diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index f318f4bdb7..5fe6956956 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -27,10 +27,6 @@ #include "zeek/probabilistic/BloomFilter.h" #include "zeek/probabilistic/CardinalityCounter.h" -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) -inline void* EVP_MD_CTX_md_data(const EVP_MD_CTX* ctx) { return ctx->md_data; } -#endif - #if ( OPENSSL_VERSION_NUMBER < 0x30000000L ) #include #endif diff --git a/src/digest.cc b/src/digest.cc index 68c6747bc0..aaab7d5cda 100644 --- a/src/digest.cc +++ b/src/digest.cc @@ -12,11 +12,6 @@ #include "zeek/Reporter.h" -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) -#define EVP_MD_CTX_new EVP_MD_CTX_create -#define EVP_MD_CTX_free EVP_MD_CTX_destroy -#endif - static_assert(ZEEK_MD5_DIGEST_LENGTH == MD5_DIGEST_LENGTH); static_assert(ZEEK_SHA_DIGEST_LENGTH == SHA_DIGEST_LENGTH); diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index d46eb72b2e..c1c6f6d473 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -26,28 +26,11 @@ namespace zeek::file_analysis::detail { static constexpr size_t OCSP_STRING_BUF_SIZE = 2048; static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio) { -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - ASN1_OCTET_STRING* key = nullptr; - X509_NAME* name = nullptr; - - if ( ! basic_resp->tbsResponseData ) - return false; - - auto resp_id = basic_resp->tbsResponseData->responderId; - - if ( resp_id->type == V_OCSP_RESPID_NAME ) - name = resp_id->value.byName; - else if ( resp_id->type == V_OCSP_RESPID_KEY ) - key = resp_id->value.byKey; - else - return false; -#else const ASN1_OCTET_STRING* key = nullptr; const X509_NAME* name = nullptr; if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) ) return false; -#endif if ( name ) X509_NAME_print_ex(bio, name, 0, XN_FLAG_ONELINE); @@ -150,8 +133,6 @@ bool OCSP::EndOfFile() { return true; } -#if ( OPENSSL_VERSION_NUMBER >= 0x10100000L ) - struct ASN1Seq { ASN1Seq(const unsigned char** der_in, long length) { decoded = d2i_ASN1_SEQUENCE_ANY(nullptr, der_in, length); } @@ -345,7 +326,6 @@ static uint64_t parse_request_version(OCSP_REQUEST* req) { OPENSSL_free(der_req_dat); return asn1_int; } -#endif void OCSP::ParseRequest(OCSP_REQUEST* req) { char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions @@ -353,13 +333,8 @@ void OCSP::ParseRequest(OCSP_REQUEST* req) { uint64_t version = 0; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - if ( req->tbsRequest->version ) - version = (uint64_t)ASN1_INTEGER_get(req->tbsRequest->version); -#else version = parse_request_version(req); // TODO: try to parse out general name ? -#endif if ( ocsp_request ) event_mgr.Enqueue(ocsp_request, GetFile()->ToVal(), val_mgr->Count(version)); @@ -425,20 +400,10 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { if ( ! basic_resp ) goto clean_up; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - resp_data = basic_resp->tbsResponseData; - if ( ! resp_data ) - goto clean_up; -#endif - vl.emplace_back(GetFile()->ToVal()); vl.emplace_back(std::move(status_val)); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - vl.emplace_back(val_mgr->Count((uint64_t)ASN1_INTEGER_get(resp_data->version))); -#else vl.emplace_back(parse_basic_resp_data_version(basic_resp)); -#endif // responderID if ( OCSP_RESPID_bio(basic_resp, bio) ) { @@ -452,11 +417,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { } // producedAt -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - produced_at = resp_data->producedAt; -#else produced_at = OCSP_resp_get0_produced_at(basic_resp); -#endif vl.emplace_back(make_intrusive(GetTimeFromAsn1(produced_at, GetFile(), reporter))); @@ -477,11 +438,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { // cert id const OCSP_CERTID* cert_id = nullptr; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - cert_id = single_resp->certId; -#else cert_id = OCSP_SINGLERESP_get0_id(single_resp); -#endif ocsp_add_cert_id(cert_id, &rvl, bio); BIO_reset(bio); @@ -550,14 +507,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { } } -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); - len = BIO_read(bio, buf, sizeof(buf)); - vl.emplace_back(make_intrusive(len, buf)); - BIO_reset(bio); -#else vl.emplace_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf))); -#endif // i2a_ASN1_OBJECT(bio, basic_resp->signature); // len = BIO_read(bio, buf, sizeof(buf)); @@ -567,11 +517,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { certs_vector = new VectorVal(id::find_type("x509_opaque_vector")); vl.emplace_back(AdoptRef{}, certs_vector); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - certs = basic_resp->certs; -#else certs = OCSP_resp_get0_certs(basic_resp); -#endif if ( certs ) { int num_certs = sk_X509_num(certs); diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 0a62cdcf3e..6ca730956f 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -161,13 +161,9 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val, file_analysis::File* f) { pX509Cert->Assign(7, buf); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - i2a_ASN1_OBJECT(bio, ssl_cert->sig_alg->algorithm); -#else const ASN1_OBJECT* alg; X509_ALGOR_get0(&alg, nullptr, nullptr, X509_get0_tbs_sigalg(ssl_cert)); i2a_ASN1_OBJECT(bio, alg); -#endif len = BIO_gets(bio, buf, sizeof(buf)); pX509Cert->Assign(13, make_intrusive(len, buf)); BIO_free(bio); @@ -349,11 +345,7 @@ void X509::ParseSAN(X509_EXTENSION* ext) { } auto len = ASN1_STRING_length(gen->d.ia5); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - const char* name = (const char*)ASN1_STRING_data(gen->d.ia5); -#else const char* name = (const char*)ASN1_STRING_get0_data(gen->d.ia5); -#endif auto bs = make_intrusive(len, name); switch ( gen->type ) { diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index c6d1a317f9..42e1d01e5d 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -9,25 +9,6 @@ #include "zeek/OpaqueVal.h" #include "zeek/file_analysis/analyzer/x509/X509Common.h" -#if ( OPENSSL_VERSION_NUMBER < 0x10002000L ) - -#define X509_get_signature_nid(x) OBJ_obj2nid((x)->sig_alg->algorithm) - -#endif - -#if ( OPENSSL_VERSION_NUMBER < 0x1010000fL ) - -#define X509_OBJECT_new() (X509_OBJECT*)malloc(sizeof(X509_OBJECT)) -#define X509_OBJECT_free(a) free(a) - -#define OCSP_resp_get0_certs(x) (x)->certs - -#define EVP_PKEY_get0_DSA(p) ((p)->pkey.dsa) -#define EVP_PKEY_get0_EC_KEY(p) ((p)->pkey.ec) -#define EVP_PKEY_get0_RSA(p) ((p)->pkey.rsa) - -#endif - namespace zeek::file_analysis::detail { class X509Val; diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index a5a79d48db..4718579a6f 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -65,19 +65,8 @@ X509* x509_get_ocsp_signer(const STACK_OF(X509)* certs, const ASN1_OCTET_STRING* key = nullptr; const X509_NAME* name = nullptr; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - OCSP_RESPID* resp_id = basic_resp->tbsResponseData->responderId; - - if ( resp_id->type == V_OCSP_RESPID_NAME ) - name = resp_id->value.byName; - else if ( resp_id->type == V_OCSP_RESPID_KEY ) - key = resp_id->value.byKey; - else - return nullptr; -#else if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) ) return nullptr; -#endif if ( name ) return X509_find_by_subject(const_cast(certs), @@ -359,11 +348,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // Because we actually want to be able to give nice error messages that show why we were // not able to verify the OCSP response - do our own verification logic first. -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - signer = x509_get_ocsp_signer(basic->certs, basic); -#else signer = x509_get_ocsp_signer(OCSP_resp_get0_certs(basic), basic); -#endif /* Do this perhaps - OpenSSL also cannot do it, so I do not really feel bad about it. @@ -730,12 +715,7 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa uint32_t cert_length; if ( precert ) { -#if ( OPENSSL_VERSION_NUMBER < 0x10002000L ) - x->cert_info->enc.modified = 1; - cert_length = i2d_X509_CINF(x->cert_info, &cert_out); -#else cert_length = i2d_re_X509_tbs(x, &cert_out); -#endif data.append(reinterpret_cast(issuer_key_hash->Bytes()), issuer_key_hash->Len()); } else @@ -1058,11 +1038,7 @@ function x509_check_cert_hostname%(cert_opaque: opaque of x509, hostname: string continue; std::size_t len = ASN1_STRING_length(gen->d.ia5); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - auto* name = reinterpret_cast(ASN1_STRING_data(gen->d.ia5)); -#else auto* name = reinterpret_cast(ASN1_STRING_get0_data(gen->d.ia5)); -#endif std::string_view nameview {name, len}; if ( check_hostname(hostview, nameview) ) { diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc index 070aad5308..83d8f7ea63 100644 --- a/src/zeek-setup.cc +++ b/src/zeek-setup.cc @@ -97,58 +97,6 @@ int perftools_leaks = 0; int perftools_profile = 0; #endif -#if OPENSSL_VERSION_NUMBER < 0x10100000L -struct CRYPTO_dynlock_value { - std::mutex mtx; -}; - -namespace { - -std::unique_ptr ssl_mtx_tbl; - -void ssl_lock_fn(int mode, int n, const char*, int) { - if ( mode & CRYPTO_LOCK ) - ssl_mtx_tbl[static_cast(n)].lock(); - else - ssl_mtx_tbl[static_cast(n)].unlock(); -} - -CRYPTO_dynlock_value* ssl_dynlock_create(const char*, int) { return new CRYPTO_dynlock_value; } - -void ssl_dynlock_lock(int mode, CRYPTO_dynlock_value* ptr, const char*, int) { - if ( mode & CRYPTO_LOCK ) - ptr->mtx.lock(); - else - ptr->mtx.unlock(); -} - -void ssl_dynlock_destroy(CRYPTO_dynlock_value* ptr, const char*, int) { delete ptr; } - -void do_ssl_init() { - ERR_load_crypto_strings(); - OPENSSL_add_all_algorithms_conf(); - SSL_library_init(); - SSL_load_error_strings(); - ssl_mtx_tbl.reset(new std::mutex[CRYPTO_num_locks()]); - CRYPTO_set_locking_callback(ssl_lock_fn); - CRYPTO_set_dynlock_create_callback(ssl_dynlock_create); - CRYPTO_set_dynlock_lock_callback(ssl_dynlock_lock); - CRYPTO_set_dynlock_destroy_callback(ssl_dynlock_destroy); -} - -void do_ssl_deinit() { - ERR_free_strings(); - EVP_cleanup(); - CRYPTO_cleanup_all_ex_data(); - CRYPTO_set_locking_callback(nullptr); - CRYPTO_set_dynlock_create_callback(nullptr); - CRYPTO_set_dynlock_lock_callback(nullptr); - CRYPTO_set_dynlock_destroy_callback(nullptr); - ssl_mtx_tbl.reset(); -} - -} // namespace -#else namespace { void do_ssl_init() { OPENSSL_init_ssl(0, nullptr); } @@ -160,7 +108,6 @@ void do_ssl_deinit() { } } // namespace -#endif zeek::ValManager* zeek::val_mgr = nullptr; zeek::packet_analysis::Manager* zeek::packet_mgr = nullptr;