Merge remote-tracking branch 'MaxKellermann/includes'

* MaxKellermann/includes: broker: include cleanup file_analysis: include cleanup file_analysis/Analyzer: eliminate duplicate constructor probabilistic/Topk: include cleanup digest: eliminate the "Reporter.h" include Val: eliminate the "RE.h" include Val: eliminate the "BroString.h" include Val: eliminate the "CompHash.h" include Val: forward-declare class PDict, reduce includes Val: eliminate the "Scope.h" include
2025-10-02 14:48:21 +00:00 · 2020-02-14 10:29:36 -07:00 · 2020-02-14 10:29:36 -07:00 · cf8496dc0a
commit cf8496dc0a
parent a5166086db c6ffec02fc
58 changed files with 283 additions and 136 deletions
--- a/23
+++ b/23
@ -1,4 +1,27 @@

+3.2.0-dev.36 | 2020-02-14 10:29:36 -0700
+
+  * broker: include cleanup (Max Kellermann)
+
+  * file_analysis: include cleanup (Max Kellermann)
+
+  * file_analysis/Analyzer: eliminate duplicate constructor (Max Kellermann)
+
+  * probabilistic/Topk: include cleanup (Max Kellermann)
+
+  * digest: eliminate the "Reporter.h" include (Max Kellermann)
+
+  * Val: eliminate the "RE.h" include (Max Kellermann)
+
+  * Val: eliminate the "BroString.h" include (Max Kellermann)
+
+  * Val: eliminate the "CompHash.h" include (Max Kellermann)
+
+  * Val: forward-declare class PDict, reduce includes (Max Kellermann)
+
+  * Val: eliminate the "Scope.h" include (Max Kellermann)
+
+
 3.2.0-dev.25 | 2020-02-13 19:05:56 -0800

  * Reset the number of entries in a dict when calling Clear() (Tim Wojtulewicz, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-3.2.0-dev.25
+3.2.0-dev.36
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -205,6 +205,7 @@ set_source_files_properties(nb_dns.c PROPERTIES COMPILE_FLAGS

 set(MAIN_SRCS
    main.cc
+    digest.cc
    net_util.cc
    util.cc
    module_util.cc
--- a/src/CompHash.cc
+++ b/src/CompHash.cc
@ -3,7 +3,10 @@
 #include "zeek-config.h"

 #include "CompHash.h"
+#include "BroString.h"
+#include "Dict.h"
 #include "Val.h"
+#include "RE.h"
 #include "Reporter.h"
 #include "Func.h"

--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@ -31,6 +31,7 @@

 #include <algorithm>

+#include "BroString.h"
 #include "Event.h"
 #include "Net.h"
 #include "Val.h"
--- a/src/Discard.cc
+++ b/src/Discard.cc
@ -6,6 +6,7 @@

 #include <algorithm>

+#include "BroString.h"
 #include "Net.h"
 #include "Func.h"
 #include "Var.h"
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@ -4,6 +4,7 @@
 #include "Func.h"
 #include "Scope.h"
 #include "NetVar.h"
+#include "ID.h"

 #include "broker/Manager.h"
 #include "broker/Data.h"
--- a/src/Frame.cc
+++ b/src/Frame.cc
@ -10,6 +10,7 @@
 #include "IntrusivePtr.h"
 #include "Trigger.h"
 #include "Val.h"
+#include "ID.h"

 vector<Frame*> g_frame_stack;

--- a/src/IP.cc
+++ b/src/IP.cc
@ -10,6 +10,7 @@
 #include "Type.h"
 #include "Val.h"
 #include "Var.h"
+#include "BroString.h"
 #include "Reporter.h"

 static RecordType* ip4_hdr_type = 0;
--- a/src/Net.cc
+++ b/src/Net.cc
@ -30,6 +30,7 @@ extern "C" {
 #include "Timer.h"
 #include "Var.h"
 #include "Reporter.h"
+#include "Scope.h"
 #include "Anon.h"
 #include "PacketDumper.h"
 #include "iosource/Manager.h"
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@ -3,8 +3,10 @@
 #include <memory>

 #include "OpaqueVal.h"
+#include "CompHash.h"
 #include "NetVar.h"
 #include "Reporter.h"
+#include "Scope.h"
 #include "Desc.h"
 #include "Var.h"
 #include "probabilistic/BloomFilter.h"
--- a/src/Reporter.cc
+++ b/src/Reporter.cc
@ -15,6 +15,7 @@
 #include "Net.h"
 #include "Conn.h"
 #include "Timer.h"
+#include "Var.h" // for internal_val()
 #include "EventHandler.h"
 #include "plugin/Plugin.h"
 #include "plugin/Manager.h"
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@ -7,6 +7,7 @@

 #include "RuleAction.h"
 #include "RuleCondition.h"
+#include "BroString.h"
 #include "ID.h"
 #include "IntSet.h"
 #include "IP.h"
--- a/src/Stmt.cc
+++ b/src/Stmt.cc
@ -2,6 +2,7 @@

 #include "zeek-config.h"

+#include "CompHash.h"
 #include "Expr.h"
 #include "Event.h"
 #include "Frame.h"
--- a/src/Val.cc
+++ b/src/Val.cc
@ -14,6 +14,9 @@
 #include <stdlib.h>

 #include "Attr.h"
+#include "BroString.h"
+#include "CompHash.h"
+#include "Dict.h"
 #include "Net.h"
 #include "File.h"
 #include "Func.h"
@ -28,6 +31,7 @@
 #include "Conn.h"
 #include "Reporter.h"
 #include "IPAddr.h"
+#include "Var.h" // for internal_type()

 #include "broker/Data.h"

@ -363,6 +367,11 @@ void Val::ValDescribeReST(ODesc* d) const


 #ifdef DEBUG
+ID* Val::GetID() const
+	{
+	return bound_id ? global_scope()->Lookup(bound_id) : 0;
+	}
+
 void Val::SetID(ID* id)
 	{
 	delete [] bound_id;
@ -991,6 +1000,26 @@ StringVal::StringVal(const string& s) : Val(TYPE_STRING)
 	val.string_val = new BroString(reinterpret_cast<const u_char*>(s.data()), s.length(), 1);
 	}

+Val* StringVal::SizeVal() const
+	{
+	return val_mgr->GetCount(val.string_val->Len());
+	}
+
+int StringVal::Len()
+	{
+	return AsString()->Len();
+	}
+
+const u_char* StringVal::Bytes()
+	{
+	return AsString()->Bytes();
+	}
+
+const char* StringVal::CheckString()
+	{
+	return AsString()->CheckString();
+	}
+
 string StringVal::ToStdString() const
 	{
 	auto* bs = AsString();
@ -1352,6 +1381,11 @@ void TableVal::RemoveAll()
 	val.table_val->SetDeleteFunc(table_entry_val_delete_func);
 	}

+int TableVal::Size() const
+	{
+	return AsTable()->Length();
+	}
+
 int TableVal::RecursiveSize() const
 	{
 	int n = AsTable()->Length();
@ -2544,6 +2578,11 @@ unsigned int TableVal::MemoryAllocation() const
 		+ table_hash->MemoryAllocation();
 	}

+HashKey* TableVal::ComputeHash(const Val* index) const
+	{
+	return table_hash->ComputeHash(index, 1);
+	}
+
 vector<RecordVal*> RecordVal::parse_time_records;

 RecordVal::RecordVal(RecordType* t, bool init_fields) : Val(t)
--- a/src/Val.h
+++ b/src/Val.h
@ -3,13 +3,8 @@
 #pragma once

 #include "Type.h"
-#include "Dict.h"
-#include "CompHash.h"
-#include "BroString.h"
 #include "Timer.h"
-#include "Scope.h"
 #include "Notifier.h"
-#include "RE.h"
 #include "net_util.h"

 #include <vector>
@ -32,7 +27,11 @@ using std::string;
 #define UDP_PORT_MASK	0x20000
 #define ICMP_PORT_MASK	0x30000

+template<typename T> class PDict;
+class IterCookie;
+
 class Val;
+class BroString;
 class BroFunc;
 class Func;
 class BroFile;
@ -60,6 +59,8 @@ class VectorVal;

 class TableEntryVal;

+class RE_Matcher;
+
 typedef union {
 	// Used for bool, int, enum.
 	bro_int_t int_val;
@ -286,10 +287,7 @@ public:
 #ifdef DEBUG
 	// For debugging, we keep a reference to the global ID to which a
 	// value has been bound *last*.
-	ID* GetID() const
-		{
-		return bound_id ? global_scope()->Lookup(bound_id) : 0;
-		}
+	ID* GetID() const;

 	void SetID(ID* id);
 #endif
@ -549,12 +547,11 @@ public:
 	explicit StringVal(const string& s);
 	StringVal(int length, const char* s);

-	Val* SizeVal() const override
-		{ return val_mgr->GetCount(val.string_val->Len()); }
+	Val* SizeVal() const override;

-	int Len()		{ return AsString()->Len(); }
-	const u_char* Bytes()	{ return AsString()->Bytes(); }
-	const char* CheckString() { return AsString()->CheckString(); }
+	int Len();
+	const u_char* Bytes();
+	const char* CheckString();

 	// Note that one needs to de-allocate the return value of
 	// ExpandedString() to avoid a memory leak.
@ -700,6 +697,7 @@ protected:
 };

 class CompositeHash;
+class HashKey;
 class Frame;

 class TableVal : public Val, public notifier::Modifiable {
@ -790,7 +788,7 @@ public:
 	Attributes* Attrs()	{ return attrs; }

 	// Returns the size of the table.
-	int Size() const	{ return AsTable()->Length(); }
+	int Size() const;
 	int RecursiveSize() const;

 	// Returns the Prefix table used inside the table (if present).
@ -816,8 +814,7 @@ public:
 			timer = 0;
 		}

-	HashKey* ComputeHash(const Val* index) const
-		{ return table_hash->ComputeHash(index, 1); }
+	HashKey* ComputeHash(const Val* index) const;

 	notifier::Modifiable* Modifiable() override	{ return this; }

--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@ -7,6 +7,7 @@
 #include "binpac.h"

 #include "analyzer/protocol/pia/PIA.h"
+#include "../BroString.h"
 #include "../Event.h"

 namespace analyzer {
--- a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac
+++ b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac
@ -1,5 +1,6 @@
 %extern{
 #include "Sessions.h"
+#include "Conn.h"
 %}

 connection AYIYA_Conn(bro_analyzer: BroAnalyzer)
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@ -9,6 +9,7 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>

+#include "BroString.h"
 #include "NetVar.h"
 #include "Sessions.h"
 #include "Event.h"
--- a/src/analyzer/protocol/ftp/FTP.cc
+++ b/src/analyzer/protocol/ftp/FTP.cc
@ -5,6 +5,7 @@

 #include <stdlib.h>

+#include "BroString.h"
 #include "NetVar.h"
 #include "Event.h"
 #include "Base64.h"
--- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
+++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
@ -1,5 +1,6 @@
 %extern{
 #include "Sessions.h"
+#include "BroString.h"
 %}

 %code{
--- a/src/analyzer/protocol/ident/Ident.cc
+++ b/src/analyzer/protocol/ident/Ident.cc
@ -4,6 +4,7 @@

 #include <ctype.h>

+#include "BroString.h"
 #include "NetVar.h"
 #include "Ident.h"
 #include "Event.h"
--- a/src/analyzer/protocol/login/Login.cc
+++ b/src/analyzer/protocol/login/Login.cc
@ -6,6 +6,7 @@
 #include <ctype.h>
 #include <stdlib.h>

+#include "BroString.h"
 #include "NetVar.h"
 #include "RE.h"
 #include "Reporter.h"
--- a/src/analyzer/protocol/login/NVT.cc
+++ b/src/analyzer/protocol/login/NVT.cc
@ -5,6 +5,7 @@

 #include <stdlib.h>

+#include "BroString.h"
 #include "NetVar.h"
 #include "Event.h"
 #include "Reporter.h"
--- a/src/analyzer/protocol/mqtt/MQTT.cc
+++ b/src/analyzer/protocol/mqtt/MQTT.cc
@ -4,6 +4,7 @@

 #include "MQTT.h"
 #include "Reporter.h"
+#include "Scope.h"
 #include "mqtt_pac.h"

 using namespace analyzer::MQTT;
--- a/src/analyzer/protocol/netbios/NetbiosSSN.cc
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc
@ -5,6 +5,7 @@

 #include <ctype.h>

+#include "BroString.h"
 #include "NetVar.h"
 #include "Sessions.h"
 #include "Event.h"
--- a/src/analyzer/protocol/rpc/MOUNT.cc
+++ b/src/analyzer/protocol/rpc/MOUNT.cc
@ -6,6 +6,7 @@
 #include <algorithm>
 #include <vector>

+#include "BroString.h"
 #include "NetVar.h"
 #include "XDR.h"
 #include "Event.h"
--- a/src/analyzer/protocol/rpc/NFS.cc
+++ b/src/analyzer/protocol/rpc/NFS.cc
@ -6,6 +6,7 @@
 #include <utility>
 #include <vector>

+#include "BroString.h"
 #include "NetVar.h"
 #include "XDR.h"
 #include "Event.h"
--- a/src/analyzer/protocol/ssh/ssh-protocol.pac
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
@ -1,5 +1,9 @@
 %include consts.pac

+%extern{
+#include "BroString.h"
+%}
+
 # Common constructs across SSH1 and SSH2
 ########################################

--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@ -3,6 +3,7 @@
 #include "File.h"
 #include "analyzer/Analyzer.h"
 #include "analyzer/protocol/tcp/TCP.h"
+#include "BroString.h"
 #include "Reporter.h"
 #include "RuleMatcher.h"

--- a/src/analyzer/protocol/teredo/Teredo.cc
+++ b/src/analyzer/protocol/teredo/Teredo.cc
@ -5,6 +5,7 @@
 #include "IP.h"
 #include "Reporter.h"
 #include "Sessions.h"
+#include "BroString.h"

 #include "events.bif.h"

--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@ -2,6 +2,9 @@
 #include "File.h"
 #include "Desc.h"
 #include "IntrusivePtr.h"
+#include "RE.h"
+#include "Var.h" // for internal_type()
+#include "Scope.h"
 #include "module_util.h"
 #include "3rdparty/doctest.h"
 #include "broker/data.bif.h"
@ -1170,6 +1173,14 @@ IntrusivePtr<Val> bro_broker::DataVal::castTo(BroType* t)
 	return data_to_val(data, t);
 	}

+BroType* bro_broker::DataVal::ScriptDataType()
+	{
+	if ( ! script_data_type )
+		script_data_type = internal_type("Broker::Data");
+
+	return script_data_type;
+	}
+
 IMPLEMENT_OPAQUE_VALUE(bro_broker::DataVal)

 broker::expected<broker::data> bro_broker::DataVal::DoSerialize() const
--- a/src/broker/Data.h
+++ b/src/broker/Data.h
@ -4,7 +4,6 @@
 #include "Reporter.h"
 #include "Frame.h"
 #include "Expr.h"
-#include "Var.h" // for internal_type()

 template <class T>
 class IntrusivePtr;
@ -111,13 +110,7 @@ public:
 	// Returns the Bro type that scripts use to represent a Broker data
 	// instance. This may be wrapping the opaque value inside another
 	// type.
-	static BroType* ScriptDataType()
-		{
-		if ( ! script_data_type )
-			script_data_type = internal_type("Broker::Data");
-
-		return script_data_type;
-		}
+	static BroType* ScriptDataType();

 	broker::data data;

--- a/src/broker/Manager.h
+++ b/src/broker/Manager.h
@ -17,11 +17,11 @@
 #include <string>
 #include <unordered_map>

-#include "NetVar.h"
 #include "iosource/IOSource.h"
 #include "logging/WriterBackend.h"

 class Frame;
+class Func;

 namespace bro_broker {

--- a/src/broker/Store.cc
+++ b/src/broker/Store.cc
@ -1,11 +1,28 @@
 #include "Store.h"
 #include "Desc.h"
+#include "Var.h" // for internal_type()
 #include "broker/Manager.h"

 namespace bro_broker {

 OpaqueType* opaque_of_store_handle;

+EnumVal* query_status(bool success)
+	{
+	static EnumType* store_query_status = nullptr;
+	static int success_val;
+	static int failure_val;
+
+	if ( ! store_query_status )
+		{
+		store_query_status = internal_type("Broker::QueryStatus")->AsEnumType();
+		success_val = store_query_status->Lookup("Broker", "SUCCESS");
+		failure_val = store_query_status->Lookup("Broker", "FAILURE");
+		}
+
+	return store_query_status->GetVal(success ? success_val : failure_val);
+	}
+
 void StoreHandleVal::ValDescribe(ODesc* d) const
 	{
 	//using BifEnum::Broker::BackendType;
--- a/src/broker/Store.h
+++ b/src/broker/Store.h
@ -2,8 +2,6 @@

 #include "broker/store.bif.h"
 #include "broker/data.bif.h"
-#include "Type.h"
-#include "Var.h" // for internal_type()
 #include "OpaqueVal.h"
 #include "Trigger.h"

@ -20,21 +18,7 @@ extern OpaqueType* opaque_of_store_handle;
 * @param success whether the query status should be set to success or failure.
 * @return a Broker::QueryStatus value.
 */
-inline EnumVal* query_status(bool success)
-	{
-	static EnumType* store_query_status = nullptr;
-	static int success_val;
-	static int failure_val;
-
-	if ( ! store_query_status )
-		{
-		store_query_status = internal_type("Broker::QueryStatus")->AsEnumType();
-		success_val = store_query_status->Lookup("Broker", "SUCCESS");
-		failure_val = store_query_status->Lookup("Broker", "FAILURE");
-		}
-
-	return store_query_status->GetVal(success ? success_val : failure_val);
-	}
+EnumVal* query_status(bool success);

 /**
 * @return a Broker::QueryResult value that has a Broker::QueryStatus indicating
--- a/src/digest.cc
+++ b/src/digest.cc
@ -0,0 +1,75 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+/**
+ * Wrapper and helper functions for MD5/SHA digest algorithms.
+ */
+
+#include "digest.h"
+
+#include "Reporter.h"
+
+EVP_MD_CTX* hash_init(HashAlgorithm alg)
+	{
+	EVP_MD_CTX* c = EVP_MD_CTX_new();
+	const EVP_MD* md;
+
+	switch (alg)
+		{
+		case Hash_MD5:
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+			/* Allow this to work even if FIPS disables it */
+			EVP_MD_CTX_set_flags(c, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+			md = EVP_md5();
+			break;
+		case Hash_SHA1:
+			md = EVP_sha1();
+			break;
+		case Hash_SHA224:
+			md = EVP_sha224();
+			break;
+		case Hash_SHA256:
+			md = EVP_sha256();
+			break;
+		case Hash_SHA384:
+			md = EVP_sha384();
+			break;
+		case Hash_SHA512:
+			md = EVP_sha512();
+			break;
+		default:
+			reporter->InternalError("Unknown hash algorithm passed to hash_init");
+		}
+
+	if ( ! EVP_DigestInit_ex(c, md, NULL) )
+		reporter->InternalError("EVP_DigestInit failed");
+
+	return c;
+	}
+
+void hash_update(EVP_MD_CTX* c, const void* data, unsigned long len)
+	{
+	if ( ! EVP_DigestUpdate(c, data, len) )
+		reporter->InternalError("EVP_DigestUpdate failed");
+	}
+
+void hash_final(EVP_MD_CTX* c, u_char* md)
+	{
+	if ( ! EVP_DigestFinal(c, md, NULL) )
+		reporter->InternalError("EVP_DigestFinal failed");
+
+	EVP_MD_CTX_free(c);
+	}
+
+unsigned char* internal_md5(const unsigned char* data, unsigned long len, unsigned char* out)
+	{
+	static unsigned char static_out[MD5_DIGEST_LENGTH];
+
+	if ( ! out )
+		out = static_out; // use static array for return, see OpenSSL man page
+
+	EVP_MD_CTX* c = hash_init(Hash_MD5);
+	hash_update(c, data, len);
+	hash_final(c, out);
+	return out;
+	}
--- a/src/digest.h
+++ b/src/digest.h
@ -10,6 +10,8 @@
 #include <openssl/sha.h>
 #include <openssl/evp.h>

+#include <sys/types.h> // for u_char
+
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
 #define EVP_MD_CTX_new EVP_MD_CTX_create
 #define EVP_MD_CTX_free EVP_MD_CTX_destroy
@ -20,8 +22,6 @@ inline void* EVP_MD_CTX_md_data(const EVP_MD_CTX* ctx)
 	}
 #endif

-#include "Reporter.h"
-
 enum HashAlgorithm { Hash_MD5, Hash_SHA1, Hash_SHA224, Hash_SHA256, Hash_SHA384, Hash_SHA512 };

 inline const char* digest_print(const u_char* digest, size_t n)
@ -47,68 +47,10 @@ inline const char* sha256_digest_print(const u_char digest[SHA256_DIGEST_LENGTH]
 	return digest_print(digest, SHA256_DIGEST_LENGTH);
 	}

-inline EVP_MD_CTX* hash_init(HashAlgorithm alg)
-	{
-	EVP_MD_CTX* c = EVP_MD_CTX_new();
-	const EVP_MD* md;
+EVP_MD_CTX* hash_init(HashAlgorithm alg);

-	switch (alg)
-		{
-		case Hash_MD5:
-#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-			/* Allow this to work even if FIPS disables it */
-			EVP_MD_CTX_set_flags(c, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-#endif
-			md = EVP_md5();
-			break;
-		case Hash_SHA1:
-			md = EVP_sha1();
-			break;
-		case Hash_SHA224:
-			md = EVP_sha224();
-			break;
-		case Hash_SHA256:
-			md = EVP_sha256();
-			break;
-		case Hash_SHA384:
-			md = EVP_sha384();
-			break;
-		case Hash_SHA512:
-			md = EVP_sha512();
-			break;
-		default:
-			reporter->InternalError("Unknown hash algorithm passed to hash_init");
-		}
+void hash_update(EVP_MD_CTX* c, const void* data, unsigned long len);

-	if ( ! EVP_DigestInit_ex(c, md, NULL) )
-		reporter->InternalError("EVP_DigestInit failed");
+void hash_final(EVP_MD_CTX* c, u_char* md);

-	return c;
-	}
-
-inline void hash_update(EVP_MD_CTX* c, const void* data, unsigned long len)
-	{
-	if ( ! EVP_DigestUpdate(c, data, len) )
-		reporter->InternalError("EVP_DigestUpdate failed");
-	}
-
-inline void hash_final(EVP_MD_CTX* c, u_char* md)
-	{
-	if ( ! EVP_DigestFinal(c, md, NULL) )
-		reporter->InternalError("EVP_DigestFinal failed");
-
-	EVP_MD_CTX_free(c);
-	}
-
-inline unsigned char* internal_md5(const unsigned char* data, unsigned long len, unsigned char* out)
-	{
-	static unsigned char static_out[MD5_DIGEST_LENGTH];
-
-	if ( ! out )
-		out = static_out; // use static array for return, see OpenSSL man page
-
-	EVP_MD_CTX* c = hash_init(Hash_MD5);
-	hash_update(c, data, len);
-	hash_final(c, out);
-	return out;
-	}
+unsigned char* internal_md5(const unsigned char* data, unsigned long len, unsigned char* out);
--- a/src/file_analysis/Analyzer.cc
+++ b/src/file_analysis/Analyzer.cc
@ -2,6 +2,7 @@

 #include "Analyzer.h"
 #include "Manager.h"
+#include "Val.h"

 file_analysis::ID file_analysis::Analyzer::id_counter = 0;

@ -17,3 +18,13 @@ void file_analysis::Analyzer::SetAnalyzerTag(const file_analysis::Tag& arg_tag)
 	assert(! tag || tag == arg_tag);
 	tag = arg_tag;
 	}
+
+file_analysis::Analyzer::Analyzer(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file)
+	: tag(arg_tag),
+	  args(arg_args->Ref()->AsRecordVal()),
+	  file(arg_file),
+	  got_stream_delivery(false),
+	  skip(false)
+	{
+	id = ++id_counter;
+	}
--- a/src/file_analysis/Analyzer.h
+++ b/src/file_analysis/Analyzer.h
@ -2,11 +2,11 @@

 #pragma once

-#include "Val.h"
-#include "NetVar.h"
 #include "Tag.h"

-#include "file_analysis/file_analysis.bif.h"
+#include <sys/types.h> // for u_char
+
+class RecordVal;

 namespace file_analysis {

@ -146,15 +146,7 @@ protected:
 	 *        tunable options, if any, related to a particular analyzer type.
 	 * @param arg_file the file to which the the analyzer is being attached.
 	 */
-	Analyzer(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file)
-	    : tag(arg_tag),
-	      args(arg_args->Ref()->AsRecordVal()),
-	      file(arg_file),
-	      got_stream_delivery(false),
-	      skip(false)
-		{
-		id = ++id_counter;
-		}
+	Analyzer(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file);

 	/**
 	 * Constructor.  Only derived classes are meant to be instantiated.
@ -166,13 +158,8 @@ protected:
 	 * @param arg_file the file to which the the analyzer is being attached.
 	 */
 	Analyzer(RecordVal* arg_args, File* arg_file)
-	    : tag(),
-	      args(arg_args->Ref()->AsRecordVal()),
-	      file(arg_file),
-	      got_stream_delivery(false),
-	      skip(false)
+	    : Analyzer({}, arg_args, arg_file)
 		{
-		id = ++id_counter;
 		}

 private:
--- a/src/file_analysis/AnalyzerSet.cc
+++ b/src/file_analysis/AnalyzerSet.cc
@ -4,6 +4,9 @@
 #include "File.h"
 #include "Analyzer.h"
 #include "Manager.h"
+#include "CompHash.h"
+#include "Val.h"
+#include "file_analysis/file_analysis.bif.h"

 using namespace file_analysis;

@ -106,6 +109,12 @@ bool AnalyzerSet::AddMod::Perform(AnalyzerSet* set)
 	return true;
 	}

+void AnalyzerSet::AddMod::Abort()
+	{
+	delete a;
+	delete key;
+	}
+
 bool AnalyzerSet::Remove(const file_analysis::Tag& tag, RecordVal* args)
 	{
 	return Remove(tag, GetKey(tag, args));
--- a/src/file_analysis/AnalyzerSet.h
+++ b/src/file_analysis/AnalyzerSet.h
@ -4,14 +4,17 @@

 #include <queue>

-#include "Analyzer.h"
 #include "Dict.h"
-#include "CompHash.h"
-#include "Val.h"
 #include "Tag.h"

+using std::queue;
+
+class CompositeHash;
+class RecordVal;
+
 namespace file_analysis {

+class Analyzer;
 class File;

 /**
@ -173,7 +176,7 @@ private:
 			: Modification(), a(arg_a), key(arg_key) {}
 		~AddMod() override {}
 		bool Perform(AnalyzerSet* set) override;
-		void Abort() override { delete a; delete key; }
+		void Abort() override;

 	protected:
 		file_analysis::Analyzer* a;
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@ -2,17 +2,22 @@

 #pragma once

+#include <list>
 #include <string>
 #include <utility>

+#include "analyzer/Tag.h"
 #include "AnalyzerSet.h"
 #include "BroString.h"
+#include "BroList.h" // for val_list
 #include "WeirdState.h"

 using std::string;

 class Connection;
+class RecordType;
 class RecordVal;
+class EventHandlerPtr;

 namespace file_analysis {

--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@ -10,6 +10,7 @@

 #include "plugin/Manager.h"
 #include "analyzer/Manager.h"
+#include "file_analysis/file_analysis.bif.h"

 #include <openssl/md5.h>

--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@ -12,7 +12,7 @@

 #include "plugin/ComponentManager.h"

-#include "file_analysis/file_analysis.bif.h"
+#include "analyzer/Tag.h"

 using std::map;
 using std::set;
--- a/src/file_analysis/analyzer/data_event/DataEvent.cc
+++ b/src/file_analysis/analyzer/data_event/DataEvent.cc
@ -5,6 +5,7 @@
 #include "DataEvent.h"
 #include "EventRegistry.h"
 #include "Event.h"
+#include "Func.h"
 #include "util.h"
 #include "file_analysis/Manager.h"

--- a/src/file_analysis/analyzer/data_event/DataEvent.h
+++ b/src/file_analysis/analyzer/data_event/DataEvent.h
@ -7,6 +7,7 @@
 #include "Val.h"
 #include "File.h"
 #include "Analyzer.h"
+#include "EventHandler.h"

 namespace file_analysis {

--- a/src/file_analysis/analyzer/extract/functions.bif
+++ b/src/file_analysis/analyzer/extract/functions.bif
@ -4,6 +4,7 @@ module FileExtract;

 %%{
 #include "file_analysis/Manager.h"
+#include "file_analysis/file_analysis.bif.h"
 %%}

 ## :zeek:see:`FileExtract::set_limit`.
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@ -10,6 +10,7 @@
 #include "types.bif.h"
 #include "ocsp_events.bif.h"

+#include "file_analysis/File.h"
 #include "file_analysis/Manager.h"

 #include <openssl/x509.h>
--- a/src/file_analysis/analyzer/x509/OCSP.h
+++ b/src/file_analysis/analyzer/x509/OCSP.h
@ -4,14 +4,14 @@

 #include <string>

-#include "../File.h"
-#include "Analyzer.h"
 #include "X509Common.h"

 #include <openssl/ocsp.h>

 namespace file_analysis {

+class File;
+
 class OCSP : public file_analysis::X509Common {
 public:
 	bool DeliverStream(const u_char* data, uint64_t len) override;
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@ -8,6 +8,7 @@
 #include "events.bif.h"
 #include "types.bif.h"

+#include "file_analysis/File.h"
 #include "file_analysis/Manager.h"

 #include <broker/error.hh>
--- a/src/file_analysis/analyzer/x509/X509Common.h
+++ b/src/file_analysis/analyzer/x509/X509Common.h
@ -5,16 +5,20 @@

 #pragma once

-#include "file_analysis/File.h"
 #include "Analyzer.h"

 #include <openssl/x509.h>
 #include <openssl/asn1.h>

+class EventHandlerPtr;
 class Reporter;
+class StringVal;

 namespace file_analysis {

+class Tag;
+class File;
+
 class X509Common : public file_analysis::Analyzer {
 public:
 	~X509Common() override {};
--- a/src/iosource/Manager.cc
+++ b/src/iosource/Manager.cc
@ -14,6 +14,7 @@
 #include "PktDumper.h"
 #include "plugin/Manager.h"
 #include "broker/Manager.h"
+#include "NetVar.h"

 #include "util.h"

--- a/src/plugin/ComponentManager.h
+++ b/src/plugin/ComponentManager.h
@ -8,6 +8,7 @@
 #include "Var.h" // for add_type()
 #include "Val.h"
 #include "Reporter.h"
+#include "Scope.h"
 #include "zeekygen/Manager.h"
 #include "DebugLogger.h"

--- a/src/probabilistic/Topk.cc
+++ b/src/probabilistic/Topk.cc
@ -8,7 +8,7 @@
 #include "CompHash.h"
 #include "IntrusivePtr.h"
 #include "Reporter.h"
-#include "NetVar.h"
+#include "Dict.h"

 namespace probabilistic {

--- a/src/probabilistic/Topk.h
+++ b/src/probabilistic/Topk.h
@ -4,12 +4,13 @@

 #include <list>
 #include "Val.h"
-#include "CompHash.h"
 #include "OpaqueVal.h"

 // This class implements the top-k algorithm. Or - to be more precise - an
 // interpretation of it.

+class CompositeHash;
+
 namespace probabilistic {

 struct Element;
--- a/src/supervisor/Supervisor.cc
+++ b/src/supervisor/Supervisor.cc
@ -13,7 +13,11 @@
 #include <sstream>

 #include "iosource/Manager.h"
+#include "BroString.h"
+#include "Dict.h"
+#include "RE.h"
 #include "Reporter.h"
+#include "Scope.h"
 #include "DebugLogger.h"
 #include "ID.h"
 #include "Val.h"
--- a/src/util.cc
+++ b/src/util.cc
@ -44,6 +44,7 @@
 #endif

 #include "Desc.h"
+#include "Dict.h"
 #include "digest.h"
 #include "input.h"
 #include "Obj.h"