Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 23:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Plugins: Clean up explicit uses of namespaces in places where they're not necessary.

Browse source 
This commit covers all of the plugin classes.
This commit is contained in:
Tim Wojtulewicz 2020-08-21 09:45:16 -07:00
parent fe0c22c789
commit 70c2397f69
169 changed files with 3139 additions and 3141 deletions
Download patch file Download diff file Expand all files Collapse all files

32
src/file_analysis/analyzer/data_event/DataEvent.cc
View file

@ -11,30 +11,30 @@
namespace zeek::file_analysis::detail {
DataEvent::DataEvent(zeek::RecordValPtr args, zeek::file_analysis::File* file,
zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se)
: file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("DATA_EVENT"),
DataEvent::DataEvent(RecordValPtr args, file_analysis::File* file,
EventHandlerPtr ce, EventHandlerPtr se)
: file_analysis::Analyzer(file_mgr->GetComponentTag("DATA_EVENT"),
std::move(args), file),
chunk_event(ce), stream_event(se)
{
}
zeek::file_analysis::Analyzer* DataEvent::Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
file_analysis::Analyzer* DataEvent::Instantiate(RecordValPtr args,
file_analysis::File* file)
{
const auto& chunk_val = args->GetField("chunk_event");
const auto& stream_val = args->GetField("stream_event");
if ( ! chunk_val && ! stream_val ) return nullptr;
zeek::EventHandlerPtr chunk;
zeek::EventHandlerPtr stream;
EventHandlerPtr chunk;
EventHandlerPtr stream;
if ( chunk_val )
chunk = zeek::event_registry->Lookup(chunk_val->AsFunc()->Name());
chunk = event_registry->Lookup(chunk_val->AsFunc()->Name());
if ( stream_val )
stream = zeek::event_registry->Lookup(stream_val->AsFunc()->Name());
stream = event_registry->Lookup(stream_val->AsFunc()->Name());
return new DataEvent(std::move(args), file, chunk, stream);
}
@ -43,10 +43,10 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
{
if ( ! chunk_event ) return true;
zeek::event_mgr.Enqueue(chunk_event,
GetFile()->ToVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, len, false)),
zeek::val_mgr->Count(offset)
event_mgr.Enqueue(chunk_event,
GetFile()->ToVal(),
make_intrusive<StringVal>(new String(data, len, false)),
val_mgr->Count(offset)
);
return true;
@ -56,9 +56,9 @@ bool DataEvent::DeliverStream(const u_char* data, uint64_t len)
{
if ( ! stream_event ) return true;
zeek::event_mgr.Enqueue(stream_event,
GetFile()->ToVal(),
zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, len, false))
event_mgr.Enqueue(stream_event,
GetFile()->ToVal(),
make_intrusive<StringVal>(new String(data, len, false))
);
return true;

14
src/file_analysis/analyzer/data_event/DataEvent.h
View file

@ -14,7 +14,7 @@ namespace zeek::file_analysis::detail {
/**
* An analyzer to send file data to script-layer via events.
*/
class DataEvent : public zeek::file_analysis::Analyzer {
class DataEvent : public file_analysis::Analyzer {
public:
/**
@ -43,8 +43,8 @@ public:
* @return the new DataEvent analyzer instance or a null pointer if
* no "chunk_event" or "stream_event" field was specfied in \a args.
*/
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
file_analysis::File* file);
protected:
@ -57,12 +57,12 @@ protected:
* @param se pointer to event handler which will be called to receive
* sequential file data.
*/
DataEvent(zeek::RecordValPtr args, zeek::file_analysis::File* file,
zeek::EventHandlerPtr ce, zeek::EventHandlerPtr se);
DataEvent(RecordValPtr args, file_analysis::File* file,
EventHandlerPtr ce, EventHandlerPtr se);
private:
zeek::EventHandlerPtr chunk_event;
zeek::EventHandlerPtr stream_event;
EventHandlerPtr chunk_event;
EventHandlerPtr stream_event;
};
} // namespace zeek::file_analysis::detail

32
src/file_analysis/analyzer/entropy/Entropy.cc
View file

@ -9,11 +9,11 @@
namespace zeek::file_analysis::detail {
Entropy::Entropy(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("ENTROPY"),
std::move(args), file)
Entropy::Entropy(RecordValPtr args, file_analysis::File* file)
: file_analysis::Analyzer(file_mgr->GetComponentTag("ENTROPY"),
std::move(args), file)
{
entropy = new zeek::EntropyVal;
entropy = new EntropyVal;
fed = false;
}
@ -22,8 +22,8 @@ Entropy::~Entropy()
Unref(entropy);
}
zeek::file_analysis::Analyzer* Entropy::Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
file_analysis::Analyzer* Entropy::Instantiate(RecordValPtr args,
file_analysis::File* file)
{
return new Entropy(std::move(args), file);
}
@ -60,17 +60,17 @@ void Entropy::Finalize()
montepi = scc = ent = mean = chisq = 0.0;
entropy->Get(&ent, &chisq, &mean, &montepi, &scc);
static auto entropy_test_result = zeek::id::find_type<zeek::RecordType>("entropy_test_result");
auto ent_result = zeek::make_intrusive<zeek::RecordVal>(entropy_test_result);
ent_result->Assign<zeek::DoubleVal>(0, ent);
ent_result->Assign<zeek::DoubleVal>(1, chisq);
ent_result->Assign<zeek::DoubleVal>(2, mean);
ent_result->Assign<zeek::DoubleVal>(3, montepi);
ent_result->Assign<zeek::DoubleVal>(4, scc);
static auto entropy_test_result = id::find_type<RecordType>("entropy_test_result");
auto ent_result = make_intrusive<RecordVal>(entropy_test_result);
ent_result->Assign<DoubleVal>(0, ent);
ent_result->Assign<DoubleVal>(1, chisq);
ent_result->Assign<DoubleVal>(2, mean);
ent_result->Assign<DoubleVal>(3, montepi);
ent_result->Assign<DoubleVal>(4, scc);
zeek::event_mgr.Enqueue(file_entropy,
GetFile()->ToVal(),
std::move(ent_result)
event_mgr.Enqueue(file_entropy,
GetFile()->ToVal(),
std::move(ent_result)
);
}

10
src/file_analysis/analyzer/entropy/Entropy.h
View file

@ -16,7 +16,7 @@ namespace zeek::file_analysis::detail {
/**
* An analyzer to produce entropy of file contents.
*/
class Entropy : public zeek::file_analysis::Analyzer {
class Entropy : public file_analysis::Analyzer {
public:
/**
@ -31,8 +31,8 @@ public:
* @return the new Entropy analyzer instance or a null pointer if the
* the "extraction_file" field of \a args wasn't set.
*/
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
file_analysis::File* file);
/**
* Calculate entropy of next chunk of file contents.
@ -66,7 +66,7 @@ protected:
* @param hv specific hash calculator object.
* @param kind human readable name of the hash algorithm to use.
*/
Entropy(zeek::RecordValPtr args, zeek::file_analysis::File* file);
Entropy(RecordValPtr args, file_analysis::File* file);
/**
* If some file contents have been seen, finalizes the entropy of them and
@ -75,7 +75,7 @@ protected:
void Finalize();
private:
zeek::EntropyVal* entropy;
EntropyVal* entropy;
bool fed;
};

30
src/file_analysis/analyzer/extract/Extract.cc
View file

@ -10,9 +10,9 @@
namespace zeek::file_analysis::detail {
Extract::Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file,
Extract::Extract(RecordValPtr args, file_analysis::File* file,
const std::string& arg_filename, uint64_t arg_limit)
: file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("EXTRACT"),
: file_analysis::Analyzer(file_mgr->GetComponentTag("EXTRACT"),
std::move(args), file),
filename(arg_filename), limit(arg_limit), depth(0)
{
@ -22,30 +22,30 @@ Extract::Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file,
{
fd = 0;
char buf[128];
zeek::util::zeek_strerror_r(errno, buf, sizeof(buf));
zeek::reporter->Error("cannot open %s: %s", filename.c_str(), buf);
util::zeek_strerror_r(errno, buf, sizeof(buf));
reporter->Error("cannot open %s: %s", filename.c_str(), buf);
}
}
Extract::~Extract()
{
if ( fd )
zeek::util::safe_close(fd);
util::safe_close(fd);
}
static const zeek::ValPtr& get_extract_field_val(const zeek::RecordValPtr& args,
const char* name)
static const ValPtr& get_extract_field_val(const RecordValPtr& args,
const char* name)
{
const auto& rval = args->GetField(name);
if ( ! rval )
zeek::reporter->Error("File extraction analyzer missing arg field: %s", name);
reporter->Error("File extraction analyzer missing arg field: %s", name);
return rval;
}
zeek::file_analysis::Analyzer* Extract::Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
file_analysis::Analyzer* Extract::Instantiate(RecordValPtr args,
file_analysis::File* file)
{
const auto& fname = get_extract_field_val(args, "extract_filename");
const auto& limit = get_extract_field_val(args, "extract_limit");
@ -93,12 +93,12 @@ bool Extract::DeliverStream(const u_char* data, uint64_t len)
if ( limit_exceeded && file_extraction_limit )
{
zeek::file_analysis::File* f = GetFile();
file_analysis::File* f = GetFile();
f->FileEvent(file_extraction_limit, {
f->ToVal(),
GetArgs(),
zeek::val_mgr->Count(limit),
zeek::val_mgr->Count(len)
val_mgr->Count(limit),
val_mgr->Count(len)
});
// Limit may have been modified by a BIF, re-check it.
@ -107,7 +107,7 @@ bool Extract::DeliverStream(const u_char* data, uint64_t len)
if ( towrite > 0 )
{
zeek::util::safe_write(fd, reinterpret_cast<const char*>(data), towrite);
util::safe_write(fd, reinterpret_cast<const char*>(data), towrite);
depth += towrite;
}
@ -119,7 +119,7 @@ bool Extract::Undelivered(uint64_t offset, uint64_t len)
if ( depth == offset )
{
char* tmp = new char[len]();
zeek::util::safe_write(fd, tmp, len);
util::safe_write(fd, tmp, len);
delete [] tmp;
depth += len;
}

8
src/file_analysis/analyzer/extract/Extract.h
View file

@ -15,7 +15,7 @@ namespace zeek::file_analysis::detail {
/**
* An analyzer to extract content of files to local disk.
*/
class Extract : public zeek::file_analysis::Analyzer {
class Extract : public file_analysis::Analyzer {
public:
/**
@ -47,8 +47,8 @@ public:
* @return the new Extract analyzer instance or a null pointer if the
* the "extraction_file" field of \a args wasn't set.
*/
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
file_analysis::File* file);
/**
* Sets the maximum allowed extracted file size. A value of zero means
@ -67,7 +67,7 @@ protected:
* to which the contents of the file will be extracted/written.
* @param arg_limit the maximum allowed file size.
*/
Extract(zeek::RecordValPtr args, zeek::file_analysis::File* file,
Extract(RecordValPtr args, file_analysis::File* file,
const std::string& arg_filename, uint64_t arg_limit);
private:

14
src/file_analysis/analyzer/hash/Hash.cc
View file

@ -9,9 +9,9 @@
namespace zeek::file_analysis::detail {
Hash::Hash(zeek::RecordValPtr args, zeek::file_analysis::File* file,
zeek::HashVal* hv, const char* arg_kind)
: zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag(zeek::util::to_upper(arg_kind).c_str()),
Hash::Hash(RecordValPtr args, file_analysis::File* file,
HashVal* hv, const char* arg_kind)
: file_analysis::Analyzer(file_mgr->GetComponentTag(util::to_upper(arg_kind).c_str()),
std::move(args), file),
hash(hv), fed(false), kind(arg_kind)
{
@ -54,10 +54,10 @@ void Hash::Finalize()
if ( ! file_hash )
return;
zeek::event_mgr.Enqueue(file_hash,
GetFile()->ToVal(),
zeek::make_intrusive<zeek::StringVal>(kind),
hash->Get()
event_mgr.Enqueue(file_hash,
GetFile()->ToVal(),
make_intrusive<StringVal>(kind),
hash->Get()
);
}

30
src/file_analysis/analyzer/hash/Hash.h
View file

@ -16,7 +16,7 @@ namespace zeek::file_analysis::detail {
/**
* An analyzer to produce a hash of file contents.
*/
class Hash : public zeek::file_analysis::Analyzer {
class Hash : public file_analysis::Analyzer {
public:
/**
@ -56,7 +56,7 @@ protected:
* @param hv specific hash calculator object.
* @param kind human readable name of the hash algorithm to use.
*/
Hash(zeek::RecordValPtr args, zeek::file_analysis::File* file, zeek::HashVal* hv, const char* kind);
Hash(RecordValPtr args, file_analysis::File* file, HashVal* hv, const char* kind);
/**
* If some file contents have been seen, finalizes the hash of them and
@ -65,7 +65,7 @@ protected:
void Finalize();
private:
zeek::HashVal* hash;
HashVal* hash;
bool fed;
const char* kind;
};
@ -83,8 +83,8 @@ public:
* @return the new MD5 analyzer instance or a null pointer if there's no
* handler for the "file_hash" event.
*/
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
file_analysis::File* file)
{ return file_hash ? new MD5(std::move(args), file) : nullptr; }
protected:
@ -94,8 +94,8 @@ protected:
* @param args the \c AnalyzerArgs value which represents the analyzer.
* @param file the file to which the analyzer will be attached.
*/
MD5(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: Hash(std::move(args), file, new zeek::MD5Val(), "md5")
MD5(RecordValPtr args, file_analysis::File* file)
: Hash(std::move(args), file, new MD5Val(), "md5")
{}
};
@ -112,8 +112,8 @@ public:
* @return the new MD5 analyzer instance or a null pointer if there's no
* handler for the "file_hash" event.
*/
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
file_analysis::File* file)
{ return file_hash ? new SHA1(std::move(args), file) : nullptr; }
protected:
@ -123,8 +123,8 @@ protected:
* @param args the \c AnalyzerArgs value which represents the analyzer.
* @param file the file to which the analyzer will be attached.
*/
SHA1(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: Hash(std::move(args), file, new zeek::SHA1Val(), "sha1")
SHA1(RecordValPtr args, file_analysis::File* file)
: Hash(std::move(args), file, new SHA1Val(), "sha1")
{}
};
@ -141,8 +141,8 @@ public:
* @return the new MD5 analyzer instance or a null pointer if there's no
* handler for the "file_hash" event.
*/
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
file_analysis::File* file)
{ return file_hash ? new SHA256(std::move(args), file) : nullptr; }
protected:
@ -152,8 +152,8 @@ protected:
* @param args the \c AnalyzerArgs value which represents the analyzer.
* @param file the file to which the analyzer will be attached.
*/
SHA256(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: Hash(std::move(args), file, new zeek::SHA256Val(), "sha256")
SHA256(RecordValPtr args, file_analysis::File* file)
: Hash(std::move(args), file, new SHA256Val(), "sha256")
{}
};

8
src/file_analysis/analyzer/pe/PE.cc
View file

@ -3,10 +3,10 @@
namespace zeek::file_analysis::detail {
PE::PE(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: zeek::file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("PE"),
std::move(args),
file)
PE::PE(RecordValPtr args, file_analysis::File* file)
: file_analysis::Analyzer(file_mgr->GetComponentTag("PE"),
std::move(args),
file)
{
conn = new binpac::PE::MockConnection(this);
interp = new binpac::PE::File(conn);

8
src/file_analysis/analyzer/pe/PE.h
View file

@ -11,12 +11,12 @@ namespace zeek::file_analysis::detail {
/**
* Analyze Portable Executable files
*/
class PE : public zeek::file_analysis::Analyzer {
class PE : public file_analysis::Analyzer {
public:
~PE();
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
file_analysis::File* file)
{ return new PE(std::move(args), file); }
virtual bool DeliverStream(const u_char* data, uint64_t len);
@ -24,7 +24,7 @@ public:
virtual bool EndOfFile();
protected:
PE(zeek::RecordValPtr args, zeek::file_analysis::File* file);
PE(RecordValPtr args, file_analysis::File* file);
binpac::PE::File* interp;
binpac::PE::MockConnection* conn;
bool done;

8
src/file_analysis/analyzer/unified2/Unified2.cc
View file

@ -5,8 +5,8 @@
namespace zeek::file_analysis::detail {
Unified2::Unified2(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: file_analysis::Analyzer(zeek::file_mgr->GetComponentTag("UNIFIED2"),
Unified2::Unified2(RecordValPtr args, file_analysis::File* file)
: file_analysis::Analyzer(file_mgr->GetComponentTag("UNIFIED2"),
std::move(args), file)
{
interp = new binpac::Unified2::Unified2_Analyzer(this);
@ -17,8 +17,8 @@ Unified2::~Unified2()
delete interp;
}
zeek::file_analysis::Analyzer* Unified2::Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
file_analysis::Analyzer* Unified2::Instantiate(RecordValPtr args,
file_analysis::File* file)
{
return new Unified2(std::move(args), file);
}

8
src/file_analysis/analyzer/unified2/Unified2.h
View file

@ -14,17 +14,17 @@ namespace zeek::file_analysis::detail {
/**
* An analyzer to extract content of files from local disk.
*/
class Unified2 : public zeek::file_analysis::Analyzer {
class Unified2 : public file_analysis::Analyzer {
public:
~Unified2() override;
bool DeliverStream(const u_char* data, uint64_t len) override;
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
file_analysis::File* file);
protected:
Unified2(zeek::RecordValPtr args, zeek::file_analysis::File* file);
Unified2(RecordValPtr args, file_analysis::File* file);
private:
binpac::Unified2::Unified2_Analyzer* interp;

134
src/file_analysis/analyzer/x509/OCSP.cc
View file

@ -79,11 +79,11 @@ static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bi
if ( ! res )
{
zeek::reporter->Weird("OpenSSL failed to get OCSP_CERTID info");
vl->emplace_back(zeek::val_mgr->EmptyString());
vl->emplace_back(zeek::val_mgr->EmptyString());
vl->emplace_back(zeek::val_mgr->EmptyString());
vl->emplace_back(zeek::val_mgr->EmptyString());
reporter->Weird("OpenSSL failed to get OCSP_CERTID info");
vl->emplace_back(val_mgr->EmptyString());
vl->emplace_back(val_mgr->EmptyString());
vl->emplace_back(val_mgr->EmptyString());
vl->emplace_back(val_mgr->EmptyString());
return false;
}
@ -92,42 +92,42 @@ static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bi
i2a_ASN1_OBJECT(bio, hash_alg);
int len = BIO_read(bio, buf, sizeof(buf));
vl->emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
vl->emplace_back(make_intrusive<StringVal>(len, buf));
BIO_reset(bio);
i2a_ASN1_STRING(bio, issuer_name_hash, V_ASN1_OCTET_STRING);
len = BIO_read(bio, buf, sizeof(buf));
vl->emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
vl->emplace_back(make_intrusive<StringVal>(len, buf));
BIO_reset(bio);
i2a_ASN1_STRING(bio, issuer_key_hash, V_ASN1_OCTET_STRING);
len = BIO_read(bio, buf, sizeof(buf));
vl->emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
vl->emplace_back(make_intrusive<StringVal>(len, buf));
BIO_reset(bio);
i2a_ASN1_INTEGER(bio, serial_number);
len = BIO_read(bio, buf, sizeof(buf));
vl->emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
vl->emplace_back(make_intrusive<StringVal>(len, buf));
BIO_reset(bio);
return true;
}
zeek::file_analysis::Analyzer* OCSP::InstantiateRequest(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
file_analysis::Analyzer* OCSP::InstantiateRequest(RecordValPtr args,
file_analysis::File* file)
{
return new OCSP(std::move(args), file, true);
}
zeek::file_analysis::Analyzer* OCSP::InstantiateReply(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
file_analysis::Analyzer* OCSP::InstantiateReply(RecordValPtr args,
file_analysis::File* file)
{
return new OCSP(std::move(args), file, false);
}
OCSP::OCSP(zeek::RecordValPtr args, zeek::file_analysis::File* file,
bool arg_request)
: X509Common::X509Common(zeek::file_mgr->GetComponentTag("OCSP"),
OCSP::OCSP(RecordValPtr args, file_analysis::File* file,
bool arg_request)
: X509Common::X509Common(file_mgr->GetComponentTag("OCSP"),
std::move(args), file),
request(arg_request)
{
@ -156,7 +156,7 @@ bool OCSP::EndOfFile()
if (!req)
{
zeek::reporter->Weird(GetFile(), "openssl_ocsp_request_parse_error");
reporter->Weird(GetFile(), "openssl_ocsp_request_parse_error");
return false;
}
@ -169,7 +169,7 @@ bool OCSP::EndOfFile()
if (!resp)
{
zeek::reporter->Weird(GetFile(), "openssl_ocsp_response_parse_error");
reporter->Weird(GetFile(), "openssl_ocsp_response_parse_error");
return false;
}
@ -211,7 +211,7 @@ typedef struct ocsp_basic_response_st {
STACK_OF(X509) *certs;
} OCSP_BASICRESP;
*/
static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
static StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
BIO* bio, char* buf,
size_t buf_len)
{
@ -221,7 +221,7 @@ static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
der_basic_resp_len = i2d_OCSP_BASICRESP(basic_resp, &der_basic_resp_dat);
if ( der_basic_resp_len <= 0 )
return zeek::val_mgr->EmptyString();
return val_mgr->EmptyString();
const unsigned char* const_der_basic_resp_dat = der_basic_resp_dat;
@ -230,13 +230,13 @@ static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
if ( ! bseq )
{
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->EmptyString();
return val_mgr->EmptyString();
}
if ( sk_ASN1_TYPE_num(bseq) < 3 )
{
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->EmptyString();
return val_mgr->EmptyString();
}
auto constexpr sig_alg_idx = 1u;
@ -245,7 +245,7 @@ static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
if ( ASN1_TYPE_get(aseq_type) != V_ASN1_SEQUENCE )
{
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->EmptyString();
return val_mgr->EmptyString();
}
auto aseq_str = aseq_type->value.asn1_string;
@ -257,13 +257,13 @@ static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
if ( ! aseq )
{
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->EmptyString();
return val_mgr->EmptyString();
}
if ( sk_ASN1_TYPE_num(aseq) < 1 )
{
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->EmptyString();
return val_mgr->EmptyString();
}
auto constexpr alg_obj_idx = 0u;
@ -272,20 +272,20 @@ static zeek::StringValPtr parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
if ( ASN1_TYPE_get(alg_obj_type) != V_ASN1_OBJECT )
{
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->EmptyString();
return val_mgr->EmptyString();
}
auto alg_obj = alg_obj_type->value.object;
i2a_ASN1_OBJECT(bio, alg_obj);
auto alg_len = BIO_read(bio, buf, buf_len);
auto rval = zeek::make_intrusive<zeek::StringVal>(alg_len, buf);
auto rval = make_intrusive<StringVal>(alg_len, buf);
BIO_reset(bio);
OPENSSL_free(der_basic_resp_dat);
return rval;
}
static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp)
static ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp)
{
int der_basic_resp_len = 0;
unsigned char* der_basic_resp_dat = nullptr;
@ -293,7 +293,7 @@ static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp)
der_basic_resp_len = i2d_OCSP_BASICRESP(basic_resp, &der_basic_resp_dat);
if ( der_basic_resp_len <= 0 )
return zeek::val_mgr->Count(-1);
return val_mgr->Count(-1);
const unsigned char* const_der_basic_resp_dat = der_basic_resp_dat;
@ -302,13 +302,13 @@ static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp)
if ( ! bseq )
{
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->Count(-1);
return val_mgr->Count(-1);
}
if ( sk_ASN1_TYPE_num(bseq) < 3 )
{
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->Count(-1);
return val_mgr->Count(-1);
}
auto constexpr resp_data_idx = 0u;
@ -317,7 +317,7 @@ static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp)
if ( ASN1_TYPE_get(dseq_type) != V_ASN1_SEQUENCE )
{
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->Count(-1);
return val_mgr->Count(-1);
}
auto dseq_str = dseq_type->value.asn1_string;
@ -329,13 +329,13 @@ static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp)
if ( ! dseq )
{
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->Count(-1);
return val_mgr->Count(-1);
}
if ( sk_ASN1_TYPE_num(dseq) < 1 )
{
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->Count(-1);
return val_mgr->Count(-1);
}
/*- ResponseData ::= SEQUENCE {
@ -353,12 +353,12 @@ static zeek::ValPtr parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp)
{
OPENSSL_free(der_basic_resp_dat);
// Not present, use default value.
return zeek::val_mgr->Count(0);
return val_mgr->Count(0);
}
uint64_t asn1_int = ASN1_INTEGER_get(version_type->value.integer);
OPENSSL_free(der_basic_resp_dat);
return zeek::val_mgr->Count(asn1_int);
return val_mgr->Count(asn1_int);
}
static uint64_t parse_request_version(OCSP_REQUEST* req)
@ -417,9 +417,9 @@ void OCSP::ParseRequest(OCSP_REQUEST* req)
#endif
if ( ocsp_request )
zeek::event_mgr.Enqueue(ocsp_request,
GetFile()->ToVal(),
zeek::val_mgr->Count(version)
event_mgr.Enqueue(ocsp_request,
GetFile()->ToVal(),
val_mgr->Count(version)
);
BIO *bio = BIO_new(BIO_s_mem());
@ -437,7 +437,7 @@ void OCSP::ParseRequest(OCSP_REQUEST* req)
ocsp_add_cert_id(cert_id, &rvl, bio);
if ( ocsp_request_certificate )
zeek::event_mgr.Enqueue(ocsp_request_certificate, std::move(rvl));
event_mgr.Enqueue(ocsp_request_certificate, std::move(rvl));
}
BIO_free(bio);
@ -453,17 +453,17 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp)
const STACK_OF(X509)* certs = nullptr;
int resp_count, num_ext = 0;
zeek::VectorVal *certs_vector = nullptr;
VectorVal *certs_vector = nullptr;
int len = 0;
char buf[OCSP_STRING_BUF_SIZE];
memset(buf, 0, sizeof(buf));
const char *status_str = OCSP_response_status_str(OCSP_response_status(resp));
auto status_val = zeek::make_intrusive<zeek::StringVal>(strlen(status_str), status_str);
auto status_val = make_intrusive<StringVal>(strlen(status_str), status_str);
if ( ocsp_response_status )
zeek::event_mgr.Enqueue(ocsp_response_status, GetFile()->ToVal(), status_val);
event_mgr.Enqueue(ocsp_response_status, GetFile()->ToVal(), status_val);
//if (!resp_bytes)
// {
@ -494,7 +494,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp)
vl.emplace_back(std::move(status_val));
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
vl.emplace_back(zeek::val_mgr->Count((uint64_t)ASN1_INTEGER_get(resp_data->version)));
vl.emplace_back(val_mgr->Count((uint64_t)ASN1_INTEGER_get(resp_data->version)));
#else
vl.emplace_back(parse_basic_resp_data_version(basic_resp));
#endif
@ -503,13 +503,13 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp)
if ( OCSP_RESPID_bio(basic_resp, bio) )
{
len = BIO_read(bio, buf, sizeof(buf));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
vl.emplace_back(make_intrusive<StringVal>(len, buf));
BIO_reset(bio);
}
else
{
zeek::reporter->Weird("OpenSSL failed to get OCSP responder id");
vl.emplace_back(zeek::val_mgr->EmptyString());
reporter->Weird("OpenSSL failed to get OCSP responder id");
vl.emplace_back(val_mgr->EmptyString());
}
// producedAt
@ -519,7 +519,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp)
produced_at = OCSP_resp_get0_produced_at(basic_resp);
#endif
vl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(produced_at, GetFile(), zeek::reporter)));
vl.emplace_back(make_intrusive<TimeVal>(GetTimeFromAsn1(produced_at, GetFile(), reporter)));
// responses
@ -559,42 +559,42 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp)
const_cast<OCSP_CERTID*>(cert_id),
&status, &reason, &revoke_time,
&this_update, &next_update) )
zeek::reporter->Weird("OpenSSL failed to find status of OCSP response");
reporter->Weird("OpenSSL failed to find status of OCSP response");
const char* cert_status_str = OCSP_cert_status_str(status);
rvl.emplace_back(zeek::make_intrusive<zeek::StringVal>(strlen(cert_status_str), cert_status_str));
rvl.emplace_back(make_intrusive<StringVal>(strlen(cert_status_str), cert_status_str));
// revocation time and reason if revoked
if ( status == V_OCSP_CERTSTATUS_REVOKED )
{
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(revoke_time, GetFile(), zeek::reporter)));
rvl.emplace_back(make_intrusive<TimeVal>(GetTimeFromAsn1(revoke_time, GetFile(), reporter)));
if ( reason != OCSP_REVOKED_STATUS_NOSTATUS )
{
const char* revoke_reason = OCSP_crl_reason_str(reason);
rvl.emplace_back(zeek::make_intrusive<zeek::StringVal>(strlen(revoke_reason), revoke_reason));
rvl.emplace_back(make_intrusive<StringVal>(strlen(revoke_reason), revoke_reason));
}
else
rvl.emplace_back(zeek::make_intrusive<zeek::StringVal>(0, ""));
rvl.emplace_back(make_intrusive<StringVal>(0, ""));
}
else
{
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(0.0));
rvl.emplace_back(zeek::make_intrusive<zeek::StringVal>(0, ""));
rvl.emplace_back(make_intrusive<TimeVal>(0.0));
rvl.emplace_back(make_intrusive<StringVal>(0, ""));
}
if ( this_update )
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(this_update, GetFile(), zeek::reporter)));
rvl.emplace_back(make_intrusive<TimeVal>(GetTimeFromAsn1(this_update, GetFile(), reporter)));
else
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(0.0));
rvl.emplace_back(make_intrusive<TimeVal>(0.0));
if ( next_update )
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(next_update, GetFile(), zeek::reporter)));
rvl.emplace_back(make_intrusive<TimeVal>(GetTimeFromAsn1(next_update, GetFile(), reporter)));
else
rvl.emplace_back(zeek::make_intrusive<zeek::TimeVal>(0.0));
rvl.emplace_back(make_intrusive<TimeVal>(0.0));
if ( ocsp_response_certificate )
zeek::event_mgr.Enqueue(ocsp_response_certificate, std::move(rvl));
event_mgr.Enqueue(ocsp_response_certificate, std::move(rvl));
num_ext = OCSP_SINGLERESP_get_ext_count(single_resp);
for ( int k = 0; k < num_ext; ++k )
@ -610,7 +610,7 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp)
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
len = BIO_read(bio, buf, sizeof(buf));
vl.emplace_back(zeek::make_intrusive<zeek::StringVal>(len, buf));
vl.emplace_back(make_intrusive<StringVal>(len, buf));
BIO_reset(bio);
#else
vl.emplace_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
@ -618,11 +618,11 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp)
//i2a_ASN1_OBJECT(bio, basic_resp->signature);
//len = BIO_read(bio, buf, sizeof(buf));
//ocsp_resp_record->Assign(7, zeek::make_intrusive<zeek::StringVal>(len, buf));
//ocsp_resp_record->Assign(7, make_intrusive<StringVal>(len, buf));
//BIO_reset(bio);
certs_vector = new zeek::VectorVal(zeek::id::find_type<zeek::VectorType>("x509_opaque_vector"));
vl.emplace_back(zeek::AdoptRef{}, certs_vector);
certs_vector = new VectorVal(id::find_type<VectorType>("x509_opaque_vector"));
vl.emplace_back(AdoptRef{}, certs_vector);
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
certs = basic_resp->certs;
@ -638,14 +638,14 @@ void OCSP::ParseResponse(OCSP_RESPONSE *resp)
::X509 *this_cert = X509_dup(helper_sk_X509_value(certs, i));
//::X509 *this_cert = X509_dup(sk_X509_value(certs, i));
if (this_cert)
certs_vector->Assign(i, zeek::make_intrusive<X509Val>(this_cert));
certs_vector->Assign(i, make_intrusive<X509Val>(this_cert));
else
zeek::reporter->Weird("OpenSSL returned null certificate");
reporter->Weird("OpenSSL returned null certificate");
}
}
if ( ocsp_response_bytes )
zeek::event_mgr.Enqueue(ocsp_response_bytes, std::move(vl));
event_mgr.Enqueue(ocsp_response_bytes, std::move(vl));
// ok, now that we are done with the actual certificate - let's parse extensions :)
num_ext = OCSP_BASICRESP_get_ext_count(basic_resp);

12
src/file_analysis/analyzer/x509/OCSP.h
View file

@ -11,19 +11,19 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(File, zeek, file_analysis);
namespace zeek::file_analysis::detail {
class OCSP : public zeek::file_analysis::detail::X509Common {
class OCSP : public file_analysis::detail::X509Common {
public:
bool DeliverStream(const u_char* data, uint64_t len) override;
bool Undelivered(uint64_t offset, uint64_t len) override;
bool EndOfFile() override;
static zeek::file_analysis::Analyzer* InstantiateRequest(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
static zeek::file_analysis::Analyzer* InstantiateReply(zeek::RecordValPtr args,
zeek::file_analysis::File* file);
static file_analysis::Analyzer* InstantiateRequest(RecordValPtr args,
file_analysis::File* file);
static file_analysis::Analyzer* InstantiateReply(RecordValPtr args,
file_analysis::File* file);
protected:
OCSP(zeek::RecordValPtr args, zeek::file_analysis::File* file, bool request);
OCSP(RecordValPtr args, file_analysis::File* file, bool request);
private:
void ParseResponse(OCSP_RESPONSE*);

118
src/file_analysis/analyzer/x509/X509.cc
View file

@ -23,8 +23,8 @@
namespace zeek::file_analysis::detail {
X509::X509(zeek::RecordValPtr args, zeek::file_analysis::File* file)
: X509Common::X509Common(zeek::file_mgr->GetComponentTag("X509"),
X509::X509(RecordValPtr args, file_analysis::File* file)
: X509Common::X509Common(file_mgr->GetComponentTag("X509"),
std::move(args), file)
{
cert_data.clear();
@ -53,7 +53,7 @@ bool X509::EndOfFile()
zeek::detail::hash_update(ctx, cert_char, cert_data.size());
zeek::detail::hash_final(ctx, buf);
std::string cert_sha256 = zeek::detail::sha256_digest_print(buf);
auto index = zeek::make_intrusive<zeek::StringVal>(cert_sha256);
auto index = make_intrusive<StringVal>(cert_sha256);
const auto& entry = certificate_cache->Find(index);
if ( entry )
@ -65,7 +65,7 @@ bool X509::EndOfFile()
// yup, let's call the callback.
cache_hit_callback->Invoke(GetFile()->ToVal(), entry,
zeek::make_intrusive<zeek::StringVal>(cert_sha256));
make_intrusive<StringVal>(cert_sha256));
return false;
}
}
@ -75,7 +75,7 @@ bool X509::EndOfFile()
::X509* ssl_cert = d2i_X509(NULL, &cert_char, cert_data.size());
if ( ! ssl_cert )
{
zeek::reporter->Weird(GetFile(), "x509_cert_parse_error");
reporter->Weird(GetFile(), "x509_cert_parse_error");
return false;
}
@ -86,10 +86,10 @@ bool X509::EndOfFile()
// and send the record on to scriptland
if ( x509_certificate )
zeek::event_mgr.Enqueue(x509_certificate,
GetFile()->ToVal(),
zeek::IntrusivePtr{zeek::NewRef{}, cert_val},
cert_record);
event_mgr.Enqueue(x509_certificate,
GetFile()->ToVal(),
IntrusivePtr{NewRef{}, cert_val},
cert_record);
// after parsing the certificate - parse the extensions...
@ -113,26 +113,26 @@ bool X509::EndOfFile()
return false;
}
zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val,
zeek::file_analysis::File* f)
RecordValPtr X509::ParseCertificate(X509Val* cert_val,
file_analysis::File* f)
{
::X509* ssl_cert = cert_val->GetCertificate();
char buf[2048]; // we need a buffer for some of the openssl functions
memset(buf, 0, sizeof(buf));
auto pX509Cert = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::Certificate);
auto pX509Cert = make_intrusive<RecordVal>(BifType::Record::X509::Certificate);
BIO *bio = BIO_new(BIO_s_mem());
pX509Cert->Assign(0, zeek::val_mgr->Count((uint64_t) X509_get_version(ssl_cert) + 1));
pX509Cert->Assign(0, val_mgr->Count((uint64_t) X509_get_version(ssl_cert) + 1));
i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
int len = BIO_read(bio, buf, sizeof(buf));
pX509Cert->Assign(1, zeek::make_intrusive<zeek::StringVal>(len, buf));
pX509Cert->Assign(1, make_intrusive<StringVal>(len, buf));
BIO_reset(bio);
X509_NAME_print_ex(bio, X509_get_subject_name(ssl_cert), 0, XN_FLAG_RFC2253);
len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(2, zeek::make_intrusive<zeek::StringVal>(len, buf));
pX509Cert->Assign(2, make_intrusive<StringVal>(len, buf));
BIO_reset(bio);
X509_NAME *subject_name = X509_get_subject_name(ssl_cert);
@ -152,17 +152,17 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val,
// we found a common name
ASN1_STRING_print(bio, X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, namepos)));
len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(4, zeek::make_intrusive<zeek::StringVal>(len, buf));
pX509Cert->Assign(4, make_intrusive<StringVal>(len, buf));
BIO_reset(bio);
}
X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253);
len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(3, zeek::make_intrusive<zeek::StringVal>(len, buf));
pX509Cert->Assign(3, make_intrusive<StringVal>(len, buf));
BIO_free(bio);
pX509Cert->Assign(5, zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, zeek::reporter)));
pX509Cert->Assign(6, zeek::make_intrusive<zeek::TimeVal>(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, zeek::reporter)));
pX509Cert->Assign(5, make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter)));
pX509Cert->Assign(6, make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter)));
// we only read 255 bytes because byte 256 is always 0.
// if the string is longer than 255, that will be our null-termination,
@ -172,7 +172,7 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val,
if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) )
buf[0] = 0;
pX509Cert->Assign(7, zeek::make_intrusive<zeek::StringVal>(buf));
pX509Cert->Assign(7, make_intrusive<StringVal>(buf));
// Special case for RDP server certificates. For some reason some (all?) RDP server
// certificates like to specify their key algorithm as md5WithRSAEncryption, which
@ -194,25 +194,25 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val,
if ( ! i2t_ASN1_OBJECT(buf, 255, OBJ_nid2obj(X509_get_signature_nid(ssl_cert))) )
buf[0] = 0;
pX509Cert->Assign(8, zeek::make_intrusive<zeek::StringVal>(buf));
pX509Cert->Assign(8, make_intrusive<StringVal>(buf));
// Things we can do when we have the key...
EVP_PKEY *pkey = X509_extract_key(ssl_cert);
if ( pkey != NULL )
{
if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA )
pX509Cert->Assign(9, zeek::make_intrusive<zeek::StringVal>("dsa"));
pX509Cert->Assign(9, make_intrusive<StringVal>("dsa"));
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA )
{
pX509Cert->Assign(9, zeek::make_intrusive<zeek::StringVal>("rsa"));
pX509Cert->Assign(9, make_intrusive<StringVal>("rsa"));
const BIGNUM *e;
RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL);
char *exponent = BN_bn2dec(e);
if ( exponent != NULL )
{
pX509Cert->Assign(11, zeek::make_intrusive<zeek::StringVal>(exponent));
pX509Cert->Assign(11, make_intrusive<StringVal>(exponent));
OPENSSL_free(exponent);
exponent = NULL;
}
@ -220,7 +220,7 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val,
#ifndef OPENSSL_NO_EC
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_EC )
{
pX509Cert->Assign(9, zeek::make_intrusive<zeek::StringVal>("ecdsa"));
pX509Cert->Assign(9, make_intrusive<StringVal>("ecdsa"));
pX509Cert->Assign(12, KeyCurve(pkey));
}
#endif
@ -232,7 +232,7 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val,
unsigned int length = KeyLength(pkey);
if ( length > 0 )
pX509Cert->Assign(10, zeek::val_mgr->Count(length));
pX509Cert->Assign(10, val_mgr->Count(length));
EVP_PKEY_free(pkey);
}
@ -241,7 +241,7 @@ zeek::RecordValPtr X509::ParseCertificate(X509Val* cert_val,
return pX509Cert;
}
X509_STORE* X509::GetRootStore(zeek::TableVal* root_certs)
X509_STORE* X509::GetRootStore(TableVal* root_certs)
{
// If this certificate store was built previously, just reuse the old one.
if ( x509_stores.count(root_certs) > 0 )
@ -255,13 +255,13 @@ X509_STORE* X509::GetRootStore(zeek::TableVal* root_certs)
{
const auto& key = idxs->Idx(i);
auto val = root_certs->FindOrDefault(key);
zeek::StringVal* sv = val->AsStringVal();
StringVal* sv = val->AsStringVal();
assert(sv);
const uint8_t* data = sv->Bytes();
::X509* x = d2i_X509(NULL, &data, sv->Len());
if ( ! x )
{
zeek::emit_builtin_error(zeek::util::fmt("Root CA error: %s", ERR_error_string(ERR_get_error(), NULL)));
emit_builtin_error(util::fmt("Root CA error: %s", ERR_error_string(ERR_get_error(), NULL)));
return nullptr;
}
@ -291,15 +291,15 @@ void X509::ParseBasicConstraints(X509_EXTENSION* ex)
{
if ( x509_ext_basic_constraints )
{
auto pBasicConstraint = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::BasicConstraints);
pBasicConstraint->Assign(0, zeek::val_mgr->Bool(constr->ca));
auto pBasicConstraint = make_intrusive<RecordVal>(BifType::Record::X509::BasicConstraints);
pBasicConstraint->Assign(0, val_mgr->Bool(constr->ca));
if ( constr->pathlen )
pBasicConstraint->Assign(1, zeek::val_mgr->Count((int32_t) ASN1_INTEGER_get(constr->pathlen)));
pBasicConstraint->Assign(1, val_mgr->Count((int32_t) ASN1_INTEGER_get(constr->pathlen)));
zeek::event_mgr.Enqueue(x509_ext_basic_constraints,
GetFile()->ToVal(),
std::move(pBasicConstraint)
event_mgr.Enqueue(x509_ext_basic_constraints,
GetFile()->ToVal(),
std::move(pBasicConstraint)
);
}
@ -307,7 +307,7 @@ void X509::ParseBasicConstraints(X509_EXTENSION* ex)
}
else
zeek::reporter->Weird(GetFile(), "x509_invalid_basic_constraint");
reporter->Weird(GetFile(), "x509_invalid_basic_constraint");
}
void X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
@ -337,14 +337,14 @@ void X509::ParseSAN(X509_EXTENSION* ext)
GENERAL_NAMES *altname = (GENERAL_NAMES*)X509V3_EXT_d2i(ext);
if ( ! altname )
{
zeek::reporter->Weird(GetFile(), "x509_san_parse_error");
reporter->Weird(GetFile(), "x509_san_parse_error");
return;
}
zeek::VectorValPtr names;
zeek::VectorValPtr emails;
zeek::VectorValPtr uris;
zeek::VectorValPtr ips;
VectorValPtr names;
VectorValPtr emails;
VectorValPtr uris;
VectorValPtr ips;
bool otherfields = false;
@ -357,7 +357,7 @@ void X509::ParseSAN(X509_EXTENSION* ext)
{
if ( ASN1_STRING_type(gen->d.ia5) != V_ASN1_IA5STRING )
{
zeek::reporter->Weird(GetFile(), "x509_san_non_string");
reporter->Weird(GetFile(), "x509_san_non_string");
continue;
}
@ -366,27 +366,27 @@ void X509::ParseSAN(X509_EXTENSION* ext)
#else
const char* name = (const char*) ASN1_STRING_get0_data(gen->d.ia5);
#endif
auto bs = zeek::make_intrusive<zeek::StringVal>(name);
auto bs = make_intrusive<StringVal>(name);
switch ( gen->type )
{
case GEN_DNS:
if ( names == nullptr )
names = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
names = make_intrusive<VectorVal>(id::string_vec);
names->Assign(names->Size(), std::move(bs));
break;
case GEN_URI:
if ( uris == nullptr )
uris = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
uris = make_intrusive<VectorVal>(id::string_vec);
uris->Assign(uris->Size(), std::move(bs));
break;
case GEN_EMAIL:
if ( emails == nullptr )
emails = zeek::make_intrusive<zeek::VectorVal>(zeek::id::string_vec);
emails = make_intrusive<VectorVal>(id::string_vec);
emails->Assign(emails->Size(), std::move(bs));
break;
@ -396,33 +396,33 @@ void X509::ParseSAN(X509_EXTENSION* ext)
else if ( gen->type == GEN_IPADD )
{
if ( ips == nullptr )
ips = zeek::make_intrusive<zeek::VectorVal>(zeek::id::find_type<zeek::VectorType>("addr_vec"));
ips = make_intrusive<VectorVal>(id::find_type<VectorType>("addr_vec"));
uint32_t* addr = (uint32_t*) gen->d.ip->data;
if( gen->d.ip->length == 4 )
ips->Assign(ips->Size(), zeek::make_intrusive<zeek::AddrVal>(*addr));
ips->Assign(ips->Size(), make_intrusive<AddrVal>(*addr));
else if ( gen->d.ip->length == 16 )
ips->Assign(ips->Size(), zeek::make_intrusive<zeek::AddrVal>(addr));
ips->Assign(ips->Size(), make_intrusive<AddrVal>(addr));
else
{
zeek::reporter->Weird(GetFile(), "x509_san_ip_length", zeek::util::fmt("%d", gen->d.ip->length));
reporter->Weird(GetFile(), "x509_san_ip_length", util::fmt("%d", gen->d.ip->length));
continue;
}
}
else
{
// zeek::reporter->Error("Subject alternative name contained unsupported fields. fuid %s", GetFile()->GetID().c_str());
// reporter->Error("Subject alternative name contained unsupported fields. fuid %s", GetFile()->GetID().c_str());
// This happens quite often - just mark it
otherfields = true;
continue;
}
}
auto sanExt = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::SubjectAlternativeName);
auto sanExt = make_intrusive<RecordVal>(BifType::Record::X509::SubjectAlternativeName);
if ( names != nullptr )
sanExt->Assign(0, names);
@ -436,15 +436,15 @@ void X509::ParseSAN(X509_EXTENSION* ext)
if ( ips != nullptr )
sanExt->Assign(3, ips);
sanExt->Assign(4, zeek::val_mgr->Bool(otherfields));
sanExt->Assign(4, val_mgr->Bool(otherfields));
zeek::event_mgr.Enqueue(x509_ext_subject_alternative_name,
event_mgr.Enqueue(x509_ext_subject_alternative_name,
GetFile()->ToVal(),
std::move(sanExt));
GENERAL_NAMES_free(altname);
}
zeek::StringValPtr X509::KeyCurve(EVP_PKEY* key)
StringValPtr X509::KeyCurve(EVP_PKEY* key)
{
assert(key != nullptr);
@ -473,7 +473,7 @@ zeek::StringValPtr X509::KeyCurve(EVP_PKEY* key)
if ( curve_name == nullptr )
return nullptr;
return zeek::make_intrusive<zeek::StringVal>(curve_name);
return make_intrusive<StringVal>(curve_name);
#endif
}
@ -525,7 +525,7 @@ unsigned int X509::KeyLength(EVP_PKEY *key)
return 0; // unknown public key type
}
zeek::reporter->InternalError("cannot be reached");
reporter->InternalError("cannot be reached");
}
X509Val::X509Val(::X509* arg_certificate) : OpaqueVal(x509_opaque_type)
@ -544,9 +544,9 @@ X509Val::~X509Val()
X509_free(certificate);
}
zeek::ValPtr X509Val::DoClone(CloneState* state)
ValPtr X509Val::DoClone(CloneState* state)
{
auto copy = zeek::make_intrusive<X509Val>();
auto copy = make_intrusive<X509Val>();
if ( certificate )
copy->certificate = X509_dup(certificate);

28
src/file_analysis/analyzer/x509/X509.h
View file

@ -67,7 +67,7 @@ namespace zeek::file_analysis::detail {
class X509Val;
class X509 : public zeek::file_analysis::detail::X509Common {
class X509 : public file_analysis::detail::X509Common {
public:
bool DeliverStream(const u_char* data, uint64_t len) override;
bool Undelivered(uint64_t offset, uint64_t len) override;
@ -86,10 +86,10 @@ public:
* @param Returns the new record value and passes ownership to
* caller.
*/
static zeek::RecordValPtr ParseCertificate(X509Val* cert_val, zeek::file_analysis::File* file = nullptr);
static RecordValPtr ParseCertificate(X509Val* cert_val, file_analysis::File* file = nullptr);
static zeek::file_analysis::Analyzer* Instantiate(zeek::RecordValPtr args,
zeek::file_analysis::File* file)
static file_analysis::Analyzer* Instantiate(RecordValPtr args,
file_analysis::File* file)
{ return new X509(std::move(args), file); }
/**
@ -102,7 +102,7 @@ public:
*
* @return OpenSSL's X509 store associated with the table value.
*/
static X509_STORE* GetRootStore(zeek::TableVal* root_certs);
static X509_STORE* GetRootStore(TableVal* root_certs);
/**
* Frees memory obtained from OpenSSL that is associated with the global
@ -117,17 +117,17 @@ public:
/**
* Sets the table[string] that used as the certificate cache inside of Zeek.
*/
static void SetCertificateCache(zeek::TableValPtr cache)
static void SetCertificateCache(TableValPtr cache)
{ certificate_cache = std::move(cache); }
/**
* Sets the callback when a certificate cache hit is encountered
*/
static void SetCertificateCacheHitCallback(zeek::FuncPtr func)
static void SetCertificateCacheHitCallback(FuncPtr func)
{ cache_hit_callback = std::move(func); }
protected:
X509(zeek::RecordValPtr args, zeek::file_analysis::File* file);
X509(RecordValPtr args, file_analysis::File* file);
private:
void ParseBasicConstraints(X509_EXTENSION* ex);
@ -137,12 +137,12 @@ private:
std::string cert_data;
// Helpers for ParseCertificate.
static zeek::StringValPtr KeyCurve(EVP_PKEY* key);
static StringValPtr KeyCurve(EVP_PKEY* key);
static unsigned int KeyLength(EVP_PKEY *key);
/** X509 stores associated with global script-layer values */
inline static std::map<zeek::Val*, X509_STORE*> x509_stores = std::map<zeek::Val*, X509_STORE*>();
inline static zeek::TableValPtr certificate_cache = nullptr;
inline static zeek::FuncPtr cache_hit_callback = nullptr;
inline static std::map<Val*, X509_STORE*> x509_stores = std::map<Val*, X509_STORE*>();
inline static TableValPtr certificate_cache = nullptr;
inline static FuncPtr cache_hit_callback = nullptr;
};
/**
@ -152,7 +152,7 @@ private:
* script-land. Otherwise, we cannot verify certificates from Bro
* scriptland
*/
class X509Val : public zeek::OpaqueVal {
class X509Val : public OpaqueVal {
public:
/**
* Construct an X509Val.
@ -170,7 +170,7 @@ public:
*
* @return A cloned X509Val.
*/
zeek::ValPtr DoClone(CloneState* state) override;
ValPtr DoClone(CloneState* state) override;
/**
* Destructor.

50
src/file_analysis/analyzer/x509/X509Common.cc
View file

@ -16,22 +16,22 @@
namespace zeek::file_analysis::detail {
X509Common::X509Common(const zeek::file_analysis::Tag& arg_tag,
zeek::RecordValPtr arg_args,
zeek::file_analysis::File* arg_file)
: zeek::file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file)
X509Common::X509Common(const file_analysis::Tag& arg_tag,
RecordValPtr arg_args,
file_analysis::File* arg_file)
: file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file)
{
}
static void EmitWeird(const char* name, zeek::file_analysis::File* file, const char* addl = "")
static void EmitWeird(const char* name, file_analysis::File* file, const char* addl = "")
{
if ( file )
zeek::reporter->Weird(file, name, addl);
reporter->Weird(file, name, addl);
else
zeek::reporter->Weird(name);
reporter->Weird(name);
}
double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, zeek::file_analysis::File* f, zeek::Reporter* reporter)
double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, file_analysis::File* f, Reporter* reporter)
{
time_t lResult = 0;
@ -206,7 +206,7 @@ void X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext)
ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length);
if ( !inner )
{
zeek::reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string");
reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string");
return;
}
@ -220,7 +220,7 @@ void X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext)
catch( const binpac::Exception& e )
{
// throw a warning or sth
zeek::reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT");
reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT");
}
ASN1_OCTET_STRING_free(inner);
@ -232,7 +232,7 @@ void X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext)
delete conn;
}
void X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global)
void X509Common::ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bool global)
{
char name[256];
char oid[256];
@ -269,16 +269,16 @@ void X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr&
}
if ( ! ext_val )
ext_val = zeek::make_intrusive<zeek::StringVal>(0, "");
ext_val = make_intrusive<StringVal>(0, "");
auto pX509Ext = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::Extension);
pX509Ext->Assign(0, zeek::make_intrusive<zeek::StringVal>(name));
auto pX509Ext = make_intrusive<RecordVal>(BifType::Record::X509::Extension);
pX509Ext->Assign(0, make_intrusive<StringVal>(name));
if ( short_name and strlen(short_name) > 0 )
pX509Ext->Assign(1, zeek::make_intrusive<zeek::StringVal>(short_name));
pX509Ext->Assign(1, make_intrusive<StringVal>(short_name));
pX509Ext->Assign(2, zeek::make_intrusive<zeek::StringVal>(oid));
pX509Ext->Assign(3, zeek::val_mgr->Bool(critical));
pX509Ext->Assign(2, make_intrusive<StringVal>(oid));
pX509Ext->Assign(3, val_mgr->Bool(critical));
pX509Ext->Assign(4, ext_val);
// send off generic extension event
@ -289,17 +289,17 @@ void X509Common::ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr&
// but I am not sure if there is a better way to do it...
if ( h == ocsp_extension )
zeek::event_mgr.Enqueue(h, GetFile()->ToVal(),
std::move(pX509Ext),
zeek::val_mgr->Bool(global));
event_mgr.Enqueue(h, GetFile()->ToVal(),
std::move(pX509Ext),
val_mgr->Bool(global));
else
zeek::event_mgr.Enqueue(h, GetFile()->ToVal(), std::move(pX509Ext));
event_mgr.Enqueue(h, GetFile()->ToVal(), std::move(pX509Ext));
// let individual analyzers parse more.
ParseExtensionsSpecific(ex, global, ext_asn, oid);
}
zeek::StringValPtr X509Common::GetExtensionFromBIO(BIO* bio, zeek::file_analysis::File* f)
StringValPtr X509Common::GetExtensionFromBIO(BIO* bio, file_analysis::File* f)
{
BIO_flush(bio);
ERR_clear_error();
@ -317,7 +317,7 @@ zeek::StringValPtr X509Common::GetExtensionFromBIO(BIO* bio, zeek::file_analysis
if ( length == 0 )
{
BIO_free_all(bio);
return zeek::val_mgr->EmptyString();
return val_mgr->EmptyString();
}
char* buffer = (char*) malloc(length);
@ -326,13 +326,13 @@ zeek::StringValPtr X509Common::GetExtensionFromBIO(BIO* bio, zeek::file_analysis
{
// Just emit an error here and try to continue instead of aborting
// because it's unclear the length value is very reliable.
zeek::reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length);
reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length);
BIO_free_all(bio);
return nullptr;
}
BIO_read(bio, (void*) buffer, length);
auto ext_val = zeek::make_intrusive<zeek::StringVal>(length, buffer);
auto ext_val = make_intrusive<StringVal>(length, buffer);
free(buffer);
BIO_free_all(bio);

20
src/file_analysis/analyzer/x509/X509Common.h
View file

@ -18,12 +18,12 @@ ZEEK_FORWARD_DECLARE_NAMESPACED(Tag, zeek, file_analysis);
namespace zeek {
template <class T> class IntrusivePtr;
using StringValPtr = zeek::IntrusivePtr<StringVal>;
using StringValPtr = IntrusivePtr<StringVal>;
}
namespace zeek::file_analysis::detail {
class X509Common : public zeek::file_analysis::Analyzer {
class X509Common : public file_analysis::Analyzer {
public:
~X509Common() override {};
@ -38,22 +38,22 @@ public:
*
* @return The X509 extension value.
*/
static zeek::StringValPtr GetExtensionFromBIO(BIO* bio, zeek::file_analysis::File* f = nullptr);
static StringValPtr GetExtensionFromBIO(BIO* bio, file_analysis::File* f = nullptr);
static double GetTimeFromAsn1(const ASN1_TIME* atime, zeek::file_analysis::File* f,
zeek::Reporter* reporter);
static double GetTimeFromAsn1(const ASN1_TIME* atime, file_analysis::File* f,
Reporter* reporter);
protected:
X509Common(const zeek::file_analysis::Tag& arg_tag,
zeek::RecordValPtr arg_args,
zeek::file_analysis::File* arg_file);
X509Common(const file_analysis::Tag& arg_tag,
RecordValPtr arg_args,
file_analysis::File* arg_file);
void ParseExtension(X509_EXTENSION* ex, const zeek::EventHandlerPtr& h, bool global);
void ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bool global);
void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);
virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0;
};
} // namespace zeek:file_analysis
} // namespace zeek::file_analysis
namespace file_analysis {