From 979bf2076985b83612ea01c8e50e5f4bf8979513 Mon Sep 17 00:00:00 2001
From: Florian Wilkens
Date: Fri, 7 May 2021 17:04:16 +0200
Subject: [PATCH] analyzer/ssl: handle missing
---
 cmake | 2 +-
 src/analyzer/protocol/ssl/SSL.cc | 16 ++++++++++++----
 zeek-config.h.in | 3 +++
 3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/cmake b/cmake
index 74259745de..cce53d1500 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 74259745dea5ee4889d1ac1f4ebde4e2c59c329a
+Subproject commit cce53d15008a26dcb1b7eb534a78f52f9355c676
diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc
index ec1ebffea2..072518b8ea 100644
--- a/src/analyzer/protocol/ssl/SSL.cc
+++ b/src/analyzer/protocol/ssl/SSL.cc
@@ -11,7 +11,10 @@
 #include
 #include
-#include
+
+#ifdef OPENSSL_HAVE_KDF_H
+ #include
+#endif
 static void print_hex(std::string name, u_char* data, int len)
 {
@@ -146,6 +149,7 @@ void SSL_Analyzer::SetKeys(const u_char* data, int len)
 bool SSL_Analyzer::TLS12_PRF(const std::string& secret, const std::string& label, const char* rnd1, size_t rnd1_len, const char* rnd2, size_t rnd2_len, u_char* out, size_t out_len)
 {
+#ifdef OPENSSL_HAVE_KDF_H
 // alloc buffers
 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
 size_t seed_len = label.length() + rnd1_len + rnd2_len;
@@ -174,6 +178,7 @@ bool SSL_Analyzer::TLS12_PRF(const std::string& secret, const std::string& label
 abort:
 EVP_PKEY_CTX_free(pctx);
+#endif
 return false;
 }
@@ -201,6 +206,8 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool i
 // Secret present, but no keys derived yet: derive keys
 if ( secret != nullptr && secret->Len() != 0 && ( keys == nullptr || keys->Len() == 0 ) )
 {
+#ifdef OPENSSL_HAVE_KDF_H
+
 DBG_LOG(DBG_ANALYZER, "Deriving TLS keys for connection foo");
 uint32_t ts = htonl((uint32_t) handshake_interp->gmt_unix_time());
 char crand[32] = {0x00};
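Review bot: The `#ifdef OPENSSL_HAVE_KDF_H` guard around the kdf.h include in the `@@ -11` hunk fails closed but silently: if zeek-config.h is not already included above this point (the include list starts outside the hunk), the macro is never defined and the entire TLS key-derivation path drops out of the build even on an OpenSSL that ships the header, with no diagnostic. Naming the macro's origin next to the guard would make that dependency visible, e.g. `// OPENSSL_HAVE_KDF_H is set by the cmake OpenSSL check (zeek-config.h.in); without it TLS12_PRF is compiled out.` An `#else` arm emitting a compile-time message would additionally surface an unexpected fallback in build logs, though that is optional.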
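Review bot: Placing `#ifdef OPENSSL_HAVE_KDF_H` right after the opening brace of `TLS12_PRF` in the `@@ -146` hunk, with the matching `#endif` in the `@@ -174` hunk just before `return false;`, turns the fallback build into a body of nothing but `return false;`, so all eight parameters are unused there and will warn under `-Wunused-parameter` if the build enables `-Wextra`. The resulting contract, that the function reports failure whenever the KDF API is unavailable, is not stated anywhere in either hunk; a comment on the guard would help: `// Without <openssl/kdf.h> there is no EVP_PKEY_TLS1_PRF; the derivation is compiled out and this function always returns false.` The body between the two hunks is not visible here, so I am assuming no other return statement survives outside the guarded region.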
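Review bot: In a build without `OPENSSL_HAVE_KDF_H` the derivation block inside `if ( secret != nullptr && ... )` in the `@@ -201` hunk becomes empty (its `#endif` lands in the `@@ -221` hunk, immediately before the closing brace), so a connection that has a secret re-enters this branch on every application-data record and decryption silently never happens; the only trace is the final `return false`. An operator who configured key logging gets no signal that the feature is compiled out. An `#else` arm on that `#endif` would at least make it observable, e.g. `#else` / `DBG_LOG(DBG_ANALYZER, "TLS key derivation unavailable: built without openssl/kdf.h");` / `#endif`, and a one-time reporter warning would be better than a per-record debug line if the analyzer has access to it (not visible here). Rejecting the secret where it is set would avoid the repeated re-entry altogether, but that code is outside the diff.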
@@ -221,7 +228,8 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool i
 // save derived keys
 SetKeys(keybuf, sizeof(keybuf));
- }
+#endif
+ }
 // Keys present: decrypt TLS application data
 if ( keys != nullptr && keys->Len() != 0 )
@@ -302,9 +310,9 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool i
 delete [] decrypted;
 return true;
- }
+ }
- // This is only reached if key derivation somehow failed
+ // This is only reached if key derivation fails or is unsupported
 return false;
 }
diff --git a/zeek-config.h.in b/zeek-config.h.in
index 8cc0c013d5..cf5d690913 100644
--- a/zeek-config.h.in
+++ b/zeek-config.h.in
@@ -77,6 +77,9 @@
 /* Compatibility for Darwin */
 #cmakedefine NEED_NAMESER_COMPAT_H
+/* openssl/kdf.h for TLS PRF (key derivation) */
+#cmakedefine OPENSSL_HAVE_KDF_H
+
 /* d2i_x509 uses const char** */
 #cmakedefine OPENSSL_D2I_X509_USES_CONST_CHAR
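Review bot: The reworded comment `// This is only reached if key derivation fails or is unsupported` in the `@@ -302` hunk is still too narrow: from the two guards visible in the `@@ -201` and `@@ -221` hunks, the final `return false` is also reached whenever no secret was set for the connection (`secret == nullptr` or `secret->Len() == 0`), which for a passive analyzer is presumably the common case unless the caller filters it out (the caller is not visible here). Suggest `// Reached when no secret is available, or when key derivation failed or is unsupported in this build.` The `-}`/`+}` pair above it is a whitespace-only change.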