Changes to make OpenSSL a requirement.

Preprocessor conditionals dependent on definition of USE_OPENSSL have been
straightened out.

BuildOptions.cmake

@@ -50,6 +50,9 @@ set(USE_NB_DNS true
 ## Configure Dependencies for Non-Standard Paths
 ##
 
+# Uncomment to specific a custom prefix containing the OpenSSL installation.
+#set(OPENSSL_ROOT_DIR path/to/your/openssl)
+
 # Uncomment to specify a custom prefix that contains the libpcap installation.
 #set(PCAP_ROOT path/to/your/pcap)
 
@@ -66,7 +69,6 @@ set(USE_NB_DNS true
 # Perl?
 # BinPAC
 #
-# OpenSSL
 # Libmagic
 # LibGeoIP
 # Libz

CMakeLists.txt

@@ -44,9 +44,10 @@ find_package(FLEX REQUIRED)
 find_package(BISON REQUIRED)
 find_package(PCAP REQUIRED)
 include_directories(BEFORE ${PCAP_INCLUDE_DIR})
+find_package(OpenSSL REQUIRED)
+include_directories(BEFORE ${OPENSSL_INCLUDE_DIR})
 
 # TODO: find bind8 lib?
-# TODO: require OpenSSL
 # TODO: optional libmagic
 # TODO: optional libGeoIP
 # TODO: optional libz

cmake/OpenSSLTests.cmake

@@ -1,10 +1,12 @@
-if (USE_OPENSSL)
-    check_c_source_compiles("
+include(CheckCSourceCompiles)
+include(CheckCXXSourceCompiles)
+
+check_c_source_compiles("
     #include <openssl/ssl.h>
     int main() { return 0; }
-    " including_ssl_h_works)
+" including_ssl_h_works)
 
-    if (NOT including_ssl_h_works)
+if (NOT including_ssl_h_works)
     # On Red Hat we may need to include Kerberos header.
     set(CMAKE_REQUIRED_INCLUDES "/usr/kerberos/include")
     check_c_source_compiles("
@@ -14,43 +16,54 @@ if (USE_OPENSSL)
     " NEED_KRB5_H)
     unset(CMAKE_REQUIRED_INCLUDES)
     if (NOT NEED_KRB5_H)
-            message(WARNING "Can't compile OpenSSL test; disabling OpenSSL")
-            set(USE_OPENSSL false)
+        message(FATAL_ERROR
+            "OpenSSL test failure.  See CmakeError.log for details.")
     else ()
         message(STATUS "OpenSSL requires Kerberos header")
         include_directories("/usr/kerberos/include")
     endif ()
-    endif ()
-endif()
+endif ()
 
-if (USE_OPENSSL)
-    # check for OPENSSL_add_all_algorithms_conf function
-    # and thus OpenSSL >= v0.9.7
-    set(CMAKE_REQUIRED_LIBRARIES crypto ssl)
-    check_c_source_compiles("
+# check for OPENSSL_add_all_algorithms_conf function
+# and thus OpenSSL >= v0.9.7
+set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES})
+check_c_source_compiles("
     #include <openssl/evp.h>
     int main() {
         OPENSSL_add_all_algorithms_conf();
         return 0;
     }
-    " USE_OPENSSL)
-    unset(CMAKE_REQUIRED_LIBRARIES)
-    if (NOT USE_OPENSSL)
-        message(WARNING "OpenSSL >= v0.9.7 required; disabling OpenSSL")
-    endif ()
+" openssl_greater_than_0_9_7)
+unset(CMAKE_REQUIRED_LIBRARIES)
+if (NOT openssl_greater_than_0_9_7)
+    message(FATAL_ERROR "OpenSSL >= v0.9.7 required")
 endif ()
 
-if (USE_OPENSSL)
-    set(CMAKE_REQUIRED_LIBRARIES crypto)
-    file(READ "${CONFTEST_DIR}/openssl_d2i_x509_const.c" CONFTEST)
-    check_cxx_source_compiles("${CONFTEST}" OPENSSL_D2I_X509_USES_CONST_CHAR)
-    if (NOT OPENSSL_D2I_X509_USES_CONST_CHAR)
-        file(READ "${CONFTEST_DIR}/openssl_d2i_x509.c" CONFTEST)
-        # double check
-        check_cxx_source_compiles("${CONFTEST}" OPENSSL_D2I_X509_USES_CHAR)
+set(CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES})
+check_cxx_source_compiles("
+#include <openssl/x509.h>
+    int main() {
+        const unsigned char** cpp = 0;
+        X509** x =0;
+        d2i_X509(x, cpp, 0);
+        return 0;
+    }
+" OPENSSL_D2I_X509_USES_CONST_CHAR)
+
+if (NOT OPENSSL_D2I_X509_USES_CONST_CHAR)
+    # double check that it compiles without const
+    check_cxx_source_compiles("
+        #include <openssl/x509.h>
+        int main() {
+            unsigned char** cpp = 0;
+            X509** x =0;
+            d2i_X509(x, cpp, 0);
+            return 0;
+        }
+        " OPENSSL_D2I_X509_USES_CHAR)
     if (NOT OPENSSL_D2I_X509_USES_CHAR)
-            message(FATAL_ERROR "Can't determine if openssl_d2i_x509() takes a const char parameter")
-        endif (NOT OPENSSL_D2I_X509_USES_CHAR)
-    endif (NOT OPENSSL_D2I_X509_USES_CONST_CHAR)
-    unset(CMAKE_REQUIRED_LIBRARIES)
+        message(FATAL_ERROR
+            "Can't determine if openssl_d2i_x509() takes const char parameter")
+    endif ()
 endif ()
+unset(CMAKE_REQUIRED_LIBRARIES)

config.h.in

@@ -195,9 +195,6 @@
 /* Use libclamav */
 #undef USE_LIBCLAMAV
 
-/* Use OpenSSL */
-#undef USE_OPENSSL
-
 /* Use Google's perftools */
 #undef USE_PERFTOOLS
 

src/Analyzer.cc

@@ -113,10 +113,8 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 		SMTP_Analyzer::Available, 0, false },
 	{ AnalyzerTag::SSH, "SSH", SSH_Analyzer::InstantiateAnalyzer,
 		SSH_Analyzer::Available, 0, false },
-#ifdef USE_OPENSSL
 	{ AnalyzerTag::SSL, "SSL", SSLProxy_Analyzer::InstantiateAnalyzer,
 		SSLProxy_Analyzer::Available, 0, false },
-#endif
 	{ AnalyzerTag::Telnet, "TELNET", Telnet_Analyzer::InstantiateAnalyzer,
 		Telnet_Analyzer::Available, 0, false },
 
@@ -167,9 +165,7 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 	{ AnalyzerTag::Contents_SMB, "CONTENTS_SMB", 0, 0, 0, false },
 	{ AnalyzerTag::Contents_RPC, "CONTENTS_RPC", 0, 0, 0, false },
 	{ AnalyzerTag::Contents_NFS, "CONTENTS_NFS", 0, 0, 0, false },
-#ifdef USE_OPENSSL
 	{ AnalyzerTag::Contents_SSL, "CONTENTS_SSL", 0, 0, 0, false },
-#endif
 };
 
 AnalyzerTimer::~AnalyzerTimer()

src/AnalyzerTags.h

@@ -29,9 +29,7 @@ namespace AnalyzerTag {
 		DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC,
 		Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin,
 		RPC, Rsh, SMB, SMTP, SSH,
-#ifdef USE_OPENSSL
 		SSL,
-#endif
 		Telnet,
 
 		// Application-layer analyzers, binpac-generated.
@@ -45,9 +43,7 @@ namespace AnalyzerTag {
 		Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP,
 		Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh,
 		Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS,
-#ifdef USE_OPENSSL
 		Contents_SSL,
-#endif
 		// End-marker.
 		LastAnalyzer
 	};

src/CMakeLists.txt

@@ -193,10 +193,8 @@ if (HAVE_NB_DNS)
     set(dns_SRCS nb_dns.c nb_dns.h)
 endif ()
 
-if (USE_OPENSSL)
-    set(openssl_SRCS X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc
+set(openssl_SRCS X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc
                  SSLv2.cc SSLv3.cc SSLv3Automaton.cc)
-endif ()
 
 if (USE_NMALLOC)
     set(malloc_SRCS malloc.c)
@@ -382,6 +380,12 @@ add_executable(bro ${bro_SRCS})
 
 add_dependencies(bro make_dbg_constants)
 
-target_link_libraries(bro m binpac_lib ${PCAP_LIBRARY} resolv)
+target_link_libraries(bro
+                      m
+                      resolv
+                      binpac_lib
+                      ${PCAP_LIBRARY}
+                      ${OPENSSL_LIBRARIES}
+)
 
 install(TARGETS bro DESTINATION bin)

src/ChunkedIO.cc

@@ -7,6 +7,7 @@
 #include <sys/time.h>
 #include <netinet/in.h>
 #include <assert.h>
+#include <openssl/ssl.h>
 
 #include "config.h"
 #include "ChunkedIO.h"
@@ -650,11 +651,6 @@ void ChunkedIOFd::Stats(char* buffer, int length)
 	ChunkedIO::Stats(buffer + i, length - i);
 	}
 
-
-#ifdef USE_OPENSSL
-
-#include <openssl/ssl.h>
-
 SSL_CTX* ChunkedIOSSL::ctx;
 
 ChunkedIOSSL::ChunkedIOSSL(int arg_socket, bool arg_server)
@@ -1174,8 +1170,6 @@ void ChunkedIOSSL::Stats(char* buffer, int length)
 	ChunkedIO::Stats(buffer + i, length - i);
 	}
 
-#endif	/* USE_OPENSSL */
-
 #ifdef HAVE_LIBZ
 
 bool CompressedChunkedIO::Init()

src/ChunkedIO.h

@@ -11,6 +11,13 @@
 
 #include <list>
 
+#ifdef NEED_KRB5_H
+# include <krb5.h>
+#endif 
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
 class CompressedChunkedIO;
 
 // #define DEBUG_COMMUNICATION 10
@@ -214,17 +221,7 @@ private:
 	pid_t pid;
 };
 
-#ifdef USE_OPENSSL
-
-#ifdef NEED_KRB5_H
-# include <krb5.h>
-#endif 
-
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-
 // Chunked I/O using an SSL connection.
-
 class ChunkedIOSSL : public ChunkedIO {
 public:
 	// Argument is an open socket and a flag indicating whether we are the
@@ -287,8 +284,6 @@ private:
 	static SSL_CTX* ctx;
 };
 
-#endif	/* USE_OPENSSL */
-
 #ifdef HAVE_LIBZ
 
 #include <zlib.h>

src/File.cc

@@ -233,10 +233,7 @@ BroFile::~BroFile()
 
 	delete [] name;
 	delete [] access;
-
-#ifdef USE_OPENSSL
 	delete [] cipher_buffer;
-#endif
 
 #ifdef USE_PERFTOOLS
 	heap_checker->UnIgnoreObject(this);
@@ -257,12 +254,9 @@ void BroFile::Init()
 	print_hook = true;
 	raw_output = false;
 	t = 0;
-
-#ifdef USE_OPENSSL
 	pub_key = 0;
 	cipher_ctx = 0;
 	cipher_buffer = 0;
-#endif
 
 #ifdef USE_PERFTOOLS
 	heap_checker->IgnoreObject(this);
@@ -348,9 +342,7 @@ int BroFile::Close()
 	if ( ! is_open )
 		return 1;
 
-#ifdef USE_OPENSSL
 	FinishEncrypt();
-#endif
 
 	// Do not close stdout/stderr.
 	if ( f == stdout || f == stderr )
@@ -640,19 +632,6 @@ void BroFile::CloseCachedFiles()
 		}
 	}
 
-#ifndef USE_OPENSSL
-
-void BroFile::InitEncrypt(const char* keyfile)
-	{
-	if ( keyfile )
-		{
-		error("file encryption requested, but OpenSSL support not compiled in.");
-		Close();
-		}
-	}
-
-#else
-
 void BroFile::InitEncrypt(const char* keyfile)
 	{
 	if ( ! (pub_key || keyfile) )
@@ -716,14 +695,12 @@ void BroFile::InitEncrypt(const char* keyfile)
 	int buf_size = MIN_BUFFER_SIZE + EVP_CIPHER_block_size(cipher_type);
 	cipher_buffer = new unsigned char[buf_size];
 	}
-#endif
 
 void BroFile::FinishEncrypt()
 	{
 	if ( ! is_open )
 		return;
 
-#ifdef USE_OPENSSL
 	if ( ! pub_key )
 		return;
 
@@ -742,7 +719,6 @@ void BroFile::FinishEncrypt()
 		delete cipher_ctx;
 		cipher_ctx = 0;
 		}
-#endif
 	}
 
 
@@ -757,7 +733,6 @@ int BroFile::Write(const char* data, int len)
 	if ( ! len )
 		len = strlen(data);
 
-#ifdef USE_OPENSSL
 	if ( cipher_ctx )
 		{
 		while ( len )
@@ -789,7 +764,6 @@ int BroFile::Write(const char* data, int len)
 
 		return 1;
 		}
-#endif
 
 	len = fwrite(data, 1, len, f);
 	if ( len <= 0 )

src/File.h

@@ -10,7 +10,6 @@
 #include "Obj.h"
 #include "Attr.h"
 
-#ifdef USE_OPENSSL
 # ifdef NEED_KRB5_H
 #  include <krb5.h>
 # endif // NEED_KRB5_H
@@ -19,7 +18,6 @@ extern "C" {
 # include "openssl/pem.h"
 # include "openssl/err.h"
 }
-#endif
 
 class BroType;
 class RotateTimer;
@@ -149,13 +147,11 @@ protected:
 	static double default_rotation_interval;
 	static double default_rotation_size;
 
-#ifdef USE_OPENSSL
 	EVP_PKEY* pub_key;
 	EVP_CIPHER_CTX* cipher_ctx;
 
 	static const int MIN_BUFFER_SIZE = 1024;
 	unsigned char* cipher_buffer;
-#endif
 
 };
 

src/RemoteSerializer.cc

@@ -1170,14 +1170,6 @@ bool RemoteSerializer::Listen(addr_type ip, uint16 port, bool expect_ssl)
 	if ( ! using_communication )
 		return true;
 
-#ifndef USE_OPENSSL
-	if ( expect_ssl )
-		{
-		Error("listening for SSL connections requested, but SSL support is not compiled in");
-		return false;
-		}
-#endif
-
 	if ( ! initialized )
 		internal_error("remote serializer not initialized");
 
@@ -3481,13 +3473,7 @@ bool SocketComm::Connect(Peer* peer)
 		{
 		if ( peer->ssl )
 			{
-#ifdef USE_OPENSSL
 			peer->io = new ChunkedIOSSL(sockfd, false);
-#else
-			run_time("SSL connection requested, but SSL support not compiled in");
-			CloseConnection(peer, false);
-			return 0;
-#endif
 			}
 		else
 			peer->io = new ChunkedIOFd(sockfd, "child->peer");
@@ -3621,15 +3607,10 @@ bool SocketComm::AcceptConnection(int fd)
 	peer->ssl = (fd == listen_fd_ssl);
 	peer->compressor = false;
 
-#ifdef USE_OPENSSL
 	if ( peer->ssl )
 		peer->io = new ChunkedIOSSL(clientfd, true);
 	else
 		peer->io = new ChunkedIOFd(clientfd, "child->peer");
-#else
-	assert(! peer->ssl);
-	peer->io = new ChunkedIOFd(clientfd, "child->peer");
-#endif
 
 	if ( ! peer->io->Init() )
 		{

src/SSL-binpac.cc

@@ -71,10 +71,5 @@ void SSL_Analyzer_binpac::generate_warnings()
 	if ( ssl_store_key_material )
 		warn_("storage of key material (ssl_store_key_material) not supported");
 
-#ifndef USE_OPENSSL
-	if ( ssl_verify_certificates )
-		warn_("verification of certificates (ssl_verify_certificates) not supported due to non-existing OpenSSL support");
-#endif
-
 	warnings_generated = true;
 	}

src/SSLInterpreter.cc

@@ -3,9 +3,7 @@
 #include "SSLInterpreter.h"
 #include "SSLv2.h"
 
-#ifdef USE_OPENSSL
 #include "X509.h"
-#endif
 
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -173,17 +171,12 @@ void SSL_Interpreter::analyzeCertificate(SSL_InterpreterEndpoint* s,
 		int invalid = 0;
 		switch ( type ) {
 		case SSLv2_CT_X509_CERTIFICATE:
-#ifdef USE_OPENSSL
 			if ( ! isChain )
 				invalid = X509_Cert::verify(s->GetProxyEndpoint(),
 							pCert, certLength);
 			else
 				invalid = X509_Cert::verifyChain(s->GetProxyEndpoint(),
 							data, length);
-#else
-			proxy->Weak("SSL: Could not verify certificate (missing OpenSSL support)!");
-			invalid = 0;
-#endif
 			break;
 
 		default:

src/main.cc

@@ -18,9 +18,7 @@ extern "C" {
 }
 #endif
 
-#ifdef USE_OPENSSL
 extern "C" void OPENSSL_add_all_algorithms_conf(void);
-#endif
 
 #include "bsd-getopt-long.h"
 #include "input.h"
@@ -663,7 +661,6 @@ int main(int argc, char** argv)
 	// DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key));
 	init_hash_function();
 
-#ifdef USE_OPENSSL
 	ERR_load_crypto_strings();
 	OPENSSL_add_all_algorithms_conf();
 	SSL_library_init();
@@ -672,7 +669,6 @@ int main(int argc, char** argv)
 	// FIXME: On systems that don't provide /dev/urandom, OpenSSL doesn't
 	// seed the PRNG. We should do this here (but at least Linux, FreeBSD
 	// and Solaris provide /dev/urandom).
-#endif
 
 	if ( (interfaces.length() > 0 || netflows.length() > 0) && 
 	     (read_files.length() > 0 || flow_files.length() > 0 ))

src/ssl-analyzer.pac

@@ -10,11 +10,9 @@
 
 #include "util.h"
 
-#ifdef USE_OPENSSL
 #include <openssl/x509.h>
 #include <openssl/x509_vfy.h>
 #include "X509.h"
-#endif
 %}
 
 
@@ -27,14 +25,11 @@
 			}
 	};
 
-#ifdef USE_OPENSSL
 	void free_X509(void *);
 	X509* d2i_X509_binpac(X509** px, const uint8** in, int len);
-#endif
 	%}
 
 %code{
-#ifdef USE_OPENSSL
 	void free_X509(void* cert)
 		{
 		X509_free((X509*) cert);
@@ -48,8 +43,6 @@
 		return d2i_X509(px, (u_char**) in, len);
 #endif
 		}
-
-#endif
 %}
 
 
@@ -123,10 +116,8 @@ refine analyzer SSLAnalyzer += {
 		version_ = -1;
 		cipher_ = -1;
 
-#ifdef USE_OPENSSL
 		if ( ! X509_Cert::bInited )
 			X509_Cert::init();
-#endif
 	%}
 
 	%eof{
@@ -172,12 +163,10 @@ refine analyzer SSLAnalyzer += {
 
 	function certificate_error(err_num : int) : void
 		%{
-#ifdef USE_OPENSSL
 		StringVal* err_str =
 			new StringVal(X509_verify_cert_error_string(err_num));
 		bro_event_ssl_X509_error(bro_analyzer_, bro_analyzer_->Conn(),
 						err_num, err_str);
-#endif
 		%}
 
 	function proc_change_cipher_spec(msg : ChangeCipherSpec) : bool
@@ -331,7 +320,6 @@ refine analyzer SSLAnalyzer += {
 						bro_analyzer_->Conn(),
 						! current_record_is_orig_);
 
-#ifdef USE_OPENSSL
 		const bytestring& cert = (*certificates)[0];
 		const uint8* data = cert.data();
 
@@ -421,7 +409,6 @@ refine analyzer SSLAnalyzer += {
 			}
 
 		X509_free(pCert);
-#endif
 	return true;
 		%}