Merge remote-tracking branch 'origin/topic/timw/remove-checks-for-very-old-openssl-versions'

* origin/topic/timw/remove-checks-for-very-old-openssl-versions:
  Remove checks for OpenSSL 1.x versions
  Remove some additional LibreSSL checks
Tim Wojtulewicz 2025-09-30 19:12:05 +00:00
commit 85b4cec76e
9 changed files with 7 additions and 198 deletions


@ -1,3 +1,9 @@
8.1.0-dev.615 | 2025-09-30 19:12:05 +0000
* Remove checks for OpenSSL 1.x versions (Tim Wojtulewicz, Corelight)
* Remove some additional LibreSSL checks (Tim Wojtulewicz, Corelight)
8.1.0-dev.612 | 2025-09-29 18:04:24 +0200 8.1.0-dev.612 | 2025-09-29 18:04:24 +0200
* Supervisor: Make last_signal atomic to squelch data race (Arne Welzel, Corelight) * Supervisor: Make last_signal atomic to squelch data race (Arne Welzel, Corelight)


@ -1 +1 @@
8.1.0-dev.612 8.1.0-dev.615


@ -27,10 +27,6 @@
#include "zeek/probabilistic/BloomFilter.h" #include "zeek/probabilistic/BloomFilter.h"
#include "zeek/probabilistic/CardinalityCounter.h" #include "zeek/probabilistic/CardinalityCounter.h"
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
inline void* EVP_MD_CTX_md_data(const EVP_MD_CTX* ctx) { return ctx->md_data; }
#endif
#if ( OPENSSL_VERSION_NUMBER < 0x30000000L ) #if ( OPENSSL_VERSION_NUMBER < 0x30000000L )
#include <openssl/md5.h> #include <openssl/md5.h>
#endif #endif
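Review bot: With the `EVP_MD_CTX_md_data` shim gone, nothing in this file states the OpenSSL floor the remaining code now assumes, so a build against a pre-1.1.0 toolchain would fail with scattered undefined-symbol errors rather than one clear message. A guard beside the remaining version check, `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / `#error "OpenSSL 1.1.0 or newer is required"` / `#endif`, makes the new minimum explicit; if the build system already enforces this (presumably in CMake), a one-line comment pointing there would do instead. The same observation applies to the other sections of this commit that drop their `< 0x10100000L` branches; a shared header such as the X509Common.h touched below would be a reasonable single place for the guard.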


@ -12,11 +12,6 @@
#include "zeek/Reporter.h" #include "zeek/Reporter.h"
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
#define EVP_MD_CTX_new EVP_MD_CTX_create
#define EVP_MD_CTX_free EVP_MD_CTX_destroy
#endif
static_assert(ZEEK_MD5_DIGEST_LENGTH == MD5_DIGEST_LENGTH); static_assert(ZEEK_MD5_DIGEST_LENGTH == MD5_DIGEST_LENGTH);
static_assert(ZEEK_SHA_DIGEST_LENGTH == SHA_DIGEST_LENGTH); static_assert(ZEEK_SHA_DIGEST_LENGTH == SHA_DIGEST_LENGTH);
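Review bot: Dropping the `|| defined(LIBRESSL_VERSION_NUMBER)` clause means a LibreSSL build now relies on LibreSSL itself providing `EVP_MD_CTX_new`/`EVP_MD_CTX_free`, which only newer LibreSSL releases do (2.7.0 onward, as far as I recall, matching the `0x2070000fL` threshold removed elsewhere in this commit). If LibreSSL remains a supported target, the minimum LibreSSL version should be stated, e.g. `// Requires OpenSSL >= 1.1.0 or LibreSSL >= 2.7.0 for EVP_MD_CTX_new/free` near the static_asserts, or an `#error` guard on `LIBRESSL_VERSION_NUMBER`; if LibreSSL is no longer supported, the commit message should say so. The same applies to the `ASN1_STRING_get0_data` lines in the X509::ParseSAN hunk and the x509_check_cert_hostname hunk later in this commit, which drop the same LibreSSL clause.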


@ -26,28 +26,11 @@ namespace zeek::file_analysis::detail {
static constexpr size_t OCSP_STRING_BUF_SIZE = 2048; static constexpr size_t OCSP_STRING_BUF_SIZE = 2048;
static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio) { static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio) {
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
ASN1_OCTET_STRING* key = nullptr;
X509_NAME* name = nullptr;
if ( ! basic_resp->tbsResponseData )
return false;
auto resp_id = basic_resp->tbsResponseData->responderId;
if ( resp_id->type == V_OCSP_RESPID_NAME )
name = resp_id->value.byName;
else if ( resp_id->type == V_OCSP_RESPID_KEY )
key = resp_id->value.byKey;
else
return false;
#else
const ASN1_OCTET_STRING* key = nullptr; const ASN1_OCTET_STRING* key = nullptr;
const X509_NAME* name = nullptr; const X509_NAME* name = nullptr;
if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) ) if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) )
return false; return false;
#endif
if ( name ) if ( name )
X509_NAME_print_ex(bio, name, 0, XN_FLAG_ONELINE); X509_NAME_print_ex(bio, name, 0, XN_FLAG_ONELINE);
@ -150,8 +133,6 @@ bool OCSP::EndOfFile() {
return true; return true;
} }
#if ( OPENSSL_VERSION_NUMBER >= 0x10100000L )
struct ASN1Seq { struct ASN1Seq {
ASN1Seq(const unsigned char** der_in, long length) { decoded = d2i_ASN1_SEQUENCE_ANY(nullptr, der_in, length); } ASN1Seq(const unsigned char** der_in, long length) { decoded = d2i_ASN1_SEQUENCE_ANY(nullptr, der_in, length); }
@ -345,7 +326,6 @@ static uint64_t parse_request_version(OCSP_REQUEST* req) {
OPENSSL_free(der_req_dat); OPENSSL_free(der_req_dat);
return asn1_int; return asn1_int;
} }
#endif
void OCSP::ParseRequest(OCSP_REQUEST* req) { void OCSP::ParseRequest(OCSP_REQUEST* req) {
char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions
@ -353,13 +333,8 @@ void OCSP::ParseRequest(OCSP_REQUEST* req) {
uint64_t version = 0; uint64_t version = 0;
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
if ( req->tbsRequest->version )
version = (uint64_t)ASN1_INTEGER_get(req->tbsRequest->version);
#else
version = parse_request_version(req); version = parse_request_version(req);
// TODO: try to parse out general name ? // TODO: try to parse out general name ?
#endif
if ( ocsp_request ) if ( ocsp_request )
event_mgr.Enqueue(ocsp_request, GetFile()->ToVal(), val_mgr->Count(version)); event_mgr.Enqueue(ocsp_request, GetFile()->ToVal(), val_mgr->Count(version));
@ -425,20 +400,10 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) {
if ( ! basic_resp ) if ( ! basic_resp )
goto clean_up; goto clean_up;
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
resp_data = basic_resp->tbsResponseData;
if ( ! resp_data )
goto clean_up;
#endif
vl.emplace_back(GetFile()->ToVal()); vl.emplace_back(GetFile()->ToVal());
vl.emplace_back(std::move(status_val)); vl.emplace_back(std::move(status_val));
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
vl.emplace_back(val_mgr->Count((uint64_t)ASN1_INTEGER_get(resp_data->version)));
#else
vl.emplace_back(parse_basic_resp_data_version(basic_resp)); vl.emplace_back(parse_basic_resp_data_version(basic_resp));
#endif
// responderID // responderID
if ( OCSP_RESPID_bio(basic_resp, bio) ) { if ( OCSP_RESPID_bio(basic_resp, bio) ) {
@ -452,11 +417,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) {
} }
// producedAt // producedAt
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
produced_at = resp_data->producedAt;
#else
produced_at = OCSP_resp_get0_produced_at(basic_resp); produced_at = OCSP_resp_get0_produced_at(basic_resp);
#endif
vl.emplace_back(make_intrusive<TimeVal>(GetTimeFromAsn1(produced_at, GetFile(), reporter))); vl.emplace_back(make_intrusive<TimeVal>(GetTimeFromAsn1(produced_at, GetFile(), reporter)));
@ -477,11 +438,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) {
// cert id // cert id
const OCSP_CERTID* cert_id = nullptr; const OCSP_CERTID* cert_id = nullptr;
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
cert_id = single_resp->certId;
#else
cert_id = OCSP_SINGLERESP_get0_id(single_resp); cert_id = OCSP_SINGLERESP_get0_id(single_resp);
#endif
ocsp_add_cert_id(cert_id, &rvl, bio); ocsp_add_cert_id(cert_id, &rvl, bio);
BIO_reset(bio); BIO_reset(bio);
@ -550,14 +507,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) {
} }
} }
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
len = BIO_read(bio, buf, sizeof(buf));
vl.emplace_back(make_intrusive<StringVal>(len, buf));
BIO_reset(bio);
#else
vl.emplace_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf))); vl.emplace_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
#endif
// i2a_ASN1_OBJECT(bio, basic_resp->signature); // i2a_ASN1_OBJECT(bio, basic_resp->signature);
// len = BIO_read(bio, buf, sizeof(buf)); // len = BIO_read(bio, buf, sizeof(buf));
@ -567,11 +517,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) {
certs_vector = new VectorVal(id::find_type<VectorType>("x509_opaque_vector")); certs_vector = new VectorVal(id::find_type<VectorType>("x509_opaque_vector"));
vl.emplace_back(AdoptRef{}, certs_vector); vl.emplace_back(AdoptRef{}, certs_vector);
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
certs = basic_resp->certs;
#else
certs = OCSP_resp_get0_certs(basic_resp); certs = OCSP_resp_get0_certs(basic_resp);
#endif
if ( certs ) { if ( certs ) {
int num_certs = sk_X509_num(certs); int num_certs = sk_X509_num(certs);
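Review bot: In the OCSP::ParseRequest hunk, `uint64_t version = 0;` is now immediately followed by `version = parse_request_version(req);` with nothing in between, so the two lines can be merged into `uint64_t version = parse_request_version(req);`. In the ParseResponse hunk at `@ -425,20 +400,10 @@`, the only assignments to `resp_data` were in the removed pre-1.1.0 block; if `resp_data` is still declared earlier in OCSP::ParseResponse (outside this diff), it is now an unused variable and should go too. Both functions start and end outside the hunks shown.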


@ -161,13 +161,9 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val, file_analysis::File* f) {
pX509Cert->Assign(7, buf); pX509Cert->Assign(7, buf);
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
i2a_ASN1_OBJECT(bio, ssl_cert->sig_alg->algorithm);
#else
const ASN1_OBJECT* alg; const ASN1_OBJECT* alg;
X509_ALGOR_get0(&alg, nullptr, nullptr, X509_get0_tbs_sigalg(ssl_cert)); X509_ALGOR_get0(&alg, nullptr, nullptr, X509_get0_tbs_sigalg(ssl_cert));
i2a_ASN1_OBJECT(bio, alg); i2a_ASN1_OBJECT(bio, alg);
#endif
len = BIO_gets(bio, buf, sizeof(buf)); len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(13, make_intrusive<StringVal>(len, buf)); pX509Cert->Assign(13, make_intrusive<StringVal>(len, buf));
BIO_free(bio); BIO_free(bio);
@ -349,11 +345,7 @@ void X509::ParseSAN(X509_EXTENSION* ext) {
} }
auto len = ASN1_STRING_length(gen->d.ia5); auto len = ASN1_STRING_length(gen->d.ia5);
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
const char* name = (const char*)ASN1_STRING_data(gen->d.ia5);
#else
const char* name = (const char*)ASN1_STRING_get0_data(gen->d.ia5); const char* name = (const char*)ASN1_STRING_get0_data(gen->d.ia5);
#endif
auto bs = make_intrusive<StringVal>(len, name); auto bs = make_intrusive<StringVal>(len, name);
switch ( gen->type ) { switch ( gen->type ) {
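Review bot: In the ParseCertificate hunk, `const ASN1_OBJECT* alg;` is declared uninitialized and then handed to `i2a_ASN1_OBJECT` on the assumption that `X509_ALGOR_get0` filled it in; now that this is the only code path, it is worth making that defensive and explicit with `const ASN1_OBJECT* alg = nullptr;` followed by `if ( alg ) i2a_ASN1_OBJECT(bio, alg);`, so a null pointer can never reach the printer. X509::ParseCertificate continues outside the hunk. In the ParseSAN hunk, the now-unconditional `(const char*)ASN1_STRING_get0_data(gen->d.ia5)` is a C-style cast; the sibling x509_check_cert_hostname hunk already uses `reinterpret_cast<const char*>`, so matching it here keeps the two consistent.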


@ -9,55 +9,6 @@
#include "zeek/OpaqueVal.h" #include "zeek/OpaqueVal.h"
#include "zeek/file_analysis/analyzer/x509/X509Common.h" #include "zeek/file_analysis/analyzer/x509/X509Common.h"
#if ( OPENSSL_VERSION_NUMBER < 0x10002000L )
#define X509_get_signature_nid(x) OBJ_obj2nid((x)->sig_alg->algorithm)
#endif
#if ( OPENSSL_VERSION_NUMBER < 0x1010000fL )
#define X509_OBJECT_new() (X509_OBJECT*)malloc(sizeof(X509_OBJECT))
#define X509_OBJECT_free(a) free(a)
#define OCSP_resp_get0_certs(x) (x)->certs
#define EVP_PKEY_get0_DSA(p) ((p)->pkey.dsa)
#define EVP_PKEY_get0_EC_KEY(p) ((p)->pkey.ec)
#define EVP_PKEY_get0_RSA(p) ((p)->pkey.rsa)
#if ! defined(LIBRESSL_VERSION_NUMBER) || (LIBRESSL_VERSION_NUMBER < 0x2070000fL)
#define OCSP_SINGLERESP_get0_id(s) (s)->certId
static X509* X509_OBJECT_get0_X509(const X509_OBJECT* a) {
if ( a == nullptr || a->type != X509_LU_X509 )
return nullptr;
return a->data.x509;
}
static void DSA_get0_pqg(const DSA* d, const BIGNUM** p, const BIGNUM** q, const BIGNUM** g) {
if ( p != nullptr )
*p = d->p;
if ( q != nullptr )
*q = d->q;
if ( g != nullptr )
*g = d->g;
}
static void RSA_get0_key(const RSA* r, const BIGNUM** n, const BIGNUM** e, const BIGNUM** d) {
if ( n != nullptr )
*n = r->n;
if ( e != nullptr )
*e = r->e;
if ( d != nullptr )
*d = r->d;
}
#endif
#endif
namespace zeek::file_analysis::detail { namespace zeek::file_analysis::detail {
class X509Val; class X509Val;


@ -65,19 +65,8 @@ X509* x509_get_ocsp_signer(const STACK_OF(X509)* certs,
const ASN1_OCTET_STRING* key = nullptr; const ASN1_OCTET_STRING* key = nullptr;
const X509_NAME* name = nullptr; const X509_NAME* name = nullptr;
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
OCSP_RESPID* resp_id = basic_resp->tbsResponseData->responderId;
if ( resp_id->type == V_OCSP_RESPID_NAME )
name = resp_id->value.byName;
else if ( resp_id->type == V_OCSP_RESPID_KEY )
key = resp_id->value.byKey;
else
return nullptr;
#else
if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) ) if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) )
return nullptr; return nullptr;
#endif
if ( name ) if ( name )
return X509_find_by_subject(const_cast<STACK_OF(X509)*>(certs), return X509_find_by_subject(const_cast<STACK_OF(X509)*>(certs),
@ -359,11 +348,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
// Because we actually want to be able to give nice error messages that show why we were // Because we actually want to be able to give nice error messages that show why we were
// not able to verify the OCSP response - do our own verification logic first. // not able to verify the OCSP response - do our own verification logic first.
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
signer = x509_get_ocsp_signer(basic->certs, basic);
#else
signer = x509_get_ocsp_signer(OCSP_resp_get0_certs(basic), basic); signer = x509_get_ocsp_signer(OCSP_resp_get0_certs(basic), basic);
#endif
/* /*
Do this perhaps - OpenSSL also cannot do it, so I do not really feel bad about it. Do this perhaps - OpenSSL also cannot do it, so I do not really feel bad about it.
@ -730,12 +715,7 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa
uint32_t cert_length; uint32_t cert_length;
if ( precert ) if ( precert )
{ {
#if ( OPENSSL_VERSION_NUMBER < 0x10002000L )
x->cert_info->enc.modified = 1;
cert_length = i2d_X509_CINF(x->cert_info, &cert_out);
#else
cert_length = i2d_re_X509_tbs(x, &cert_out); cert_length = i2d_re_X509_tbs(x, &cert_out);
#endif
data.append(reinterpret_cast<const char*>(issuer_key_hash->Bytes()), issuer_key_hash->Len()); data.append(reinterpret_cast<const char*>(issuer_key_hash->Bytes()), issuer_key_hash->Len());
} }
else else
@ -1058,11 +1038,7 @@ function x509_check_cert_hostname%(cert_opaque: opaque of x509, hostname: string
continue; continue;
std::size_t len = ASN1_STRING_length(gen->d.ia5); std::size_t len = ASN1_STRING_length(gen->d.ia5);
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
auto* name = reinterpret_cast<const char*>(ASN1_STRING_data(gen->d.ia5));
#else
auto* name = reinterpret_cast<const char*>(ASN1_STRING_get0_data(gen->d.ia5)); auto* name = reinterpret_cast<const char*>(ASN1_STRING_get0_data(gen->d.ia5));
#endif
std::string_view nameview {name, len}; std::string_view nameview {name, len};
if ( check_hostname(hostview, nameview) ) if ( check_hostname(hostview, nameview) )
{ {
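Review bot: In the sct_verify hunk, `cert_length = i2d_re_X509_tbs(x, &cert_out);` stores an `int` return into `uint32_t cert_length` with no check; `i2d_re_X509_tbs` reports an encoding failure with a negative value, which would wrap to a very large length. Now that this is the only path, capture the result first and bail out on error: `int tbs_len = i2d_re_X509_tbs(x, &cert_out);` / `if ( tbs_len < 0 ) return /* the function's existing failure value */;` / `cert_length = static_cast<uint32_t>(tbs_len);`. The body of sct_verify, including how `cert_length` and `cert_out` are used and released afterwards, is outside the hunk, so the right failure return has to be taken from there.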


@ -97,58 +97,6 @@ int perftools_leaks = 0;
int perftools_profile = 0; int perftools_profile = 0;
#endif #endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L
struct CRYPTO_dynlock_value {
std::mutex mtx;
};
namespace {
std::unique_ptr<std::mutex[]> ssl_mtx_tbl;
void ssl_lock_fn(int mode, int n, const char*, int) {
if ( mode & CRYPTO_LOCK )
ssl_mtx_tbl[static_cast<size_t>(n)].lock();
else
ssl_mtx_tbl[static_cast<size_t>(n)].unlock();
}
CRYPTO_dynlock_value* ssl_dynlock_create(const char*, int) { return new CRYPTO_dynlock_value; }
void ssl_dynlock_lock(int mode, CRYPTO_dynlock_value* ptr, const char*, int) {
if ( mode & CRYPTO_LOCK )
ptr->mtx.lock();
else
ptr->mtx.unlock();
}
void ssl_dynlock_destroy(CRYPTO_dynlock_value* ptr, const char*, int) { delete ptr; }
void do_ssl_init() {
ERR_load_crypto_strings();
OPENSSL_add_all_algorithms_conf();
SSL_library_init();
SSL_load_error_strings();
ssl_mtx_tbl.reset(new std::mutex[CRYPTO_num_locks()]);
CRYPTO_set_locking_callback(ssl_lock_fn);
CRYPTO_set_dynlock_create_callback(ssl_dynlock_create);
CRYPTO_set_dynlock_lock_callback(ssl_dynlock_lock);
CRYPTO_set_dynlock_destroy_callback(ssl_dynlock_destroy);
}
void do_ssl_deinit() {
ERR_free_strings();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
CRYPTO_set_locking_callback(nullptr);
CRYPTO_set_dynlock_create_callback(nullptr);
CRYPTO_set_dynlock_lock_callback(nullptr);
CRYPTO_set_dynlock_destroy_callback(nullptr);
ssl_mtx_tbl.reset();
}
} // namespace
#else
namespace { namespace {
void do_ssl_init() { OPENSSL_init_ssl(0, nullptr); } void do_ssl_init() { OPENSSL_init_ssl(0, nullptr); }
@ -160,7 +108,6 @@ void do_ssl_deinit() {
} }
} // namespace } // namespace
#endif
zeek::ValManager* zeek::val_mgr = nullptr; zeek::ValManager* zeek::val_mgr = nullptr;
zeek::packet_analysis::Manager* zeek::packet_mgr = nullptr; zeek::packet_analysis::Manager* zeek::packet_mgr = nullptr;
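Review bot: `do_ssl_init()` discards the return value of `OPENSSL_init_ssl(0, nullptr)`, which signals failure by returning 0; with the legacy explicit-init path removed this call is now the sole initialization of the library, so a failure would surface only later as a misbehaving OpenSSL call. Consider `if ( OPENSSL_init_ssl(0, nullptr) != 1 )` followed by whatever fatal-error reporting is available this early in startup (the reporter may not exist yet, so a message to stderr and an exit may be what fits). The removed block was also the only visible user of `std::mutex` and `std::unique_ptr` in this file, so if `<mutex>` was included for it, that include is likely dead now; the enclosing anonymous namespace ends outside the hunk.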