Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 14:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Move all Val classes to the zeek namespaces

Browse source
This commit is contained in:
Tim Wojtulewicz 2020-06-24 16:55:28 -04:00
parent ec9eff0bd5
commit 64332ca22c
265 changed files with 3154 additions and 3086 deletions
Download patch file Download diff file Expand all files Collapse all files

70
src/file_analysis/analyzer/x509/X509.cc
View file

@ -23,7 +23,7 @@
using namespace file_analysis;
file_analysis::X509::X509(RecordValPtr args, file_analysis::File* file)
file_analysis::X509::X509(zeek::RecordValPtr args, file_analysis::File* file)
: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"),
std::move(args), file)
{
@ -53,7 +53,7 @@ bool file_analysis::X509::EndOfFile()
hash_update(ctx, cert_char, cert_data.size());
hash_final(ctx, buf);
std::string cert_sha256 = sha256_digest_print(buf);
auto index = zeek::make_intrusive<StringVal>(cert_sha256);
auto index = zeek::make_intrusive<zeek::StringVal>(cert_sha256);
const auto& entry = certificate_cache->Find(index);
if ( entry )
@ -65,7 +65,7 @@ bool file_analysis::X509::EndOfFile()
// yup, let's call the callback.
cache_hit_callback->Invoke(GetFile()->ToVal(), entry,
zeek::make_intrusive<StringVal>(cert_sha256));
zeek::make_intrusive<zeek::StringVal>(cert_sha256));
return false;
}
}
@ -113,25 +113,25 @@ bool file_analysis::X509::EndOfFile()
return false;
}
RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
zeek::RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
{
::X509* ssl_cert = cert_val->GetCertificate();
char buf[2048]; // we need a buffer for some of the openssl functions
memset(buf, 0, sizeof(buf));
auto pX509Cert = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::Certificate);
auto pX509Cert = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::Certificate);
BIO *bio = BIO_new(BIO_s_mem());
pX509Cert->Assign(0, val_mgr->Count((uint64_t) X509_get_version(ssl_cert) + 1));
i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
int len = BIO_read(bio, buf, sizeof(buf));
pX509Cert->Assign(1, zeek::make_intrusive<StringVal>(len, buf));
pX509Cert->Assign(1, zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
X509_NAME_print_ex(bio, X509_get_subject_name(ssl_cert), 0, XN_FLAG_RFC2253);
len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(2, zeek::make_intrusive<StringVal>(len, buf));
pX509Cert->Assign(2, zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
X509_NAME *subject_name = X509_get_subject_name(ssl_cert);
@ -151,17 +151,17 @@ RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
// we found a common name
ASN1_STRING_print(bio, X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, namepos)));
len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(4, zeek::make_intrusive<StringVal>(len, buf));
pX509Cert->Assign(4, zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_reset(bio);
}
X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253);
len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(3, zeek::make_intrusive<StringVal>(len, buf));
pX509Cert->Assign(3, zeek::make_intrusive<zeek::StringVal>(len, buf));
BIO_free(bio);
pX509Cert->Assign(5, zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter)));
pX509Cert->Assign(6, zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter)));
pX509Cert->Assign(5, zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter)));
pX509Cert->Assign(6, zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter)));
// we only read 255 bytes because byte 256 is always 0.
// if the string is longer than 255, that will be our null-termination,
@ -171,7 +171,7 @@ RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) )
buf[0] = 0;
pX509Cert->Assign(7, zeek::make_intrusive<StringVal>(buf));
pX509Cert->Assign(7, zeek::make_intrusive<zeek::StringVal>(buf));
// Special case for RDP server certificates. For some reason some (all?) RDP server
// certificates like to specify their key algorithm as md5WithRSAEncryption, which
@ -193,25 +193,25 @@ RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
if ( ! i2t_ASN1_OBJECT(buf, 255, OBJ_nid2obj(X509_get_signature_nid(ssl_cert))) )
buf[0] = 0;
pX509Cert->Assign(8, zeek::make_intrusive<StringVal>(buf));
pX509Cert->Assign(8, zeek::make_intrusive<zeek::StringVal>(buf));
// Things we can do when we have the key...
EVP_PKEY *pkey = X509_extract_key(ssl_cert);
if ( pkey != NULL )
{
if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA )
pX509Cert->Assign(9, zeek::make_intrusive<StringVal>("dsa"));
pX509Cert->Assign(9, zeek::make_intrusive<zeek::StringVal>("dsa"));
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA )
{
pX509Cert->Assign(9, zeek::make_intrusive<StringVal>("rsa"));
pX509Cert->Assign(9, zeek::make_intrusive<zeek::StringVal>("rsa"));
const BIGNUM *e;
RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL);
char *exponent = BN_bn2dec(e);
if ( exponent != NULL )
{
pX509Cert->Assign(11, zeek::make_intrusive<StringVal>(exponent));
pX509Cert->Assign(11, zeek::make_intrusive<zeek::StringVal>(exponent));
OPENSSL_free(exponent);
exponent = NULL;
}
@ -219,7 +219,7 @@ RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
#ifndef OPENSSL_NO_EC
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_EC )
{
pX509Cert->Assign(9, zeek::make_intrusive<StringVal>("ecdsa"));
pX509Cert->Assign(9, zeek::make_intrusive<zeek::StringVal>("ecdsa"));
pX509Cert->Assign(12, KeyCurve(pkey));
}
#endif
@ -240,7 +240,7 @@ RecordValPtr file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
return pX509Cert;
}
X509_STORE* file_analysis::X509::GetRootStore(TableVal* root_certs)
X509_STORE* file_analysis::X509::GetRootStore(zeek::TableVal* root_certs)
{
// If this certificate store was built previously, just reuse the old one.
if ( x509_stores.count(root_certs) > 0 )
@ -254,7 +254,7 @@ X509_STORE* file_analysis::X509::GetRootStore(TableVal* root_certs)
{
const auto& key = idxs->Idx(i);
auto val = root_certs->FindOrDefault(key);
StringVal* sv = val->AsStringVal();
zeek::StringVal* sv = val->AsStringVal();
assert(sv);
const uint8_t* data = sv->Bytes();
::X509* x = d2i_X509(NULL, &data, sv->Len());
@ -290,7 +290,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
{
if ( x509_ext_basic_constraints )
{
auto pBasicConstraint = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::BasicConstraints);
auto pBasicConstraint = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::BasicConstraints);
pBasicConstraint->Assign(0, val_mgr->Bool(constr->ca));
if ( constr->pathlen )
@ -340,10 +340,10 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
return;
}
VectorValPtr names;
VectorValPtr emails;
VectorValPtr uris;
VectorValPtr ips;
zeek::VectorValPtr names;
zeek::VectorValPtr emails;
zeek::VectorValPtr uris;
zeek::VectorValPtr ips;
bool otherfields = false;
@ -365,27 +365,27 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
#else
const char* name = (const char*) ASN1_STRING_get0_data(gen->d.ia5);
#endif
auto bs = zeek::make_intrusive<StringVal>(name);
auto bs = zeek::make_intrusive<zeek::StringVal>(name);
switch ( gen->type )
{
case GEN_DNS:
if ( names == nullptr )
names = zeek::make_intrusive<VectorVal>(zeek::id::string_vec);
names = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
names->Assign(names->Size(), std::move(bs));
break;
case GEN_URI:
if ( uris == nullptr )
uris = zeek::make_intrusive<VectorVal>(zeek::id::string_vec);
uris = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
uris->Assign(uris->Size(), std::move(bs));
break;
case GEN_EMAIL:
if ( emails == nullptr )
emails = zeek::make_intrusive<VectorVal>(zeek::id::string_vec);
emails = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
emails->Assign(emails->Size(), std::move(bs));
break;
@ -395,15 +395,15 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
else if ( gen->type == GEN_IPADD )
{
if ( ips == nullptr )
ips = zeek::make_intrusive<VectorVal>(zeek::id::find_type<zeek::VectorType>("addr_vec"));
ips = zeek::make_intrusive<zeek::VectorVal>(zeek::id::find_type<zeek::VectorType>("addr_vec"));
uint32_t* addr = (uint32_t*) gen->d.ip->data;
if( gen->d.ip->length == 4 )
ips->Assign(ips->Size(), zeek::make_intrusive<AddrVal>(*addr));
ips->Assign(ips->Size(), zeek::make_intrusive<zeek::AddrVal>(*addr));
else if ( gen->d.ip->length == 16 )
ips->Assign(ips->Size(), zeek::make_intrusive<AddrVal>(addr));
ips->Assign(ips->Size(), zeek::make_intrusive<zeek::AddrVal>(addr));
else
{
@ -421,7 +421,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
}
}
auto sanExt = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::SubjectAlternativeName);
auto sanExt = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::SubjectAlternativeName);
if ( names != nullptr )
sanExt->Assign(0, names);
@ -443,7 +443,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
GENERAL_NAMES_free(altname);
}
StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key)
zeek::StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key)
{
assert(key != nullptr);
@ -472,7 +472,7 @@ StringValPtr file_analysis::X509::KeyCurve(EVP_PKEY* key)
if ( curve_name == nullptr )
return nullptr;
return zeek::make_intrusive<StringVal>(curve_name);
return zeek::make_intrusive<zeek::StringVal>(curve_name);
#endif
}
@ -543,7 +543,7 @@ X509Val::~X509Val()
X509_free(certificate);
}
ValPtr X509Val::DoClone(CloneState* state)
zeek::ValPtr X509Val::DoClone(CloneState* state)
{
auto copy = zeek::make_intrusive<X509Val>();
if ( certificate )