From 550c7eb0a758f0ff0e4b7c2af1621819e8dc7c12 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Wed, 24 Sep 2025 17:34:35 -0700 Subject: [PATCH 1/8] Fixes for -O gen-standalone-C++ for tracking BiFs, lambdas, attribute types, and independent globals --- src/script_opt/CPP/Driver.cc | 13 +++++++++++++ src/script_opt/ProfileFunc.cc | 36 ++++++++++++++++++++++++++++------- src/script_opt/ProfileFunc.h | 11 +++++++++++ 3 files changed, 53 insertions(+), 7 deletions(-) diff --git a/src/script_opt/CPP/Driver.cc b/src/script_opt/CPP/Driver.cc index b7cfd4a625..06037eeb42 100644 --- a/src/script_opt/CPP/Driver.cc +++ b/src/script_opt/CPP/Driver.cc @@ -83,9 +83,22 @@ void CPPCompile::Compile(bool report_uncompilable) { accessed_globals.insert(g); for ( auto& ag : pf->AllGlobals() ) all_accessed_globals.insert(ag); + for ( auto& l : pf->Lambdas() ) + // We might not have profiled this previously if none + // of the functions refer to the global. This can + // happen for example for a global "const" table that's + // made available for external lookup use. + pfs->ProfileLambda(l); } } + for ( auto& g : pfs->BiFGlobals() ) + all_accessed_globals.insert(g); + + for ( auto& t : pfs->MainTypes() ) + if ( obj_matches_opt_files(t) == AnalyzeDecision::SHOULD ) + rep_types.insert(TypeRep(t)); + for ( auto& l : pfs->Lambdas() ) if ( obj_matches_opt_files(l) == AnalyzeDecision::SHOULD ) accessed_lambdas.insert(l); diff --git a/src/script_opt/ProfileFunc.cc b/src/script_opt/ProfileFunc.cc index 95bcd405e6..0bf0d7ff96 100644 --- a/src/script_opt/ProfileFunc.cc +++ b/src/script_opt/ProfileFunc.cc @@ -622,6 +622,20 @@ ProfileFuncs::ProfileFuncs(std::vector& funcs, is_compilable_pred pred ComputeSideEffects(); } +void ProfileFuncs::ProfileLambda(const LambdaExpr* l) { + if ( lambdas.contains(l) ) + return; + + lambdas.insert(l); + pending_exprs.push_back(l); + + do + DrainPendingExprs(); + while ( ! pending_exprs.empty() ); + + AnalyzeLambdaProfile(l); +} + bool ProfileFuncs::IsTableWithDefaultAggr(const Type* t) { auto analy = tbl_has_aggr_default.find(t); if ( analy != tbl_has_aggr_default.end() ) @@ -848,14 +862,22 @@ void ProfileFuncs::ComputeBodyHashes(std::vector& funcs) { ComputeProfileHash(f.ProfilePtr()); } - for ( auto& l : lambdas ) { - auto pf = ExprProf(l); - func_profs[l->PrimaryFunc().get()] = pf; - lambda_primaries[l->Name()] = l->PrimaryFunc().get(); + for ( auto& l : lambdas ) + AnalyzeLambdaProfile(l); +} - if ( compute_func_hashes || ! pf->HasHashVal() ) - ComputeProfileHash(pf); - } +void ProfileFuncs::AnalyzeLambdaProfile(const LambdaExpr* l) { + if ( processed_lambdas.contains(l) ) + return; + + processed_lambdas.insert(l); + + auto pf = ExprProf(l); + func_profs[l->PrimaryFunc().get()] = pf; + lambda_primaries[l->Name()] = l->PrimaryFunc().get(); + + if ( compute_func_hashes || ! pf->HasHashVal() ) + ComputeProfileHash(pf); } void ProfileFuncs::ComputeProfileHash(std::shared_ptr pf) { diff --git a/src/script_opt/ProfileFunc.h b/src/script_opt/ProfileFunc.h index d4ad16300e..7b6186eb06 100644 --- a/src/script_opt/ProfileFunc.h +++ b/src/script_opt/ProfileFunc.h @@ -366,6 +366,10 @@ public: ProfileFuncs(std::vector& funcs, is_compilable_pred pred, bool compute_func_hashes, bool full_record_hashes); + // Used to profile additional lambdas that (potentially) weren't part + // of the overall function profiling. + void ProfileLambda(const LambdaExpr* l); + // The following accessors provide a global profile across all of // the (non-skipped) functions in "funcs". See the comments for // the associated member variables for documentation. @@ -449,6 +453,9 @@ protected: // Compute hashes to associate with each function void ComputeBodyHashes(std::vector& funcs); + // For a given lambda, completes analysis of its profile. + void AnalyzeLambdaProfile(const LambdaExpr* l); + // Compute the hash associated with a single function profile. void ComputeProfileHash(std::shared_ptr pf); @@ -540,6 +547,10 @@ protected: // And for lambda's. std::unordered_set lambdas; + // Lambdas that we have already processed. An optimization to avoid + // unnecessary work. + std::unordered_set processed_lambdas; + // Names of generated events. std::unordered_set events; From 01666df3d78e1c1abe416749714d6171bee788e2 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 25 Sep 2025 18:48:34 +0200 Subject: [PATCH 2/8] cluster/zeromq: Fix Cluster::subscribe() block if not initialized If Cluster::init() hasn't been invoked yet, Cluster::subscribe() with the ZeroMQ backend would block because the main_inproc socket didn't yet have a connection from the child thread. Prevent this by connecting the main and child socket pair at construction time. This will queue the subscriptions and start processing them once the child thread has started. --- src/cluster/backend/zeromq/ZeroMQ.cc | 20 ++++--- .../..manager.out | 2 + .../cluster/zeromq/subscribe-before-init.zeek | 55 +++++++++++++++++++ 3 files changed, 68 insertions(+), 9 deletions(-) create mode 100644 testing/btest/Baseline/cluster.zeromq.subscribe-before-init/..manager.out create mode 100644 testing/btest/cluster/zeromq/subscribe-before-init.zeek diff --git a/src/cluster/backend/zeromq/ZeroMQ.cc b/src/cluster/backend/zeromq/ZeroMQ.cc index 4085179b8b..4ce1525987 100644 --- a/src/cluster/backend/zeromq/ZeroMQ.cc +++ b/src/cluster/backend/zeromq/ZeroMQ.cc @@ -85,6 +85,7 @@ ZeroMQBackend::ZeroMQBackend(std::unique_ptr es, std::unique_pt : ThreadedBackend("ZeroMQ", std::move(es), std::move(ls), std::move(ehs), new zeek::detail::OnLoopProcess(this, "ZeroMQ", onloop_queue_hwm)), main_inproc(zmq::socket_t(ctx, zmq::socket_type::pair)), + child_inproc(zmq::socket_t(ctx, zmq::socket_type::pair)), // Counters for block and drop metrics. total_xpub_drops( zeek::telemetry_mgr->CounterInstance("zeek", "cluster_zeromq_xpub_drops", {}, @@ -94,7 +95,13 @@ ZeroMQBackend::ZeroMQBackend(std::unique_ptr es, std::unique_pt "Number of received events dropped due to OnLoop queue full.")), total_msg_errors( zeek::telemetry_mgr->CounterInstance("zeek", "cluster_zeromq_msg_errors", {}, - "Number of events with the wrong number of message parts.")) {} + "Number of events with the wrong number of message parts.")) { + // Establish the socket connection between main thread and child thread + // already in the constructor. This allows Subscribe() and Unsubscribe() + // calls to be delayed until DoInit() was called. + main_inproc.bind("inproc://inproc-bridge"); + child_inproc.connect("inproc://inproc-bridge"); +} ZeroMQBackend::~ZeroMQBackend() { try { @@ -169,10 +176,11 @@ void ZeroMQBackend::DoTerminate() { ctx.shutdown(); // Close the sockets that are used from the main thread, - // the remaining sockets were closed by self_thread during - // shutdown already. + // the remaining sockets except for the child_inproc one + // were closed by self_thread during shutdown already. log_push.close(); main_inproc.close(); + child_inproc.close(); ZEROMQ_DEBUG("Closing ctx"); ctx.close(); @@ -197,7 +205,6 @@ bool ZeroMQBackend::DoInit() { xpub = zmq::socket_t(ctx, zmq::socket_type::xpub); log_push = zmq::socket_t(ctx, zmq::socket_type::push); log_pull = zmq::socket_t(ctx, zmq::socket_type::pull); - child_inproc = zmq::socket_t(ctx, zmq::socket_type::pair); xpub.set(zmq::sockopt::linger, linger_ms); @@ -286,10 +293,6 @@ bool ZeroMQBackend::DoInit() { // // https://funcptr.net/2012/09/10/zeromq---edge-triggered-notification/ - // Setup connectivity between main and child thread. - main_inproc.bind("inproc://inproc-bridge"); - child_inproc.connect("inproc://inproc-bridge"); - // Thread is joined in backend->DoTerminate(), backend outlives it. self_thread = std::thread([](auto* backend) { backend->Run(); }, this); @@ -634,7 +637,6 @@ void ZeroMQBackend::Run() { // Called when Run() terminates. auto deferred_close = util::Deferred([this]() { - child_inproc.close(); xpub.close(); xsub.close(); log_pull.close(); diff --git a/testing/btest/Baseline/cluster.zeromq.subscribe-before-init/..manager.out b/testing/btest/Baseline/cluster.zeromq.subscribe-before-init/..manager.out new file mode 100644 index 0000000000..e4f236ab1a --- /dev/null +++ b/testing/btest/Baseline/cluster.zeromq.subscribe-before-init/..manager.out @@ -0,0 +1,2 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +test(), 42 diff --git a/testing/btest/cluster/zeromq/subscribe-before-init.zeek b/testing/btest/cluster/zeromq/subscribe-before-init.zeek new file mode 100644 index 0000000000..4040fd2399 --- /dev/null +++ b/testing/btest/cluster/zeromq/subscribe-before-init.zeek @@ -0,0 +1,55 @@ +# @TEST-DOC: Regression test Cluster::subscribe() blocking if called in a high-priority zeek_init() handler +# +# @TEST-REQUIRES: have-zeromq +# +# @TEST-GROUP: cluster-zeromq +# +# @TEST-PORT: XPUB_PORT +# @TEST-PORT: XSUB_PORT +# @TEST-PORT: LOG_PULL_PORT +# +# @TEST-EXEC: cp $FILES/zeromq/cluster-layout-simple.zeek cluster-layout.zeek +# @TEST-EXEC: cp $FILES/zeromq/test-bootstrap.zeek zeromq-test-bootstrap.zeek +# +# @TEST-EXEC: zeek --parse-only ./manager.zeek ./worker.zeek +# +# @TEST-EXEC: btest-bg-run manager "ZEEKPATH=$ZEEKPATH:.. && CLUSTER_NODE=manager zeek -b ../manager.zeek >out" +# @TEST-EXEC: btest-bg-run worker "ZEEKPATH=$ZEEKPATH:.. && CLUSTER_NODE=worker-1 zeek -b ../worker.zeek >out" +# +# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-diff ./manager/out + +# @TEST-START-FILE common.zeek +@load ./zeromq-test-bootstrap + +global test: event(c: count) &is_used; + +# @TEST-END-FILE + +# @TEST-START-FILE manager.zeek +@load ./common.zeek + +event zeek_init() &priority=1000000 + { + Cluster::subscribe("test.early"); + } + +event test(c: count) + { + print "test()", c; + } + +event Cluster::node_down(name: string, id: string) + { + terminate(); + } +# @TEST-END-FILE + +# @TEST-START-FILE worker.zeek +@load ./common.zeek +event Cluster::node_up(name: string, id: string) + { + Cluster::publish("test.early", test, 42); + terminate(); + } +# @TEST-END-FILE From 01b4aec0e197db104dfa9a70239ae9311108ce66 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 26 Sep 2025 11:45:32 -0700 Subject: [PATCH 3/8] Remove some additional LibreSSL checks --- src/digest.cc | 2 +- src/file_analysis/analyzer/x509/X509.cc | 2 +- src/file_analysis/analyzer/x509/X509.h | 30 ------------------- src/file_analysis/analyzer/x509/functions.bif | 2 +- 4 files changed, 3 insertions(+), 33 deletions(-) diff --git a/src/digest.cc b/src/digest.cc index 75b8bc0511..68c6747bc0 100644 --- a/src/digest.cc +++ b/src/digest.cc @@ -12,7 +12,7 @@ #include "zeek/Reporter.h" -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) #define EVP_MD_CTX_new EVP_MD_CTX_create #define EVP_MD_CTX_free EVP_MD_CTX_destroy #endif diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index f80856f3cc..0a62cdcf3e 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -349,7 +349,7 @@ void X509::ParseSAN(X509_EXTENSION* ext) { } auto len = ASN1_STRING_length(gen->d.ia5); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) const char* name = (const char*)ASN1_STRING_data(gen->d.ia5); #else const char* name = (const char*)ASN1_STRING_get0_data(gen->d.ia5); diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 7fffb6729a..c6d1a317f9 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -26,36 +26,6 @@ #define EVP_PKEY_get0_EC_KEY(p) ((p)->pkey.ec) #define EVP_PKEY_get0_RSA(p) ((p)->pkey.rsa) -#if ! defined(LIBRESSL_VERSION_NUMBER) || (LIBRESSL_VERSION_NUMBER < 0x2070000fL) - -#define OCSP_SINGLERESP_get0_id(s) (s)->certId - -static X509* X509_OBJECT_get0_X509(const X509_OBJECT* a) { - if ( a == nullptr || a->type != X509_LU_X509 ) - return nullptr; - return a->data.x509; -} - -static void DSA_get0_pqg(const DSA* d, const BIGNUM** p, const BIGNUM** q, const BIGNUM** g) { - if ( p != nullptr ) - *p = d->p; - if ( q != nullptr ) - *q = d->q; - if ( g != nullptr ) - *g = d->g; -} - -static void RSA_get0_key(const RSA* r, const BIGNUM** n, const BIGNUM** e, const BIGNUM** d) { - if ( n != nullptr ) - *n = r->n; - if ( e != nullptr ) - *e = r->e; - if ( d != nullptr ) - *d = r->d; -} - -#endif - #endif namespace zeek::file_analysis::detail { diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index b5b097f09c..a5a79d48db 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -1058,7 +1058,7 @@ function x509_check_cert_hostname%(cert_opaque: opaque of x509, hostname: string continue; std::size_t len = ASN1_STRING_length(gen->d.ia5); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) auto* name = reinterpret_cast(ASN1_STRING_data(gen->d.ia5)); #else auto* name = reinterpret_cast(ASN1_STRING_get0_data(gen->d.ia5)); From 55c6e748ac0468cbadca28b3d73e4f231f2ecac8 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 26 Sep 2025 11:47:02 -0700 Subject: [PATCH 4/8] Remove checks for OpenSSL 1.x versions --- src/OpaqueVal.cc | 4 -- src/digest.cc | 5 -- src/file_analysis/analyzer/x509/OCSP.cc | 54 ------------------- src/file_analysis/analyzer/x509/X509.cc | 8 --- src/file_analysis/analyzer/x509/X509.h | 19 ------- src/file_analysis/analyzer/x509/functions.bif | 24 --------- src/zeek-setup.cc | 53 ------------------ 7 files changed, 167 deletions(-) diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index f318f4bdb7..5fe6956956 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -27,10 +27,6 @@ #include "zeek/probabilistic/BloomFilter.h" #include "zeek/probabilistic/CardinalityCounter.h" -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) -inline void* EVP_MD_CTX_md_data(const EVP_MD_CTX* ctx) { return ctx->md_data; } -#endif - #if ( OPENSSL_VERSION_NUMBER < 0x30000000L ) #include #endif diff --git a/src/digest.cc b/src/digest.cc index 68c6747bc0..aaab7d5cda 100644 --- a/src/digest.cc +++ b/src/digest.cc @@ -12,11 +12,6 @@ #include "zeek/Reporter.h" -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) -#define EVP_MD_CTX_new EVP_MD_CTX_create -#define EVP_MD_CTX_free EVP_MD_CTX_destroy -#endif - static_assert(ZEEK_MD5_DIGEST_LENGTH == MD5_DIGEST_LENGTH); static_assert(ZEEK_SHA_DIGEST_LENGTH == SHA_DIGEST_LENGTH); diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index d46eb72b2e..c1c6f6d473 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -26,28 +26,11 @@ namespace zeek::file_analysis::detail { static constexpr size_t OCSP_STRING_BUF_SIZE = 2048; static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio) { -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - ASN1_OCTET_STRING* key = nullptr; - X509_NAME* name = nullptr; - - if ( ! basic_resp->tbsResponseData ) - return false; - - auto resp_id = basic_resp->tbsResponseData->responderId; - - if ( resp_id->type == V_OCSP_RESPID_NAME ) - name = resp_id->value.byName; - else if ( resp_id->type == V_OCSP_RESPID_KEY ) - key = resp_id->value.byKey; - else - return false; -#else const ASN1_OCTET_STRING* key = nullptr; const X509_NAME* name = nullptr; if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) ) return false; -#endif if ( name ) X509_NAME_print_ex(bio, name, 0, XN_FLAG_ONELINE); @@ -150,8 +133,6 @@ bool OCSP::EndOfFile() { return true; } -#if ( OPENSSL_VERSION_NUMBER >= 0x10100000L ) - struct ASN1Seq { ASN1Seq(const unsigned char** der_in, long length) { decoded = d2i_ASN1_SEQUENCE_ANY(nullptr, der_in, length); } @@ -345,7 +326,6 @@ static uint64_t parse_request_version(OCSP_REQUEST* req) { OPENSSL_free(der_req_dat); return asn1_int; } -#endif void OCSP::ParseRequest(OCSP_REQUEST* req) { char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions @@ -353,13 +333,8 @@ void OCSP::ParseRequest(OCSP_REQUEST* req) { uint64_t version = 0; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - if ( req->tbsRequest->version ) - version = (uint64_t)ASN1_INTEGER_get(req->tbsRequest->version); -#else version = parse_request_version(req); // TODO: try to parse out general name ? -#endif if ( ocsp_request ) event_mgr.Enqueue(ocsp_request, GetFile()->ToVal(), val_mgr->Count(version)); @@ -425,20 +400,10 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { if ( ! basic_resp ) goto clean_up; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - resp_data = basic_resp->tbsResponseData; - if ( ! resp_data ) - goto clean_up; -#endif - vl.emplace_back(GetFile()->ToVal()); vl.emplace_back(std::move(status_val)); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - vl.emplace_back(val_mgr->Count((uint64_t)ASN1_INTEGER_get(resp_data->version))); -#else vl.emplace_back(parse_basic_resp_data_version(basic_resp)); -#endif // responderID if ( OCSP_RESPID_bio(basic_resp, bio) ) { @@ -452,11 +417,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { } // producedAt -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - produced_at = resp_data->producedAt; -#else produced_at = OCSP_resp_get0_produced_at(basic_resp); -#endif vl.emplace_back(make_intrusive(GetTimeFromAsn1(produced_at, GetFile(), reporter))); @@ -477,11 +438,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { // cert id const OCSP_CERTID* cert_id = nullptr; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - cert_id = single_resp->certId; -#else cert_id = OCSP_SINGLERESP_get0_id(single_resp); -#endif ocsp_add_cert_id(cert_id, &rvl, bio); BIO_reset(bio); @@ -550,14 +507,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { } } -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); - len = BIO_read(bio, buf, sizeof(buf)); - vl.emplace_back(make_intrusive(len, buf)); - BIO_reset(bio); -#else vl.emplace_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf))); -#endif // i2a_ASN1_OBJECT(bio, basic_resp->signature); // len = BIO_read(bio, buf, sizeof(buf)); @@ -567,11 +517,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { certs_vector = new VectorVal(id::find_type("x509_opaque_vector")); vl.emplace_back(AdoptRef{}, certs_vector); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - certs = basic_resp->certs; -#else certs = OCSP_resp_get0_certs(basic_resp); -#endif if ( certs ) { int num_certs = sk_X509_num(certs); diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 0a62cdcf3e..6ca730956f 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -161,13 +161,9 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val, file_analysis::File* f) { pX509Cert->Assign(7, buf); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - i2a_ASN1_OBJECT(bio, ssl_cert->sig_alg->algorithm); -#else const ASN1_OBJECT* alg; X509_ALGOR_get0(&alg, nullptr, nullptr, X509_get0_tbs_sigalg(ssl_cert)); i2a_ASN1_OBJECT(bio, alg); -#endif len = BIO_gets(bio, buf, sizeof(buf)); pX509Cert->Assign(13, make_intrusive(len, buf)); BIO_free(bio); @@ -349,11 +345,7 @@ void X509::ParseSAN(X509_EXTENSION* ext) { } auto len = ASN1_STRING_length(gen->d.ia5); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - const char* name = (const char*)ASN1_STRING_data(gen->d.ia5); -#else const char* name = (const char*)ASN1_STRING_get0_data(gen->d.ia5); -#endif auto bs = make_intrusive(len, name); switch ( gen->type ) { diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index c6d1a317f9..42e1d01e5d 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -9,25 +9,6 @@ #include "zeek/OpaqueVal.h" #include "zeek/file_analysis/analyzer/x509/X509Common.h" -#if ( OPENSSL_VERSION_NUMBER < 0x10002000L ) - -#define X509_get_signature_nid(x) OBJ_obj2nid((x)->sig_alg->algorithm) - -#endif - -#if ( OPENSSL_VERSION_NUMBER < 0x1010000fL ) - -#define X509_OBJECT_new() (X509_OBJECT*)malloc(sizeof(X509_OBJECT)) -#define X509_OBJECT_free(a) free(a) - -#define OCSP_resp_get0_certs(x) (x)->certs - -#define EVP_PKEY_get0_DSA(p) ((p)->pkey.dsa) -#define EVP_PKEY_get0_EC_KEY(p) ((p)->pkey.ec) -#define EVP_PKEY_get0_RSA(p) ((p)->pkey.rsa) - -#endif - namespace zeek::file_analysis::detail { class X509Val; diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index a5a79d48db..4718579a6f 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -65,19 +65,8 @@ X509* x509_get_ocsp_signer(const STACK_OF(X509)* certs, const ASN1_OCTET_STRING* key = nullptr; const X509_NAME* name = nullptr; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - OCSP_RESPID* resp_id = basic_resp->tbsResponseData->responderId; - - if ( resp_id->type == V_OCSP_RESPID_NAME ) - name = resp_id->value.byName; - else if ( resp_id->type == V_OCSP_RESPID_KEY ) - key = resp_id->value.byKey; - else - return nullptr; -#else if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) ) return nullptr; -#endif if ( name ) return X509_find_by_subject(const_cast(certs), @@ -359,11 +348,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // Because we actually want to be able to give nice error messages that show why we were // not able to verify the OCSP response - do our own verification logic first. -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - signer = x509_get_ocsp_signer(basic->certs, basic); -#else signer = x509_get_ocsp_signer(OCSP_resp_get0_certs(basic), basic); -#endif /* Do this perhaps - OpenSSL also cannot do it, so I do not really feel bad about it. @@ -730,12 +715,7 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa uint32_t cert_length; if ( precert ) { -#if ( OPENSSL_VERSION_NUMBER < 0x10002000L ) - x->cert_info->enc.modified = 1; - cert_length = i2d_X509_CINF(x->cert_info, &cert_out); -#else cert_length = i2d_re_X509_tbs(x, &cert_out); -#endif data.append(reinterpret_cast(issuer_key_hash->Bytes()), issuer_key_hash->Len()); } else @@ -1058,11 +1038,7 @@ function x509_check_cert_hostname%(cert_opaque: opaque of x509, hostname: string continue; std::size_t len = ASN1_STRING_length(gen->d.ia5); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - auto* name = reinterpret_cast(ASN1_STRING_data(gen->d.ia5)); -#else auto* name = reinterpret_cast(ASN1_STRING_get0_data(gen->d.ia5)); -#endif std::string_view nameview {name, len}; if ( check_hostname(hostview, nameview) ) { diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc index 070aad5308..83d8f7ea63 100644 --- a/src/zeek-setup.cc +++ b/src/zeek-setup.cc @@ -97,58 +97,6 @@ int perftools_leaks = 0; int perftools_profile = 0; #endif -#if OPENSSL_VERSION_NUMBER < 0x10100000L -struct CRYPTO_dynlock_value { - std::mutex mtx; -}; - -namespace { - -std::unique_ptr ssl_mtx_tbl; - -void ssl_lock_fn(int mode, int n, const char*, int) { - if ( mode & CRYPTO_LOCK ) - ssl_mtx_tbl[static_cast(n)].lock(); - else - ssl_mtx_tbl[static_cast(n)].unlock(); -} - -CRYPTO_dynlock_value* ssl_dynlock_create(const char*, int) { return new CRYPTO_dynlock_value; } - -void ssl_dynlock_lock(int mode, CRYPTO_dynlock_value* ptr, const char*, int) { - if ( mode & CRYPTO_LOCK ) - ptr->mtx.lock(); - else - ptr->mtx.unlock(); -} - -void ssl_dynlock_destroy(CRYPTO_dynlock_value* ptr, const char*, int) { delete ptr; } - -void do_ssl_init() { - ERR_load_crypto_strings(); - OPENSSL_add_all_algorithms_conf(); - SSL_library_init(); - SSL_load_error_strings(); - ssl_mtx_tbl.reset(new std::mutex[CRYPTO_num_locks()]); - CRYPTO_set_locking_callback(ssl_lock_fn); - CRYPTO_set_dynlock_create_callback(ssl_dynlock_create); - CRYPTO_set_dynlock_lock_callback(ssl_dynlock_lock); - CRYPTO_set_dynlock_destroy_callback(ssl_dynlock_destroy); -} - -void do_ssl_deinit() { - ERR_free_strings(); - EVP_cleanup(); - CRYPTO_cleanup_all_ex_data(); - CRYPTO_set_locking_callback(nullptr); - CRYPTO_set_dynlock_create_callback(nullptr); - CRYPTO_set_dynlock_lock_callback(nullptr); - CRYPTO_set_dynlock_destroy_callback(nullptr); - ssl_mtx_tbl.reset(); -} - -} // namespace -#else namespace { void do_ssl_init() { OPENSSL_init_ssl(0, nullptr); } @@ -160,7 +108,6 @@ void do_ssl_deinit() { } } // namespace -#endif zeek::ValManager* zeek::val_mgr = nullptr; zeek::packet_analysis::Manager* zeek::packet_mgr = nullptr; From 31d7df915e20b855d5b78f04d9e3ac096d2fa7e3 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Mon, 29 Sep 2025 14:41:11 +0200 Subject: [PATCH 5/8] Supervisor: Make last_signal atomic to squelch data race When the stem process terminates and SIGCHLD is sent to the supervisor, the signal might be handled by the main thread or any other threads that aren't blocking SIGCHLD explicitly. Convert last_signal to a std::atomic such that non-main threads can safely set last_signal without triggering data race as reported by TSAN. This doesn't make it less racy to work last_signal, but it appears we only use it for debug printing anyhow and another option might have been to just remove last_signal altogether. Follow-up for #4849 --- src/supervisor/Supervisor.cc | 2 +- src/supervisor/Supervisor.h | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/supervisor/Supervisor.cc b/src/supervisor/Supervisor.cc index 48894d1f0e..974367c87c 100644 --- a/src/supervisor/Supervisor.cc +++ b/src/supervisor/Supervisor.cc @@ -415,7 +415,7 @@ static ForkResult fork_with_stdio_redirect(const char* where) { void Supervisor::HandleChildSignal() { if ( last_signal >= 0 ) { - DBG_LOG(DBG_SUPERVISOR, "Supervisor received signal %d", last_signal); + DBG_LOG(DBG_SUPERVISOR, "Supervisor received signal %d", last_signal.load()); last_signal = -1; } diff --git a/src/supervisor/Supervisor.h b/src/supervisor/Supervisor.h index c433c0536a..84c5595138 100644 --- a/src/supervisor/Supervisor.h +++ b/src/supervisor/Supervisor.h @@ -3,6 +3,7 @@ #pragma once #include +#include #include #include #include @@ -323,7 +324,7 @@ private: Config config; pid_t stem_pid; - int last_signal = -1; + std::atomic last_signal = -1; std::unique_ptr stem_pipe; detail::LineBufferedPipe stem_stdout; detail::LineBufferedPipe stem_stderr; From 3c16ee9667debc2aaba6458d2e6c699f8fc7f3f8 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 29 Sep 2025 08:21:01 -0700 Subject: [PATCH 6/8] Update docs submodule [nomail] --- CHANGES | 4 ++++ VERSION | 2 +- doc | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 071e2ed187..c30086ef64 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +8.1.0-dev.610 | 2025-09-29 08:21:01 -0700 + + * Update docs submodule [nomail] (Tim Wojtulewicz, Corelight) + 8.1.0-dev.609 | 2025-09-29 13:08:15 +0200 * cluster/zeromq: Fix Cluster::subscribe() block if not initialized (Arne Welzel, Corelight) diff --git a/VERSION b/VERSION index 4b178aee4a..041d214e50 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -8.1.0-dev.609 +8.1.0-dev.610 diff --git a/doc b/doc index 2731def915..8f38ae2fd5 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 2731def9159247e6da8a3191783c89683363689c +Subproject commit 8f38ae2fd563314393eb1ca58c827d26e9966520 From 686f100f0d681941594922f4d2b914a37bb665d5 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 26 Sep 2025 11:45:32 -0700 Subject: [PATCH 7/8] Remove some additional LibreSSL checks --- src/digest.cc | 2 +- src/file_analysis/analyzer/x509/X509.cc | 2 +- src/file_analysis/analyzer/x509/X509.h | 30 ------------------- src/file_analysis/analyzer/x509/functions.bif | 2 +- 4 files changed, 3 insertions(+), 33 deletions(-) diff --git a/src/digest.cc b/src/digest.cc index 75b8bc0511..68c6747bc0 100644 --- a/src/digest.cc +++ b/src/digest.cc @@ -12,7 +12,7 @@ #include "zeek/Reporter.h" -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) #define EVP_MD_CTX_new EVP_MD_CTX_create #define EVP_MD_CTX_free EVP_MD_CTX_destroy #endif diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index f80856f3cc..0a62cdcf3e 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -349,7 +349,7 @@ void X509::ParseSAN(X509_EXTENSION* ext) { } auto len = ASN1_STRING_length(gen->d.ia5); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) const char* name = (const char*)ASN1_STRING_data(gen->d.ia5); #else const char* name = (const char*)ASN1_STRING_get0_data(gen->d.ia5); diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 7fffb6729a..c6d1a317f9 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -26,36 +26,6 @@ #define EVP_PKEY_get0_EC_KEY(p) ((p)->pkey.ec) #define EVP_PKEY_get0_RSA(p) ((p)->pkey.rsa) -#if ! defined(LIBRESSL_VERSION_NUMBER) || (LIBRESSL_VERSION_NUMBER < 0x2070000fL) - -#define OCSP_SINGLERESP_get0_id(s) (s)->certId - -static X509* X509_OBJECT_get0_X509(const X509_OBJECT* a) { - if ( a == nullptr || a->type != X509_LU_X509 ) - return nullptr; - return a->data.x509; -} - -static void DSA_get0_pqg(const DSA* d, const BIGNUM** p, const BIGNUM** q, const BIGNUM** g) { - if ( p != nullptr ) - *p = d->p; - if ( q != nullptr ) - *q = d->q; - if ( g != nullptr ) - *g = d->g; -} - -static void RSA_get0_key(const RSA* r, const BIGNUM** n, const BIGNUM** e, const BIGNUM** d) { - if ( n != nullptr ) - *n = r->n; - if ( e != nullptr ) - *e = r->e; - if ( d != nullptr ) - *d = r->d; -} - -#endif - #endif namespace zeek::file_analysis::detail { diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index b5b097f09c..a5a79d48db 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -1058,7 +1058,7 @@ function x509_check_cert_hostname%(cert_opaque: opaque of x509, hostname: string continue; std::size_t len = ASN1_STRING_length(gen->d.ia5); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER) +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) auto* name = reinterpret_cast(ASN1_STRING_data(gen->d.ia5)); #else auto* name = reinterpret_cast(ASN1_STRING_get0_data(gen->d.ia5)); From a27cc8933559e1ae6637d6d3dca0d6f9b4860828 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 26 Sep 2025 11:47:02 -0700 Subject: [PATCH 8/8] Remove checks for OpenSSL 1.x versions --- src/OpaqueVal.cc | 4 -- src/digest.cc | 5 -- src/file_analysis/analyzer/x509/OCSP.cc | 54 ------------------- src/file_analysis/analyzer/x509/X509.cc | 8 --- src/file_analysis/analyzer/x509/X509.h | 19 ------- src/file_analysis/analyzer/x509/functions.bif | 24 --------- src/zeek-setup.cc | 53 ------------------ 7 files changed, 167 deletions(-) diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc index f318f4bdb7..5fe6956956 100644 --- a/src/OpaqueVal.cc +++ b/src/OpaqueVal.cc @@ -27,10 +27,6 @@ #include "zeek/probabilistic/BloomFilter.h" #include "zeek/probabilistic/CardinalityCounter.h" -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) -inline void* EVP_MD_CTX_md_data(const EVP_MD_CTX* ctx) { return ctx->md_data; } -#endif - #if ( OPENSSL_VERSION_NUMBER < 0x30000000L ) #include #endif diff --git a/src/digest.cc b/src/digest.cc index 68c6747bc0..aaab7d5cda 100644 --- a/src/digest.cc +++ b/src/digest.cc @@ -12,11 +12,6 @@ #include "zeek/Reporter.h" -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) -#define EVP_MD_CTX_new EVP_MD_CTX_create -#define EVP_MD_CTX_free EVP_MD_CTX_destroy -#endif - static_assert(ZEEK_MD5_DIGEST_LENGTH == MD5_DIGEST_LENGTH); static_assert(ZEEK_SHA_DIGEST_LENGTH == SHA_DIGEST_LENGTH); diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index d46eb72b2e..c1c6f6d473 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -26,28 +26,11 @@ namespace zeek::file_analysis::detail { static constexpr size_t OCSP_STRING_BUF_SIZE = 2048; static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio) { -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - ASN1_OCTET_STRING* key = nullptr; - X509_NAME* name = nullptr; - - if ( ! basic_resp->tbsResponseData ) - return false; - - auto resp_id = basic_resp->tbsResponseData->responderId; - - if ( resp_id->type == V_OCSP_RESPID_NAME ) - name = resp_id->value.byName; - else if ( resp_id->type == V_OCSP_RESPID_KEY ) - key = resp_id->value.byKey; - else - return false; -#else const ASN1_OCTET_STRING* key = nullptr; const X509_NAME* name = nullptr; if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) ) return false; -#endif if ( name ) X509_NAME_print_ex(bio, name, 0, XN_FLAG_ONELINE); @@ -150,8 +133,6 @@ bool OCSP::EndOfFile() { return true; } -#if ( OPENSSL_VERSION_NUMBER >= 0x10100000L ) - struct ASN1Seq { ASN1Seq(const unsigned char** der_in, long length) { decoded = d2i_ASN1_SEQUENCE_ANY(nullptr, der_in, length); } @@ -345,7 +326,6 @@ static uint64_t parse_request_version(OCSP_REQUEST* req) { OPENSSL_free(der_req_dat); return asn1_int; } -#endif void OCSP::ParseRequest(OCSP_REQUEST* req) { char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions @@ -353,13 +333,8 @@ void OCSP::ParseRequest(OCSP_REQUEST* req) { uint64_t version = 0; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - if ( req->tbsRequest->version ) - version = (uint64_t)ASN1_INTEGER_get(req->tbsRequest->version); -#else version = parse_request_version(req); // TODO: try to parse out general name ? -#endif if ( ocsp_request ) event_mgr.Enqueue(ocsp_request, GetFile()->ToVal(), val_mgr->Count(version)); @@ -425,20 +400,10 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { if ( ! basic_resp ) goto clean_up; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - resp_data = basic_resp->tbsResponseData; - if ( ! resp_data ) - goto clean_up; -#endif - vl.emplace_back(GetFile()->ToVal()); vl.emplace_back(std::move(status_val)); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - vl.emplace_back(val_mgr->Count((uint64_t)ASN1_INTEGER_get(resp_data->version))); -#else vl.emplace_back(parse_basic_resp_data_version(basic_resp)); -#endif // responderID if ( OCSP_RESPID_bio(basic_resp, bio) ) { @@ -452,11 +417,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { } // producedAt -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - produced_at = resp_data->producedAt; -#else produced_at = OCSP_resp_get0_produced_at(basic_resp); -#endif vl.emplace_back(make_intrusive(GetTimeFromAsn1(produced_at, GetFile(), reporter))); @@ -477,11 +438,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { // cert id const OCSP_CERTID* cert_id = nullptr; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - cert_id = single_resp->certId; -#else cert_id = OCSP_SINGLERESP_get0_id(single_resp); -#endif ocsp_add_cert_id(cert_id, &rvl, bio); BIO_reset(bio); @@ -550,14 +507,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { } } -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); - len = BIO_read(bio, buf, sizeof(buf)); - vl.emplace_back(make_intrusive(len, buf)); - BIO_reset(bio); -#else vl.emplace_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf))); -#endif // i2a_ASN1_OBJECT(bio, basic_resp->signature); // len = BIO_read(bio, buf, sizeof(buf)); @@ -567,11 +517,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) { certs_vector = new VectorVal(id::find_type("x509_opaque_vector")); vl.emplace_back(AdoptRef{}, certs_vector); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - certs = basic_resp->certs; -#else certs = OCSP_resp_get0_certs(basic_resp); -#endif if ( certs ) { int num_certs = sk_X509_num(certs); diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 0a62cdcf3e..6ca730956f 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -161,13 +161,9 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val, file_analysis::File* f) { pX509Cert->Assign(7, buf); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - i2a_ASN1_OBJECT(bio, ssl_cert->sig_alg->algorithm); -#else const ASN1_OBJECT* alg; X509_ALGOR_get0(&alg, nullptr, nullptr, X509_get0_tbs_sigalg(ssl_cert)); i2a_ASN1_OBJECT(bio, alg); -#endif len = BIO_gets(bio, buf, sizeof(buf)); pX509Cert->Assign(13, make_intrusive(len, buf)); BIO_free(bio); @@ -349,11 +345,7 @@ void X509::ParseSAN(X509_EXTENSION* ext) { } auto len = ASN1_STRING_length(gen->d.ia5); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - const char* name = (const char*)ASN1_STRING_data(gen->d.ia5); -#else const char* name = (const char*)ASN1_STRING_get0_data(gen->d.ia5); -#endif auto bs = make_intrusive(len, name); switch ( gen->type ) { diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index c6d1a317f9..42e1d01e5d 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -9,25 +9,6 @@ #include "zeek/OpaqueVal.h" #include "zeek/file_analysis/analyzer/x509/X509Common.h" -#if ( OPENSSL_VERSION_NUMBER < 0x10002000L ) - -#define X509_get_signature_nid(x) OBJ_obj2nid((x)->sig_alg->algorithm) - -#endif - -#if ( OPENSSL_VERSION_NUMBER < 0x1010000fL ) - -#define X509_OBJECT_new() (X509_OBJECT*)malloc(sizeof(X509_OBJECT)) -#define X509_OBJECT_free(a) free(a) - -#define OCSP_resp_get0_certs(x) (x)->certs - -#define EVP_PKEY_get0_DSA(p) ((p)->pkey.dsa) -#define EVP_PKEY_get0_EC_KEY(p) ((p)->pkey.ec) -#define EVP_PKEY_get0_RSA(p) ((p)->pkey.rsa) - -#endif - namespace zeek::file_analysis::detail { class X509Val; diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index a5a79d48db..4718579a6f 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -65,19 +65,8 @@ X509* x509_get_ocsp_signer(const STACK_OF(X509)* certs, const ASN1_OCTET_STRING* key = nullptr; const X509_NAME* name = nullptr; -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - OCSP_RESPID* resp_id = basic_resp->tbsResponseData->responderId; - - if ( resp_id->type == V_OCSP_RESPID_NAME ) - name = resp_id->value.byName; - else if ( resp_id->type == V_OCSP_RESPID_KEY ) - key = resp_id->value.byKey; - else - return nullptr; -#else if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) ) return nullptr; -#endif if ( name ) return X509_find_by_subject(const_cast(certs), @@ -359,11 +348,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // Because we actually want to be able to give nice error messages that show why we were // not able to verify the OCSP response - do our own verification logic first. -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - signer = x509_get_ocsp_signer(basic->certs, basic); -#else signer = x509_get_ocsp_signer(OCSP_resp_get0_certs(basic), basic); -#endif /* Do this perhaps - OpenSSL also cannot do it, so I do not really feel bad about it. @@ -730,12 +715,7 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa uint32_t cert_length; if ( precert ) { -#if ( OPENSSL_VERSION_NUMBER < 0x10002000L ) - x->cert_info->enc.modified = 1; - cert_length = i2d_X509_CINF(x->cert_info, &cert_out); -#else cert_length = i2d_re_X509_tbs(x, &cert_out); -#endif data.append(reinterpret_cast(issuer_key_hash->Bytes()), issuer_key_hash->Len()); } else @@ -1058,11 +1038,7 @@ function x509_check_cert_hostname%(cert_opaque: opaque of x509, hostname: string continue; std::size_t len = ASN1_STRING_length(gen->d.ia5); -#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) - auto* name = reinterpret_cast(ASN1_STRING_data(gen->d.ia5)); -#else auto* name = reinterpret_cast(ASN1_STRING_get0_data(gen->d.ia5)); -#endif std::string_view nameview {name, len}; if ( check_hostname(hostview, nameview) ) { diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc index 070aad5308..83d8f7ea63 100644 --- a/src/zeek-setup.cc +++ b/src/zeek-setup.cc @@ -97,58 +97,6 @@ int perftools_leaks = 0; int perftools_profile = 0; #endif -#if OPENSSL_VERSION_NUMBER < 0x10100000L -struct CRYPTO_dynlock_value { - std::mutex mtx; -}; - -namespace { - -std::unique_ptr ssl_mtx_tbl; - -void ssl_lock_fn(int mode, int n, const char*, int) { - if ( mode & CRYPTO_LOCK ) - ssl_mtx_tbl[static_cast(n)].lock(); - else - ssl_mtx_tbl[static_cast(n)].unlock(); -} - -CRYPTO_dynlock_value* ssl_dynlock_create(const char*, int) { return new CRYPTO_dynlock_value; } - -void ssl_dynlock_lock(int mode, CRYPTO_dynlock_value* ptr, const char*, int) { - if ( mode & CRYPTO_LOCK ) - ptr->mtx.lock(); - else - ptr->mtx.unlock(); -} - -void ssl_dynlock_destroy(CRYPTO_dynlock_value* ptr, const char*, int) { delete ptr; } - -void do_ssl_init() { - ERR_load_crypto_strings(); - OPENSSL_add_all_algorithms_conf(); - SSL_library_init(); - SSL_load_error_strings(); - ssl_mtx_tbl.reset(new std::mutex[CRYPTO_num_locks()]); - CRYPTO_set_locking_callback(ssl_lock_fn); - CRYPTO_set_dynlock_create_callback(ssl_dynlock_create); - CRYPTO_set_dynlock_lock_callback(ssl_dynlock_lock); - CRYPTO_set_dynlock_destroy_callback(ssl_dynlock_destroy); -} - -void do_ssl_deinit() { - ERR_free_strings(); - EVP_cleanup(); - CRYPTO_cleanup_all_ex_data(); - CRYPTO_set_locking_callback(nullptr); - CRYPTO_set_dynlock_create_callback(nullptr); - CRYPTO_set_dynlock_lock_callback(nullptr); - CRYPTO_set_dynlock_destroy_callback(nullptr); - ssl_mtx_tbl.reset(); -} - -} // namespace -#else namespace { void do_ssl_init() { OPENSSL_init_ssl(0, nullptr); } @@ -160,7 +108,6 @@ void do_ssl_deinit() { } } // namespace -#endif zeek::ValManager* zeek::val_mgr = nullptr; zeek::packet_analysis::Manager* zeek::packet_mgr = nullptr;