Move file_analysis code to zeek namespaces

Tim Wojtulewicz 2020-08-01 10:47:36 -07:00
parent 8411adf9e1
commit 14408235b8
66 changed files with 554 additions and 410 deletions


@ -9,18 +9,18 @@
#include "util.h"
#include "file_analysis/Manager.h"
using namespace file_analysis;
namespace zeek::file_analysis::detail {
DataEvent::DataEvent(zeek::RecordValPtr args, File* file,
DataEvent::DataEvent(zeek::RecordValPtr args, zeek::file_analysis::File* file,
zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se)
: file_analysis::Analyzer(file_mgr->GetComponentTag("DATA_EVENT"),
: file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("DATA_EVENT"),
std::move(args), file),
chunk_event(ce), stream_event(se)
{
}
file_analysis::Analyzer* DataEvent::Instantiate(zeek::RecordValPtr args,
File* file)
zeek::file_analysis::Analyzer* DataEvent::Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
{
const auto& chunk_val = args->GetField("chunk_event");
const auto& stream_val = args->GetField("stream_event");
@ -63,3 +63,5 @@ bool DataEvent::DeliverStream(const u_char* data, uint64_t len)
return true;
}
} // namespace zeek::file_analysis::detail
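Review bot: The base-class initializer of the DataEvent constructor is still spelled `: file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("DATA_EVENT"),`, while the Entropy, Hash and PE constructors in this commit use the fully qualified `zeek::file_analysis::Analyzer`. Inside `namespace zeek::file_analysis::detail` the short form presumably resolves to the same class, but it reads like a reference to the deprecated global `file_analysis` namespace that the new aliases mark for removal in v4.1. I would write `: zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("DATA_EVENT"),` here. The Extract and Unified2 constructors in this commit have the same leftover.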


@ -9,12 +9,12 @@
#include "Analyzer.h"
#include "EventHandler.h"
namespace file_analysis {
namespace zeek::file_analysis::detail {
/**
* An analyzer to send file data to script-layer via events.
*/
class DataEvent : public file_analysis::Analyzer {
class DataEvent : public zeek::file_analysis::Analyzer {
public:
/**
@ -43,8 +43,8 @@ public:
* @return the new DataEvent analyzer instance or a null pointer if
* no "chunk_event" or "stream_event" field was specfied in \a args.
*/
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file);
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
protected:
@ -57,7 +57,7 @@ protected:
* @param se pointer to event handler which will be called to receive
* sequential file data.
*/
DataEvent(zeek::RecordValPtr args, File* file,
DataEvent(zeek::RecordValPtr args, zeek::file_analysis::File* file,
zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se);
private:
@ -65,4 +65,10 @@ private:
zeek::EventHandlerPtr stream_event;
};
} // namespace zeek::file_analysis::detail
namespace file_analysis {
using DataEvent [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::DataEvent.")]] = zeek::file_analysis::detail::DataEvent;
} // namespace file_analysis


@ -4,14 +4,13 @@
#include "plugin/Plugin.h"
#include "file_analysis/Component.h"
namespace plugin {
namespace Zeek_FileDataEvent {
namespace zeek::plugin::detail::Zeek_FileDataEvent {
class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::file_analysis::Component("DATA_EVENT", ::file_analysis::DataEvent::Instantiate));
AddComponent(new zeek::file_analysis::Component("DATA_EVENT", zeek::file_analysis::detail::DataEvent::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::FileDataEvent";
@ -20,5 +19,4 @@ public:
}
} plugin;
}
}
} // namespace zeek::plugin::detail::Zeek_FileDataEvent


@ -7,13 +7,12 @@
#include "Event.h"
#include "file_analysis/Manager.h"
using namespace file_analysis;
namespace zeek::file_analysis::detail {
Entropy::Entropy(zeek::RecordValPtr args, File* file)
: file_analysis::Analyzer(file_mgr->GetComponentTag("ENTROPY"),
std::move(args), file)
Entropy::Entropy(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("ENTROPY"),
std::move(args), file)
{
//entropy->Init();
entropy = new zeek::EntropyVal;
fed = false;
}
@ -23,8 +22,8 @@ Entropy::~Entropy()
Unref(entropy);
}
file_analysis::Analyzer* Entropy::Instantiate(zeek::RecordValPtr args,
File* file)
zeek::file_analysis::Analyzer* Entropy::Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
{
return new Entropy(std::move(args), file);
}
@ -51,7 +50,6 @@ bool Entropy::Undelivered(uint64_t offset, uint64_t len)
void Entropy::Finalize()
{
//if ( ! entropy->IsValid() || ! fed )
if ( ! fed )
return;
@ -75,3 +73,5 @@ void Entropy::Finalize()
std::move(ent_result)
);
}
} // namespace zeek::file_analysis::detail


@ -11,12 +11,12 @@
#include "events.bif.h"
namespace file_analysis {
namespace zeek::file_analysis::detail {
/**
* An analyzer to produce entropy of file contents.
*/
class Entropy : public file_analysis::Analyzer {
class Entropy : public zeek::file_analysis::Analyzer {
public:
/**
@ -31,8 +31,8 @@ public:
* @return the new Entropy analyzer instance or a null pointer if the
* the "extraction_file" field of \a args wasn't set.
*/
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file);
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
/**
* Calculate entropy of next chunk of file contents.
@ -66,7 +66,7 @@ protected:
* @param hv specific hash calculator object.
* @param kind human readable name of the hash algorithm to use.
*/
Entropy(zeek::RecordValPtr args, File* file);
Entropy(zeek::RecordValPtr args, zeek::file_analysis::File* file);
/**
* If some file contents have been seen, finalizes the entropy of them and
@ -79,4 +79,10 @@ private:
bool fed;
};
} // namespace zeek::file_analysis::detail
namespace file_analysis {
using Entropy [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Entropy.")]] = zeek::file_analysis::detail::Entropy;
} // namespace file_analysis
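Review bot: The Doxygen text above the re-qualified declarations in this header does not describe Entropy. The `Instantiate` comment promises a null pointer when the "extraction_file" field is unset, yet the implementation shown in this commit is `return new Entropy(std::move(args), file);` with no such check. The constructor comment documents `@param hv` and `@param kind`, which the two-argument constructor does not take; both comments look copied from the Extract and Hash analyzers. Since these signatures are being touched anyway, I would change the return line to `@return the new Entropy analyzer instance.` and replace the two stale `@param` lines with entries for `args` and `file`. The class body extends beyond the hunks shown.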


@ -4,14 +4,13 @@
#include "plugin/Plugin.h"
#include "file_analysis/Component.h"
namespace plugin {
namespace Zeek_FileEntropy {
namespace zeek::plugin::detail::Zeek_FileEntropy {
class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::file_analysis::Component("ENTROPY", ::file_analysis::Entropy::Instantiate));
AddComponent(new zeek::file_analysis::Component("ENTROPY", zeek::file_analysis::detail::Entropy::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::FileEntropy";
@ -20,5 +19,4 @@ public:
}
} plugin;
}
}
} // namespace zeek::plugin::detail::Zeek_FileEntropy


@ -8,11 +8,11 @@
#include "Event.h"
#include "file_analysis/Manager.h"
using namespace file_analysis;
namespace zeek::file_analysis::detail {
Extract::Extract(zeek::RecordValPtr args, File* file,
Extract::Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file,
const std::string& arg_filename, uint64_t arg_limit)
: file_analysis::Analyzer(file_mgr->GetComponentTag("EXTRACT"),
: file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("EXTRACT"),
std::move(args), file),
filename(arg_filename), limit(arg_limit), depth(0)
{
@ -44,7 +44,8 @@ static const zeek::ValPtr& get_extract_field_val(const zeek::RecordValPtr& args,
return rval;
}
file_analysis::Analyzer* Extract::Instantiate(zeek::RecordValPtr args, File* file)
zeek::file_analysis::Analyzer* Extract::Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
{
const auto& fname = get_extract_field_val(args, "extract_filename");
const auto& limit = get_extract_field_val(args, "extract_limit");
@ -92,7 +93,7 @@ bool Extract::DeliverStream(const u_char* data, uint64_t len)
if ( limit_exceeded && file_extraction_limit )
{
File* f = GetFile();
zeek::file_analysis::File* f = GetFile();
f->FileEvent(file_extraction_limit, {
f->ToVal(),
GetArgs(),
@ -125,3 +126,5 @@ bool Extract::Undelivered(uint64_t offset, uint64_t len)
return true;
}
} // namespace zeek::file_analysis::detail


@ -10,12 +10,12 @@
#include "analyzer/extract/events.bif.h"
namespace file_analysis {
namespace zeek::file_analysis::detail {
/**
* An analyzer to extract content of files to local disk.
*/
class Extract : public file_analysis::Analyzer {
class Extract : public zeek::file_analysis::Analyzer {
public:
/**
@ -47,8 +47,8 @@ public:
* @return the new Extract analyzer instance or a null pointer if the
* the "extraction_file" field of \a args wasn't set.
*/
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file);
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
/**
* Sets the maximum allowed extracted file size. A value of zero means
@ -67,7 +67,7 @@ protected:
* to which the contents of the file will be extracted/written.
* @param arg_limit the maximum allowed file size.
*/
Extract(zeek::RecordValPtr args, File* file,
Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file,
const std::string& arg_filename, uint64_t arg_limit);
private:
@ -77,4 +77,10 @@ private:
uint64_t depth;
};
} // namespace zeek::file_analysis::detail
namespace file_analysis {
using Extract [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Extract.")]] = zeek::file_analysis::detail::Extract;
} // namespace file_analysis


@ -4,14 +4,13 @@
#include "plugin/Plugin.h"
#include "file_analysis/Component.h"
namespace plugin {
namespace Zeek_FileExtract {
namespace zeek::plugin::detail::Zeek_FileExtract {
class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::file_analysis::Component("EXTRACT", ::file_analysis::Extract::Instantiate));
AddComponent(new zeek::file_analysis::Component("EXTRACT", zeek::file_analysis::detail::Extract::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::FileExtract";
@ -20,5 +19,4 @@ public:
}
} plugin;
}
}
} // namespace zeek::plugin::detail::Zeek_FileExtract


@ -12,8 +12,8 @@ function FileExtract::__set_limit%(file_id: string, args: any, n: count%): bool
%{
using zeek::BifType::Record::Files::AnalyzerArgs;
auto rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs);
bool result = file_mgr->SetExtractionLimit(file_id->CheckString(),
std::move(rv), n);
bool result = zeek::file_mgr->SetExtractionLimit(file_id->CheckString(),
std::move(rv), n);
return zeek::val_mgr->Bool(result);
%}


@ -7,11 +7,12 @@
#include "Event.h"
#include "file_analysis/Manager.h"
using namespace file_analysis;
namespace zeek::file_analysis::detail {
Hash::Hash(zeek::RecordValPtr args, File* file, zeek::HashVal* hv, const char* arg_kind)
: file_analysis::Analyzer(file_mgr->GetComponentTag(to_upper(arg_kind).c_str()),
std::move(args), file),
Hash::Hash(zeek::RecordValPtr args, zeek::file_analysis::File* file,
zeek::HashVal* hv, const char* arg_kind)
: zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag(to_upper(arg_kind).c_str()),
std::move(args), file),
hash(hv), fed(false), kind(arg_kind)
{
hash->Init();
@ -59,3 +60,5 @@ void Hash::Finalize()
hash->Get()
);
}
} // namespace zeek::file_analysis::detail


@ -11,12 +11,12 @@
#include "events.bif.h"
namespace file_analysis {
namespace zeek::file_analysis::detail {
/**
* An analyzer to produce a hash of file contents.
*/
class Hash : public file_analysis::Analyzer {
class Hash : public zeek::file_analysis::Analyzer {
public:
/**
@ -56,7 +56,7 @@ protected:
* @param hv specific hash calculator object.
* @param kind human readable name of the hash algorithm to use.
*/
Hash(zeek::RecordValPtr args, File* file, zeek::HashVal* hv, const char* kind);
Hash(zeek::RecordValPtr args, zeek::file_analysis::File* file, zeek::HashVal* hv, const char* kind);
/**
* If some file contents have been seen, finalizes the hash of them and
@ -83,8 +83,8 @@ public:
* @return the new MD5 analyzer instance or a null pointer if there's no
* handler for the "file_hash" event.
*/
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file)
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
{ return file_hash ? new MD5(std::move(args), file) : nullptr; }
protected:
@ -94,7 +94,7 @@ protected:
* @param args the \c AnalyzerArgs value which represents the analyzer.
* @param file the file to which the analyzer will be attached.
*/
MD5(zeek::RecordValPtr args, File* file)
MD5(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: Hash(std::move(args), file, new zeek::MD5Val(), "md5")
{}
};
@ -112,8 +112,8 @@ public:
* @return the new MD5 analyzer instance or a null pointer if there's no
* handler for the "file_hash" event.
*/
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file)
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
{ return file_hash ? new SHA1(std::move(args), file) : nullptr; }
protected:
@ -123,7 +123,7 @@ protected:
* @param args the \c AnalyzerArgs value which represents the analyzer.
* @param file the file to which the analyzer will be attached.
*/
SHA1(zeek::RecordValPtr args, File* file)
SHA1(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: Hash(std::move(args), file, new zeek::SHA1Val(), "sha1")
{}
};
@ -141,8 +141,8 @@ public:
* @return the new MD5 analyzer instance or a null pointer if there's no
* handler for the "file_hash" event.
*/
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file)
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
{ return file_hash ? new SHA256(std::move(args), file) : nullptr; }
protected:
@ -152,9 +152,18 @@ protected:
* @param args the \c AnalyzerArgs value which represents the analyzer.
* @param file the file to which the analyzer will be attached.
*/
SHA256(zeek::RecordValPtr args, File* file)
SHA256(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: Hash(std::move(args), file, new zeek::SHA256Val(), "sha256")
{}
};
} // namespace zeek::file_analysis
namespace file_analysis {
using Hash [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Hash.")]] = zeek::file_analysis::detail::Hash;
using MD5 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::MD5.")]] = zeek::file_analysis::detail::MD5;
using SHA1 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::SHA1.")]] = zeek::file_analysis::detail::SHA1;
using SHA256 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::SHA256.")]] = zeek::file_analysis::detail::SHA256;
} // namespace file_analysis
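Review bot: The closing comment of the moved block reads `} // namespace zeek::file_analysis`, but the namespace opened at the top of this header is `zeek::file_analysis::detail`, and the other files in this commit close with the full name. It should be `} // namespace zeek::file_analysis::detail`. While here, the `Instantiate` comments on SHA1 and SHA256 still say `@return the new MD5 analyzer instance`, which could be corrected to name the respective class.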


@ -4,16 +4,15 @@
#include "plugin/Plugin.h"
#include "file_analysis/Component.h"
namespace plugin {
namespace Zeek_FileHash {
namespace zeek::plugin::detail::Zeek_FileHash {
class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::file_analysis::Component("MD5", ::file_analysis::MD5::Instantiate));
AddComponent(new ::file_analysis::Component("SHA1", ::file_analysis::SHA1::Instantiate));
AddComponent(new ::file_analysis::Component("SHA256", ::file_analysis::SHA256::Instantiate));
AddComponent(new zeek::file_analysis::Component("MD5", zeek::file_analysis::detail::MD5::Instantiate));
AddComponent(new zeek::file_analysis::Component("SHA1", zeek::file_analysis::detail::SHA1::Instantiate));
AddComponent(new zeek::file_analysis::Component("SHA256", zeek::file_analysis::detail::SHA256::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::FileHash";
@ -22,5 +21,4 @@ public:
}
} plugin;
}
}
} // namespace zeek::plugin::detail::Zeek_FileHash


@ -1,11 +1,12 @@
#include "PE.h"
#include "file_analysis/Manager.h"
using namespace file_analysis;
namespace zeek::file_analysis::detail {
PE::PE(zeek::RecordValPtr args, File* file)
: file_analysis::Analyzer(file_mgr->GetComponentTag("PE"), std::move(args),
file)
PE::PE(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("PE"),
std::move(args),
file)
{
conn = new binpac::PE::MockConnection(this);
interp = new binpac::PE::File(conn);
@ -39,3 +40,5 @@ bool PE::EndOfFile()
{
return false;
}
} // namespace zeek::file_analysis::detail


@ -6,17 +6,17 @@
#include "../File.h"
#include "pe_pac.h"
namespace file_analysis {
namespace zeek::file_analysis::detail {
/**
* Analyze Portable Executable files
*/
class PE : public file_analysis::Analyzer {
class PE : public zeek::file_analysis::Analyzer {
public:
~PE();
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file)
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
{ return new PE(std::move(args), file); }
virtual bool DeliverStream(const u_char* data, uint64_t len);
@ -24,10 +24,16 @@ public:
virtual bool EndOfFile();
protected:
PE(zeek::RecordValPtr args, File* file);
PE(zeek::RecordValPtr args, zeek::file_analysis::File* file);
binpac::PE::File* interp;
binpac::PE::MockConnection* conn;
bool done;
};
} // namespace zeek::file_analysis::detail
namespace file_analysis {
using PE [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::PE.")]] = zeek::file_analysis::detail::PE;
} // namespace file_analysis


@ -4,14 +4,13 @@
#include "plugin/Plugin.h"
#include "file_analysis/Component.h"
namespace plugin {
namespace Zeek_PE {
namespace zeek::plugin::detail::Zeek_PE {
class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::file_analysis::Component("PE", ::file_analysis::PE::Instantiate));
AddComponent(new zeek::file_analysis::Component("PE", zeek::file_analysis::detail::PE::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::PE";
@ -20,5 +19,4 @@ public:
}
} plugin;
}
}
} // namespace zeek::plugin::detail::Zeek_PE


@ -6,14 +6,13 @@
#include "plugin/Plugin.h"
#include "file_analysis/Component.h"
namespace plugin {
namespace Zeek_Unified2 {
namespace zeek::plugin::detail::Zeek_Unified2 {
class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::file_analysis::Component("UNIFIED2", ::file_analysis::Unified2::Instantiate));
AddComponent(new zeek::file_analysis::Component("UNIFIED2", zeek::file_analysis::detail::Unified2::Instantiate));
zeek::plugin::Configuration config;
config.name = "Zeek::Unified2";
@ -22,5 +21,4 @@ public:
}
} plugin;
}
}
} // namespace zeek::plugin::detail::Zeek_Unified2


@ -3,10 +3,11 @@
#include "Unified2.h"
#include "file_analysis/Manager.h"
using namespace file_analysis;
namespace zeek::file_analysis::detail {
Unified2::Unified2(zeek::RecordValPtr args, File* file)
: file_analysis::Analyzer(file_mgr->GetComponentTag("UNIFIED2"), std::move(args), file)
Unified2::Unified2(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("UNIFIED2"),
std::move(args), file)
{
interp = new binpac::Unified2::Unified2_Analyzer(this);
}
@ -16,7 +17,8 @@ Unified2::~Unified2()
delete interp;
}
file_analysis::Analyzer* Unified2::Instantiate(zeek::RecordValPtr args, File* file)
zeek::file_analysis::Analyzer* Unified2::Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
{
return new Unified2(std::move(args), file);
}
@ -35,3 +37,5 @@ bool Unified2::DeliverStream(const u_char* data, uint64_t len)
return true;
}
} // namespace zeek::file_analysis::detail


@ -9,21 +9,22 @@
#include "Analyzer.h"
#include "unified2_pac.h"
namespace file_analysis {
namespace zeek::file_analysis::detail {
/**
* An analyzer to extract content of files from local disk.
*/
class Unified2 : public file_analysis::Analyzer {
class Unified2 : public zeek::file_analysis::Analyzer {
public:
~Unified2() override;
bool DeliverStream(const u_char* data, uint64_t len) override;
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args, File* file);
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
protected:
Unified2(zeek::RecordValPtr args, File* file);
Unified2(zeek::RecordValPtr args, zeek::file_analysis::File* file);
private:
binpac::Unified2::Unified2_Analyzer* interp;
@ -31,4 +32,10 @@ private:
string filename;
};
} // namespace zeek::file_analysis::detail
namespace file_analysis {
using Unified2 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::Unified2.")]] = zeek::file_analysis::detail::Unified2;
} // namespace file_analysis


@ -29,7 +29,7 @@ X509* helper_sk_X509_value(const STACK_OF(X509)* certs, int i)
return sk_X509_value(certs, i);
}
using namespace file_analysis;
namespace zeek::file_analysis::detail {
#define OCSP_STRING_BUF_SIZE 2048
@ -113,38 +113,40 @@ static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bi
return true;
}
file_analysis::Analyzer* OCSP::InstantiateRequest(zeek::RecordValPtr args, File* file)
zeek::file_analysis::Analyzer* OCSP::InstantiateRequest(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
{
return new OCSP(std::move(args), file, true);
}
file_analysis::Analyzer* OCSP::InstantiateReply(zeek::RecordValPtr args, File* file)
zeek::file_analysis::Analyzer* OCSP::InstantiateReply(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
{
return new OCSP(std::move(args), file, false);
}
file_analysis::OCSP::OCSP(zeek::RecordValPtr args, file_analysis::File* file,
OCSP::OCSP(zeek::RecordValPtr args, zeek::file_analysis::File* file,
bool arg_request)
: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"),
std::move(args), file),
: X509Common::X509Common(zeek::file_mgr->GetComponentTag("OCSP"),
std::move(args), file),
request(arg_request)
{
}
bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64_t len)
bool OCSP::DeliverStream(const u_char* data, uint64_t len)
{
ocsp_data.append(reinterpret_cast<const char*>(data), len);
return true;
}
bool file_analysis::OCSP::Undelivered(uint64_t offset, uint64_t len)
bool OCSP::Undelivered(uint64_t offset, uint64_t len)
{
return false;
}
// we parse the entire OCSP response in EOF, because we just pass it on
// to OpenSSL.
bool file_analysis::OCSP::EndOfFile()
bool OCSP::EndOfFile()
{
const unsigned char* ocsp_char = reinterpret_cast<const unsigned char*>(ocsp_data.data());
@ -399,7 +401,7 @@ static uint64_t parse_request_version(OCSP_REQUEST* req)
}
#endif
void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
void OCSP::ParseRequest(OCSP_REQUEST* req)
{
char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions
memset(buf, 0, sizeof(buf));
@ -441,7 +443,7 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
BIO_free(bio);
}
void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
void OCSP::ParseResponse(OCSP_RESPONSE *resp)
{
//OCSP_RESPBYTES *resp_bytes = resp->responseBytes;
OCSP_BASICRESP *basic_resp = nullptr;
@ -636,7 +638,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
::X509 *this_cert = X509_dup(helper_sk_X509_value(certs, i));
//::X509 *this_cert = X509_dup(sk_X509_value(certs, i));
if (this_cert)
certs_vector->Assign(i, zeek::make_intrusive<file_analysis::X509Val>(this_cert));
certs_vector->Assign(i, zeek::make_intrusive<X509Val>(this_cert));
else
zeek::reporter->Weird("OpenSSL returned null certificate");
}
@ -662,7 +664,7 @@ clean_up:
BIO_free(bio);
}
void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
void OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
{
// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_cert_scts.
// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
@ -674,3 +676,5 @@ void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa
#endif
ParseSignedCertificateTimestamps(ex);
}
} // namespace zeek::file_analysis::detail
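Review bot: `OCSP::DeliverStream` appends every delivered chunk with `ocsp_data.append(reinterpret_cast<const char*>(data), len);` and parsing only happens in `EndOfFile`, so as far as these hunks show the buffer grows with whatever the monitored traffic supplies. Whether a size cap is enforced upstream of the analyzer is not visible here. I would at least document the assumption next to the append, e.g. `// NOTE: buffers the whole message until EOF; relies on the file-analysis framework to bound the size`, or stop buffering past a configured maximum and return false. `X509::DeliverStream` in this commit buffers `cert_data` the same way.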


@ -3,28 +3,27 @@
#pragma once
#include <string>
#include <openssl/ocsp.h>
#include "X509Common.h"
#include <openssl/ocsp.h>
ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
namespace file_analysis {
namespace zeek::file_analysis::detail {
class File;
class OCSP : public file_analysis::X509Common {
class OCSP : public zeek::file_analysis::detail::X509Common {
public:
bool DeliverStream(const u_char* data, uint64_t len) override;
bool Undelivered(uint64_t offset, uint64_t len) override;
bool EndOfFile() override;
static file_analysis::Analyzer* InstantiateRequest(zeek::RecordValPtr args,
File* file);
static file_analysis::Analyzer* InstantiateReply(zeek::RecordValPtr args,
File* file);
static zeek::file_analysis::Analyzer* InstantiateRequest(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
static zeek::file_analysis::Analyzer* InstantiateReply(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
protected:
OCSP(zeek::RecordValPtr args, File* file, bool request);
OCSP(zeek::RecordValPtr args, zeek::file_analysis::File* file, bool request);
private:
void ParseResponse(OCSP_RESPONSE*);
@ -35,4 +34,10 @@ private:
bool request = false; // true if ocsp request, false if reply
};
}
} // namespace zeek::file_analysis::detail
namespace file_analysis {
using OCSP [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::OCSP.")]] = zeek::file_analysis::detail::OCSP;
} // namespace file_analysis


@ -5,16 +5,15 @@
#include "plugin/Plugin.h"
#include "file_analysis/Component.h"
namespace plugin {
namespace Zeek_X509 {
namespace zeek::plugin::detail::Zeek_X509 {
class Plugin : public zeek::plugin::Plugin {
public:
zeek::plugin::Configuration Configure() override
{
AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate));
AddComponent(new ::file_analysis::Component("OCSP_REQUEST", ::file_analysis::OCSP::InstantiateRequest));
AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply));
AddComponent(new zeek::file_analysis::Component("X509", zeek::file_analysis::detail::X509::Instantiate));
AddComponent(new zeek::file_analysis::Component("OCSP_REQUEST", zeek::file_analysis::detail::OCSP::InstantiateRequest));
AddComponent(new zeek::file_analysis::Component("OCSP_REPLY", zeek::file_analysis::detail::OCSP::InstantiateReply));
zeek::plugin::Configuration config;
config.name = "Zeek::X509";
@ -25,9 +24,8 @@ public:
void Done() override
{
zeek::plugin::Plugin::Done();
::file_analysis::X509::FreeRootStore();
zeek::file_analysis::detail::X509::FreeRootStore();
}
} plugin;
}
}
} // namespace zeek::plugin::detail::Zeek_X509


@ -21,28 +21,28 @@
#include <openssl/opensslconf.h>
#include <openssl/err.h>
using namespace file_analysis;
namespace zeek::file_analysis::detail {
file_analysis::X509::X509(zeek::RecordValPtr args, file_analysis::File* file)
: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"),
std::move(args), file)
X509::X509(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: X509Common::X509Common(zeek::file_mgr->GetComponentTag("X509"),
std::move(args), file)
{
cert_data.clear();
}
bool file_analysis::X509::DeliverStream(const u_char* data, uint64_t len)
bool X509::DeliverStream(const u_char* data, uint64_t len)
{
// just add it to the data we have so far, since we cannot do anything else anyways...
cert_data.append(reinterpret_cast<const char*>(data), len);
return true;
}
bool file_analysis::X509::Undelivered(uint64_t offset, uint64_t len)
bool X509::Undelivered(uint64_t offset, uint64_t len)
{
return false;
}
bool file_analysis::X509::EndOfFile()
bool X509::EndOfFile()
{
const unsigned char* cert_char = reinterpret_cast<const unsigned char*>(cert_data.data());
if ( certificate_cache )
@ -113,7 +113,8 @@ bool file_analysis::X509::EndOfFile()
return false;
}
zeek::RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val,
zeek::file_analysis::File* f)
{
::X509* ssl_cert = cert_val->GetCertificate();
@ -240,7 +241,7 @@ zeek::RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File
return pX509Cert;
}
X509_STORE* file_analysis::X509::GetRootStore(zeek::TableVal* root_certs)
X509_STORE* X509::GetRootStore(zeek::TableVal* root_certs)
{
// If this certificate store was built previously, just reuse the old one.
if ( x509_stores.count(root_certs) > 0 )
@ -274,13 +275,13 @@ X509_STORE* file_analysis::X509::GetRootStore(zeek::TableVal* root_certs)
return ctx;
}
void file_analysis::X509::FreeRootStore()
void X509::FreeRootStore()
{
for ( const auto& e : x509_stores )
X509_STORE_free(e.second);
}
void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
void X509::ParseBasicConstraints(X509_EXTENSION* ex)
{
assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints);
@ -309,7 +310,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
zeek::reporter->Weird(GetFile(), "x509_invalid_basic_constraint");
}
void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
void X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
{
// look if we have a specialized handler for this event...
if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints )
@ -329,7 +330,7 @@ void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa
ParseSignedCertificateTimestamps(ex);
}
void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
void X509::ParseSAN(X509_EXTENSION* ext)
{
assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name);
@ -443,7 +444,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
GENERAL_NAMES_free(altname);
}
zeek::StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key)
zeek::StringValPtr X509::KeyCurve(EVP_PKEY* key)
{
assert(key != nullptr);
@ -476,7 +477,7 @@ zeek::StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key)
#endif
}
unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key)
unsigned int X509::KeyLength(EVP_PKEY *key)
{
assert(key != NULL);
@ -583,3 +584,5 @@ bool X509Val::DoUnserialize(const broker::data& data)
certificate = d2i_X509(NULL, &opensslbuf, s->size());
return (certificate != nullptr);
}
} // namespace zeek::file_analysis::detail


@ -63,11 +63,11 @@ static void RSA_get0_key(const RSA *r,
#endif
namespace file_analysis {
namespace zeek::file_analysis::detail {
class X509Val;
class X509 : public file_analysis::X509Common {
class X509 : public zeek::file_analysis::detail::X509Common {
public:
bool DeliverStream(const u_char* data, uint64_t len) override;
bool Undelivered(uint64_t offset, uint64_t len) override;
@ -86,10 +86,10 @@ public:
* @param Returns the new record value and passes ownership to
* caller.
*/
static zeek::RecordValPtr ParseCertificate(X509Val* cert_val, File* file = nullptr);
static zeek::RecordValPtr ParseCertificate(X509Val* cert_val, zeek::file_analysis::File* file = nullptr);
static file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
File* file)
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
{ return new X509(std::move(args), file); }
/**
@ -127,7 +127,7 @@ public:
{ cache_hit_callback = std::move(func); }
protected:
X509(zeek::RecordValPtr args, File* file);
X509(zeek::RecordValPtr args, zeek::file_analysis::File* file);
private:
void ParseBasicConstraints(X509_EXTENSION* ex);
@ -196,4 +196,11 @@ private:
::X509* certificate; // the wrapped certificate
};
}
} // namespace zeek::file_analysis::detail
namespace file_analysis {
using X509 [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::X509.")]] = zeek::file_analysis::detail::X509;
using X509Val [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::X509Val.")]] = zeek::file_analysis::detail::X509Val;
} // namespace file_analysis


@ -14,15 +14,16 @@
#include <openssl/opensslconf.h>
#include <openssl/err.h>
using namespace file_analysis;
namespace zeek::file_analysis::detail {
X509Common::X509Common(const file_analysis::Tag& arg_tag,
zeek::RecordValPtr arg_args, File* arg_file)
: file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file)
X509Common::X509Common(const zeek::file_analysis::Tag& arg_tag,
zeek::RecordValPtr arg_args,
zeek::file_analysis::File* arg_file)
: zeek::file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file)
{
}
static void EmitWeird(const char* name, File* file, const char* addl = "")
static void EmitWeird(const char* name, zeek::file_analysis::File* file, const char* addl = "")
{
if ( file )
zeek::reporter->Weird(file, name, addl);
@ -30,7 +31,7 @@ static void EmitWeird(const char* name, File* file, const char* addl = "")
zeek::reporter->Weird(name);
}
double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, File* f, zeek::Reporter* reporter)
double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, zeek::file_analysis::File* f, zeek::Reporter* reporter)
{
time_t lResult = 0;
@ -187,7 +188,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, File* f, zeek::Report
return lResult;
}
void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext)
void X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext)
{
// Ok, signed certificate timestamps are a bit of an odd case out; we don't
// want to use the (basically nonexistant) OpenSSL functionality to parse them.
@ -231,7 +232,7 @@ void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION*
delete conn;
}
void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global)
void X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global)
{
char name[256];
char oid[256];
@ -298,7 +299,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::E
ParseExtensionsSpecific(ex, global, ext_asn, oid);
}
zeek::StringValPtr file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
zeek::StringValPtr X509Common::GetExtensionFromBIO(BIO* bio, zeek::file_analysis::File* f)
{
BIO_flush(bio);
ERR_clear_error();
@ -338,3 +339,5 @@ zeek::StringValPtr file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File
return ext_val;
}
} // namespace zeek::file_analysis::detail


@ -13,18 +13,17 @@
ZEEK_FORWARD_DECLARE_NAMESPACED(EventHandlerPtr, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(Reporter, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(StringVal, zeek);
ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
ZEEK_FORWARD_DECLARE_NAMESPACED(Tag, zeek, file_analysis);
namespace zeek {
template <class T> class IntrusivePtr;
using StringValPtr = zeek::IntrusivePtr<StringVal>;
}
namespace file_analysis {
namespace zeek::file_analysis::detail {
class Tag;
class File;
class X509Common : public file_analysis::Analyzer {
class X509Common : public zeek::file_analysis::Analyzer {
public:
~X509Common() override {};
@ -39,17 +38,25 @@ public:
*
* @return The X509 extension value.
*/
static zeek::StringValPtr GetExtensionFromBIO(BIO* bio, File* f = nullptr);
static zeek::StringValPtr GetExtensionFromBIO(BIO* bio, zeek::file_analysis::File* f = nullptr);
static double GetTimeFromAsn1(const ASN1_TIME* atime, File* f, zeek::Reporter* reporter);
static double GetTimeFromAsn1(const ASN1_TIME* atime, zeek::file_analysis::File* f,
zeek::Reporter* reporter);
protected:
X509Common(const file_analysis::Tag& arg_tag,
zeek::RecordValPtr arg_args, File* arg_file);
X509Common(const zeek::file_analysis::Tag& arg_tag,
zeek::RecordValPtr arg_args,
zeek::file_analysis::File* arg_file);
void ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global);
void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);
virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0;
};
}
} // namespace zeek:file_analysis
namespace file_analysis {
using X509Common [[deprecated("Remove in v4.1. Use zeek::file_analysis::detail::X509Common.")]] = zeek::file_analysis::detail::X509Common;
} // namespace file_analysis
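Review bot: The closing comment added for the new namespace reads `} // namespace zeek:file_analysis`, which has a single colon and omits `detail`, while the block is opened as `namespace zeek::file_analysis::detail`. The other files in this commit close with the full name, so this one should read `} // namespace zeek::file_analysis::detail`. A trailer that names the wrong scope is misleading here because the deprecated `file_analysis` alias namespace opens on the very next line.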


@ -42,7 +42,7 @@ STACK_OF(X509)* x509_get_untrusted_stack(zeek::VectorVal* certs_vec)
continue;
// Fixme: check type
X509* x = ((file_analysis::X509Val*) sv.get())->GetCertificate();
X509* x = ((zeek::file_analysis::detail::X509Val*) sv.get())->GetCertificate();
if ( ! x )
{
sk_X509_free(untrusted_certs);
@ -147,9 +147,9 @@ const EVP_MD* hash_to_evp(int hash)
function x509_parse%(cert: opaque of x509%): X509::Certificate
%{
assert(cert);
file_analysis::X509Val* h = (file_analysis::X509Val*) cert;
auto* h = (zeek::file_analysis::detail::X509Val*) cert;
return file_analysis::X509::ParseCertificate(h);
return zeek::file_analysis::detail::X509::ParseCertificate(h);
%}
## Constructs an opaque of X509 from a der-formatted string.
@ -162,7 +162,7 @@ function x509_parse%(cert: opaque of x509%): X509::Certificate
function x509_from_der%(der: string%): opaque of x509
%{
const u_char* data = der->Bytes();
return zeek::make_intrusive<file_analysis::X509Val>(d2i_X509(nullptr, &data, der->Len()));
return zeek::make_intrusive<zeek::file_analysis::detail::X509Val>(d2i_X509(nullptr, &data, der->Len()));
%}
## Returns the string form of a certificate.
@ -180,7 +180,7 @@ function x509_from_der%(der: string%): opaque of x509
function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F%): string
%{
assert(cert);
file_analysis::X509Val* h = (file_analysis::X509Val*) cert;
auto* h = (zeek::file_analysis::detail::X509Val*) cert;
BIO *bio = BIO_new(BIO_s_mem());
@ -190,7 +190,7 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
else
i2d_X509_bio(bio, h->GetCertificate());
auto ext_val = file_analysis::X509::GetExtensionFromBIO(bio);
auto ext_val = zeek::file_analysis::detail::X509::GetExtensionFromBIO(bio);
if ( ! ext_val )
ext_val = zeek::val_mgr->EmptyString();
@ -217,7 +217,7 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
%{
zeek::RecordValPtr rval;
X509_STORE* ctx = ::file_analysis::X509::GetRootStore(root_certs->AsTableVal());
X509_STORE* ctx = zeek::file_analysis::detail::X509::GetRootStore(root_certs->AsTableVal());
if ( ! ctx )
return x509_result_record(-1, "Problem initializing root store");
@ -238,7 +238,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
return x509_result_record(-1, "undefined value in certificate vector");
}
file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) sv.get();
auto* cert_handle = (zeek::file_analysis::detail::X509Val*) sv.get();
X509* cert = cert_handle->GetCertificate();
if ( ! cert )
@ -503,7 +503,7 @@ x509_ocsp_cleanup:
## x509_get_certificate_string x509_ocsp_verify sct_verify
function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
%{
X509_STORE* ctx = ::file_analysis::X509::GetRootStore(root_certs->AsTableVal());
X509_STORE* ctx = zeek::file_analysis::detail::X509::GetRootStore(root_certs->AsTableVal());
if ( ! ctx )
return x509_result_record(-1, "Problem initializing root store");
@ -523,7 +523,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
zeek::emit_builtin_error("undefined value in certificate vector");
return x509_result_record(-1, "undefined value in certificate vector");
}
file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) sv.get();
auto* cert_handle = (zeek::file_analysis::detail::X509Val*) sv.get();
X509* cert = cert_handle->GetCertificate();
if ( ! cert )
@ -565,7 +565,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
if ( currcert )
// X509Val takes ownership of currcert.
chainVector->Assign(i, zeek::make_intrusive<file_analysis::X509Val>(currcert));
chainVector->Assign(i, zeek::make_intrusive<zeek::file_analysis::detail::X509Val>(currcert));
else
{
zeek::reporter->InternalWarning("OpenSSL returned null certificate");
@ -614,8 +614,8 @@ x509_verify_chainerror:
function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool
%{
assert(cert);
file_analysis::X509Val* h = (file_analysis::X509Val*) cert;
X509* x = ((file_analysis::X509Val*) h)->GetCertificate();
auto* h = (zeek::file_analysis::detail::X509Val*) cert;
X509* x = ((zeek::file_analysis::detail::X509Val*) h)->GetCertificate();
assert(sizeof(timestamp) >= 8);
uint64_t timestamp_network = htonll(timestamp);
@ -762,7 +762,7 @@ sct_verify_err:
* 1 -> issuer name
* 2 -> pubkey
*/
zeek::StringValPtr x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type)
zeek::StringValPtr x509_entity_hash(zeek::file_analysis::detail::X509Val *cert_handle, unsigned int hash_alg, unsigned int type)
{
assert(cert_handle);
@ -842,7 +842,7 @@ zeek::StringValPtr x509_entity_hash(file_analysis::X509Val *cert_handle, unsigne
## x509_verify sct_verify
function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string
%{
file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
auto* cert_handle = (zeek::file_analysis::detail::X509Val *) cert;
return x509_entity_hash(cert_handle, hash_alg, 0);
%}
@ -860,7 +860,7 @@ function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string
## x509_verify sct_verify
function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string
%{
file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
auto* cert_handle = (zeek::file_analysis::detail::X509Val *) cert;
return x509_entity_hash(cert_handle, hash_alg, 1);
%}
@ -878,7 +878,7 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string
## x509_verify sct_verify
function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string
%{
file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
auto* cert_handle = (zeek::file_analysis::detail::X509Val *) cert;
return x509_entity_hash(cert_handle, hash_alg, 2);
%}
@ -901,7 +901,7 @@ function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string
## .. zeek:see:: x509_set_certificate_cache_hit_callback
function x509_set_certificate_cache%(tbl: string_any_table%) : bool
%{
file_analysis::X509::SetCertificateCache({zeek::NewRef{}, tbl->AsTableVal()});
zeek::file_analysis::detail::X509::SetCertificateCache({zeek::NewRef{}, tbl->AsTableVal()});
return zeek::val_mgr->True();
%}
@ -919,7 +919,7 @@ function x509_set_certificate_cache%(tbl: string_any_table%) : bool
## .. zeek:see:: x509_set_certificate_cache
function x509_set_certificate_cache_hit_callback%(f: string_any_file_hook%) : bool
%{
file_analysis::X509::SetCertificateCacheHitCallback({zeek::NewRef{}, f->AsFunc()});
zeek::file_analysis::detail::X509::SetCertificateCacheHitCallback({zeek::NewRef{}, f->AsFunc()});
return zeek::val_mgr->True();
%}
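Review bot: In `x509_get_untrusted_stack` the re-qualified line `((zeek::file_analysis::detail::X509Val*) sv.get())->GetCertificate()` still sits under `// Fixme: check type`, so the vector element is reinterpreted with an unchecked C-style cast. The same cast appears on the new `cert_handle` lines in `x509_ocsp_verify` and `x509_verify`. If the script-layer typing of `x509_opaque_vector` does not guarantee that every element is an `X509Val`, a different opaque value would be dereferenced as a certificate wrapper. Because these lines are already being edited, a checked cast would resolve the Fixme: `auto* xv = dynamic_cast<zeek::file_analysis::detail::X509Val*>(sv.get());` followed by `if ( ! xv )` taking the existing error path. The function bodies extend outside the hunks, so where that error path goes in each function is left to the author.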