnalyzerTags.h | 4 -- src/CMakeLists.txt | 14 ++++-- src/ChunkedIO.cc | 8 +-- src/ChunkedIO.h | 19 +++---- src/File.cc | 26 ---------- src/File.h | 4 -- src/RemoteSerializer.cc | 19 ------- src/SSL-binpac.cc | 5 -- src/SSLInterpreter.cc | 7 --- src/main.cc | 4 -- src/ssl-analyzer.pac | 13 ----- 16 files changed, 81 insertions(+), 161 deletions(-) diff --git a/BuildOptions.cmake b/BuildOptions.cmake index 4bb3c79d98..0a9410c3fd 100644 --- a/BuildOptions.cmake +++ b/BuildOptions.cmake @@ -50,6 +50,9 @@ set(USE_NB_DNS true ## Configure Dependencies for Non-Standard Paths ## +# Uncomment to specific a custom prefix containing the OpenSSL installation. +#set(OPENSSL_ROOT_DIR path/to/your/openssl) + # Uncomment to specify a custom prefix that contains the libpcap installation. #set(PCAP_ROOT path/to/your/pcap) @@ -66,7 +69,6 @@ set(USE_NB_DNS true # Perl? # BinPAC # -# OpenSSL # Libmagic # LibGeoIP # Libz diff --git a/CMakeLists.txt b/CMakeLists.txt index 9f7c5dfef6..7a8fe6f85e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -44,9 +44,10 @@ find_package(FLEX REQUIRED) find_package(BISON REQUIRED) find_package(PCAP REQUIRED) include_directories(BEFORE ${PCAP_INCLUDE_DIR}) +find_package(OpenSSL REQUIRED) +include_directories(BEFORE ${OPENSSL_INCLUDE_DIR}) # TODO: find bind8 lib? -# TODO: require OpenSSL # TODO: optional libmagic # TODO: optional libGeoIP # TODO: optional libz diff --git a/cmake/OpenSSLTests.cmake b/cmake/OpenSSLTests.cmake index b588cc311e..d8212ade43 100644 --- a/cmake/OpenSSLTests.cmake 
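Review bot: The new BuildOptions.cmake comment introduced in this hunk reads `# Uncomment to specific a custom prefix containing the OpenSSL installation.`; "specific" should be "specify", matching the libpcap line directly below it. Suggested wording: `# Uncomment to specify a custom prefix containing the OpenSSL installation.` This is user-facing build documentation, so it is worth fixing before the option is advertised as the supported way to point at a non-default OpenSSL.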
+++ b/cmake/OpenSSLTests.cmake 
@@ -1,56 +1,69 @@ -if (USE_OPENSSL) +include(CheckCSourceCompiles) +include(CheckCXXSourceCompiles) + +check_c_source_compiles(" + #include + int main() { return 0; } +" including_ssl_h_works) + +if (NOT including_ssl_h_works) + # On Red Hat we may need to include Kerberos header. + set(CMAKE_REQUIRED_INCLUDES "/usr/kerberos/include") check_c_source_compiles(" + #include #include int main() { return 0; } - " including_ssl_h_works) - - if (NOT including_ssl_h_works) - # On Red Hat we may need to include Kerberos header. - set(CMAKE_REQUIRED_INCLUDES "/usr/kerberos/include") - check_c_source_compiles(" - #include - #include - int main() { return 0; } - " NEED_KRB5_H) - unset(CMAKE_REQUIRED_INCLUDES) - if (NOT NEED_KRB5_H) - message(WARNING "Can't compile OpenSSL test; disabling OpenSSL") - set(USE_OPENSSL false) - else () - message(STATUS "OpenSSL requires Kerberos header") - include_directories("/usr/kerberos/include") - endif () + " NEED_KRB5_H) + unset(CMAKE_REQUIRED_INCLUDES) + if (NOT NEED_KRB5_H) + message(FATAL_ERROR + "OpenSSL test failure. 
See CmakeError.log for details.") + else () + message(STATUS "OpenSSL requires Kerberos header") + include_directories("/usr/kerberos/include") endif () -endif() +endif () -if (USE_OPENSSL) - # check for OPENSSL_add_all_algorithms_conf function - # and thus OpenSSL >= v0.9.7 - set(CMAKE_REQUIRED_LIBRARIES crypto ssl) - check_c_source_compiles(" - #include +# check for OPENSSL_add_all_algorithms_conf function +# and thus OpenSSL >= v0.9.7 +set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES}) +check_c_source_compiles(" + #include + int main() { + OPENSSL_add_all_algorithms_conf(); + return 0; + } +" openssl_greater_than_0_9_7) +unset(CMAKE_REQUIRED_LIBRARIES) +if (NOT openssl_greater_than_0_9_7) + message(FATAL_ERROR "OpenSSL >= v0.9.7 required") +endif () + +set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES}) +check_cxx_source_compiles(" +#include + int main() { + const unsigned char** cpp = 0; + X509** x =0; + d2i_X509(x, cpp, 0); + return 0; + } +" OPENSSL_D2I_X509_USES_CONST_CHAR) + +if (NOT OPENSSL_D2I_X509_USES_CONST_CHAR) + # double check that it compiles without const + check_cxx_source_compiles(" + #include int main() { - OPENSSL_add_all_algorithms_conf(); + unsigned char** cpp = 0; + X509** x =0; + d2i_X509(x, cpp, 0); return 0; } - " USE_OPENSSL) - unset(CMAKE_REQUIRED_LIBRARIES) - if (NOT USE_OPENSSL) - message(WARNING "OpenSSL >= v0.9.7 required; disabling OpenSSL") + " OPENSSL_D2I_X509_USES_CHAR) + if (NOT OPENSSL_D2I_X509_USES_CHAR) + message(FATAL_ERROR + "Can't determine if openssl_d2i_x509() takes const char parameter") endif () endif () - -if (USE_OPENSSL) - set(CMAKE_REQUIRED_LIBRARIES crypto) - file(READ "${CONFTEST_DIR}/openssl_d2i_x509_const.c" CONFTEST) - check_cxx_source_compiles("${CONFTEST}" OPENSSL_D2I_X509_USES_CONST_CHAR) - if (NOT OPENSSL_D2I_X509_USES_CONST_CHAR) - file(READ "${CONFTEST_DIR}/openssl_d2i_x509.c" CONFTEST) - # double check - check_cxx_source_compiles("${CONFTEST}" OPENSSL_D2I_X509_USES_CHAR) - if (NOT 
OPENSSL_D2I_X509_USES_CHAR) - message(FATAL_ERROR "Can't determine if openssl_d2i_x509() takes a const char parameter") - endif (NOT OPENSSL_D2I_X509_USES_CHAR) - endif (NOT OPENSSL_D2I_X509_USES_CONST_CHAR) - unset(CMAKE_REQUIRED_LIBRARIES) -endif () +unset(CMAKE_REQUIRED_LIBRARIES) diff --git a/config.h.in b/config.h.in index ca9d157ef7..109fb37ac5 100644 --- a/config.h.in +++ b/config.h.in @@ -195,9 +195,6 @@ /* Use libclamav */ #undef USE_LIBCLAMAV -/* Use OpenSSL */ -#undef USE_OPENSSL - /* Use Google's perftools */ #undef USE_PERFTOOLS diff --git a/src/Analyzer.cc b/src/Analyzer.cc index 6ad1f7998f..c323f99e23 100644 --- a/src/Analyzer.cc +++ b/src/Analyzer.cc @@ -113,10 +113,8 @@ const Analyzer::Config Analyzer::analyzer_configs[] = { SMTP_Analyzer::Available, 0, false }, { AnalyzerTag::SSH, "SSH", SSH_Analyzer::InstantiateAnalyzer, SSH_Analyzer::Available, 0, false }, -#ifdef USE_OPENSSL { AnalyzerTag::SSL, "SSL", SSLProxy_Analyzer::InstantiateAnalyzer, SSLProxy_Analyzer::Available, 0, false }, -#endif { AnalyzerTag::Telnet, "TELNET", Telnet_Analyzer::InstantiateAnalyzer, Telnet_Analyzer::Available, 0, false }, @@ -167,9 +165,7 @@ const Analyzer::Config Analyzer::analyzer_configs[] = { { AnalyzerTag::Contents_SMB, "CONTENTS_SMB", 0, 0, 0, false }, { AnalyzerTag::Contents_RPC, "CONTENTS_RPC", 0, 0, 0, false }, { AnalyzerTag::Contents_NFS, "CONTENTS_NFS", 0, 0, 0, false }, -#ifdef USE_OPENSSL { AnalyzerTag::Contents_SSL, "CONTENTS_SSL", 0, 0, 0, false }, -#endif }; AnalyzerTimer::~AnalyzerTimer() diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h index eafa5de300..9bf3efbd3c 100644 --- a/src/AnalyzerTags.h +++ b/src/AnalyzerTags.h @@ -29,9 +29,7 @@ namespace AnalyzerTag { DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC, Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin, RPC, Rsh, SMB, SMTP, SSH, -#ifdef USE_OPENSSL SSL, -#endif Telnet, // Application-layer analyzers, binpac-generated. 
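Review bot: None of the three probes in the rewritten OpenSSLTests.cmake passes `${OPENSSL_INCLUDE_DIR}` through `CMAKE_REQUIRED_INCLUDES`, so they compile against whatever OpenSSL the compiler's default search path finds rather than the one `find_package(OpenSSL REQUIRED)` selected; with the `OPENSSL_ROOT_DIR` override this same commit documents in BuildOptions.cmake, the `including_ssl_h_works` check can fail outright, or the version and `d2i_X509` const-ness results can describe a different library than the one that ends up in `${OPENSSL_LIBRARIES}`. Set `set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})` before the first `check_c_source_compiles`, make the Kerberos retry `set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR} /usr/kerberos/include)`, and `unset(CMAKE_REQUIRED_INCLUDES)` after the last probe next to the existing `unset(CMAKE_REQUIRED_LIBRARIES)`. The Kerberos branch also feeds `NEED_KRB5_H` into the `#ifdef NEED_KRB5_H` blocks in ChunkedIO.h and File.h, which only works if config.h.in still carries a matching `#undef NEED_KRB5_H`; the config.h.in hunk in this commit removes only `USE_OPENSSL`, so that entry is presumably elsewhere in the template and is worth confirming. For the version floor, comparing `OPENSSL_VERSION_NUMBER` in the probe would be more direct than inferring ">= 0.9.7" from the presence of one symbol, but that is secondary.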
@@ -45,9 +43,7 @@ namespace AnalyzerTag { Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP, Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh, Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS, -#ifdef USE_OPENSSL Contents_SSL, -#endif // End-marker. LastAnalyzer }; diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index da0fe69b38..bb22005f2e 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -193,10 +193,8 @@ if (HAVE_NB_DNS) set(dns_SRCS nb_dns.c nb_dns.h) endif () -if (USE_OPENSSL) - set(openssl_SRCS X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc - SSLv2.cc SSLv3.cc SSLv3Automaton.cc) -endif () +set(openssl_SRCS X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc + SSLv2.cc SSLv3.cc SSLv3Automaton.cc) if (USE_NMALLOC) set(malloc_SRCS malloc.c) @@ -382,6 +380,12 @@ add_executable(bro ${bro_SRCS}) add_dependencies(bro make_dbg_constants) -target_link_libraries(bro m binpac_lib ${PCAP_LIBRARY} resolv) +target_link_libraries(bro + m + resolv + binpac_lib + ${PCAP_LIBRARY} + ${OPENSSL_LIBRARIES} +) install(TARGETS bro DESTINATION bin) diff --git a/src/ChunkedIO.cc b/src/ChunkedIO.cc index 7eb2158184..0db5675766 100644 --- a/src/ChunkedIO.cc +++ b/src/ChunkedIO.cc @@ -7,6 +7,7 @@ #include #include #include +#include #include "config.h" #include "ChunkedIO.h" @@ -650,11 +651,6 @@ void ChunkedIOFd::Stats(char* buffer, int length) ChunkedIO::Stats(buffer + i, length - i); } - -#ifdef USE_OPENSSL - -#include - SSL_CTX* ChunkedIOSSL::ctx; ChunkedIOSSL::ChunkedIOSSL(int arg_socket, bool arg_server) @@ -1174,8 +1170,6 @@ void ChunkedIOSSL::Stats(char* buffer, int length) ChunkedIO::Stats(buffer + i, length - i); } -#endif /* USE_OPENSSL */ - #ifdef HAVE_LIBZ bool CompressedChunkedIO::Init() diff --git a/src/ChunkedIO.h b/src/ChunkedIO.h index 393f6c8d5d..516f0f7ddc 100644 --- a/src/ChunkedIO.h +++ b/src/ChunkedIO.h 
@@ -11,6 +11,13 @@ #include +#ifdef NEED_KRB5_H +# include +#endif + +#include +#include + class CompressedChunkedIO; // #define DEBUG_COMMUNICATION 10 @@ -214,17 +221,7 @@ private: pid_t pid; }; -#ifdef USE_OPENSSL - -#ifdef NEED_KRB5_H -# include -#endif - -#include -#include - // Chunked I/O using an SSL connection. - class ChunkedIOSSL : public ChunkedIO { public: // Argument is an open socket and a flag indicating whether we are the @@ -287,8 +284,6 @@ private: static SSL_CTX* ctx; }; -#endif /* USE_OPENSSL */ - #ifdef HAVE_LIBZ #include diff --git a/src/File.cc b/src/File.cc index d7bc408bdf..3d3401471f 100644 --- a/src/File.cc +++ b/src/File.cc @@ -233,10 +233,7 @@ BroFile::~BroFile() delete [] name; delete [] access; - -#ifdef USE_OPENSSL delete [] cipher_buffer; -#endif #ifdef USE_PERFTOOLS heap_checker->UnIgnoreObject(this); @@ -257,12 +254,9 @@ void BroFile::Init() print_hook = true; raw_output = false; t = 0; - -#ifdef USE_OPENSSL pub_key = 0; cipher_ctx = 0; cipher_buffer = 0; -#endif #ifdef USE_PERFTOOLS heap_checker->IgnoreObject(this); @@ -348,9 +342,7 @@ int BroFile::Close() if ( ! is_open ) return 1; -#ifdef USE_OPENSSL FinishEncrypt(); -#endif // Do not close stdout/stderr. if ( f == stdout || f == stderr ) @@ -640,19 +632,6 @@ void BroFile::CloseCachedFiles() } } -#ifndef USE_OPENSSL - -void BroFile::InitEncrypt(const char* keyfile) - { - if ( keyfile ) - { - error("file encryption requested, but OpenSSL support not compiled in."); - Close(); - } - } - -#else - void BroFile::InitEncrypt(const char* keyfile) { if ( ! (pub_key || keyfile) ) @@ -716,14 +695,12 @@ void BroFile::InitEncrypt(const char* keyfile) int buf_size = MIN_BUFFER_SIZE + EVP_CIPHER_block_size(cipher_type); cipher_buffer = new unsigned char[buf_size]; } -#endif void BroFile::FinishEncrypt() { if ( ! is_open ) return; -#ifdef USE_OPENSSL if ( ! pub_key ) return; @@ -742,7 +719,6 @@ void BroFile::FinishEncrypt() delete cipher_ctx; cipher_ctx = 0; } -#endif } 
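Review bot: The `#ifdef NEED_KRB5_H` block moved to the top of ChunkedIO.h in the `@@ -11,6 +11,13 @@` hunk is evaluated before any `config.h` unless the header pulls it in itself; the context `#include` directly above it has lost its target in this view, so if it is not `config.h`, `NEED_KRB5_H` is silently undefined and `<krb5.h>` is skipped exactly on the Red Hat layouts the configure check exists for. ChunkedIO.cc does include `config.h` before `ChunkedIO.h`, but any other includer of the header gets whatever order it happens to use, and the failure mode is a compile error that depends on include order rather than on configuration. Making `#include "config.h"` the first include of ChunkedIO.h removes the ordering dependency; the identical pattern that this commit leaves in place at the top of File.h has the same consideration.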
@@ -757,7 +733,6 @@ int BroFile::Write(const char* data, int len) if ( ! len ) len = strlen(data); -#ifdef USE_OPENSSL if ( cipher_ctx ) { while ( len ) @@ -789,7 +764,6 @@ int BroFile::Write(const char* data, int len) return 1; } -#endif len = fwrite(data, 1, len, f); if ( len <= 0 ) diff --git a/src/File.h b/src/File.h index aa76b665b6..250729532d 100644 --- a/src/File.h +++ b/src/File.h @@ -10,7 +10,6 @@ #include "Obj.h" #include "Attr.h" -#ifdef USE_OPENSSL # ifdef NEED_KRB5_H # include # endif // NEED_KRB5_H @@ -19,7 +18,6 @@ extern "C" { # include "openssl/pem.h" # include "openssl/err.h" } -#endif class BroType; class RotateTimer; @@ -149,13 +147,11 @@ protected: static double default_rotation_interval; static double default_rotation_size; -#ifdef USE_OPENSSL EVP_PKEY* pub_key; EVP_CIPHER_CTX* cipher_ctx; static const int MIN_BUFFER_SIZE = 1024; unsigned char* cipher_buffer; -#endif }; diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 53429ff548..8577435502 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -1170,14 +1170,6 @@ bool RemoteSerializer::Listen(addr_type ip, uint16 port, bool expect_ssl) if ( ! using_communication ) return true; -#ifndef USE_OPENSSL - if ( expect_ssl ) - { - Error("listening for SSL connections requested, but SSL support is not compiled in"); - return false; - } -#endif - if ( ! initialized ) internal_error("remote serializer not initialized"); @@ -3481,13 +3473,7 @@ bool SocketComm::Connect(Peer* peer) { if ( peer->ssl ) { -#ifdef USE_OPENSSL peer->io = new ChunkedIOSSL(sockfd, false); -#else - run_time("SSL connection requested, but SSL support not compiled in"); - CloseConnection(peer, false); - return 0; -#endif } else peer->io = new ChunkedIOFd(sockfd, "child->peer"); 
@@ -3621,15 +3607,10 @@ bool SocketComm::AcceptConnection(int fd) peer->ssl = (fd == listen_fd_ssl); peer->compressor = false; -#ifdef USE_OPENSSL if ( peer->ssl ) peer->io = new ChunkedIOSSL(clientfd, true); else peer->io = new ChunkedIOFd(clientfd, "child->peer"); -#else - assert(! peer->ssl); - peer->io = new ChunkedIOFd(clientfd, "child->peer"); -#endif if ( ! peer->io->Init() ) { diff --git a/src/SSL-binpac.cc b/src/SSL-binpac.cc index 73f2852aa7..551861aaee 100644 --- a/src/SSL-binpac.cc +++ b/src/SSL-binpac.cc @@ -71,10 +71,5 @@ void SSL_Analyzer_binpac::generate_warnings() if ( ssl_store_key_material ) warn_("storage of key material (ssl_store_key_material) not supported"); -#ifndef USE_OPENSSL - if ( ssl_verify_certificates ) - warn_("verification of certificates (ssl_verify_certificates) not supported due to non-existing OpenSSL support"); -#endif - warnings_generated = true; } diff --git a/src/SSLInterpreter.cc b/src/SSLInterpreter.cc index 0f12915ef5..7e185c9e7f 100644 --- a/src/SSLInterpreter.cc +++ b/src/SSLInterpreter.cc @@ -3,9 +3,7 @@ #include "SSLInterpreter.h" #include "SSLv2.h" -#ifdef USE_OPENSSL #include "X509.h" -#endif #include #include @@ -173,17 +171,12 @@ void SSL_Interpreter::analyzeCertificate(SSL_InterpreterEndpoint* s, int invalid = 0; switch ( type ) { case SSLv2_CT_X509_CERTIFICATE: -#ifdef USE_OPENSSL if ( ! isChain ) invalid = X509_Cert::verify(s->GetProxyEndpoint(), pCert, certLength); else invalid = X509_Cert::verifyChain(s->GetProxyEndpoint(), data, length); -#else - proxy->Weak("SSL: Could not verify certificate (missing OpenSSL support)!"); - invalid = 0; -#endif break; default: diff --git a/src/main.cc b/src/main.cc index 21b8166267..94acddd962 100644 --- a/src/main.cc +++ b/src/main.cc @@ -18,9 +18,7 @@ extern "C" { } #endif -#ifdef USE_OPENSSL extern "C" void OPENSSL_add_all_algorithms_conf(void); -#endif #include "bsd-getopt-long.h" #include "input.h" 
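Review bot: The hand-written prototype `extern "C" void OPENSSL_add_all_algorithms_conf(void);` in the main.cc hunk is now unconditional, which leaves main.cc as the one place in the tree that declares an OpenSSL symbol itself instead of taking the declaration from the library's header. A local copy drifts silently: if the installed OpenSSL ever provides the name with a different signature or as a macro, the hand declaration either fails to compile or calls something other than intended, and the `openssl_greater_than_0_9_7` configure probe added in this same commit already compiles the call against an OpenSSL header rather than a hand declaration. Replace the extern line with `#include <openssl/evp.h>` (and, if they are not already pulled in above this hunk, the headers for `SSL_library_init()` and `ERR_load_crypto_strings()`, which the second main.cc hunk calls).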
@@ -663,7 +661,6 @@ int main(int argc, char** argv) // DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key)); init_hash_function(); -#ifdef USE_OPENSSL ERR_load_crypto_strings(); OPENSSL_add_all_algorithms_conf(); SSL_library_init(); @@ -672,7 +669,6 @@ int main(int argc, char** argv) // FIXME: On systems that don't provide /dev/urandom, OpenSSL doesn't // seed the PRNG. We should do this here (but at least Linux, FreeBSD // and Solaris provide /dev/urandom). -#endif if ( (interfaces.length() > 0 || netflows.length() > 0) && (read_files.length() > 0 || flow_files.length() > 0 )) diff --git a/src/ssl-analyzer.pac b/src/ssl-analyzer.pac index bbebdc0fa3..d08be0c886 100644 --- a/src/ssl-analyzer.pac +++ b/src/ssl-analyzer.pac @@ -10,11 +10,9 @@ #include "util.h" -#ifdef USE_OPENSSL #include #include #include "X509.h" -#endif %} @@ -27,14 +25,11 @@ } }; -#ifdef USE_OPENSSL void free_X509(void *); X509* d2i_X509_binpac(X509** px, const uint8** in, int len); -#endif %} %code{ -#ifdef USE_OPENSSL void free_X509(void* cert) { X509_free((X509*) cert); @@ -48,8 +43,6 @@ return d2i_X509(px, (u_char**) in, len); #endif } - -#endif %} @@ -123,10 +116,8 @@ refine analyzer SSLAnalyzer += { version_ = -1; cipher_ = -1; -#ifdef USE_OPENSSL if ( ! X509_Cert::bInited ) X509_Cert::init(); -#endif %} %eof{ @@ -172,12 +163,10 @@ refine analyzer SSLAnalyzer += { function certificate_error(err_num : int) : void %{ -#ifdef USE_OPENSSL StringVal* err_str = new StringVal(X509_verify_cert_error_string(err_num)); bro_event_ssl_X509_error(bro_analyzer_, bro_analyzer_->Conn(), err_num, err_str); -#endif %} function proc_change_cipher_spec(msg : ChangeCipherSpec) : bool @@ -331,7 +320,6 @@ refine analyzer SSLAnalyzer += { bro_analyzer_->Conn(), ! current_record_is_orig_); -#ifdef USE_OPENSSL const bytestring& cert = (*certificates)[0]; const uint8* data = cert.data(); @@ -421,7 +409,6 @@ refine analyzer SSLAnalyzer += { } X509_free(pCert); -#endif return true; %}
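Review bot: The `// FIXME: On systems that don't provide /dev/urandom, OpenSSL doesn't seed the PRNG` note that this hunk un-guards now applies to every build, yet nothing after `SSL_library_init()` checks that seeding actually happened, even though `ChunkedIOSSL` (RemoteSerializer.cc hunks) and `BroFile::InitEncrypt` (File.cc hunks) now depend on OpenSSL's RNG unconditionally. Add a check immediately after `SSL_library_init();`, for example `if ( ! RAND_status() ) fprintf(stderr, "warning: OpenSSL PRNG is not seeded; SSL peers and encrypted files will fail or be unsafe\n");`, and consider making it fatal when SSL communication or file encryption is actually requested; this needs `<openssl/rand.h>`, which may or may not already be included above this hunk. The enclosing `main()` starts and ends outside the hunk.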