Deprecate EventMgr::QueueEvent() and update usages to Enqueue()

src/file_analysis/analyzer/x509/OCSP.cc

@@ -75,7 +75,7 @@ static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio)
 	return true;
 	}
 
-bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, val_list* vl, BIO* bio)
+static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bio)
 	{
 	ASN1_OBJECT*       hash_alg         = nullptr;
 	ASN1_OCTET_STRING* issuer_name_hash = nullptr;
@@ -89,10 +89,10 @@ bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, val_list* vl, BIO* bio)
 	if ( ! res )
 		{
 		reporter->Weird("OpenSSL failed to get OCSP_CERTID info");
-		vl->push_back(val_mgr->GetEmptyString());
-		vl->push_back(val_mgr->GetEmptyString());
-		vl->push_back(val_mgr->GetEmptyString());
-		vl->push_back(val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 		return false;
 		}
 
@@ -101,22 +101,22 @@ bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, val_list* vl, BIO* bio)
 
 	i2a_ASN1_OBJECT(bio, hash_alg);
 	int len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);
 
 	i2a_ASN1_STRING(bio, issuer_name_hash, V_ASN1_OCTET_STRING);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);
 
 	i2a_ASN1_STRING(bio, issuer_key_hash, V_ASN1_OCTET_STRING);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);
 
 	i2a_ASN1_INTEGER(bio, serial_number);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);
 
 	return true;
@@ -430,14 +430,17 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
 	int req_count = OCSP_request_onereq_count(req);
 	for ( int i=0; i<req_count; i++ )
 		{
-		val_list rvl(5);
-		rvl.push_back(GetFile()->GetVal()->Ref());
+		zeek::Args rvl;
+		rvl.reserve(5);
+		rvl.emplace_back(NewRef{}, GetFile()->GetVal());
 
 		OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i);
 		OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req);
 
 		ocsp_add_cert_id(cert_id, &rvl, bio);
-		mgr.QueueEvent(ocsp_request_certificate, std::move(rvl));
+
+		if ( ocsp_request_certificate )
+			mgr.Enqueue(ocsp_request_certificate, std::move(rvl));
 		}
 
 	BIO_free(bio);
@@ -479,7 +482,8 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	//int len = BIO_read(bio, buf, sizeof(buf));
 	//BIO_reset(bio);
 
-	val_list vl(8);
+	zeek::Args vl;
+	vl.reserve(8);
 
 	// get the basic response
 	basic_resp = OCSP_response_get1_basic(resp);
@@ -498,26 +502,26 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 		}
 #endif
 
-	vl.push_back(GetFile()->GetVal()->Ref());
-	vl.push_back(status_val);
+	vl.emplace_back(NewRef{}, GetFile()->GetVal());
+	vl.emplace_back(AdoptRef{}, status_val);
 
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
-	vl.push_back(val_mgr->GetCount((uint64_t)ASN1_INTEGER_get(resp_data->version)));
+	vl.emplace_back(AdoptRef{}, val_mgr->GetCount((uint64_t)ASN1_INTEGER_get(resp_data->version)));
 #else
-	vl.push_back(parse_basic_resp_data_version(basic_resp));
+	vl.emplace_back(AdoptRef{}, parse_basic_resp_data_version(basic_resp));
 #endif
 
 	// responderID
 	if ( OCSP_RESPID_bio(basic_resp, bio) )
 		{
 		len = BIO_read(bio, buf, sizeof(buf));
-		vl.push_back(new StringVal(len, buf));
+		vl.emplace_back(make_intrusive<StringVal>(len, buf));
 		BIO_reset(bio);
 		}
 	else
 		{
 		reporter->Weird("OpenSSL failed to get OCSP responder id");
-		vl.push_back(val_mgr->GetEmptyString());
+		vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 		}
 
 	// producedAt
@@ -527,7 +531,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	produced_at = OCSP_resp_get0_produced_at(basic_resp);
 #endif
 
-	vl.push_back(new Val(GetTimeFromAsn1(produced_at, GetFile(), reporter), TYPE_TIME));
+	vl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(produced_at, GetFile(), reporter), TYPE_TIME));
 
 	// responses
 
@@ -540,8 +544,9 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 		if ( !single_resp )
 			continue;
 
-		val_list rvl(10);
-		rvl.push_back(GetFile()->GetVal()->Ref());
+		zeek::Args rvl;
+		rvl.reserve(10);
+		rvl.emplace_back(NewRef{}, GetFile()->GetVal());
 
 		// cert id
 		const OCSP_CERTID* cert_id = nullptr;
@@ -569,38 +574,39 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 			reporter->Weird("OpenSSL failed to find status of OCSP response");
 
 		const char* cert_status_str = OCSP_cert_status_str(status);
-		rvl.push_back(new StringVal(strlen(cert_status_str), cert_status_str));
+		rvl.emplace_back(make_intrusive<StringVal>(strlen(cert_status_str), cert_status_str));
 
 		// revocation time and reason if revoked
 		if ( status == V_OCSP_CERTSTATUS_REVOKED )
 			{
-			rvl.push_back(new Val(GetTimeFromAsn1(revoke_time, GetFile(), reporter), TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(revoke_time, GetFile(), reporter), TYPE_TIME));
 
 			if ( reason != OCSP_REVOKED_STATUS_NOSTATUS )
 				{
 				const char* revoke_reason = OCSP_crl_reason_str(reason);
-				rvl.push_back(new StringVal(strlen(revoke_reason), revoke_reason));
+				rvl.emplace_back(make_intrusive<StringVal>(strlen(revoke_reason), revoke_reason));
 				}
 			else
-				rvl.push_back(new StringVal(0, ""));
+				rvl.emplace_back(make_intrusive<StringVal>(0, ""));
 			}
 		else
 			{
-			rvl.push_back(new Val(0.0, TYPE_TIME));
-			rvl.push_back(new StringVal(0, ""));
+			rvl.emplace_back(make_intrusive<Val>(0.0, TYPE_TIME));
+			rvl.emplace_back(make_intrusive<StringVal>(0, ""));
 			}
 
 		if ( this_update )
-			rvl.push_back(new Val(GetTimeFromAsn1(this_update, GetFile(), reporter), TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(this_update, GetFile(), reporter), TYPE_TIME));
 		else
-			rvl.push_back(new Val(0.0, TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(0.0, TYPE_TIME));
 
 		if ( next_update )
-			rvl.push_back(new Val(GetTimeFromAsn1(next_update, GetFile(), reporter), TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(next_update, GetFile(), reporter), TYPE_TIME));
 		else
-			rvl.push_back(new Val(0.0, TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(0.0, TYPE_TIME));
 
-		mgr.QueueEvent(ocsp_response_certificate, std::move(rvl));
+		if ( ocsp_response_certificate )
+			mgr.Enqueue(ocsp_response_certificate, std::move(rvl));
 
 		num_ext = OCSP_SINGLERESP_get_ext_count(single_resp);
 		for ( int k = 0; k < num_ext; ++k )
@@ -616,10 +622,10 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
 	i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl.push_back(new StringVal(len, buf));
+	vl.emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);
 #else
-	vl.push_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
+	vl.emplace_back(AdoptRef{}, parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
 #endif
 
 	//i2a_ASN1_OBJECT(bio, basic_resp->signature);
@@ -628,7 +634,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	//BIO_reset(bio);
 
 	certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
-	vl.push_back(certs_vector);
+	vl.emplace_back(AdoptRef{}, certs_vector);
 
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
 	certs = basic_resp->certs;
@@ -650,7 +656,8 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 			}
 	  }
 
-	mgr.QueueEvent(ocsp_response_bytes, std::move(vl));
+	if ( ocsp_response_bytes )
+		mgr.Enqueue(ocsp_response_bytes, std::move(vl));
 
 	// ok, now that we are done with the actual certificate - let's parse extensions :)
 	num_ext = OCSP_BASICRESP_get_ext_count(basic_resp);

src/file_analysis/analyzer/x509/X509.cc

@@ -82,11 +82,11 @@ bool file_analysis::X509::EndOfFile()
 	RecordVal* cert_record = ParseCertificate(cert_val, GetFile());
 
 	// and send the record on to scriptland
-	mgr.QueueEvent(x509_certificate, {
-		GetFile()->GetVal()->Ref(),
-		cert_val->Ref(),
-		cert_record->Ref(), // we Ref it here, because we want to keep a copy around for now...
-	});
+	if ( x509_certificate )
+		mgr.Enqueue(x509_certificate,
+		            IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		            IntrusivePtr{NewRef{}, cert_val},
+		            IntrusivePtr{NewRef{}, cert_record});
 
 	// after parsing the certificate - parse the extensions...
 
@@ -420,7 +420,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 			}
 		}
 
-		RecordVal* sanExt = new RecordVal(BifType::Record::X509::SubjectAlternativeName);
+		auto sanExt = make_intrusive<RecordVal>(BifType::Record::X509::SubjectAlternativeName);
 
 		if ( names != 0 )
 			sanExt->Assign(0, names);
@@ -436,10 +436,9 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 
 		sanExt->Assign(4, val_mgr->GetBool(otherfields));
 
-		mgr.QueueEvent(x509_ext_subject_alternative_name, {
-			GetFile()->GetVal()->Ref(),
-			sanExt,
-		});
+		mgr.Enqueue(x509_ext_subject_alternative_name,
+		            IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		            std::move(sanExt));
 	GENERAL_NAMES_free(altname);
 	}
 

src/file_analysis/analyzer/x509/X509Common.cc

@@ -257,12 +257,19 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
 			}
 		}
 
-	StringVal* ext_val = GetExtensionFromBIO(bio, GetFile());
+	auto ext_val = GetExtensionFromBIO(bio, GetFile());
+
+	if ( ! h )
+		{
+		// let individual analyzers parse more.
+		ParseExtensionsSpecific(ex, global, ext_asn, oid);
+		return;
+		}
 
 	if ( ! ext_val )
-		ext_val = new StringVal(0, "");
+		ext_val = make_intrusive<StringVal>(0, "");
 
-	RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension);
+	auto pX509Ext = make_intrusive<RecordVal>(BifType::Record::X509::Extension);
 	pX509Ext->Assign(0, make_intrusive<StringVal>(name));
 
 	if ( short_name and strlen(short_name) > 0 )
@@ -280,22 +287,18 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
 	// but I am not sure if there is a better way to do it...
 
 	if ( h == ocsp_extension )
-		mgr.QueueEvent(h, {
-			GetFile()->GetVal()->Ref(),
-			pX509Ext,
-			val_mgr->GetBool(global ? 1 : 0),
-		});
+		mgr.Enqueue(h, IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+					std::move(pX509Ext),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(global)});
 	else
-		mgr.QueueEvent(h, {
-			GetFile()->GetVal()->Ref(),
-			pX509Ext,
-		});
+		mgr.Enqueue(h, IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		            std::move(pX509Ext));
 
 	// let individual analyzers parse more.
 	ParseExtensionsSpecific(ex, global, ext_asn, oid);
 	}
 
-StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
+IntrusivePtr<StringVal> file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
 	{
 	BIO_flush(bio);
 	ERR_clear_error();
@@ -313,7 +316,7 @@ StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
 	if ( length == 0 )
 		{
 		BIO_free_all(bio);
-		return val_mgr->GetEmptyString();
+		return {AdoptRef{}, val_mgr->GetEmptyString()};
 		}
 
 	char* buffer = (char*) malloc(length);
@@ -328,7 +331,7 @@ StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
 		}
 
 	BIO_read(bio, (void*) buffer, length);
-	StringVal* ext_val = new StringVal(length, buffer);
+	auto ext_val = make_intrusive<StringVal>(length, buffer);
 
 	free(buffer);
 	BIO_free_all(bio);

src/file_analysis/analyzer/x509/X509Common.h

@@ -13,6 +13,7 @@
 class EventHandlerPtr;
 class Reporter;
 class StringVal;
+template <class T> class IntrusivePtr;
 
 namespace file_analysis {
 
@@ -34,7 +35,7 @@ public:
 	 *
 	 * @return The X509 extension value.
 	 */
-	static StringVal* GetExtensionFromBIO(BIO* bio, File* f = 0);
+	static IntrusivePtr<StringVal> GetExtensionFromBIO(BIO* bio, File* f = 0);
 
 	static double GetTimeFromAsn1(const ASN1_TIME* atime, File* f, Reporter* reporter);
 

src/file_analysis/analyzer/x509/functions.bif

@@ -189,12 +189,12 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 	else
 		i2d_X509_bio(bio, h->GetCertificate());
 
-	StringVal* ext_val = file_analysis::X509::GetExtensionFromBIO(bio);
+	auto ext_val = file_analysis::X509::GetExtensionFromBIO(bio);
 
 	if ( ! ext_val )
-		ext_val = val_mgr->GetEmptyString();
+		ext_val = {AdoptRef{}, val_mgr->GetEmptyString()};
 
-	return ext_val;
+	return ext_val.release();
 	%}
 
 ## Verifies an OCSP reply.