From: Jason Ish
Date: Tue, 22 Dec 2020 22:18:01 +0000 (-0600)
Subject: filestore: remove requirement of nss for filestore
X-Git-Tag: suricata-7.0.0-beta1~1905
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e50ee7eb6251ab82097e19a84fdfeba6e7f0c1a3;p=thirdparty%2Fsuricata.git
filestore: remove requirement of nss for filestore
Required including NSS header in places that depended on util-file.h including it. All filestore suricata-verify tests now pass without libnss. Also enabled detect-file{md5,sha1,sha256} without NSS support.
---
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 99701b4d66..bc012e3a4f 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -54,6 +54,10 @@
 #include "flow-private.h"
 #include "util-validate.h"
+#ifdef HAVE_NSS
+#include
+#endif
+
 SCEnumCharMap tls_decoder_event_table[ ] = {
 /* TLS protocol messages */
 { "INVALID_SSLV2_HEADER", TLS_DECODER_EVENT_INVALID_SSLV2_HEADER },
diff --git a/src/detect-file-hash-common.c b/src/detect-file-hash-common.c
index cdd766bc23..27636618a1 100644
--- a/src/detect-file-hash-common.c
+++ b/src/detect-file-hash-common.c
@@ -32,8 +32,6 @@
 #include "app-layer-htp.h"
-#ifdef HAVE_NSS
-
 /**
 * \brief Read the bytes of a hash from an hexadecimal string
 *
@@ -379,5 +377,3 @@ void DetectFileHashFree(DetectEngineCtx *de_ctx, void *ptr)
 SCFree(filehash);
 }
 }
-
-#endif /* HAVE_NSS */
diff --git a/src/detect-filemd5.c b/src/detect-filemd5.c
index 5ca10ee159..12c1d19081 100644
--- a/src/detect-filemd5.c
+++ b/src/detect-filemd5.c
@@ -31,29 +31,6 @@
 #include "detect-filemd5.h"
-#ifndef HAVE_NSS
-
-static int DetectFileMd5SetupNoSupport (DetectEngineCtx *a, Signature *b, const char *c)
-{
- SCLogError(SC_ERR_NO_MD5_SUPPORT, "no MD5 calculation support built in, needed for filemd5 keyword");
- return -1;
-}
-
-/**
- * \brief Registration function for keyword: filemd5
- */
-void DetectFileMd5Register(void)
-{
- sigmatch_table[DETECT_FILEMD5].name = "filemd5";
- sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5SetupNoSupport;
- sigmatch_table[DETECT_FILEMD5].flags = SIGMATCH_NOT_BUILT;
-
- SCLogDebug("registering filemd5 rule option");
- return;
-}
-
-#else /* HAVE_NSS */
-
 static int g_file_match_list_id = 0;
 static int DetectFileMd5Setup (DetectEngineCtx *, Signature *, const char *);
@@ -159,6 +136,3 @@ void DetectFileMd5RegisterTests(void)
 UtRegisterTest("MD5MatchTest01", MD5MatchTest01);
 }
 #endif
-
-#endif /* HAVE_NSS */
-
diff --git a/src/detect-filesha1.c b/src/detect-filesha1.c
index 153d4e2cbe..6eef33c608 100644
--- a/src/detect-filesha1.c
+++ b/src/detect-filesha1.c
@@ -32,29 +32,6 @@
 #include "detect-filesha1.h"
-#ifndef HAVE_NSS
-
-static int DetectFileSha1SetupNoSupport (DetectEngineCtx *a, Signature *b, const char *c)
-{
- SCLogError(SC_ERR_NO_SHA1_SUPPORT, "no SHA-1 calculation support built in, needed for filesha1 keyword");
- return -1;
-}
-
-/**
- * \brief Registration function for keyword: filesha1
- */
-void DetectFileSha1Register(void)
-{
- sigmatch_table[DETECT_FILESHA1].name = "filesha1";
- sigmatch_table[DETECT_FILESHA1].Setup = DetectFileSha1SetupNoSupport;
- sigmatch_table[DETECT_FILESHA1].flags = SIGMATCH_NOT_BUILT;
-
- SCLogDebug("registering filesha1 rule option");
- return;
-}
-
-#else /* HAVE_NSS */
-
 static int DetectFileSha1Setup (DetectEngineCtx *, Signature *, const char *);
 #ifdef UNITTESTS
 static void DetectFileSha1RegisterTests(void);
@@ -145,4 +122,3 @@ static void DetectFileSha1RegisterTests(void)
 UtRegisterTest("SHA1MatchTest01", SHA1MatchTest01);
 }
 #endif
-#endif /* HAVE_NSS */
diff --git a/src/detect-filesha256.c b/src/detect-filesha256.c
index d76e97442c..e5656a3149 100644
--- a/src/detect-filesha256.c
+++ b/src/detect-filesha256.c
@@ -32,29 +32,6 @@
 #include "detect-filesha256.h"
-#ifndef HAVE_NSS
-
-static int DetectFileSha256SetupNoSupport (DetectEngineCtx *a, Signature *b, const char *c)
-{
- SCLogError(SC_ERR_NO_SHA256_SUPPORT, "no SHA-256 calculation support built in, needed for filesha256 keyword");
- return -1;
-}
-
-/**
- * \brief Registration function for keyword: filesha256
- */
-void DetectFileSha256Register(void)
-{
- sigmatch_table[DETECT_FILESHA256].name = "filesha256";
- sigmatch_table[DETECT_FILESHA256].Setup = DetectFileSha256SetupNoSupport;
- sigmatch_table[DETECT_FILESHA256].flags = SIGMATCH_NOT_BUILT;
-
- SCLogDebug("registering filesha256 rule option");
- return;
-}
-
-#else /* HAVE_NSS */
-
 static int DetectFileSha256Setup (DetectEngineCtx *, Signature *, const char *);
 #ifdef UNITTESTS
 static void DetectFileSha256RegisterTests(void);
@@ -160,4 +137,3 @@ void DetectFileSha256RegisterTests(void)
 UtRegisterTest("SHA256MatchTest01", SHA256MatchTest01);
 }
 #endif
-#endif /* HAVE_NSS */
diff --git a/src/detect-transform-md5.c b/src/detect-transform-md5.c
index d8817252dd..be896e3014 100644
--- a/src/detect-transform-md5.c
+++ b/src/detect-transform-md5.c
@@ -34,6 +34,10 @@
 #include "util-unittest.h"
 #include "util-print.h"
+#ifdef HAVE_NSS
+#include
+#endif
+
 static int DetectTransformToMd5Setup (DetectEngineCtx *, Signature *, const char *);
 #ifdef HAVE_NSS
 #ifdef UNITTESTS
diff --git a/src/detect-transform-sha1.c b/src/detect-transform-sha1.c
index 33df794d2c..8de1cb3896 100644
--- a/src/detect-transform-sha1.c
+++ b/src/detect-transform-sha1.c
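Review bot: The new `#ifdef HAVE_NSS` include block in detect-transform-md5.c sits two lines above a pre-existing `#ifdef HAVE_NSS` guard in the same hunk, so to_md5 presumably still calls NSS directly and stays unavailable in builds without libnss, while filemd5 in this same commit no longer does. If that split is intended, a one-line comment above the new include, e.g. `/* to_md5 still hashes via NSS; not yet moved to the SCMd5 API used by util-file.c */`, would stop the next reader from assuming the transform was ported as well. The same applies to the detect-transform-sha1.c and detect-transform-sha256.c hunks.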
@@ -34,6 +34,10 @@
 #include "util-unittest.h"
 #include "util-print.h"
+#ifdef HAVE_NSS
+#include
+#endif
+
 static int DetectTransformToSha1Setup (DetectEngineCtx *, Signature *, const char *);
 #ifdef HAVE_NSS
 #ifdef UNITTESTS
diff --git a/src/detect-transform-sha256.c b/src/detect-transform-sha256.c
index f7088746a1..0c6a15c3a4 100644
--- a/src/detect-transform-sha256.c
+++ b/src/detect-transform-sha256.c
@@ -34,6 +34,10 @@
 #include "util-unittest.h"
 #include "util-print.h"
+#ifdef HAVE_NSS
+#include
+#endif
+
 static int DetectTransformToSha256Setup (DetectEngineCtx *, Signature *, const char *);
 #ifdef HAVE_NSS
 #ifdef UNITTESTS
diff --git a/src/output-filestore.c b/src/output-filestore.c
index a3f95c2362..00ae764a27 100644
--- a/src/output-filestore.c
+++ b/src/output-filestore.c
@@ -32,13 +32,11 @@
 #include "util-print.h"
 #include "util-misc.h"
-#ifdef HAVE_NSS
-
 #define MODULE_NAME "OutputFilestore"
 /* Create a filestore specific PATH_MAX that is less than the system
 * PATH_MAX to prevent newer gcc truncation warnings with snprint. */
-#define SHA256_STRING_LEN (SHA256_LENGTH * 2)
+#define SHA256_STRING_LEN (SC_SHA256_LEN * 2)
 #define LEAF_DIR_MAX_LEN 4
 #define FILESTORE_PREFIX_MAX (PATH_MAX - SHA256_STRING_LEN - LEAF_DIR_MAX_LEN)
@@ -129,7 +127,7 @@ static void OutputFilestoreFinalizeFiles(ThreadVars *tv, const Packet *p,
 File *ff, uint8_t dir)
 {
 /* Stringify the SHA256 which will be used in the final
 * filename. */
- char sha256string[(SHA256_LENGTH * 2) + 1];
+ char sha256string[(SC_SHA256_LEN * 2) + 1];
 PrintHexString(sha256string, sizeof(sha256string), ff->sha256, sizeof(ff->sha256));
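Review bot: `char sha256string[(SC_SHA256_LEN * 2) + 1];` in OutputFilestoreFinalizeFiles re-derives a value that the first hunk of output-filestore.c already names as `SHA256_STRING_LEN`, so the buffer and the `FILESTORE_PREFIX_MAX` path arithmetic can drift apart if the length constant is touched again. Writing it as `char sha256string[SHA256_STRING_LEN + 1];` ties the hex buffer to the same constant the path length is computed from. OutputFilestoreFinalizeFiles continues past the end of the hunk.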
@@ -535,11 +533,8 @@ static OutputInitResult OutputFilestoreLogInitCtx(ConfNode *conf)
 SCReturnCT(result, "OutputInitResult");
 }
-#endif /* HAVE_NSS */
-
 void OutputFilestoreRegister(void)
 {
-#ifdef HAVE_NSS
 OutputRegisterFiledataModule(LOGGER_FILE_STORE, MODULE_NAME, "file-store", OutputFilestoreLogInitCtx, OutputFilestoreLogger, OutputFilestoreLogThreadInit, OutputFilestoreLogThreadDeinit,
@@ -547,5 +542,4 @@ void OutputFilestoreRegister(void)
 SC_ATOMIC_INIT(filestore_open_file_cnt);
 SC_ATOMIC_SET(filestore_open_file_cnt, 0);
-#endif
 }
diff --git a/src/output-json.c b/src/output-json.c
index 1c1bda58b5..c13eef6fc0 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -156,7 +156,6 @@ void EveFileInfo(JsonBuilder *jb, const File *ff, const bool stored)
 switch (ff->state) {
 case FILE_STATE_CLOSED:
 JB_SET_STRING(jb, "state", "CLOSED");
-#ifdef HAVE_NSS
 if (ff->flags & FILE_MD5) {
 size_t x;
 int i;
@@ -175,7 +174,6 @@ void EveFileInfo(JsonBuilder *jb, const File *ff, const bool stored)
 }
 jb_set_string(jb, "sha1", str);
 }
-#endif
 break;
 case FILE_STATE_TRUNCATED:
 JB_SET_STRING(jb, "state", "TRUNCATED");
@@ -188,7 +186,6 @@ void EveFileInfo(JsonBuilder *jb, const File *ff, const bool stored)
 break;
 }
-#ifdef HAVE_NSS
 if (ff->flags & FILE_SHA256) {
 size_t x;
 int i;
@@ -198,7 +195,6 @@ void EveFileInfo(JsonBuilder *jb, const File *ff, const bool stored)
 }
 jb_set_string(jb, "sha256", str);
 }
-#endif
 if (stored) {
 JB_SET_TRUE(jb, "stored");
diff --git a/src/util-decode-mime.h b/src/util-decode-mime.h
index 29dd75bc2c..c070748f5e 100644
--- a/src/util-decode-mime.h
+++ b/src/util-decode-mime.h
@@ -25,6 +25,10 @@
 #ifndef MIME_DECODE_H_
 #define MIME_DECODE_H_
+#ifdef HAVE_NSS
+#include
+#endif
+
 #include
 #include
 #include
diff --git a/src/util-file.c b/src/util-file.c
index fa3e40a082..ea9fe2a456 100644
--- a/src/util-file.c
+++ b/src/util-file.c
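Review bot: The guarded NSS include added to util-decode-mime.h puts the library dependency back into a public header, which is exactly the coupling the util-file.h hunk of this commit removes; every translation unit that includes util-decode-mime.h now transitively pulls in NSS whenever HAVE_NSS is set. Unless a declaration in this header itself uses an NSS type, the include belongs in util-decode-mime.c next to the code that calls NSS. If it has to stay in the header, a short comment naming the declaration that needs it, e.g. `/* needed by the decoder state declared below — see <name of struct> */` with the real name filled in, would document why this header cannot drop it the way util-file.h did.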
@@ -88,9 +88,7 @@ static uint32_t g_file_store_reassembly_depth = 0;
 /* prototypes */
 static void FileFree(File *);
-#ifdef HAVE_NSS
 static void FileEndSha256(File *ff);
-#endif
 void FileForceFilestoreEnable(void)
 {
@@ -183,12 +181,8 @@ void FileForceHashParseCfg(ConfNode *conf)
 "found. Please use 'force-hash: [md5]' instead");
 if (ConfValIsTrue(force_md5)) {
-#ifdef HAVE_NSS
 FileForceMd5Enable();
 SCLogInfo("forcing md5 calculation for logged files");
-#else
- SCLogInfo("md5 calculation requires linking against libnss");
-#endif
 }
 }
@@ -200,30 +194,18 @@ void FileForceHashParseCfg(ConfNode *conf)
 TAILQ_FOREACH(field, &forcehash_node->head, next) {
 if (strcasecmp("md5", field->val) == 0) {
-#ifdef HAVE_NSS
 FileForceMd5Enable();
 SCLogConfig("forcing md5 calculation for logged or stored files");
-#else
- SCLogInfo("md5 calculation requires linking against libnss");
-#endif
 }
 if (strcasecmp("sha1", field->val) == 0) {
-#ifdef HAVE_NSS
 FileForceSha1Enable();
 SCLogConfig("forcing sha1 calculation for logged or stored files");
-#else
- SCLogInfo("sha1 calculation requires linking against libnss");
-#endif
 }
 if (strcasecmp("sha256", field->val) == 0) {
-#ifdef HAVE_NSS
 FileForceSha256Enable();
 SCLogConfig("forcing sha256 calculation for logged or stored files");
-#else
- SCLogInfo("sha256 calculation requires linking against libnss");
-#endif
 }
 }
 }
@@ -526,14 +508,12 @@ static void FileFree(File *ff)
 StreamingBufferFree(ff->sb);
 }
-#ifdef HAVE_NSS
 if (ff->md5_ctx)
 SCMd5Free(ff->md5_ctx);
 if (ff->sha1_ctx)
 SCSha1Free(ff->sha1_ctx);
 if (ff->sha256_ctx)
 SCSha256Free(ff->sha256_ctx);
-#endif
 SCFree(ff);
 }
@@ -612,7 +592,6 @@ static int AppendData(File *file, const uint8_t *data, uint32_t data_len)
 SCReturnInt(-1);
 }
-#ifdef HAVE_NSS
 if (file->md5_ctx) {
 SCMd5Update(file->md5_ctx, data, data_len);
 }
@@ -622,7 +601,6 @@ static int AppendData(File *file, const uint8_t *data, uint32_t data_len)
 if (file->sha256_ctx) {
 SCSha256Update(file->sha256_ctx, data, data_len);
 }
-#endif
 SCReturnInt(0);
 }
@@ -670,7 +648,6 @@ static int FileAppendDataDo(File *ff, const uint8_t *data, uint32_t data_len)
 if ((ff->flags & FILE_USE_DETECT) == 0 && FileStoreNoStoreCheck(ff) == 1) {
-#ifdef HAVE_NSS
 int hash_done = 0;
 /* no storage but forced hashing */
 if (ff->md5_ctx) {
@@ -688,7 +665,7 @@ static int FileAppendDataDo(File *ff, const uint8_t *data, uint32_t data_len)
 if (hash_done)
 SCReturnInt(0);
-#endif
+
 if (g_file_force_tracking || (!(ff->flags & FILE_NOTRACK)))
 SCReturnInt(0);
@@ -886,7 +863,6 @@ static File *FileOpenFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg
 ff->flags |= FILE_USE_DETECT;
 }
-#ifdef HAVE_NSS
 if (!(ff->flags & FILE_NOMD5) || g_file_force_md5) {
 ff->md5_ctx = SCMd5New();
 }
@@ -896,7 +872,6 @@ static File *FileOpenFile(FileContainer *ffc, const StreamingBufferConfig *sbcfg
 if (!(ff->flags & FILE_NOSHA256) || g_file_force_sha256) {
 ff->sha256_ctx = SCSha256New();
 }
-#endif
 ff->state = FILE_STATE_OPENED;
 SCLogDebug("flowfile state transitioned to FILE_STATE_OPENED");
@@ -950,7 +925,6 @@ int FileCloseFilePtr(File *ff, const uint8_t *data,
 if (data != NULL) {
 ff->size += data_len;
 if (ff->flags & FILE_NOSTORE) {
-#ifdef HAVE_NSS
 /* no storage but hashing */
 if (ff->md5_ctx)
 SCMd5Update(ff->md5_ctx, data, data_len);
@@ -958,7 +932,6 @@ int FileCloseFilePtr(File *ff, const uint8_t *data,
 SCSha1Update(ff->sha1_ctx, data, data_len);
 if (ff->sha256_ctx)
 SCSha256Update(ff->sha256_ctx, data, data_len);
-#endif
 } else {
 if (AppendData(ff, data, data_len) != 0) {
 ff->state = FILE_STATE_ERROR;
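Review bot: In FileOpenFile, `ff->md5_ctx = SCMd5New();` and `ff->sha256_ctx = SCSha256New();` (the sha1 case sits between the two hunks) assign the constructor result without checking it, so if a constructor can return NULL the file is tracked with no hash context, every later `if (ff->md5_ctx)` guard silently skips hashing, and, judging by FileEndSha256 below, the FILE_SHA256 flag is then never set even when hashing was forced through force-hash. That was already true under the old `#ifdef HAVE_NSS` block, but it now holds for every build. If SCMd5New/SCSha256New can fail, a one-line log next to each assignment, e.g. `if (ff->md5_ctx == NULL) SCLogDebug("md5 ctx allocation failed, file will not be hashed");`, would make a missing hash in EVE output diagnosable rather than silent. FileOpenFile starts outside the hunk.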
@@ -975,17 +948,14 @@ int FileCloseFilePtr(File *ff, const uint8_t *data,
 SCLogDebug("not storing this file");
 ff->flags |= FILE_NOSTORE;
 } else {
-#ifdef HAVE_NSS
 if (g_file_force_sha256 && ff->sha256_ctx) {
 FileEndSha256(ff);
 }
-#endif
 }
 } else {
 ff->state = FILE_STATE_CLOSED;
 SCLogDebug("flowfile state transitioned to FILE_STATE_CLOSED");
-#ifdef HAVE_NSS
 if (ff->md5_ctx) {
 SCMd5Finalize(ff->md5_ctx, ff->md5, sizeof(ff->md5));
 ff->md5_ctx = NULL;
@@ -999,7 +969,6 @@ int FileCloseFilePtr(File *ff, const uint8_t *data,
 if (ff->sha256_ctx) {
 FileEndSha256(ff);
 }
-#endif
 }
 SCReturnInt(0);
@@ -1080,14 +1049,12 @@ void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction
 if (set_file_flags & (FLOWFILE_NO_MAGIC_TS|FLOWFILE_NO_MAGIC_TC))
 per_file_flags |= FILE_NOMAGIC;
 #endif
-#ifdef HAVE_NSS
 if (set_file_flags & (FLOWFILE_NO_MD5_TS|FLOWFILE_NO_MD5_TC))
 per_file_flags |= FILE_NOMD5;
 if (set_file_flags & (FLOWFILE_NO_SHA1_TS|FLOWFILE_NO_SHA1_TC))
 per_file_flags |= FILE_NOSHA1;
 if (set_file_flags & (FLOWFILE_NO_SHA256_TS|FLOWFILE_NO_SHA256_TC))
 per_file_flags |= FILE_NOSHA256;
-#endif
 if (set_file_flags & (FLOWFILE_NO_SIZE_TS|FLOWFILE_NO_SIZE_TC))
 per_file_flags |= FILE_NOTRACK;
 if (set_file_flags & (FLOWFILE_NO_STORE_TS|FLOWFILE_NO_STORE_TC))
@@ -1098,7 +1065,6 @@ void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction
 for (File *ptr = ffc->head; ptr != NULL; ptr = ptr->next) {
 ptr->flags |= per_file_flags;
-#ifdef HAVE_NSS
 /* destroy any ctx we may have so far */
 if ((per_file_flags & FILE_NOSHA256) && ptr->sha256_ctx != NULL)
@@ -1118,7 +1084,6 @@ void FileUpdateFlowFileFlags(Flow *f, uint16_t set_file_flags, uint8_t direction
 SCMd5Free(ptr->md5_ctx);
 ptr->md5_ctx = NULL;
 }
-#endif
 }
 }
 }
@@ -1250,7 +1215,6 @@ void FileTruncateAllOpenFiles(FileContainer *fc)
 /**
 * \brief Finish the SHA256 calculation.
 */
-#ifdef HAVE_NSS
 static void FileEndSha256(File *ff)
 {
 if (!(ff->flags & FILE_SHA256) && ff->sha256_ctx) {
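Review bot: In the FileCloseFilePtr branch above the `} else {` that sets FILE_STATE_CLOSED (presumably the truncated path), only sha256 is finalized, and only when forced (`if (g_file_force_sha256 && ff->sha256_ctx)`), while md5_ctx and sha1_ctx are left unfinalized and are later just released by FileFree; with the `#ifdef HAVE_NSS` gone this is now the behaviour of every build, and it matches EveFileInfo emitting md5/sha1 only for FILE_STATE_CLOSED. Nothing in the hunk says the asymmetry is deliberate, so a comment on that line, e.g. `/* only a forced sha256 is finalized here; md5/sha1 are never reported for non-closed files */`, would keep a future reader from "fixing" it in one place but not the other. FileCloseFilePtr starts outside the hunk.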
@@ -1259,4 +1223,3 @@ static void FileEndSha256(File *ff)
 ff->flags |= FILE_SHA256;
 }
 }
-#endif
diff --git a/src/util-file.h b/src/util-file.h
index f084f71461..940a53046e 100644
--- a/src/util-file.h
+++ b/src/util-file.h
@@ -25,10 +25,6 @@
 #ifndef __UTIL_FILE_H__
 #define __UTIL_FILE_H__
-#ifdef HAVE_NSS
-#include
-#endif
-
 #include "conf.h"
 #include "util-streaming-buffer.h"
@@ -88,14 +84,12 @@ typedef struct File_ {
 char *magic;
 #endif
 struct File_ *next;
-#ifdef HAVE_NSS
 SCMd5 *md5_ctx;
 uint8_t md5[SC_MD5_LEN];
 SCSha1 *sha1_ctx;
 uint8_t sha1[SC_SHA1_LEN];
 SCSha256 *sha256_ctx;
 uint8_t sha256[SC_SHA256_LEN];
-#endif
 uint64_t content_inspected; /**< used in pruning if FILE_USE_DETECT
 * flag is set */
 uint64_t content_stored;
diff --git a/src/util-ja3.c b/src/util-ja3.c
index c937920009..743ec97bd0 100644
--- a/src/util-ja3.c
+++ b/src/util-ja3.c
@@ -28,6 +28,10 @@
 #include "util-validate.h"
 #include "util-ja3.h"
+#ifdef HAVE_NSS
+#include
+#endif
+
 #define MD5_STRING_LENGTH 33
 /**
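Review bot: With the NSS include dropped from util-file.h, `struct File_` now uses `SCMd5`, `SCSha1`, `SCSha256` and the `SC_*_LEN` constants unconditionally, but neither remaining visible include (`conf.h`, `util-streaming-buffer.h`) obviously declares them, so the header appears to rely on whichever .c file includes it having pulled in the hash API first. Adding the header that declares those types here (presumably the one that also provides the SCMd5New/SCMd5Update calls used in util-file.c) keeps util-file.h self-contained and lets it compile when it is the first include of a translation unit. If that header is already reached through conf.h or util-streaming-buffer.h, a comment saying so next to those includes would save the next reader the search. The struct continues past the end of the hunk.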