Changes to make OpenSSL a requirement.

Preprocessor conditionals dependent on definition of USE_OPENSSL have been straightened out.
2025-10-02 14:48:21 +00:00 · 2010-10-19 12:09:10 -05:00 · 2010-10-19 12:09:10 -05:00 · 2bd8f42c15
commit 2bd8f42c15
parent efc8b24576
16 changed files with 81 additions and 161 deletions
--- a/BuildOptions.cmake
+++ b/BuildOptions.cmake
@ -50,6 +50,9 @@ set(USE_NB_DNS true
 ## Configure Dependencies for Non-Standard Paths
 ##
 # Uncomment to specific a custom prefix containing the OpenSSL installation.
 #set(OPENSSL_ROOT_DIR path/to/your/openssl)
 # Uncomment to specify a custom prefix that contains the libpcap installation.
 #set(PCAP_ROOT path/to/your/pcap)
@ -66,7 +69,6 @@ set(USE_NB_DNS true
 # Perl?
 # BinPAC
 #
 # OpenSSL
 # Libmagic
 # LibGeoIP
 # Libz
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -44,9 +44,10 @@ find_package(FLEX REQUIRED)
 find_package(BISON REQUIRED)
 find_package(PCAP REQUIRED)
 include_directories(BEFORE ${PCAP_INCLUDE_DIR})
 find_package(OpenSSL REQUIRED)
 include_directories(BEFORE ${OPENSSL_INCLUDE_DIR})
 # TODO: find bind8 lib?
 # TODO: require OpenSSL
 # TODO: optional libmagic
 # TODO: optional libGeoIP
 # TODO: optional libz
--- a/cmake/OpenSSLTests.cmake
+++ b/cmake/OpenSSLTests.cmake
@ -1,56 +1,69 @@
-if (USE_OPENSSL)
+include(CheckCSourceCompiles)
 include(CheckCXXSourceCompiles)
 check_c_source_compiles("
    #include <openssl/ssl.h>
    int main() { return 0; }
 " including_ssl_h_works)
 if (NOT including_ssl_h_works)
    # On Red Hat we may need to include Kerberos header.
    set(CMAKE_REQUIRED_INCLUDES "/usr/kerberos/include")
    check_c_source_compiles("
        #include <krb5.h>
        #include <openssl/ssl.h>
        int main() { return 0; }
-    " including_ssl_h_works)
+    " NEED_KRB5_H)
-
+    unset(CMAKE_REQUIRED_INCLUDES)
-    if (NOT including_ssl_h_works)
+    if (NOT NEED_KRB5_H)
-        # On Red Hat we may need to include Kerberos header.
+        message(FATAL_ERROR
-        set(CMAKE_REQUIRED_INCLUDES "/usr/kerberos/include")
+            "OpenSSL test failure.  See CmakeError.log for details.")
-        check_c_source_compiles("
+    else ()
-            #include <krb5.h>
+        message(STATUS "OpenSSL requires Kerberos header")
-            #include <openssl/ssl.h>
+        include_directories("/usr/kerberos/include")
            int main() { return 0; }
        " NEED_KRB5_H)
        unset(CMAKE_REQUIRED_INCLUDES)
        if (NOT NEED_KRB5_H)
            message(WARNING "Can't compile OpenSSL test; disabling OpenSSL")
            set(USE_OPENSSL false)
        else ()
            message(STATUS "OpenSSL requires Kerberos header")
            include_directories("/usr/kerberos/include")
        endif ()
    endif ()
-endif()
+endif ()
-if (USE_OPENSSL)
+# check for OPENSSL_add_all_algorithms_conf function
-    # check for OPENSSL_add_all_algorithms_conf function
+# and thus OpenSSL >= v0.9.7
-    # and thus OpenSSL >= v0.9.7
+set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES})
-    set(CMAKE_REQUIRED_LIBRARIES crypto ssl)
+check_c_source_compiles("
-    check_c_source_compiles("
+    #include <openssl/evp.h>
-        #include <openssl/evp.h>
+    int main() {
        OPENSSL_add_all_algorithms_conf();
        return 0;
    }
 " openssl_greater_than_0_9_7)
 unset(CMAKE_REQUIRED_LIBRARIES)
 if (NOT openssl_greater_than_0_9_7)
    message(FATAL_ERROR "OpenSSL >= v0.9.7 required")
 endif ()
 set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES})
 check_cxx_source_compiles("
 #include <openssl/x509.h>
    int main() {
        const unsigned char** cpp = 0;
        X509** x =0;
        d2i_X509(x, cpp, 0);
        return 0;
    }
 " OPENSSL_D2I_X509_USES_CONST_CHAR)
 if (NOT OPENSSL_D2I_X509_USES_CONST_CHAR)
    # double check that it compiles without const
    check_cxx_source_compiles("
        #include <openssl/x509.h>
        int main() {
-            OPENSSL_add_all_algorithms_conf();
+            unsigned char** cpp = 0;
            X509** x =0;
            d2i_X509(x, cpp, 0);
            return 0;
        }
-    " USE_OPENSSL)
+        " OPENSSL_D2I_X509_USES_CHAR)
-    unset(CMAKE_REQUIRED_LIBRARIES)
+    if (NOT OPENSSL_D2I_X509_USES_CHAR)
-    if (NOT USE_OPENSSL)
+        message(FATAL_ERROR
-        message(WARNING "OpenSSL >= v0.9.7 required; disabling OpenSSL")
+            "Can't determine if openssl_d2i_x509() takes const char parameter")
    endif ()
 endif ()
-
+unset(CMAKE_REQUIRED_LIBRARIES)
 if (USE_OPENSSL)
    set(CMAKE_REQUIRED_LIBRARIES crypto)
    file(READ "${CONFTEST_DIR}/openssl_d2i_x509_const.c" CONFTEST)
    check_cxx_source_compiles("${CONFTEST}" OPENSSL_D2I_X509_USES_CONST_CHAR)
    if (NOT OPENSSL_D2I_X509_USES_CONST_CHAR)
        file(READ "${CONFTEST_DIR}/openssl_d2i_x509.c" CONFTEST)
        # double check
        check_cxx_source_compiles("${CONFTEST}" OPENSSL_D2I_X509_USES_CHAR)
        if (NOT OPENSSL_D2I_X509_USES_CHAR)
            message(FATAL_ERROR "Can't determine if openssl_d2i_x509() takes a const char parameter")
        endif (NOT OPENSSL_D2I_X509_USES_CHAR)
    endif (NOT OPENSSL_D2I_X509_USES_CONST_CHAR)
    unset(CMAKE_REQUIRED_LIBRARIES)
 endif ()
--- a/config.h.in
+++ b/config.h.in
@ -195,9 +195,6 @@
 /* Use libclamav */
 #undef USE_LIBCLAMAV
 /* Use OpenSSL */
 #undef USE_OPENSSL
 /* Use Google's perftools */
 #undef USE_PERFTOOLS
--- a/src/Analyzer.cc
+++ b/src/Analyzer.cc
@ -113,10 +113,8 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 		SMTP_Analyzer::Available, 0, false },
 	{ AnalyzerTag::SSH, "SSH", SSH_Analyzer::InstantiateAnalyzer,
 		SSH_Analyzer::Available, 0, false },
 #ifdef USE_OPENSSL
 	{ AnalyzerTag::SSL, "SSL", SSLProxy_Analyzer::InstantiateAnalyzer,
 		SSLProxy_Analyzer::Available, 0, false },
 #endif
 	{ AnalyzerTag::Telnet, "TELNET", Telnet_Analyzer::InstantiateAnalyzer,
 		Telnet_Analyzer::Available, 0, false },
@ -167,9 +165,7 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 	{ AnalyzerTag::Contents_SMB, "CONTENTS_SMB", 0, 0, 0, false },
 	{ AnalyzerTag::Contents_RPC, "CONTENTS_RPC", 0, 0, 0, false },
 	{ AnalyzerTag::Contents_NFS, "CONTENTS_NFS", 0, 0, 0, false },
 #ifdef USE_OPENSSL
 	{ AnalyzerTag::Contents_SSL, "CONTENTS_SSL", 0, 0, 0, false },
 #endif
 };
 AnalyzerTimer::~AnalyzerTimer()
--- a/src/AnalyzerTags.h
+++ b/src/AnalyzerTags.h
@ -29,9 +29,7 @@ namespace AnalyzerTag {
 		DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC,
 		Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin,
 		RPC, Rsh, SMB, SMTP, SSH,
 #ifdef USE_OPENSSL
 		SSL,
 #endif
 		Telnet,
 		// Application-layer analyzers, binpac-generated.
@ -45,9 +43,7 @@ namespace AnalyzerTag {
 		Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP,
 		Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh,
 		Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS,
 #ifdef USE_OPENSSL
 		Contents_SSL,
 #endif
 		// End-marker.
 		LastAnalyzer
 	};
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -193,10 +193,8 @@ if (HAVE_NB_DNS)
    set(dns_SRCS nb_dns.c nb_dns.h)
 endif ()
-if (USE_OPENSSL)
+set(openssl_SRCS X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc
-    set(openssl_SRCS X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc
+                 SSLv2.cc SSLv3.cc SSLv3Automaton.cc)
                     SSLv2.cc SSLv3.cc SSLv3Automaton.cc)
 endif ()
 if (USE_NMALLOC)
    set(malloc_SRCS malloc.c)
@ -382,6 +380,12 @@ add_executable(bro ${bro_SRCS})
 add_dependencies(bro make_dbg_constants)
-target_link_libraries(bro m binpac_lib ${PCAP_LIBRARY} resolv)
+target_link_libraries(bro
                      m
                      resolv
                      binpac_lib
                      ${PCAP_LIBRARY}
                      ${OPENSSL_LIBRARIES}
 )
 install(TARGETS bro DESTINATION bin)
--- a/src/ChunkedIO.cc
+++ b/src/ChunkedIO.cc
@ -7,6 +7,7 @@
 #include <sys/time.h>
 #include <netinet/in.h>
 #include <assert.h>
 #include <openssl/ssl.h>
 #include "config.h"
 #include "ChunkedIO.h"
@ -650,11 +651,6 @@ void ChunkedIOFd::Stats(char* buffer, int length)
 	ChunkedIO::Stats(buffer + i, length - i);
 	}
 #ifdef USE_OPENSSL
 #include <openssl/ssl.h>
 SSL_CTX* ChunkedIOSSL::ctx;
 ChunkedIOSSL::ChunkedIOSSL(int arg_socket, bool arg_server)
@ -1174,8 +1170,6 @@ void ChunkedIOSSL::Stats(char* buffer, int length)
 	ChunkedIO::Stats(buffer + i, length - i);
 	}
 #endif	/* USE_OPENSSL */
 #ifdef HAVE_LIBZ
 bool CompressedChunkedIO::Init()
--- a/src/ChunkedIO.h
+++ b/src/ChunkedIO.h
@ -11,6 +11,13 @@
 #include <list>
 #ifdef NEED_KRB5_H
 # include <krb5.h>
 #endif 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 class CompressedChunkedIO;
 // #define DEBUG_COMMUNICATION 10
@ -214,17 +221,7 @@ private:
 	pid_t pid;
 };
 #ifdef USE_OPENSSL
 #ifdef NEED_KRB5_H
 # include <krb5.h>
 #endif 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 // Chunked I/O using an SSL connection.
 class ChunkedIOSSL : public ChunkedIO {
 public:
 	// Argument is an open socket and a flag indicating whether we are the
@ -287,8 +284,6 @@ private:
 	static SSL_CTX* ctx;
 };
 #endif	/* USE_OPENSSL */
 #ifdef HAVE_LIBZ
 #include <zlib.h>
--- a/src/File.cc
+++ b/src/File.cc
@ -233,10 +233,7 @@ BroFile::~BroFile()
 	delete [] name;
 	delete [] access;
 #ifdef USE_OPENSSL
 	delete [] cipher_buffer;
 #endif
 #ifdef USE_PERFTOOLS
 	heap_checker->UnIgnoreObject(this);
@ -257,12 +254,9 @@ void BroFile::Init()
 	print_hook = true;
 	raw_output = false;
 	t = 0;
 #ifdef USE_OPENSSL
 	pub_key = 0;
 	cipher_ctx = 0;
 	cipher_buffer = 0;
 #endif
 #ifdef USE_PERFTOOLS
 	heap_checker->IgnoreObject(this);
@ -348,9 +342,7 @@ int BroFile::Close()
 	if ( ! is_open )
 		return 1;
 #ifdef USE_OPENSSL
 	FinishEncrypt();
 #endif
 	// Do not close stdout/stderr.
 	if ( f == stdout || f == stderr )
@ -640,19 +632,6 @@ void BroFile::CloseCachedFiles()
 		}
 	}
 #ifndef USE_OPENSSL
 void BroFile::InitEncrypt(const char* keyfile)
 	{
 	if ( keyfile )
 		{
 		error("file encryption requested, but OpenSSL support not compiled in.");
 		Close();
 		}
 	}
 #else
 void BroFile::InitEncrypt(const char* keyfile)
 	{
 	if ( ! (pub_key || keyfile) )
@ -716,14 +695,12 @@ void BroFile::InitEncrypt(const char* keyfile)
 	int buf_size = MIN_BUFFER_SIZE + EVP_CIPHER_block_size(cipher_type);
 	cipher_buffer = new unsigned char[buf_size];
 	}
 #endif
 void BroFile::FinishEncrypt()
 	{
 	if ( ! is_open )
 		return;
 #ifdef USE_OPENSSL
 	if ( ! pub_key )
 		return;
@ -742,7 +719,6 @@ void BroFile::FinishEncrypt()
 		delete cipher_ctx;
 		cipher_ctx = 0;
 		}
 #endif
 	}
@ -757,7 +733,6 @@ int BroFile::Write(const char* data, int len)
 	if ( ! len )
 		len = strlen(data);
 #ifdef USE_OPENSSL
 	if ( cipher_ctx )
 		{
 		while ( len )
@ -789,7 +764,6 @@ int BroFile::Write(const char* data, int len)
 		return 1;
 		}
 #endif
 	len = fwrite(data, 1, len, f);
 	if ( len <= 0 )
--- a/src/File.h
+++ b/src/File.h
@ -10,7 +10,6 @@
 #include "Obj.h"
 #include "Attr.h"
 #ifdef USE_OPENSSL
 # ifdef NEED_KRB5_H
 #  include <krb5.h>
 # endif // NEED_KRB5_H
@ -19,7 +18,6 @@ extern "C" {
 # include "openssl/pem.h"
 # include "openssl/err.h"
 }
 #endif
 class BroType;
 class RotateTimer;
@ -149,13 +147,11 @@ protected:
 	static double default_rotation_interval;
 	static double default_rotation_size;
 #ifdef USE_OPENSSL
 	EVP_PKEY* pub_key;
 	EVP_CIPHER_CTX* cipher_ctx;
 	static const int MIN_BUFFER_SIZE = 1024;
 	unsigned char* cipher_buffer;
 #endif
 };
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@ -1170,14 +1170,6 @@ bool RemoteSerializer::Listen(addr_type ip, uint16 port, bool expect_ssl)
 	if ( ! using_communication )
 		return true;
 #ifndef USE_OPENSSL
 	if ( expect_ssl )
 		{
 		Error("listening for SSL connections requested, but SSL support is not compiled in");
 		return false;
 		}
 #endif
 	if ( ! initialized )
 		internal_error("remote serializer not initialized");
@ -3481,13 +3473,7 @@ bool SocketComm::Connect(Peer* peer)
 		{
 		if ( peer->ssl )
 			{
 #ifdef USE_OPENSSL
 			peer->io = new ChunkedIOSSL(sockfd, false);
 #else
 			run_time("SSL connection requested, but SSL support not compiled in");
 			CloseConnection(peer, false);
 			return 0;
 #endif
 			}
 		else
 			peer->io = new ChunkedIOFd(sockfd, "child->peer");
@ -3621,15 +3607,10 @@ bool SocketComm::AcceptConnection(int fd)
 	peer->ssl = (fd == listen_fd_ssl);
 	peer->compressor = false;
 #ifdef USE_OPENSSL
 	if ( peer->ssl )
 		peer->io = new ChunkedIOSSL(clientfd, true);
 	else
 		peer->io = new ChunkedIOFd(clientfd, "child->peer");
 #else
 	assert(! peer->ssl);
 	peer->io = new ChunkedIOFd(clientfd, "child->peer");
 #endif
 	if ( ! peer->io->Init() )
 		{
--- a/src/SSL-binpac.cc
+++ b/src/SSL-binpac.cc
@ -71,10 +71,5 @@ void SSL_Analyzer_binpac::generate_warnings()
 	if ( ssl_store_key_material )
 		warn_("storage of key material (ssl_store_key_material) not supported");
 #ifndef USE_OPENSSL
 	if ( ssl_verify_certificates )
 		warn_("verification of certificates (ssl_verify_certificates) not supported due to non-existing OpenSSL support");
 #endif
 	warnings_generated = true;
 	}
--- a/src/SSLInterpreter.cc
+++ b/src/SSLInterpreter.cc
@ -3,9 +3,7 @@
 #include "SSLInterpreter.h"
 #include "SSLv2.h"
 #ifdef USE_OPENSSL
 #include "X509.h"
 #endif
 #include <sys/socket.h>
 #include <netinet/in.h>
@ -173,17 +171,12 @@ void SSL_Interpreter::analyzeCertificate(SSL_InterpreterEndpoint* s,
 		int invalid = 0;
 		switch ( type ) {
 		case SSLv2_CT_X509_CERTIFICATE:
 #ifdef USE_OPENSSL
 			if ( ! isChain )
 				invalid = X509_Cert::verify(s->GetProxyEndpoint(),
 							pCert, certLength);
 			else
 				invalid = X509_Cert::verifyChain(s->GetProxyEndpoint(),
 							data, length);
 #else
 			proxy->Weak("SSL: Could not verify certificate (missing OpenSSL support)!");
 			invalid = 0;
 #endif
 			break;
 		default:
--- a/src/main.cc
+++ b/src/main.cc
@ -18,9 +18,7 @@ extern "C" {
 }
 #endif
 #ifdef USE_OPENSSL
 extern "C" void OPENSSL_add_all_algorithms_conf(void);
 #endif
 #include "bsd-getopt-long.h"
 #include "input.h"
@ -663,7 +661,6 @@ int main(int argc, char** argv)
 	// DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key));
 	init_hash_function();
 #ifdef USE_OPENSSL
 	ERR_load_crypto_strings();
 	OPENSSL_add_all_algorithms_conf();
 	SSL_library_init();
@ -672,7 +669,6 @@ int main(int argc, char** argv)
 	// FIXME: On systems that don't provide /dev/urandom, OpenSSL doesn't
 	// seed the PRNG. We should do this here (but at least Linux, FreeBSD
 	// and Solaris provide /dev/urandom).
 #endif
 	if ( (interfaces.length() > 0 || netflows.length() > 0) && 
 	     (read_files.length() > 0 || flow_files.length() > 0 ))
--- a/src/ssl-analyzer.pac
+++ b/src/ssl-analyzer.pac
@ -10,11 +10,9 @@
 #include "util.h"
 #ifdef USE_OPENSSL
 #include <openssl/x509.h>
 #include <openssl/x509_vfy.h>
 #include "X509.h"
 #endif
 %}
@ -27,14 +25,11 @@
 			}
 	};
 #ifdef USE_OPENSSL
 	void free_X509(void *);
 	X509* d2i_X509_binpac(X509** px, const uint8** in, int len);
 #endif
 	%}
 %code{
 #ifdef USE_OPENSSL
 	void free_X509(void* cert)
 		{
 		X509_free((X509*) cert);
@ -48,8 +43,6 @@
 		return d2i_X509(px, (u_char**) in, len);
 #endif
 		}
 #endif
 %}
@ -123,10 +116,8 @@ refine analyzer SSLAnalyzer += {
 		version_ = -1;
 		cipher_ = -1;
 #ifdef USE_OPENSSL
 		if ( ! X509_Cert::bInited )
 			X509_Cert::init();
 #endif
 	%}
 	%eof{
@ -172,12 +163,10 @@ refine analyzer SSLAnalyzer += {
 	function certificate_error(err_num : int) : void
 		%{
 #ifdef USE_OPENSSL
 		StringVal* err_str =
 			new StringVal(X509_verify_cert_error_string(err_num));
 		bro_event_ssl_X509_error(bro_analyzer_, bro_analyzer_->Conn(),
 						err_num, err_str);
 #endif
 		%}
 	function proc_change_cipher_spec(msg : ChangeCipherSpec) : bool
@ -331,7 +320,6 @@ refine analyzer SSLAnalyzer += {
 						bro_analyzer_->Conn(),
 						! current_record_is_orig_);
 #ifdef USE_OPENSSL
 		const bytestring& cert = (*certificates)[0];
 		const uint8* data = cert.data();
@ -421,7 +409,6 @@ refine analyzer SSLAnalyzer += {
 			}
 		X509_free(pCert);
 #endif
 	return true;
 		%}