mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 00:28:21 +00:00
Move IntrusivePtr and utility methods to the zeek namespace
This commit is contained in:
Tim Wojtulewicz
parent
4668378d91
commit
9364e6a5b7
255 changed files with 3761 additions and 3730 deletions
|
|
@ -19,7 +19,7 @@ void file_analysis::Analyzer::SetAnalyzerTag(const file_analysis::Tag& arg_tag)
|
|||
}
|
||||
|
||||
file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag,
|
||||
IntrusivePtr<RecordVal> arg_args,
|
||||
zeek::IntrusivePtr<RecordVal> arg_args,
|
||||
File* arg_file)
|
||||
: tag(arg_tag),
|
||||
args(std::move(arg_args)),
|
||||
|
|
@ -30,16 +30,16 @@ file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag,
|
|||
id = ++id_counter;
|
||||
}
|
||||
|
||||
file_analysis::Analyzer::Analyzer(IntrusivePtr<RecordVal> arg_args, File* arg_file)
|
||||
file_analysis::Analyzer::Analyzer(zeek::IntrusivePtr<RecordVal> arg_args, File* arg_file)
|
||||
: Analyzer({}, std::move(arg_args), arg_file)
|
||||
{}
|
||||
|
||||
file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag,
|
||||
RecordVal* arg_args,
|
||||
File* arg_file)
|
||||
: Analyzer(arg_tag, {NewRef{}, arg_args}, arg_file)
|
||||
: Analyzer(arg_tag, {zeek::NewRef{}, arg_args}, arg_file)
|
||||
{}
|
||||
|
||||
file_analysis::Analyzer::Analyzer(RecordVal* arg_args, File* arg_file)
|
||||
: Analyzer({}, {NewRef{}, arg_args}, arg_file)
|
||||
: Analyzer({}, {zeek::NewRef{}, arg_args}, arg_file)
|
||||
{}
|
||||
|
|
|
|||
|
|
@ -95,7 +95,7 @@ public:
|
|||
/**
|
||||
* @return the AnalyzerArgs associated with the analyzer.
|
||||
*/
|
||||
const IntrusivePtr<RecordVal>& GetArgs() const
|
||||
const zeek::IntrusivePtr<RecordVal>& GetArgs() const
|
||||
{ return args; }
|
||||
|
||||
[[deprecated("Remove in v4.1. Use GetArgs().")]]
|
||||
|
|
@ -151,7 +151,7 @@ protected:
|
|||
* tunable options, if any, related to a particular analyzer type.
|
||||
* @param arg_file the file to which the the analyzer is being attached.
|
||||
*/
|
||||
Analyzer(file_analysis::Tag arg_tag, IntrusivePtr<RecordVal> arg_args,
|
||||
Analyzer(file_analysis::Tag arg_tag, zeek::IntrusivePtr<RecordVal> arg_args,
|
||||
File* arg_file);
|
||||
|
||||
[[deprecated("Remove in v4.1.. Construct using IntrusivePtr instead.")]]
|
||||
|
|
@ -166,7 +166,7 @@ protected:
|
|||
* tunable options, if any, related to a particular analyzer type.
|
||||
* @param arg_file the file to which the the analyzer is being attached.
|
||||
*/
|
||||
Analyzer(IntrusivePtr<RecordVal> arg_args, File* arg_file);
|
||||
Analyzer(zeek::IntrusivePtr<RecordVal> arg_args, File* arg_file);
|
||||
|
||||
[[deprecated("Remove in v4.1.. Construct using IntrusivePtr instead.")]]
|
||||
Analyzer(RecordVal* arg_args, File* arg_file);
|
||||
|
|
@ -175,7 +175,7 @@ private:
|
|||
|
||||
ID id; /**< Unique instance ID. */
|
||||
file_analysis::Tag tag; /**< The particular type of the analyzer instance. */
|
||||
IntrusivePtr<RecordVal> args; /**< \c AnalyzerArgs val gives tunable analyzer params. */
|
||||
zeek::IntrusivePtr<RecordVal> args; /**< \c AnalyzerArgs val gives tunable analyzer params. */
|
||||
File* file; /**< The file to which the analyzer is attached. */
|
||||
bool got_stream_delivery;
|
||||
bool skip;
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ static void analyzer_del_func(void* v)
|
|||
|
||||
AnalyzerSet::AnalyzerSet(File* arg_file) : file(arg_file)
|
||||
{
|
||||
auto t = make_intrusive<zeek::TypeList>();
|
||||
auto t = zeek::make_intrusive<zeek::TypeList>();
|
||||
t->Append(file_mgr->GetTagType());
|
||||
t->Append(zeek::BifType::Record::Files::AnalyzerArgs);
|
||||
analyzer_hash = new CompositeHash(std::move(t));
|
||||
|
|
@ -41,14 +41,14 @@ AnalyzerSet::~AnalyzerSet()
|
|||
}
|
||||
|
||||
Analyzer* AnalyzerSet::Find(const file_analysis::Tag& tag,
|
||||
IntrusivePtr<RecordVal> args)
|
||||
zeek::IntrusivePtr<RecordVal> args)
|
||||
{
|
||||
auto key = GetKey(tag, std::move(args));
|
||||
Analyzer* rval = analyzer_map.Lookup(key.get());
|
||||
return rval;
|
||||
}
|
||||
|
||||
bool AnalyzerSet::Add(const file_analysis::Tag& tag, IntrusivePtr<RecordVal> args)
|
||||
bool AnalyzerSet::Add(const file_analysis::Tag& tag, zeek::IntrusivePtr<RecordVal> args)
|
||||
{
|
||||
auto key = GetKey(tag, args);
|
||||
|
||||
|
|
@ -72,7 +72,7 @@ bool AnalyzerSet::Add(const file_analysis::Tag& tag, IntrusivePtr<RecordVal> arg
|
|||
}
|
||||
|
||||
Analyzer* AnalyzerSet::QueueAdd(const file_analysis::Tag& tag,
|
||||
IntrusivePtr<RecordVal> args)
|
||||
zeek::IntrusivePtr<RecordVal> args)
|
||||
{
|
||||
auto key = GetKey(tag, args);
|
||||
file_analysis::Analyzer* a = InstantiateAnalyzer(tag, std::move(args));
|
||||
|
|
@ -108,7 +108,7 @@ void AnalyzerSet::AddMod::Abort()
|
|||
}
|
||||
|
||||
bool AnalyzerSet::Remove(const file_analysis::Tag& tag,
|
||||
IntrusivePtr<RecordVal> args)
|
||||
zeek::IntrusivePtr<RecordVal> args)
|
||||
{
|
||||
return Remove(tag, GetKey(tag, std::move(args)));
|
||||
}
|
||||
|
|
@ -140,7 +140,7 @@ bool AnalyzerSet::Remove(const file_analysis::Tag& tag,
|
|||
}
|
||||
|
||||
bool AnalyzerSet::QueueRemove(const file_analysis::Tag& tag,
|
||||
IntrusivePtr<RecordVal> args)
|
||||
zeek::IntrusivePtr<RecordVal> args)
|
||||
{
|
||||
auto key = GetKey(tag, std::move(args));
|
||||
auto rval = analyzer_map.Lookup(key.get());
|
||||
|
|
@ -154,9 +154,9 @@ bool AnalyzerSet::RemoveMod::Perform(AnalyzerSet* set)
|
|||
}
|
||||
|
||||
std::unique_ptr<HashKey> AnalyzerSet::GetKey(const file_analysis::Tag& t,
|
||||
IntrusivePtr<RecordVal> args) const
|
||||
zeek::IntrusivePtr<RecordVal> args) const
|
||||
{
|
||||
auto lv = make_intrusive<ListVal>(zeek::TYPE_ANY);
|
||||
auto lv = zeek::make_intrusive<ListVal>(zeek::TYPE_ANY);
|
||||
lv->Append(t.AsVal());
|
||||
lv->Append(std::move(args));
|
||||
auto key = analyzer_hash->MakeHashKey(*lv, true);
|
||||
|
|
@ -168,7 +168,7 @@ std::unique_ptr<HashKey> AnalyzerSet::GetKey(const file_analysis::Tag& t,
|
|||
}
|
||||
|
||||
file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(const Tag& tag,
|
||||
IntrusivePtr<RecordVal> args) const
|
||||
zeek::IntrusivePtr<RecordVal> args) const
|
||||
{
|
||||
auto a = file_mgr->InstantiateAnalyzer(tag, std::move(args), file);
|
||||
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ public:
|
|||
* @param args an \c AnalyzerArgs record.
|
||||
* @return pointer to an analyzer instance, or a null pointer if not found.
|
||||
*/
|
||||
Analyzer* Find(const file_analysis::Tag& tag, IntrusivePtr<RecordVal> args);
|
||||
Analyzer* Find(const file_analysis::Tag& tag, zeek::IntrusivePtr<RecordVal> args);
|
||||
|
||||
/**
|
||||
* Attach an analyzer to #file immediately.
|
||||
|
|
@ -51,7 +51,7 @@ public:
|
|||
* @param args an \c AnalyzerArgs value which specifies an analyzer.
|
||||
* @return true if analyzer was instantiated/attached, else false.
|
||||
*/
|
||||
bool Add(const file_analysis::Tag& tag, IntrusivePtr<RecordVal> args);
|
||||
bool Add(const file_analysis::Tag& tag, zeek::IntrusivePtr<RecordVal> args);
|
||||
|
||||
/**
|
||||
* Queue the attachment of an analyzer to #file.
|
||||
|
|
@ -61,7 +61,7 @@ public:
|
|||
* a null pointer. The caller does *not* take ownership of the memory.
|
||||
*/
|
||||
file_analysis::Analyzer* QueueAdd(const file_analysis::Tag& tag,
|
||||
IntrusivePtr<RecordVal> args);
|
||||
zeek::IntrusivePtr<RecordVal> args);
|
||||
|
||||
/**
|
||||
* Remove an analyzer from #file immediately.
|
||||
|
|
@ -69,7 +69,7 @@ public:
|
|||
* @param args an \c AnalyzerArgs value which specifies an analyzer.
|
||||
* @return false if analyzer didn't exist and so wasn't removed, else true.
|
||||
*/
|
||||
bool Remove(const file_analysis::Tag& tag, IntrusivePtr<RecordVal> args);
|
||||
bool Remove(const file_analysis::Tag& tag, zeek::IntrusivePtr<RecordVal> args);
|
||||
|
||||
/**
|
||||
* Queue the removal of an analyzer from #file.
|
||||
|
|
@ -77,7 +77,7 @@ public:
|
|||
* @param args an \c AnalyzerArgs value which specifies an analyzer.
|
||||
* @return true if analyzer exists at time of call, else false;
|
||||
*/
|
||||
bool QueueRemove(const file_analysis::Tag& tag, IntrusivePtr<RecordVal> args);
|
||||
bool QueueRemove(const file_analysis::Tag& tag, zeek::IntrusivePtr<RecordVal> args);
|
||||
|
||||
/**
|
||||
* Perform all queued modifications to the current analyzer set.
|
||||
|
|
@ -111,7 +111,7 @@ protected:
|
|||
* @return the hash key calculated from \a args
|
||||
*/
|
||||
std::unique_ptr<HashKey> GetKey(const file_analysis::Tag& tag,
|
||||
IntrusivePtr<RecordVal> args) const;
|
||||
zeek::IntrusivePtr<RecordVal> args) const;
|
||||
|
||||
/**
|
||||
* Create an instance of a file analyzer.
|
||||
|
|
@ -120,7 +120,7 @@ protected:
|
|||
* @return a new file analyzer instance.
|
||||
*/
|
||||
file_analysis::Analyzer* InstantiateAnalyzer(const file_analysis::Tag& tag,
|
||||
IntrusivePtr<RecordVal> args) const;
|
||||
zeek::IntrusivePtr<RecordVal> args) const;
|
||||
|
||||
/**
|
||||
* Insert an analyzer instance in to the set.
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ class Component : public zeek::plugin::Component,
|
|||
public plugin::TaggedComponent<file_analysis::Tag> {
|
||||
public:
|
||||
typedef Analyzer* (*factory_callback)(RecordVal* args, File* file);
|
||||
using factory_function = Analyzer* (*)(IntrusivePtr<RecordVal> args, File* file);
|
||||
using factory_function = Analyzer* (*)(zeek::IntrusivePtr<RecordVal> args, File* file);
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
|
|
|
|||
|
|
@ -21,21 +21,21 @@
|
|||
|
||||
using namespace file_analysis;
|
||||
|
||||
static IntrusivePtr<TableVal> empty_connection_table()
|
||||
static zeek::IntrusivePtr<TableVal> empty_connection_table()
|
||||
{
|
||||
auto tbl_index = make_intrusive<zeek::TypeList>(zeek::id::conn_id);
|
||||
auto tbl_index = zeek::make_intrusive<zeek::TypeList>(zeek::id::conn_id);
|
||||
tbl_index->Append(zeek::id::conn_id);
|
||||
auto tbl_type = make_intrusive<zeek::TableType>(std::move(tbl_index),
|
||||
auto tbl_type = zeek::make_intrusive<zeek::TableType>(std::move(tbl_index),
|
||||
zeek::id::connection);
|
||||
return make_intrusive<TableVal>(std::move(tbl_type));
|
||||
return zeek::make_intrusive<TableVal>(std::move(tbl_type));
|
||||
}
|
||||
|
||||
static IntrusivePtr<RecordVal> get_conn_id_val(const Connection* conn)
|
||||
static zeek::IntrusivePtr<RecordVal> get_conn_id_val(const Connection* conn)
|
||||
{
|
||||
auto v = make_intrusive<RecordVal>(zeek::id::conn_id);
|
||||
v->Assign(0, make_intrusive<AddrVal>(conn->OrigAddr()));
|
||||
auto v = zeek::make_intrusive<RecordVal>(zeek::id::conn_id);
|
||||
v->Assign(0, zeek::make_intrusive<AddrVal>(conn->OrigAddr()));
|
||||
v->Assign(1, val_mgr->Port(ntohs(conn->OrigPort()), conn->ConnTransport()));
|
||||
v->Assign(2, make_intrusive<AddrVal>(conn->RespAddr()));
|
||||
v->Assign(2, zeek::make_intrusive<AddrVal>(conn->RespAddr()));
|
||||
v->Assign(3, val_mgr->Port(ntohs(conn->RespPort()), conn->ConnTransport()));
|
||||
return v;
|
||||
}
|
||||
|
|
@ -91,8 +91,8 @@ File::File(const std::string& file_id, const std::string& source_name, Connectio
|
|||
|
||||
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Creating new File object", file_id.c_str());
|
||||
|
||||
val = make_intrusive<RecordVal>(zeek::id::fa_file);
|
||||
val->Assign(id_idx, make_intrusive<StringVal>(file_id.c_str()));
|
||||
val = zeek::make_intrusive<RecordVal>(zeek::id::fa_file);
|
||||
val->Assign(id_idx, zeek::make_intrusive<StringVal>(file_id.c_str()));
|
||||
SetSource(source_name);
|
||||
|
||||
if ( conn )
|
||||
|
|
@ -115,7 +115,7 @@ File::~File()
|
|||
|
||||
void File::UpdateLastActivityTime()
|
||||
{
|
||||
val->Assign(last_active_idx, make_intrusive<TimeVal>(network_time));
|
||||
val->Assign(last_active_idx, zeek::make_intrusive<TimeVal>(network_time));
|
||||
}
|
||||
|
||||
double File::GetLastActivityTime() const
|
||||
|
|
@ -190,7 +190,7 @@ std::string File::GetSource() const
|
|||
|
||||
void File::SetSource(const std::string& source)
|
||||
{
|
||||
val->Assign(source_idx, make_intrusive<StringVal>(source.c_str()));
|
||||
val->Assign(source_idx, zeek::make_intrusive<StringVal>(source.c_str()));
|
||||
}
|
||||
|
||||
double File::GetTimeoutInterval() const
|
||||
|
|
@ -200,13 +200,13 @@ double File::GetTimeoutInterval() const
|
|||
|
||||
void File::SetTimeoutInterval(double interval)
|
||||
{
|
||||
val->Assign(timeout_interval_idx, make_intrusive<IntervalVal>(interval));
|
||||
val->Assign(timeout_interval_idx, zeek::make_intrusive<IntervalVal>(interval));
|
||||
}
|
||||
|
||||
bool File::SetExtractionLimit(RecordVal* args, uint64_t bytes)
|
||||
{ return SetExtractionLimit({NewRef{}, args}, bytes); }
|
||||
{ return SetExtractionLimit({zeek::NewRef{}, args}, bytes); }
|
||||
|
||||
bool File::SetExtractionLimit(IntrusivePtr<RecordVal> args, uint64_t bytes)
|
||||
bool File::SetExtractionLimit(zeek::IntrusivePtr<RecordVal> args, uint64_t bytes)
|
||||
{
|
||||
Analyzer* a = analyzers.Find(file_mgr->GetComponentTag("EXTRACT"),
|
||||
std::move(args));
|
||||
|
|
@ -254,9 +254,9 @@ void File::ScheduleInactivityTimer() const
|
|||
}
|
||||
|
||||
bool File::AddAnalyzer(file_analysis::Tag tag, RecordVal* args)
|
||||
{ return AddAnalyzer(tag, {NewRef{}, args}); }
|
||||
{ return AddAnalyzer(tag, {zeek::NewRef{}, args}); }
|
||||
|
||||
bool File::AddAnalyzer(file_analysis::Tag tag, IntrusivePtr<RecordVal> args)
|
||||
bool File::AddAnalyzer(file_analysis::Tag tag, zeek::IntrusivePtr<RecordVal> args)
|
||||
{
|
||||
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Queuing addition of %s analyzer",
|
||||
id.c_str(), file_mgr->GetComponentName(tag).c_str());
|
||||
|
|
@ -268,9 +268,9 @@ bool File::AddAnalyzer(file_analysis::Tag tag, IntrusivePtr<RecordVal> args)
|
|||
}
|
||||
|
||||
bool File::RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args)
|
||||
{ return RemoveAnalyzer(tag, {NewRef{}, args}); }
|
||||
{ return RemoveAnalyzer(tag, {zeek::NewRef{}, args}); }
|
||||
|
||||
bool File::RemoveAnalyzer(file_analysis::Tag tag, IntrusivePtr<RecordVal> args)
|
||||
bool File::RemoveAnalyzer(file_analysis::Tag tag, zeek::IntrusivePtr<RecordVal> args)
|
||||
{
|
||||
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Queuing remove of %s analyzer",
|
||||
id.c_str(), file_mgr->GetComponentName(tag).c_str());
|
||||
|
|
@ -306,8 +306,8 @@ bool File::SetMime(const std::string& mime_type)
|
|||
if ( ! FileEventAvailable(file_sniff) )
|
||||
return false;
|
||||
|
||||
auto meta = make_intrusive<RecordVal>(zeek::id::fa_metadata);
|
||||
meta->Assign(meta_mime_type_idx, make_intrusive<StringVal>(mime_type));
|
||||
auto meta = zeek::make_intrusive<RecordVal>(zeek::id::fa_metadata);
|
||||
meta->Assign(meta_mime_type_idx, zeek::make_intrusive<StringVal>(mime_type));
|
||||
meta->Assign(meta_inferred_idx, val_mgr->False());
|
||||
|
||||
FileEvent(file_sniff, {val, std::move(meta)});
|
||||
|
|
@ -339,7 +339,7 @@ void File::InferMetadata()
|
|||
len = std::min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
|
||||
file_mgr->DetectMIME(data, len, &matches);
|
||||
|
||||
auto meta = make_intrusive<RecordVal>(zeek::id::fa_metadata);
|
||||
auto meta = zeek::make_intrusive<RecordVal>(zeek::id::fa_metadata);
|
||||
|
||||
if ( ! matches.empty() )
|
||||
{
|
||||
|
|
@ -370,7 +370,7 @@ bool File::BufferBOF(const u_char* data, uint64_t len)
|
|||
if ( bof_buffer.size > 0 )
|
||||
{
|
||||
BroString* bs = concatenate(bof_buffer.chunks);
|
||||
val->Assign(bof_buffer_idx, make_intrusive<StringVal>(bs));
|
||||
val->Assign(bof_buffer_idx, zeek::make_intrusive<StringVal>(bs));
|
||||
}
|
||||
|
||||
return false;
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ public:
|
|||
/**
|
||||
* @return the wrapped \c fa_file record value, #val.
|
||||
*/
|
||||
const IntrusivePtr<RecordVal>& ToVal() const
|
||||
const zeek::IntrusivePtr<RecordVal>& ToVal() const
|
||||
{ return val; }
|
||||
|
||||
[[deprecated("Remove in v4.1. Use ToVal().")]]
|
||||
|
|
@ -75,7 +75,7 @@ public:
|
|||
* @param bytes new limit.
|
||||
* @return false if no extraction analyzer is active, else true.
|
||||
*/
|
||||
bool SetExtractionLimit(IntrusivePtr<RecordVal> args, uint64_t bytes);
|
||||
bool SetExtractionLimit(zeek::IntrusivePtr<RecordVal> args, uint64_t bytes);
|
||||
|
||||
[[deprecated("Remove in v4.1. Pass an IntrusivePtr instead.")]]
|
||||
bool SetExtractionLimit(RecordVal* args, uint64_t bytes);
|
||||
|
|
@ -123,7 +123,7 @@ public:
|
|||
* @param args an \c AnalyzerArgs value representing a file analyzer.
|
||||
* @return false if analyzer can't be instantiated, else true.
|
||||
*/
|
||||
bool AddAnalyzer(file_analysis::Tag tag, IntrusivePtr<RecordVal> args);
|
||||
bool AddAnalyzer(file_analysis::Tag tag, zeek::IntrusivePtr<RecordVal> args);
|
||||
|
||||
[[deprecated("Remove in v4.1. Pass an IntrusivePtr instead.")]]
|
||||
bool AddAnalyzer(file_analysis::Tag tag, RecordVal* args);
|
||||
|
|
@ -134,7 +134,7 @@ public:
|
|||
* @param args an \c AnalyzerArgs value representing a file analyzer.
|
||||
* @return true if analyzer was active at time of call, else false.
|
||||
*/
|
||||
bool RemoveAnalyzer(file_analysis::Tag tag, IntrusivePtr<RecordVal> args);
|
||||
bool RemoveAnalyzer(file_analysis::Tag tag, zeek::IntrusivePtr<RecordVal> args);
|
||||
|
||||
[[deprecated("Remove in v4.1. Pass an IntrusivePtr instead.")]]
|
||||
bool RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args);
|
||||
|
|
@ -338,7 +338,7 @@ protected:
|
|||
* @return the field offset in #val record corresponding to \a field_name.
|
||||
*/
|
||||
static int Idx(const std::string& field_name, const zeek::RecordType* type);
|
||||
static int Idx(const std::string& field_name, const IntrusivePtr<zeek::RecordType>& type)
|
||||
static int Idx(const std::string& field_name, const zeek::IntrusivePtr<zeek::RecordType>& type)
|
||||
{ return Idx(field_name, type.get()); }
|
||||
|
||||
/**
|
||||
|
|
@ -348,7 +348,7 @@ protected:
|
|||
|
||||
protected:
|
||||
std::string id; /**< A pretty hash that likely identifies file */
|
||||
IntrusivePtr<RecordVal> val; /**< \c fa_file from script layer. */
|
||||
zeek::IntrusivePtr<RecordVal> val; /**< \c fa_file from script layer. */
|
||||
FileReassembler* file_reassembler; /**< A reassembler for the file if it's needed. */
|
||||
uint64_t stream_offset; /**< The offset of the file which has been forwarded. */
|
||||
uint64_t reassembly_max_buffer; /**< Maximum allowed buffer for reassembly. */
|
||||
|
|
|
|||
|
|
@ -260,10 +260,10 @@ bool Manager::SetReassemblyBuffer(const string& file_id, uint64_t max)
|
|||
|
||||
bool Manager::SetExtractionLimit(const string& file_id, RecordVal* args,
|
||||
uint64_t n) const
|
||||
{ return SetExtractionLimit(file_id, {NewRef{}, args}, n); }
|
||||
{ return SetExtractionLimit(file_id, {zeek::NewRef{}, args}, n); }
|
||||
|
||||
bool Manager::SetExtractionLimit(const string& file_id,
|
||||
IntrusivePtr<RecordVal> args, uint64_t n) const
|
||||
zeek::IntrusivePtr<RecordVal> args, uint64_t n) const
|
||||
{
|
||||
File* file = LookupFile(file_id);
|
||||
|
||||
|
|
@ -275,10 +275,10 @@ bool Manager::SetExtractionLimit(const string& file_id,
|
|||
|
||||
bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
|
||||
RecordVal* args) const
|
||||
{ return AddAnalyzer(file_id, tag, {NewRef{}, args}); }
|
||||
{ return AddAnalyzer(file_id, tag, {zeek::NewRef{}, args}); }
|
||||
|
||||
bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
|
||||
IntrusivePtr<RecordVal> args) const
|
||||
zeek::IntrusivePtr<RecordVal> args) const
|
||||
{
|
||||
File* file = LookupFile(file_id);
|
||||
|
||||
|
|
@ -290,10 +290,10 @@ bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
|
|||
|
||||
bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& tag,
|
||||
RecordVal* args) const
|
||||
{ return RemoveAnalyzer(file_id, tag, {NewRef{}, args}); }
|
||||
{ return RemoveAnalyzer(file_id, tag, {zeek::NewRef{}, args}); }
|
||||
|
||||
bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& tag,
|
||||
IntrusivePtr<RecordVal> args) const
|
||||
zeek::IntrusivePtr<RecordVal> args) const
|
||||
{
|
||||
File* file = LookupFile(file_id);
|
||||
|
||||
|
|
@ -455,10 +455,10 @@ bool Manager::IsDisabled(const analyzer::Tag& tag)
|
|||
}
|
||||
|
||||
Analyzer* Manager::InstantiateAnalyzer(const Tag& tag, RecordVal* args, File* f) const
|
||||
{ return InstantiateAnalyzer(tag, {NewRef{}, args}, f); }
|
||||
{ return InstantiateAnalyzer(tag, {zeek::NewRef{}, args}, f); }
|
||||
|
||||
Analyzer* Manager::InstantiateAnalyzer(const Tag& tag,
|
||||
IntrusivePtr<RecordVal> args,
|
||||
zeek::IntrusivePtr<RecordVal> args,
|
||||
File* f) const
|
||||
{
|
||||
Component* c = Lookup(tag);
|
||||
|
|
@ -517,22 +517,22 @@ string Manager::DetectMIME(const u_char* data, uint64_t len) const
|
|||
return *(matches.begin()->second.begin());
|
||||
}
|
||||
|
||||
IntrusivePtr<VectorVal> file_analysis::GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m)
|
||||
zeek::IntrusivePtr<VectorVal> file_analysis::GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m)
|
||||
{
|
||||
static auto mime_matches = zeek::id::find_type<zeek::VectorType>("mime_matches");
|
||||
static auto mime_match = zeek::id::find_type<zeek::RecordType>("mime_match");
|
||||
auto rval = make_intrusive<VectorVal>(mime_matches);
|
||||
auto rval = zeek::make_intrusive<VectorVal>(mime_matches);
|
||||
|
||||
for ( RuleMatcher::MIME_Matches::const_iterator it = m.begin();
|
||||
it != m.end(); ++it )
|
||||
{
|
||||
auto element = make_intrusive<RecordVal>(mime_match);
|
||||
auto element = zeek::make_intrusive<RecordVal>(mime_match);
|
||||
|
||||
for ( set<string>::const_iterator it2 = it->second.begin();
|
||||
it2 != it->second.end(); ++it2 )
|
||||
{
|
||||
element->Assign(0, val_mgr->Int(it->first));
|
||||
element->Assign(1, make_intrusive<StringVal>(*it2));
|
||||
element->Assign(1, zeek::make_intrusive<StringVal>(*it2));
|
||||
}
|
||||
|
||||
rval->Assign(rval->Size(), std::move(element));
|
||||
|
|
|
|||
|
|
@ -254,7 +254,7 @@ public:
|
|||
* else true.
|
||||
*/
|
||||
bool SetExtractionLimit(const std::string& file_id,
|
||||
IntrusivePtr<RecordVal> args, uint64_t n) const;
|
||||
zeek::IntrusivePtr<RecordVal> args, uint64_t n) const;
|
||||
|
||||
[[deprecated("Remove in v4.1. Pass IntrusivePtr args param instead.")]]
|
||||
bool SetExtractionLimit(const std::string& file_id, RecordVal* args,
|
||||
|
|
@ -278,7 +278,7 @@ public:
|
|||
* @return false if the analyzer failed to be instantiated, else true.
|
||||
*/
|
||||
bool AddAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
|
||||
IntrusivePtr<RecordVal> args) const;
|
||||
zeek::IntrusivePtr<RecordVal> args) const;
|
||||
|
||||
[[deprecated("Remove in v4.1. Pass IntrusivePtr args param instead.")]]
|
||||
bool AddAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
|
||||
|
|
@ -292,7 +292,7 @@ public:
|
|||
* @return true if the analyzer is active at the time of call, else false.
|
||||
*/
|
||||
bool RemoveAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
|
||||
IntrusivePtr<RecordVal> args) const;
|
||||
zeek::IntrusivePtr<RecordVal> args) const;
|
||||
|
||||
[[deprecated("Remove in v4.1. Pass IntrusivePtr args param instead.")]]
|
||||
bool RemoveAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
|
||||
|
|
@ -312,7 +312,7 @@ public:
|
|||
* @param f The file analzer is to be associated with.
|
||||
* @return The new analyzer instance or null if tag is invalid.
|
||||
*/
|
||||
Analyzer* InstantiateAnalyzer(const Tag& tag, IntrusivePtr<RecordVal> args,
|
||||
Analyzer* InstantiateAnalyzer(const Tag& tag, zeek::IntrusivePtr<RecordVal> args,
|
||||
File* f) const;
|
||||
|
||||
[[deprecated("Remove in v4.1. Pass in IntrusivePtr args instead.")]]
|
||||
|
|
@ -438,7 +438,7 @@ private:
|
|||
* Returns a script-layer value corresponding to the \c mime_matches type.
|
||||
* @param m The MIME match information with which to populate the value.
|
||||
*/
|
||||
IntrusivePtr<VectorVal> GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m);
|
||||
zeek::IntrusivePtr<VectorVal> GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m);
|
||||
|
||||
} // namespace file_analysis
|
||||
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ file_analysis::Tag& file_analysis::Tag::operator=(const file_analysis::Tag& othe
|
|||
return *this;
|
||||
}
|
||||
|
||||
const IntrusivePtr<EnumVal>& file_analysis::Tag::AsVal() const
|
||||
const zeek::IntrusivePtr<EnumVal>& file_analysis::Tag::AsVal() const
|
||||
{
|
||||
return ::Tag::AsVal(file_mgr->GetTagType());
|
||||
}
|
||||
|
|
@ -28,10 +28,10 @@ EnumVal* file_analysis::Tag::AsEnumVal() const
|
|||
return AsVal().get();
|
||||
}
|
||||
|
||||
file_analysis::Tag::Tag(IntrusivePtr<EnumVal> val)
|
||||
file_analysis::Tag::Tag(zeek::IntrusivePtr<EnumVal> val)
|
||||
: ::Tag(std::move(val))
|
||||
{ }
|
||||
|
||||
file_analysis::Tag::Tag(EnumVal* val)
|
||||
: ::Tag({NewRef{}, val})
|
||||
: ::Tag({zeek::NewRef{}, val})
|
||||
{ }
|
||||
|
|
|
|||
|
|
@ -88,7 +88,7 @@ public:
|
|||
*
|
||||
* @param etype the script-layer enum type associated with the tag.
|
||||
*/
|
||||
const IntrusivePtr<EnumVal>& AsVal() const;
|
||||
const zeek::IntrusivePtr<EnumVal>& AsVal() const;
|
||||
|
||||
[[deprecated("Remove in v4.1. Use AsVal() instead.")]]
|
||||
EnumVal* AsEnumVal() const;
|
||||
|
|
@ -116,7 +116,7 @@ protected:
|
|||
*
|
||||
* @param val An enum value of script type \c Files::Tag.
|
||||
*/
|
||||
explicit Tag(IntrusivePtr<EnumVal> val);
|
||||
explicit Tag(zeek::IntrusivePtr<EnumVal> val);
|
||||
|
||||
[[deprecated("Remove in v4.1. Construct from IntrusivePtr instead.")]]
|
||||
explicit Tag(EnumVal* val);
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@
|
|||
|
||||
using namespace file_analysis;
|
||||
|
||||
DataEvent::DataEvent(IntrusivePtr<RecordVal> args, File* file,
|
||||
DataEvent::DataEvent(zeek::IntrusivePtr<RecordVal> args, File* file,
|
||||
EventHandlerPtr ce, EventHandlerPtr se)
|
||||
: file_analysis::Analyzer(file_mgr->GetComponentTag("DATA_EVENT"),
|
||||
std::move(args), file),
|
||||
|
|
@ -19,7 +19,7 @@ DataEvent::DataEvent(IntrusivePtr<RecordVal> args, File* file,
|
|||
{
|
||||
}
|
||||
|
||||
file_analysis::Analyzer* DataEvent::Instantiate(IntrusivePtr<RecordVal> args,
|
||||
file_analysis::Analyzer* DataEvent::Instantiate(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file)
|
||||
{
|
||||
const auto& chunk_val = args->GetField("chunk_event");
|
||||
|
|
@ -45,7 +45,7 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
|
|||
|
||||
mgr.Enqueue(chunk_event,
|
||||
GetFile()->ToVal(),
|
||||
make_intrusive<StringVal>(new BroString(data, len, false)),
|
||||
zeek::make_intrusive<StringVal>(new BroString(data, len, false)),
|
||||
val_mgr->Count(offset)
|
||||
);
|
||||
|
||||
|
|
@ -58,7 +58,7 @@ bool DataEvent::DeliverStream(const u_char* data, uint64_t len)
|
|||
|
||||
mgr.Enqueue(stream_event,
|
||||
GetFile()->ToVal(),
|
||||
make_intrusive<StringVal>(new BroString(data, len, false))
|
||||
zeek::make_intrusive<StringVal>(new BroString(data, len, false))
|
||||
);
|
||||
|
||||
return true;
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ public:
|
|||
* @return the new DataEvent analyzer instance or a null pointer if
|
||||
* no "chunk_event" or "stream_event" field was specfied in \a args.
|
||||
*/
|
||||
static file_analysis::Analyzer* Instantiate(IntrusivePtr<RecordVal> args,
|
||||
static file_analysis::Analyzer* Instantiate(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file);
|
||||
|
||||
protected:
|
||||
|
|
@ -57,7 +57,7 @@ protected:
|
|||
* @param se pointer to event handler which will be called to receive
|
||||
* sequential file data.
|
||||
*/
|
||||
DataEvent(IntrusivePtr<RecordVal> args, File* file,
|
||||
DataEvent(zeek::IntrusivePtr<RecordVal> args, File* file,
|
||||
EventHandlerPtr ce, EventHandlerPtr se);
|
||||
|
||||
private:
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
|
||||
using namespace file_analysis;
|
||||
|
||||
Entropy::Entropy(IntrusivePtr<RecordVal> args, File* file)
|
||||
Entropy::Entropy(zeek::IntrusivePtr<RecordVal> args, File* file)
|
||||
: file_analysis::Analyzer(file_mgr->GetComponentTag("ENTROPY"),
|
||||
std::move(args), file)
|
||||
{
|
||||
|
|
@ -23,7 +23,7 @@ Entropy::~Entropy()
|
|||
Unref(entropy);
|
||||
}
|
||||
|
||||
file_analysis::Analyzer* Entropy::Instantiate(IntrusivePtr<RecordVal> args,
|
||||
file_analysis::Analyzer* Entropy::Instantiate(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file)
|
||||
{
|
||||
return new Entropy(std::move(args), file);
|
||||
|
|
@ -63,7 +63,7 @@ void Entropy::Finalize()
|
|||
entropy->Get(&ent, &chisq, &mean, &montepi, &scc);
|
||||
|
||||
static auto entropy_test_result = zeek::id::find_type<zeek::RecordType>("entropy_test_result");
|
||||
auto ent_result = make_intrusive<RecordVal>(entropy_test_result);
|
||||
auto ent_result = zeek::make_intrusive<RecordVal>(entropy_test_result);
|
||||
ent_result->Assign<DoubleVal>(0, ent);
|
||||
ent_result->Assign<DoubleVal>(1, chisq);
|
||||
ent_result->Assign<DoubleVal>(2, mean);
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ public:
|
|||
* @return the new Entropy analyzer instance or a null pointer if the
|
||||
* the "extraction_file" field of \a args wasn't set.
|
||||
*/
|
||||
static file_analysis::Analyzer* Instantiate(IntrusivePtr<RecordVal> args,
|
||||
static file_analysis::Analyzer* Instantiate(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file);
|
||||
|
||||
/**
|
||||
|
|
@ -66,7 +66,7 @@ protected:
|
|||
* @param hv specific hash calculator object.
|
||||
* @param kind human readable name of the hash algorithm to use.
|
||||
*/
|
||||
Entropy(IntrusivePtr<RecordVal> args, File* file);
|
||||
Entropy(zeek::IntrusivePtr<RecordVal> args, File* file);
|
||||
|
||||
/**
|
||||
* If some file contents have been seen, finalizes the entropy of them and
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@
|
|||
|
||||
using namespace file_analysis;
|
||||
|
||||
Extract::Extract(IntrusivePtr<RecordVal> args, File* file,
|
||||
Extract::Extract(zeek::IntrusivePtr<RecordVal> args, File* file,
|
||||
const std::string& arg_filename, uint64_t arg_limit)
|
||||
: file_analysis::Analyzer(file_mgr->GetComponentTag("EXTRACT"),
|
||||
std::move(args), file),
|
||||
|
|
@ -33,8 +33,8 @@ Extract::~Extract()
|
|||
safe_close(fd);
|
||||
}
|
||||
|
||||
static const IntrusivePtr<Val>& get_extract_field_val(const IntrusivePtr<RecordVal>& args,
|
||||
const char* name)
|
||||
static const zeek::IntrusivePtr<Val>& get_extract_field_val(const zeek::IntrusivePtr<RecordVal>& args,
|
||||
const char* name)
|
||||
{
|
||||
const auto& rval = args->GetField(name);
|
||||
|
||||
|
|
@ -44,7 +44,7 @@ static const IntrusivePtr<Val>& get_extract_field_val(const IntrusivePtr<RecordV
|
|||
return rval;
|
||||
}
|
||||
|
||||
file_analysis::Analyzer* Extract::Instantiate(IntrusivePtr<RecordVal> args, File* file)
|
||||
file_analysis::Analyzer* Extract::Instantiate(zeek::IntrusivePtr<RecordVal> args, File* file)
|
||||
{
|
||||
const auto& fname = get_extract_field_val(args, "extract_filename");
|
||||
const auto& limit = get_extract_field_val(args, "extract_limit");
|
||||
|
|
|
|||
|
|
@ -47,7 +47,7 @@ public:
|
|||
* @return the new Extract analyzer instance or a null pointer if the
|
||||
* the "extraction_file" field of \a args wasn't set.
|
||||
*/
|
||||
static file_analysis::Analyzer* Instantiate(IntrusivePtr<RecordVal> args,
|
||||
static file_analysis::Analyzer* Instantiate(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file);
|
||||
|
||||
/**
|
||||
|
|
@ -67,7 +67,7 @@ protected:
|
|||
* to which the contents of the file will be extracted/written.
|
||||
* @param arg_limit the maximum allowed file size.
|
||||
*/
|
||||
Extract(IntrusivePtr<RecordVal> args, File* file,
|
||||
Extract(zeek::IntrusivePtr<RecordVal> args, File* file,
|
||||
const std::string& arg_filename, uint64_t arg_limit);
|
||||
|
||||
private:
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@
|
|||
|
||||
using namespace file_analysis;
|
||||
|
||||
Hash::Hash(IntrusivePtr<RecordVal> args, File* file, HashVal* hv, const char* arg_kind)
|
||||
Hash::Hash(zeek::IntrusivePtr<RecordVal> args, File* file, HashVal* hv, const char* arg_kind)
|
||||
: file_analysis::Analyzer(file_mgr->GetComponentTag(to_upper(arg_kind).c_str()),
|
||||
std::move(args), file),
|
||||
hash(hv), fed(false), kind(arg_kind)
|
||||
|
|
@ -55,7 +55,7 @@ void Hash::Finalize()
|
|||
|
||||
mgr.Enqueue(file_hash,
|
||||
GetFile()->ToVal(),
|
||||
make_intrusive<StringVal>(kind),
|
||||
zeek::make_intrusive<StringVal>(kind),
|
||||
hash->Get()
|
||||
);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@ protected:
|
|||
* @param hv specific hash calculator object.
|
||||
* @param kind human readable name of the hash algorithm to use.
|
||||
*/
|
||||
Hash(IntrusivePtr<RecordVal> args, File* file, HashVal* hv, const char* kind);
|
||||
Hash(zeek::IntrusivePtr<RecordVal> args, File* file, HashVal* hv, const char* kind);
|
||||
|
||||
/**
|
||||
* If some file contents have been seen, finalizes the hash of them and
|
||||
|
|
@ -83,7 +83,7 @@ public:
|
|||
* @return the new MD5 analyzer instance or a null pointer if there's no
|
||||
* handler for the "file_hash" event.
|
||||
*/
|
||||
static file_analysis::Analyzer* Instantiate(IntrusivePtr<RecordVal> args,
|
||||
static file_analysis::Analyzer* Instantiate(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file)
|
||||
{ return file_hash ? new MD5(std::move(args), file) : nullptr; }
|
||||
|
||||
|
|
@ -94,7 +94,7 @@ protected:
|
|||
* @param args the \c AnalyzerArgs value which represents the analyzer.
|
||||
* @param file the file to which the analyzer will be attached.
|
||||
*/
|
||||
MD5(IntrusivePtr<RecordVal> args, File* file)
|
||||
MD5(zeek::IntrusivePtr<RecordVal> args, File* file)
|
||||
: Hash(std::move(args), file, new MD5Val(), "md5")
|
||||
{}
|
||||
};
|
||||
|
|
@ -112,7 +112,7 @@ public:
|
|||
* @return the new MD5 analyzer instance or a null pointer if there's no
|
||||
* handler for the "file_hash" event.
|
||||
*/
|
||||
static file_analysis::Analyzer* Instantiate(IntrusivePtr<RecordVal> args,
|
||||
static file_analysis::Analyzer* Instantiate(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file)
|
||||
{ return file_hash ? new SHA1(std::move(args), file) : nullptr; }
|
||||
|
||||
|
|
@ -123,7 +123,7 @@ protected:
|
|||
* @param args the \c AnalyzerArgs value which represents the analyzer.
|
||||
* @param file the file to which the analyzer will be attached.
|
||||
*/
|
||||
SHA1(IntrusivePtr<RecordVal> args, File* file)
|
||||
SHA1(zeek::IntrusivePtr<RecordVal> args, File* file)
|
||||
: Hash(std::move(args), file, new SHA1Val(), "sha1")
|
||||
{}
|
||||
};
|
||||
|
|
@ -141,7 +141,7 @@ public:
|
|||
* @return the new MD5 analyzer instance or a null pointer if there's no
|
||||
* handler for the "file_hash" event.
|
||||
*/
|
||||
static file_analysis::Analyzer* Instantiate(IntrusivePtr<RecordVal> args,
|
||||
static file_analysis::Analyzer* Instantiate(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file)
|
||||
{ return file_hash ? new SHA256(std::move(args), file) : nullptr; }
|
||||
|
||||
|
|
@ -152,7 +152,7 @@ protected:
|
|||
* @param args the \c AnalyzerArgs value which represents the analyzer.
|
||||
* @param file the file to which the analyzer will be attached.
|
||||
*/
|
||||
SHA256(IntrusivePtr<RecordVal> args, File* file)
|
||||
SHA256(zeek::IntrusivePtr<RecordVal> args, File* file)
|
||||
: Hash(std::move(args), file, new SHA256Val(), "sha256")
|
||||
{}
|
||||
};
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
using namespace file_analysis;
|
||||
|
||||
PE::PE(IntrusivePtr<RecordVal> args, File* file)
|
||||
PE::PE(zeek::IntrusivePtr<RecordVal> args, File* file)
|
||||
: file_analysis::Analyzer(file_mgr->GetComponentTag("PE"), std::move(args),
|
||||
file)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ class PE : public file_analysis::Analyzer {
|
|||
public:
|
||||
~PE();
|
||||
|
||||
static file_analysis::Analyzer* Instantiate(IntrusivePtr<RecordVal> args,
|
||||
static file_analysis::Analyzer* Instantiate(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file)
|
||||
{ return new PE(std::move(args), file); }
|
||||
|
||||
|
|
@ -24,7 +24,7 @@ public:
|
|||
virtual bool EndOfFile();
|
||||
|
||||
protected:
|
||||
PE(IntrusivePtr<RecordVal> args, File* file);
|
||||
PE(zeek::IntrusivePtr<RecordVal> args, File* file);
|
||||
binpac::PE::File* interp;
|
||||
binpac::PE::MockConnection* conn;
|
||||
bool done;
|
||||
|
|
|
|||
|
|
@ -5,14 +5,14 @@
|
|||
%}
|
||||
|
||||
%header{
|
||||
IntrusivePtr<VectorVal> process_rvas(const RVAS* rvas);
|
||||
IntrusivePtr<TableVal> characteristics_to_bro(uint32_t c, uint8_t len);
|
||||
zeek::IntrusivePtr<VectorVal> process_rvas(const RVAS* rvas);
|
||||
zeek::IntrusivePtr<TableVal> characteristics_to_bro(uint32_t c, uint8_t len);
|
||||
%}
|
||||
|
||||
%code{
|
||||
IntrusivePtr<VectorVal> process_rvas(const RVAS* rva_table)
|
||||
zeek::IntrusivePtr<VectorVal> process_rvas(const RVAS* rva_table)
|
||||
{
|
||||
auto rvas = make_intrusive<VectorVal>(zeek::id::index_vec);
|
||||
auto rvas = zeek::make_intrusive<VectorVal>(zeek::id::index_vec);
|
||||
|
||||
for ( uint16 i=0; i < rva_table->rvas()->size(); ++i )
|
||||
rvas->Assign(i, val_mgr->Count((*rva_table->rvas())[i]->size()));
|
||||
|
|
@ -20,10 +20,10 @@ IntrusivePtr<VectorVal> process_rvas(const RVAS* rva_table)
|
|||
return rvas;
|
||||
}
|
||||
|
||||
IntrusivePtr<TableVal> characteristics_to_bro(uint32_t c, uint8_t len)
|
||||
zeek::IntrusivePtr<TableVal> characteristics_to_bro(uint32_t c, uint8_t len)
|
||||
{
|
||||
uint64 mask = (len==16) ? 0xFFFF : 0xFFFFFFFF;
|
||||
auto char_set = make_intrusive<TableVal>(zeek::id::count_set);
|
||||
auto char_set = zeek::make_intrusive<TableVal>(zeek::id::count_set);
|
||||
|
||||
for ( uint16 i=0; i < len; ++i )
|
||||
{
|
||||
|
|
@ -46,8 +46,8 @@ refine flow File += {
|
|||
%{
|
||||
if ( pe_dos_header )
|
||||
{
|
||||
auto dh = make_intrusive<RecordVal>(zeek::BifType::Record::PE::DOSHeader);
|
||||
dh->Assign(0, make_intrusive<StringVal>(${h.signature}.length(), (const char*) ${h.signature}.data()));
|
||||
auto dh = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::PE::DOSHeader);
|
||||
dh->Assign(0, zeek::make_intrusive<StringVal>(${h.signature}.length(), (const char*) ${h.signature}.data()));
|
||||
dh->Assign(1, val_mgr->Count(${h.UsedBytesInTheLastPage}));
|
||||
dh->Assign(2, val_mgr->Count(${h.FileSizeInPages}));
|
||||
dh->Assign(3, val_mgr->Count(${h.NumberOfRelocationItems}));
|
||||
|
|
@ -77,7 +77,7 @@ refine flow File += {
|
|||
if ( pe_dos_code )
|
||||
mgr.Enqueue(pe_dos_code,
|
||||
connection()->bro_analyzer()->GetFile()->ToVal(),
|
||||
make_intrusive<StringVal>(code.length(), (const char*) code.data())
|
||||
zeek::make_intrusive<StringVal>(code.length(), (const char*) code.data())
|
||||
);
|
||||
return true;
|
||||
%}
|
||||
|
|
@ -96,9 +96,9 @@ refine flow File += {
|
|||
%{
|
||||
if ( pe_file_header )
|
||||
{
|
||||
auto fh = make_intrusive<RecordVal>(zeek::BifType::Record::PE::FileHeader);
|
||||
auto fh = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::PE::FileHeader);
|
||||
fh->Assign(0, val_mgr->Count(${h.Machine}));
|
||||
fh->Assign(1, make_intrusive<TimeVal>(static_cast<double>(${h.TimeDateStamp})));
|
||||
fh->Assign(1, zeek::make_intrusive<TimeVal>(static_cast<double>(${h.TimeDateStamp})));
|
||||
fh->Assign(2, val_mgr->Count(${h.PointerToSymbolTable}));
|
||||
fh->Assign(3, val_mgr->Count(${h.NumberOfSymbols}));
|
||||
fh->Assign(4, val_mgr->Count(${h.SizeOfOptionalHeader}));
|
||||
|
|
@ -124,7 +124,7 @@ refine flow File += {
|
|||
|
||||
if ( pe_optional_header )
|
||||
{
|
||||
auto oh = make_intrusive<RecordVal>(zeek::BifType::Record::PE::OptionalHeader);
|
||||
auto oh = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::PE::OptionalHeader);
|
||||
|
||||
oh->Assign(0, val_mgr->Count(${h.magic}));
|
||||
oh->Assign(1, val_mgr->Count(${h.major_linker_version}));
|
||||
|
|
@ -166,7 +166,7 @@ refine flow File += {
|
|||
%{
|
||||
if ( pe_section_header )
|
||||
{
|
||||
auto section_header = make_intrusive<RecordVal>(zeek::BifType::Record::PE::SectionHeader);
|
||||
auto section_header = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::PE::SectionHeader);
|
||||
|
||||
// Strip null characters from the end of the section name.
|
||||
u_char* first_null = (u_char*) memchr(${h.name}.data(), 0, ${h.name}.length());
|
||||
|
|
@ -175,7 +175,7 @@ refine flow File += {
|
|||
name_len = ${h.name}.length();
|
||||
else
|
||||
name_len = first_null - ${h.name}.data();
|
||||
section_header->Assign(0, make_intrusive<StringVal>(name_len, (const char*) ${h.name}.data()));
|
||||
section_header->Assign(0, zeek::make_intrusive<StringVal>(name_len, (const char*) ${h.name}.data()));
|
||||
|
||||
section_header->Assign(1, val_mgr->Count(${h.virtual_size}));
|
||||
section_header->Assign(2, val_mgr->Count(${h.virtual_addr}));
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
using namespace file_analysis;
|
||||
|
||||
Unified2::Unified2(IntrusivePtr<RecordVal> args, File* file)
|
||||
Unified2::Unified2(zeek::IntrusivePtr<RecordVal> args, File* file)
|
||||
: file_analysis::Analyzer(file_mgr->GetComponentTag("UNIFIED2"), std::move(args), file)
|
||||
{
|
||||
interp = new binpac::Unified2::Unified2_Analyzer(this);
|
||||
|
|
@ -16,7 +16,7 @@ Unified2::~Unified2()
|
|||
delete interp;
|
||||
}
|
||||
|
||||
file_analysis::Analyzer* Unified2::Instantiate(IntrusivePtr<RecordVal> args, File* file)
|
||||
file_analysis::Analyzer* Unified2::Instantiate(zeek::IntrusivePtr<RecordVal> args, File* file)
|
||||
{
|
||||
return new Unified2(std::move(args), file);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -20,11 +20,11 @@ public:
|
|||
|
||||
bool DeliverStream(const u_char* data, uint64_t len) override;
|
||||
|
||||
static file_analysis::Analyzer* Instantiate(IntrusivePtr<RecordVal> args,
|
||||
static file_analysis::Analyzer* Instantiate(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file);
|
||||
|
||||
protected:
|
||||
Unified2(IntrusivePtr<RecordVal> args, File* file);
|
||||
Unified2(zeek::IntrusivePtr<RecordVal> args, File* file);
|
||||
|
||||
private:
|
||||
binpac::Unified2::Unified2_Analyzer* interp;
|
||||
|
|
|
|||
|
|
@ -8,25 +8,25 @@
|
|||
%}
|
||||
|
||||
%code{
|
||||
IntrusivePtr<AddrVal> binpac::Unified2::Flow::unified2_addr_to_bro_addr(std::vector<uint32_t>* a)
|
||||
zeek::IntrusivePtr<AddrVal> binpac::Unified2::Flow::unified2_addr_to_bro_addr(std::vector<uint32_t>* a)
|
||||
{
|
||||
if ( a->size() == 1 )
|
||||
{
|
||||
return make_intrusive<AddrVal>(IPAddr(IPv4, &(a->at(0)), IPAddr::Host));
|
||||
return zeek::make_intrusive<AddrVal>(IPAddr(IPv4, &(a->at(0)), IPAddr::Host));
|
||||
}
|
||||
else if ( a->size() == 4 )
|
||||
{
|
||||
uint32 tmp[4] = { a->at(0), a->at(1), a->at(2), a->at(3) };
|
||||
return make_intrusive<AddrVal>(IPAddr(IPv6, tmp, IPAddr::Host));
|
||||
return zeek::make_intrusive<AddrVal>(IPAddr(IPv6, tmp, IPAddr::Host));
|
||||
}
|
||||
else
|
||||
{
|
||||
// Should never reach here.
|
||||
return make_intrusive<AddrVal>(1);
|
||||
return zeek::make_intrusive<AddrVal>(1);
|
||||
}
|
||||
}
|
||||
|
||||
IntrusivePtr<Val> binpac::Unified2::Flow::to_port(uint16_t n, uint8_t p)
|
||||
zeek::IntrusivePtr<Val> binpac::Unified2::Flow::to_port(uint16_t n, uint8_t p)
|
||||
{
|
||||
TransportProto proto = TRANSPORT_UNKNOWN;
|
||||
switch ( p ) {
|
||||
|
|
@ -42,8 +42,8 @@ IntrusivePtr<Val> binpac::Unified2::Flow::to_port(uint16_t n, uint8_t p)
|
|||
refine flow Flow += {
|
||||
|
||||
%member{
|
||||
IntrusivePtr<AddrVal> unified2_addr_to_bro_addr(std::vector<uint32_t>* a);
|
||||
IntrusivePtr<Val> to_port(uint16_t n, uint8_t p);
|
||||
zeek::IntrusivePtr<AddrVal> unified2_addr_to_bro_addr(std::vector<uint32_t>* a);
|
||||
zeek::IntrusivePtr<Val> to_port(uint16_t n, uint8_t p);
|
||||
%}
|
||||
|
||||
%init{
|
||||
|
|
@ -71,10 +71,10 @@ refine flow Flow += {
|
|||
%{
|
||||
if ( ::unified2_event )
|
||||
{
|
||||
auto ids_event = make_intrusive<RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
|
||||
auto ids_event = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
|
||||
ids_event->Assign(0, val_mgr->Count(${ev.sensor_id}));
|
||||
ids_event->Assign(1, val_mgr->Count(${ev.event_id}));
|
||||
ids_event->Assign(2, make_intrusive<TimeVal>(ts_to_double(${ev.ts})));
|
||||
ids_event->Assign(2, zeek::make_intrusive<TimeVal>(ts_to_double(${ev.ts})));
|
||||
ids_event->Assign(3, val_mgr->Count(${ev.signature_id}));
|
||||
ids_event->Assign(4, val_mgr->Count(${ev.generator_id}));
|
||||
ids_event->Assign(5, val_mgr->Count(${ev.signature_revision}));
|
||||
|
|
@ -97,10 +97,10 @@ refine flow Flow += {
|
|||
%{
|
||||
if ( ::unified2_event )
|
||||
{
|
||||
auto ids_event = make_intrusive<RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
|
||||
auto ids_event = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
|
||||
ids_event->Assign(0, val_mgr->Count(${ev.sensor_id}));
|
||||
ids_event->Assign(1, val_mgr->Count(${ev.event_id}));
|
||||
ids_event->Assign(2, make_intrusive<TimeVal>(ts_to_double(${ev.ts})));
|
||||
ids_event->Assign(2, zeek::make_intrusive<TimeVal>(ts_to_double(${ev.ts})));
|
||||
ids_event->Assign(3, val_mgr->Count(${ev.signature_id}));
|
||||
ids_event->Assign(4, val_mgr->Count(${ev.generator_id}));
|
||||
ids_event->Assign(5, val_mgr->Count(${ev.signature_revision}));
|
||||
|
|
@ -128,11 +128,11 @@ refine flow Flow += {
|
|||
%{
|
||||
if ( ::unified2_packet )
|
||||
{
|
||||
auto packet = make_intrusive<RecordVal>(zeek::BifType::Record::Unified2::Packet);
|
||||
auto packet = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::Unified2::Packet);
|
||||
packet->Assign(0, val_mgr->Count(${pkt.sensor_id}));
|
||||
packet->Assign(1, val_mgr->Count(${pkt.event_id}));
|
||||
packet->Assign(2, val_mgr->Count(${pkt.event_second}));
|
||||
packet->Assign(3, make_intrusive<TimeVal>(ts_to_double(${pkt.packet_ts})));
|
||||
packet->Assign(3, zeek::make_intrusive<TimeVal>(ts_to_double(${pkt.packet_ts})));
|
||||
packet->Assign(4, val_mgr->Count(${pkt.link_type}));
|
||||
packet->Assign(5, to_stringval(${pkt.packet_data}));
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
|
||||
// See the file "COPYING" in the main distribution directory for copyright.
|
||||
|
||||
#include <string>
|
||||
|
|
@ -91,40 +92,40 @@ static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bi
|
|||
|
||||
i2a_ASN1_OBJECT(bio, hash_alg);
|
||||
int len = BIO_read(bio, buf, sizeof(buf));
|
||||
vl->emplace_back(make_intrusive<StringVal>(len, buf));
|
||||
vl->emplace_back(zeek::make_intrusive<StringVal>(len, buf));
|
||||
BIO_reset(bio);
|
||||
|
||||
i2a_ASN1_STRING(bio, issuer_name_hash, V_ASN1_OCTET_STRING);
|
||||
len = BIO_read(bio, buf, sizeof(buf));
|
||||
vl->emplace_back(make_intrusive<StringVal>(len, buf));
|
||||
vl->emplace_back(zeek::make_intrusive<StringVal>(len, buf));
|
||||
BIO_reset(bio);
|
||||
|
||||
i2a_ASN1_STRING(bio, issuer_key_hash, V_ASN1_OCTET_STRING);
|
||||
len = BIO_read(bio, buf, sizeof(buf));
|
||||
vl->emplace_back(make_intrusive<StringVal>(len, buf));
|
||||
vl->emplace_back(zeek::make_intrusive<StringVal>(len, buf));
|
||||
BIO_reset(bio);
|
||||
|
||||
i2a_ASN1_INTEGER(bio, serial_number);
|
||||
len = BIO_read(bio, buf, sizeof(buf));
|
||||
vl->emplace_back(make_intrusive<StringVal>(len, buf));
|
||||
vl->emplace_back(zeek::make_intrusive<StringVal>(len, buf));
|
||||
BIO_reset(bio);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
file_analysis::Analyzer* OCSP::InstantiateRequest(IntrusivePtr<RecordVal> args,
|
||||
file_analysis::Analyzer* OCSP::InstantiateRequest(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file)
|
||||
{
|
||||
return new OCSP(std::move(args), file, true);
|
||||
}
|
||||
|
||||
file_analysis::Analyzer* OCSP::InstantiateReply(IntrusivePtr<RecordVal> args,
|
||||
file_analysis::Analyzer* OCSP::InstantiateReply(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file)
|
||||
{
|
||||
return new OCSP(std::move(args), file, false);
|
||||
}
|
||||
|
||||
file_analysis::OCSP::OCSP(IntrusivePtr<RecordVal> args, file_analysis::File* file,
|
||||
file_analysis::OCSP::OCSP(zeek::IntrusivePtr<RecordVal> args, file_analysis::File* file,
|
||||
bool arg_request)
|
||||
: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"),
|
||||
std::move(args), file),
|
||||
|
|
@ -210,9 +211,9 @@ typedef struct ocsp_basic_response_st {
|
|||
STACK_OF(X509) *certs;
|
||||
} OCSP_BASICRESP;
|
||||
*/
|
||||
static IntrusivePtr<StringVal> parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
|
||||
BIO* bio, char* buf,
|
||||
size_t buf_len)
|
||||
static zeek::IntrusivePtr<StringVal> parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp,
|
||||
BIO* bio, char* buf,
|
||||
size_t buf_len)
|
||||
{
|
||||
int der_basic_resp_len = 0;
|
||||
unsigned char* der_basic_resp_dat = nullptr;
|
||||
|
|
@ -277,14 +278,14 @@ static IntrusivePtr<StringVal> parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_re
|
|||
auto alg_obj = alg_obj_type->value.object;
|
||||
i2a_ASN1_OBJECT(bio, alg_obj);
|
||||
auto alg_len = BIO_read(bio, buf, buf_len);
|
||||
auto rval = make_intrusive<StringVal>(alg_len, buf);
|
||||
auto rval = zeek::make_intrusive<StringVal>(alg_len, buf);
|
||||
BIO_reset(bio);
|
||||
|
||||
OPENSSL_free(der_basic_resp_dat);
|
||||
return rval;
|
||||
}
|
||||
|
||||
static IntrusivePtr<Val> parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp)
|
||||
static zeek::IntrusivePtr<Val> parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp)
|
||||
{
|
||||
int der_basic_resp_len = 0;
|
||||
unsigned char* der_basic_resp_dat = nullptr;
|
||||
|
|
@ -459,7 +460,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
|
|||
memset(buf, 0, sizeof(buf));
|
||||
|
||||
const char *status_str = OCSP_response_status_str(OCSP_response_status(resp));
|
||||
auto status_val = make_intrusive<StringVal>(strlen(status_str), status_str);
|
||||
auto status_val = zeek::make_intrusive<StringVal>(strlen(status_str), status_str);
|
||||
|
||||
if ( ocsp_response_status )
|
||||
mgr.Enqueue(ocsp_response_status, GetFile()->ToVal(), status_val);
|
||||
|
|
@ -502,7 +503,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
|
|||
if ( OCSP_RESPID_bio(basic_resp, bio) )
|
||||
{
|
||||
len = BIO_read(bio, buf, sizeof(buf));
|
||||
vl.emplace_back(make_intrusive<StringVal>(len, buf));
|
||||
vl.emplace_back(zeek::make_intrusive<StringVal>(len, buf));
|
||||
BIO_reset(bio);
|
||||
}
|
||||
else
|
||||
|
|
@ -518,7 +519,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
|
|||
produced_at = OCSP_resp_get0_produced_at(basic_resp);
|
||||
#endif
|
||||
|
||||
vl.emplace_back(make_intrusive<TimeVal>(GetTimeFromAsn1(produced_at, GetFile(), reporter)));
|
||||
vl.emplace_back(zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(produced_at, GetFile(), reporter)));
|
||||
|
||||
// responses
|
||||
|
||||
|
|
@ -561,36 +562,36 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
|
|||
reporter->Weird("OpenSSL failed to find status of OCSP response");
|
||||
|
||||
const char* cert_status_str = OCSP_cert_status_str(status);
|
||||
rvl.emplace_back(make_intrusive<StringVal>(strlen(cert_status_str), cert_status_str));
|
||||
rvl.emplace_back(zeek::make_intrusive<StringVal>(strlen(cert_status_str), cert_status_str));
|
||||
|
||||
// revocation time and reason if revoked
|
||||
if ( status == V_OCSP_CERTSTATUS_REVOKED )
|
||||
{
|
||||
rvl.emplace_back(make_intrusive<TimeVal>(GetTimeFromAsn1(revoke_time, GetFile(), reporter)));
|
||||
rvl.emplace_back(zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(revoke_time, GetFile(), reporter)));
|
||||
|
||||
if ( reason != OCSP_REVOKED_STATUS_NOSTATUS )
|
||||
{
|
||||
const char* revoke_reason = OCSP_crl_reason_str(reason);
|
||||
rvl.emplace_back(make_intrusive<StringVal>(strlen(revoke_reason), revoke_reason));
|
||||
rvl.emplace_back(zeek::make_intrusive<StringVal>(strlen(revoke_reason), revoke_reason));
|
||||
}
|
||||
else
|
||||
rvl.emplace_back(make_intrusive<StringVal>(0, ""));
|
||||
rvl.emplace_back(zeek::make_intrusive<StringVal>(0, ""));
|
||||
}
|
||||
else
|
||||
{
|
||||
rvl.emplace_back(make_intrusive<TimeVal>(0.0));
|
||||
rvl.emplace_back(make_intrusive<StringVal>(0, ""));
|
||||
rvl.emplace_back(zeek::make_intrusive<TimeVal>(0.0));
|
||||
rvl.emplace_back(zeek::make_intrusive<StringVal>(0, ""));
|
||||
}
|
||||
|
||||
if ( this_update )
|
||||
rvl.emplace_back(make_intrusive<TimeVal>(GetTimeFromAsn1(this_update, GetFile(), reporter)));
|
||||
rvl.emplace_back(zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(this_update, GetFile(), reporter)));
|
||||
else
|
||||
rvl.emplace_back(make_intrusive<TimeVal>(0.0));
|
||||
rvl.emplace_back(zeek::make_intrusive<TimeVal>(0.0));
|
||||
|
||||
if ( next_update )
|
||||
rvl.emplace_back(make_intrusive<TimeVal>(GetTimeFromAsn1(next_update, GetFile(), reporter)));
|
||||
rvl.emplace_back(zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(next_update, GetFile(), reporter)));
|
||||
else
|
||||
rvl.emplace_back(make_intrusive<TimeVal>(0.0));
|
||||
rvl.emplace_back(zeek::make_intrusive<TimeVal>(0.0));
|
||||
|
||||
if ( ocsp_response_certificate )
|
||||
mgr.Enqueue(ocsp_response_certificate, std::move(rvl));
|
||||
|
|
@ -609,7 +610,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
|
|||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
|
||||
i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
|
||||
len = BIO_read(bio, buf, sizeof(buf));
|
||||
vl.emplace_back(make_intrusive<StringVal>(len, buf));
|
||||
vl.emplace_back(zeek::make_intrusive<StringVal>(len, buf));
|
||||
BIO_reset(bio);
|
||||
#else
|
||||
vl.emplace_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
|
||||
|
|
@ -617,11 +618,11 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
|
|||
|
||||
//i2a_ASN1_OBJECT(bio, basic_resp->signature);
|
||||
//len = BIO_read(bio, buf, sizeof(buf));
|
||||
//ocsp_resp_record->Assign(7, make_intrusive<StringVal>(len, buf));
|
||||
//ocsp_resp_record->Assign(7, zeek::make_intrusive<StringVal>(len, buf));
|
||||
//BIO_reset(bio);
|
||||
|
||||
certs_vector = new VectorVal(zeek::id::find_type<zeek::VectorType>("x509_opaque_vector"));
|
||||
vl.emplace_back(AdoptRef{}, certs_vector);
|
||||
vl.emplace_back(zeek::AdoptRef{}, certs_vector);
|
||||
|
||||
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
|
||||
certs = basic_resp->certs;
|
||||
|
|
@ -637,7 +638,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
|
|||
::X509 *this_cert = X509_dup(helper_sk_X509_value(certs, i));
|
||||
//::X509 *this_cert = X509_dup(sk_X509_value(certs, i));
|
||||
if (this_cert)
|
||||
certs_vector->Assign(i, make_intrusive<file_analysis::X509Val>(this_cert));
|
||||
certs_vector->Assign(i, zeek::make_intrusive<file_analysis::X509Val>(this_cert));
|
||||
else
|
||||
reporter->Weird("OpenSSL returned null certificate");
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,13 +18,13 @@ public:
|
|||
bool Undelivered(uint64_t offset, uint64_t len) override;
|
||||
bool EndOfFile() override;
|
||||
|
||||
static file_analysis::Analyzer* InstantiateRequest(IntrusivePtr<RecordVal> args,
|
||||
static file_analysis::Analyzer* InstantiateRequest(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file);
|
||||
static file_analysis::Analyzer* InstantiateReply(IntrusivePtr<RecordVal> args,
|
||||
static file_analysis::Analyzer* InstantiateReply(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file);
|
||||
|
||||
protected:
|
||||
OCSP(IntrusivePtr<RecordVal> args, File* file, bool request);
|
||||
OCSP(zeek::IntrusivePtr<RecordVal> args, File* file, bool request);
|
||||
|
||||
private:
|
||||
void ParseResponse(OCSP_RESPONSE*);
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@
|
|||
|
||||
using namespace file_analysis;
|
||||
|
||||
file_analysis::X509::X509(IntrusivePtr<RecordVal> args, file_analysis::File* file)
|
||||
file_analysis::X509::X509(zeek::IntrusivePtr<RecordVal> args, file_analysis::File* file)
|
||||
: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"),
|
||||
std::move(args), file)
|
||||
{
|
||||
|
|
@ -53,7 +53,7 @@ bool file_analysis::X509::EndOfFile()
|
|||
hash_update(ctx, cert_char, cert_data.size());
|
||||
hash_final(ctx, buf);
|
||||
std::string cert_sha256 = sha256_digest_print(buf);
|
||||
auto index = make_intrusive<StringVal>(cert_sha256);
|
||||
auto index = zeek::make_intrusive<StringVal>(cert_sha256);
|
||||
const auto& entry = certificate_cache->Find(index);
|
||||
|
||||
if ( entry )
|
||||
|
|
@ -65,7 +65,7 @@ bool file_analysis::X509::EndOfFile()
|
|||
// yup, let's call the callback.
|
||||
|
||||
cache_hit_callback->Invoke(GetFile()->ToVal(), entry,
|
||||
make_intrusive<StringVal>(cert_sha256));
|
||||
zeek::make_intrusive<StringVal>(cert_sha256));
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
@ -88,7 +88,7 @@ bool file_analysis::X509::EndOfFile()
|
|||
if ( x509_certificate )
|
||||
mgr.Enqueue(x509_certificate,
|
||||
GetFile()->ToVal(),
|
||||
IntrusivePtr{NewRef{}, cert_val},
|
||||
zeek::IntrusivePtr{zeek::NewRef{}, cert_val},
|
||||
cert_record);
|
||||
|
||||
// after parsing the certificate - parse the extensions...
|
||||
|
|
@ -113,25 +113,25 @@ bool file_analysis::X509::EndOfFile()
|
|||
return false;
|
||||
}
|
||||
|
||||
IntrusivePtr<RecordVal> file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
|
||||
zeek::IntrusivePtr<RecordVal> file_analysis::X509::ParseCertificate(X509Val* cert_val, File* f)
|
||||
{
|
||||
::X509* ssl_cert = cert_val->GetCertificate();
|
||||
|
||||
char buf[2048]; // we need a buffer for some of the openssl functions
|
||||
memset(buf, 0, sizeof(buf));
|
||||
|
||||
auto pX509Cert = make_intrusive<RecordVal>(zeek::BifType::Record::X509::Certificate);
|
||||
auto pX509Cert = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::Certificate);
|
||||
BIO *bio = BIO_new(BIO_s_mem());
|
||||
|
||||
pX509Cert->Assign(0, val_mgr->Count((uint64_t) X509_get_version(ssl_cert) + 1));
|
||||
i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
|
||||
int len = BIO_read(bio, buf, sizeof(buf));
|
||||
pX509Cert->Assign(1, make_intrusive<StringVal>(len, buf));
|
||||
pX509Cert->Assign(1, zeek::make_intrusive<StringVal>(len, buf));
|
||||
BIO_reset(bio);
|
||||
|
||||
X509_NAME_print_ex(bio, X509_get_subject_name(ssl_cert), 0, XN_FLAG_RFC2253);
|
||||
len = BIO_gets(bio, buf, sizeof(buf));
|
||||
pX509Cert->Assign(2, make_intrusive<StringVal>(len, buf));
|
||||
pX509Cert->Assign(2, zeek::make_intrusive<StringVal>(len, buf));
|
||||
BIO_reset(bio);
|
||||
|
||||
X509_NAME *subject_name = X509_get_subject_name(ssl_cert);
|
||||
|
|
@ -151,17 +151,17 @@ IntrusivePtr<RecordVal> file_analysis::X509::ParseCertificate(X509Val* cert_val,
|
|||
// we found a common name
|
||||
ASN1_STRING_print(bio, X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, namepos)));
|
||||
len = BIO_gets(bio, buf, sizeof(buf));
|
||||
pX509Cert->Assign(4, make_intrusive<StringVal>(len, buf));
|
||||
pX509Cert->Assign(4, zeek::make_intrusive<StringVal>(len, buf));
|
||||
BIO_reset(bio);
|
||||
}
|
||||
|
||||
X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253);
|
||||
len = BIO_gets(bio, buf, sizeof(buf));
|
||||
pX509Cert->Assign(3, make_intrusive<StringVal>(len, buf));
|
||||
pX509Cert->Assign(3, zeek::make_intrusive<StringVal>(len, buf));
|
||||
BIO_free(bio);
|
||||
|
||||
pX509Cert->Assign(5, make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter)));
|
||||
pX509Cert->Assign(6, make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter)));
|
||||
pX509Cert->Assign(5, zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter)));
|
||||
pX509Cert->Assign(6, zeek::make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter)));
|
||||
|
||||
// we only read 255 bytes because byte 256 is always 0.
|
||||
// if the string is longer than 255, that will be our null-termination,
|
||||
|
|
@ -171,7 +171,7 @@ IntrusivePtr<RecordVal> file_analysis::X509::ParseCertificate(X509Val* cert_val,
|
|||
if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) )
|
||||
buf[0] = 0;
|
||||
|
||||
pX509Cert->Assign(7, make_intrusive<StringVal>(buf));
|
||||
pX509Cert->Assign(7, zeek::make_intrusive<StringVal>(buf));
|
||||
|
||||
// Special case for RDP server certificates. For some reason some (all?) RDP server
|
||||
// certificates like to specify their key algorithm as md5WithRSAEncryption, which
|
||||
|
|
@ -193,25 +193,25 @@ IntrusivePtr<RecordVal> file_analysis::X509::ParseCertificate(X509Val* cert_val,
|
|||
if ( ! i2t_ASN1_OBJECT(buf, 255, OBJ_nid2obj(X509_get_signature_nid(ssl_cert))) )
|
||||
buf[0] = 0;
|
||||
|
||||
pX509Cert->Assign(8, make_intrusive<StringVal>(buf));
|
||||
pX509Cert->Assign(8, zeek::make_intrusive<StringVal>(buf));
|
||||
|
||||
// Things we can do when we have the key...
|
||||
EVP_PKEY *pkey = X509_extract_key(ssl_cert);
|
||||
if ( pkey != NULL )
|
||||
{
|
||||
if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA )
|
||||
pX509Cert->Assign(9, make_intrusive<StringVal>("dsa"));
|
||||
pX509Cert->Assign(9, zeek::make_intrusive<StringVal>("dsa"));
|
||||
|
||||
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA )
|
||||
{
|
||||
pX509Cert->Assign(9, make_intrusive<StringVal>("rsa"));
|
||||
pX509Cert->Assign(9, zeek::make_intrusive<StringVal>("rsa"));
|
||||
|
||||
const BIGNUM *e;
|
||||
RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL);
|
||||
char *exponent = BN_bn2dec(e);
|
||||
if ( exponent != NULL )
|
||||
{
|
||||
pX509Cert->Assign(11, make_intrusive<StringVal>(exponent));
|
||||
pX509Cert->Assign(11, zeek::make_intrusive<StringVal>(exponent));
|
||||
OPENSSL_free(exponent);
|
||||
exponent = NULL;
|
||||
}
|
||||
|
|
@ -219,7 +219,7 @@ IntrusivePtr<RecordVal> file_analysis::X509::ParseCertificate(X509Val* cert_val,
|
|||
#ifndef OPENSSL_NO_EC
|
||||
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_EC )
|
||||
{
|
||||
pX509Cert->Assign(9, make_intrusive<StringVal>("ecdsa"));
|
||||
pX509Cert->Assign(9, zeek::make_intrusive<StringVal>("ecdsa"));
|
||||
pX509Cert->Assign(12, KeyCurve(pkey));
|
||||
}
|
||||
#endif
|
||||
|
|
@ -290,7 +290,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
|
|||
{
|
||||
if ( x509_ext_basic_constraints )
|
||||
{
|
||||
auto pBasicConstraint = make_intrusive<RecordVal>(zeek::BifType::Record::X509::BasicConstraints);
|
||||
auto pBasicConstraint = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::BasicConstraints);
|
||||
pBasicConstraint->Assign(0, val_mgr->Bool(constr->ca));
|
||||
|
||||
if ( constr->pathlen )
|
||||
|
|
@ -340,10 +340,10 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
|
|||
return;
|
||||
}
|
||||
|
||||
IntrusivePtr<VectorVal> names;
|
||||
IntrusivePtr<VectorVal> emails;
|
||||
IntrusivePtr<VectorVal> uris;
|
||||
IntrusivePtr<VectorVal> ips;
|
||||
zeek::IntrusivePtr<VectorVal> names;
|
||||
zeek::IntrusivePtr<VectorVal> emails;
|
||||
zeek::IntrusivePtr<VectorVal> uris;
|
||||
zeek::IntrusivePtr<VectorVal> ips;
|
||||
|
||||
bool otherfields = false;
|
||||
|
||||
|
|
@ -365,27 +365,27 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
|
|||
#else
|
||||
const char* name = (const char*) ASN1_STRING_get0_data(gen->d.ia5);
|
||||
#endif
|
||||
auto bs = make_intrusive<StringVal>(name);
|
||||
auto bs = zeek::make_intrusive<StringVal>(name);
|
||||
|
||||
switch ( gen->type )
|
||||
{
|
||||
case GEN_DNS:
|
||||
if ( names == nullptr )
|
||||
names = make_intrusive<VectorVal>(zeek::id::string_vec);
|
||||
names = zeek::make_intrusive<VectorVal>(zeek::id::string_vec);
|
||||
|
||||
names->Assign(names->Size(), std::move(bs));
|
||||
break;
|
||||
|
||||
case GEN_URI:
|
||||
if ( uris == nullptr )
|
||||
uris = make_intrusive<VectorVal>(zeek::id::string_vec);
|
||||
uris = zeek::make_intrusive<VectorVal>(zeek::id::string_vec);
|
||||
|
||||
uris->Assign(uris->Size(), std::move(bs));
|
||||
break;
|
||||
|
||||
case GEN_EMAIL:
|
||||
if ( emails == nullptr )
|
||||
emails = make_intrusive<VectorVal>(zeek::id::string_vec);
|
||||
emails = zeek::make_intrusive<VectorVal>(zeek::id::string_vec);
|
||||
|
||||
emails->Assign(emails->Size(), std::move(bs));
|
||||
break;
|
||||
|
|
@ -395,15 +395,15 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
|
|||
else if ( gen->type == GEN_IPADD )
|
||||
{
|
||||
if ( ips == nullptr )
|
||||
ips = make_intrusive<VectorVal>(zeek::id::find_type<zeek::VectorType>("addr_vec"));
|
||||
ips = zeek::make_intrusive<VectorVal>(zeek::id::find_type<zeek::VectorType>("addr_vec"));
|
||||
|
||||
uint32_t* addr = (uint32_t*) gen->d.ip->data;
|
||||
|
||||
if( gen->d.ip->length == 4 )
|
||||
ips->Assign(ips->Size(), make_intrusive<AddrVal>(*addr));
|
||||
ips->Assign(ips->Size(), zeek::make_intrusive<AddrVal>(*addr));
|
||||
|
||||
else if ( gen->d.ip->length == 16 )
|
||||
ips->Assign(ips->Size(), make_intrusive<AddrVal>(addr));
|
||||
ips->Assign(ips->Size(), zeek::make_intrusive<AddrVal>(addr));
|
||||
|
||||
else
|
||||
{
|
||||
|
|
@ -421,7 +421,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
|
|||
}
|
||||
}
|
||||
|
||||
auto sanExt = make_intrusive<RecordVal>(zeek::BifType::Record::X509::SubjectAlternativeName);
|
||||
auto sanExt = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::SubjectAlternativeName);
|
||||
|
||||
if ( names != nullptr )
|
||||
sanExt->Assign(0, names);
|
||||
|
|
@ -443,7 +443,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
|
|||
GENERAL_NAMES_free(altname);
|
||||
}
|
||||
|
||||
IntrusivePtr<StringVal> file_analysis::X509::KeyCurve(EVP_PKEY* key)
|
||||
zeek::IntrusivePtr<StringVal> file_analysis::X509::KeyCurve(EVP_PKEY* key)
|
||||
{
|
||||
assert(key != nullptr);
|
||||
|
||||
|
|
@ -472,7 +472,7 @@ IntrusivePtr<StringVal> file_analysis::X509::KeyCurve(EVP_PKEY* key)
|
|||
if ( curve_name == nullptr )
|
||||
return nullptr;
|
||||
|
||||
return make_intrusive<StringVal>(curve_name);
|
||||
return zeek::make_intrusive<StringVal>(curve_name);
|
||||
#endif
|
||||
}
|
||||
|
||||
|
|
@ -543,9 +543,9 @@ X509Val::~X509Val()
|
|||
X509_free(certificate);
|
||||
}
|
||||
|
||||
IntrusivePtr<Val> X509Val::DoClone(CloneState* state)
|
||||
zeek::IntrusivePtr<Val> X509Val::DoClone(CloneState* state)
|
||||
{
|
||||
auto copy = make_intrusive<X509Val>();
|
||||
auto copy = zeek::make_intrusive<X509Val>();
|
||||
if ( certificate )
|
||||
copy->certificate = X509_dup(certificate);
|
||||
|
||||
|
|
|
|||
|
|
@ -86,9 +86,9 @@ public:
|
|||
* @param Returns the new record value and passes ownership to
|
||||
* caller.
|
||||
*/
|
||||
static IntrusivePtr<RecordVal> ParseCertificate(X509Val* cert_val, File* file = nullptr);
|
||||
static zeek::IntrusivePtr<RecordVal> ParseCertificate(X509Val* cert_val, File* file = nullptr);
|
||||
|
||||
static file_analysis::Analyzer* Instantiate(IntrusivePtr<RecordVal> args,
|
||||
static file_analysis::Analyzer* Instantiate(zeek::IntrusivePtr<RecordVal> args,
|
||||
File* file)
|
||||
{ return new X509(std::move(args), file); }
|
||||
|
||||
|
|
@ -117,17 +117,17 @@ public:
|
|||
/**
|
||||
* Sets the table[string] that used as the certificate cache inside of Zeek.
|
||||
*/
|
||||
static void SetCertificateCache(IntrusivePtr<TableVal> cache)
|
||||
static void SetCertificateCache(zeek::IntrusivePtr<TableVal> cache)
|
||||
{ certificate_cache = std::move(cache); }
|
||||
|
||||
/**
|
||||
* Sets the callback when a certificate cache hit is encountered
|
||||
*/
|
||||
static void SetCertificateCacheHitCallback(IntrusivePtr<Func> func)
|
||||
static void SetCertificateCacheHitCallback(zeek::IntrusivePtr<Func> func)
|
||||
{ cache_hit_callback = std::move(func); }
|
||||
|
||||
protected:
|
||||
X509(IntrusivePtr<RecordVal> args, File* file);
|
||||
X509(zeek::IntrusivePtr<RecordVal> args, File* file);
|
||||
|
||||
private:
|
||||
void ParseBasicConstraints(X509_EXTENSION* ex);
|
||||
|
|
@ -137,12 +137,12 @@ private:
|
|||
std::string cert_data;
|
||||
|
||||
// Helpers for ParseCertificate.
|
||||
static IntrusivePtr<StringVal> KeyCurve(EVP_PKEY* key);
|
||||
static zeek::IntrusivePtr<StringVal> KeyCurve(EVP_PKEY* key);
|
||||
static unsigned int KeyLength(EVP_PKEY *key);
|
||||
/** X509 stores associated with global script-layer values */
|
||||
inline static std::map<Val*, X509_STORE*> x509_stores = std::map<Val*, X509_STORE*>();
|
||||
inline static IntrusivePtr<TableVal> certificate_cache = nullptr;
|
||||
inline static IntrusivePtr<Func> cache_hit_callback = nullptr;
|
||||
inline static zeek::IntrusivePtr<TableVal> certificate_cache = nullptr;
|
||||
inline static zeek::IntrusivePtr<Func> cache_hit_callback = nullptr;
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
@ -170,7 +170,7 @@ public:
|
|||
*
|
||||
* @return A cloned X509Val.
|
||||
*/
|
||||
IntrusivePtr<Val> DoClone(CloneState* state) override;
|
||||
zeek::IntrusivePtr<Val> DoClone(CloneState* state) override;
|
||||
|
||||
/**
|
||||
* Destructor.
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
using namespace file_analysis;
|
||||
|
||||
X509Common::X509Common(const file_analysis::Tag& arg_tag,
|
||||
IntrusivePtr<RecordVal> arg_args, File* arg_file)
|
||||
zeek::IntrusivePtr<RecordVal> arg_args, File* arg_file)
|
||||
: file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file)
|
||||
{
|
||||
}
|
||||
|
|
@ -268,15 +268,15 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
|
|||
}
|
||||
|
||||
if ( ! ext_val )
|
||||
ext_val = make_intrusive<StringVal>(0, "");
|
||||
ext_val = zeek::make_intrusive<StringVal>(0, "");
|
||||
|
||||
auto pX509Ext = make_intrusive<RecordVal>(zeek::BifType::Record::X509::Extension);
|
||||
pX509Ext->Assign(0, make_intrusive<StringVal>(name));
|
||||
auto pX509Ext = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::Extension);
|
||||
pX509Ext->Assign(0, zeek::make_intrusive<StringVal>(name));
|
||||
|
||||
if ( short_name and strlen(short_name) > 0 )
|
||||
pX509Ext->Assign(1, make_intrusive<StringVal>(short_name));
|
||||
pX509Ext->Assign(1, zeek::make_intrusive<StringVal>(short_name));
|
||||
|
||||
pX509Ext->Assign(2, make_intrusive<StringVal>(oid));
|
||||
pX509Ext->Assign(2, zeek::make_intrusive<StringVal>(oid));
|
||||
pX509Ext->Assign(3, val_mgr->Bool(critical));
|
||||
pX509Ext->Assign(4, ext_val);
|
||||
|
||||
|
|
@ -298,7 +298,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
|
|||
ParseExtensionsSpecific(ex, global, ext_asn, oid);
|
||||
}
|
||||
|
||||
IntrusivePtr<StringVal> file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
|
||||
zeek::IntrusivePtr<StringVal> file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
|
||||
{
|
||||
BIO_flush(bio);
|
||||
ERR_clear_error();
|
||||
|
|
@ -331,7 +331,7 @@ IntrusivePtr<StringVal> file_analysis::X509Common::GetExtensionFromBIO(BIO* bio,
|
|||
}
|
||||
|
||||
BIO_read(bio, (void*) buffer, length);
|
||||
auto ext_val = make_intrusive<StringVal>(length, buffer);
|
||||
auto ext_val = zeek::make_intrusive<StringVal>(length, buffer);
|
||||
|
||||
free(buffer);
|
||||
BIO_free_all(bio);
|
||||
|
|
|
|||
|
|
@ -35,13 +35,13 @@ public:
|
|||
*
|
||||
* @return The X509 extension value.
|
||||
*/
|
||||
static IntrusivePtr<StringVal> GetExtensionFromBIO(BIO* bio, File* f = nullptr);
|
||||
static zeek::IntrusivePtr<StringVal> GetExtensionFromBIO(BIO* bio, File* f = nullptr);
|
||||
|
||||
static double GetTimeFromAsn1(const ASN1_TIME* atime, File* f, Reporter* reporter);
|
||||
|
||||
protected:
|
||||
X509Common(const file_analysis::Tag& arg_tag,
|
||||
IntrusivePtr<RecordVal> arg_args, File* arg_file);
|
||||
zeek::IntrusivePtr<RecordVal> arg_args, File* arg_file);
|
||||
|
||||
void ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bool global);
|
||||
void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);
|
||||
|
|
|
|||
|
|
@ -11,12 +11,12 @@
|
|||
#include <openssl/err.h>
|
||||
|
||||
// construct an error record
|
||||
static IntrusivePtr<RecordVal> x509_result_record(uint64_t num, const char* reason, IntrusivePtr<Val> chainVector = nullptr)
|
||||
static zeek::IntrusivePtr<RecordVal> x509_result_record(uint64_t num, const char* reason, zeek::IntrusivePtr<Val> chainVector = nullptr)
|
||||
{
|
||||
auto rrecord = make_intrusive<RecordVal>(zeek::BifType::Record::X509::Result);
|
||||
auto rrecord = zeek::make_intrusive<RecordVal>(zeek::BifType::Record::X509::Result);
|
||||
|
||||
rrecord->Assign(0, val_mgr->Int(num));
|
||||
rrecord->Assign(1, make_intrusive<StringVal>(reason));
|
||||
rrecord->Assign(1, zeek::make_intrusive<StringVal>(reason));
|
||||
if ( chainVector )
|
||||
rrecord->Assign(2, std::move(chainVector));
|
||||
|
||||
|
|
@ -161,7 +161,7 @@ function x509_parse%(cert: opaque of x509%): X509::Certificate
|
|||
function x509_from_der%(der: string%): opaque of x509
|
||||
%{
|
||||
const u_char* data = der->Bytes();
|
||||
return make_intrusive<file_analysis::X509Val>(d2i_X509(nullptr, &data, der->Len()));
|
||||
return zeek::make_intrusive<file_analysis::X509Val>(d2i_X509(nullptr, &data, der->Len()));
|
||||
%}
|
||||
|
||||
## Returns the string form of a certificate.
|
||||
|
|
@ -215,7 +215,7 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
|
|||
## x509_get_certificate_string x509_verify
|
||||
function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
|
||||
%{
|
||||
IntrusivePtr<RecordVal> rval;
|
||||
zeek::IntrusivePtr<RecordVal> rval;
|
||||
X509_STORE* ctx = ::file_analysis::X509::GetRootStore(root_certs->AsTableVal());
|
||||
if ( ! ctx )
|
||||
return x509_result_record(-1, "Problem initializing root store");
|
||||
|
|
@ -542,7 +542,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
|
|||
|
||||
int result = X509_verify_cert(csc);
|
||||
|
||||
IntrusivePtr<VectorVal> chainVector;
|
||||
zeek::IntrusivePtr<VectorVal> chainVector;
|
||||
|
||||
if ( result == 1 ) // we have a valid chain. try to get it...
|
||||
{
|
||||
|
|
@ -556,7 +556,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
|
|||
}
|
||||
|
||||
int num_certs = sk_X509_num(chain);
|
||||
chainVector = make_intrusive<VectorVal>(zeek::id::find_type<VectorType>("x509_opaque_vector"));
|
||||
chainVector = zeek::make_intrusive<VectorVal>(zeek::id::find_type<VectorType>("x509_opaque_vector"));
|
||||
|
||||
for ( int i = 0; i < num_certs; i++ )
|
||||
{
|
||||
|
|
@ -564,7 +564,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
|
|||
|
||||
if ( currcert )
|
||||
// X509Val takes ownership of currcert.
|
||||
chainVector->Assign(i, make_intrusive<file_analysis::X509Val>(currcert));
|
||||
chainVector->Assign(i, zeek::make_intrusive<file_analysis::X509Val>(currcert));
|
||||
else
|
||||
{
|
||||
reporter->InternalWarning("OpenSSL returned null certificate");
|
||||
|
|
@ -761,7 +761,7 @@ sct_verify_err:
|
|||
* 1 -> issuer name
|
||||
* 2 -> pubkey
|
||||
*/
|
||||
IntrusivePtr<StringVal> x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type)
|
||||
zeek::IntrusivePtr<StringVal> x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type)
|
||||
{
|
||||
assert(cert_handle);
|
||||
|
||||
|
|
@ -824,7 +824,7 @@ IntrusivePtr<StringVal> x509_entity_hash(file_analysis::X509Val *cert_handle, un
|
|||
|
||||
assert( len <= sizeof(md) );
|
||||
|
||||
return make_intrusive<StringVal>(len, reinterpret_cast<const char*>(md));
|
||||
return zeek::make_intrusive<StringVal>(len, reinterpret_cast<const char*>(md));
|
||||
}
|
||||
%%}
|
||||
|
||||
|
|
@ -900,7 +900,7 @@ function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string
|
|||
## .. zeek:see:: x509_set_certificate_cache_hit_callback
|
||||
function x509_set_certificate_cache%(tbl: string_any_table%) : bool
|
||||
%{
|
||||
file_analysis::X509::SetCertificateCache({NewRef{}, tbl->AsTableVal()});
|
||||
file_analysis::X509::SetCertificateCache({zeek::NewRef{}, tbl->AsTableVal()});
|
||||
|
||||
return val_mgr->True();
|
||||
%}
|
||||
|
|
@ -918,7 +918,7 @@ function x509_set_certificate_cache%(tbl: string_any_table%) : bool
|
|||
## .. zeek:see:: x509_set_certificate_cache
|
||||
function x509_set_certificate_cache_hit_callback%(f: string_any_file_hook%) : bool
|
||||
%{
|
||||
file_analysis::X509::SetCertificateCacheHitCallback({NewRef{}, f->AsFunc()});
|
||||
file_analysis::X509::SetCertificateCacheHitCallback({zeek::NewRef{}, f->AsFunc()});
|
||||
|
||||
return val_mgr->True();
|
||||
%}
|
||||
|
|
|
|||
|
|
@ -41,11 +41,11 @@ refine connection MockConnection += {
|
|||
mgr.Enqueue(x509_ocsp_ext_signed_certificate_timestamp,
|
||||
bro_analyzer()->GetFile()->ToVal(),
|
||||
val_mgr->Count(version),
|
||||
make_intrusive<StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())),
|
||||
zeek::make_intrusive<StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())),
|
||||
val_mgr->Count(timestamp),
|
||||
val_mgr->Count(digitally_signed_algorithms->HashAlgorithm()),
|
||||
val_mgr->Count(digitally_signed_algorithms->SignatureAlgorithm()),
|
||||
make_intrusive<StringVal>(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
|
||||
zeek::make_intrusive<StringVal>(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
|
||||
);
|
||||
|
||||
return true;
|
||||
|
|
|
|||
|
|
@ -70,8 +70,8 @@ function Files::__stop%(file_id: string%): bool
|
|||
## :zeek:see:`Files::analyzer_name`.
|
||||
function Files::__analyzer_name%(tag: Files::Tag%) : string
|
||||
%{
|
||||
const auto& n = file_mgr->GetComponentName(IntrusivePtr{NewRef{}, tag->AsEnumVal()});
|
||||
return make_intrusive<StringVal>(n);
|
||||
const auto& n = file_mgr->GetComponentName(zeek::IntrusivePtr{zeek::NewRef{}, tag->AsEnumVal()});
|
||||
return zeek::make_intrusive<StringVal>(n);
|
||||
%}
|
||||
|
||||
## :zeek:see:`Files::file_exists`.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue