mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
Remove checks for OpenSSL 1.x versions
This commit is contained in:
Tim Wojtulewicz
parent
01b4aec0e1
commit
55c6e748ac
7 changed files with 0 additions and 167 deletions
|
|
@ -27,10 +27,6 @@
|
|||
#include "zeek/probabilistic/BloomFilter.h"
|
||||
#include "zeek/probabilistic/CardinalityCounter.h"
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
inline void* EVP_MD_CTX_md_data(const EVP_MD_CTX* ctx) { return ctx->md_data; }
|
||||
#endif
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x30000000L )
|
||||
#include <openssl/md5.h>
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -12,11 +12,6 @@
|
|||
|
||||
#include "zeek/Reporter.h"
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
#define EVP_MD_CTX_new EVP_MD_CTX_create
|
||||
#define EVP_MD_CTX_free EVP_MD_CTX_destroy
|
||||
#endif
|
||||
|
||||
static_assert(ZEEK_MD5_DIGEST_LENGTH == MD5_DIGEST_LENGTH);
|
||||
|
||||
static_assert(ZEEK_SHA_DIGEST_LENGTH == SHA_DIGEST_LENGTH);
|
||||
|
|
|
|||
|
|
@ -26,28 +26,11 @@ namespace zeek::file_analysis::detail {
|
|||
static constexpr size_t OCSP_STRING_BUF_SIZE = 2048;
|
||||
|
||||
static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio) {
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
ASN1_OCTET_STRING* key = nullptr;
|
||||
X509_NAME* name = nullptr;
|
||||
|
||||
if ( ! basic_resp->tbsResponseData )
|
||||
return false;
|
||||
|
||||
auto resp_id = basic_resp->tbsResponseData->responderId;
|
||||
|
||||
if ( resp_id->type == V_OCSP_RESPID_NAME )
|
||||
name = resp_id->value.byName;
|
||||
else if ( resp_id->type == V_OCSP_RESPID_KEY )
|
||||
key = resp_id->value.byKey;
|
||||
else
|
||||
return false;
|
||||
#else
|
||||
const ASN1_OCTET_STRING* key = nullptr;
|
||||
const X509_NAME* name = nullptr;
|
||||
|
||||
if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) )
|
||||
return false;
|
||||
#endif
|
||||
|
||||
if ( name )
|
||||
X509_NAME_print_ex(bio, name, 0, XN_FLAG_ONELINE);
|
||||
|
|
@ -150,8 +133,6 @@ bool OCSP::EndOfFile() {
|
|||
return true;
|
||||
}
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER >= 0x10100000L )
|
||||
|
||||
struct ASN1Seq {
|
||||
ASN1Seq(const unsigned char** der_in, long length) { decoded = d2i_ASN1_SEQUENCE_ANY(nullptr, der_in, length); }
|
||||
|
||||
|
|
@ -345,7 +326,6 @@ static uint64_t parse_request_version(OCSP_REQUEST* req) {
|
|||
OPENSSL_free(der_req_dat);
|
||||
return asn1_int;
|
||||
}
|
||||
#endif
|
||||
|
||||
void OCSP::ParseRequest(OCSP_REQUEST* req) {
|
||||
char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions
|
||||
|
|
@ -353,13 +333,8 @@ void OCSP::ParseRequest(OCSP_REQUEST* req) {
|
|||
|
||||
uint64_t version = 0;
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
if ( req->tbsRequest->version )
|
||||
version = (uint64_t)ASN1_INTEGER_get(req->tbsRequest->version);
|
||||
#else
|
||||
version = parse_request_version(req);
|
||||
// TODO: try to parse out general name ?
|
||||
#endif
|
||||
|
||||
if ( ocsp_request )
|
||||
event_mgr.Enqueue(ocsp_request, GetFile()->ToVal(), val_mgr->Count(version));
|
||||
|
|
@ -425,20 +400,10 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) {
|
|||
if ( ! basic_resp )
|
||||
goto clean_up;
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
resp_data = basic_resp->tbsResponseData;
|
||||
if ( ! resp_data )
|
||||
goto clean_up;
|
||||
#endif
|
||||
|
||||
vl.emplace_back(GetFile()->ToVal());
|
||||
vl.emplace_back(std::move(status_val));
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
vl.emplace_back(val_mgr->Count((uint64_t)ASN1_INTEGER_get(resp_data->version)));
|
||||
#else
|
||||
vl.emplace_back(parse_basic_resp_data_version(basic_resp));
|
||||
#endif
|
||||
|
||||
// responderID
|
||||
if ( OCSP_RESPID_bio(basic_resp, bio) ) {
|
||||
|
|
@ -452,11 +417,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) {
|
|||
}
|
||||
|
||||
// producedAt
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
produced_at = resp_data->producedAt;
|
||||
#else
|
||||
produced_at = OCSP_resp_get0_produced_at(basic_resp);
|
||||
#endif
|
||||
|
||||
vl.emplace_back(make_intrusive<TimeVal>(GetTimeFromAsn1(produced_at, GetFile(), reporter)));
|
||||
|
||||
|
|
@ -477,11 +438,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) {
|
|||
// cert id
|
||||
const OCSP_CERTID* cert_id = nullptr;
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
cert_id = single_resp->certId;
|
||||
#else
|
||||
cert_id = OCSP_SINGLERESP_get0_id(single_resp);
|
||||
#endif
|
||||
|
||||
ocsp_add_cert_id(cert_id, &rvl, bio);
|
||||
BIO_reset(bio);
|
||||
|
|
@ -550,14 +507,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) {
|
|||
}
|
||||
}
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
|
||||
len = BIO_read(bio, buf, sizeof(buf));
|
||||
vl.emplace_back(make_intrusive<StringVal>(len, buf));
|
||||
BIO_reset(bio);
|
||||
#else
|
||||
vl.emplace_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
|
||||
#endif
|
||||
|
||||
// i2a_ASN1_OBJECT(bio, basic_resp->signature);
|
||||
// len = BIO_read(bio, buf, sizeof(buf));
|
||||
|
|
@ -567,11 +517,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) {
|
|||
certs_vector = new VectorVal(id::find_type<VectorType>("x509_opaque_vector"));
|
||||
vl.emplace_back(AdoptRef{}, certs_vector);
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
certs = basic_resp->certs;
|
||||
#else
|
||||
certs = OCSP_resp_get0_certs(basic_resp);
|
||||
#endif
|
||||
|
||||
if ( certs ) {
|
||||
int num_certs = sk_X509_num(certs);
|
||||
|
|
|
|||
|
|
@ -161,13 +161,9 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val, file_analysis::File* f) {
|
|||
|
||||
pX509Cert->Assign(7, buf);
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
i2a_ASN1_OBJECT(bio, ssl_cert->sig_alg->algorithm);
|
||||
#else
|
||||
const ASN1_OBJECT* alg;
|
||||
X509_ALGOR_get0(&alg, nullptr, nullptr, X509_get0_tbs_sigalg(ssl_cert));
|
||||
i2a_ASN1_OBJECT(bio, alg);
|
||||
#endif
|
||||
len = BIO_gets(bio, buf, sizeof(buf));
|
||||
pX509Cert->Assign(13, make_intrusive<StringVal>(len, buf));
|
||||
BIO_free(bio);
|
||||
|
|
@ -349,11 +345,7 @@ void X509::ParseSAN(X509_EXTENSION* ext) {
|
|||
}
|
||||
|
||||
auto len = ASN1_STRING_length(gen->d.ia5);
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
const char* name = (const char*)ASN1_STRING_data(gen->d.ia5);
|
||||
#else
|
||||
const char* name = (const char*)ASN1_STRING_get0_data(gen->d.ia5);
|
||||
#endif
|
||||
auto bs = make_intrusive<StringVal>(len, name);
|
||||
|
||||
switch ( gen->type ) {
|
||||
|
|
|
|||
|
|
@ -9,25 +9,6 @@
|
|||
#include "zeek/OpaqueVal.h"
|
||||
#include "zeek/file_analysis/analyzer/x509/X509Common.h"
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10002000L )
|
||||
|
||||
#define X509_get_signature_nid(x) OBJ_obj2nid((x)->sig_alg->algorithm)
|
||||
|
||||
#endif
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x1010000fL )
|
||||
|
||||
#define X509_OBJECT_new() (X509_OBJECT*)malloc(sizeof(X509_OBJECT))
|
||||
#define X509_OBJECT_free(a) free(a)
|
||||
|
||||
#define OCSP_resp_get0_certs(x) (x)->certs
|
||||
|
||||
#define EVP_PKEY_get0_DSA(p) ((p)->pkey.dsa)
|
||||
#define EVP_PKEY_get0_EC_KEY(p) ((p)->pkey.ec)
|
||||
#define EVP_PKEY_get0_RSA(p) ((p)->pkey.rsa)
|
||||
|
||||
#endif
|
||||
|
||||
namespace zeek::file_analysis::detail {
|
||||
|
||||
class X509Val;
|
||||
|
|
|
|||
|
|
@ -65,19 +65,8 @@ X509* x509_get_ocsp_signer(const STACK_OF(X509)* certs,
|
|||
const ASN1_OCTET_STRING* key = nullptr;
|
||||
const X509_NAME* name = nullptr;
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
OCSP_RESPID* resp_id = basic_resp->tbsResponseData->responderId;
|
||||
|
||||
if ( resp_id->type == V_OCSP_RESPID_NAME )
|
||||
name = resp_id->value.byName;
|
||||
else if ( resp_id->type == V_OCSP_RESPID_KEY )
|
||||
key = resp_id->value.byKey;
|
||||
else
|
||||
return nullptr;
|
||||
#else
|
||||
if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) )
|
||||
return nullptr;
|
||||
#endif
|
||||
|
||||
if ( name )
|
||||
return X509_find_by_subject(const_cast<STACK_OF(X509)*>(certs),
|
||||
|
|
@ -359,11 +348,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
|
|||
|
||||
// Because we actually want to be able to give nice error messages that show why we were
|
||||
// not able to verify the OCSP response - do our own verification logic first.
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
signer = x509_get_ocsp_signer(basic->certs, basic);
|
||||
#else
|
||||
signer = x509_get_ocsp_signer(OCSP_resp_get0_certs(basic), basic);
|
||||
#endif
|
||||
|
||||
/*
|
||||
Do this perhaps - OpenSSL also cannot do it, so I do not really feel bad about it.
|
||||
|
|
@ -730,12 +715,7 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa
|
|||
uint32_t cert_length;
|
||||
if ( precert )
|
||||
{
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10002000L )
|
||||
x->cert_info->enc.modified = 1;
|
||||
cert_length = i2d_X509_CINF(x->cert_info, &cert_out);
|
||||
#else
|
||||
cert_length = i2d_re_X509_tbs(x, &cert_out);
|
||||
#endif
|
||||
data.append(reinterpret_cast<const char*>(issuer_key_hash->Bytes()), issuer_key_hash->Len());
|
||||
}
|
||||
else
|
||||
|
|
@ -1058,11 +1038,7 @@ function x509_check_cert_hostname%(cert_opaque: opaque of x509, hostname: string
|
|||
continue;
|
||||
|
||||
std::size_t len = ASN1_STRING_length(gen->d.ia5);
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||
auto* name = reinterpret_cast<const char*>(ASN1_STRING_data(gen->d.ia5));
|
||||
#else
|
||||
auto* name = reinterpret_cast<const char*>(ASN1_STRING_get0_data(gen->d.ia5));
|
||||
#endif
|
||||
std::string_view nameview {name, len};
|
||||
if ( check_hostname(hostview, nameview) )
|
||||
{
|
||||
|
|
|
|||
|
|
@ -97,58 +97,6 @@ int perftools_leaks = 0;
|
|||
int perftools_profile = 0;
|
||||
#endif
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
struct CRYPTO_dynlock_value {
|
||||
std::mutex mtx;
|
||||
};
|
||||
|
||||
namespace {
|
||||
|
||||
std::unique_ptr<std::mutex[]> ssl_mtx_tbl;
|
||||
|
||||
void ssl_lock_fn(int mode, int n, const char*, int) {
|
||||
if ( mode & CRYPTO_LOCK )
|
||||
ssl_mtx_tbl[static_cast<size_t>(n)].lock();
|
||||
else
|
||||
ssl_mtx_tbl[static_cast<size_t>(n)].unlock();
|
||||
}
|
||||
|
||||
CRYPTO_dynlock_value* ssl_dynlock_create(const char*, int) { return new CRYPTO_dynlock_value; }
|
||||
|
||||
void ssl_dynlock_lock(int mode, CRYPTO_dynlock_value* ptr, const char*, int) {
|
||||
if ( mode & CRYPTO_LOCK )
|
||||
ptr->mtx.lock();
|
||||
else
|
||||
ptr->mtx.unlock();
|
||||
}
|
||||
|
||||
void ssl_dynlock_destroy(CRYPTO_dynlock_value* ptr, const char*, int) { delete ptr; }
|
||||
|
||||
void do_ssl_init() {
|
||||
ERR_load_crypto_strings();
|
||||
OPENSSL_add_all_algorithms_conf();
|
||||
SSL_library_init();
|
||||
SSL_load_error_strings();
|
||||
ssl_mtx_tbl.reset(new std::mutex[CRYPTO_num_locks()]);
|
||||
CRYPTO_set_locking_callback(ssl_lock_fn);
|
||||
CRYPTO_set_dynlock_create_callback(ssl_dynlock_create);
|
||||
CRYPTO_set_dynlock_lock_callback(ssl_dynlock_lock);
|
||||
CRYPTO_set_dynlock_destroy_callback(ssl_dynlock_destroy);
|
||||
}
|
||||
|
||||
void do_ssl_deinit() {
|
||||
ERR_free_strings();
|
||||
EVP_cleanup();
|
||||
CRYPTO_cleanup_all_ex_data();
|
||||
CRYPTO_set_locking_callback(nullptr);
|
||||
CRYPTO_set_dynlock_create_callback(nullptr);
|
||||
CRYPTO_set_dynlock_lock_callback(nullptr);
|
||||
CRYPTO_set_dynlock_destroy_callback(nullptr);
|
||||
ssl_mtx_tbl.reset();
|
||||
}
|
||||
|
||||
} // namespace
|
||||
#else
|
||||
namespace {
|
||||
|
||||
void do_ssl_init() { OPENSSL_init_ssl(0, nullptr); }
|
||||
|
|
@ -160,7 +108,6 @@ void do_ssl_deinit() {
|
|||
}
|
||||
|
||||
} // namespace
|
||||
#endif
|
||||
|
||||
zeek::ValManager* zeek::val_mgr = nullptr;
|
||||
zeek::packet_analysis::Manager* zeek::packet_mgr = nullptr;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue