diff --git a/src/Reporter.h b/src/Reporter.h index 264761aa7a..decc2696c7 100644 --- a/src/Reporter.h +++ b/src/Reporter.h @@ -16,7 +16,7 @@ #include "net_util.h" ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer); -namespace file_analysis { class File; } +ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis); ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(RecordVal, zeek); diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc index f0a9a3f7ca..22cb3486c3 100644 --- a/src/analyzer/protocol/file/File.cc +++ b/src/analyzer/protocol/file/File.cc @@ -33,11 +33,11 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } if ( orig ) - file_id_orig = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), - orig, file_id_orig); + file_id_orig = zeek::file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), + orig, file_id_orig); else - file_id_resp = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), - orig, file_id_resp); + file_id_resp = zeek::file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), + orig, file_id_resp); } void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig) @@ -45,11 +45,11 @@ void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig) TCP_ApplicationAnalyzer::Undelivered(seq, len, orig); if ( orig ) - file_id_orig = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, - file_id_orig); + file_id_orig = zeek::file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, + file_id_orig); else - file_id_resp = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, - file_id_resp); + file_id_resp = zeek::file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, + file_id_resp); } void File_Analyzer::Done() @@ -60,23 +60,23 @@ void File_Analyzer::Done() Identify(); if ( ! file_id_orig.empty() ) - file_mgr->EndOfFile(file_id_orig); + zeek::file_mgr->EndOfFile(file_id_orig); else - file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true); + zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true); if ( ! file_id_resp.empty() ) - file_mgr->EndOfFile(file_id_resp); + zeek::file_mgr->EndOfFile(file_id_resp); else - file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false); + zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false); } void File_Analyzer::Identify() { zeek::detail::RuleMatcher::MIME_Matches matches; - file_mgr->DetectMIME(reinterpret_cast(buffer), buffer_len, - &matches); + zeek::file_mgr->DetectMIME(reinterpret_cast(buffer), buffer_len, + &matches); std::string match = matches.empty() ? "" - : *(matches.begin()->second.begin()); + : *(matches.begin()->second.begin()); if ( file_transferred ) EnqueueConnEvent( diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index 8c0c0556b3..d3e4f4fe3d 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -248,18 +248,21 @@ bool HTTP_Entity::Undelivered(int64_t len) if ( is_partial_content ) { - precomputed_file_id = file_mgr->Gap(body_length, len, - http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), - http_message->MyHTTP_Analyzer()->Conn(), - http_message->IsOrig(), precomputed_file_id); + precomputed_file_id = zeek::file_mgr->Gap( + body_length, len, + http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), + http_message->MyHTTP_Analyzer()->Conn(), + http_message->IsOrig(), precomputed_file_id); + offset += len; } else - precomputed_file_id = file_mgr->Gap(body_length, len, - http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), - http_message->MyHTTP_Analyzer()->Conn(), - http_message->IsOrig(), - precomputed_file_id); + precomputed_file_id = zeek::file_mgr->Gap( + body_length, len, + http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), + http_message->MyHTTP_Analyzer()->Conn(), + http_message->IsOrig(), + precomputed_file_id); if ( chunked_transfer_state != NON_CHUNKED_TRANSFER ) { @@ -313,33 +316,37 @@ void HTTP_Entity::SubmitData(int len, const char* buf) if ( is_partial_content ) { if ( send_size && instance_length > 0 ) - precomputed_file_id = file_mgr->SetSize(instance_length, - http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), - http_message->MyHTTP_Analyzer()->Conn(), - http_message->IsOrig(), precomputed_file_id); + precomputed_file_id = zeek::file_mgr->SetSize( + instance_length, + http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), + http_message->MyHTTP_Analyzer()->Conn(), + http_message->IsOrig(), precomputed_file_id); - precomputed_file_id = file_mgr->DataIn(reinterpret_cast(buf), len, offset, - http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), - http_message->MyHTTP_Analyzer()->Conn(), - http_message->IsOrig(), precomputed_file_id); + precomputed_file_id = zeek::file_mgr->DataIn( + reinterpret_cast(buf), len, offset, + http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), + http_message->MyHTTP_Analyzer()->Conn(), + http_message->IsOrig(), precomputed_file_id); offset += len; } else { if ( send_size && content_length > 0 ) - precomputed_file_id = file_mgr->SetSize(content_length, - http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), - http_message->MyHTTP_Analyzer()->Conn(), - http_message->IsOrig(), - precomputed_file_id); + precomputed_file_id = zeek::file_mgr->SetSize( + content_length, + http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), + http_message->MyHTTP_Analyzer()->Conn(), + http_message->IsOrig(), + precomputed_file_id); - precomputed_file_id = file_mgr->DataIn(reinterpret_cast(buf), - len, - http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), - http_message->MyHTTP_Analyzer()->Conn(), - http_message->IsOrig(), - precomputed_file_id); + precomputed_file_id = zeek::file_mgr->DataIn( + reinterpret_cast(buf), + len, + http_message->MyHTTP_Analyzer()->GetAnalyzerTag(), + http_message->MyHTTP_Analyzer()->Conn(), + http_message->IsOrig(), + precomputed_file_id); } send_size = false; @@ -643,10 +650,10 @@ void HTTP_Message::Done(bool interrupted, const char* detail) HTTP_Entity* he = dynamic_cast(top_level); if ( he && ! he->FileID().empty() ) - file_mgr->EndOfFile(he->FileID()); + zeek::file_mgr->EndOfFile(he->FileID()); else - file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(), - MyHTTP_Analyzer()->Conn(), is_orig); + zeek::file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(), + MyHTTP_Analyzer()->Conn(), is_orig); } if ( http_message_done ) @@ -723,10 +730,10 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity) HTTP_Entity* he = dynamic_cast(entity); if ( he && ! he->FileID().empty() ) - file_mgr->EndOfFile(he->FileID()); + zeek::file_mgr->EndOfFile(he->FileID()); else - file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(), - MyHTTP_Analyzer()->Conn(), is_orig); + zeek::file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(), + MyHTTP_Analyzer()->Conn(), is_orig); } } @@ -879,12 +886,12 @@ void HTTP_Analyzer::Done() unanswered_requests = {}; - file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true); + zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true); /* TODO: this might be nice to have, but reply code is cleared by now. if ( HTTP_ReplyCode() != 206 ) // multipart/byteranges may span multiple connections - file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false); + zeek::file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false); */ } diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac index 15f1c185a1..1e54f37cde 100644 --- a/src/analyzer/protocol/krb/krb-padata.pac +++ b/src/analyzer/protocol/krb/krb-padata.pac @@ -73,12 +73,13 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz file_handle.Add(common.Description()); file_handle.Add(0); - string file_id = file_mgr->HashHandle(file_handle.Description()); + string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); - file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert"); - file_mgr->EndOfFile(file_id); + zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), + cert.length(), bro_analyzer->GetAnalyzerTag(), + bro_analyzer->Conn(), true, file_id, + "application/x-x509-user-cert"); + zeek::file_mgr->EndOfFile(file_id); break; } @@ -97,12 +98,13 @@ zeek::VectorValPtr proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyz file_handle.Add(common.Description()); file_handle.Add(1); - string file_id = file_mgr->HashHandle(file_handle.Description()); + string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); - file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), false, file_id, "application/x-x509-user-cert"); - file_mgr->EndOfFile(file_id); + zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), + cert.length(), bro_analyzer->GetAnalyzerTag(), + bro_analyzer->Conn(), false, file_id, + "application/x-x509-user-cert"); + zeek::file_mgr->EndOfFile(file_id); break; } diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc index baf98e57be..fac89ebc64 100644 --- a/src/analyzer/protocol/mime/MIME.cc +++ b/src/analyzer/protocol/mime/MIME.cc @@ -150,9 +150,9 @@ int fputs(zeek::data_chunk_t b, FILE* fp) void MIME_Mail::Undelivered(int len) { - cur_entity_id = file_mgr->Gap(cur_entity_len, len, - analyzer->GetAnalyzerTag(), analyzer->Conn(), - is_orig, cur_entity_id); + cur_entity_id = zeek::file_mgr->Gap(cur_entity_len, len, + analyzer->GetAnalyzerTag(), analyzer->Conn(), + is_orig, cur_entity_id); } bool istrequal(zeek::data_chunk_t s, const char* t) @@ -1387,7 +1387,7 @@ void MIME_Mail::Done() MIME_Message::Done(); - file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); + zeek::file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); } MIME_Mail::~MIME_Mail() @@ -1433,7 +1433,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */) if ( mime_end_entity ) analyzer->EnqueueConnEvent(mime_end_entity, analyzer->ConnVal()); - file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); + zeek::file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn()); cur_entity_id.clear(); } @@ -1492,9 +1492,10 @@ void MIME_Mail::SubmitData(int len, const char* buf) ); } - cur_entity_id = file_mgr->DataIn(reinterpret_cast(buf), len, - analyzer->GetAnalyzerTag(), analyzer->Conn(), is_orig, - cur_entity_id); + cur_entity_id = zeek::file_mgr->DataIn( + reinterpret_cast(buf), len, + analyzer->GetAnalyzerTag(), analyzer->Conn(), is_orig, + cur_entity_id); cur_entity_len += len; buffer_start = (buf + len) - (char*)data_buffer->Bytes(); diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac index 039196a7c4..a1f11e7cdb 100644 --- a/src/analyzer/protocol/rdp/rdp-analyzer.pac +++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac @@ -212,15 +212,15 @@ refine flow RDP_Flow += { file_handle.AddRaw("Analyzer::ANALYZER_RDP"); file_handle.Add(connection()->bro_analyzer()->Conn()->StartTime()); connection()->bro_analyzer()->Conn()->IDString(&file_handle); - string file_id = file_mgr->HashHandle(file_handle.Description()); + string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); - file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), - connection()->bro_analyzer()->GetAnalyzerTag(), - connection()->bro_analyzer()->Conn(), - false, // It seems there are only server certs? - file_id, "application/x-x509-user-cert"); - file_mgr->EndOfFile(file_id); + zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), + cert.length(), + connection()->bro_analyzer()->GetAnalyzerTag(), + connection()->bro_analyzer()->Conn(), + false, // It seems there are only server certs? + file_id, "application/x-x509-user-cert"); + zeek::file_mgr->EndOfFile(file_id); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-close.pac b/src/analyzer/protocol/smb/smb1-com-close.pac index 8e85de4685..abd42c828b 100644 --- a/src/analyzer/protocol/smb/smb1-com-close.pac +++ b/src/analyzer/protocol/smb/smb1-com-close.pac @@ -8,8 +8,8 @@ refine connection SMB_Conn += { SMBHeaderVal(h), ${val.file_id}); - file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), h->is_orig()); + zeek::file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), h->is_orig()); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-read-andx.pac b/src/analyzer/protocol/smb/smb1-com-read-andx.pac index 79317a3450..a785875e82 100644 --- a/src/analyzer/protocol/smb/smb1-com-read-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-read-andx.pac @@ -33,9 +33,9 @@ refine connection SMB_Conn += { uint64 offset = read_offsets[${h.mid}]; read_offsets.erase(${h.mid}); - file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset, - bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), h->is_orig()); + zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset, + bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), h->is_orig()); } return true; diff --git a/src/analyzer/protocol/smb/smb1-com-write-andx.pac b/src/analyzer/protocol/smb/smb1-com-write-andx.pac index 8831d730df..7bb7bcb12f 100644 --- a/src/analyzer/protocol/smb/smb1-com-write-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-write-andx.pac @@ -12,10 +12,10 @@ refine connection SMB_Conn += { if ( ! ${h.is_pipe} && ${val.data}.length() > 0 ) { - file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(), - ${val.write_offset}, - bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), h->is_orig()); + zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data}.length(), + ${val.write_offset}, + bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), h->is_orig()); } return true; diff --git a/src/analyzer/protocol/smb/smb2-com-close.pac b/src/analyzer/protocol/smb/smb2-com-close.pac index 103572544d..c843bbb4e5 100644 --- a/src/analyzer/protocol/smb/smb2-com-close.pac +++ b/src/analyzer/protocol/smb/smb2-com-close.pac @@ -10,8 +10,8 @@ refine connection SMB_Conn += { BuildSMB2GUID(${val.file_id})); } - file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), h->is_orig()); + zeek::file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), h->is_orig()); return true; %} diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac index 07eafcbabc..03a384cd8e 100644 --- a/src/analyzer/protocol/smb/smb2-com-read.pac +++ b/src/analyzer/protocol/smb/smb2-com-read.pac @@ -50,9 +50,9 @@ refine connection SMB_Conn += { if ( ! ${h.is_pipe} && ${val.data_len} > 0 ) { - file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset, - bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), h->is_orig()); + zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, offset, + bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), h->is_orig()); } return true; diff --git a/src/analyzer/protocol/smb/smb2-com-write.pac b/src/analyzer/protocol/smb/smb2-com-write.pac index 91cbd1988d..34904478fe 100644 --- a/src/analyzer/protocol/smb/smb2-com-write.pac +++ b/src/analyzer/protocol/smb/smb2-com-write.pac @@ -14,9 +14,9 @@ refine connection SMB_Conn += { if ( ! ${h.is_pipe} && ${val.data}.length() > 0 ) { - file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, ${val.offset}, - bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), h->is_orig()); + zeek::file_mgr->DataIn(${val.data}.begin(), ${val.data_len}, ${val.offset}, + bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), h->is_orig()); } return true; diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac index fd725ee4dc..167476999c 100644 --- a/src/analyzer/protocol/ssl/proc-certificate.pac +++ b/src/analyzer/protocol/ssl/proc-certificate.pac @@ -26,12 +26,13 @@ file_handle.Add(common.Description()); file_handle.Add(i); - string file_id = file_mgr->HashHandle(file_handle.Description()); + string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); - file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), is_orig, file_id, i == 0 ? user_mime : ca_mime); - file_mgr->EndOfFile(file_id); + zeek::file_mgr->DataIn(reinterpret_cast(cert.data()), + cert.length(), bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), is_orig, + file_id, i == 0 ? user_mime : ca_mime); + zeek::file_mgr->EndOfFile(file_id); } return true; %} diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 9194994709..6089e42eb7 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -307,11 +307,11 @@ refine connection Handshake_Conn += { file_handle.Add(common.Description()); file_handle.Add("ocsp"); - string file_id = file_mgr->HashHandle(file_handle.Description()); + string file_id = zeek::file_mgr->HashHandle(file_handle.Description()); - file_mgr->DataIn(reinterpret_cast(response.data()), - response.length(), bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), false, file_id, "application/ocsp-response"); + zeek::file_mgr->DataIn(reinterpret_cast(response.data()), + response.length(), bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), false, file_id, "application/ocsp-response"); if ( ssl_stapled_ocsp ) zeek::BifEvent::enqueue_ssl_stapled_ocsp(bro_analyzer(), @@ -319,7 +319,7 @@ refine connection Handshake_Conn += { ${rec.is_orig}, zeek::make_intrusive(response.length(), (const char*) response.data())); - file_mgr->EndOfFile(file_id); + zeek::file_mgr->EndOfFile(file_id); } else if ( response.length() == 0 ) { diff --git a/src/binpac_bro.h b/src/binpac_bro.h index 73b984967a..92535700b7 100644 --- a/src/binpac_bro.h +++ b/src/binpac_bro.h @@ -12,7 +12,7 @@ namespace binpac { using BroAnalyzer = zeek::analyzer::Analyzer*; -using BroFileAnalyzer = file_analysis::Analyzer; + using BroFileAnalyzer = zeek::file_analysis::Analyzer; using BroVal = zeek::Val*; using BroPortVal = zeek::PortVal*; using BroStringVal = zeek::StringVal*; diff --git a/src/file_analysis/Analyzer.cc b/src/file_analysis/Analyzer.cc index 79d1f91101..b7b156003e 100644 --- a/src/file_analysis/Analyzer.cc +++ b/src/file_analysis/Analyzer.cc @@ -4,23 +4,25 @@ #include "Manager.h" #include "Val.h" -file_analysis::ID file_analysis::Analyzer::id_counter = 0; +namespace zeek::file_analysis { -file_analysis::Analyzer::~Analyzer() +ID Analyzer::id_counter = 0; + +Analyzer::~Analyzer() { DBG_LOG(zeek::DBG_FILE_ANALYSIS, "Destroy file analyzer %s", file_mgr->GetComponentName(tag).c_str()); } -void file_analysis::Analyzer::SetAnalyzerTag(const file_analysis::Tag& arg_tag) +void Analyzer::SetAnalyzerTag(const zeek::file_analysis::Tag& arg_tag) { assert(! tag || tag == arg_tag); tag = arg_tag; } -file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag, - zeek::RecordValPtr arg_args, - File* arg_file) +Analyzer::Analyzer(zeek::file_analysis::Tag arg_tag, + zeek::RecordValPtr arg_args, + File* arg_file) : tag(arg_tag), args(std::move(arg_args)), file(arg_file), @@ -30,16 +32,18 @@ file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag, id = ++id_counter; } -file_analysis::Analyzer::Analyzer(zeek::RecordValPtr arg_args, File* arg_file) +Analyzer::Analyzer(zeek::RecordValPtr arg_args, File* arg_file) : Analyzer({}, std::move(arg_args), arg_file) {} -file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag, - zeek::RecordVal* arg_args, - File* arg_file) +Analyzer::Analyzer(zeek::file_analysis::Tag arg_tag, + zeek::RecordVal* arg_args, + File* arg_file) : Analyzer(arg_tag, {zeek::NewRef{}, arg_args}, arg_file) {} -file_analysis::Analyzer::Analyzer(zeek::RecordVal* arg_args, File* arg_file) +Analyzer::Analyzer(zeek::RecordVal* arg_args, File* arg_file) : Analyzer({}, {zeek::NewRef{}, arg_args}, arg_file) {} + +} // namespace zeek::file_analysis diff --git a/src/file_analysis/Analyzer.h b/src/file_analysis/Analyzer.h index 8858b17a7c..c83578720b 100644 --- a/src/file_analysis/Analyzer.h +++ b/src/file_analysis/Analyzer.h @@ -11,11 +11,11 @@ namespace zeek { using RecordValPtr = zeek::IntrusivePtr; } -namespace file_analysis { +ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis); -class File; +namespace zeek::file_analysis { -typedef uint32_t ID; +using ID = uint32_t; /** * Base class for analyzers that can be attached to file_analysis::File objects. @@ -185,4 +185,11 @@ private: static ID id_counter; }; +} // namespace zeek::file_analysis + +namespace file_analysis { + + using ID [[deprecated("Remove in v4.1. Use zeek::file_analysis::ID.")]] = zeek::file_analysis::ID; + using Analyzer [[deprecated("Remove in v4.1. Use zeek::file_analysis::Analyzer.")]] = zeek::file_analysis::Analyzer; + } // namespace file_analysis diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index 51261e9e63..585db7d0c4 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc @@ -8,7 +8,7 @@ #include "Val.h" #include "file_analysis/file_analysis.bif.h" -using namespace file_analysis; +namespace zeek::file_analysis::detail { static void analyzer_del_func(void* v) { @@ -210,3 +210,5 @@ void AnalyzerSet::DrainModifications() DBG_LOG(zeek::DBG_FILE_ANALYSIS, "[%s] End flushing analyzer mod queue.", file->GetID().c_str()); } + +} // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/AnalyzerSet.h b/src/file_analysis/AnalyzerSet.h index f1ae1dad61..6590688922 100644 --- a/src/file_analysis/AnalyzerSet.h +++ b/src/file_analysis/AnalyzerSet.h @@ -14,10 +14,10 @@ namespace zeek { using RecordValPtr = zeek::IntrusivePtr; } -namespace file_analysis { +ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, file_analysis); +ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis); -class Analyzer; -class File; +namespace zeek::file_analysis::detail { /** * A set of file analysis analyzers indexed by an \c AnalyzerArgs (script-layer @@ -212,4 +212,8 @@ private: ModQueue mod_queue; /**< A queue of analyzer additions/removals requests. */ }; -} // namespace file_analysiss +} // namespace zeek::file_analysis::detail + +namespace file_analysis { + using AnalyzerSet [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::AnalyzerSet.")]] = zeek::file_analysis::detail::AnalyzerSet; +} // namespace file_analysis diff --git a/src/file_analysis/Component.cc b/src/file_analysis/Component.cc index eb26589760..100ba6b465 100644 --- a/src/file_analysis/Component.cc +++ b/src/file_analysis/Component.cc @@ -6,11 +6,11 @@ #include "../Desc.h" #include "../util.h" -using namespace file_analysis; +namespace zeek::file_analysis { Component::Component(const std::string& name, factory_callback arg_factory, Tag::subtype_t subtype) : zeek::plugin::Component(zeek::plugin::component::FILE_ANALYZER, name), - plugin::TaggedComponent(subtype) + zeek::plugin::TaggedComponent(subtype) { factory = arg_factory; factory_func = nullptr; @@ -18,7 +18,7 @@ Component::Component(const std::string& name, factory_callback arg_factory, Tag: Component::Component(const std::string& name, factory_function arg_factory, Tag::subtype_t subtype) : zeek::plugin::Component(zeek::plugin::component::FILE_ANALYZER, name), - plugin::TaggedComponent(subtype) + zeek::plugin::TaggedComponent(subtype) { factory = nullptr; factory_func = arg_factory; @@ -42,3 +42,5 @@ void Component::DoDescribe(zeek::ODesc* d) const d->Add(CanonicalName()); } } + +} // namespace zeek::file_analysis diff --git a/src/file_analysis/Component.h b/src/file_analysis/Component.h index 769ea4e34f..2ce7fc7d4b 100644 --- a/src/file_analysis/Component.h +++ b/src/file_analysis/Component.h @@ -13,11 +13,11 @@ namespace zeek { using RecordValPtr = zeek::IntrusivePtr; } -namespace file_analysis { +ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis); +ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, file_analysis); +ZEEK_FORWARD_DECLARE_NAMESPACED(Manager, zeek, file_analysis); -class File; -class Analyzer; -class Manager; +namespace zeek::file_analysis { /** * Component description for plugins providing file analyzers. @@ -26,7 +26,7 @@ class Manager; * analyzer component, describing the analyzer. */ class Component : public zeek::plugin::Component, - public plugin::TaggedComponent { + public zeek::plugin::TaggedComponent { public: typedef Analyzer* (*factory_callback)(zeek::RecordVal* args, File* file); using factory_function = Analyzer* (*)(zeek::RecordValPtr args, File* file); @@ -83,10 +83,14 @@ protected: void DoDescribe(zeek::ODesc* d) const override; private: - friend class file_analysis::Manager; + friend class zeek::file_analysis::Manager; factory_callback factory; // The analyzer's factory callback (deprecated). factory_function factory_func; // The analyzer's factory callback. }; -} +} // namespace zeek::file_analysis + +namespace file_analysis { + using Component [[deprecated("Remove in v4.1. Use zeek::file_analysis::Component.")]] = zeek::file_analysis::Component; +} // namespace file_analysis diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 10baa0454f..fc6f4b0758 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -19,7 +19,7 @@ #include "analyzer/extract/Extract.h" -using namespace file_analysis; +namespace zeek::file_analysis { static zeek::TableValPtr empty_connection_table() { @@ -214,7 +214,7 @@ bool File::SetExtractionLimit(zeek::RecordValPtr args, uint64_t bytes) if ( ! a ) return false; - Extract* e = dynamic_cast(a); + auto* e = dynamic_cast(a); if ( ! e ) return false; @@ -250,7 +250,7 @@ bool File::IsComplete() const void File::ScheduleInactivityTimer() const { - zeek::detail::timer_mgr->Add(new FileTimer(network_time, id, GetTimeoutInterval())); + zeek::detail::timer_mgr->Add(new detail::FileTimer(network_time, id, GetTimeoutInterval())); } bool File::AddAnalyzer(file_analysis::Tag tag, zeek::RecordVal* args) @@ -655,3 +655,5 @@ bool File::PermitWeird(const char* name, uint64_t threshold, uint64_t rate, { return zeek::detail::PermitWeird(weird_state, name, threshold, rate, duration); } + +} // namespace zeek::file_analysis diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index da47e10cff..2ee8418e36 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -22,10 +22,10 @@ using RecordValPtr = zeek::IntrusivePtr; using RecordTypePtr = zeek::IntrusivePtr; } -namespace file_analysis { +ZEEK_FORWARD_DECLARE_NAMESPACED(FileReassembler, zeek, file_analysis); +ZEEK_FORWARD_DECLARE_NAMESPACED(Tag, zeek, file_analysis); -class FileReassembler; -class Tag; +namespace zeek::file_analysis { /** * Wrapper class around \c fa_file record values from script layer. @@ -359,7 +359,7 @@ protected: bool reassembly_enabled; /**< Whether file stream reassembly is needed. */ bool postpone_timeout; /**< Whether postponing timeout is requested. */ bool done; /**< If this object is about to be deleted. */ - AnalyzerSet analyzers; /**< A set of attached file analyzers. */ + detail::AnalyzerSet analyzers; /**< A set of attached file analyzers. */ std::list done_analyzers; /**< Analyzers we're done with, remembered here until they can be safely deleted. */ struct BOF_Buffer { @@ -396,3 +396,7 @@ protected: }; } // namespace file_analysis + +namespace file_analysis { + using File [[deprecated("Remove in v4.1. Use zeek::file_analysis::File.")]] = zeek::file_analysis::File; +} // namespace zeek::file_analysis diff --git a/src/file_analysis/FileReassembler.cc b/src/file_analysis/FileReassembler.cc index 629f366de8..c4847f31b7 100644 --- a/src/file_analysis/FileReassembler.cc +++ b/src/file_analysis/FileReassembler.cc @@ -1,11 +1,11 @@ +// See the file "COPYING" in the main distribution directory for copyright. #include "FileReassembler.h" #include "File.h" +ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis); -namespace file_analysis { - -class File; +namespace zeek::file_analysis { FileReassembler::FileReassembler(File *f, uint64_t starting_offset) : zeek::Reassembler(starting_offset, zeek::REASSEM_FILE), the_file(f), flushing(false) diff --git a/src/file_analysis/FileReassembler.h b/src/file_analysis/FileReassembler.h index 0924198235..ae8ca70ce3 100644 --- a/src/file_analysis/FileReassembler.h +++ b/src/file_analysis/FileReassembler.h @@ -1,3 +1,5 @@ +// See the file "COPYING" in the main distribution directory for copyright. + #pragma once #include "Reassem.h" @@ -6,10 +8,9 @@ namespace zeek { class File; } using BroFile [[deprecated("Remove in v4.1. Use zeek::File.")]] = zeek::File; ZEEK_FORWARD_DECLARE_NAMESPACED(Connection, zeek); +ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis); -namespace file_analysis { - -class File; +namespace zeek::file_analysis { class FileReassembler final : public zeek::Reassembler { public: @@ -58,4 +59,8 @@ protected: bool flushing; }; -} // namespace analyzer::* +} // namespace zeek::file_analysis + +namespace file_analysis { + using FileReassembler [[deprecated("Remove in v4.1. Use zeek::file_analysis::FileReassembler.")]] = zeek::file_analysis::FileReassembler; +} // namespace file_analysis diff --git a/src/file_analysis/FileTimer.cc b/src/file_analysis/FileTimer.cc index dce4d46d33..80d72bbbc1 100644 --- a/src/file_analysis/FileTimer.cc +++ b/src/file_analysis/FileTimer.cc @@ -4,7 +4,7 @@ #include "File.h" #include "Manager.h" -using namespace file_analysis; +namespace zeek::file_analysis::detail { FileTimer::FileTimer(double t, const std::string& id, double interval) : zeek::detail::Timer(t + interval, zeek::detail::TIMER_FILE_ANALYSIS_INACTIVITY), file_id(id) @@ -39,3 +39,5 @@ void FileTimer::Dispatch(double t, bool is_expire) else if ( ! is_expire ) file->ScheduleInactivityTimer(); } + +} // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/FileTimer.h b/src/file_analysis/FileTimer.h index 529498d317..552cc13e20 100644 --- a/src/file_analysis/FileTimer.h +++ b/src/file_analysis/FileTimer.h @@ -5,7 +5,7 @@ #include #include "Timer.h" -namespace file_analysis { +namespace zeek::file_analysis::detail { /** * Timer to periodically check if file analysis for a given file is inactive. @@ -33,4 +33,8 @@ private: std::string file_id; }; +} // namespace zeek::file_analysis::detail + +namespace file_analysis { + using FileTimer [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::FileTimer.")]] = zeek::file_analysis::detail::FileTimer; } // namespace file_analysis diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 09bb527bc6..2af24f522d 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -13,12 +13,13 @@ #include -using namespace file_analysis; using namespace std; +namespace zeek::file_analysis { + Manager::Manager() - : plugin::ComponentManager("Files", "Tag"), + : plugin::ComponentManager("Files", "Tag"), current_file_id(), magic_state(), cumulative_files(0), max_files(0) { } @@ -273,11 +274,11 @@ bool Manager::SetExtractionLimit(const string& file_id, return file->SetExtractionLimit(std::move(args), n); } -bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag, +bool Manager::AddAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag, zeek::RecordVal* args) const { return AddAnalyzer(file_id, tag, {zeek::NewRef{}, args}); } -bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag, +bool Manager::AddAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag, zeek::RecordValPtr args) const { File* file = LookupFile(file_id); @@ -288,11 +289,11 @@ bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag, return file->AddAnalyzer(tag, std::move(args)); } -bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& tag, +bool Manager::RemoveAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag, zeek::RecordVal* args) const { return RemoveAnalyzer(file_id, tag, {zeek::NewRef{}, args}); } -bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& tag, +bool Manager::RemoveAnalyzer(const string& file_id, const zeek::file_analysis::Tag& tag, zeek::RecordValPtr args) const { File* file = LookupFile(file_id); @@ -518,7 +519,7 @@ string Manager::DetectMIME(const u_char* data, uint64_t len) const return *(matches.begin()->second.begin()); } -zeek::VectorValPtr file_analysis::GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m) +zeek::VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m) { static auto mime_matches = zeek::id::find_type("mime_matches"); static auto mime_match = zeek::id::find_type("mime_match"); @@ -541,3 +542,5 @@ zeek::VectorValPtr file_analysis::GenMIMEMatchesVal(const zeek::detail::RuleMatc return rval; } + +} // namespace zeek::file_analysis diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index dc5a667942..2f0aea579f 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -11,23 +11,23 @@ #include "RuleMatcher.h" #include "plugin/ComponentManager.h" - #include "analyzer/Tag.h" +#include "FileTimer.h" ZEEK_FORWARD_DECLARE_NAMESPACED(TableVal, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(VectorVal, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Analyzer, zeek, analyzer); ZEEK_FORWARD_DECLARE_NAMESPACED(Tag, zeek, analyzer); +ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis); +ZEEK_FORWARD_DECLARE_NAMESPACED(Tag, zeek, file_analysis); +namespace zeek { namespace file_analysis { -class File; -class Tag; - /** * Main entry point for interacting with file analysis. */ -class Manager : public plugin::ComponentManager { +class Manager : public zeek::plugin::ComponentManager { public: /** @@ -349,7 +349,7 @@ public: { return cumulative_files; } protected: - friend class FileTimer; + friend class zeek::file_analysis::detail::FileTimer; /** * Create a new file to be analyzed or retrieve an existing one. @@ -441,3 +441,11 @@ zeek::VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Match } // namespace file_analysis extern file_analysis::Manager* file_mgr; + +} // namespace zeek + +namespace file_analysis { + using Manager [[deprecated("Remove in v4.1. Use zeek::file_analysis::Manager.")]] = zeek::file_analysis::Manager; +} + +extern zeek::file_analysis::Manager*& file_mgr [[deprecated("Remove in v4.1. Use zeek::file_mgr.")]]; diff --git a/src/file_analysis/Tag.cc b/src/file_analysis/Tag.cc index 30a8728f1a..ef933f9b1f 100644 --- a/src/file_analysis/Tag.cc +++ b/src/file_analysis/Tag.cc @@ -3,35 +3,37 @@ #include "Tag.h" #include "Manager.h" -using namespace file_analysis; +namespace zeek::file_analysis { -const file_analysis::Tag file_analysis::Tag::Error; +const Tag Tag::Error; -file_analysis::Tag::Tag(type_t type, subtype_t subtype) +Tag::Tag(type_t type, subtype_t subtype) : ::Tag(file_mgr->GetTagType(), type, subtype) { } -file_analysis::Tag& file_analysis::Tag::operator=(const file_analysis::Tag& other) +Tag& Tag::operator=(const Tag& other) { zeek::Tag::operator=(other); return *this; } -const zeek::EnumValPtr& file_analysis::Tag::AsVal() const +const zeek::EnumValPtr& Tag::AsVal() const { return zeek::Tag::AsVal(file_mgr->GetTagType()); } -zeek::EnumVal* file_analysis::Tag::AsEnumVal() const +zeek::EnumVal* Tag::AsEnumVal() const { return AsVal().get(); } -file_analysis::Tag::Tag(zeek::EnumValPtr val) +Tag::Tag(zeek::EnumValPtr val) : zeek::Tag(std::move(val)) { } -file_analysis::Tag::Tag(zeek::EnumVal* val) +Tag::Tag(zeek::EnumVal* val) : zeek::Tag({zeek::NewRef{}, val}) { } + +} // namespace zeek::file_analysis diff --git a/src/file_analysis/Tag.h b/src/file_analysis/Tag.h index ad4fcf2960..caf75a334d 100644 --- a/src/file_analysis/Tag.h +++ b/src/file_analysis/Tag.h @@ -20,9 +20,9 @@ namespace plugin { zeek::plugin::ComponentManager; } -namespace file_analysis { +ZEEK_FORWARD_DECLARE_NAMESPACED(Component, zeek, file_analysis); -class Component; +namespace zeek::file_analysis { /** * Class to identify a file analyzer type. @@ -122,4 +122,8 @@ protected: explicit Tag(zeek::EnumVal* val); }; -} +} // namespace zeek::file_analysis + +namespace file_analysis { + using Tag [[deprecated("Remove in v4.1. Use zeek::file_analysis::Tag.")]] = zeek::file_analysis::Tag; +} // namespace file_analysis diff --git a/src/file_analysis/analyzer/data_event/DataEvent.cc b/src/file_analysis/analyzer/data_event/DataEvent.cc index c55c4c9386..d7b599a6db 100644 --- a/src/file_analysis/analyzer/data_event/DataEvent.cc +++ b/src/file_analysis/analyzer/data_event/DataEvent.cc @@ -9,18 +9,18 @@ #include "util.h" #include "file_analysis/Manager.h" -using namespace file_analysis; +namespace zeek::file_analysis::detail { -DataEvent::DataEvent(zeek::RecordValPtr args, File* file, +DataEvent::DataEvent(zeek::RecordValPtr args, zeek::file_analysis::File* file, zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se) - : file_analysis::Analyzer(file_mgr->GetComponentTag("DATA_EVENT"), + : file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("DATA_EVENT"), std::move(args), file), chunk_event(ce), stream_event(se) { } -file_analysis::Analyzer* DataEvent::Instantiate(zeek::RecordValPtr args, - File* file) +zeek::file_analysis::Analyzer* DataEvent::Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file) { const auto& chunk_val = args->GetField("chunk_event"); const auto& stream_val = args->GetField("stream_event"); @@ -63,3 +63,5 @@ bool DataEvent::DeliverStream(const u_char* data, uint64_t len) return true; } + +} // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/analyzer/data_event/DataEvent.h b/src/file_analysis/analyzer/data_event/DataEvent.h index ddc4a9dcc1..46d0b61679 100644 --- a/src/file_analysis/analyzer/data_event/DataEvent.h +++ b/src/file_analysis/analyzer/data_event/DataEvent.h @@ -9,12 +9,12 @@ #include "Analyzer.h" #include "EventHandler.h" -namespace file_analysis { +namespace zeek::file_analysis::detail { /** * An analyzer to send file data to script-layer via events. */ -class DataEvent : public file_analysis::Analyzer { +class DataEvent : public zeek::file_analysis::Analyzer { public: /** @@ -43,8 +43,8 @@ public: * @return the new DataEvent analyzer instance or a null pointer if * no "chunk_event" or "stream_event" field was specfied in \a args. */ - static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - File* file); + static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file); protected: @@ -57,7 +57,7 @@ protected: * @param se pointer to event handler which will be called to receive * sequential file data. */ - DataEvent(zeek::RecordValPtr args, File* file, + DataEvent(zeek::RecordValPtr args, zeek::file_analysis::File* file, zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se); private: @@ -65,4 +65,10 @@ private: zeek::EventHandlerPtr stream_event; }; +} // namespace zeek::file_analysis::detail + +namespace file_analysis { + + using DataEvent [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::DataEvent.")]] = zeek::file_analysis::detail::DataEvent; + } // namespace file_analysis diff --git a/src/file_analysis/analyzer/data_event/Plugin.cc b/src/file_analysis/analyzer/data_event/Plugin.cc index e90e628c4e..48be7fe92d 100644 --- a/src/file_analysis/analyzer/data_event/Plugin.cc +++ b/src/file_analysis/analyzer/data_event/Plugin.cc @@ -4,14 +4,13 @@ #include "plugin/Plugin.h" #include "file_analysis/Component.h" -namespace plugin { -namespace Zeek_FileDataEvent { +namespace zeek::plugin::detail::Zeek_FileDataEvent { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new ::file_analysis::Component("DATA_EVENT", ::file_analysis::DataEvent::Instantiate)); + AddComponent(new zeek::file_analysis::Component("DATA_EVENT", zeek::file_analysis::detail::DataEvent::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::FileDataEvent"; @@ -20,5 +19,4 @@ public: } } plugin; -} -} +} // namespace zeek::plugin::detail::Zeek_FileDataEvent diff --git a/src/file_analysis/analyzer/entropy/Entropy.cc b/src/file_analysis/analyzer/entropy/Entropy.cc index 32f8d702ed..56dd45c20b 100644 --- a/src/file_analysis/analyzer/entropy/Entropy.cc +++ b/src/file_analysis/analyzer/entropy/Entropy.cc @@ -7,13 +7,12 @@ #include "Event.h" #include "file_analysis/Manager.h" -using namespace file_analysis; +namespace zeek::file_analysis::detail { -Entropy::Entropy(zeek::RecordValPtr args, File* file) - : file_analysis::Analyzer(file_mgr->GetComponentTag("ENTROPY"), - std::move(args), file) +Entropy::Entropy(zeek::RecordValPtr args, zeek::file_analysis::File* file) + : zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("ENTROPY"), + std::move(args), file) { - //entropy->Init(); entropy = new zeek::EntropyVal; fed = false; } @@ -23,8 +22,8 @@ Entropy::~Entropy() Unref(entropy); } -file_analysis::Analyzer* Entropy::Instantiate(zeek::RecordValPtr args, - File* file) +zeek::file_analysis::Analyzer* Entropy::Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file) { return new Entropy(std::move(args), file); } @@ -51,7 +50,6 @@ bool Entropy::Undelivered(uint64_t offset, uint64_t len) void Entropy::Finalize() { - //if ( ! entropy->IsValid() || ! fed ) if ( ! fed ) return; @@ -75,3 +73,5 @@ void Entropy::Finalize() std::move(ent_result) ); } + +} // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/analyzer/entropy/Entropy.h b/src/file_analysis/analyzer/entropy/Entropy.h index 0614e10df7..4898a8a25c 100644 --- a/src/file_analysis/analyzer/entropy/Entropy.h +++ b/src/file_analysis/analyzer/entropy/Entropy.h @@ -11,12 +11,12 @@ #include "events.bif.h" -namespace file_analysis { +namespace zeek::file_analysis::detail { /** * An analyzer to produce entropy of file contents. */ -class Entropy : public file_analysis::Analyzer { +class Entropy : public zeek::file_analysis::Analyzer { public: /** @@ -31,8 +31,8 @@ public: * @return the new Entropy analyzer instance or a null pointer if the * the "extraction_file" field of \a args wasn't set. */ - static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - File* file); + static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file); /** * Calculate entropy of next chunk of file contents. @@ -66,7 +66,7 @@ protected: * @param hv specific hash calculator object. * @param kind human readable name of the hash algorithm to use. */ - Entropy(zeek::RecordValPtr args, File* file); + Entropy(zeek::RecordValPtr args, zeek::file_analysis::File* file); /** * If some file contents have been seen, finalizes the entropy of them and @@ -79,4 +79,10 @@ private: bool fed; }; +} // namespace zeek::file_analysis::detail + +namespace file_analysis { + + using Entropy [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Entropy.")]] = zeek::file_analysis::detail::Entropy; + } // namespace file_analysis diff --git a/src/file_analysis/analyzer/entropy/Plugin.cc b/src/file_analysis/analyzer/entropy/Plugin.cc index 1592ce7a95..3a14c3e190 100644 --- a/src/file_analysis/analyzer/entropy/Plugin.cc +++ b/src/file_analysis/analyzer/entropy/Plugin.cc @@ -4,14 +4,13 @@ #include "plugin/Plugin.h" #include "file_analysis/Component.h" -namespace plugin { -namespace Zeek_FileEntropy { +namespace zeek::plugin::detail::Zeek_FileEntropy { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new ::file_analysis::Component("ENTROPY", ::file_analysis::Entropy::Instantiate)); + AddComponent(new zeek::file_analysis::Component("ENTROPY", zeek::file_analysis::detail::Entropy::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::FileEntropy"; @@ -20,5 +19,4 @@ public: } } plugin; -} -} +} // namespace zeek::plugin::detail::Zeek_FileEntropy diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc index a84f78e377..6d9f4de30c 100644 --- a/src/file_analysis/analyzer/extract/Extract.cc +++ b/src/file_analysis/analyzer/extract/Extract.cc @@ -8,11 +8,11 @@ #include "Event.h" #include "file_analysis/Manager.h" -using namespace file_analysis; +namespace zeek::file_analysis::detail { -Extract::Extract(zeek::RecordValPtr args, File* file, +Extract::Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file, const std::string& arg_filename, uint64_t arg_limit) - : file_analysis::Analyzer(file_mgr->GetComponentTag("EXTRACT"), + : file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("EXTRACT"), std::move(args), file), filename(arg_filename), limit(arg_limit), depth(0) { @@ -44,7 +44,8 @@ static const zeek::ValPtr& get_extract_field_val(const zeek::RecordValPtr& args, return rval; } -file_analysis::Analyzer* Extract::Instantiate(zeek::RecordValPtr args, File* file) +zeek::file_analysis::Analyzer* Extract::Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file) { const auto& fname = get_extract_field_val(args, "extract_filename"); const auto& limit = get_extract_field_val(args, "extract_limit"); @@ -92,7 +93,7 @@ bool Extract::DeliverStream(const u_char* data, uint64_t len) if ( limit_exceeded && file_extraction_limit ) { - File* f = GetFile(); + zeek::file_analysis::File* f = GetFile(); f->FileEvent(file_extraction_limit, { f->ToVal(), GetArgs(), @@ -125,3 +126,5 @@ bool Extract::Undelivered(uint64_t offset, uint64_t len) return true; } + +} // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/analyzer/extract/Extract.h b/src/file_analysis/analyzer/extract/Extract.h index 3d146dba68..6251a55442 100644 --- a/src/file_analysis/analyzer/extract/Extract.h +++ b/src/file_analysis/analyzer/extract/Extract.h @@ -10,12 +10,12 @@ #include "analyzer/extract/events.bif.h" -namespace file_analysis { +namespace zeek::file_analysis::detail { /** * An analyzer to extract content of files to local disk. */ -class Extract : public file_analysis::Analyzer { +class Extract : public zeek::file_analysis::Analyzer { public: /** @@ -47,8 +47,8 @@ public: * @return the new Extract analyzer instance or a null pointer if the * the "extraction_file" field of \a args wasn't set. */ - static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - File* file); + static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file); /** * Sets the maximum allowed extracted file size. A value of zero means @@ -67,7 +67,7 @@ protected: * to which the contents of the file will be extracted/written. * @param arg_limit the maximum allowed file size. */ - Extract(zeek::RecordValPtr args, File* file, + Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file, const std::string& arg_filename, uint64_t arg_limit); private: @@ -77,4 +77,10 @@ private: uint64_t depth; }; +} // namespace zeek::file_analysis::detail + +namespace file_analysis { + + using Extract [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Extract.")]] = zeek::file_analysis::detail::Extract; + } // namespace file_analysis diff --git a/src/file_analysis/analyzer/extract/Plugin.cc b/src/file_analysis/analyzer/extract/Plugin.cc index 8b9d442c40..6ac9223b24 100644 --- a/src/file_analysis/analyzer/extract/Plugin.cc +++ b/src/file_analysis/analyzer/extract/Plugin.cc @@ -4,14 +4,13 @@ #include "plugin/Plugin.h" #include "file_analysis/Component.h" -namespace plugin { -namespace Zeek_FileExtract { +namespace zeek::plugin::detail::Zeek_FileExtract { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new ::file_analysis::Component("EXTRACT", ::file_analysis::Extract::Instantiate)); + AddComponent(new zeek::file_analysis::Component("EXTRACT", zeek::file_analysis::detail::Extract::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::FileExtract"; @@ -20,5 +19,4 @@ public: } } plugin; -} -} +} // namespace zeek::plugin::detail::Zeek_FileExtract diff --git a/src/file_analysis/analyzer/extract/functions.bif b/src/file_analysis/analyzer/extract/functions.bif index 60efadffbf..8155c1f1dc 100644 --- a/src/file_analysis/analyzer/extract/functions.bif +++ b/src/file_analysis/analyzer/extract/functions.bif @@ -12,8 +12,8 @@ function FileExtract::__set_limit%(file_id: string, args: any, n: count%): bool %{ using zeek::BifType::Record::Files::AnalyzerArgs; auto rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs); - bool result = file_mgr->SetExtractionLimit(file_id->CheckString(), - std::move(rv), n); + bool result = zeek::file_mgr->SetExtractionLimit(file_id->CheckString(), + std::move(rv), n); return zeek::val_mgr->Bool(result); %} diff --git a/src/file_analysis/analyzer/hash/Hash.cc b/src/file_analysis/analyzer/hash/Hash.cc index f44aa13ce7..97f7008047 100644 --- a/src/file_analysis/analyzer/hash/Hash.cc +++ b/src/file_analysis/analyzer/hash/Hash.cc @@ -7,11 +7,12 @@ #include "Event.h" #include "file_analysis/Manager.h" -using namespace file_analysis; +namespace zeek::file_analysis::detail { -Hash::Hash(zeek::RecordValPtr args, File* file, zeek::HashVal* hv, const char* arg_kind) - : file_analysis::Analyzer(file_mgr->GetComponentTag(to_upper(arg_kind).c_str()), - std::move(args), file), +Hash::Hash(zeek::RecordValPtr args, zeek::file_analysis::File* file, + zeek::HashVal* hv, const char* arg_kind) + : zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag(to_upper(arg_kind).c_str()), + std::move(args), file), hash(hv), fed(false), kind(arg_kind) { hash->Init(); @@ -59,3 +60,5 @@ void Hash::Finalize() hash->Get() ); } + +} // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/analyzer/hash/Hash.h b/src/file_analysis/analyzer/hash/Hash.h index 3a87e00182..8834d948e5 100644 --- a/src/file_analysis/analyzer/hash/Hash.h +++ b/src/file_analysis/analyzer/hash/Hash.h @@ -11,12 +11,12 @@ #include "events.bif.h" -namespace file_analysis { +namespace zeek::file_analysis::detail { /** * An analyzer to produce a hash of file contents. */ -class Hash : public file_analysis::Analyzer { +class Hash : public zeek::file_analysis::Analyzer { public: /** @@ -56,7 +56,7 @@ protected: * @param hv specific hash calculator object. * @param kind human readable name of the hash algorithm to use. */ - Hash(zeek::RecordValPtr args, File* file, zeek::HashVal* hv, const char* kind); + Hash(zeek::RecordValPtr args, zeek::file_analysis::File* file, zeek::HashVal* hv, const char* kind); /** * If some file contents have been seen, finalizes the hash of them and @@ -83,8 +83,8 @@ public: * @return the new MD5 analyzer instance or a null pointer if there's no * handler for the "file_hash" event. */ - static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - File* file) + static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file) { return file_hash ? new MD5(std::move(args), file) : nullptr; } protected: @@ -94,7 +94,7 @@ protected: * @param args the \c AnalyzerArgs value which represents the analyzer. * @param file the file to which the analyzer will be attached. */ - MD5(zeek::RecordValPtr args, File* file) + MD5(zeek::RecordValPtr args, zeek::file_analysis::File* file) : Hash(std::move(args), file, new zeek::MD5Val(), "md5") {} }; @@ -112,8 +112,8 @@ public: * @return the new MD5 analyzer instance or a null pointer if there's no * handler for the "file_hash" event. */ - static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - File* file) + static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file) { return file_hash ? new SHA1(std::move(args), file) : nullptr; } protected: @@ -123,7 +123,7 @@ protected: * @param args the \c AnalyzerArgs value which represents the analyzer. * @param file the file to which the analyzer will be attached. */ - SHA1(zeek::RecordValPtr args, File* file) + SHA1(zeek::RecordValPtr args, zeek::file_analysis::File* file) : Hash(std::move(args), file, new zeek::SHA1Val(), "sha1") {} }; @@ -141,8 +141,8 @@ public: * @return the new MD5 analyzer instance or a null pointer if there's no * handler for the "file_hash" event. */ - static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - File* file) + static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file) { return file_hash ? new SHA256(std::move(args), file) : nullptr; } protected: @@ -152,9 +152,18 @@ protected: * @param args the \c AnalyzerArgs value which represents the analyzer. * @param file the file to which the analyzer will be attached. */ - SHA256(zeek::RecordValPtr args, File* file) + SHA256(zeek::RecordValPtr args, zeek::file_analysis::File* file) : Hash(std::move(args), file, new zeek::SHA256Val(), "sha256") {} }; +} // namespace zeek::file_analysis + +namespace file_analysis { + + using Hash [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Hash.")]] = zeek::file_analysis::detail::Hash; + using MD5 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::MD5.")]] = zeek::file_analysis::detail::MD5; + using SHA1 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::SHA1.")]] = zeek::file_analysis::detail::SHA1; + using SHA256 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::SHA256.")]] = zeek::file_analysis::detail::SHA256; + } // namespace file_analysis diff --git a/src/file_analysis/analyzer/hash/Plugin.cc b/src/file_analysis/analyzer/hash/Plugin.cc index e7c09c5417..d889308d35 100644 --- a/src/file_analysis/analyzer/hash/Plugin.cc +++ b/src/file_analysis/analyzer/hash/Plugin.cc @@ -4,16 +4,15 @@ #include "plugin/Plugin.h" #include "file_analysis/Component.h" -namespace plugin { -namespace Zeek_FileHash { +namespace zeek::plugin::detail::Zeek_FileHash { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new ::file_analysis::Component("MD5", ::file_analysis::MD5::Instantiate)); - AddComponent(new ::file_analysis::Component("SHA1", ::file_analysis::SHA1::Instantiate)); - AddComponent(new ::file_analysis::Component("SHA256", ::file_analysis::SHA256::Instantiate)); + AddComponent(new zeek::file_analysis::Component("MD5", zeek::file_analysis::detail::MD5::Instantiate)); + AddComponent(new zeek::file_analysis::Component("SHA1", zeek::file_analysis::detail::SHA1::Instantiate)); + AddComponent(new zeek::file_analysis::Component("SHA256", zeek::file_analysis::detail::SHA256::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::FileHash"; @@ -22,5 +21,4 @@ public: } } plugin; -} -} +} // namespace zeek::plugin::detail::Zeek_FileHash diff --git a/src/file_analysis/analyzer/pe/PE.cc b/src/file_analysis/analyzer/pe/PE.cc index 5217f4e107..e34b99c169 100644 --- a/src/file_analysis/analyzer/pe/PE.cc +++ b/src/file_analysis/analyzer/pe/PE.cc @@ -1,11 +1,12 @@ #include "PE.h" #include "file_analysis/Manager.h" -using namespace file_analysis; +namespace zeek::file_analysis::detail { -PE::PE(zeek::RecordValPtr args, File* file) - : file_analysis::Analyzer(file_mgr->GetComponentTag("PE"), std::move(args), - file) +PE::PE(zeek::RecordValPtr args, zeek::file_analysis::File* file) + : zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("PE"), + std::move(args), + file) { conn = new binpac::PE::MockConnection(this); interp = new binpac::PE::File(conn); @@ -39,3 +40,5 @@ bool PE::EndOfFile() { return false; } + +} // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/analyzer/pe/PE.h b/src/file_analysis/analyzer/pe/PE.h index ef14744c3f..4a3ac5bad5 100644 --- a/src/file_analysis/analyzer/pe/PE.h +++ b/src/file_analysis/analyzer/pe/PE.h @@ -6,17 +6,17 @@ #include "../File.h" #include "pe_pac.h" -namespace file_analysis { +namespace zeek::file_analysis::detail { /** * Analyze Portable Executable files */ -class PE : public file_analysis::Analyzer { +class PE : public zeek::file_analysis::Analyzer { public: ~PE(); - static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - File* file) + static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file) { return new PE(std::move(args), file); } virtual bool DeliverStream(const u_char* data, uint64_t len); @@ -24,10 +24,16 @@ public: virtual bool EndOfFile(); protected: - PE(zeek::RecordValPtr args, File* file); + PE(zeek::RecordValPtr args, zeek::file_analysis::File* file); binpac::PE::File* interp; binpac::PE::MockConnection* conn; bool done; }; +} // namespace zeek::file_analysis::detail + +namespace file_analysis { + + using PE [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::PE.")]] = zeek::file_analysis::detail::PE; + } // namespace file_analysis diff --git a/src/file_analysis/analyzer/pe/Plugin.cc b/src/file_analysis/analyzer/pe/Plugin.cc index 5e7800c9c7..77663c2e80 100644 --- a/src/file_analysis/analyzer/pe/Plugin.cc +++ b/src/file_analysis/analyzer/pe/Plugin.cc @@ -4,14 +4,13 @@ #include "plugin/Plugin.h" #include "file_analysis/Component.h" -namespace plugin { -namespace Zeek_PE { +namespace zeek::plugin::detail::Zeek_PE { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new ::file_analysis::Component("PE", ::file_analysis::PE::Instantiate)); + AddComponent(new zeek::file_analysis::Component("PE", zeek::file_analysis::detail::PE::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::PE"; @@ -20,5 +19,4 @@ public: } } plugin; -} -} +} // namespace zeek::plugin::detail::Zeek_PE diff --git a/src/file_analysis/analyzer/unified2/Plugin.cc b/src/file_analysis/analyzer/unified2/Plugin.cc index 2e33ed0881..b01e24e8a5 100644 --- a/src/file_analysis/analyzer/unified2/Plugin.cc +++ b/src/file_analysis/analyzer/unified2/Plugin.cc @@ -6,14 +6,13 @@ #include "plugin/Plugin.h" #include "file_analysis/Component.h" -namespace plugin { -namespace Zeek_Unified2 { +namespace zeek::plugin::detail::Zeek_Unified2 { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new ::file_analysis::Component("UNIFIED2", ::file_analysis::Unified2::Instantiate)); + AddComponent(new zeek::file_analysis::Component("UNIFIED2", zeek::file_analysis::detail::Unified2::Instantiate)); zeek::plugin::Configuration config; config.name = "Zeek::Unified2"; @@ -22,5 +21,4 @@ public: } } plugin; -} -} +} // namespace zeek::plugin::detail::Zeek_Unified2 diff --git a/src/file_analysis/analyzer/unified2/Unified2.cc b/src/file_analysis/analyzer/unified2/Unified2.cc index 0fdde8f668..ecf09aa708 100644 --- a/src/file_analysis/analyzer/unified2/Unified2.cc +++ b/src/file_analysis/analyzer/unified2/Unified2.cc @@ -3,10 +3,11 @@ #include "Unified2.h" #include "file_analysis/Manager.h" -using namespace file_analysis; +namespace zeek::file_analysis::detail { -Unified2::Unified2(zeek::RecordValPtr args, File* file) - : file_analysis::Analyzer(file_mgr->GetComponentTag("UNIFIED2"), std::move(args), file) +Unified2::Unified2(zeek::RecordValPtr args, zeek::file_analysis::File* file) + : file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("UNIFIED2"), + std::move(args), file) { interp = new binpac::Unified2::Unified2_Analyzer(this); } @@ -16,7 +17,8 @@ Unified2::~Unified2() delete interp; } -file_analysis::Analyzer* Unified2::Instantiate(zeek::RecordValPtr args, File* file) +zeek::file_analysis::Analyzer* Unified2::Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file) { return new Unified2(std::move(args), file); } @@ -35,3 +37,5 @@ bool Unified2::DeliverStream(const u_char* data, uint64_t len) return true; } + +} // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/analyzer/unified2/Unified2.h b/src/file_analysis/analyzer/unified2/Unified2.h index 479ac96e84..a844846097 100644 --- a/src/file_analysis/analyzer/unified2/Unified2.h +++ b/src/file_analysis/analyzer/unified2/Unified2.h @@ -9,21 +9,22 @@ #include "Analyzer.h" #include "unified2_pac.h" -namespace file_analysis { +namespace zeek::file_analysis::detail { /** * An analyzer to extract content of files from local disk. */ -class Unified2 : public file_analysis::Analyzer { +class Unified2 : public zeek::file_analysis::Analyzer { public: ~Unified2() override; bool DeliverStream(const u_char* data, uint64_t len) override; - static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, File* file); + static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file); protected: - Unified2(zeek::RecordValPtr args, File* file); + Unified2(zeek::RecordValPtr args, zeek::file_analysis::File* file); private: binpac::Unified2::Unified2_Analyzer* interp; @@ -31,4 +32,10 @@ private: string filename; }; +} // namespace zeek::file_analysis::detail + +namespace file_analysis { + + using Unified2 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Unified2.")]] = zeek::file_analysis::detail::Unified2; + } // namespace file_analysis diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 454cdec3a4..b13081f77a 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -29,7 +29,7 @@ X509* helper_sk_X509_value(const STACK_OF(X509)* certs, int i) return sk_X509_value(certs, i); } -using namespace file_analysis; +namespace zeek::file_analysis::detail { #define OCSP_STRING_BUF_SIZE 2048 @@ -113,38 +113,40 @@ static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bi return true; } -file_analysis::Analyzer* OCSP::InstantiateRequest(zeek::RecordValPtr args, File* file) +zeek::file_analysis::Analyzer* OCSP::InstantiateRequest(zeek::RecordValPtr args, + zeek::file_analysis::File* file) { return new OCSP(std::move(args), file, true); } -file_analysis::Analyzer* OCSP::InstantiateReply(zeek::RecordValPtr args, File* file) +zeek::file_analysis::Analyzer* OCSP::InstantiateReply(zeek::RecordValPtr args, + zeek::file_analysis::File* file) { return new OCSP(std::move(args), file, false); } -file_analysis::OCSP::OCSP(zeek::RecordValPtr args, file_analysis::File* file, +OCSP::OCSP(zeek::RecordValPtr args, zeek::file_analysis::File* file, bool arg_request) - : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"), - std::move(args), file), + : X509Common::X509Common(zeek::file_mgr->GetComponentTag("OCSP"), + std::move(args), file), request(arg_request) { } -bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64_t len) +bool OCSP::DeliverStream(const u_char* data, uint64_t len) { ocsp_data.append(reinterpret_cast(data), len); return true; } -bool file_analysis::OCSP::Undelivered(uint64_t offset, uint64_t len) +bool OCSP::Undelivered(uint64_t offset, uint64_t len) { return false; } // we parse the entire OCSP response in EOF, because we just pass it on // to OpenSSL. -bool file_analysis::OCSP::EndOfFile() +bool OCSP::EndOfFile() { const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data()); @@ -399,7 +401,7 @@ static uint64_t parse_request_version(OCSP_REQUEST* req) } #endif -void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req) +void OCSP::ParseRequest(OCSP_REQUEST* req) { char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions memset(buf, 0, sizeof(buf)); @@ -441,7 +443,7 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req) BIO_free(bio); } -void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp) +void OCSP::ParseResponse(OCSP_RESPONSE *resp) { //OCSP_RESPBYTES *resp_bytes = resp->responseBytes; OCSP_BASICRESP *basic_resp = nullptr; @@ -636,7 +638,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp) ::X509 *this_cert = X509_dup(helper_sk_X509_value(certs, i)); //::X509 *this_cert = X509_dup(sk_X509_value(certs, i)); if (this_cert) - certs_vector->Assign(i, zeek::make_intrusive(this_cert)); + certs_vector->Assign(i, zeek::make_intrusive(this_cert)); else zeek::reporter->Weird("OpenSSL returned null certificate"); } @@ -662,7 +664,7 @@ clean_up: BIO_free(bio); } -void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) +void OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) { // In OpenSSL 1.0.2+, we can get the extension by using NID_ct_cert_scts. // In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually @@ -674,3 +676,5 @@ void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa #endif ParseSignedCertificateTimestamps(ex); } + +} // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index e0ebc8eca8..b9cd0bd8a4 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -3,28 +3,27 @@ #pragma once #include +#include #include "X509Common.h" -#include +ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis); -namespace file_analysis { +namespace zeek::file_analysis::detail { -class File; - -class OCSP : public file_analysis::X509Common { +class OCSP : public zeek::file_analysis::detail::X509Common { public: bool DeliverStream(const u_char* data, uint64_t len) override; bool Undelivered(uint64_t offset, uint64_t len) override; bool EndOfFile() override; - static file_analysis::Analyzer* InstantiateRequest(zeek::RecordValPtr args, - File* file); - static file_analysis::Analyzer* InstantiateReply(zeek::RecordValPtr args, - File* file); + static zeek::file_analysis::Analyzer* InstantiateRequest(zeek::RecordValPtr args, + zeek::file_analysis::File* file); + static zeek::file_analysis::Analyzer* InstantiateReply(zeek::RecordValPtr args, + zeek::file_analysis::File* file); protected: - OCSP(zeek::RecordValPtr args, File* file, bool request); + OCSP(zeek::RecordValPtr args, zeek::file_analysis::File* file, bool request); private: void ParseResponse(OCSP_RESPONSE*); @@ -35,4 +34,10 @@ private: bool request = false; // true if ocsp request, false if reply }; -} +} // namespace zeek::file_analysis::detail + +namespace file_analysis { + + using OCSP [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::OCSP.")]] = zeek::file_analysis::detail::OCSP; + +} // namespace file_analysis diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc index e52be3f8d5..4b6ac5a52e 100644 --- a/src/file_analysis/analyzer/x509/Plugin.cc +++ b/src/file_analysis/analyzer/x509/Plugin.cc @@ -5,16 +5,15 @@ #include "plugin/Plugin.h" #include "file_analysis/Component.h" -namespace plugin { -namespace Zeek_X509 { +namespace zeek::plugin::detail::Zeek_X509 { class Plugin : public zeek::plugin::Plugin { public: zeek::plugin::Configuration Configure() override { - AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate)); - AddComponent(new ::file_analysis::Component("OCSP_REQUEST", ::file_analysis::OCSP::InstantiateRequest)); - AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply)); + AddComponent(new zeek::file_analysis::Component("X509", zeek::file_analysis::detail::X509::Instantiate)); + AddComponent(new zeek::file_analysis::Component("OCSP_REQUEST", zeek::file_analysis::detail::OCSP::InstantiateRequest)); + AddComponent(new zeek::file_analysis::Component("OCSP_REPLY", zeek::file_analysis::detail::OCSP::InstantiateReply)); zeek::plugin::Configuration config; config.name = "Zeek::X509"; @@ -25,9 +24,8 @@ public: void Done() override { zeek::plugin::Plugin::Done(); - ::file_analysis::X509::FreeRootStore(); + zeek::file_analysis::detail::X509::FreeRootStore(); } } plugin; -} -} +} // namespace zeek::plugin::detail::Zeek_X509 diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index ac3c293f4c..398eef65f8 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -21,28 +21,28 @@ #include #include -using namespace file_analysis; +namespace zeek::file_analysis::detail { -file_analysis::X509::X509(zeek::RecordValPtr args, file_analysis::File* file) - : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"), - std::move(args), file) +X509::X509(zeek::RecordValPtr args, zeek::file_analysis::File* file) + : X509Common::X509Common(zeek::file_mgr->GetComponentTag("X509"), + std::move(args), file) { cert_data.clear(); } -bool file_analysis::X509::DeliverStream(const u_char* data, uint64_t len) +bool X509::DeliverStream(const u_char* data, uint64_t len) { // just add it to the data we have so far, since we cannot do anything else anyways... cert_data.append(reinterpret_cast(data), len); return true; } -bool file_analysis::X509::Undelivered(uint64_t offset, uint64_t len) +bool X509::Undelivered(uint64_t offset, uint64_t len) { return false; } -bool file_analysis::X509::EndOfFile() +bool X509::EndOfFile() { const unsigned char* cert_char = reinterpret_cast(cert_data.data()); if ( certificate_cache ) @@ -113,7 +113,8 @@ bool file_analysis::X509::EndOfFile() return false; } -zeek::RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f) +zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val, + zeek::file_analysis::File* f) { ::X509* ssl_cert = cert_val->GetCertificate(); @@ -240,7 +241,7 @@ zeek::RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File return pX509Cert; } -X509_STORE* file_analysis::X509::GetRootStore(zeek::TableVal* root_certs) +X509_STORE* X509::GetRootStore(zeek::TableVal* root_certs) { // If this certificate store was built previously, just reuse the old one. if ( x509_stores.count(root_certs) > 0 ) @@ -274,13 +275,13 @@ X509_STORE* file_analysis::X509::GetRootStore(zeek::TableVal* root_certs) return ctx; } -void file_analysis::X509::FreeRootStore() +void X509::FreeRootStore() { for ( const auto& e : x509_stores ) X509_STORE_free(e.second); } -void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) +void X509::ParseBasicConstraints(X509_EXTENSION* ex) { assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints); @@ -309,7 +310,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) zeek::reporter->Weird(GetFile(), "x509_invalid_basic_constraint"); } -void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) +void X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) { // look if we have a specialized handler for this event... if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) @@ -329,7 +330,7 @@ void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa ParseSignedCertificateTimestamps(ex); } -void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) +void X509::ParseSAN(X509_EXTENSION* ext) { assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name); @@ -443,7 +444,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) GENERAL_NAMES_free(altname); } -zeek::StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key) +zeek::StringValPtr X509::KeyCurve(EVP_PKEY* key) { assert(key != nullptr); @@ -476,7 +477,7 @@ zeek::StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key) #endif } -unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key) +unsigned int X509::KeyLength(EVP_PKEY *key) { assert(key != NULL); @@ -583,3 +584,5 @@ bool X509Val::DoUnserialize(const broker::data& data) certificate = d2i_X509(NULL, &opensslbuf, s->size()); return (certificate != nullptr); } + +} // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 884e1402d1..3b48a48012 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -63,11 +63,11 @@ static void RSA_get0_key(const RSA *r, #endif -namespace file_analysis { +namespace zeek::file_analysis::detail { class X509Val; -class X509 : public file_analysis::X509Common { +class X509 : public zeek::file_analysis::detail::X509Common { public: bool DeliverStream(const u_char* data, uint64_t len) override; bool Undelivered(uint64_t offset, uint64_t len) override; @@ -86,10 +86,10 @@ public: * @param Returns the new record value and passes ownership to * caller. */ - static zeek::RecordValPtr ParseCertificate(X509Val* cert_val, File* file = nullptr); + static zeek::RecordValPtr ParseCertificate(X509Val* cert_val, zeek::file_analysis::File* file = nullptr); - static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, - File* file) + static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, + zeek::file_analysis::File* file) { return new X509(std::move(args), file); } /** @@ -127,7 +127,7 @@ public: { cache_hit_callback = std::move(func); } protected: - X509(zeek::RecordValPtr args, File* file); + X509(zeek::RecordValPtr args, zeek::file_analysis::File* file); private: void ParseBasicConstraints(X509_EXTENSION* ex); @@ -196,4 +196,11 @@ private: ::X509* certificate; // the wrapped certificate }; -} +} // namespace zeek::file_analysis::detail + +namespace file_analysis { + + using X509 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::X509.")]] = zeek::file_analysis::detail::X509; + using X509Val [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::X509Val.")]] = zeek::file_analysis::detail::X509Val; + +} // namespace file_analysis diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index a0f2bb97f4..a35c6aa1ed 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -14,15 +14,16 @@ #include #include -using namespace file_analysis; +namespace zeek::file_analysis::detail { -X509Common::X509Common(const file_analysis::Tag& arg_tag, - zeek::RecordValPtr arg_args, File* arg_file) - : file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file) +X509Common::X509Common(const zeek::file_analysis::Tag& arg_tag, + zeek::RecordValPtr arg_args, + zeek::file_analysis::File* arg_file) + : zeek::file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file) { } -static void EmitWeird(const char* name, File* file, const char* addl = "") +static void EmitWeird(const char* name, zeek::file_analysis::File* file, const char* addl = "") { if ( file ) zeek::reporter->Weird(file, name, addl); @@ -30,7 +31,7 @@ static void EmitWeird(const char* name, File* file, const char* addl = "") zeek::reporter->Weird(name); } -double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, File* f, zeek::Reporter* reporter) +double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, zeek::file_analysis::File* f, zeek::Reporter* reporter) { time_t lResult = 0; @@ -187,7 +188,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, File* f, zeek::Report return lResult; } -void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) +void X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) { // Ok, signed certificate timestamps are a bit of an odd case out; we don't // want to use the (basically nonexistant) OpenSSL functionality to parse them. @@ -231,7 +232,7 @@ void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* delete conn; } -void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global) +void X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global) { char name[256]; char oid[256]; @@ -298,7 +299,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::E ParseExtensionsSpecific(ex, global, ext_asn, oid); } -zeek::StringValPtr file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f) +zeek::StringValPtr X509Common::GetExtensionFromBIO(BIO* bio, zeek::file_analysis::File* f) { BIO_flush(bio); ERR_clear_error(); @@ -338,3 +339,5 @@ zeek::StringValPtr file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File return ext_val; } + +} // namespace zeek::file_analysis::detail diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h index 4503799984..206bf8829d 100644 --- a/src/file_analysis/analyzer/x509/X509Common.h +++ b/src/file_analysis/analyzer/x509/X509Common.h @@ -13,18 +13,17 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(Reporter, zeek); ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek); +ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis); +ZEEK_FORWARD_DECLARE_NAMESPACED(Tag, zeek, file_analysis); namespace zeek { template class IntrusivePtr; using StringValPtr = zeek::IntrusivePtr; } -namespace file_analysis { +namespace zeek::file_analysis::detail { -class Tag; -class File; - -class X509Common : public file_analysis::Analyzer { +class X509Common : public zeek::file_analysis::Analyzer { public: ~X509Common() override {}; @@ -39,17 +38,25 @@ public: * * @return The X509 extension value. */ - static zeek::StringValPtr GetExtensionFromBIO(BIO* bio, File* f = nullptr); + static zeek::StringValPtr GetExtensionFromBIO(BIO* bio, zeek::file_analysis::File* f = nullptr); - static double GetTimeFromAsn1(const ASN1_TIME* atime, File* f, zeek::Reporter* reporter); + static double GetTimeFromAsn1(const ASN1_TIME* atime, zeek::file_analysis::File* f, + zeek::Reporter* reporter); protected: - X509Common(const file_analysis::Tag& arg_tag, - zeek::RecordValPtr arg_args, File* arg_file); + X509Common(const zeek::file_analysis::Tag& arg_tag, + zeek::RecordValPtr arg_args, + zeek::file_analysis::File* arg_file); void ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global); void ParseSignedCertificateTimestamps(X509_EXTENSION* ext); virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0; }; -} +} // namespace zeek:file_analysis + +namespace file_analysis { + + using X509Common [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::X509Common.")]] = zeek::file_analysis::detail::X509Common; + +} // namespace file_analysis diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 05d06bf9b2..9e6687b256 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -42,7 +42,7 @@ STACK_OF(X509)* x509_get_untrusted_stack(zeek::VectorVal* certs_vec) continue; // Fixme: check type - X509* x = ((file_analysis::X509Val*) sv.get())->GetCertificate(); + X509* x = ((zeek::file_analysis::detail::X509Val*) sv.get())->GetCertificate(); if ( ! x ) { sk_X509_free(untrusted_certs); @@ -147,9 +147,9 @@ const EVP_MD* hash_to_evp(int hash) function x509_parse%(cert: opaque of x509%): X509::Certificate %{ assert(cert); - file_analysis::X509Val* h = (file_analysis::X509Val*) cert; + auto* h = (zeek::file_analysis::detail::X509Val*) cert; - return file_analysis::X509::ParseCertificate(h); + return zeek::file_analysis::detail::X509::ParseCertificate(h); %} ## Constructs an opaque of X509 from a der-formatted string. @@ -162,7 +162,7 @@ function x509_parse%(cert: opaque of x509%): X509::Certificate function x509_from_der%(der: string%): opaque of x509 %{ const u_char* data = der->Bytes(); - return zeek::make_intrusive(d2i_X509(nullptr, &data, der->Len())); + return zeek::make_intrusive(d2i_X509(nullptr, &data, der->Len())); %} ## Returns the string form of a certificate. @@ -180,7 +180,7 @@ function x509_from_der%(der: string%): opaque of x509 function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F%): string %{ assert(cert); - file_analysis::X509Val* h = (file_analysis::X509Val*) cert; + auto* h = (zeek::file_analysis::detail::X509Val*) cert; BIO *bio = BIO_new(BIO_s_mem()); @@ -190,7 +190,7 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F else i2d_X509_bio(bio, h->GetCertificate()); - auto ext_val = file_analysis::X509::GetExtensionFromBIO(bio); + auto ext_val = zeek::file_analysis::detail::X509::GetExtensionFromBIO(bio); if ( ! ext_val ) ext_val = zeek::val_mgr->EmptyString(); @@ -217,7 +217,7 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result %{ zeek::RecordValPtr rval; - X509_STORE* ctx = ::file_analysis::X509::GetRootStore(root_certs->AsTableVal()); + X509_STORE* ctx = zeek::file_analysis::detail::X509::GetRootStore(root_certs->AsTableVal()); if ( ! ctx ) return x509_result_record(-1, "Problem initializing root store"); @@ -238,7 +238,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c return x509_result_record(-1, "undefined value in certificate vector"); } - file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) sv.get(); + auto* cert_handle = (zeek::file_analysis::detail::X509Val*) sv.get(); X509* cert = cert_handle->GetCertificate(); if ( ! cert ) @@ -503,7 +503,7 @@ x509_ocsp_cleanup: ## x509_get_certificate_string x509_ocsp_verify sct_verify function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result %{ - X509_STORE* ctx = ::file_analysis::X509::GetRootStore(root_certs->AsTableVal()); + X509_STORE* ctx = zeek::file_analysis::detail::X509::GetRootStore(root_certs->AsTableVal()); if ( ! ctx ) return x509_result_record(-1, "Problem initializing root store"); @@ -523,7 +523,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str zeek::emit_builtin_error("undefined value in certificate vector"); return x509_result_record(-1, "undefined value in certificate vector"); } - file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) sv.get(); + auto* cert_handle = (zeek::file_analysis::detail::X509Val*) sv.get(); X509* cert = cert_handle->GetCertificate(); if ( ! cert ) @@ -565,7 +565,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str if ( currcert ) // X509Val takes ownership of currcert. - chainVector->Assign(i, zeek::make_intrusive(currcert)); + chainVector->Assign(i, zeek::make_intrusive(currcert)); else { zeek::reporter->InternalWarning("OpenSSL returned null certificate"); @@ -614,8 +614,8 @@ x509_verify_chainerror: function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool %{ assert(cert); - file_analysis::X509Val* h = (file_analysis::X509Val*) cert; - X509* x = ((file_analysis::X509Val*) h)->GetCertificate(); + auto* h = (zeek::file_analysis::detail::X509Val*) cert; + X509* x = ((zeek::file_analysis::detail::X509Val*) h)->GetCertificate(); assert(sizeof(timestamp) >= 8); uint64_t timestamp_network = htonll(timestamp); @@ -762,7 +762,7 @@ sct_verify_err: * 1 -> issuer name * 2 -> pubkey */ -zeek::StringValPtr x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type) +zeek::StringValPtr x509_entity_hash(zeek::file_analysis::detail::X509Val *cert_handle, unsigned int hash_alg, unsigned int type) { assert(cert_handle); @@ -842,7 +842,7 @@ zeek::StringValPtr x509_entity_hash(file_analysis::X509Val *cert_handle, unsigne ## x509_verify sct_verify function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ - file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + auto* cert_handle = (zeek::file_analysis::detail::X509Val *) cert; return x509_entity_hash(cert_handle, hash_alg, 0); %} @@ -860,7 +860,7 @@ function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string ## x509_verify sct_verify function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ - file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + auto* cert_handle = (zeek::file_analysis::detail::X509Val *) cert; return x509_entity_hash(cert_handle, hash_alg, 1); %} @@ -878,7 +878,7 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string ## x509_verify sct_verify function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string %{ - file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + auto* cert_handle = (zeek::file_analysis::detail::X509Val *) cert; return x509_entity_hash(cert_handle, hash_alg, 2); %} @@ -901,7 +901,7 @@ function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string ## .. zeek:see:: x509_set_certificate_cache_hit_callback function x509_set_certificate_cache%(tbl: string_any_table%) : bool %{ - file_analysis::X509::SetCertificateCache({zeek::NewRef{}, tbl->AsTableVal()}); + zeek::file_analysis::detail::X509::SetCertificateCache({zeek::NewRef{}, tbl->AsTableVal()}); return zeek::val_mgr->True(); %} @@ -919,7 +919,7 @@ function x509_set_certificate_cache%(tbl: string_any_table%) : bool ## .. zeek:see:: x509_set_certificate_cache function x509_set_certificate_cache_hit_callback%(f: string_any_file_hook%) : bool %{ - file_analysis::X509::SetCertificateCacheHitCallback({zeek::NewRef{}, f->AsFunc()}); + zeek::file_analysis::detail::X509::SetCertificateCacheHitCallback({zeek::NewRef{}, f->AsFunc()}); return zeek::val_mgr->True(); %} diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index c79e23fcac..2dae1e1856 100644 --- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif @@ -13,28 +13,28 @@ type AnalyzerArgs: record; ## :zeek:see:`Files::set_timeout_interval`. function Files::__set_timeout_interval%(file_id: string, t: interval%): bool %{ - bool result = file_mgr->SetTimeoutInterval(file_id->CheckString(), t); + bool result = zeek::file_mgr->SetTimeoutInterval(file_id->CheckString(), t); return zeek::val_mgr->Bool(result); %} ## :zeek:see:`Files::enable_reassembly`. function Files::__enable_reassembly%(file_id: string%): bool %{ - bool result = file_mgr->EnableReassembly(file_id->CheckString()); + bool result = zeek::file_mgr->EnableReassembly(file_id->CheckString()); return zeek::val_mgr->Bool(result); %} ## :zeek:see:`Files::disable_reassembly`. function Files::__disable_reassembly%(file_id: string%): bool %{ - bool result = file_mgr->DisableReassembly(file_id->CheckString()); + bool result = zeek::file_mgr->DisableReassembly(file_id->CheckString()); return zeek::val_mgr->Bool(result); %} ## :zeek:see:`Files::set_reassembly_buffer_size`. function Files::__set_reassembly_buffer%(file_id: string, max: count%): bool %{ - bool result = file_mgr->SetReassemblyBuffer(file_id->CheckString(), max); + bool result = zeek::file_mgr->SetReassemblyBuffer(file_id->CheckString(), max); return zeek::val_mgr->Bool(result); %} @@ -43,9 +43,10 @@ function Files::__add_analyzer%(file_id: string, tag: Files::Tag, args: any%): b %{ using zeek::BifType::Record::Files::AnalyzerArgs; auto rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs); - bool result = file_mgr->AddAnalyzer(file_id->CheckString(), - file_mgr->GetComponentTag(tag), - std::move(rv)); + bool result = zeek::file_mgr->AddAnalyzer( + file_id->CheckString(), + zeek::file_mgr->GetComponentTag(tag), + std::move(rv)); return zeek::val_mgr->Bool(result); %} @@ -54,30 +55,31 @@ function Files::__remove_analyzer%(file_id: string, tag: Files::Tag, args: any%) %{ using zeek::BifType::Record::Files::AnalyzerArgs; auto rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs); - bool result = file_mgr->RemoveAnalyzer(file_id->CheckString(), - file_mgr->GetComponentTag(tag), - std::move(rv)); + bool result = zeek::file_mgr->RemoveAnalyzer( + file_id->CheckString(), + zeek::file_mgr->GetComponentTag(tag), + std::move(rv)); return zeek::val_mgr->Bool(result); %} ## :zeek:see:`Files::stop`. function Files::__stop%(file_id: string%): bool %{ - bool result = file_mgr->IgnoreFile(file_id->CheckString()); + bool result = zeek::file_mgr->IgnoreFile(file_id->CheckString()); return zeek::val_mgr->Bool(result); %} ## :zeek:see:`Files::analyzer_name`. function Files::__analyzer_name%(tag: Files::Tag%) : string %{ - const auto& n = file_mgr->GetComponentName(zeek::IntrusivePtr{zeek::NewRef{}, tag->AsEnumVal()}); + const auto& n = zeek::file_mgr->GetComponentName(zeek::IntrusivePtr{zeek::NewRef{}, tag->AsEnumVal()}); return zeek::make_intrusive(n); %} ## :zeek:see:`Files::file_exists`. function Files::__file_exists%(fuid: string%): bool %{ - if ( file_mgr->LookupFile(fuid->CheckString()) != nullptr ) + if ( zeek::file_mgr->LookupFile(fuid->CheckString()) != nullptr ) return zeek::val_mgr->True(); else return zeek::val_mgr->False(); @@ -86,7 +88,7 @@ function Files::__file_exists%(fuid: string%): bool ## :zeek:see:`Files::lookup_file`. function Files::__lookup_file%(fuid: string%): fa_file %{ - auto f = file_mgr->LookupFile(fuid->CheckString()); + auto f = zeek::file_mgr->LookupFile(fuid->CheckString()); if ( f != nullptr ) return f->ToVal(); @@ -108,6 +110,6 @@ function set_file_handle%(handle: string%): any %{ auto bytes = reinterpret_cast(handle->Bytes()); auto h = std::string(bytes, handle->Len()); - file_mgr->SetHandle(h); + zeek::file_mgr->SetHandle(h); return nullptr; %} diff --git a/src/input/Manager.cc b/src/input/Manager.cc index d0c8250997..d9540a554f 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -783,7 +783,7 @@ bool Manager::CreateAnalysisStream(zeek::RecordVal* fval) return false; } - stream->file_id = file_mgr->HashHandle(stream->name); + stream->file_id = zeek::file_mgr->HashHandle(stream->name); assert(stream->reader); @@ -1099,9 +1099,9 @@ void Manager::SendEntry(ReaderFrontend* reader, Value* *vals) { readFields = 1; assert(vals[0]->type == zeek::TYPE_STRING); - file_mgr->DataIn(reinterpret_cast(vals[0]->val.string_val.data), - vals[0]->val.string_val.length, - static_cast(i)->file_id, i->name); + zeek::file_mgr->DataIn(reinterpret_cast(vals[0]->val.string_val.data), + vals[0]->val.string_val.length, + static_cast(i)->file_id, i->name); } else @@ -1437,7 +1437,7 @@ void Manager::SendEndOfData(const Stream *i) new zeek::StringVal(i->reader->Info().source)); if ( i->stream_type == ANALYSIS_STREAM ) - file_mgr->EndOfFile(static_cast(i)->file_id); + zeek::file_mgr->EndOfFile(static_cast(i)->file_id); } void Manager::Put(ReaderFrontend* reader, Value* *vals) @@ -1469,9 +1469,9 @@ void Manager::Put(ReaderFrontend* reader, Value* *vals) { readFields = 1; assert(vals[0]->type == zeek::TYPE_STRING); - file_mgr->DataIn(reinterpret_cast(vals[0]->val.string_val.data), - vals[0]->val.string_val.length, - static_cast(i)->file_id, i->name); + zeek::file_mgr->DataIn(reinterpret_cast(vals[0]->val.string_val.data), + vals[0]->val.string_val.length, + static_cast(i)->file_id, i->name); } else diff --git a/src/reporter.bif b/src/reporter.bif index d557f6364c..f83c35ea84 100644 --- a/src/reporter.bif +++ b/src/reporter.bif @@ -149,7 +149,7 @@ function Reporter::conn_weird%(name: string, c: connection, addl: string &defaul function Reporter::file_weird%(name: string, f: fa_file, addl: string &default=""%): bool %{ auto fuid = f->AsRecordVal()->GetField(0)->AsStringVal(); - auto file = file_mgr->LookupFile(fuid->CheckString()); + auto file = zeek::file_mgr->LookupFile(fuid->CheckString()); if ( ! file ) return zeek::val_mgr->False(); diff --git a/src/stats.bif b/src/stats.bif index 86d2350e0e..53c64fcf09 100644 --- a/src/stats.bif +++ b/src/stats.bif @@ -311,9 +311,9 @@ function get_file_analysis_stats%(%): FileAnalysisStats auto r = zeek::make_intrusive(FileAnalysisStats); int n = 0; - r->Assign(n++, zeek::val_mgr->Count(file_mgr->CurrentFiles())); - r->Assign(n++, zeek::val_mgr->Count(file_mgr->MaxFiles())); - r->Assign(n++, zeek::val_mgr->Count(file_mgr->CumulativeFiles())); + r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->CurrentFiles())); + r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->MaxFiles())); + r->Assign(n++, zeek::val_mgr->Count(zeek::file_mgr->CumulativeFiles())); return r; %} diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc index 6c31e5ae32..89d508804f 100644 --- a/src/zeek-setup.cc +++ b/src/zeek-setup.cc @@ -105,7 +105,8 @@ zeek::detail::TimerMgr*& timer_mgr = zeek::detail::timer_mgr; logging::Manager* log_mgr = nullptr; threading::Manager* thread_mgr = nullptr; input::Manager* input_mgr = nullptr; -file_analysis::Manager* file_mgr = nullptr; +zeek::file_analysis::Manager* zeek::file_mgr = nullptr; +zeek::file_analysis::Manager*& file_mgr = zeek::file_mgr; zeekygen::Manager* zeekygen_mgr = nullptr; iosource::Manager* iosource_mgr = nullptr; bro_broker::Manager* broker_mgr = nullptr; @@ -280,7 +281,7 @@ void terminate_bro() // File analysis termination may produce events, so do it early on in // the termination process. - file_mgr->Terminate(); + zeek::file_mgr->Terminate(); zeek::detail::script_coverage_mgr.WriteStats(); @@ -315,7 +316,7 @@ void terminate_bro() delete zeekygen_mgr; delete zeek::analyzer_mgr; - delete file_mgr; + delete zeek::file_mgr; // broker_mgr, timer_mgr, and supervisor are deleted via iosource_mgr delete iosource_mgr; delete zeek::event_registry; @@ -581,14 +582,14 @@ zeek::detail::SetupResult zeek::detail::setup(int argc, char** argv, zeek::analyzer_mgr = new analyzer::Manager(); log_mgr = new logging::Manager(); input_mgr = new input::Manager(); - file_mgr = new file_analysis::Manager(); + zeek::file_mgr = new file_analysis::Manager(); auto broker_real_time = ! options.pcap_file && ! options.deterministic_mode; broker_mgr = new bro_broker::Manager(broker_real_time); trigger_mgr = new zeek::detail::trigger::Manager(); zeek::plugin_mgr->InitPreScript(); zeek::analyzer_mgr->InitPreScript(); - file_mgr->InitPreScript(); + zeek::file_mgr->InitPreScript(); zeekygen_mgr->InitPreScript(); bool missing_plugin = false; @@ -674,7 +675,7 @@ zeek::detail::SetupResult zeek::detail::setup(int argc, char** argv, } zeek::analyzer_mgr->InitPostScript(); - file_mgr->InitPostScript(); + zeek::file_mgr->InitPostScript(); zeek::detail::dns_mgr->InitPostScript(); if ( options.parse_only ) @@ -729,7 +730,7 @@ zeek::detail::SetupResult zeek::detail::setup(int argc, char** argv, if ( options.print_signature_debug_info ) rule_matcher->PrintDebug(); - file_mgr->InitMagic(); + zeek::file_mgr->InitMagic(); } if ( g_policy_debug ) diff --git a/src/zeek.bif b/src/zeek.bif index fc751831fd..429b944ea3 100644 --- a/src/zeek.bif +++ b/src/zeek.bif @@ -980,7 +980,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string if ( ! return_mime ) zeek::reporter->Warning("identify_data() builtin-function only returns MIME types, but verbose file info requested"); - string strongest_match = file_mgr->DetectMIME(data->Bytes(), data->Len()); + string strongest_match = zeek::file_mgr->DetectMIME(data->Bytes(), data->Len()); if ( strongest_match.empty() ) return zeek::make_intrusive(""); @@ -999,7 +999,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string function file_magic%(data: string%): mime_matches %{ zeek::detail::RuleMatcher::MIME_Matches matches; - file_mgr->DetectMIME(data->Bytes(), data->Len(), &matches); + zeek::file_mgr->DetectMIME(data->Bytes(), data->Len(), &matches); return file_analysis::GenMIMEMatchesVal(matches); %} diff --git a/src/zeekygen/Target.cc b/src/zeekygen/Target.cc index 710c3ab281..282007bc1c 100644 --- a/src/zeekygen/Target.cc +++ b/src/zeekygen/Target.cc @@ -44,9 +44,9 @@ static void write_analyzer_component(FILE* f, const zeek::analyzer::Component* c fprintf(f, ":zeek:enum:`Analyzer::%s`\n\n", tag.c_str()); } -static void write_analyzer_component(FILE* f, const file_analysis::Component* c) +static void write_analyzer_component(FILE* f, const zeek::file_analysis::Component* c) { - const auto& atag = file_mgr->GetTagType(); + const auto& atag = zeek::file_mgr->GetTagType(); string tag = fmt("ANALYZER_%s", c->CanonicalName().c_str()); if ( atag->Lookup("Files", tag.c_str()) < 0 ) @@ -79,8 +79,8 @@ static void write_plugin_components(FILE* f, const zeek::plugin::Plugin* p) case zeek::plugin::component::FILE_ANALYZER: { - const file_analysis::Component* c = - dynamic_cast(component); + const auto* c = + dynamic_cast(component); if ( c ) write_analyzer_component(f, c); diff --git a/zeek-config.h.in b/zeek-config.h.in index cc7f760f49..8d0db14f1f 100644 --- a/zeek-config.h.in +++ b/zeek-config.h.in @@ -278,8 +278,8 @@ extern const char* BRO_VERSION_FUNCTION(); // Note: macros for internal use only during deprecation/namespacing process. // This uses funny VA_ARGS tricks so that we can overload the name and have multiple macros for // varying namespace lengths. -#define GET_MACRO(_0, _1, _2, _3, NAME, ...) NAME -#define ZEEK_FORWARD_DECLARE_NAMESPACED( ... ) GET_MACRO(_0, ##__VA_ARGS__, ZEEK_FDN_3, ZEEK_FDN_2, ZEEK_FDN_1, ZEEK_FDN_0)(__VA_ARGS__) +#define GET_MACRO(_0, _1, _2, _3, _4, NAME, ...) NAME +#define ZEEK_FORWARD_DECLARE_NAMESPACED( ... ) GET_MACRO(_0, ##__VA_ARGS__, ZEEK_FDN_4, ZEEK_FDN_3, ZEEK_FDN_2, ZEEK_FDN_1, ZEEK_FDN_0)(__VA_ARGS__) #define ZEEK_FDN_0() #define ZEEK_FDN_1(cls) #define ZEEK_FDN_2(cls, ns) \ @@ -288,3 +288,6 @@ extern const char* BRO_VERSION_FUNCTION(); #define ZEEK_FDN_3(cls, ns1, ns2) \ namespace ns1::ns2 { class cls; } \ namespace ns2 { using cls [[deprecated("Remove in v4.1. Use " #ns1 "::" #ns2 "::" #cls " instead.")]] = ns1::ns2::cls; } +#define ZEEK_FDN_4(cls, ns1, ns2, ns3) \ + namespace ns1::ns2::ns3 { class cls; } \ + namespace ns2 { using cls [[deprecated("Remove in v4.1. Use " #ns1 "::" #ns2 "::" #ns3 "::" #cls " instead.")]] = ns1::ns2::ns3::cls; }