X509 caching API change: callback gets entry directly

Suggestion from Jon: now the callback is passed the table-entry
directly. This allows us to skip one lookup.

scripts/base/files/x509/main.zeek

@@ -68,7 +68,7 @@ export {
 	##
 	## It is possible to change this behavior/skip sending the events by
 	## installing a higher priority hook instead.
-	global x509_certificate_cache_replay: hook(f: fa_file, sha256: string);
+	global x509_certificate_cache_replay: hook(f: fa_file, e: X509::Info, sha256: string);
 
 	## Event for accessing logged records.
 	global log_x509: event(rec: Info);
@@ -120,7 +120,7 @@ event zeek_init() &priority=5
 	x509_set_certificate_cache_hit_callback(x509_certificate_cache_replay);
 	}
 
-hook x509_certificate_cache_replay(f: fa_file, sha256: string)
+hook x509_certificate_cache_replay(f: fa_file, e: X509::Info, sha256: string)
 	{
 	# we encountered a cached cert. The X509 analyzer will skip it. Let's raise all the events that it typically
 	# raises by ourselfes.
@@ -130,7 +130,6 @@ hook x509_certificate_cache_replay(f: fa_file, sha256: string)
 	if ( f$info?$x509 )
 		return;
 
-	local e = certificate_cache[sha256];
 	event x509_certificate(f, e$handle, e$certificate);
 	for ( i in e$extensions_cache )
 		{

scripts/base/init-bare.zeek

@@ -512,12 +512,12 @@ type fa_file: record {
 	bof_buffer: string &optional;
 } &redef;
 
-## A hook taking a fa_file and a string. Used by the X509 analyzer as callback.
+## A hook taking a fa_file, an any, and a string. Used by the X509 analyzer as callback.
 ##
 ## .. todo:: We need this type definition only for declaring builtin functions
 ##    via ``bifcl``. We should extend ``bifcl`` to understand composite types
 ##    directly and then remove this alias.
-type string_file_hook: hook(f: fa_file, str: string);
+type string_any_file_hook: hook(f: fa_file, e: any, str: string);
 
 ## Metadata that's been inferred about a particular file.
 type fa_metadata: record {

src/file_analysis/analyzer/x509/X509.cc

@@ -51,7 +51,8 @@ bool file_analysis::X509::EndOfFile()
 		hash_final(ctx, buf);
 		std::string cert_sha256 = sha256_digest_print(buf);
 		auto index = make_intrusive<StringVal>(cert_sha256);
-		if ( certificate_cache->Lookup(index.get(), false) )
+		auto* entry = certificate_cache->Lookup(index.get(), false);
+		if ( entry )
 			// in this case, the certificate is in the cache and we do not
 			// do any further processing here. However, if there is a callback, we execute it.
 			{
@@ -59,8 +60,9 @@ bool file_analysis::X509::EndOfFile()
 				return false;
 			// yup, let's call the callback.
 
-			val_list vl(2);
+			val_list vl(3);
 			vl.push_back(GetFile()->GetVal()->Ref());
+			vl.push_back(entry->Ref());
 			vl.push_back(new StringVal(cert_sha256));
 			IntrusivePtr<Val> v{AdoptRef{}, cache_hit_callback->Call(&vl)};
 			return false;

src/file_analysis/analyzer/x509/functions.bif

@@ -916,7 +916,7 @@ function x509_set_certificate_cache%(tbl: string_any_table%) : bool
 ##           callback function if you are sure you will not conflict with the base scripts.
 ##
 ## .. zeek:see:: x509_set_certificate_cache
-function x509_set_certificate_cache_hit_callback%(f: string_file_hook%) : bool
+function x509_set_certificate_cache_hit_callback%(f: string_any_file_hook%) : bool
 	%{
 	file_analysis::X509::SetCertificateCacheHitCallback({NewRef{}, f->AsFunc()});
 

testing/btest/scripts/base/files/x509/caching-hook.test

@@ -7,7 +7,7 @@
 
 redef X509::caching_required_encounters = 1;
 
-hook X509::x509_certificate_cache_replay(f: fa_file, sha256: string) &priority=1
+hook X509::x509_certificate_cache_replay(f: fa_file, e: any, sha256: string) &priority=1
 	{
 	print "Encountered cached certificate not further handled by core", sha256;
 	break;

testing/btest/scripts/base/files/x509/caching.test

@@ -6,7 +6,7 @@
 
 redef X509::caching_required_encounters = 1;
 
-hook X509::x509_certificate_cache_replay(f: fa_file, sha256: string) &priority=1
+hook X509::x509_certificate_cache_replay(f: fa_file, e: any, sha256: string) &priority=1
 	{
 	print "Encountered cached certificate not further handled by core", sha256;
 	}