Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/vern/zval'

Browse source 
* origin/topic/vern/zval: (42 commits)
  whitespace tweaks
  resolved some TODO comments
  remove unnecessary casts, and change necessary ones to use static_cast<>
  explain cmp_func default
  change functions for ZVal type management to static members
  fix some unsigned/signed integer warnings
  address lint concern about uninitialized variable
  Remove use of obsolete forward-declaration macros
  fix #include's that lack zeek/ prefixes
  explicitly populate holes created in vectors
  fixes for now-incorrect assumption that GetField always returns an existing ValPtr
  memory management for assignment to vector elements
  memory management for assignment to record fields
  destructor cleanup from ZAM_vector/ZAM_record
  fix #include's that lack zeek/ prefixes
  overlooked another way in which vector holes can be created
  initialize vector holes to the correct corresponding type
  explicitly populate holes created in vectors
  fix other instances of GetField().get() assuming long-lived ValPtr's
  fix for now-incorrect assumption that GetField always returns an existing ValPtr
  ...
This commit is contained in:
Tim Wojtulewicz 2021-03-23 20:44:19 -07:00
commit f45df63cd0
100 changed files with 2376 additions and 1386 deletions
Download patch file Download diff file Expand all files Collapse all files

32
src/file_analysis/File.cc
View file

@ -92,12 +92,12 @@ File::File(const std::string& file_id, const std::string& source_name, Connectio
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Creating new File object", file_id.c_str());
val = make_intrusive<RecordVal>(id::fa_file);
val->Assign(id_idx, make_intrusive<StringVal>(file_id.c_str()));
val->Assign(id_idx, file_id);
SetSource(source_name);
if ( conn )
{
val->Assign(is_orig_idx, val_mgr->Bool(is_orig));
val->Assign(is_orig_idx, is_orig);
UpdateConnectionFields(conn, is_orig);
}
@ -115,7 +115,7 @@ File::~File()
void File::UpdateLastActivityTime()
{
val->Assign(last_active_idx, make_intrusive<TimeVal>(run_state::network_time));
val->AssignTime(last_active_idx, run_state::network_time);
}
double File::GetLastActivityTime() const
@ -128,12 +128,12 @@ bool File::UpdateConnectionFields(Connection* conn, bool is_orig)
if ( ! conn )
return false;
Val* conns = val->GetField(conns_idx).get();
auto conns = val->GetField(conns_idx);
if ( ! conns )
{
auto ect = empty_connection_table();
conns = ect.get();
conns = ect;
val->Assign(conns_idx, std::move(ect));
}
@ -190,7 +190,7 @@ std::string File::GetSource() const
void File::SetSource(const std::string& source)
{
val->Assign(source_idx, make_intrusive<StringVal>(source.c_str()));
val->Assign(source_idx, source);
}
double File::GetTimeoutInterval() const
@ -200,7 +200,7 @@ double File::GetTimeoutInterval() const
void File::SetTimeoutInterval(double interval)
{
val->Assign(timeout_interval_idx, make_intrusive<IntervalVal>(interval));
val->AssignInterval(timeout_interval_idx, interval);
}
bool File::SetExtractionLimit(RecordValPtr args, uint64_t bytes)
@ -223,13 +223,13 @@ bool File::SetExtractionLimit(RecordValPtr args, uint64_t bytes)
void File::IncrementByteCount(uint64_t size, int field_idx)
{
uint64_t old = LookupFieldDefaultCount(field_idx);
val->Assign(field_idx, val_mgr->Count(old + size));
val->Assign(field_idx, old + size);
}
void File::SetTotalBytes(uint64_t size)
{
DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Total bytes %" PRIu64, id.c_str(), size);
val->Assign(total_bytes_idx, val_mgr->Count(size));
val->Assign(total_bytes_idx, size);
}
bool File::IsComplete() const
@ -298,8 +298,8 @@ bool File::SetMime(const std::string& mime_type)
return false;
auto meta = make_intrusive<RecordVal>(id::fa_metadata);
meta->Assign(meta_mime_type_idx, make_intrusive<StringVal>(mime_type));
meta->Assign(meta_inferred_idx, val_mgr->False());
meta->Assign(meta_mime_type_idx, mime_type);
meta->Assign(meta_inferred_idx, false);
FileEvent(file_sniff, {val, std::move(meta)});
return true;
@ -309,7 +309,7 @@ void File::InferMetadata()
{
did_metadata_inference = true;
Val* bof_buffer_val = val->GetField(bof_buffer_idx).get();
auto bof_buffer_val = val->GetField(bof_buffer_idx);
if ( ! bof_buffer_val )
{
@ -317,8 +317,8 @@ void File::InferMetadata()
return;
String* bs = concatenate(bof_buffer.chunks);
val->Assign<StringVal>(bof_buffer_idx, bs);
bof_buffer_val = val->GetField(bof_buffer_idx).get();
val->Assign(bof_buffer_idx, bs);
bof_buffer_val = val->GetField(bof_buffer_idx);
}
if ( ! FileEventAvailable(file_sniff) )
@ -334,7 +334,7 @@ void File::InferMetadata()
if ( ! matches.empty() )
{
meta->Assign<StringVal>(meta_mime_type_idx,
meta->Assign(meta_mime_type_idx,
*(matches.begin()->second.begin()));
meta->Assign(meta_mime_types_idx,
file_analysis::GenMIMEMatchesVal(matches));
@ -361,7 +361,7 @@ bool File::BufferBOF(const u_char* data, uint64_t len)
if ( bof_buffer.size > 0 )
{
String* bs = concatenate(bof_buffer.chunks);
val->Assign(bof_buffer_idx, make_intrusive<StringVal>(bs));
val->Assign(bof_buffer_idx, bs);
}
return false;

4
src/file_analysis/Manager.cc
View file

@ -524,8 +524,8 @@ VectorValPtr GenMIMEMatchesVal(const zeek::detail::RuleMatcher::MIME_Matches& m)
for ( set<string>::const_iterator it2 = it->second.begin();
it2 != it->second.end(); ++it2 )
{
element->Assign(0, val_mgr->Int(it->first));
element->Assign(1, make_intrusive<StringVal>(*it2));
element->Assign(0, it->first);
element->Assign(1, *it2);
}
rval->Assign(rval->Size(), std::move(element));

10
src/file_analysis/analyzer/entropy/Entropy.cc
View file

@ -63,11 +63,11 @@ void Entropy::Finalize()
static auto entropy_test_result = id::find_type<RecordType>("entropy_test_result");
auto ent_result = make_intrusive<RecordVal>(entropy_test_result);
ent_result->Assign<DoubleVal>(0, ent);
ent_result->Assign<DoubleVal>(1, chisq);
ent_result->Assign<DoubleVal>(2, mean);
ent_result->Assign<DoubleVal>(3, montepi);
ent_result->Assign<DoubleVal>(4, scc);
ent_result->Assign(0, ent);
ent_result->Assign(1, chisq);
ent_result->Assign(2, mean);
ent_result->Assign(3, montepi);
ent_result->Assign(4, scc);
event_mgr.Enqueue(file_entropy,
GetFile()->ToVal(),

4
src/file_analysis/analyzer/extract/Extract.cc
View file

@ -47,8 +47,8 @@ Extract::~Extract()
}
}
static const ValPtr& get_extract_field_val(const RecordValPtr& args,
const char* name)
static ValPtr get_extract_field_val(const RecordValPtr& args,
const char* name)
{
const auto& rval = args->GetField(name);

102
src/file_analysis/analyzer/pe/pe-analyzer.pac
View file

@ -49,22 +49,22 @@ refine flow File += {
{
auto dh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::DOSHeader);
dh->Assign(0, zeek::make_intrusive<zeek::StringVal>(${h.signature}.length(), (const char*) ${h.signature}.data()));
dh->Assign(1, zeek::val_mgr->Count(${h.UsedBytesInTheLastPage}));
dh->Assign(2, zeek::val_mgr->Count(${h.FileSizeInPages}));
dh->Assign(3, zeek::val_mgr->Count(${h.NumberOfRelocationItems}));
dh->Assign(4, zeek::val_mgr->Count(${h.HeaderSizeInParagraphs}));
dh->Assign(5, zeek::val_mgr->Count(${h.MinimumExtraParagraphs}));
dh->Assign(6, zeek::val_mgr->Count(${h.MaximumExtraParagraphs}));
dh->Assign(7, zeek::val_mgr->Count(${h.InitialRelativeSS}));
dh->Assign(8, zeek::val_mgr->Count(${h.InitialSP}));
dh->Assign(9, zeek::val_mgr->Count(${h.Checksum}));
dh->Assign(10, zeek::val_mgr->Count(${h.InitialIP}));
dh->Assign(11, zeek::val_mgr->Count(${h.InitialRelativeCS}));
dh->Assign(12, zeek::val_mgr->Count(${h.AddressOfRelocationTable}));
dh->Assign(13, zeek::val_mgr->Count(${h.OverlayNumber}));
dh->Assign(14, zeek::val_mgr->Count(${h.OEMid}));
dh->Assign(15, zeek::val_mgr->Count(${h.OEMinfo}));
dh->Assign(16, zeek::val_mgr->Count(${h.AddressOfNewExeHeader}));
dh->Assign(1, ${h.UsedBytesInTheLastPage});
dh->Assign(2, ${h.FileSizeInPages});
dh->Assign(3, ${h.NumberOfRelocationItems});
dh->Assign(4, ${h.HeaderSizeInParagraphs});
dh->Assign(5, ${h.MinimumExtraParagraphs});
dh->Assign(6, ${h.MaximumExtraParagraphs});
dh->Assign(7, ${h.InitialRelativeSS});
dh->Assign(8, ${h.InitialSP});
dh->Assign(9, ${h.Checksum});
dh->Assign(10, ${h.InitialIP});
dh->Assign(11, ${h.InitialRelativeCS});
dh->Assign(12, ${h.AddressOfRelocationTable});
dh->Assign(13, ${h.OverlayNumber});
dh->Assign(14, ${h.OEMid});
dh->Assign(15, ${h.OEMinfo});
dh->Assign(16, ${h.AddressOfNewExeHeader});
zeek::event_mgr.Enqueue(pe_dos_header,
connection()->zeek_analyzer()->GetFile()->ToVal(),
@ -98,11 +98,11 @@ refine flow File += {
if ( pe_file_header )
{
auto fh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::FileHeader);
fh->Assign(0, zeek::val_mgr->Count(${h.Machine}));
fh->Assign(1, zeek::make_intrusive<zeek::TimeVal>(static_cast<double>(${h.TimeDateStamp})));
fh->Assign(2, zeek::val_mgr->Count(${h.PointerToSymbolTable}));
fh->Assign(3, zeek::val_mgr->Count(${h.NumberOfSymbols}));
fh->Assign(4, zeek::val_mgr->Count(${h.SizeOfOptionalHeader}));
fh->Assign(0, ${h.Machine});
fh->AssignTime(1, double(${h.TimeDateStamp}));
fh->Assign(2, ${h.PointerToSymbolTable});
fh->Assign(3, ${h.NumberOfSymbols});
fh->Assign(4, ${h.SizeOfOptionalHeader});
fh->Assign(5, characteristics_to_zeek(${h.Characteristics}, 16));
zeek::event_mgr.Enqueue(pe_file_header,
@ -127,31 +127,31 @@ refine flow File += {
{
auto oh = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::PE::OptionalHeader);
oh->Assign(0, zeek::val_mgr->Count(${h.magic}));
oh->Assign(1, zeek::val_mgr->Count(${h.major_linker_version}));
oh->Assign(2, zeek::val_mgr->Count(${h.minor_linker_version}));
oh->Assign(3, zeek::val_mgr->Count(${h.size_of_code}));
oh->Assign(4, zeek::val_mgr->Count(${h.size_of_init_data}));
oh->Assign(5, zeek::val_mgr->Count(${h.size_of_uninit_data}));
oh->Assign(6, zeek::val_mgr->Count(${h.addr_of_entry_point}));
oh->Assign(7, zeek::val_mgr->Count(${h.base_of_code}));
oh->Assign(0, ${h.magic});
oh->Assign(1, ${h.major_linker_version});
oh->Assign(2, ${h.minor_linker_version});
oh->Assign(3, ${h.size_of_code});
oh->Assign(4, ${h.size_of_init_data});
oh->Assign(5, ${h.size_of_uninit_data});
oh->Assign(6, ${h.addr_of_entry_point});
oh->Assign(7, ${h.base_of_code});
if ( ${h.pe_format} != PE32_PLUS )
oh->Assign(8, zeek::val_mgr->Count(${h.base_of_data}));
oh->Assign(8, ${h.base_of_data});
oh->Assign(9, zeek::val_mgr->Count(${h.image_base}));
oh->Assign(10, zeek::val_mgr->Count(${h.section_alignment}));
oh->Assign(11, zeek::val_mgr->Count(${h.file_alignment}));
oh->Assign(12, zeek::val_mgr->Count(${h.os_version_major}));
oh->Assign(13, zeek::val_mgr->Count(${h.os_version_minor}));
oh->Assign(14, zeek::val_mgr->Count(${h.major_image_version}));
oh->Assign(15, zeek::val_mgr->Count(${h.minor_image_version}));
oh->Assign(16, zeek::val_mgr->Count(${h.major_subsys_version}));
oh->Assign(17, zeek::val_mgr->Count(${h.minor_subsys_version}));
oh->Assign(18, zeek::val_mgr->Count(${h.size_of_image}));
oh->Assign(19, zeek::val_mgr->Count(${h.size_of_headers}));
oh->Assign(20, zeek::val_mgr->Count(${h.checksum}));
oh->Assign(21, zeek::val_mgr->Count(${h.subsystem}));
oh->Assign(9, ${h.image_base});
oh->Assign(10, ${h.section_alignment});
oh->Assign(11, ${h.file_alignment});
oh->Assign(12, ${h.os_version_major});
oh->Assign(13, ${h.os_version_minor});
oh->Assign(14, ${h.major_image_version});
oh->Assign(15, ${h.minor_image_version});
oh->Assign(16, ${h.major_subsys_version});
oh->Assign(17, ${h.minor_subsys_version});
oh->Assign(18, ${h.size_of_image});
oh->Assign(19, ${h.size_of_headers});
oh->Assign(20, ${h.checksum});
oh->Assign(21, ${h.subsystem});
oh->Assign(22, characteristics_to_zeek(${h.dll_characteristics}, 16));
oh->Assign(23, process_rvas(${h.rvas}));
@ -178,14 +178,14 @@ refine flow File += {
name_len = first_null - ${h.name}.data();
section_header->Assign(0, zeek::make_intrusive<zeek::StringVal>(name_len, (const char*) ${h.name}.data()));
section_header->Assign(1, zeek::val_mgr->Count(${h.virtual_size}));
section_header->Assign(2, zeek::val_mgr->Count(${h.virtual_addr}));
section_header->Assign(3, zeek::val_mgr->Count(${h.size_of_raw_data}));
section_header->Assign(4, zeek::val_mgr->Count(${h.ptr_to_raw_data}));
section_header->Assign(5, zeek::val_mgr->Count(${h.non_used_ptr_to_relocs}));
section_header->Assign(6, zeek::val_mgr->Count(${h.non_used_ptr_to_line_nums}));
section_header->Assign(7, zeek::val_mgr->Count(${h.non_used_num_of_relocs}));
section_header->Assign(8, zeek::val_mgr->Count(${h.non_used_num_of_line_nums}));
section_header->Assign(1, ${h.virtual_size});
section_header->Assign(2, ${h.virtual_addr});
section_header->Assign(3, ${h.size_of_raw_data});
section_header->Assign(4, ${h.ptr_to_raw_data});
section_header->Assign(5, ${h.non_used_ptr_to_relocs});
section_header->Assign(6, ${h.non_used_ptr_to_line_nums});
section_header->Assign(7, ${h.non_used_num_of_relocs});
section_header->Assign(8, ${h.non_used_num_of_line_nums});
section_header->Assign(9, characteristics_to_zeek(${h.characteristics}, 32));
zeek::event_mgr.Enqueue(pe_section_header,

54
src/file_analysis/analyzer/unified2/unified2-analyzer.pac
View file

@ -73,19 +73,19 @@ refine flow Flow += {
if ( ::unified2_event )
{
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
ids_event->Assign(0, zeek::val_mgr->Count(${ev.sensor_id}));
ids_event->Assign(1, zeek::val_mgr->Count(${ev.event_id}));
ids_event->Assign(2, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${ev.ts})));
ids_event->Assign(3, zeek::val_mgr->Count(${ev.signature_id}));
ids_event->Assign(4, zeek::val_mgr->Count(${ev.generator_id}));
ids_event->Assign(5, zeek::val_mgr->Count(${ev.signature_revision}));
ids_event->Assign(6, zeek::val_mgr->Count(${ev.classification_id}));
ids_event->Assign(7, zeek::val_mgr->Count(${ev.priority_id}));
ids_event->Assign(0, ${ev.sensor_id});
ids_event->Assign(1, ${ev.event_id});
ids_event->AssignTime(2, ts_to_double(${ev.ts}));
ids_event->Assign(3, ${ev.signature_id});
ids_event->Assign(4, ${ev.generator_id});
ids_event->Assign(5, ${ev.signature_revision});
ids_event->Assign(6, ${ev.classification_id});
ids_event->Assign(7, ${ev.priority_id});
ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip}));
ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip}));
ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol}));
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
ids_event->Assign(17, zeek::val_mgr->Count(${ev.packet_action}));
ids_event->Assign(17, ${ev.packet_action});
zeek::event_mgr.Enqueue(::unified2_event,
connection()->zeek_analyzer()->GetFile()->ToVal(),
@ -99,23 +99,23 @@ refine flow Flow += {
if ( ::unified2_event )
{
auto ids_event = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::IDSEvent);
ids_event->Assign(0, zeek::val_mgr->Count(${ev.sensor_id}));
ids_event->Assign(1, zeek::val_mgr->Count(${ev.event_id}));
ids_event->Assign(2, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${ev.ts})));
ids_event->Assign(3, zeek::val_mgr->Count(${ev.signature_id}));
ids_event->Assign(4, zeek::val_mgr->Count(${ev.generator_id}));
ids_event->Assign(5, zeek::val_mgr->Count(${ev.signature_revision}));
ids_event->Assign(6, zeek::val_mgr->Count(${ev.classification_id}));
ids_event->Assign(7, zeek::val_mgr->Count(${ev.priority_id}));
ids_event->Assign(0, ${ev.sensor_id});
ids_event->Assign(1, ${ev.event_id});
ids_event->AssignTime(2, ts_to_double(${ev.ts}));
ids_event->Assign(3, ${ev.signature_id});
ids_event->Assign(4, ${ev.generator_id});
ids_event->Assign(5, ${ev.signature_revision});
ids_event->Assign(6, ${ev.classification_id});
ids_event->Assign(7, ${ev.priority_id});
ids_event->Assign(8, unified2_addr_to_zeek_addr(${ev.src_ip}));
ids_event->Assign(9, unified2_addr_to_zeek_addr(${ev.dst_ip}));
ids_event->Assign(10, to_port(${ev.src_p}, ${ev.protocol}));
ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
ids_event->Assign(12, zeek::val_mgr->Count(${ev.impact_flag}));
ids_event->Assign(13, zeek::val_mgr->Count(${ev.impact}));
ids_event->Assign(14, zeek::val_mgr->Count(${ev.blocked}));
ids_event->Assign(15, zeek::val_mgr->Count(${ev.mpls_label}));
ids_event->Assign(16, zeek::val_mgr->Count(${ev.vlan_id}));
ids_event->Assign(12, ${ev.impact_flag});
ids_event->Assign(13, ${ev.impact});
ids_event->Assign(14, ${ev.blocked});
ids_event->Assign(15, ${ev.mpls_label});
ids_event->Assign(16, ${ev.vlan_id});
zeek::event_mgr.Enqueue(::unified2_event,
connection()->zeek_analyzer()->GetFile()->ToVal(),
@ -130,11 +130,11 @@ refine flow Flow += {
if ( ::unified2_packet )
{
auto packet = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::Unified2::Packet);
packet->Assign(0, zeek::val_mgr->Count(${pkt.sensor_id}));
packet->Assign(1, zeek::val_mgr->Count(${pkt.event_id}));
packet->Assign(2, zeek::val_mgr->Count(${pkt.event_second}));
packet->Assign(3, zeek::make_intrusive<zeek::TimeVal>(ts_to_double(${pkt.packet_ts})));
packet->Assign(4, zeek::val_mgr->Count(${pkt.link_type}));
packet->Assign(0, ${pkt.sensor_id});
packet->Assign(1, ${pkt.event_id});
packet->Assign(2, ${pkt.event_second});
packet->AssignTime(3, ts_to_double(${pkt.packet_ts}));
packet->Assign(4, ${pkt.link_type});
packet->Assign(5, to_stringval(${pkt.packet_data}));
zeek::event_mgr.Enqueue(::unified2_packet,

26
src/file_analysis/analyzer/x509/X509.cc
View file

@ -124,7 +124,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
auto pX509Cert = make_intrusive<RecordVal>(BifType::Record::X509::Certificate);
BIO *bio = BIO_new(BIO_s_mem());
pX509Cert->Assign(0, val_mgr->Count((uint64_t) X509_get_version(ssl_cert) + 1));
pX509Cert->Assign(0, static_cast<uint64_t>(X509_get_version(ssl_cert) + 1));
i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
int len = BIO_read(bio, buf, sizeof(buf));
pX509Cert->Assign(1, make_intrusive<StringVal>(len, buf));
@ -161,8 +161,8 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
pX509Cert->Assign(3, make_intrusive<StringVal>(len, buf));
BIO_free(bio);
pX509Cert->Assign(5, make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter)));
pX509Cert->Assign(6, make_intrusive<TimeVal>(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter)));
pX509Cert->AssignTime(5, GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter));
pX509Cert->AssignTime(6, GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter));
// we only read 255 bytes because byte 256 is always 0.
// if the string is longer than 255, that will be our null-termination,
@ -172,7 +172,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) )
buf[0] = 0;
pX509Cert->Assign(7, make_intrusive<StringVal>(buf));
pX509Cert->Assign(7, buf);
// Special case for RDP server certificates. For some reason some (all?) RDP server
// certificates like to specify their key algorithm as md5WithRSAEncryption, which
@ -194,25 +194,25 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
if ( ! i2t_ASN1_OBJECT(buf, 255, OBJ_nid2obj(X509_get_signature_nid(ssl_cert))) )
buf[0] = 0;
pX509Cert->Assign(8, make_intrusive<StringVal>(buf));
pX509Cert->Assign(8, buf);
// Things we can do when we have the key...
EVP_PKEY *pkey = X509_extract_key(ssl_cert);
if ( pkey != NULL )
{
if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA )
pX509Cert->Assign(9, make_intrusive<StringVal>("dsa"));
pX509Cert->Assign(9, "dsa");
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA )
{
pX509Cert->Assign(9, make_intrusive<StringVal>("rsa"));
pX509Cert->Assign(9, "rsa");
const BIGNUM *e;
RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL);
char *exponent = BN_bn2dec(e);
if ( exponent != NULL )
{
pX509Cert->Assign(11, make_intrusive<StringVal>(exponent));
pX509Cert->Assign(11, exponent);
OPENSSL_free(exponent);
exponent = NULL;
}
@ -220,7 +220,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
#ifndef OPENSSL_NO_EC
else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_EC )
{
pX509Cert->Assign(9, make_intrusive<StringVal>("ecdsa"));
pX509Cert->Assign(9, "ecdsa");
pX509Cert->Assign(12, KeyCurve(pkey));
}
#endif
@ -232,7 +232,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val,
unsigned int length = KeyLength(pkey);
if ( length > 0 )
pX509Cert->Assign(10, val_mgr->Count(length));
pX509Cert->Assign(10, length);
EVP_PKEY_free(pkey);
}
@ -292,10 +292,10 @@ void X509::ParseBasicConstraints(X509_EXTENSION* ex)
if ( x509_ext_basic_constraints )
{
auto pBasicConstraint = make_intrusive<RecordVal>(BifType::Record::X509::BasicConstraints);
pBasicConstraint->Assign(0, val_mgr->Bool(constr->ca));
pBasicConstraint->Assign(0, constr->ca);
if ( constr->pathlen )
pBasicConstraint->Assign(1, val_mgr->Count((int32_t) ASN1_INTEGER_get(constr->pathlen)));
pBasicConstraint->Assign(1, static_cast<int32_t>(ASN1_INTEGER_get(constr->pathlen)));
event_mgr.Enqueue(x509_ext_basic_constraints,
GetFile()->ToVal(),
@ -436,7 +436,7 @@ void X509::ParseSAN(X509_EXTENSION* ext)
if ( ips != nullptr )
sanExt->Assign(3, ips);
sanExt->Assign(4, val_mgr->Bool(otherfields));
sanExt->Assign(4, otherfields);
event_mgr.Enqueue(x509_ext_subject_alternative_name,
GetFile()->ToVal(),

8
src/file_analysis/analyzer/x509/X509Common.cc
View file

@ -273,13 +273,13 @@ void X509Common::ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bo
ext_val = make_intrusive<StringVal>(0, "");
auto pX509Ext = make_intrusive<RecordVal>(BifType::Record::X509::Extension);
pX509Ext->Assign(0, make_intrusive<StringVal>(name));
pX509Ext->Assign(0, name);
if ( short_name and strlen(short_name) > 0 )
pX509Ext->Assign(1, make_intrusive<StringVal>(short_name));
pX509Ext->Assign(1, short_name);
pX509Ext->Assign(2, make_intrusive<StringVal>(oid));
pX509Ext->Assign(3, val_mgr->Bool(critical));
pX509Ext->Assign(2, oid);
pX509Ext->Assign(3, critical);
pX509Ext->Assign(4, ext_val);
// send off generic extension event

10
src/file_analysis/analyzer/x509/functions.bif
View file

@ -16,8 +16,8 @@ static zeek::RecordValPtr x509_result_record(uint64_t num, const char* reason, z
{
auto rrecord = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::X509::Result);
rrecord->Assign(0, zeek::val_mgr->Int(num));
rrecord->Assign(1, zeek::make_intrusive<zeek::StringVal>(reason));
rrecord->Assign(0, num);
rrecord->Assign(1, reason);
if ( chainVector )
rrecord->Assign(2, std::move(chainVector));
@ -37,7 +37,7 @@ STACK_OF(X509)* x509_get_untrusted_stack(zeek::VectorVal* certs_vec)
for ( int i = 1; i < (int) certs_vec->Size(); ++i ) // start at 1 - 0 is host cert
{
const auto& sv = certs_vec->At(i);
auto sv = certs_vec->ValAt(i);
if ( ! sv )
continue;
@ -232,7 +232,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
// host certificate
unsigned int index = 0; // to prevent overloading to 0pointer
const auto& sv = certs_vec->At(index);
auto sv = certs_vec->ValAt(index);
if ( ! sv )
{
zeek::emit_builtin_error("undefined value in certificate vector");
@ -518,7 +518,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
// host certificate
unsigned int index = 0; // to prevent overloading to 0pointer
const auto& sv = certs_vec->At(index);
auto sv = certs_vec->ValAt(index);
if ( !sv )
{
zeek::emit_builtin_error("undefined value in certificate vector");