Merge remote-tracking branch 'origin/master' into topic/jsiwek/doc-framework

.gitmodules

@@ -10,3 +10,6 @@
 [submodule "aux/broctl"]
 	path = aux/broctl
 	url = git://git.icir.org/broctl
+[submodule "aux/btest"]
+	path = aux/btest
+	url = git://git.icir.org/btest

CHANGES

@@ -1,3 +1,84 @@
+1.6-dev.53 Fri Feb 25 17:03:05 PST 2011
+
+- Fixing file detector leak in remote communication module. (Scott
+  Campbell)
+
+- Updating independent-state tests to work with new setup. (Robin
+  Sommer)
+
+1.6-dev.49 Fri Feb 25 15:37:28 PST 2011
+
+- Enum IDs can have explicitly defined values. (Gregor Maier)
+
+- Extensions for the built-in function compiler, bifcl. (Gregor Maier)
+
+    * Support for policy-layer namespaces.
+    * Support for type declarations in bif files (with access them
+      from C++)
+    * Extended const declarations in bif files.
+
+  See http://bro.icir.org/devel/bif-doc for more information.
+
+1.6-dev.48 Fri Feb 25 10:53:04 PST 2011
+
+- Preliminary TCP Reassembler fix: deliver data after 2GB by disabling
+  the unused seq_to_skip feature. (Gregor Maier)
+
+1.6-dev.47 Fri Feb 25 10:40:22 PST 2011
+
+- Fixing endianess error in XDR when data is not 4-byte aligned.
+  (Gregor Maier)
+
+- Fix for Val constructor with new int64 typedefs. (Gregor Maier)
+
+- Updated fix for OS X 10.5 compile error wrt llabs(). (Gregor Maier)
+
+- Fix more compiler warning wrt printf format strings.  (Gregor Maier)
+
+1.6-dev.45 Tue Feb  8 21:28:01 PST 2011
+
+- Fixing a number of compiler warnings. (Seth Hall and Robin Sommer)
+
+1.6-dev.44 Tue Feb  8 20:11:44 PST 2011
+
+- A number of updates to the SSL analyzer, including support for new
+  ciphers; SSL extensions; and bug fixes. The analyzer does not longer
+  throw weird for exceeding a predefined cipherspec_size anymore.
+  (Seth Hall and Rmkml).
+
+- The various split*() BiFs now handle strings containing null bytes
+  correctly. (Seth Hall)
+
+- Adding new aux/btest submodule. This is a framework we will use in
+  the future for doing unit tests. (Robin Sommer)
+
+1.6-dev.41 Mon Feb  7 13:43:56 PST 2011
+
+- Smarter way to increase the parent/child pipe's socket buffer.
+  (Craig Leres).
+    
+- Fixing bug with defining bro_int_t and bro_uint_t to be 64 bits wide
+  on some platforms. (Robin Sommer)
+
+1.6-dev.39 Mon Jan 31 16:42:23 PST 2011
+
+- Login's confused messages now go through weird.bro. (Robin Sommer)
+
+1.6-dev.36 Mon Jan 31 08:45:35 PST 2011
+
+- Adding more configure options for finding dependencies, (Jon Siwek)
+
+    --with-flex=PATH       path to flex executable
+    --with-bison=PATH      path to bison executable
+    --with-perl=PATH       path to perl executable
+    --with-python=PATH     path to Python interpreter
+    --with-python-lib=PATH path to libpython
+    --with-python-inc=PATH path to Python headers
+    --with-swig=PATH       path to SWIG executable
+
+- Fixing typo in PCAPTests.cmake  (Jon Siwek)
+
+
 1.6-dev.33 Mon Jan 24 15:29:04 PST 2011
 
 - Fixing bug in SMB analyzer. (Robin Sommer)

VERSION

@@ -1 +1 @@
-1.6-dev.35
+1.6-dev.53

aux/binpac

@@ -1 +1 @@
-Subproject commit 7d4c82121c09ab8d978adbe404bb633ede72820f
+Subproject commit 26d02716f9090651f319a4bfdf8ede49b3a7b53a

aux/bro-aux

@@ -1 +1 @@
-Subproject commit 89476012d96039a9ed415993b2f6f7601436cda2
+Subproject commit 7e50bac938af1831ecf9660159145a3c2e77e13d

aux/broccoli

@@ -1 +1 @@
-Subproject commit 9ad8f64aecbb3320eaee087a867b5742ccfdafa1
+Subproject commit 9332ab3467191ac22be09d6941ebd469e7a334d0

aux/broctl

@@ -1 +1 @@
-Subproject commit 43bdb0fbf1a0a55fa7a862d19c471c279df62a73
+Subproject commit 06b74a0f23767c8345ed146657120aba812f6764

aux/btest

@@ -0,0 +1 @@
+Subproject commit a2b04952ae91dcd27d5e68a42d5d26c291ecb1f5

cmake/OSSpecific.cmake

@@ -1,6 +1,3 @@
-include(CheckCSourceCompiles)
-include(CheckCXXSourceCompiles)
-
 if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
     # alternate malloc is faster for FreeBSD, but needs more testing
     # need to add way to set this from the command line
@@ -10,28 +7,6 @@ elseif (${CMAKE_SYSTEM_NAME} MATCHES "OpenBSD")
     set(USE_NMALLOC true)
 
 elseif (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
-    # The following may have a greater scope than just Darwin
-    # (i.e. any platform w/ GCC < 4.1.0), but I've only seen
-    # it on OS X 10.5, which has GCC 4.0.1, so the workaround
-    # will be stuck here for now.
-    #
-    # See also http://gcc.gnu.org/bugzilla/show_bug.cgi?id=13943
-
-    check_cxx_source_compiles("
-        #include <math.h>
-        #include <cstdlib>
-        using namespace std;
-        int main() {
-            llabs(1);
-            return 0;
-        }
-    " darwin_llabs_works)
-
-    if (NOT darwin_llabs_works)
-        # abs() should be used in this case, the long long version should
-        # exist in the __gnu_cxx namespace
-        set(DARWIN_NO_LLABS true)
-    endif ()
 
 elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
     set(HAVE_LINUX true)
@@ -50,7 +25,7 @@ elseif (${CMAKE_SYSTEM_NAME} MATCHES "irix")
 elseif (${CMAKE_SYSTEM_NAME} MATCHES "ultrix")
     list(APPEND CMAKE_C_FLAGS -std1 -g3)
     list(APPEND CMAKE_CXX_FLAGS -std1 -g3)
-
+    include(CheckCSourceCompiles)
     check_c_source_compiles("
         #include <sys/types.h>
         int main() {

config.h.in

@@ -146,6 +146,3 @@
 
 /* Define u_int8_t */
 #define u_int8_t @U_INT8_T@
-
-/* Whether llabs will be ambiguous in stdlib.h and cstdlib headers */
-#cmakedefine DARWIN_NO_LLABS

configure

@@ -40,11 +40,18 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --with-bind=PATH       path to BIND install root
     --with-pcap=PATH       path to libpcap install root
     --with-binpac=PATH     path to BinPAC install root
+    --with-flex=PATH       path to flex executable
+    --with-bison=PATH      path to bison executable
+    --with-perl=PATH       path to perl executable
 
   Optional Packages in Non-Standard Locations:
     --with-libmagic=PATH   path to libmagic install root
     --with-geoip=PATH      path to the libGeoIP install root
     --with-perftools=PATH  path to Google Perftools install root
+    --with-python=PATH     path to Python interpreter
+    --with-python-lib=PATH path to libpython
+    --with-python-inc=PATH path to Python headers
+    --with-swig=PATH       path to SWIG executable
 
   Packaging Options (for developers):
     --ignore-dirs=PATHS    paths to ignore when creating source package
@@ -157,6 +164,15 @@ while [ $# -ne 0 ]; do
         --with-binpac=*)
             append_cache_entry BinPAC_ROOT_DIR PATH $optarg
             ;;
+        --with-flex=*)
+            append_cache_entry FLEX_EXECUTABLE PATH $optarg
+            ;;
+        --with-bison=*)
+            append_cache_entry BISON_EXECUTABLE PATH $optarg
+            ;;
+        --with-perl=*)
+            append_cache_entry PERL_EXECUTABLE PATH $optarg
+            ;;
         --with-libmagic=*)
             append_cache_entry LibMagic_ROOT_DIR PATH $optarg
             ;;
@@ -166,6 +182,19 @@ while [ $# -ne 0 ]; do
         --with-perftools=*)
             append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg
             ;;
+        --with-python=*)
+            append_cache_entry PYTHON_EXECUTABLE    PATH    $optarg
+            ;;
+        --with-python-lib=*)
+            append_cache_entry PYTHON_LIBRARY       PATH    $optarg
+            ;;
+        --with-python-inc=*)
+            append_cache_entry PYTHON_INCLUDE_DIR   PATH    $optarg
+            append_cache_entry PYTHON_INCLUDE_PATH  PATH    $optarg
+            ;;
+        --with-swig=*)
+            append_cache_entry SWIG_EXECUTABLE      PATH    $optarg
+            ;;
         --ignore-dirs=*)
             append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING $optarg
             ;;

policy/bro.init

@@ -1,6 +1,7 @@
 # $Id: bro.init 6887 2009-08-20 05:17:33Z vern $
 
 @load const.bif.bro
+@load types.bif.bro
 
 global bro_signal: event(signal: count);
 
@@ -912,8 +913,8 @@ global dns_skip_all_addl = T &redef;
 global dns_max_queries = 5;
 
 # The maxiumum size in bytes for an SSL cipherspec.  If we see a packet that
-# has bigger cipherspecs, we warn and won't do a comparisons of cipherspecs.
+# has bigger cipherspecs, we won't do a comparisons of cipherspecs.
-const ssl_max_cipherspec_size = 45 &redef;
+const ssl_max_cipherspec_size = 68 &redef;
 
 # SSL and X.509 types.
 type cipher_suites_list: set[count];
@@ -1389,3 +1390,48 @@ const trace_output_file = "";
 # packets out before we actually process them, which can be helpful
 # for debugging in case the analysis triggers a crash.
 const record_all_packets = F &redef;
+
+# Some connections (e.g., SSH) retransmit the acknowledged last
+# byte to keep the connection alive. If ignore_keep_alive_rexmit
+# is set to T, such retransmissions will be excluded in the rexmit
+# counter in conn_stats.
+const ignore_keep_alive_rexmit = F &redef;
+
+# Skip HTTP data portions for performance considerations (the skipped
+# portion will not go through TCP reassembly).
+const skip_http_data = F &redef;
+
+# Whether the analysis engine parses IP packets encapsulated in
+# UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
+const parse_udp_tunnels = F &redef;
+
+# Whether a commitment is required before writing the transformed
+# trace for a connection into the dump file.
+const requires_trace_commitment = F &redef;
+
+# Whether IP address anonymization is enabled.
+const anonymize_ip_addr = F &redef;
+
+# Whether to omit place holder packets when rewriting.
+const omit_rewrite_place_holder = T &redef;
+
+# Whether trace of various protocols is being rewritten.
+const rewriting_http_trace = F &redef;
+const rewriting_smtp_trace = F &redef;
+const rewriting_ftp_trace = F &redef;
+const rewriting_ident_trace = F &redef;
+const rewriting_finger_trace = F &redef;
+const rewriting_dns_trace = F &redef;
+const rewriting_smb_trace = F &redef;
+
+# Whether we dump selected original packets to the output trace.
+const dump_selected_source_packets = F &redef;
+
+# If true, we dump original packets to the output trace *if and only if*
+# the connection is not rewritten; if false, the policy script can decide
+# whether to dump a particular connection by calling dump_packets_of_connection.
+#
+# NOTE: DO NOT SET THIS TO TRUE WHEN ANONYMIZING A TRACE! 
+# (TODO: this variable should be disabled when using '-A' option)
+const dump_original_packets_if_not_rewriting = F &redef;
+

policy/login.bro

@@ -544,10 +544,7 @@ event login_confused(c: connection, msg: string, line: string)
 
 	append_addl(c, "<confused>");
 
-	if ( line == "" )
+	event conn_weird_addl(msg, c, line);
-		print Weird::weird_file, fmt("%.6f %s %s", network_time(), id_string(c$id), msg);
-	else
-		print Weird::weird_file, fmt("%.6f %s %s (%s)", network_time(), id_string(c$id), msg, line);
 
 	set_record_packets(c$id, T);
 	}

policy/ssl.bro

@@ -85,29 +85,28 @@ const myWeakCiphers: set[count] = {
 	SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
 	SSLv20_CK_DES_64_CBC_WITH_MD5,
 
-	SSLv3x_NULL_WITH_NULL_NULL,
+	TLS_NULL_WITH_NULL_NULL,
-	SSLv3x_RSA_WITH_NULL_MD5,
+	TLS_RSA_WITH_NULL_MD5,
-	SSLv3x_RSA_WITH_NULL_SHA,
+	TLS_RSA_WITH_NULL_SHA,
-	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5,
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-	SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_RSA_WITH_DES_CBC_SHA,
+	TLS_RSA_WITH_DES_CBC_SHA,
 
-	SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_DSS_WITH_DES_CBC_SHA,
+	TLS_DH_DSS_WITH_DES_CBC_SHA,
-	SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_RSA_WITH_DES_CBC_SHA,
+	TLS_DH_RSA_WITH_DES_CBC_SHA,
-	SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_DSS_WITH_DES_CBC_SHA,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA,
-	SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DHE_RSA_WITH_DES_CBC_SHA,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA,
 
-	SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5,
+	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
-	SSLv3x_DH_anon_WITH_RC4_128_MD5,
+	TLS_DH_ANON_WITH_RC4_128_MD5,
-	SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
-	SSLv3x_DH_anon_WITH_DES_CBC_SHA,
+	TLS_DH_ANON_WITH_DES_CBC_SHA,
-	SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA,
+	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
-	SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA
 };
 
 const x509_ignore_errors: set[int] = {

src/CMakeLists.txt

@@ -83,7 +83,7 @@ flex_target(Scanner scan.l ${CMAKE_CURRENT_BINARY_DIR}/scan.cc
 set(bifcl_SRCS
    ${BISON_BIFParser_OUTPUTS}
    ${FLEX_BIFScanner_OUTPUTS}
-   bif_arg.cc
+   bif_arg.cc module_util.cc
 )
 
 add_executable(bifcl ${bifcl_SRCS})
@@ -101,8 +101,9 @@ macro(BIF_TARGET bifInput)
     get_bif_output_files(${bifInput} bifOutputs)
     add_custom_command(OUTPUT ${bifOutputs}
                        COMMAND bifcl
-                       ARGS ${CMAKE_CURRENT_SOURCE_DIR}/${bifInput} 
+                       ARGS ${CMAKE_CURRENT_SOURCE_DIR}/${bifInput} || (rm -f ${bifOutputs} && exit 1)
                        DEPENDS ${bifInput}
+                       DEPENDS bifcl
                        COMMENT "[BIFCL] Processing ${bifInput}"
     )
     list(APPEND ALL_BIF_OUTPUTS ${bifOutputs})
@@ -128,6 +129,7 @@ set(BIF_SRCS
     bro.bif
     event.bif
     const.bif
+    types.bif
     common-rw.bif
     finger-rw.bif
     ident-rw.bif
@@ -160,7 +162,7 @@ macro(BINPAC_TARGET pacFile)
     add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h
                               ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc
                        COMMAND ${BinPAC_EXE}
-                       ARGS -d ${CMAKE_CURRENT_BINARY_DIR}
+                       ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR}
                             -I ${CMAKE_CURRENT_SOURCE_DIR}
                             ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile}
                        DEPENDS ${BinPAC_EXE} ${pacFile}
@@ -177,9 +179,9 @@ binpac_target(binpac_bro-lib.pac)
 binpac_target(bittorrent.pac
     bittorrent-protocol.pac bittorrent-analyzer.pac)
 binpac_target(dce_rpc.pac
-    dce_rpc-protocol.pac dce_rpc-analyzer.pac)
+    dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac)
 binpac_target(dce_rpc_simple.pac
-    dce_rpc-protocol.pac)
+    dce_rpc-protocol.pac epmapper.pac)
 binpac_target(dhcp.pac
     dhcp-protocol.pac dhcp-analyzer.pac)
 binpac_target(dns.pac
@@ -217,6 +219,8 @@ add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/DebugCmdConstants.h
 )
 
 set(dns_SRCS nb_dns.c nb_dns.h)
+set_source_files_properties(nb_dns.c PROPERTIES COMPILE_FLAGS
+                            -fno-strict-aliasing)
 
 set(openssl_SRCS X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc
                  SSLv2.cc SSLv3.cc SSLv3Automaton.cc)
@@ -237,6 +241,7 @@ set(bro_SRCS
     main.cc
     net_util.cc
     util.cc
+    module_util.cc
     Active.cc
     Analyzer.cc
     Anon.cc

src/DCE_RPC.cc

@@ -82,10 +82,10 @@ UUID::UUID(const char* str)
 		}
 
 	if ( i != 16 )
-		internal_error(fmt("invalid UUID string: %s", str));
+		internal_error("invalid UUID string: %s", str);
 	}
 
-typedef map<UUID, BroEnum::dce_rpc_if_id> uuid_map_t;
+typedef map<UUID, BifEnum::dce_rpc_if_id> uuid_map_t;
 
 static uuid_map_t& well_known_uuid_map()
 	{
@@ -95,7 +95,7 @@ static uuid_map_t& well_known_uuid_map()
 	if ( initialized )
 		return the_map;
 
-	using namespace BroEnum;
+	using namespace BifEnum;
 
 	the_map[UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")] = DCE_RPC_epmapper;
 
@@ -186,14 +186,14 @@ DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b)
 	else
 		fragmented = 0;
 
-	ptype = (BroEnum::dce_rpc_ptype) bytes[2];
+	ptype = (BifEnum::dce_rpc_ptype) bytes[2];
 	frag_len = extract_uint16(LittleEndian(), bytes + 8);
 	}
 
 DCE_RPC_Session::DCE_RPC_Session(Analyzer* a)
 : analyzer(a),
   if_uuid("00000000-0000-0000-0000-000000000000"),
-  if_id(BroEnum::DCE_RPC_unknown_if)
+  if_id(BifEnum::DCE_RPC_unknown_if)
 	{
 	opnum = -1;
 	}
@@ -234,7 +234,7 @@ void DCE_RPC_Session::DeliverPDU(int is_orig, int len, const u_char* data)
 		val_list* vl = new val_list;
 		vl->append(analyzer->BuildConnVal());
 		vl->append(new Val(is_orig, TYPE_BOOL));
-		vl->append(new EnumVal(data[2], enum_dce_rpc_ptype));
+		vl->append(new EnumVal(data[2], BifType::Enum::dce_rpc_ptype));
 		vl->append(new StringVal(len, (const char*) data));
 
 		analyzer->ConnectionEvent(dce_rpc_message, vl);
@@ -286,7 +286,7 @@ void DCE_RPC_Session::DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu
 			// conn->Weird(fmt("Unknown DCE_RPC interface %s",
 			// 		if_uuid.to_string()));
 #endif
-			if_id = BroEnum::DCE_RPC_unknown_if;
+			if_id = BifEnum::DCE_RPC_unknown_if;
 			}
 		else
 			if_id = uuid_it->second;
@@ -296,7 +296,7 @@ void DCE_RPC_Session::DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu
 			val_list* vl = new val_list;
 			vl->append(analyzer->BuildConnVal());
 			vl->append(new StringVal(if_uuid.to_string()));
-			// vl->append(new EnumVal(if_id, enum_dce_rpc_if_id));
+			// vl->append(new EnumVal(if_id, BifType::Enum::dce_rpc_if_id));
 
 			analyzer->ConnectionEvent(dce_rpc_bind, vl);
 			}
@@ -321,7 +321,7 @@ void DCE_RPC_Session::DeliverRequest(const binpac::DCE_RPC_Simple::DCE_RPC_PDU*
 		}
 
 	switch ( if_id ) {
-	case BroEnum::DCE_RPC_epmapper:
+	case BifEnum::DCE_RPC_epmapper:
 		DeliverEpmapperRequest(pdu, req);
 		break;
 
@@ -345,7 +345,7 @@ void DCE_RPC_Session::DeliverResponse(const binpac::DCE_RPC_Simple::DCE_RPC_PDU*
 		}
 
 	switch ( if_id ) {
-	case BroEnum::DCE_RPC_epmapper:
+	case BifEnum::DCE_RPC_epmapper:
 		DeliverEpmapperResponse(pdu, resp);
 		break;
 

src/DCE_RPC.h

@@ -91,7 +91,7 @@ class DCE_RPC_Header {
 public:
 	DCE_RPC_Header(Analyzer* a, const u_char* bytes);
 
-	BroEnum::dce_rpc_ptype PTYPE() const	{ return ptype; }
+	BifEnum::dce_rpc_ptype PTYPE() const	{ return ptype; }
 	int FragLen() const		{ return frag_len; }
 	int LittleEndian() const	{ return bytes[4] >> 4; }
 	bool Fragmented() const		{ return fragmented; }
@@ -102,7 +102,7 @@ public:
 protected:
 	Analyzer* analyzer;
 	const u_char* bytes;
-	BroEnum::dce_rpc_ptype ptype;
+	BifEnum::dce_rpc_ptype ptype;
 	int frag_len;
 	bool fragmented;
 };
@@ -138,7 +138,7 @@ protected:
 
 	Analyzer* analyzer;
 	UUID if_uuid;
-	BroEnum::dce_rpc_if_id if_id;
+	BifEnum::dce_rpc_if_id if_id;
 	int opnum;
 	struct {
 		dce_rpc_endpoint_addr addr;

src/DNS.h

@@ -267,7 +267,7 @@ public:
 					TCP_Endpoint* peer, int gen_event);
 	virtual int RewritingTrace()
 		{
-		return rewriting_dns_trace ||
+		return BifConst::rewriting_dns_trace ||
 			TCP_ApplicationAnalyzer::RewritingTrace();
 		}
 

src/FTP.h

@@ -16,7 +16,7 @@ public:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual int RewritingTrace()
 		{
-		return rewriting_ftp_trace ||
+		return BifConst::rewriting_ftp_trace ||
 			TCP_ApplicationAnalyzer::RewritingTrace();
 		}
 

src/Finger.h

@@ -18,7 +18,7 @@ public:
 	// Line-based input.
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual int RewritingTrace()
-		{ return rewriting_finger_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
+		{ return BifConst::rewriting_finger_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Finger_Analyzer(conn); }

src/Func.cc

@@ -496,6 +496,17 @@ void builtin_run_time(const char* msg, BroObj* arg)
 		run_time(msg, arg);
 	}
 
+#include "bro.bif.func_h"
+
+#include "common-rw.bif.func_h"
+#include "finger-rw.bif.func_h"
+#include "ftp-rw.bif.func_h"
+#include "http-rw.bif.func_h"
+#include "ident-rw.bif.func_h"
+#include "smtp-rw.bif.func_h"
+#include "strings.bif.func_h"
+#include "dns-rw.bif.func_h"
+
 #include "bro.bif.func_def"
 #include "strings.bif.func_def"
 
@@ -523,7 +534,7 @@ void init_builtin_funcs()
 
 bool check_built_in_call(BuiltinFunc* f, CallExpr* call)
 	{
-	if ( f->TheFunc() != bro_fmt )
+	if ( f->TheFunc() != BifFunc::bro_fmt )
 		return true;
 
 	const expr_list& args = call->Args()->Exprs();

src/HTTP.cc

@@ -633,7 +633,7 @@ void HTTP_Message::SetPlainDelivery(int length)
 	{
 	content_line->SetPlainDelivery(length);
 
-	if ( length > 0 && skip_http_data )
+	if ( length > 0 && BifConst::skip_http_data )
 		content_line->SkipBytesAfterThisLine(length);
 
 	if ( ! data_buffer )

src/HTTP.h

@@ -170,7 +170,7 @@ public:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void Undelivered(int seq, int len, bool orig);
 	virtual int RewritingTrace()
-		{ return rewriting_http_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
+		{ return BifConst::rewriting_http_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 
 	// Overriden from TCP_ApplicationAnalyzer
 	virtual void EndpointEOF(bool is_orig);

src/Ident.h

@@ -16,7 +16,7 @@ public:
 	virtual void DeliverStream(int length, const u_char* data, bool is_orig);
 	virtual int RewritingTrace()
 		{
-		return rewriting_ident_trace ||
+		return BifConst::rewriting_ident_trace ||
 			TCP_ApplicationAnalyzer::RewritingTrace();
 		}
 

src/Net.cc

@@ -346,7 +346,7 @@ void net_init(name_list& interfaces, name_list& readfiles,
 		transformed_pkt_dump =
 			new PacketDumper(pkt_dumper->PcapDumper());
 
-	if ( anonymize_ip_addr )
+	if ( BifConst::anonymize_ip_addr )
 		init_ip_addr_anonymizers();
 	else
 		for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i )

src/NetVar.cc

@@ -261,6 +261,7 @@ RecordType* script_id;
 TableType* id_table;
 
 #include "const.bif.netvar_def"
+#include "types.bif.netvar_def"
 #include "event.bif.netvar_def"
 
 void init_event_handlers()
@@ -316,6 +317,7 @@ void init_general_global_var()
 void init_net_var()
 	{
 #include "const.bif.netvar_init"
+#include "types.bif.netvar_init"
 
 	conn_id = internal_type("conn_id")->AsRecordType();
 	endpoint = internal_type("endpoint")->AsRecordType();

src/NetVar.h

@@ -271,6 +271,7 @@ extern void init_event_handlers();
 extern void init_net_var();
 
 #include "const.bif.netvar_h"
+#include "types.bif.netvar_h"
 #include "event.bif.netvar_h"
 
 #endif

src/Portmap.cc

@@ -288,7 +288,7 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, int status, Val* r
 		}
 	else
 		{
-		vl->append(new EnumVal(status, enum_rpc_status));
+		vl->append(new EnumVal(status, BifType::Enum::rpc_status));
 		if ( request )
 			vl->append(request);
 		}

src/PrefixTable.cc

@@ -99,8 +99,8 @@ void* PrefixTable::Lookup(const Val* value, bool exact) const
 		break;
 
 	default:
-		internal_error(fmt("Wrong index type %d for PrefixTable",
+		internal_error("Wrong index type %d for PrefixTable",
-					value->Type()->Tag()));
+		               value->Type()->Tag());
 		return 0;
 	}
 	}

src/RPC.cc

@@ -137,14 +137,14 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 		if ( ! buf )
 			return 0;
 
-		uint32 status = BroEnum::RPC_UNKNOWN_ERROR;
+		uint32 status = BifEnum::RPC_UNKNOWN_ERROR;
 
 		if ( reply_stat == RPC_MSG_ACCEPTED )
 			{
 			(void) skip_XDR_opaque_auth(buf, n);
 			uint32 accept_stat = extract_XDR_uint32(buf, n);
 
-			// The first members of BroEnum::RPC_* correspond
+			// The first members of BifEnum::RPC_* correspond
 			// to accept_stat.
 			if ( accept_stat <= RPC_SYSTEM_ERR )
 				status = accept_stat;
@@ -171,7 +171,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 			if ( reject_stat == RPC_MISMATCH )
 				{
 				// Note that RPC_MISMATCH == 0 == RPC_SUCCESS.
-				status = BroEnum::RPC_VERS_MISMATCH;
+				status = BifEnum::RPC_VERS_MISMATCH;
 
 				(void) extract_XDR_uint32(buf, n);
 				(void) extract_XDR_uint32(buf, n);
@@ -182,7 +182,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 
 			else if ( reject_stat == RPC_AUTH_ERROR )
 				{
-				status = BroEnum::RPC_AUTH_ERROR;
+				status = BifEnum::RPC_AUTH_ERROR;
 
 				(void) extract_XDR_uint32(buf, n);
 				if ( ! buf )
@@ -191,7 +191,7 @@ int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
 
 			else
 				{
-				status = BroEnum::RPC_UNKNOWN_ERROR;
+				status = BifEnum::RPC_UNKNOWN_ERROR;
 				Weird("bad_RPC");
 				}
 			}
@@ -264,7 +264,7 @@ void RPC_Interpreter::Timeout()
 
 	while ( (c = calls.NextEntry(cookie)) )
 		{
-		RPC_Event(c, BroEnum::RPC_TIMEOUT, 0);
+		RPC_Event(c, BifEnum::RPC_TIMEOUT, 0);
 		if ( c->IsValidCall() )
 			{
 			const u_char* buf;
@@ -276,7 +276,7 @@ void RPC_Interpreter::Timeout()
 			else
 				{
 				Event(event, c->TakeRequestVal(),
-					BroEnum::RPC_TIMEOUT, reply);
+					BifEnum::RPC_TIMEOUT, reply);
 				}
 			}
 		}

src/Reassem.cc

@@ -195,8 +195,10 @@ void Reassembler::Describe(ODesc* d) const
 	d->Add("reassembler");
 	}
 
-void Reassembler::Undelivered(int /* up_to_seq */)
+void Reassembler::Undelivered(int up_to_seq)
 	{
+	// TrimToSeq() expects this.
+	last_reassem_seq = up_to_seq;
 	}
 
 DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,

src/Reassem.h

@@ -11,7 +11,7 @@
 class DataBlock {
 public:
 	DataBlock(const u_char* data, int size, int seq,
-			DataBlock* next, DataBlock* prev);
+			DataBlock* prev, DataBlock* next);
 
 	~DataBlock();
 

src/RemoteSerializer.cc

@@ -544,6 +544,36 @@ void RemoteSerializer::Init()
 	initialized = 1;
 	}
 
+void RemoteSerializer::SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose)
+	{
+	int defsize = 0;
+	socklen_t len = sizeof(defsize);
+
+	if ( getsockopt(fd, SOL_SOCKET, opt, (void *)&defsize, &len) < 0 )
+		{
+		if ( verbose )
+			Log(LogInfo, fmt("warning: cannot get socket buffer size (%s): %s", what, strerror(errno)));
+		return;
+		}
+
+	for ( int trysize = size; trysize > defsize; trysize -= 1024 )
+		{
+		if ( setsockopt(fd, SOL_SOCKET, opt, &trysize, sizeof(trysize)) >= 0 )
+			{
+			if ( verbose )
+			    {
+			    if ( trysize == size )
+				    Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK", defsize / 1024, trysize / 1024));
+			    else
+				    Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK (%dK was requested)", defsize / 1024, trysize / 1024, size / 1024));
+			    }
+			return;
+			}
+		}
+
+	Log(LogInfo, fmt("warning: cannot increase %s socket buffer size from %dK (%dK was requested)", what, defsize / 1024, size / 1024));
+	}
+
 void RemoteSerializer::Fork()
 	{
 	if ( child_pid )
@@ -562,25 +592,11 @@ void RemoteSerializer::Fork()
 		return;
 		}
 
-	int bufsize;
+	// Try to increase the size of the socket send and receive buffers.
-	socklen_t len = sizeof(bufsize);
+	SetSocketBufferSize(pipe[0], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 1);
-
+	SetSocketBufferSize(pipe[0], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0);
-	if ( getsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF, &bufsize, &len ) < 0 )
+	SetSocketBufferSize(pipe[1], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 0);
-		Log(LogInfo, fmt("warning: cannot get socket buffer size: %s", strerror(errno)));
+	SetSocketBufferSize(pipe[1], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0);
-	else
-		Log(LogInfo, fmt("pipe's socket buffer size is %d, setting to %d", bufsize, SOCKBUF_SIZE));
-
-	bufsize = SOCKBUF_SIZE;
-
-	if ( setsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF,
-			&bufsize, sizeof(bufsize) ) < 0 ||
-	     setsockopt(pipe[0], SOL_SOCKET, SO_RCVBUF,
-			&bufsize, sizeof(bufsize) ) < 0 ||
-	     setsockopt(pipe[1], SOL_SOCKET, SO_SNDBUF,
-			&bufsize, sizeof(bufsize) ) < 0 ||
-	     setsockopt(pipe[1], SOL_SOCKET, SO_RCVBUF,
-			&bufsize, sizeof(bufsize) ) < 0 )
-		Log(LogInfo, fmt("warning: cannot set socket buffer size to %dK: %s", bufsize / 1024, strerror(errno)));
 
 	child_pid = 0;
 
@@ -1500,13 +1516,13 @@ bool RemoteSerializer::DoMessage()
 		{
 		// We shut the connection to this peer down,
 		// so we ignore all further messages.
-		DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%d",
+		DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%" PRI_SOURCE_ID,
 					msgToStr(current_msgtype),
 					current_peer ? current_peer->id : 0));
 		return true;
 		}
 
-	DEBUG_COMM(fmt("parent: %s from child; peer is #%d",
+	DEBUG_COMM(fmt("parent: %s from child; peer is #%" PRI_SOURCE_ID,
 			msgToStr(current_msgtype),
 			current_peer ? current_peer->id : 0));
 
@@ -2603,7 +2619,7 @@ bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer)
 
 bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len)
 	{
-	DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str));
+	DEBUG_COMM(fmt("parent: (->child) %s (#%" PRI_SOURCE_ID ", %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str));
 
 	if ( ! child_pid )
 		return false;
@@ -2627,7 +2643,7 @@ bool RemoteSerializer::SendToChild(char type, Peer* peer, int nargs, ...)
 
 #ifdef DEBUG
 	va_start(ap, nargs);
-	DEBUG_COMM(fmt("parent: (->child) %s (#%d,%s)",
+	DEBUG_COMM(fmt("parent: (->child) %s (#%" PRI_SOURCE_ID ",%s)",
 			msgToStr(type), peer ? peer->id : PEER_NONE, fmt_uint32s(nargs, ap)));
 	va_end(ap);
 #endif
@@ -2708,7 +2724,7 @@ void RemoteSerializer::InternalCommError(const char* msg)
 #ifdef DEBUG_COMMUNICATION
 	DumpDebugData();
 #else
-	internal_error(msg);
+	internal_error("%s", msg);
 #endif
 	}
 
@@ -3058,7 +3074,7 @@ bool SocketComm::ProcessParentMessage()
 			}
 
 		default:
-			internal_error(fmt("unknown msg type %d", parent_msgtype));
+			internal_error("unknown msg type %d", parent_msgtype);
 			return true;
 		}
 
@@ -3228,7 +3244,7 @@ bool SocketComm::ForwardChunkToPeer()
 		{
 #ifdef DEBUG
 		if ( parent_peer )
-			DEBUG_COMM(fmt("child: not connected to #%d", parent_id));
+			DEBUG_COMM(fmt("child: not connected to #%" PRI_SOURCE_ID, parent_id));
 #endif
 		}
 
@@ -3311,7 +3327,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer)
 
 		CMsg* msg = (CMsg*) c->data;
 
-		DEBUG_COMM(fmt("child: %s from peer #%d",
+		DEBUG_COMM(fmt("child: %s from peer #%" PRI_SOURCE_ID,
 				msgToStr(msg->Type()), peer->id));
 
 		switch ( msg->Type() ) {
@@ -3566,6 +3582,7 @@ bool SocketComm::Listen(uint32 ip, uint16 port, bool expect_ssl)
 	if ( bind(*listen_fd, (sockaddr*) &server, sizeof(server)) < 0 )
 		{
 		Error(fmt("can't bind to port %d, %s", port, strerror(errno)));
+		close(*listen_fd);
 		*listen_fd = -1;
 
 		if ( errno == EADDRINUSE )
@@ -3788,7 +3805,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, const char* str, int len)
 #ifdef DEBUG
 	// str  may already by constructed with fmt()
 	const char* tmp = copy_string(str);
-	DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp));
+	DEBUG_COMM(fmt("child: (->parent) %s (#%" PRI_SOURCE_ID ", %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp));
 	delete [] tmp;
 #endif
 	if ( sendToIO(io, type, peer ? peer->id : RemoteSerializer::PEER_NONE,
@@ -3807,7 +3824,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, int nargs, ...)
 
 #ifdef DEBUG
 	va_start(ap,nargs);
-	DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap)));
+	DEBUG_COMM(fmt("child: (->parent) %s (#%" PRI_SOURCE_ID ",%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap)));
 	va_end(ap);
 #endif
 
@@ -3843,7 +3860,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, const char* str, int len)
 #ifdef DEBUG
 	// str  may already by constructed with fmt()
 	const char* tmp = copy_string(str);
-	DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), peer->id, tmp));
+	DEBUG_COMM(fmt("child: (->peer) %s to #%" PRI_SOURCE_ID " (%s)", msgToStr(type), peer->id, tmp));
 	delete [] tmp;
 #endif
 
@@ -3862,7 +3879,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...)
 
 #ifdef DEBUG
 	va_start(ap,nargs);
-	DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)",
+	DEBUG_COMM(fmt("child: (->peer) %s to #%" PRI_SOURCE_ID " (%s)",
 			msgToStr(type), peer->id, fmt_uint32s(nargs, ap)));
 	va_end(ap);
 #endif
@@ -3883,7 +3900,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...)
 
 bool SocketComm::SendToPeer(Peer* peer, ChunkedIO::Chunk* c)
 	{
-	DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, peer->id));
+	DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%" PRI_SOURCE_ID, c->len, peer->id));
 	if ( ! sendToIO(peer->io, c) )
 		{
 		Error(fmt("child: write error %s", io->Error()), peer);

src/RemoteSerializer.h

@@ -297,6 +297,8 @@ protected:
 	bool SendToChild(char type, Peer* peer, int nargs, ...); // can send uints32 only
 	bool SendToChild(ChunkedIO::Chunk* c);
 
+	void SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose);
+
 private:
 	enum { TYPE, ARGS } msgstate;	// current state of reading comm.
 	Peer* current_peer;

src/SMB.cc

@@ -166,7 +166,7 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data)
 			const u_char* tmp = data_start + next;
 			if ( data_start + next < data + body.length() )
 				{
-				Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %d", next, data + body.length() - data_start));
+				Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %" PRIuPTR, next, data + body.length() - data_start));
 				break;
 				}
 

src/SMB.h

@@ -206,7 +206,7 @@ public:
 			DCE_RPC_Session::any_dce_rpc_event();
 		}
 
-	int RewritingTrace()	{ return rewriting_smb_trace; }
+	int RewritingTrace()	{ return BifConst::rewriting_smb_trace; }
 
 protected:
 	SMB_Session* smb_session;

src/SMTP.h

@@ -47,7 +47,7 @@ public:
 	virtual void ConnectionFinished(int half_finished);
 	virtual void Undelivered(int seq, int len, bool orig);
 	virtual int RewritingTrace()
-		{ return rewriting_smtp_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
+		{ return BifConst::rewriting_smtp_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
 
 	void SkipData()	{ skip_data = 1; }	// skip delivery of data lines
 

src/SSLCiphers.cc

@@ -319,52 +319,52 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 		168,
 		160
 	},
-	{ TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
+	{ TLS_DH_anon_EXPORT_WITH_RC4_40_MD5,
 		SSL_CIPHER_TYPE_STREAM,
 		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_RC4,
 		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_DH_ANON_EXPORT,
+		SSL_KEY_EXCHANGE_DH_anon_EXPORT,
 		0,
 		40,
 		128
 	},
-	{ TLS_DH_ANON_WITH_RC4_128_MD5,
+	{ TLS_DH_anon_WITH_RC4_128_MD5,
 		SSL_CIPHER_TYPE_STREAM,
 		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_RC4,
 		SSL_MAC_MD5,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		128,
 		128
 	},
-	{ TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+	{ TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
 		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_DES40,
 		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		40,
 		160
 	},
-	{ TLS_DH_ANON_WITH_DES_CBC_SHA,
+	{ TLS_DH_anon_WITH_DES_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
 		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_DES,
 		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		56,
 		160
 	},
-	{ TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
+	{ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
 		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_3DES,
 		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		168,
 		160
@@ -389,16 +389,48 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 		96,
 		160
 	},
-	{ SSL_FORTEZZA_KEA_WITH_RC4_128_SHA,
+	
-		SSL_CIPHER_TYPE_STREAM,
+	{ SSL_RSA_WITH_RC2_CBC_MD5,
-		SSL_FLAG_SSLv30,
+		SSL_CIPHER_TYPE_BLOCK,
-		SSL_CIPHER_RC4,
+		SSL_FLAG_SSLv20,
-		SSL_MAC_SHA,
+		SSL_CIPHER_RC2,
-		SSL_KEY_EXCHANGE_FORTEZZA_KEA,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		56,
+		160
+	},
+	{ SSL_RSA_WITH_IDEA_CBC_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_IDEA,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
 		0,
 		128,
 		160
 	},
+	{ SSL_RSA_WITH_DES_CBC_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_DES,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		56,
+		160
+	},
+	{ SSL_RSA_WITH_3DES_EDE_CBC_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_3DES,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		168,
+		160
+	},
+	
 	// --- special SSLv3 FIPS ciphers
 	{ SSL_RSA_FIPS_WITH_DES_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
@@ -522,12 +554,12 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 		128,
 		160
 	},
-	{ TLS_DH_ANON_WITH_AES_128_CBC_SHA,
+	{ TLS_DH_anon_WITH_AES_128_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
 		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_AES,
 		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		128,
 		160
@@ -582,16 +614,459 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 		256,
 		160
 	},
-	{ TLS_DH_ANON_WITH_AES_256_CBC_SHA,
+	{ TLS_DH_anon_WITH_AES_256_CBC_SHA,
 		SSL_CIPHER_TYPE_BLOCK,
 		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 		SSL_CIPHER_AES,
 		SSL_MAC_SHA,
-		SSL_KEY_EXCHANGE_DH_ANON,
+		SSL_KEY_EXCHANGE_DH_anon,
 		0,
 		256,
 		160
-	}
+	},
+	{ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_DSS,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS,
+		0,
+		128,
+		160
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_anon,
+		0,
+		128,
+		160
+	},
+	{ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_DSS,
+		0,
+		256,
+		160
+	},
+	{ TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS,
+		0,
+		256,
+		160
+	},
+	{ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_CAMELLIA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_anon,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+		0,
+		168,
+		160
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+		0,
+		0,
+		160
+	},
+	{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_RSA,
+		0,
+		168,
+		160
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDHE_RSA_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_RSA,
+		0,
+		0,
+		160
+	},
+	{ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDHE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_ECDSA,
+		0,
+		168,
+		160
+	},
+	{ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_ECDSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_ECDSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDH_ECDSA_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_ECDSA,
+		0,
+		0,
+		160
+	},
+	{ TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_ECDSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_RSA,
+		0,
+		168,
+		160
+	},
+	{ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDH_RSA_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_RSA,
+		0,
+		0,
+		160
+	},
+	{ TLS_ECDH_RSA_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_anon,
+		0,
+		168,
+		160
+	},
+	{ TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_anon,
+		0,
+		128,
+		160
+	},
+	{ TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_anon,
+		0,
+		256,
+		160
+	},
+	{ TLS_ECDH_anon_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_anon,
+		0,
+		0,
+		160
+	},
+	{ TLS_ECDH_anon_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_ECDH_anon,
+		0,
+		128,
+		160
+	},
+	{ TLS_RSA_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_DSS_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_DSS,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_RSA_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DHE_DSS_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS,
+		0,
+		128,
+		160
+	},
+	{ TLS_DHE_RSA_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_anon_WITH_SEED_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_SEED,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_anon,
+		0,
+		128,
+		160
+	},
+	
+	{ TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+		SSL_CIPHER_TYPE_NULL,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_NULL,
+		SSL_KEY_EXCHANGE_NULL,
+		0,
+		0,
+		0
+	},
+	
+	
 };
 
 const uint SSL_CipherSpecs_Count =

src/SSLCiphers.h

@@ -12,14 +12,14 @@
  */
 enum SSLv2_CipherSpec {
 	// --- standard SSLv2 ciphers
-	SSL_CK_RC4_128_WITH_MD5              = 0x010080,
+	SSL_CK_RC4_128_WITH_MD5                  = 0x010080,
-	SSL_CK_RC4_128_EXPORT40_WITH_MD5     = 0x020080,
+	SSL_CK_RC4_128_EXPORT40_WITH_MD5         = 0x020080,
-	SSL_CK_RC2_128_CBC_WITH_MD5          = 0x030080,
+	SSL_CK_RC2_128_CBC_WITH_MD5              = 0x030080,
-	SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080,
+	SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5     = 0x040080,
-	SSL_CK_IDEA_128_CBC_WITH_MD5         = 0x050080,
+	SSL_CK_IDEA_128_CBC_WITH_MD5             = 0x050080,
-	SSL_CK_DES_64_CBC_WITH_MD5           = 0x060040,
+	SSL_CK_DES_64_CBC_WITH_MD5               = 0x060040,
-	SSL_CK_DES_192_EDE3_CBC_WITH_MD5     = 0x0700C0,
+	SSL_CK_DES_192_EDE3_CBC_WITH_MD5         = 0x0700C0,
-	SSL_CK_RC4_64_WITH_MD5		     = 0x080080
+	SSL_CK_RC4_64_WITH_MD5                   = 0x080080
 };
 
 
@@ -28,60 +28,245 @@ enum SSLv2_CipherSpec {
  */
 enum SSL3_1_CipherSpec {
 	// --- standard SSLv3x ciphers
-	TLS_NULL_WITH_NULL_NULL                = 0x0000,
+	TLS_NULL_WITH_NULL_NULL                  = 0x0000,
-	TLS_RSA_WITH_NULL_MD5                  = 0x0001,
+	TLS_RSA_WITH_NULL_MD5                    = 0x0001,
-	TLS_RSA_WITH_NULL_SHA                  = 0x0002,
+	TLS_RSA_WITH_NULL_SHA                    = 0x0002,
-	TLS_RSA_EXPORT_WITH_RC4_40_MD5         = 0x0003,
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5           = 0x0003,
-	TLS_RSA_WITH_RC4_128_MD5               = 0x0004,
+	TLS_RSA_WITH_RC4_128_MD5                 = 0x0004,
-	TLS_RSA_WITH_RC4_128_SHA               = 0x0005,
+	TLS_RSA_WITH_RC4_128_SHA                 = 0x0005,
-	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5     = 0x0006,
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5       = 0x0006,
-	TLS_RSA_WITH_IDEA_CBC_SHA              = 0x0007,
+	TLS_RSA_WITH_IDEA_CBC_SHA                = 0x0007,
-	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA      = 0x0008,
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA        = 0x0008,
-	TLS_RSA_WITH_DES_CBC_SHA               = 0x0009,
+	TLS_RSA_WITH_DES_CBC_SHA                 = 0x0009,
-	TLS_RSA_WITH_3DES_EDE_CBC_SHA          = 0x000A,
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA            = 0x000A,
-	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA   = 0x000B,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA     = 0x000B,
-	TLS_DH_DSS_WITH_DES_CBC_SHA            = 0x000C,
+	TLS_DH_DSS_WITH_DES_CBC_SHA              = 0x000C,
-	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA       = 0x000D,
+	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA         = 0x000D,
-	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA   = 0x000E,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA     = 0x000E,
-	TLS_DH_RSA_WITH_DES_CBC_SHA            = 0x000F,
+	TLS_DH_RSA_WITH_DES_CBC_SHA              = 0x000F,
-	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA       = 0x0010,
+	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA         = 0x0010,
-	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  = 0x0011,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA    = 0x0011,
-	TLS_DHE_DSS_WITH_DES_CBC_SHA           = 0x0012,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA             = 0x0012,
-	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA      = 0x0013,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA        = 0x0013,
-	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  = 0x0014,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA    = 0x0014,
-	TLS_DHE_RSA_WITH_DES_CBC_SHA           = 0x0015,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA             = 0x0015,
-	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA      = 0x0016,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        = 0x0016,
-	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5     = 0x0017,
+	TLS_DH_anon_EXPORT_WITH_RC4_40_MD5       = 0x0017,
-	TLS_DH_ANON_WITH_RC4_128_MD5           = 0x0018,
+	TLS_DH_anon_WITH_RC4_128_MD5             = 0x0018,
-	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA  = 0x0019,
+	TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA    = 0x0019,
-	TLS_DH_ANON_WITH_DES_CBC_SHA           = 0x001A,
+	TLS_DH_anon_WITH_DES_CBC_SHA             = 0x001A,
-	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA      = 0x001B,
+	TLS_DH_anon_WITH_3DES_EDE_CBC_SHA        = 0x001B,
 	// --- special SSLv3 ciphers            
-	SSL_FORTEZZA_KEA_WITH_NULL_SHA         = 0x001C,
+	SSL_FORTEZZA_KEA_WITH_NULL_SHA           = 0x001C,
-	SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D,
+	SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA   = 0x001D,
-	SSL_FORTEZZA_KEA_WITH_RC4_128_SHA      = 0x001E,
+	//SSL_FORTEZZA_KEA_WITH_RC4_128_SHA        = 0x001E,
-	// --- special SSLv3 FIPS ciphers
+	// -- RFC 2712 (ciphers not fully described in SSLCiphers.cc)
-	SSL_RSA_FIPS_WITH_DES_CBC_SHA		   = 0xFEFE,
+	TLS_KRB5_WITH_DES_CBC_SHA                = 0x001E,
-	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA	   = 0XFEFF,
+	TLS_KRB5_WITH_3DES_EDE_CBC_SHA           = 0x001F,
-	// --- new 56 bit export ciphers
+	TLS_KRB5_WITH_RC4_128_SHA                = 0x0020,
-	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     = 0x0062,
+	TLS_KRB5_WITH_IDEA_CBC_SHA               = 0x0021,
-	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      = 0x0064,
+	TLS_KRB5_WITH_DES_CBC_MD5                = 0x0022,
-	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063,
+	TLS_KRB5_WITH_3DES_EDE_CBC_MD5           = 0x0023,
-	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  = 0x0065,
+	TLS_KRB5_WITH_RC4_128_MD5                = 0x0024,
-	TLS_DHE_DSS_WITH_RC4_128_SHA            = 0x0066,
+	TLS_KRB5_WITH_IDEA_CBC_MD5               = 0x0025,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA      = 0x0026,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA      = 0x0027,
+	TLS_KRB5_EXPORT_WITH_RC4_40_SHA          = 0x0028,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5      = 0x0029,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5      = 0x002A,
+	TLS_KRB5_EXPORT_WITH_RC4_40_MD5          = 0x002B,
+	
 	// --- new AES ciphers
-	TLS_RSA_WITH_AES_128_CBC_SHA      = 0x002F,
+	TLS_RSA_WITH_AES_128_CBC_SHA             = 0x002F,
-	TLS_DH_DSS_WITH_AES_128_CBC_SHA   = 0x0030,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA          = 0x0030,
-	TLS_DH_RSA_WITH_AES_128_CBC_SHA   = 0x0031,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA          = 0x0031,
-	TLS_DHE_DSS_WITH_AES_128_CBC_SHA  = 0x0032,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA         = 0x0032,
-	TLS_DHE_RSA_WITH_AES_128_CBC_SHA  = 0x0033,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA         = 0x0033,
-	TLS_DH_ANON_WITH_AES_128_CBC_SHA  = 0x0034,
+	TLS_DH_anon_WITH_AES_128_CBC_SHA         = 0x0034,
-	TLS_RSA_WITH_AES_256_CBC_SHA      = 0x0035,
+	TLS_RSA_WITH_AES_256_CBC_SHA             = 0x0035,
-	TLS_DH_DSS_WITH_AES_256_CBC_SHA   = 0x0036,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA          = 0x0036,
-	TLS_DH_RSA_WITH_AES_256_CBC_SHA   = 0x0037,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA          = 0x0037,
-	TLS_DHE_DSS_WITH_AES_256_CBC_SHA  = 0x0038,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA         = 0x0038,
-	TLS_DHE_RSA_WITH_AES_256_CBC_SHA  = 0x0039,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA         = 0x0039,
-	TLS_DH_ANON_WITH_AES_256_CBC_SHA  = 0x003A
+	TLS_DH_anon_WITH_AES_256_CBC_SHA         = 0x003A,
+	TLS_RSA_WITH_NULL_SHA256                 = 0x003B,
+	TLS_RSA_WITH_AES_128_CBC_SHA256          = 0x003C,
+	TLS_RSA_WITH_AES_256_CBC_SHA256          = 0x003D,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA256       = 0x003E,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA256       = 0x003F,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256      = 0x0040,
+	// -- RFC 4132
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA        = 0x0041,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA     = 0x0042,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA     = 0x0043,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA    = 0x0044,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA    = 0x0045,
+	TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA    = 0x0046,
+	// -- Non-RFC.  Widely deployed implementation (ciphers not fully described in SSLCiphers.cc)
+	TLS_RSA_EXPORT1024_WITH_RC4_56_MD5       = 0x0060,
+	TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5   = 0x0061,
+	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA      = 0x0062,
+	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA  = 0x0063,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA       = 0x0064,
+	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA   = 0x0065,
+	TLS_DHE_DSS_WITH_RC4_128_SHA             = 0x0066,
+	// -- RFC 5246 (ciphers not fully described in SSLCiphers.cc)
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      = 0x0067,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA256       = 0x0068,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA256       = 0x0069,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256      = 0x006A,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      = 0x006B,
+	TLS_DH_anon_WITH_AES_128_CBC_SHA256      = 0x006C,
+	TLS_DH_anon_WITH_AES_256_CBC_SHA256      = 0x006D,
+	// -- RFC 5932
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA        = 0x0084,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA     = 0x0085,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA     = 0x0086,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA    = 0x0087,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA    = 0x0088,
+	TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA    = 0x0089,
+	// -- RFC 4279 (ciphers not fully described in SSLCiphers.cc)
+	TLS_PSK_WITH_RC4_128_SHA                 = 0x008A,
+	TLS_PSK_WITH_3DES_EDE_CBC_SHA            = 0x008B,
+	TLS_PSK_WITH_AES_128_CBC_SHA             = 0x008C,
+	TLS_PSK_WITH_AES_256_CBC_SHA             = 0x008D,
+	TLS_DHE_PSK_WITH_RC4_128_SHA             = 0x008E,
+	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA        = 0x008F,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA         = 0x0090,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA         = 0x0091,
+	TLS_RSA_PSK_WITH_RC4_128_SHA             = 0x0092,
+	TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA        = 0x0093,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA         = 0x0094,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA         = 0x0095,
+	// -- RFC 4162
+	TLS_RSA_WITH_SEED_CBC_SHA                = 0x0096,
+	TLS_DH_DSS_WITH_SEED_CBC_SHA             = 0x0097,
+	TLS_DH_RSA_WITH_SEED_CBC_SHA             = 0x0098,
+	TLS_DHE_DSS_WITH_SEED_CBC_SHA            = 0x0099,
+	TLS_DHE_RSA_WITH_SEED_CBC_SHA            = 0x009A,
+	TLS_DH_anon_WITH_SEED_CBC_SHA            = 0x009B,
+	// -- RFC 5288 (ciphers not fully described in SSLCiphers.cc)
+	TLS_RSA_WITH_AES_128_GCM_SHA256          = 0x009C,
+	TLS_RSA_WITH_AES_256_GCM_SHA384          = 0x009D,
+	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      = 0x009E,
+	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      = 0x009F,
+	TLS_DH_RSA_WITH_AES_128_GCM_SHA256       = 0x00A0,
+	TLS_DH_RSA_WITH_AES_256_GCM_SHA384       = 0x00A1,
+	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256      = 0x00A2,
+	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384      = 0x00A3,
+	TLS_DH_DSS_WITH_AES_128_GCM_SHA256       = 0x00A4,
+	TLS_DH_DSS_WITH_AES_256_GCM_SHA384       = 0x00A5,
+	TLS_DH_anon_WITH_AES_128_GCM_SHA256      = 0x00A6,
+	TLS_DH_anon_WITH_AES_256_GCM_SHA384      = 0x00A7,
+    // -- RFC 5487 (ciphers not fully described in SSLCiphers.cc)
+	TLS_PSK_WITH_AES_128_GCM_SHA256          = 0x00A8,
+	TLS_PSK_WITH_AES_256_GCM_SHA384          = 0x00A9,
+	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256      = 0x00AA,
+	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384      = 0x00AB,
+	TLS_RSA_PSK_WITH_AES_128_GCM_SHA256      = 0x00AC,
+	TLS_RSA_PSK_WITH_AES_256_GCM_SHA384      = 0x00AD,
+	TLS_PSK_WITH_AES_128_CBC_SHA256          = 0x00AE,
+	TLS_PSK_WITH_AES_256_CBC_SHA384          = 0x00AF,
+	TLS_PSK_WITH_NULL_SHA256                 = 0x00B0,
+	TLS_PSK_WITH_NULL_SHA384                 = 0x00B1,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256      = 0x00B2,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384      = 0x00B3,
+	TLS_DHE_PSK_WITH_NULL_SHA256             = 0x00B4,
+	TLS_DHE_PSK_WITH_NULL_SHA384             = 0x00B5,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA256      = 0x00B6,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA384      = 0x00B7,
+	TLS_RSA_PSK_WITH_NULL_SHA256             = 0x00B8,
+	TLS_RSA_PSK_WITH_NULL_SHA384             = 0x00B9,
+	// -- RFC 5932 (ciphers not fully described in SSLCiphers.cc)
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256     = 0x00BA,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256  = 0x00BB,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256  = 0x00BC,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE,
+	TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256     = 0x00C0,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256  = 0x00C1,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256  = 0x00C2,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4,
+	TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,
+	// -- RFC 4492
+	TLS_ECDH_ECDSA_WITH_NULL_SHA             = 0xC001,
+	TLS_ECDH_ECDSA_WITH_RC4_128_SHA          = 0xC002,
+	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA     = 0xC003,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA      = 0xC004,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA      = 0xC005,
+	TLS_ECDHE_ECDSA_WITH_NULL_SHA            = 0xC006,
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA         = 0xC007,
+	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA    = 0xC008,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     = 0xC009,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     = 0xC00A,
+	TLS_ECDH_RSA_WITH_NULL_SHA               = 0xC00B,
+	TLS_ECDH_RSA_WITH_RC4_128_SHA            = 0xC00C,
+	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA       = 0xC00D,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA        = 0xC00E,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA        = 0xC00F,
+	TLS_ECDHE_RSA_WITH_NULL_SHA              = 0xC010,
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA           = 0xC011,
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA      = 0xC012,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       = 0xC013,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       = 0xC014,
+	TLS_ECDH_anon_WITH_NULL_SHA              = 0xC015,
+	TLS_ECDH_anon_WITH_RC4_128_SHA           = 0xC016,
+	TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA      = 0xC017,
+	TLS_ECDH_anon_WITH_AES_128_CBC_SHA       = 0xC018,
+	TLS_ECDH_anon_WITH_AES_256_CBC_SHA       = 0xC019,
+	// -- RFC 5054 (ciphers not fully described in SSLCiphers.cc)
+	TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA        = 0xC01A,
+	TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA    = 0xC01B,
+	TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA    = 0xC01C,
+	TLS_SRP_SHA_WITH_AES_128_CBC_SHA         = 0xC01D,
+	TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA     = 0xC01E,
+	TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA     = 0xC01F,
+	TLS_SRP_SHA_WITH_AES_256_CBC_SHA         = 0xC020,
+	TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA     = 0xC021,
+	TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA     = 0xC022,
+	// -- RFC 5289 (ciphers not fully described in SSLCiphers.cc)
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  = 0xC023,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  = 0xC024,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   = 0xC025,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   = 0xC026,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    = 0xC027,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    = 0xC028,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256     = 0xC029,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384     = 0xC02A,
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  = 0xC02B,
+	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  = 0xC02C,
+	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   = 0xC02D,
+	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   = 0xC02E,
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    = 0xC02F,
+	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    = 0xC030,
+	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     = 0xC031,
+	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     = 0xC032,
+	// -- RFC 5489 (ciphers not fully described in SSLCiphers.cc)
+	TLS_ECDHE_PSK_WITH_RC4_128_SHA           = 0xC033,
+	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA      = 0xC034,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA       = 0xC035,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA       = 0xC036,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    = 0xC037,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384    = 0xC038,
+	TLS_ECDHE_PSK_WITH_NULL_SHA              = 0xC039,
+	TLS_ECDHE_PSK_WITH_NULL_SHA256           = 0xC03A,
+	TLS_ECDHE_PSK_WITH_NULL_SHA384           = 0xC03B,
+	
+	// --- special SSLv3 FIPS ciphers
+	SSL_RSA_FIPS_WITH_DES_CBC_SHA            = 0xFEFE,
+	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA       = 0xFEFF,
+	SSL_RSA_FIPS_WITH_DES_CBC_SHA_2          = 0xFFE1,
+	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2     = 0xFFE0,
+
+	// Tags for SSL 2 cipher kinds which are not specified for SSL 3. 
+	SSL_RSA_WITH_RC2_CBC_MD5                 = 0xFF80,
+	SSL_RSA_WITH_IDEA_CBC_MD5                = 0xFF81,
+	SSL_RSA_WITH_DES_CBC_MD5                 = 0xFF82,
+	SSL_RSA_WITH_3DES_EDE_CBC_MD5            = 0xFF83,
+	
+	TLS_EMPTY_RENEGOTIATION_INFO_SCSV        = 0x00FF,
 };
 
 enum SSL_CipherType {
@@ -99,7 +284,9 @@ enum SSL_BulkCipherAlgorithm {
 	SSL_CIPHER_DES40,
 	SSL_CIPHER_FORTEZZA,
 	SSL_CIPHER_IDEA,
-	SSL_CIPHER_AES
+	SSL_CIPHER_AES,
+	SSL_CIPHER_CAMELLIA,
+	SSL_CIPHER_SEED,
 };
 
 enum SSL_MACAlgorithm {
@@ -121,12 +308,18 @@ enum SSL_KeyExchangeAlgorithm {
 	SSL_KEY_EXCHANGE_DHE_DSS_EXPORT,
 	SSL_KEY_EXCHANGE_DHE_RSA,
 	SSL_KEY_EXCHANGE_DHE_RSA_EXPORT,
-	SSL_KEY_EXCHANGE_DH_ANON,
+	SSL_KEY_EXCHANGE_DH_anon,
-	SSL_KEY_EXCHANGE_DH_ANON_EXPORT,
+	SSL_KEY_EXCHANGE_DH_anon_EXPORT,
 	SSL_KEY_EXCHANGE_FORTEZZA_KEA,
 	// --- new 56 bit export ciphers
 	SSL_KEY_EXCHANGE_RSA_EXPORT1024,
-	SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024
+	SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024,
+	// -- Elliptic Curve key change algorithms (rfc4492)
+	SSL_KEY_EXCHANGE_ECDH_ECDSA,
+	SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+	SSL_KEY_EXCHANGE_ECDH_RSA,
+	SSL_KEY_EXCHANGE_ECDHE_RSA,
+	SSL_KEY_EXCHANGE_ECDH_anon,
 };
 
 #if 0

src/SSLProxy.cc

@@ -174,7 +174,6 @@ bool SSL_RecordBuilder::addSegment(const u_char* data, int length)
 			if ( ! computeExpectedSize(data, length) )
 				return false;
 
-			// Insert weird here replacing assert.
 			if ( neededSize > expectedSize )
 				{
 				sslEndpoint->Weird("SSL_RecordBuilder::addSegment neededSize > expectedSize");
@@ -277,8 +276,7 @@ bool SSL_RecordBuilder::addSegment(const u_char* data, int length)
 		else if ( currentSize + length < expectedSize )
 			{ // another (middle) segment
 			if ( length <= MIN_FRAGMENT_SIZE )
-				sslEndpoint->Parent()->Weird( "SSLProxy: Excessive small TCP Segment!" );
+				sslEndpoint->Parent()->Weird("SSLProxy: Excessive small TCP Segment!");
-
 			addData(data, length);
 			break;
 			}

src/SSLv3.cc

@@ -195,7 +195,7 @@ void SSLv3_Interpreter::printStats()
 	printf( "SSLv3x:\n" );
 	printf( "Note: Because handshake messages may be coalesced into a \n");
 	printf( "      single SSLv3x record, the number of total messages for SSLv3x plus \n");
-	printf( "      the number of total records seen for SSLv2 won't match \n");
+	printf( "      the number of total records seen for SSLv3 won't match \n");
 	printf( "      SSLProxy_Analyzer::totalRecords! \n");
 	printf( "total connections			= %u\n", totalConnections );
 	printf( "opened connections (complete handshake)	= %u\n", openedConnections );
@@ -383,84 +383,71 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 
 		case SSL3_1_CERTIFICATE:
 			{
-			if ( rec->length >= 3 )
+			const u_char* pData = rec->data;
+			uint32 certListLength =
+				uint32((pData[4] << 16) |
+				       pData[5] << 8) | pData[6];
+			
+			// Sum of all cert sizes has to match
+			// certListLength.
+			uint tempLength = 0;
+			uint certCount = 0;
+			while ( tempLength < certListLength )
 				{
-				const u_char* pData = rec->data;
+				if ( tempLength + 3 <= certListLength )
-				uint32 certListLength =
-					uint32((pData[4] << 16) |
-					       pData[5] << 8) | pData[6];
-
-				// Size consistency checks.
-				if ( certListLength + 3 != uint32(rec->length) )
 					{
-					if ( rec->endp->IsOrig() )
+					++certCount;
-						Weird("SSLv3x: Corrupt length field in client certificate list!");
+					uint32 certLength =
-					else
+						uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9];
-						Weird("SSLv3x: Corrupt length field in server certificate list!");
+					tempLength += certLength + 3;
-					return;
-					}
-
-				// Sum of all cert sizes has to match
-				// certListLength.
-				uint tempLength = 0;
-				uint certCount = 0;
-				while ( tempLength < certListLength )
-					{
-					if ( tempLength + 3 <= certListLength )
-						{
-						++certCount;
-						uint32 certLength =
-							uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9];
-						tempLength += certLength + 3;
-						}
-					else
-						{
-						Weird("SSLv3x: Corrupt length field in certificate list!");
-						return;
-						}
-					}
-
-				if ( tempLength > certListLength )
-					{
-					Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain");
-					return;
-					}
-
-				SSL_InterpreterEndpoint* pEp =
-					(SSL_InterpreterEndpoint*) rec->endp;
-
-				if ( certCount == 0 )
-					{ // we don't have a certificate...
-					if ( rec->endp->IsOrig() )
-						{
-						Weird("SSLv3x: Client certificate is missing!");
-						break;
-						}
-					else
-						{
-						Weird("SSLv3x: Server certificate is missing!");
-						break;
-						}
-					}
-
-				if ( certCount > 1 )
-					{ // we have a chain
-					analyzeCertificate(pEp,
-						rec->data + 7,
-						certListLength, 1, true);
 					}
 				else
 					{
-					// We have a single certificate.
+					Weird("SSLv3x: Corrupt length field in certificate list!");
-					// FIXME.
+					return;
-					analyzeCertificate(pEp,
-						rec->data + 10,
-						certListLength-3, 1, false);
 					}
+				}
 
+			if ( tempLength > certListLength )
+				{
+				Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain");
+				return;
+				}
+
+			SSL_InterpreterEndpoint* pEp =
+				(SSL_InterpreterEndpoint*) rec->endp;
+
+			if ( certCount == 0 )
+				{ 
+				// we don't have a certificate, but this is valid
+				// according to RFC2246
+				if ( rec->endp->IsOrig() )
+					{
+					Weird("SSLv3x: Client certificate is missing!");
+					break;
+					}
+				else
+					{
+					Weird("SSLv3x: Server certificate is missing!");
+					break;
+					}
+				}
+
+			if ( certCount > 1 )
+				{ // we have a chain
+				analyzeCertificate(pEp,
+					rec->data + 7,
+					certListLength, 1, true);
 				}
 			else
-				Weird("SSLv3x: Certificate record too small!" );
+				{
+				// We have a single certificate.
+				// FIXME.
+				analyzeCertificate(pEp,
+					rec->data + 10,
+					certListLength-3, 1, false);
+				}
+
 			break;
 			}
 
@@ -554,7 +541,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 					}
 				else
 					{
-					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
+					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
 						{
 						if ( rec->length < 2 )
 							{
@@ -595,11 +582,11 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 			switch (cipherSuite)
 				{
 				case TLS_NULL_WITH_NULL_NULL:
-				case TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5:
+				case TLS_DH_anon_EXPORT_WITH_RC4_40_MD5:
-				case TLS_DH_ANON_WITH_RC4_128_MD5:
+				case TLS_DH_anon_WITH_RC4_128_MD5:
-				case TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:
+				case TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
-				case TLS_DH_ANON_WITH_DES_CBC_SHA:
+				case TLS_DH_anon_WITH_DES_CBC_SHA:
-				case TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA:
+				case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
 					{
 					Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
 					break;
@@ -618,7 +605,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 				break;
 				}
 
-			if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT )
+			if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_anon || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT )
 				Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
 
 			// FIXME: Insert weird checks!
@@ -654,7 +641,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 					}
 				else
 					{
-					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
+					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
 						{
 						if ( rec->length < 2 )
 							{
@@ -938,14 +925,6 @@ TableVal* SSLv3_Interpreter::analyzeCiphers(const SSLv3_Endpoint* s, int length,
 	{
 	int is_orig = (SSL_InterpreterEndpoint*) s == orig;
 
-	if ( length > ssl_max_cipherspec_size )
-		{
-		if ( is_orig )
-			Weird("SSLv2: Client has CipherSpecs > ssl_max_cipherspec_size");
-		else
-			Weird("SSLv2: Server has CipherSpecs > ssl_max_cipherspec_size");
-		}
-
 	const u_char* pCipher = data;
 	SSL_CipherSpec* pCipherSuiteTemp = 0;
 	uint16 cipherSuite;
@@ -1236,16 +1215,6 @@ SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len,
 				uint16 version, SSLv3_Endpoint const* e)
 : SSLv3_Record(data, len, version, e)
 	{
-	// Weird-check for minimum handshake length header.
-	if ( len < 4 )
-		{
-		e->Interpreter()->Weird("SSLv3x: Handshake-header-length too small!");
-		type = 255;
-		length = 0;
-		next = 0;
-		return;
-		}
-
 	// Don't analyze encrypted client handshake messages.
 	if ( e->IsOrig() &&
 	     ((SSLv3_Interpreter*) e->Interpreter())->change_cipher_client_seen &&
@@ -1270,7 +1239,10 @@ SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len,
 
 	type = uint8(*(this->data));
 	length = ExtractInt24(data, len, 1);
-	if ( length + 4 < len )
+	
+	if ( length == 0 ) // this is a special case to deal with 0 length certs
+		next = 0;
+	else if ( length + 4 < len )
 		next = new SSLv3_HandshakeRecord(data + length + 4,
 					len - (length + 4), version, e);
 	else if ( length + 4 > len )
@@ -1328,7 +1300,9 @@ int SSLv3_HandshakeRecord::checkClientHello()
 	     version != SSLProxy_Analyzer::SSLv31 )
 		endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Client hello!");
 
-	uint8 sessionIDLength = uint8(data[38]);
+	uint16 offset = 38;
+	uint8 sessionIDLength = uint8(data[offset]);
+	offset += (1 + sessionIDLength);
 	if ( sessionIDLength > 32 )
 		{
 		endp->Interpreter()->Weird("SSLv3x: SessionID too long in Client hello!");
@@ -1336,29 +1310,38 @@ int SSLv3_HandshakeRecord::checkClientHello()
 		}
 
 	uint16 cipherSuiteLength =
-		uint16(data[39 + sessionIDLength] << 8 ) |
+		uint16(data[offset] << 8) | data[offset+1];
-		data[40 + sessionIDLength];
+	offset += (2 + cipherSuiteLength);
-
 	if ( cipherSuiteLength < 2 )
 		endp->Interpreter()->Weird("SSLv3x: CipherSuite length too small!");
 
-	if ( cipherSuiteLength + sessionIDLength + 41 > recordLength )
+	if ( offset > recordLength )
 		{
 		endp->Interpreter()->Weird("SSLv3x: Client hello too small, corrupt length fields!");
 		return 0;
 		}
 
-	uint8 compressionMethodLength =
+	uint8 compressionMethodLength = uint8(data[offset]);
-		uint8(data[41 + sessionIDLength + cipherSuiteLength]);
+	offset += (1 + compressionMethodLength);
-
 	if ( compressionMethodLength < 1 )
 		endp->Interpreter()->Weird("SSLv3x: CompressionMethod length too small!");
 
-	if ( sessionIDLength + cipherSuiteLength +
+	if ( offset < length )
-	     compressionMethodLength + 38 != length )
 		{
-		endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!");
+		uint16 sslExtensionsLength =
-		return 0;
+			uint16(data[offset] << 8) | data[offset+1];
+		offset += 2;
+		if ( sslExtensionsLength < 4 )
+			endp->Interpreter()->Weird("SSLv3x: Extensions length too small!");
+
+		// TODO: extract SSL extensions here
+
+		offset += sslExtensionsLength;
+		if ( offset != length+4 )
+			{
+			endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!");
+			return 0;
+			}
 		}
 
 	return 1;
@@ -1377,16 +1360,33 @@ int SSLv3_HandshakeRecord::checkServerHello()
 	     version != SSLProxy_Analyzer::SSLv31 )
 		endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Server hello!");
 
-	uint8 sessionIDLength = uint8(data[38]);
+	uint16 offset = 38;
+	uint8 sessionIDLength = uint8(data[offset]);
 	if ( sessionIDLength > 32 )
 		{
 		endp->Interpreter()->Weird("SSLv3x: SessionID too long in Server hello!");
 		return 0;
 		}
+	offset += (1 + sessionIDLength);
 
-	if ( (sessionIDLength + 38) != length )
+	offset += 3; // account for cipher and compression method
+	if ( offset < length )
 		{
-		endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!");
+		uint16 sslExtensionsLength =
+			uint16(data[offset] << 8) | data[offset+1];
+		offset += 2;
+		if ( sslExtensionsLength < 4 )
+			endp->Interpreter()->Weird("SSLv3x: Extensions length too small!");
+
+		// TODO: extract SSL extensions here
+		offset += sslExtensionsLength;
+
+		if ( offset != length+4 )
+			{
+			endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!");
+			return 0;
+			}
+
 		return 0;
 		}
 

src/Scope.cc

@@ -11,45 +11,6 @@
 static scope_list scopes;
 static Scope* top_scope;
 
-extern const char* GLOBAL_MODULE_NAME = "GLOBAL";
-
-
-// Returns it without trailing "::".
-string extract_module_name(const char* name)
-	{
-	string module_name = name;
-	string::size_type pos = module_name.rfind("::");
-
-	if ( pos == string::npos )
-		return string(GLOBAL_MODULE_NAME);
-
-	module_name.erase(pos);
-
-	return module_name;
-	}
-
-string normalized_module_name(const char* module_name)
-	{
-	int mod_len;
-	if ( (mod_len = strlen(module_name)) >= 2 &&
-	     ! strcmp(module_name + mod_len - 2, "::") )
-		mod_len -= 2;
-
-	return string(module_name, mod_len);
-	}
-
-string make_full_var_name(const char* module_name, const char* var_name)
-	{
-	if ( ! module_name || streq(module_name, GLOBAL_MODULE_NAME) ||
-	     strstr(var_name, "::") )
-		return string(var_name);
-
-	string full_name = normalized_module_name(module_name);
-	full_name += "::";
-	full_name += var_name;
-
-	return full_name;
-	}
 
 Scope::Scope(ID* id)
 	{

src/Scope.h

@@ -11,6 +11,7 @@
 #include "Obj.h"
 #include "BroList.h"
 #include "TraverseTypes.h"
+#include "module_util.h"
 
 class ID;
 class BroType;
@@ -59,14 +60,6 @@ protected:
 	id_list* inits;
 };
 
-extern const char* GLOBAL_MODULE_NAME;
-
-extern string extract_module_name(const char* name);
-extern string normalized_module_name(const char* module_name); // w/o ::
-
-// Concatenates module_name::var_name unless var_name is already fully
-// qualified, in which case it is returned unmodified.
-extern string make_full_var_name(const char* module_name, const char* var_name);
 
 extern bool in_debug;
 

src/SerializationFormat.cc

@@ -369,25 +369,25 @@ bool XMLSerializationFormat::Write(char v, const char* tag)
 
 bool XMLSerializationFormat::Write(uint16 v, const char* tag)
 	{
-	const char* tmp = fmt("%u", v);
+	const char* tmp = fmt("%"PRIu16, v);
 	return WriteElem(tag, "uint16", tmp, strlen(tmp));
 	}
 
 bool XMLSerializationFormat::Write(uint32 v, const char* tag)
 	{
-	const char* tmp = fmt("%u", v);
+	const char* tmp = fmt("%"PRIu32, v);
 	return WriteElem(tag, "uint32", tmp, strlen(tmp));
 	}
 
 bool XMLSerializationFormat::Write(uint64 v, const char* tag)
 	{
-	const char* tmp = fmt("%llu", v);
+	const char* tmp = fmt("%"PRIu64, v);
 	return WriteElem(tag, "uint64", tmp, strlen(tmp));
 	}
 
 bool XMLSerializationFormat::Write(int64 v, const char* tag)
 	{
-	const char* tmp = fmt("%lld", v);
+	const char* tmp = fmt("%"PRId64, v);
 	return WriteElem(tag, "int64", tmp, strlen(tmp));
 	}
 

src/Sessions.cc

@@ -201,7 +201,7 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 		//
 		// Should we discourage the use of encap_hdr_size for UDP
 		// tunnneling?  It is probably better handled by enabling
-		// parse_udp_tunnels instead of specifying a fixed
+		// BifConst::parse_udp_tunnels instead of specifying a fixed
 		// encap_hdr_size.
 		if ( udp_tunnel_port > 0 )
 			{
@@ -228,7 +228,7 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 	// Check IP packets encapsulated through UDP tunnels.
 	// Specifying a udp_tunnel_port is optional but recommended (to avoid
 	// the cost of checking every UDP packet).
-	else if ( parse_udp_tunnels && ip_data && ip_hdr->ip_p == IPPROTO_UDP )
+	else if ( BifConst::parse_udp_tunnels && ip_data && ip_hdr->ip_p == IPPROTO_UDP )
 		{
 		const struct udphdr* udp_hdr =
 			reinterpret_cast<const struct udphdr*>(ip_data);
@@ -663,9 +663,9 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 
 	// Override content record setting according to
 	// flags set by the policy script.
-	if ( dump_original_packets_if_not_rewriting )
+	if ( BifConst::dump_original_packets_if_not_rewriting )
 		record_packet = record_content = 1;
-	if ( dump_selected_source_packets )
+	if ( BifConst::dump_selected_source_packets )
 		record_packet = record_content = 0;
 
 	if ( f )
@@ -1354,7 +1354,7 @@ void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr,
 				const u_char* pkt)
 	{
 	DumpPacket(hdr, pkt);
-	internal_error(msg);
+	internal_error("%s", msg);
 	}
 
 void NetSessions::Weird(const char* name,

src/TCP.cc

@@ -56,7 +56,7 @@ TCP_Analyzer::TCP_Analyzer(Connection* conn)
 	orig->SetPeer(resp);
 	resp->SetPeer(orig);
 
-	if ( dump_selected_source_packets )
+	if ( BifConst::dump_selected_source_packets )
 		{
 		if ( source_pkt_dump )
 			src_pkt_writer =
@@ -87,7 +87,7 @@ void TCP_Analyzer::Init()
 	if ( transformed_pkt_dump && Conn()->RewritingTrace() )
 		SetTraceRewriter(new TCP_Rewriter(this, transformed_pkt_dump,
 						transformed_pkt_dump_MTU,
-						requires_trace_commitment));
+						BifConst::requires_trace_commitment));
 	}
 
 void TCP_Analyzer::Done()
@@ -2090,7 +2090,7 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
 	int seq_delta = top_seq - max_top_seq;
 	if ( seq_delta <= 0 )
 		{
-		if ( ! ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 )
+		if ( ! BifConst::ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 )
 			{
 			++num_rxmit;
 			num_rxmit_bytes += len;

src/TCP_Reassembler.cc

@@ -9,6 +9,13 @@
 // Only needed for gap_report events.
 #include "Event.h"
 
+// Note, sequence numbers are relative. I.e., they start with 1.
+
+// TODO: The Reassembler should start using 64 bit ints for keeping track of
+// sequence numbers; currently they become negative once 2GB are exceeded.
+//
+// See #348 for more information.
+
 const bool DEBUG_tcp_contents = false;
 const bool DEBUG_tcp_connection_close = false;
 const bool DEBUG_tcp_match_undelivered = false;
@@ -35,7 +42,9 @@ TCP_Reassembler::TCP_Reassembler(Analyzer* arg_dst_analyzer,
 	deliver_tcp_contents = 0;
 	skip_deliveries = 0;
 	did_EOF = 0;
+#ifdef ENABLE_SEQ_TO_SKIP
 	seq_to_skip = 0;
+#endif
 	in_delivery = false;
 
 	if ( tcp_contents )
@@ -120,7 +129,7 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 	TCP_Endpoint* endpoint = endp;
 	TCP_Endpoint* peer = endpoint->peer;
 
-	if ( up_to_seq <= 2 && tcp_analyzer->IsPartial() )
+	if ( up_to_seq <= 2 && tcp_analyzer->IsPartial() ) {
 		// Since it was a partial connection, we faked up its
 		// initial sequence numbers as though we'd seen a SYN.
 		// We've now received the first ack and are getting a
@@ -129,7 +138,16 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		// (if up_to_seq is 2).  The latter can occur when the
 		// first packet we saw instantiating the partial connection
 		// was a keep-alive.  So, in either case, just ignore it.
-		return;
+
+		// TODO: Don't we need to update last_reassm_seq ????
+		if ( up_to_seq >=0 )
+			// Since seq are currently only 32 bit signed
+			// integers, they will become negative if a
+			// connection has more than 2GB of data. Remove the
+			// above if and always return here, once we're using
+			// 64 bit ints
+			return;
+	}
 
 #if 0
 	if ( endpoint->FIN_cnt > 0 )
@@ -144,16 +162,17 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f Undelivered: up_to_seq=%d, last_reassm=%d, "
+		DEBUG_MSG("%.6f Undelivered: is_orig=%d up_to_seq=%d, last_reassm=%d, "
 		          "endp: FIN_cnt=%d, RST_cnt=%d, "
 		          "peer: FIN_cnt=%d, RST_cnt=%d\n",
-		          network_time, up_to_seq, last_reassem_seq,
+		          network_time, is_orig, up_to_seq, last_reassem_seq,
 		          endpoint->FIN_cnt, endpoint->RST_cnt,
 		          peer->FIN_cnt, peer->RST_cnt);
 		}
 
 	if ( seq_delta(up_to_seq, last_reassem_seq) <= 0 )
-		return;
+		// This should never happen.
+		internal_error("Calling Undelivered for data that has already been delivered (or has already been marked as undelivered");
 
 	if ( last_reassem_seq == 1 &&
 	     (endpoint->FIN_cnt > 0 || endpoint->RST_cnt > 0 ||
@@ -177,9 +196,9 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		{
 		if ( DEBUG_tcp_contents )
 			{
-			DEBUG_MSG("%.6f Undelivered: seq=%d, len=%d, "
+			DEBUG_MSG("%.6f Undelivered: is_orig=%d, seq=%d, len=%d, "
 					  "skip_deliveries=%d\n",
-					  network_time, last_reassem_seq,
+					  network_time, is_orig, last_reassem_seq,
 					  seq_delta(up_to_seq, last_reassem_seq),
 					  skip_deliveries);
 			}
@@ -376,7 +395,7 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, int n)
 	{
 	if ( DEBUG_tcp_contents )
-		DEBUG_MSG("%.6f TCP contents overlap: %d\n", network_time,  n);
+		DEBUG_MSG("%.6f TCP contents overlap: %d is_orig=%d\n", network_time,  n, is_orig);
 
 	if ( rexmit_inconsistency &&
 	     memcmp((const void*) b1, (const void*) b2, n) &&
@@ -419,8 +438,8 @@ int TCP_Reassembler::DataSent(double t, int seq, int len,
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f DataSent: seq=%d upper=%d ack=%d\n",
+		DEBUG_MSG("%.6f DataSent: is_orig=%d seq=%d upper=%d ack=%d\n",
-		          network_time, seq, upper_seq, ack);
+		          network_time, is_orig, seq, upper_seq, ack);
 		}
 
 	if ( skip_deliveries )
@@ -477,8 +496,7 @@ void TCP_Reassembler::AckReceived(int seq)
 		// Zero, or negative in sequence-space terms.  Nothing to do.
 		return;
 
-	bool test_active =
+	bool test_active = ! skip_deliveries && ! tcp_analyzer->Skipping() &&
-	     ! skip_deliveries && ! tcp_analyzer->Skipping() &&
 	     endp->state == TCP_ENDPOINT_ESTABLISHED &&
 	     endp->peer->state == TCP_ENDPOINT_ESTABLISHED;
 
@@ -569,6 +587,7 @@ void TCP_Reassembler::CheckEOF()
 
 void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
 	{
+#ifdef ENABLE_SEQ_TO_SKIP
 	if ( seq_delta(seq + len, seq_to_skip) <= 0 )
 		return;
 
@@ -579,6 +598,7 @@ void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
 		data += to_skip;
 		seq = seq_to_skip;
 		}
+#endif
 
 	if ( deliver_tcp_contents )
 		{
@@ -603,11 +623,13 @@ void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
 	in_delivery = true;
 	Deliver(seq, len, data);
 	in_delivery = false;
-
+#ifdef ENABLE_SEQ_TO_SKIP
 	if ( seq_delta(seq + len, seq_to_skip) < 0 )
 		SkipToSeq(seq_to_skip);
+#endif
 	}
 
+#ifdef ENABLE_SEQ_TO_SKIP
 void TCP_Reassembler::SkipToSeq(int seq)
 	{
 	if ( seq_delta(seq, seq_to_skip) > 0 )
@@ -617,6 +639,7 @@ void TCP_Reassembler::SkipToSeq(int seq)
 			TrimToSeq(seq);
 		}
 	}
+#endif
 
 int TCP_Reassembler::DataPending() const
 	{

src/TCP_Reassembler.h

@@ -6,6 +6,13 @@
 #include "Reassem.h"
 #include "TCP_Endpoint.h"
 
+// The skip_to_seq feature does not work correctly with connections >2GB due
+// to use of 32 bit signed ints (see comments in TCP_Reassembler.cc) Since
+// it's not used by any analyzer or policy script we disable it. Could be
+// added back in once we start using 64bit integers.
+//
+// #define ENABLE_SEQ_TO_SKIP
+
 class BroFile;
 class Connection;
 class TCP_Analyzer;
@@ -60,9 +67,11 @@ public:
 
 	void MatchUndelivered(int up_to_seq = -1);
 
+#ifdef ENABLE_SEQ_TO_SKIP
 	// Skip up to seq, as if there's a content gap.
 	// Can be used to skip HTTP data for performance considerations.
 	void SkipToSeq(int seq);
+#endif
 
 	int DataSent(double t, int seq, int len, const u_char* data,
 			bool replaying=true);
@@ -85,9 +94,10 @@ public:
 	const TCP_Endpoint* Endpoint() const	{ return endp; }
 
 	int IsOrig() const	{ return endp->IsOrig(); }
-
+#ifdef ENABLE_SEQ_TO_SKIP
 	bool IsSkippedContents(int seq, int length) const
 		{ return seq + length <= seq_to_skip; }
+#endif
 
 private:
 	TCP_Reassembler()	{ }
@@ -110,7 +120,9 @@ private:
 	unsigned int did_EOF:1;
 	unsigned int skip_deliveries:1;
 
+#ifdef ENABLE_SEQ_TO_SKIP
 	int seq_to_skip;
+#endif
 	bool in_delivery;
 
 	BroFile* record_contents_file;	// file on which to reassemble contents

src/TCP_Rewriter.cc

@@ -288,7 +288,7 @@ int TCP_TracePacket::Finish(struct pcap_pkthdr*& hdr,
 	// tp->th_urp = 0;		// clear urgent pointer
 
 	// Fix IP addresses before computing the TCP checksum
-	if ( anonymize_ip_addr )
+	if ( BifConst::anonymize_ip_addr )
 		{
 		ip->ip_src.s_addr = anon_src;
 		ip->ip_dst.s_addr = anon_dst;
@@ -726,7 +726,7 @@ void TCP_RewriterEndpoint::PushPacket()
 #endif
 
 	if ( ! IsPlaceHolderPacket(next_packet) ||
-	     ! omit_rewrite_place_holder )
+	     ! BifConst::omit_rewrite_place_holder )
 		{
 		if ( next_packet->PredictedAsEmptyPlaceHolder() )
 			{
@@ -798,7 +798,7 @@ TCP_Rewriter::TCP_Rewriter(TCP_Analyzer* arg_analyzer, PacketDumper* arg_dumper,
 
 	anon_addr[0] = anon_addr[1] = 0;
 
-	if ( anonymize_ip_addr )
+	if ( BifConst::anonymize_ip_addr )
 		{
 		anon_addr[0] = anonymize_ip(to_v4_addr(analyzer->Conn()->OrigAddr()),
 						ORIG_ADDR);
@@ -909,7 +909,7 @@ void TCP_Rewriter::NextPacket(int is_orig, double t,
 
 	// Before setting current_packet to p, first clean up empty
 	// place holders to save memory space.
-	if ( omit_rewrite_place_holder && holding_packets )
+	if ( BifConst::omit_rewrite_place_holder && holding_packets )
 		CleanUpEmptyPlaceHolders();
 
 	current_packet = p;
@@ -1562,7 +1562,7 @@ TCP_SourcePacketWriter* get_src_pkt_writer(TCP_Analyzer* analyzer)
 		{
 		if ( ! pkt_dumper )
 			return 0;	// don't complain if no output file
-		else if ( ! dump_selected_source_packets )
+		else if ( ! BifConst::dump_selected_source_packets )
 			builtin_run_time("flag dump_source_packets is not set");
 		else
 			internal_error("source packet writer not initialized");
@@ -1571,5 +1571,5 @@ TCP_SourcePacketWriter* get_src_pkt_writer(TCP_Analyzer* analyzer)
 	return writer;
 	}
 
-
+#include "common-rw.bif.func_h"
 #include "common-rw.bif.func_def"

src/Type.cc

@@ -1082,10 +1082,9 @@ bool FileType::DoUnserialize(UnserialInfo* info)
 	return yield != 0;
 	}
 
-EnumType::EnumType(bool arg_is_export)
+EnumType::EnumType()
 : BroType(TYPE_ENUM)
 	{
-	is_export = arg_is_export;
 	counter = 0;
 	}
 
@@ -1095,9 +1094,46 @@ EnumType::~EnumType()
 		delete [] iter->first;
 	}
 
-int EnumType::AddName(const string& module_name, const char* name)
+// Note, we use error() here (not Error()) to include the current script
+// location in the error message, rather than the one where the type was
+// originally defined.
+void EnumType::AddName(const string& module_name, const char* name, bool is_export)
 	{
-	ID* id = lookup_ID(name, module_name.c_str());
+	/* implicit, auto-increment */
+	if ( counter < 0)
+		{
+		error("cannot mix explicit enumerator assignment and implicit auto-increment");
+		SetError();
+		return;
+		}
+	AddNameInternal(module_name, name, counter, is_export);
+	counter++;
+	}
+
+void EnumType::AddName(const string& module_name, const char* name, bro_int_t val, bool is_export)
+	{
+	/* explicit value specified */
+	if ( counter > 0 )
+		{
+		error("cannot mix explicit enumerator assignment and implicit auto-increment");
+		SetError();
+		return;
+		}
+	counter = -1;
+	AddNameInternal(module_name, name, val, is_export);
+	}
+
+void EnumType::AddNameInternal(const string& module_name, const char* name, bro_int_t val, bool is_export)
+	{
+	ID *id;
+	if ( Lookup(val) )
+		{
+		error("enumerator value in enumerated type definition already exists");
+		SetError();
+		return;
+		}
+
+	id = lookup_ID(name, module_name.c_str());
 	if ( ! id )
 		{
 		id = install_ID(name, module_name.c_str(), true, is_export);
@@ -1106,31 +1142,16 @@ int EnumType::AddName(const string& module_name, const char* name)
 		}
 	else
 		{
-		debug_msg("identifier already exists: %s\n", name);
+		error("identifier or enumerator value in enumerated type definition already exists");
-		return -1;
+		SetError();
+		return;
 		}
 
 	string fullname = make_full_var_name(module_name.c_str(), name);
-	names[copy_string(fullname.c_str())] = counter;
+	names[copy_string(fullname.c_str())] = val;
-	return counter++;
 	}
 
-int EnumType::AddNamesFrom(const string& module_name, EnumType* et)
+bro_int_t EnumType::Lookup(const string& module_name, const char* name)
-	{
-	int last_added = counter;
-	for ( NameMap::iterator iter = et->names.begin();
-	      iter != et->names.end(); ++iter )
-		{
-		ID* id = lookup_ID(iter->first, module_name.c_str());
-		id->SetType(this->Ref());
-		names[copy_string(id->Name())] = counter;
-		last_added = counter++;
-		}
-
-	return last_added;
-	}
-
-int EnumType::Lookup(const string& module_name, const char* name)
 	{
 	NameMap::iterator pos =
 		names.find(make_full_var_name(module_name.c_str(), name).c_str());
@@ -1141,7 +1162,7 @@ int EnumType::Lookup(const string& module_name, const char* name)
 		return pos->second;
 	}
 
-const char* EnumType::Lookup(int value)
+const char* EnumType::Lookup(bro_int_t value)
 	{
 	for ( NameMap::iterator iter = names.begin();
 	      iter != names.end(); ++iter )
@@ -1157,9 +1178,9 @@ bool EnumType::DoSerialize(SerialInfo* info) const
 	{
 	DO_SERIALIZE(SER_ENUM_TYPE, BroType);
 
-	// I guess we don't really need both ...
 	if ( ! (SERIALIZE(counter) && SERIALIZE((unsigned int) names.size()) &&
-		SERIALIZE(is_export)) )
+		// Dummy boolean for backwards compatibility.
+		SERIALIZE(false)) )
 		return false;
 
 	for ( NameMap::const_iterator iter = names.begin();
@@ -1177,15 +1198,17 @@ bool EnumType::DoUnserialize(UnserialInfo* info)
 	DO_UNSERIALIZE(BroType);
 
 	unsigned int len;
+	bool dummy;
 	if ( ! UNSERIALIZE(&counter) ||
 	     ! UNSERIALIZE(&len) ||
-	     ! UNSERIALIZE(&is_export) )
+	     // Dummy boolean for backwards compatibility.
+	     ! UNSERIALIZE(&dummy) )
 		return false;
 
 	while ( len-- )
 		{
 		const char* name;
-		int val;
+		bro_int_t val;
 		if ( ! (UNSERIALIZE_STR(&name, 0) && UNSERIALIZE(&val)) )
 			return false;
 

src/Type.h

@@ -452,31 +452,37 @@ protected:
 
 class EnumType : public BroType {
 public:
-	EnumType(bool arg_is_export);
+	EnumType();
 	~EnumType();
 
-	// The value of this name is next counter value, which is returned.
+	// The value of this name is next internal counter value, starting
-	// A return value of -1 means that the identifier already existed
+	// with zero. The internal counter is incremented.
-	// (and thus could not be used).
+	void AddName(const string& module_name, const char* name, bool is_export);
-	int AddName(const string& module_name, const char* name);
 
-	// Add in names from the suppled EnumType; the return value is
+	// The value of this name is set to val. Once a value has been
-	// the value of the last enum added.
+	// explicitly assigned using this method, no further names can be
-	int AddNamesFrom(const string& module_name, EnumType* et);
+	// added that aren't likewise explicitly initalized.
+	void AddName(const string& module_name, const char* name, bro_int_t val, bool is_export);
 
 	// -1 indicates not found.
-	int Lookup(const string& module_name, const char* name);
+	bro_int_t Lookup(const string& module_name, const char* name);
-	const char* Lookup(int value); // Returns 0 if not found
+	const char* Lookup(bro_int_t value); // Returns 0 if not found
 
 protected:
-	EnumType()	{}
-
 	DECLARE_SERIAL(EnumType)
 
-	typedef std::map< const char*, int, ltstr > NameMap;
+	void AddNameInternal(const string& module_name, const char* name, bro_int_t val, bool is_export);
+
+	typedef std::map< const char*, bro_int_t, ltstr > NameMap;
 	NameMap names;
-	int counter;
+
-	bool is_export;
+	// The counter is initialized to 0 and incremented on every implicit
+	// auto-increment name that gets added (thus its > 0 if
+	// auto-increment is used).  Once an explicit value has been
+	// specified, the counter is set to -1. This way counter can be used
+	// as a flag to prevent mixing of auto-increment and explicit
+	// enumerator specifications.
+	bro_int_t counter;
 };
 
 class VectorType : public BroType {

src/UDP_Rewriter.cc

@@ -26,7 +26,7 @@ UDP_Rewriter::UDP_Rewriter(Analyzer* arg_analyzer, int arg_MTU,
 	packets_rewritten = 0;
 	current_packet = next_packet = 0;
 
-	if ( anonymize_ip_addr )
+	if ( BifConst::anonymize_ip_addr )
 		{
 		anon_addr[0] = anonymize_ip(to_v4_addr(analyzer->Conn()->OrigAddr()),
 						ORIG_ADDR);
@@ -73,7 +73,7 @@ int UDP_TracePacket::BuildPacket(struct pcap_pkthdr*& hdr,
 	uint32 sum = 0;
 
 	// Fix IP addresses before computing the UDP checksum
-	if ( anonymize_ip_addr )
+	if ( BifConst::anonymize_ip_addr )
 		{
 		ip->ip_src.s_addr = anon_src;
 		ip->ip_dst.s_addr = anon_dst;

src/Val.cc

@@ -515,11 +515,12 @@ Val* Val::SizeVal() const
 	{
 	switch ( type->InternalType() ) {
 	case TYPE_INTERNAL_INT:
-#ifdef DARWIN_NO_LLABS
+		// Return abs value. However abs() only works on ints and llabs
-		return new Val(abs(val.int_val), TYPE_COUNT);
+		// doesn't work on Mac OS X 10.5. So we do it by hand
-#else
+		if ( val.int_val < 0 )
-		return new Val(llabs(val.int_val), TYPE_COUNT);
+			return new Val(-val.int_val, TYPE_COUNT);
-#endif
+		else
+			return new Val(val.int_val, TYPE_COUNT);
 
 	case TYPE_INTERNAL_UNSIGNED:
 		return new Val(val.uint_val, TYPE_COUNT);

src/Val.h

@@ -87,7 +87,7 @@ public:
 #endif
 		}
 
-	Val(int i, TypeTag t)
+	Val(int32 i, TypeTag t)
 		{
 		val.int_val = bro_int_t(i);
 		type = base_type(t);
@@ -97,27 +97,7 @@ public:
 #endif
 		}
 
-	Val(long i, TypeTag t)
+	Val(uint32 u, TypeTag t)
-		{
-		val.int_val = bro_int_t(i);
-		type = base_type(t);
-		attribs = 0;
-#ifdef DEBUG
-		bound_id = 0;
-#endif
-		}
-
-	Val(unsigned int u, TypeTag t)
-		{
-		val.uint_val = bro_uint_t(u);
-		type = base_type(t);
-		attribs = 0;
-#ifdef DEBUG
-		bound_id = 0;
-#endif
-		}
-
-	Val(unsigned long u, TypeTag t)
 		{
 		val.uint_val = bro_uint_t(u);
 		type = base_type(t);

src/Var.cc

@@ -343,6 +343,18 @@ Val* internal_val(const char* name)
 	return id->ID_Val();
 	}
 
+Val* internal_const_val(const char* name)
+	{
+	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
+	if ( ! id )
+		internal_error("internal variable %s missing", name);
+
+	if ( ! id->IsConst() )
+		internal_error("internal variable %s is not constant", name);
+
+	return id->ID_Val();
+	}
+
 Val* opt_internal_val(const char* name)
 	{
 	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);

src/Var.h

@@ -27,6 +27,7 @@ extern void begin_func(ID* id, const char* module_name, function_flavor flavor,
 extern void end_func(Stmt* body, attr_list* attrs = 0);
 
 extern Val* internal_val(const char* name);
+extern Val* internal_const_val(const char* name); // internal error if not const
 extern Val* opt_internal_val(const char* name);	// returns nil if not defined
 extern double opt_internal_double(const char* name);
 extern bro_int_t opt_internal_int(const char* name);

src/XDR.cc

@@ -17,13 +17,13 @@ uint32 extract_XDR_uint32(const u_char*& buf, int& len)
 		return 0;
 		}
 
-	uint32 bits32 = XDR_aligned(buf) ? *(uint32*) buf :
+	// Takes care of alignment and endianess differences. 
-		((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
+	uint32 bits32 = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
 
 	buf += 4;
 	len -= 4;
 
-	return ntohl(bits32);
+	return bits32;
 	}
 
 double extract_XDR_uint64_as_double(const u_char*& buf, int& len)

src/XDR.h

@@ -10,11 +10,6 @@
 
 #include "util.h"
 
-inline int XDR_aligned(const u_char* buf)
-	{
-	return (((unsigned long) buf) & 0x3) == 0;
-	}
-
 extern uint32 extract_XDR_uint32(const u_char*& buf, int& len);
 extern double extract_XDR_uint64_as_double(const u_char*& buf, int& len);
 extern double extract_XDR_time(const u_char*& buf, int& len);

src/bif_arg.cc

@@ -24,7 +24,6 @@ static struct {
 };
 
 extern const char* arg_list_name;
-extern set<string> enum_types;
 
 BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, int arg_type)
 	{
@@ -45,9 +44,6 @@ BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, const char* arg_type_str)
 			type = i;
 			type_str = "";
 			}
-
-	if ( enum_types.find(type_str) != enum_types.end() )
-		type = TYPE_ENUM;
 	}
 
 void BuiltinFuncArg::PrintBro(FILE* fp)
@@ -75,21 +71,11 @@ void BuiltinFuncArg::PrintCArg(FILE* fp, int n)
 	{
 	const char* ctype = builtin_func_arg_type[type].c_type;
 	char buf[1024];
-	if ( type == TYPE_ENUM )
-		{
-		snprintf(buf, sizeof(buf),
-			builtin_func_arg_type[type].c_type, type_str);
-		ctype = buf;
-		}
 
 	fprintf(fp, "%s %s", ctype, name);
 	}
 
 void BuiltinFuncArg::PrintBroValConstructor(FILE* fp)
 	{
-	if ( type == TYPE_ENUM )
+	fprintf(fp, builtin_func_arg_type[type].constructor, name);
-		fprintf(fp, builtin_func_arg_type[type].constructor,
-			name, type_str);
-	else
-		fprintf(fp, builtin_func_arg_type[type].constructor, name);
 	}

src/bif_type.def

@@ -22,5 +22,4 @@ DEFINE_BIF_TYPE(TYPE_STRING, 	"string", "string", "StringVal*", 	"%s->AsStringVa
 // DEFINE_BIF_TYPE(TYPE_STRING, 	"string", "string", "BroString*", 	"%s->AsString()",	"new StringVal(%s)")
 DEFINE_BIF_TYPE(TYPE_SUBNET, 	"subnet", "subnet", "SubNetVal*", 	"%s->AsSubNetVal()",	"%s")
 DEFINE_BIF_TYPE(TYPE_TIME, 	"time", "time", "double", 		"%s->AsTime()", 	"new Val(%s, TYPE_TIME)")
-DEFINE_BIF_TYPE(TYPE_ENUM, 	"", "", "BroEnum::%s", 			"%s->InternalInt()",	"new EnumVal(%s, enum_%s)")
 DEFINE_BIF_TYPE(TYPE_OTHER, 	"", "", "Val*", 			"%s", 			"%s")

src/bittorrent-analyzer.pac

@@ -64,7 +64,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		handshake_ok = true;
 		if ( ::bittorrent_peer_handshake )
 			{
-			bro_event_bittorrent_peer_handshake(
+			BifEvent::generate_bittorrent_peer_handshake(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -82,7 +82,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_keep_alive )
 			{
-			bro_event_bittorrent_peer_keep_alive(
+			BifEvent::generate_bittorrent_peer_keep_alive(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -95,7 +95,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_choke )
 			{
-			bro_event_bittorrent_peer_choke(
+			BifEvent::generate_bittorrent_peer_choke(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -108,7 +108,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_unchoke )
 			{
-			bro_event_bittorrent_peer_unchoke(
+			BifEvent::generate_bittorrent_peer_unchoke(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -121,7 +121,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_interested )
 			{
-			bro_event_bittorrent_peer_interested(
+			BifEvent::generate_bittorrent_peer_interested(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -134,7 +134,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_not_interested )
 			{
-			bro_event_bittorrent_peer_not_interested(
+			BifEvent::generate_bittorrent_peer_not_interested(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig());
@@ -147,7 +147,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_have )
 			{
-			bro_event_bittorrent_peer_have(
+			BifEvent::generate_bittorrent_peer_have(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -161,7 +161,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_bitfield )
 			{
-			bro_event_bittorrent_peer_bitfield(
+			BifEvent::generate_bittorrent_peer_bitfield(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -176,7 +176,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_request )
 			{
-			bro_event_bittorrent_peer_request(
+			BifEvent::generate_bittorrent_peer_request(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -191,7 +191,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_piece )
 			{
-			bro_event_bittorrent_peer_piece(
+			BifEvent::generate_bittorrent_peer_piece(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -206,7 +206,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_cancel )
 			{
-			bro_event_bittorrent_peer_cancel(
+			BifEvent::generate_bittorrent_peer_cancel(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -220,7 +220,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_port )
 			{
-			bro_event_bittorrent_peer_port(
+			BifEvent::generate_bittorrent_peer_port(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
@@ -234,7 +234,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 		%{
 		if ( ::bittorrent_peer_unknown )
 			{
-			bro_event_bittorrent_peer_unknown(
+			BifEvent::generate_bittorrent_peer_unknown(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),

src/builtin-func.l

@@ -2,6 +2,7 @@
 // $Id: builtin-func.l 6015 2008-07-23 05:42:37Z vern $
 
 #include <string.h>
+#include <unistd.h>
 #include "bif_arg.h"
 #include "bif_parse.h"
 
@@ -27,8 +28,15 @@ int check_c_mode(int t)
 %}
 
 WS	[ \t]+
-ID	[A-Za-z_][A-Za-z_0-9]*
+ /* Note, bifcl only accepts a single "::" in IDs while the policy
+    layer acceptes multiple. (But the policy layer doesn't have 
+	a hierachy. */
+IDCOMPONENT [A-Za-z_][A-Za-z_0-9]*
+ID	{IDCOMPONENT}(::{IDCOMPONENT})?
 ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
+DEC [[:digit:]]+
+HEX	[0-9a-fA-F]+
+
 
 %option nodefault
 
@@ -64,7 +72,12 @@ ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
 "event"		return check_c_mode(TOK_EVENT);
 "const"		return check_c_mode(TOK_CONST);
 "enum"		return check_c_mode(TOK_ENUM);
-"declare"	return check_c_mode(TOK_DECLARE);
+"type"		return check_c_mode(TOK_TYPE);
+"record"	return check_c_mode(TOK_RECORD);
+"set"		return check_c_mode(TOK_SET);
+"table"		return check_c_mode(TOK_TABLE);
+"vector"	return check_c_mode(TOK_VECTOR);
+"module"    return check_c_mode(TOK_MODULE);
 
 "@ARG@"		return TOK_ARG;
 "@ARGS@"	return TOK_ARGS;
@@ -78,6 +91,17 @@ ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
 "T"	yylval.val = 1; return TOK_BOOL;
 "F"	yylval.val = 0; return TOK_BOOL;
 
+{DEC}	{
+	yylval.str = copy_string(yytext);
+	return TOK_INT;
+	}
+
+"0x"{HEX} {
+	yylval.str = copy_string(yytext);
+	return TOK_INT;
+	}
+
+
 {ID}	{
 	yylval.str = copy_string(yytext);
 	return TOK_ID;
@@ -120,13 +144,20 @@ int yywrap()
 extern int yyparse();
 char* input_filename = 0;
 
-FILE* fp_bro_init;
+FILE* fp_bro_init = 0;
-FILE* fp_func_def;
+FILE* fp_func_def = 0;
-FILE* fp_func_h;
+FILE* fp_func_h = 0;
-FILE* fp_func_init;
+FILE* fp_func_init = 0;
-FILE* fp_netvar_h;
+FILE* fp_netvar_h = 0;
-FILE* fp_netvar_def;
+FILE* fp_netvar_def = 0;
-FILE* fp_netvar_init;
+FILE* fp_netvar_init = 0;
+
+void remove_file(const char *surfix);
+void err_exit(void);
+FILE* open_output_file(const char* surfix);
+void close_if_open(FILE **fpp);
+void close_all_output_files(void);
+
 
 FILE* open_output_file(const char* surfix)
 	{
@@ -137,12 +168,13 @@ FILE* open_output_file(const char* surfix)
 	if ( (fp = fopen(fn, "w")) == NULL )
 		{
 		fprintf(stderr, "Error: cannot open file: %s\n", fn);
-		exit(1);
+		err_exit();
 		}
 
 	return fp;
 	}
 
+
 int main(int argc, char* argv[])
 	{
 	for ( int i = 1; i < argc; i++ )
@@ -156,6 +188,7 @@ int main(int argc, char* argv[])
 		if ( (fp_input = fopen(input_filename, "r")) == NULL )
 			{
 			fprintf(stderr, "Error: cannot open file: %s\n", input_filename);
+			/* no output files open. can simply exit */
 			exit(1);
 			}
 
@@ -174,12 +207,48 @@ int main(int argc, char* argv[])
 		yyparse();
 
 		fclose(fp_input);
-		fclose(fp_bro_init);
+		close_all_output_files();
-		fclose(fp_func_h);
+
-		fclose(fp_func_def);
-		fclose(fp_func_init);
-		fclose(fp_netvar_h);
-		fclose(fp_netvar_def);
-		fclose(fp_netvar_init);
 		}
 	}
+
+void close_if_open(FILE **fpp)
+	{
+	if (*fpp)
+		fclose(*fpp);
+	*fpp = NULL;
+	}
+
+void close_all_output_files(void)
+	{
+	close_if_open(&fp_bro_init);
+	close_if_open(&fp_func_h);
+	close_if_open(&fp_func_def);
+	close_if_open(&fp_func_init);
+	close_if_open(&fp_netvar_h);
+	close_if_open(&fp_netvar_def);
+	close_if_open(&fp_netvar_init);
+	}
+
+void remove_file(const char *surfix)
+	{
+	char fn[1024];
+
+	snprintf(fn, sizeof(fn), "%s.%s", input_filename, surfix);
+	unlink(fn);
+	}
+
+void err_exit(void) 
+	{
+	close_all_output_files();
+	/* clean up. remove all output files we've generated so far */
+	remove_file("bro");
+	remove_file("func_h");
+	remove_file("func_def");
+	remove_file("func_init");
+	remove_file("netvar_h");
+	remove_file("netvar_def");
+	remove_file("netvar_init");
+	exit(1);
+	}
+

src/builtin-func.y

@@ -9,6 +9,10 @@ using namespace std;
 #include <stdio.h>
 #include <stdlib.h>
 
+#include "module_util.h"
+
+using namespace std;
+
 extern int line_number;
 extern char* input_filename;
 
@@ -23,39 +27,131 @@ extern FILE* fp_netvar_def;
 extern FILE* fp_netvar_init;
 
 int in_c_code = 0;
+string current_module = GLOBAL_MODULE_NAME;
 int definition_type;
-const char* bro_prefix;
+string type_name;
-const char* c_prefix;
+
 
 enum {
 	C_SEGMENT_DEF,
 	FUNC_DEF,
 	REWRITER_DEF,
 	EVENT_DEF,
+	TYPE_DEF,
+	CONST_DEF,
 };
 
-void set_definition_type(int type)
+// Holds the name of a declared object (function, enum, record type, event,
+// etc. and information about namespaces, etc.
+struct decl_struct {
+	string module_name;
+	string bare_name; // name without module or namespace
+	string c_namespace_start; // "opening" namespace for use in netvar_*
+	string c_namespace_end;   // closing "}" for all the above namespaces
+	string c_fullname; // fully qualified name (namespace::....) for use in netvar_init
+	string bro_fullname; // fully qualified bro name, for netvar (and lookup_ID())
+	string bro_name;  // the name as we read it from input. What we write into the .bro file
+
+	// special cases for events. Events have an EventHandlerPtr
+	// and a generate_* function. This name is for the generate_* function
+	string generate_bare_name;
+	string generate_c_fullname;
+	string generate_c_namespace_start;
+	string generate_c_namespace_end;
+} decl;
+
+void set_definition_type(int type, const char *arg_type_name)
 	{
 	definition_type = type;
-	switch ( type ) {
+	if ( type == TYPE_DEF && arg_type_name )
-	case FUNC_DEF:
+		type_name = string(arg_type_name);
-		bro_prefix = "";
+	else
-		c_prefix = "bro_";
+		type_name = "";
+	}
+
+void set_decl_name(const char *name)
+	{
+	decl.bare_name = extract_var_name(name);
+
+	// make_full_var_name prepends the correct module, if any
+	// then we can extract the module name again.
+	string varname = make_full_var_name(current_module.c_str(), name);
+	decl.module_name = extract_module_name(varname.c_str());
+
+	decl.c_namespace_start = "";
+	decl.c_namespace_end = "";
+	decl.c_fullname = "";
+	decl.bro_fullname = "";
+	decl.bro_name = "";
+
+	decl.generate_c_fullname = "";
+	decl.generate_bare_name = string("generate_") + decl.bare_name;
+	decl.generate_c_namespace_start = "";
+	decl.generate_c_namespace_end = "";
+
+	switch ( definition_type ) {
+	case TYPE_DEF:
+		decl.c_namespace_start = "namespace BifType { namespace " + type_name + "{ ";
+		decl.c_namespace_end = " } }";
+		decl.c_fullname = "BifType::" + type_name + "::";
+		break;
+
+	case CONST_DEF:
+		decl.c_namespace_start = "namespace BifConst { ";
+		decl.c_namespace_end = " } ";
+		decl.c_fullname = "BifConst::";
 		break;
 
 	case REWRITER_DEF:
-		bro_prefix = "rewrite_";
+		// XXX: Legacy. No module names / namespaces supported
-		c_prefix = "bro_rewrite_";
+		// If support for namespaces is desired: add a namespace
+		// to c_namespace_* and bro_fullname and get rid of
+		// the hack to bro_name.
+		decl.c_namespace_start = "";
+		decl.c_namespace_end = "";
+		decl.bare_name = "rewrite_" + decl.bare_name;
+		decl.bro_name = "rewrite_";
+		break;
+
+	case FUNC_DEF:
+		decl.c_namespace_start = "namespace BifFunc { ";
+		decl.c_namespace_end = " } ";
+		decl.c_fullname = "BifFunc::";
 		break;
 
 	case EVENT_DEF:
-		bro_prefix = "";
+		decl.c_namespace_start = "";
-		c_prefix = "bro_event_";
+		decl.c_namespace_end = "";
+		decl.c_fullname = "::";  // need this for namespace qualified events due do event_c_body
+		decl.generate_c_namespace_start = "namespace BifEvent { ";
+		decl.generate_c_namespace_end = " } ";
+		decl.generate_c_fullname = "BifEvent::";
 		break;
 
-	case C_SEGMENT_DEF:
+	default:
 		break;
 	}
+
+	if ( decl.module_name != GLOBAL_MODULE_NAME )
+		{
+		decl.c_namespace_start += "namespace " + decl.module_name + " { ";
+		decl.c_namespace_end += string(" }");
+		decl.c_fullname += decl.module_name + "::";
+		decl.bro_fullname += decl.module_name + "::";
+
+		decl.generate_c_namespace_start  += "namespace " + decl.module_name + " { ";
+		decl.generate_c_namespace_end += " } ";
+		decl.generate_c_fullname += decl.module_name + "::";
+		}
+
+	decl.bro_fullname += decl.bare_name;
+	if ( definition_type == FUNC_DEF )
+		decl.bare_name = string("bro_") + decl.bare_name;
+
+	decl.c_fullname += decl.bare_name;
+	decl.bro_name += name;
+	decl.generate_c_fullname += decl.generate_bare_name;
+
 	}
 
 const char* arg_list_name = "BiF_ARGS";
@@ -63,13 +159,34 @@ const char* trace_rewriter_name = "trace_rewriter";
 
 #include "bif_arg.h"
 
-extern const char* decl_name;
+/* Map bif/bro type names to C types for use in const declaration */
+static struct {
+	const char* bif_type;
+	const char* bro_type;
+	const char* c_type;
+	const char* accessor;
+	const char* constructor;
+} builtin_types[] = {
+#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \
+	{bif_type, bro_type, c_type, accessor, constructor},
+#include "bif_type.def"
+#undef DEFINE_BIF_TYPE
+};
+
+int get_type_index(const char *type_name)
+	{
+	for ( int i = 0; builtin_types[i].bif_type[0] != '\0'; ++i )
+		{
+		if ( strcmp(builtin_types[i].bif_type, type_name) == 0 )
+			return i;
+		}
+		return TYPE_OTHER;
+	}
+
+
 int var_arg; // whether the number of arguments is variable
 std::vector<BuiltinFuncArg*> args;
 
-// enum types declared by "declare enum <id>"
-set<string> enum_types;
-
 extern int yyerror(const char[]);
 extern int yywarn(const char msg[]);
 extern int yylex();
@@ -90,9 +207,15 @@ char* concat(const char* str1, const char* str2)
 	}
 
 // Print the bro_event_* function prototype in C++, without the ending ';'
-void print_event_c_prototype(FILE *fp)
+void print_event_c_prototype(FILE *fp, bool is_header)
 	{
-	fprintf(fp, "void %s%s(Analyzer* analyzer%s", c_prefix, decl_name,
+	if ( is_header )
+		fprintf(fp, "%s void %s(Analyzer* analyzer%s",
+			decl.generate_c_namespace_start.c_str(), decl.generate_bare_name.c_str(),
+			args.size() ? ", " : "" );
+	else
+		fprintf(fp, "void %s(Analyzer* analyzer%s",
+			decl.generate_c_fullname.c_str(),
 			args.size() ? ", " : "" );
 	for ( int i = 0; i < (int) args.size(); ++i )
 		{
@@ -101,6 +224,10 @@ void print_event_c_prototype(FILE *fp)
 		args[i]->PrintCArg(fp, i);
 		}
 	fprintf(fp, ")");
+	if ( is_header )
+		fprintf(fp, "; %s\n", decl.generate_c_namespace_end.c_str());
+	else
+		fprintf(fp, "\n");
 	}
 
 // Print the bro_event_* function body in C++.
@@ -109,9 +236,9 @@ void print_event_c_body(FILE *fp)
 	fprintf(fp, "\t{\n");
 	fprintf(fp, "\t// Note that it is intentional that here we do not\n");
 	fprintf(fp, "\t// check if %s is NULL, which should happen *before*\n",
-		decl_name);
+		decl.c_fullname.c_str());
-	fprintf(fp, "\t// bro_event_%s is called to avoid unnecessary Val\n",
+	fprintf(fp, "\t// %s is called to avoid unnecessary Val\n",
-		decl_name);
+		decl.generate_c_fullname.c_str());
 	fprintf(fp, "\t// allocation.\n");
 	fprintf(fp, "\n");
 
@@ -141,7 +268,7 @@ void print_event_c_body(FILE *fp)
 
 	fprintf(fp, "\n");
 	fprintf(fp, "\tmgr.QueueEvent(%s, vl, SOURCE_LOCAL, analyzer->GetID(), timer_mgr",
-		decl_name);
+		decl.c_fullname.c_str());
 
 	if ( connection_arg )
 		// Pass the connection to the EventMgr as the "cookie"
@@ -149,20 +276,22 @@ void print_event_c_body(FILE *fp)
 
 	fprintf(fp, ");\n");
 	fprintf(fp, "\t} // event generation\n");
+	//fprintf(fp, "%s // end namespace\n", decl.generate_c_namespace_end.c_str());
 	}
 %}
 
 %token TOK_LPP TOK_RPP TOK_LPB TOK_RPB TOK_LPPB TOK_RPPB TOK_VAR_ARG
 %token TOK_BOOL
-%token TOK_FUNCTION TOK_REWRITER TOK_EVENT TOK_CONST TOK_ENUM TOK_DECLARE
+%token TOK_FUNCTION TOK_REWRITER TOK_EVENT TOK_CONST TOK_ENUM
+%token TOK_TYPE TOK_RECORD TOK_SET TOK_VECTOR TOK_TABLE TOK_MODULE
 %token TOK_WRITE TOK_PUSH TOK_EOF TOK_TRACE
 %token TOK_ARGS TOK_ARG TOK_ARGC
 %token TOK_ID TOK_ATTR TOK_CSTR TOK_LF TOK_WS TOK_COMMENT
-%token TOK_ATOM TOK_C_TOKEN
+%token TOK_ATOM TOK_INT TOK_C_TOKEN
 
 %left ',' ':'
 
-%type <str> TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR opt_ws
+%type <str> TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws
 %type <val> TOK_ATOM TOK_BOOL
 
 %union	{
@@ -172,6 +301,14 @@ void print_event_c_body(FILE *fp)
 
 %%
 
+builtin_lang:	definitions
+			{
+			fprintf(fp_bro_init, "} # end of export section\n");
+			fprintf(fp_bro_init, "module %s;\n", GLOBAL_MODULE_NAME);
+			}
+
+
+
 definitions:	definitions definition opt_ws
 			{ fprintf(fp_func_def, "%s", $3); }
 	|	opt_ws
@@ -191,6 +328,7 @@ definitions:	definitions definition opt_ws
 			fprintf(fp_netvar_h, "// %s\n\n", auto_gen_comment);
 			fprintf(fp_netvar_init, "// %s\n\n", auto_gen_comment);
 
+			fprintf(fp_bro_init, "export {\n");
 			fprintf(fp_func_def, "%s", $1);
 			}
 	;
@@ -201,24 +339,58 @@ definition:	event_def
 	|	c_code_segment
 	|	enum_def
 	|	const_def
-	|	declare_def
+	|	type_def
+	|   module_def
 	;
 
-declare_def:	TOK_DECLARE opt_ws TOK_ENUM opt_ws TOK_ID opt_ws ';'
+
+module_def:	TOK_MODULE opt_ws TOK_ID opt_ws ';'
 			{
-			enum_types.insert($5);
+			current_module = string($3);
+			fprintf(fp_bro_init, "module %s;\n", $3);
 			}
+
+	 // XXX: Add the netvar glue so that the event engine knows about
+	 // the type. One still has to define the type in bro.init.
+	 // Would be nice, if we could just define the record type here
+	 // and then copy to the .bif.bro file, but type declarations in
+	 // Bro can be quite powerful. Don't know whether it's worth it
+	 // extend the bif-language to be able to handle that all....
+	 // Or we just support a simple form of record type definitions
+	 // TODO: add other types (tables, sets)
+type_def:	TOK_TYPE opt_ws TOK_ID opt_ws ':' opt_ws type_def_types opt_ws ';'
+			{
+			set_decl_name($3);
+
+			fprintf(fp_netvar_h, "%s extern %sType * %s; %s\n",
+				decl.c_namespace_start.c_str(), type_name.c_str(),
+				decl.bare_name.c_str(), decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_def, "%s %sType * %s; %s\n",
+				decl.c_namespace_start.c_str(), type_name.c_str(),
+				decl.bare_name.c_str(), decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_init,
+				"\t%s = internal_type(\"%s\")->As%sType();\n",
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str(),
+				type_name.c_str());
+			}
+	;
+
+type_def_types: TOK_RECORD
+			{ set_definition_type(TYPE_DEF, "Record"); }
+	| TOK_SET
+			{ set_definition_type(TYPE_DEF, "Set"); }
+	| TOK_VECTOR
+			{ set_definition_type(TYPE_DEF, "Vector"); }
+	| TOK_TABLE
+			{ set_definition_type(TYPE_DEF, "Table"); }
 	;
 
 event_def:	event_prefix opt_ws plain_head opt_attr end_of_head ';'
 			{
-			print_event_c_prototype(fp_func_h);
+			print_event_c_prototype(fp_func_h, true);
-			fprintf(fp_func_h, ";\n");
+			print_event_c_prototype(fp_func_def, false);
-			print_event_c_prototype(fp_func_def);
-			fprintf(fp_func_def, "\n");
 			print_event_c_body(fp_func_def);
 			}
-	;
 
 func_def:	func_prefix opt_ws typed_head end_of_head body
 	;
@@ -230,24 +402,34 @@ enum_def:	enum_def_1 enum_list TOK_RPB
 			{
 			// First, put an end to the enum type decl.
 			fprintf(fp_bro_init, "};\n");
-			fprintf(fp_netvar_h, "}; }\n");
+			if ( decl.module_name != GLOBAL_MODULE_NAME )
+				fprintf(fp_netvar_h, "}; } }\n");
+			else
+				fprintf(fp_netvar_h, "}; }\n");
 
 			// Now generate the netvar's.
-			fprintf(fp_netvar_h,
+			fprintf(fp_netvar_h, "%s extern EnumType * %s; %s\n",
-				"extern EnumType* enum_%s;\n", decl_name);
+				decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
-			fprintf(fp_netvar_def,
+			fprintf(fp_netvar_def, "%s EnumType * %s; %s\n",
-				"EnumType* enum_%s;\n", decl_name);
+				decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 			fprintf(fp_netvar_init,
-				"\tenum_%s = internal_type(\"%s\")->AsEnumType();\n",
+				"\t%s = internal_type(\"%s\")->AsEnumType();\n",
-				decl_name, decl_name);
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 			}
 	;
 
 enum_def_1:	TOK_ENUM opt_ws TOK_ID opt_ws TOK_LPB opt_ws
 			{
-			decl_name = $3;
+			set_definition_type(TYPE_DEF, "Enum");
-			fprintf(fp_bro_init, "type %s: enum %s{%s", $3, $4, $6);
+			set_decl_name($3);
-			fprintf(fp_netvar_h, "namespace BroEnum { ");
+			fprintf(fp_bro_init, "type %s: enum %s{%s", decl.bro_name.c_str(), $4, $6);
+
+			// this is the namespace were the enumerators are defined, not where
+			// the type is defined.
+			// We don't support fully qualified names as enumerators. Use a module name
+			fprintf(fp_netvar_h, "namespace BifEnum { ");
+			if ( decl.module_name != GLOBAL_MODULE_NAME )
+				fprintf(fp_netvar_h, "namespace %s { ", decl.module_name.c_str());
 			fprintf(fp_netvar_h, "enum %s {\n", $3);
 			}
 	;
@@ -257,33 +439,41 @@ enum_list:	enum_list TOK_ID opt_ws ',' opt_ws
 			fprintf(fp_bro_init, "%s%s,%s", $2, $3, $5);
 			fprintf(fp_netvar_h, "\t%s,\n", $2);
 			}
+	| 		enum_list TOK_ID opt_ws '=' opt_ws TOK_INT opt_ws ',' opt_ws
+			{
+			fprintf(fp_bro_init, "%s = %s%s,%s", $2, $6, $7, $9);
+			fprintf(fp_netvar_h, "\t%s = %s,\n", $2, $6);
+			}
 	|	/* nothing */
 	;
 
-const_def:	const_def_1 const_init opt_attr ';'
-			{
-			fprintf(fp_bro_init, ";\n");
-			fprintf(fp_netvar_h, "extern int %s;\n", decl_name);
-			fprintf(fp_netvar_def, "int %s;\n", decl_name);
-			fprintf(fp_netvar_init, "\t%s = internal_val(\"%s\")->AsBool();\n",
-				decl_name, decl_name);
-			}
-	;
 
-const_def_1:	TOK_CONST opt_ws TOK_ID opt_ws
+const_def:	TOK_CONST opt_ws TOK_ID opt_ws ':' opt_ws TOK_ID opt_ws ';'
 			{
-			decl_name = $3;
+			set_definition_type(CONST_DEF, 0);
-			fprintf(fp_bro_init, "const%s", $2);
+			set_decl_name($3);
-			fprintf(fp_bro_init, "%s: bool%s", $3, $4);
+			int typeidx = get_type_index($7);
-			}
+			char accessor[1024];
-	;
+
+			snprintf(accessor, sizeof(accessor), builtin_types[typeidx].accessor, "");
+
+
+			fprintf(fp_netvar_h, "%s extern %s %s; %s\n",
+					decl.c_namespace_start.c_str(),
+					builtin_types[typeidx].c_type, decl.bare_name.c_str(),
+					decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_def, "%s %s %s; %s\n",
+					decl.c_namespace_start.c_str(),
+					builtin_types[typeidx].c_type, decl.bare_name.c_str(),
+					decl.c_namespace_end.c_str());
+			fprintf(fp_netvar_init, "\t%s = internal_const_val(\"%s\")%s;\n",
+				decl.c_fullname.c_str(), decl.bro_fullname.c_str(),
+				accessor);
+			}
 
-opt_const_init:	/* nothing */
-	|	const_init
-	;
 
 /* Currently support only boolean and string values */
-const_init:	'=' opt_ws TOK_BOOL opt_ws
+opt_attr_init:	'=' opt_ws TOK_BOOL opt_ws
 			{
 			fprintf(fp_bro_init, "=%s%c%s", $2, ($3) ? 'T' : 'F', $4);
 			}
@@ -293,19 +483,19 @@ const_init:	'=' opt_ws TOK_BOOL opt_ws
 
 opt_attr:	/* nothing */
 	|	opt_attr TOK_ATTR { fprintf(fp_bro_init, "%s", $2); }
-		opt_ws opt_const_init
+		opt_ws opt_attr_init
 	;
 
 func_prefix:	TOK_FUNCTION
-			{ set_definition_type(FUNC_DEF); }
+			{ set_definition_type(FUNC_DEF, 0); }
 	;
 
 rewriter_prefix: TOK_REWRITER
-			{ set_definition_type(REWRITER_DEF); }
+			{ set_definition_type(REWRITER_DEF, 0); }
 	;
 
 event_prefix:	TOK_EVENT
-			{ set_definition_type(EVENT_DEF); }
+			{ set_definition_type(EVENT_DEF, 0); }
 	;
 
 end_of_head:	/* nothing */
@@ -346,7 +536,7 @@ plain_head:	head_1 args arg_end opt_ws
 head_1:		TOK_ID opt_ws arg_begin
 			{
 			const char* method_type = 0;
-			decl_name = $1;
+			set_decl_name($1);
 
 			if ( definition_type == FUNC_DEF || definition_type == REWRITER_DEF )
 				{
@@ -358,40 +548,37 @@ head_1:		TOK_ID opt_ws arg_begin
 
 			if ( method_type )
 				fprintf(fp_bro_init,
-					"global %s%s: %s%s(",
+					"global %s: %s%s(",
-					bro_prefix, decl_name, method_type, $2);
+					decl.bro_name.c_str(), method_type, $2);
 
 			if ( definition_type == FUNC_DEF || definition_type == REWRITER_DEF )
 				{
 				fprintf(fp_func_init,
-					"\textern Val* %s%s(Frame* frame, val_list*);\n",
+					"\t(void) new BuiltinFunc(%s, \"%s\", 0);\n",
-					c_prefix, decl_name);
+					decl.c_fullname.c_str(), decl.bro_fullname.c_str());
-
-				fprintf(fp_func_init,
-					"\t(void) new BuiltinFunc(%s%s, \"%s%s\", 0);\n",
-					c_prefix, decl_name, bro_prefix, decl_name);
 
 				fprintf(fp_func_h,
-					"extern Val* %s%s(Frame* frame, val_list*);\n",
+					"%sextern Val* %s(Frame* frame, val_list*);%s\n",
-					c_prefix, decl_name);
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 
 				fprintf(fp_func_def,
-					"Val* %s%s(Frame* frame, val_list* %s)",
+					"Val* %s(Frame* frame, val_list* %s)",
-					c_prefix, decl_name, arg_list_name);
+					decl.c_fullname.c_str(), arg_list_name);
 				}
 			else if ( definition_type == EVENT_DEF )
 				{
+				// TODO: add namespace for events here
 				fprintf(fp_netvar_h,
-					"extern EventHandlerPtr %s;\n",
+					"%sextern EventHandlerPtr %s; %s\n",
-					decl_name);
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 
 				fprintf(fp_netvar_def,
-					"EventHandlerPtr %s;\n",
+					"%sEventHandlerPtr %s; %s\n",
-					decl_name);
+					decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str());
 
 				fprintf(fp_netvar_init,
 					"\t%s = internal_handler(\"%s\");\n",
-					decl_name, decl_name);
+					decl.c_fullname.c_str(), decl.bro_fullname.c_str());
 
 				// C++ prototypes of bro_event_* functions will
 				// be generated later.
@@ -437,7 +624,7 @@ return_type:	':' opt_ws TOK_ID opt_ws
 
 body:		body_start c_body body_end
 			{
-			fprintf(fp_func_def, " // end of %s\n", decl_name);
+			fprintf(fp_func_def, " // end of %s\n", decl.c_fullname.c_str());
 			print_line_directive(fp_func_def);
 			}
 	;
@@ -474,7 +661,7 @@ body_start:	TOK_LPB c_code_begin
 				fprintf(fp_func_def, "\t\t{\n");
 				fprintf(fp_func_def,
 					"\t\trun_time(\"%s() takes exactly %d argument(s)\");\n",
-					decl_name, argc);
+					decl.bro_fullname.c_str(), argc);
 				fprintf(fp_func_def, "\t\treturn 0;\n");
 				fprintf(fp_func_def, "\t\t}\n");
 				}
@@ -484,7 +671,7 @@ body_start:	TOK_LPB c_code_begin
 				fprintf(fp_func_def, "\t\t{\n");
 				fprintf(fp_func_def,
 					"\t\trun_time(\"%s() takes at least %d argument(s)\");\n",
-					decl_name, argc);
+					decl.bro_fullname.c_str(), argc);
 				fprintf(fp_func_def, "\t\treturn 0;\n");
 				fprintf(fp_func_def, "\t\t}\n");
 				}
@@ -543,6 +730,9 @@ c_atom:		TOK_ID
 			{ fprintf(fp_func_def, "%s", $1); }
 	|	TOK_ATOM
 			{ fprintf(fp_func_def, "%c", $1); }
+	|	TOK_INT
+			{ fprintf(fp_func_def, "%s", $1); }
+
 	;
 
 opt_ws:		opt_ws TOK_WS
@@ -565,7 +755,7 @@ opt_ws:		opt_ws TOK_WS
 extern char* yytext;
 extern char* input_filename;
 extern int line_number;
-const char* decl_name;
+void err_exit(void);
 
 void print_msg(const char msg[])
 	{
@@ -605,7 +795,6 @@ int yyerror(const char msg[])
 	{
 	print_msg(msg);
 
-	abort();
+	err_exit();
-	exit(1);
 	return 0;
 	}

src/const.bif

@@ -1,97 +1,19 @@
 # $Id: const.bif 3929 2007-01-14 00:37:59Z vern $
 
-# Some connections (e.g., SSH) retransmit the acknowledged last
+# Documentation and default values for these are located in policy/bro.dif.
-# byte to keep the connection alive. If ignore_keep_alive_rexmit
-# is set to T, such retransmissions will be excluded in the rexmit
-# counter in conn_stats.
-const ignore_keep_alive_rexmit = F &redef;
 
-# Skip HTTP data portions for performance considerations (the skipped
+const ignore_keep_alive_rexmit: bool;
-# portion will not go through TCP reassembly).
+const skip_http_data: bool;
-const skip_http_data = F &redef;
+const parse_udp_tunnels: bool;
-
+const requires_trace_commitment: bool;
-# Whether the analysis engine parses IP packets encapsulated in
+const anonymize_ip_addr: bool;
-# UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
+const omit_rewrite_place_holder: bool;
-const parse_udp_tunnels = F &redef;
+const rewriting_http_trace :bool;
-
+const rewriting_smtp_trace: bool;
-# Whether a commitment is required before writing the transformed
+const rewriting_ftp_trace: bool;
-# trace for a connection into the dump file.
+const rewriting_ident_trace: bool;
-const requires_trace_commitment = F &redef;
+const rewriting_finger_trace: bool;
-
+const rewriting_dns_trace: bool;
-# Whether IP address anonymization is enabled.
+const rewriting_smb_trace: bool;
-const anonymize_ip_addr = F &redef;
+const dump_selected_source_packets: bool;
-
+const dump_original_packets_if_not_rewriting: bool;
-# Whether to omit place holder packets when rewriting.
-const omit_rewrite_place_holder = T &redef;
-
-# Whether trace of various protocols is being rewritten.
-const rewriting_http_trace = F &redef;
-const rewriting_smtp_trace = F &redef;
-const rewriting_ftp_trace = F &redef;
-const rewriting_ident_trace = F &redef;
-const rewriting_finger_trace = F &redef;
-const rewriting_dns_trace = F &redef;
-const rewriting_smb_trace = F &redef;
-
-# Whether we dump selected original packets to the output trace.
-const dump_selected_source_packets = F &redef;
-
-# If true, we dump original packets to the output trace *if and only if*
-# the connection is not rewritten; if false, the policy script can decide
-# whether to dump a particular connection by calling dump_packets_of_connection.
-#
-# NOTE: DO NOT SET THIS TO TRUE WHEN ANONYMIZING A TRACE! 
-# (TODO: this variable should be disabled when using '-A' option)
-const dump_original_packets_if_not_rewriting = F &redef;
-
-enum dce_rpc_ptype %{
-	DCE_RPC_REQUEST,
-	DCE_RPC_PING,
-	DCE_RPC_RESPONSE,
-	DCE_RPC_FAULT,
-	DCE_RPC_WORKING,
-	DCE_RPC_NOCALL,
-	DCE_RPC_REJECT,
-	DCE_RPC_ACK,
-	DCE_RPC_CL_CANCEL,
-	DCE_RPC_FACK,
-	DCE_RPC_CANCEL_ACK,
-	DCE_RPC_BIND,
-	DCE_RPC_BIND_ACK,
-	DCE_RPC_BIND_NAK,
-	DCE_RPC_ALTER_CONTEXT,
-	DCE_RPC_ALTER_CONTEXT_RESP,
-	DCE_RPC_SHUTDOWN,
-	DCE_RPC_CO_CANCEL,
-	DCE_RPC_ORPHANED,
-%}
-
-enum dce_rpc_if_id %{
-	DCE_RPC_unknown_if,
-	DCE_RPC_epmapper,
-	DCE_RPC_lsarpc,
-	DCE_RPC_lsa_ds,
-	DCE_RPC_mgmt,
-	DCE_RPC_netlogon,
-	DCE_RPC_samr,
-	DCE_RPC_srvsvc,
-	DCE_RPC_spoolss,
-	DCE_RPC_drs,
-	DCE_RPC_winspipe,
-	DCE_RPC_wkssvc,
-	DCE_RPC_oxid,
-	DCE_RPC_ISCMActivator,
-%}
-
-enum rpc_status %{
-	RPC_SUCCESS,
-	RPC_PROG_UNAVAIL,
-	RPC_PROG_MISMATCH,
-	RPC_PROC_UNAVAIL,
-	RPC_GARBAGE_ARGS,
-	RPC_SYSTEM_ERR,
-	RPC_TIMEOUT,
-	RPC_VERS_MISMATCH,
-	RPC_AUTH_ERROR,
-	RPC_UNKNOWN_ERROR,
-%}

src/cq.c

@@ -570,8 +570,8 @@ cq_debugbucket(register struct cq_handle *hp,
 			bp2 = hp->buckets + PRI2BUCKET(hp, bp->pri);
 			if (bp2 != buckets) {
 				fprintf(stderr,
-				    "%f in wrong bucket! (off by %d)\n",
+				    "%f in wrong bucket! (off by %ld)\n",
-				    bp->pri, bp2 - buckets);
+				    bp->pri, (long)(bp2 - buckets));
 				cq_dump(hp);
 				abort();
 			}

src/dce_rpc-analyzer.pac

@@ -88,7 +88,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 					bind_elems.p_cont_elem[i].abstract_syntax.if_uuid};
 
 				// Queue the event
-				bro_event_dce_rpc_bind(
+				BifEvent::generate_dce_rpc_bind(
 					${connection.bro_analyzer},
 					${connection.bro_analyzer}->Conn(),
 					bytestring_to_val(${if_uuid}));
@@ -106,7 +106,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 		%{
 		if ( dce_rpc_request )
 			{
-			bro_event_dce_rpc_request(
+			BifEvent::generate_dce_rpc_request(
 				${connection.bro_analyzer},
 				${connection.bro_analyzer}->Conn(),
 				${req.opnum},
@@ -124,7 +124,7 @@ flow DCE_RPC_Flow(is_orig: bool) {
 		%{
 		if ( dce_rpc_response )
 			{
-			bro_event_dce_rpc_response(
+			BifEvent::generate_dce_rpc_response(
 				${connection.bro_analyzer},
 				${connection.bro_analyzer}->Conn(),
 				${connection}->get_cont_id_opnum_map(${resp.p_cont_id}),

src/dce_rpc.pac

@@ -8,5 +8,5 @@ analyzer DCE_RPC withcontext {
 	flow: DCE_RPC_Flow;
 };
 
-%include "dce_rpc-protocol.pac"
+%include dce_rpc-protocol.pac
-%include "dce_rpc-analyzer.pac"
+%include dce_rpc-analyzer.pac

src/dhcp-analyzer.pac

@@ -91,31 +91,31 @@ flow DHCP_Flow(is_orig: bool) {
 		switch ( type )
 		{
 		case DHCPDISCOVER:
-			bro_event_dhcp_discover(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_discover(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), req_addr);
 			break;
 
 		case DHCPREQUEST:
-			bro_event_dhcp_request(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_request(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dhcp_msg_val_->Ref(), req_addr, serv_addr);
 			break;
 
 		case DHCPDECLINE:
-			bro_event_dhcp_decline(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_decline(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
 
 		case DHCPRELEASE:
-			bro_event_dhcp_release(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_release(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
 
 		case DHCPINFORM:
-			bro_event_dhcp_inform(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_inform(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;
@@ -204,21 +204,21 @@ flow DHCP_Flow(is_orig: bool) {
 
 		switch ( type ) {
 		case DHCPOFFER:
-			bro_event_dhcp_offer(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_offer(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), subnet_mask,
 					router_list, lease, serv_addr);
 			break;
 
 		case DHCPACK:
-			bro_event_dhcp_ack(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_ack(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref(), subnet_mask,
 					router_list, lease, serv_addr);
 			break;
 
 		case DHCPNAK:
-			bro_event_dhcp_nak(connection()->bro_analyzer(),
+			BifEvent::generate_dhcp_nak(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dhcp_msg_val_->Ref());
 			break;

src/dns-analyzer.pac

@@ -124,7 +124,7 @@ flow DNS_Flow
 
 		if ( msg->header()->qr() == 0 )
 			{
-			bro_event_dns_request(
+			BifEvent::generate_dns_request(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(),
@@ -137,7 +137,7 @@ flow DNS_Flow
 		          msg->header()->nscount() == 0 &&
 		          msg->header()->arcount() == 0 )
 			{
-			bro_event_dns_rejected(
+			BifEvent::generate_dns_rejected(
 				connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(),
@@ -253,7 +253,7 @@ flow DNS_Flow
 			// above fixes for BROv6, we can probably now introduce
 			// their own events.  (It's not clear A6 is needed -
 			// do we actually encounter it in practice?)
-			bro_event_dns_A_reply(connection()->bro_analyzer(),
+			BifEvent::generate_dns_A_reply(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				dns_msg_val_->Ref(), build_dns_answer(rr), addr);
 			break;
@@ -261,7 +261,7 @@ flow DNS_Flow
 		case TYPE_NS:
 			if ( dns_NS_reply )
 				{
-				bro_event_dns_NS_reply(connection()->bro_analyzer(),
+				BifEvent::generate_dns_NS_reply(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
 					build_dns_answer(rr),
@@ -272,7 +272,7 @@ flow DNS_Flow
 		case TYPE_CNAME:
 			if ( dns_CNAME_reply )
 				{
-				bro_event_dns_CNAME_reply(
+				BifEvent::generate_dns_CNAME_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -284,7 +284,7 @@ flow DNS_Flow
 		case TYPE_SOA:
 			if ( dns_SOA_reply )
 				{
-				bro_event_dns_SOA_reply(
+				BifEvent::generate_dns_SOA_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -296,7 +296,7 @@ flow DNS_Flow
 		case TYPE_PTR:
 			if ( dns_PTR_reply )
 				{
-				bro_event_dns_PTR_reply(
+				BifEvent::generate_dns_PTR_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -308,7 +308,7 @@ flow DNS_Flow
 		case TYPE_MX:
 			if ( dns_MX_reply )
 				{
-				bro_event_dns_MX_reply(
+				BifEvent::generate_dns_MX_reply(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),
@@ -321,7 +321,7 @@ flow DNS_Flow
 		case TYPE_EDNS:
 			if ( dns_EDNS_addl )
 				{
-				bro_event_dns_EDNS_addl(
+				BifEvent::generate_dns_EDNS_addl(
 					connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					dns_msg_val_->Ref(),

src/event.bif

@@ -1,10 +1,5 @@
 # $Id: event.bif 6942 2009-11-16 03:54:08Z vern $
 
-# Declare to bifcl the following types as enum types.
-declare enum dce_rpc_ptype;
-declare enum dce_rpc_if_id;
-declare enum rpc_status;
-
 event bro_init%(%);
 event bro_done%(%);
 

src/http-analyzer.pac

@@ -84,7 +84,7 @@ flow HTTP_Flow(is_orig: bool) {
 		if ( ::http_request )
 			{
 			bytestring unescaped_uri = unescape_uri(uri);
-			bro_event_http_request(connection()->bro_analyzer(),
+			BifEvent::generate_http_request(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				bytestring_to_val(method),
 				bytestring_to_val(uri),
@@ -103,7 +103,7 @@ flow HTTP_Flow(is_orig: bool) {
 		%{
 		if ( ::http_reply )
 			{
-			bro_event_http_reply(connection()->bro_analyzer(),
+			BifEvent::generate_http_reply(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				bytestring_to_val(${vers.vers_str}), code,
 				bytestring_to_val(reason));
@@ -205,7 +205,7 @@ flow HTTP_Flow(is_orig: bool) {
 
 		if ( ::http_header )
 			{
-			bro_event_http_header(connection()->bro_analyzer(),
+			BifEvent::generate_http_header(connection()->bro_analyzer(),
 				connection()->bro_analyzer()->Conn(),
 				is_orig(),
 				bytestring_to_val(name)->ToUpper(),
@@ -236,7 +236,7 @@ flow HTTP_Flow(is_orig: bool) {
 		%{
 		if ( ::http_all_headers )
 			{
-			bro_event_http_all_headers(connection()->bro_analyzer(),
+			BifEvent::generate_http_all_headers(connection()->bro_analyzer(),
 						connection()->bro_analyzer()->Conn(),
 						is_orig(),
 						build_http_headers_val());
@@ -263,7 +263,7 @@ flow HTTP_Flow(is_orig: bool) {
 		msg_start_time_ = network_time();
 		if ( ::http_begin_entity )
 			{
-			bro_event_http_begin_entity(connection()->bro_analyzer(),
+			BifEvent::generate_http_begin_entity(connection()->bro_analyzer(),
 							connection()->bro_analyzer()->Conn(), is_orig());
 			}
 		%}
@@ -295,13 +295,13 @@ flow HTTP_Flow(is_orig: bool) {
 
 		if ( ::http_end_entity )
 			{
-			bro_event_http_end_entity(connection()->bro_analyzer(),
+			BifEvent::generate_http_end_entity(connection()->bro_analyzer(),
 							connection()->bro_analyzer()->Conn(), is_orig());
 			}
 
 		if ( ::http_message_done )
 			{
-			bro_event_http_message_done(connection()->bro_analyzer(),
+			BifEvent::generate_http_message_done(connection()->bro_analyzer(),
 					connection()->bro_analyzer()->Conn(),
 					is_orig(), build_http_message_stat());
 			}

src/main.cc

@@ -8,6 +8,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <signal.h>
+#include <string.h>
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
@@ -424,7 +425,7 @@ int main(int argc, char** argv)
 
 	prog = argv[0];
 
-	prefixes.append("");	// "" = "no prefix"
+	prefixes.append(strdup(""));	// "" = "no prefix"
 
 	char* p = getenv("BRO_PREFIXES");
 	if ( p )

src/module_util.cc

@@ -0,0 +1,62 @@
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <string>
+#include <string.h>
+#include "module_util.h"
+
+static int streq(const char* s1, const char* s2)
+	{
+	return ! strcmp(s1, s2);
+	}
+
+// Returns it without trailing "::".
+string extract_module_name(const char* name)
+	{
+	string module_name = name;
+	string::size_type pos = module_name.rfind("::");
+
+	if ( pos == string::npos )
+		return string(GLOBAL_MODULE_NAME);
+
+	module_name.erase(pos);
+
+	return module_name;
+	}
+
+string extract_var_name(const char *name)
+	{
+	string var_name = name;
+	string::size_type pos = var_name.rfind("::");
+
+	if ( pos == string::npos )
+		return var_name;
+
+	if ( pos + 2 > var_name.size() )
+		return string("");
+
+	return var_name.substr(pos+2);
+	}
+
+string normalized_module_name(const char* module_name)
+	{
+	int mod_len;
+	if ( (mod_len = strlen(module_name)) >= 2 &&
+	     streq(module_name + mod_len - 2, "::") )
+		mod_len -= 2;
+
+	return string(module_name, mod_len);
+	}
+
+string make_full_var_name(const char* module_name, const char* var_name)
+	{
+	if ( ! module_name || streq(module_name, GLOBAL_MODULE_NAME) ||
+	     strstr(var_name, "::") )
+		return string(var_name);
+
+	string full_name = normalized_module_name(module_name);
+	full_name += "::";
+	full_name += var_name;
+
+	return full_name;
+	}

src/module_util.h

@@ -0,0 +1,17 @@
+//
+// These functions are used by both Bro and bifcl.
+//
+
+#include <string>
+
+using namespace std;
+
+static const char* GLOBAL_MODULE_NAME = "GLOBAL";
+
+extern string extract_module_name(const char* name);
+extern string extract_var_name(const char* name);
+extern string normalized_module_name(const char* module_name); // w/o ::
+
+// Concatenates module_name::var_name unless var_name is already fully
+// qualified, in which case it is returned unmodified.
+extern string make_full_var_name(const char* module_name, const char* var_name);

src/parse.y

@@ -3,6 +3,8 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 %}
 
+%expect 71
+
 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ALARM TOK_ANY
 %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF
 %token TOK_BOOL TOK_BREAK TOK_CASE TOK_CONST
@@ -49,7 +51,7 @@
 %type <expr> expr init anonymous_function
 %type <event_expr> event
 %type <stmt> stmt stmt_list func_body for_head
-%type <type> type opt_type refined_type enum_id_list
+%type <type> type opt_type refined_type enum_body
 %type <func_type> func_hdr func_params
 %type <type_l> type_list
 %type <type_decl> type_decl formal_args_decl
@@ -111,6 +113,30 @@ bool in_debug = false;
 bool resolving_global_ID = false;
 
 ID* func_id = 0;
+EnumType *cur_enum_type = 0;
+
+static void parser_new_enum (void)
+	{
+	/* Starting a new enum definition. */
+	assert(cur_enum_type == NULL);
+	cur_enum_type = new EnumType();
+	}
+
+static void parser_redef_enum (ID *id)
+	{
+	/* Redef an enum. id points to the enum to be redefined.
+	   Let cur_enum_type point to it. */
+	assert(cur_enum_type == NULL);
+	if ( ! id->Type() )
+		id->Error("unknown identifier");
+	else
+		{
+		cur_enum_type = id->Type()->AsEnumType();
+		if ( ! cur_enum_type )
+			id->Error("not an enum");
+		}
+	}
+
 %}
 
 %union {
@@ -553,24 +579,49 @@ single_pattern:
 			{ $$ = $3; }
 	;
 
-enum_id_list:
+enum_body:
-		TOK_ID
+		enum_body_list opt_comma
 			{
-			set_location(@1);
+			$$ = cur_enum_type;
-
+			cur_enum_type = NULL;
-			EnumType* et = new EnumType(is_export);
-			if ( et->AddName(current_module, $1) < 0 )
-				error("identifier in enumerated type definition already exists");
-			$$ = et;
 			}
+	;
 
-	|	enum_id_list ',' TOK_ID
+enum_body_list:
+			enum_body_elem	 /* No action */
+		|	enum_body_list ',' enum_body_elem  /* no action */
+	;
+
+enum_body_elem:
+		/* TODO: We could also define this as TOK_ID '=' expr, (or
+		   TOK_ID '=' = TOK_ID) so that we can return more descriptive
+		   error messages if someboy tries to use constant variables as
+		   enumerator.
+		*/
+		TOK_ID '=' TOK_CONSTANT
 			{
 			set_location(@1, @3);
+			assert(cur_enum_type);
+			if ( $3->Type()->Tag() != TYPE_COUNT )
+				error("enumerator is not a count constant");
+			else
+				cur_enum_type->AddName(current_module, $1, $3->InternalUnsigned(), is_export);
+			}
 
-			if ( $1->AsEnumType()->AddName(current_module, $3) < 1 )
+	|	TOK_ID '=' '-' TOK_CONSTANT
-				error("identifier in enumerated type definition already exists");
+			{
-			$$ = $1;
+			/* We only accept counts as enumerator, but we want to return a nice
+			   error message if users triy to use a negative integer (will also
+			   catch other cases, but that's fine.)
+			*/
+			error("enumerator is not a count constant");
+			}
+
+	|	TOK_ID
+			{
+			set_location(@1);
+			assert(cur_enum_type);
+			cur_enum_type->AddName(current_module, $1, is_export);
 			}
 	;
 
@@ -675,10 +726,11 @@ type:
 				$$ = 0;
 				}
 
-	|	TOK_ENUM '{' enum_id_list opt_comma '}'
+	|	TOK_ENUM '{' { set_location(@1); parser_new_enum(); } enum_body '}'
 				{
-				set_location(@1, @4);
+				set_location(@1, @5);
-				$$ = $3;
+				$4->UpdateLocationEndInfo(@5);
+				$$ = $4;
 				}
 
 	|	TOK_LIST
@@ -814,21 +866,9 @@ decl:
 	|	TOK_REDEF global_id opt_type init_class opt_init opt_attr ';'
 			{ add_global($2, $3, $4, $5, $6, VAR_REDEF); }
 
-	|       TOK_REDEF TOK_ENUM global_id TOK_ADD_TO
+	|	TOK_REDEF TOK_ENUM global_id TOK_ADD_TO
-		'{' enum_id_list opt_comma '}' ';'
+		'{' { parser_redef_enum($3); } enum_body '}' ';'
-			{
+			{ /* no action */ }
-			if ( ! $3->Type() )
-				$3->Error("unknown identifier");
-			else
-				{
-				EnumType* add_to = $3->Type()->AsEnumType();
-				if ( ! add_to )
-					$3->Error("not an enum");
-				else
-					add_to->AddNamesFrom(current_module,
-							     $6->AsEnumType());
-				}
-			}
 
 	|	TOK_TYPE global_id ':' refined_type opt_attr ';'
 			{

src/patricia.c

@@ -1027,7 +1027,7 @@ lookup_then_remove (patricia_tree_t *tree, char *string)
 {
     patricia_node_t *node;
 
-    if (node = try_search_exact (tree, string))
+    if ( (node = try_search_exact(tree, string)) )
         patricia_remove (tree, node);
 }
 

src/portmap-analyzer.pac

@@ -100,23 +100,23 @@ refine connection RPC_Conn += {
 
 		switch ( call->proc() ) {
 		case PMAPPROC_NULL:
-			bro_event_pm_request_null(bro_analyzer(), bro_analyzer()->Conn());
+			BifEvent::generate_pm_request_null(bro_analyzer(), bro_analyzer()->Conn());
 			break;
 
 		case PMAPPROC_SET:
-			bro_event_pm_request_set(bro_analyzer(),
+			BifEvent::generate_pm_request_set(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(), results->set());
 			break;
 
 		case PMAPPROC_UNSET:
-			bro_event_pm_request_unset(bro_analyzer(),
+			BifEvent::generate_pm_request_unset(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(), results->unset());
 			break;
 
 		case PMAPPROC_GETPORT:
-			bro_event_pm_request_getport(bro_analyzer(),
+			BifEvent::generate_pm_request_getport(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(),
 				PortmapBuildPortVal(results->getport(),
@@ -124,13 +124,13 @@ refine connection RPC_Conn += {
 			break;
 
 		case PMAPPROC_DUMP:
-			bro_event_pm_request_dump(bro_analyzer(),
+			BifEvent::generate_pm_request_dump(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				PortmapBuildDumpVal(results->dump()));
 			break;
 
 		case PMAPPROC_CALLIT:
-			bro_event_pm_request_callit(bro_analyzer(),
+			BifEvent::generate_pm_request_callit(bro_analyzer(),
 				bro_analyzer()->Conn(),
 				call->call_val(),
 				new PortVal(results->callit()->port(),
@@ -149,37 +149,37 @@ function PortmapCallFailed(connection: RPC_Conn,
 			call: RPC_Call,
 			status: EnumRPCStatus): bool
 	%{
-	// BroEnum::rpc_status st = static_cast<BroEnum::rpc_status>(status);
+	// BifEnum::rpc_status st = static_cast<BifEnum::rpc_status>(status);
-	BroEnum::rpc_status st = (BroEnum::rpc_status) status;
+	Val *st = new EnumVal(status, BifType::Enum::rpc_status);
 
 	switch ( call->proc() ) {
 	case PMAPPROC_NULL:
-		bro_event_pm_attempt_null(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_null(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st);
 		break;
 
 	case PMAPPROC_SET:
-		bro_event_pm_attempt_set(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_set(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
 
 	case PMAPPROC_UNSET:
-		bro_event_pm_attempt_unset(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_unset(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
 
 	case PMAPPROC_GETPORT:
-		bro_event_pm_attempt_getport(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_getport(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
 
 	case PMAPPROC_DUMP:
-		bro_event_pm_attempt_dump(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_dump(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st);
 		break;
 
 	case PMAPPROC_CALLIT:
-		bro_event_pm_attempt_callit(connection->bro_analyzer(),
+		BifEvent::generate_pm_attempt_callit(connection->bro_analyzer(),
 			connection->bro_analyzer()->Conn(), st, call->call_val());
 		break;
 

src/rpc-analyzer.pac

@@ -157,7 +157,7 @@ flow RPC_Flow (is_orig: bool) {
 			return false;
 			}
 
-		bro_event_rpc_call(connection()->bro_analyzer(),
+		BifEvent::generate_rpc_call(connection()->bro_analyzer(),
 		                   connection()->bro_analyzer()->Conn(),
 		                   call->prog(),
 		                   call->vers(),

src/ssl-analyzer.pac

@@ -165,7 +165,7 @@ refine analyzer SSLAnalyzer += {
 		%{
 		StringVal* err_str =
 			new StringVal(X509_verify_cert_error_string(err_num));
-		bro_event_ssl_X509_error(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_X509_error(bro_analyzer_, bro_analyzer_->Conn(),
 						err_num, err_str);
 		%}
 
@@ -189,7 +189,7 @@ refine analyzer SSLAnalyzer += {
 
 	function proc_alert(level : int, description : int) : bool
 		%{
-		bro_event_ssl_conn_alert(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_conn_alert(bro_analyzer_, bro_analyzer_->Conn(),
 						current_record_version_, level,
 						description);
 		return true;
@@ -217,7 +217,7 @@ refine analyzer SSLAnalyzer += {
 			Unref(ciph);
 			}
 
-		bro_event_ssl_conn_attempt(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_conn_attempt(bro_analyzer_, bro_analyzer_->Conn(),
 						version, cipher_table);
 
 		if ( ssl_compare_cipherspecs )
@@ -252,7 +252,7 @@ refine analyzer SSLAnalyzer += {
 			Unref(ciph);
 			}
 
-		bro_event_ssl_conn_server_reply(bro_analyzer_,
+		BifEvent::generate_ssl_conn_server_reply(bro_analyzer_,
 						bro_analyzer_->Conn(),
 						version_, chosen_ciphers);
 
@@ -263,10 +263,10 @@ refine analyzer SSLAnalyzer += {
 			TableVal* tv = to_table_val(session_id);
 			if ( client_session_id_ &&
 			     *client_session_id_ == *session_id )
-				bro_event_ssl_conn_reused(bro_analyzer_,
+				BifEvent::generate_ssl_conn_reused(bro_analyzer_,
 						bro_analyzer_->Conn(), tv);
 			else
-				bro_event_ssl_session_insertion(bro_analyzer_,
+				BifEvent::generate_ssl_session_insertion(bro_analyzer_,
 						bro_analyzer_->Conn(), tv);
 
 			delete ciphers;
@@ -277,13 +277,13 @@ refine analyzer SSLAnalyzer += {
 			if ( client_session_id_ )
 				{
 				TableVal* tv = to_table_val(client_session_id_);
-				bro_event_ssl_conn_reused(bro_analyzer_,
+				BifEvent::generate_ssl_conn_reused(bro_analyzer_,
 						bro_analyzer_->Conn(), tv);
 				}
 
 			// We don't know the chosen cipher, as there is
 			// no session storage.
-			bro_event_ssl_conn_established(bro_analyzer_,
+			BifEvent::generate_ssl_conn_established(bro_analyzer_,
 							bro_analyzer_->Conn(),
 							version_, 0xffffffff);
 			delete ciphers;
@@ -316,7 +316,7 @@ refine analyzer SSLAnalyzer += {
 		if ( certificates->size() == 0 )
 			return true;
 
-		bro_event_ssl_certificate_seen(bro_analyzer_,
+		BifEvent::generate_ssl_certificate_seen(bro_analyzer_,
 						bro_analyzer_->Conn(),
 						! current_record_is_orig_);
 
@@ -341,7 +341,7 @@ refine analyzer SSLAnalyzer += {
 		pX509Cert->Assign(1, new StringVal(tmp));
 		pX509Cert->Assign(2, new AddrVal(bro_analyzer_->Conn()->OrigAddr()));
 
-		bro_event_ssl_certificate(bro_analyzer_, bro_analyzer_->Conn(),
+		BifEvent::generate_ssl_certificate(bro_analyzer_, bro_analyzer_->Conn(),
 					pX509Cert, current_record_is_orig_);
 
 		if ( X509_get_ext_count(pCert) > 0 )
@@ -361,7 +361,7 @@ refine analyzer SSLAnalyzer += {
 				Unref(index);
 				}
 
-			bro_event_process_X509_extensions(bro_analyzer_,
+			BifEvent::generate_process_X509_extensions(bro_analyzer_,
 						bro_analyzer_->Conn(), x509ex);
 			}
 
@@ -442,7 +442,7 @@ refine analyzer SSLAnalyzer += {
 				state_label(old_state_).c_str()));
 
 		check_cipher(cipher);
-		bro_event_ssl_conn_established(bro_analyzer_,
+		BifEvent::generate_ssl_conn_established(bro_analyzer_,
 				bro_analyzer_->Conn(), version_, cipher);
 
 		return true;
@@ -483,7 +483,7 @@ refine analyzer SSLAnalyzer += {
 		if ( state_ == STATE_CONN_ESTABLISHED &&
 		     old_state_ == STATE_COMM_ENCRYPTED )
 			{
-			bro_event_ssl_conn_established(bro_analyzer_,
+			BifEvent::generate_ssl_conn_established(bro_analyzer_,
 							bro_analyzer_->Conn(),
 							version_, cipher_);
 			}

src/strings.bif

@@ -138,27 +138,27 @@ function sort_string_array%(a: string_array%): string_array
 
 function edit%(arg_s: string, arg_edit_char: string%): string
 	%{
-	const char* s = arg_s->AsString()->CheckString();
+	if ( arg_edit_char->Len() != 1 )
-	const char* edit_s = arg_edit_char->AsString()->CheckString();
-
-	if ( strlen(edit_s) != 1 )
 		builtin_run_time("not exactly one edit character", @ARG@[1]);
 
-	char edit_c = *edit_s;
+	const u_char* s = arg_s->Bytes();
+	const u_char* edit_s = arg_edit_char->Bytes();
 
-	int n = strlen(s) + 1;
+	u_char edit_c = *edit_s;
-	char* new_s = new char[n];
+
+	int n = arg_s->Len();
+	u_char* new_s = new u_char[n+1];
 	int ind = 0;
 
-	for ( ; *s; ++s )
+	for ( int i = 0; i < n; ++i )
 		{
-		if ( *s == edit_c )
+		if ( s[i] == edit_c )
 			{ // Delete last character
 			if ( --ind < 0 )
 				ind = 0;
 			}
 		else
-			new_s[ind++] = *s;
+			new_s[ind++] = s[i];
 		}
 
 	new_s[ind] = '\0';
@@ -198,75 +198,55 @@ static int match_prefix(int s_len, const char* s, int t_len, const char* t)
 Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
 		int incl_sep, int max_num_sep)
 	{
-	const BroString* str = str_val->AsString();
 	TableVal* a = new TableVal(internal_type("string_array")->AsTableType());
 	ListVal* other_strings = 0;
 
 	if ( other_sep && other_sep->Size() > 0 )
 		other_strings = other_sep->ConvertToPureList();
 
-	// Currently let us assume that str is NUL-terminated. In
+	const u_char* s = str_val->Bytes();
-	// the future we expect to change this by giving RE_Matcher a
+	int n = str_val->Len();
-	// const char* segment.
+	const u_char* end_of_s = s + n;
-
-	const char* s = str->CheckString();
-	int len = strlen(s);
-	const char* end_of_s = s + len;
 	int num = 0;
 	int num_sep = 0;
 
-	while ( 1 )
+	int offset = 0;
+	while ( n >= 0 )
 		{
-		int offset = 0;
+		offset = 0;
-		const char* t;
+		// Find next match offset.
-
+		int end_of_match = 0;
-		if ( max_num_sep > 0 && num_sep >= max_num_sep )
+		while ( n > 0 &&
-			t = end_of_s;
+		        (end_of_match = re->MatchPrefix(s + offset, n)) <= 0 )
-		else
 			{
-			for ( t = s; t < end_of_s; ++t )
+			// Move on to next byte.
-				{
+			++offset;
-				offset = re->MatchPrefix(t);
+			--n;
-
-				if ( other_strings )
-					{
-					val_list* vl = other_strings->Vals();
-					loop_over_list(*vl, i)
-						{
-						const BroString* sub =
-							(*vl)[i]->AsString();
-						if ( sub->Len() > offset &&
-						     match_prefix(end_of_s - t,
-								t, sub->Len(),
-								(const char*) (sub->Bytes())) )
-							{
-							offset = sub->Len();
-							}
-						}
-					}
-
-				if ( offset > 0 )
-					break;
-				}
 			}
 
 		Val* ind = new Val(++num, TYPE_COUNT);
-		a->Assign(ind, new StringVal(t - s, s));
+		a->Assign(ind, new StringVal(offset, (const char*) s));
 		Unref(ind);
 
-		if ( t >= end_of_s )
+		// No more separators will be needed if this is the end of string.
+		if ( n <= 0 )
 			break;
 
-		++num_sep;
-
 		if ( incl_sep )
 			{ // including the part that matches the pattern
 			ind = new Val(++num, TYPE_COUNT);
-			a->Assign(ind, new StringVal(offset, t));
+			a->Assign(ind, new StringVal(end_of_match, (const char*) s+offset));
 			Unref(ind);
 			}
 
-		s = t + offset;
+		if ( max_num_sep && num_sep >= max_num_sep )
+			break;
+
+		++num_sep;
+
+		n -= end_of_match;
+		s += offset + end_of_match;;
+
 		if ( s > end_of_s )
 			internal_error("RegMatch in split goes beyond the string");
 		}
@@ -476,42 +456,38 @@ function subst_string%(s: string, from: string, to: string%): string
 
 function to_lower%(str: string%): string
 	%{
-	const char* s = str->CheckString();
+	const u_char* s = str->Bytes();
-	int n = strlen(s) + 1;
+	int n = str->Len();
 	char* lower_s = new char[n];
+	char* ls = lower_s;
 
-	char* ls;
+	for ( int i = 0; i < n; ++i)
-	for ( ls = lower_s; *s; ++s )
 		{
-		if ( isascii(*s) && isupper(*s) )
+		if ( isascii(s[i]) && isupper(s[i]) )
-			*ls++ = tolower(*s);
+			*ls++ = tolower(s[i]);
 		else
-			*ls++ = *s;
+			*ls++ = s[i];
 		}
 
-	*ls = '\0';
+	return new StringVal(new BroString(1, byte_vec(lower_s), n));
-
-	return new StringVal(new BroString(1, byte_vec(lower_s), n-1));
 	%}
 
 function to_upper%(str: string%): string
 	%{
-	const char* s = str->CheckString();
+	const u_char* s = str->Bytes();
-	int n = strlen(s) + 1;
+	int n = str->Len();
 	char* upper_s = new char[n];
+	char* us = upper_s;
 
-	char* us;
+	for ( int i = 0; i < n; ++i)
-	for ( us = upper_s; *s; ++s )
 		{
-		if ( isascii(*s) && islower(*s) )
+		if ( isascii(s[i]) && islower(s[i]) )
-			*us++ = toupper(*s);
+			*us++ = toupper(s[i]);
 		else
-			*us++ = *s;
+			*us++ = s[i];
 		}
 
-	*us = '\0';
+	return new StringVal(new BroString(1, byte_vec(upper_s), n));
-
-	return new StringVal(new BroString(1, byte_vec(upper_s), n-1));
 	%}
 
 function clean%(str: string%): string
@@ -604,40 +580,35 @@ function str_split%(s: string, idx: index_vec%): string_vec
 
 function strip%(str: string%): string
 	%{
-	const char* s = str->CheckString();
+	const u_char* s = str->Bytes();
+	int n = str->Len();
 
-	int n = strlen(s) + 1;
+	if ( n == 0 )
-	char* strip_s = new char[n];
-
-	if ( n == 1 )
 		// Empty string.
-		return new StringVal(new BroString(1, byte_vec(strip_s), 0));
+		return new StringVal(new BroString(s, n, 1));
 
-	while ( isspace(*s) )
+	const u_char* sp = s;
-		++s;
 
-	strncpy(strip_s, s, n);
+	// Move a pointer from the end of the string.
-
+	const u_char* e = sp + n - 1;
-	char* s2 = strip_s;
+	while ( e > sp && isspace(*e) )
-	char* e = &s2[strlen(s2) - 1];
-
-	while ( e > s2 && isspace(*e) )
 		--e;
 
-	e[1] = '\0';	// safe even if e hasn't changed, due to n = strlen + 1
+	// Move the pointer for the beginning of the string.
+	while ( isspace(*sp) && sp <= e )
+		++sp;
 
-	return new StringVal(new BroString(1, byte_vec(s2), (e-s2)+1));
+	return new StringVal(new BroString(sp, (e - sp + 1), 1));
 	%}
 
 function string_fill%(len: int, source: string%): string
 	%{
-	const char* src = source->CheckString();
+	const u_char* src = source->Bytes();
-
+	int n = source->Len();
-	int sn = strlen(src);
 	char* dst = new char[len];
 
-	for ( int i = 0; i < len; i += sn )
+	for ( int i = 0; i < len; i += n )
-		::memcpy((dst + i), src, min(sn, len - i));
+		::memcpy((dst + i), src, min(n, len - i));
 
 	dst[len - 1] = 0;
 
@@ -651,10 +622,11 @@ function string_fill%(len: int, source: string%): string
 function str_shell_escape%(source: string%): string
 	%{
 	unsigned j = 0;
-	const char* src = source->CheckString();
+	const u_char* src = source->Bytes();
-	char* dst = new char[strlen(src) * 2 + 1];
+	unsigned n = source->Len();
+	byte_vec dst = new u_char[n * 2 + 1];
 
-	for ( unsigned i = 0; i < strlen(src); ++i )
+	for ( unsigned i = 0; i < n; ++i )
 		{
 		switch ( src[i] ) {
 		case '`': case '"': case '\\': case '$':
@@ -672,7 +644,7 @@ function str_shell_escape%(source: string%): string
 		}
 
 	dst[j] = '\0';
-	return new StringVal(new BroString(1, byte_vec(dst), j));
+	return new StringVal(new BroString(1, dst, j));
 	%}
 
 # Returns all occurrences of the given pattern in the given string (an empty

src/types.bif

@@ -0,0 +1,52 @@
+
+enum dce_rpc_ptype %{
+	DCE_RPC_REQUEST,
+	DCE_RPC_PING,
+	DCE_RPC_RESPONSE,
+	DCE_RPC_FAULT,
+	DCE_RPC_WORKING,
+	DCE_RPC_NOCALL,
+	DCE_RPC_REJECT,
+	DCE_RPC_ACK,
+	DCE_RPC_CL_CANCEL,
+	DCE_RPC_FACK,
+	DCE_RPC_CANCEL_ACK,
+	DCE_RPC_BIND,
+	DCE_RPC_BIND_ACK,
+	DCE_RPC_BIND_NAK,
+	DCE_RPC_ALTER_CONTEXT,
+	DCE_RPC_ALTER_CONTEXT_RESP,
+	DCE_RPC_SHUTDOWN,
+	DCE_RPC_CO_CANCEL,
+	DCE_RPC_ORPHANED,
+%}
+
+enum dce_rpc_if_id %{
+	DCE_RPC_unknown_if,
+	DCE_RPC_epmapper,
+	DCE_RPC_lsarpc,
+	DCE_RPC_lsa_ds,
+	DCE_RPC_mgmt,
+	DCE_RPC_netlogon,
+	DCE_RPC_samr,
+	DCE_RPC_srvsvc,
+	DCE_RPC_spoolss,
+	DCE_RPC_drs,
+	DCE_RPC_winspipe,
+	DCE_RPC_wkssvc,
+	DCE_RPC_oxid,
+	DCE_RPC_ISCMActivator,
+%}
+
+enum rpc_status %{
+	RPC_SUCCESS,
+	RPC_PROG_UNAVAIL,
+	RPC_PROG_MISMATCH,
+	RPC_PROC_UNAVAIL,
+	RPC_GARBAGE_ARGS,
+	RPC_SYSTEM_ERR,
+	RPC_TIMEOUT,
+	RPC_VERS_MISMATCH,
+	RPC_AUTH_ERROR,
+	RPC_UNKNOWN_ERROR,
+%}

src/util.h

@@ -11,6 +11,11 @@
 #include <stdarg.h>
 #include "config.h"
 
+// Expose C99 functionality from inttypes.h, which would otherwise not be
+// available in C++.
+#define __STDC_FORMAT_MACROS
+#include <inttypes.h>
+
 #if __STDC__
 #define myattribute __attribute__
 #else
@@ -39,24 +44,21 @@
 extern HeapLeakChecker* heap_checker;
 #endif
 
-typedef unsigned long long int uint64;
+#include <stdint.h>
-typedef unsigned int uint32;
+
-typedef unsigned short uint16;
+typedef uint64_t uint64;
-typedef unsigned char uint8;
+typedef uint32_t uint32;
-typedef long long int int64;
+typedef uint16_t uint16;
+typedef uint8_t uint8;
+
+typedef int64_t int64;
+typedef int32_t int32;
+typedef int16_t int16;
+typedef int8_t int8;
+
 typedef int64 bro_int_t;
 typedef uint64 bro_uint_t;
 
-#if SIZEOF_LONG_LONG == 8
-typedef unsigned long long uint64;
-typedef long long int64;
-#elif SIZEOF_LONG_INT == 8
-typedef unsigned long int uint64;
-typedef long int int64;
-#else
-# error "Couldn't reliably identify 64-bit type. Please report to bro@bro-ids.org."
-#endif
-
 // "ptr_compat_uint" and "ptr_compat_int" are (un)signed integers of
 // pointer size. They can be cast safely to a pointer, e.g. in Lists,
 // which represent their entities as void* pointers.
@@ -64,9 +66,13 @@ typedef long int int64;
 #if SIZEOF_VOID_P == 8
 typedef uint64 ptr_compat_uint;
 typedef int64 ptr_compat_int;
+#define PRI_PTR_COMPAT_INT PRId64 // Format to use with printf.
+#define PRI_PTR_COMPAT_UINT PRIu64
 #elif SIZEOF_VOID_P == 4
 typedef uint32 ptr_compat_uint;
-typedef int ptr_compat_int;
+typedef int32 ptr_compat_int;
+#define PRI_PTR_COMPAT_INT PRId32
+#define PRI_PTR_COMPAT_UINT PRIu32
 #else
 # error "Unusual pointer size. Please report to bro@bro-ids.org."
 #endif
@@ -157,6 +163,7 @@ extern uint8 uhash_key[UHASH_KEY_SIZE];
 // the obvious places (like Event.h or RemoteSerializer.h)
 
 typedef ptr_compat_uint SourceID;
+#define PRI_SOURCE_ID PRI_PTR_COMPAT_UINT
 static const SourceID SOURCE_LOCAL = 0;
 
 class BroObj;

testing/istate/base/persistence-read/vars.log

@@ -20,9 +20,9 @@ file "test" of string
 2
 }
 {
-[3, GHI] = 103,
 [2, DEF] = 102,
-[1, ABC] = 101
+[1, ABC] = 101,
+[3, GHI] = 103
 }
 {
 [12345] = /^?(12345)$?/,

testing/istate/base/persistence-write/vars.log

@@ -20,9 +20,9 @@ file "test" of string
 2
 }
 {
-[3, GHI] = 103,
 [2, DEF] = 102,
-[1, ABC] = 101
+[1, ABC] = 101,
+[3, GHI] = 103
 }
 {
 [12345] = /^?(12345)$?/,

testing/istate/base/sync-rcv/remote.log

@@ -1,4 +1,4 @@
-xxxxxxxxxx.xxxxxx [info]  [parent] pipe's socket buffer size is 8192, setting to 1048576
+xxxxxxxxxx.xxxxxx [info]  [parent] raised pipe's socket buffer size from 126K to 1024K
 xxxxxxxxxx.xxxxxx [info]  [parent] communication started, parent 
 xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] added peer
 xxxxxxxxxx.xxxxxx [info]  [child]  [#1/127.0.0.1:47757] connected

testing/istate/base/sync-rcv/vars.log

@@ -20,9 +20,9 @@ file "test2" of string
 2
 }
 {
-[3, GHI] = 103,
 [4, JKL] = 104,
-[2, DEF] = 103
+[2, DEF] = 103,
+[3, GHI] = 103
 }
 {
 [12345] = /^?(12345)$?/,

testing/istate/base/sync-send/vars.log

@@ -20,9 +20,9 @@ file "test2" of string
 2
 }
 {
-[3, GHI] = 103,
 [4, JKL] = 104,
-[2, DEF] = 103
+[2, DEF] = 103,
+[3, GHI] = 103
 }
 {
 [12345] = /^?(12345)$?/,

testing/istate/istate.py

@@ -113,11 +113,11 @@ if tests.testSet("sync"):
 
 if tests.testSet("broccoli"):
 
-    broctest = os.path.join(tests.Bro, "aux/broccoli/test")    
+    broctest = os.path.join(tests.BroBase, "aux/broccoli/test")
-    broclib = os.path.join(tests.Bro, "aux/broccoli/src/.libs")
+    broclib = os.path.join(tests.BroBase, "build/aux/broccoli/src/")
-    broping = os.path.join(broctest, "broping")
+    broping = os.path.join(tests.BroBase, "build/aux/broccoli/test/broping")
 
-    brocpy = os.path.join(tests.Bro, "aux/broccoli/bindings/python")    
+    brocpy = os.path.join(tests.BroBase, "build/aux/broccoli/bindings/broccoli-python")
 
     broccoli = True
 
@@ -128,7 +128,7 @@ if tests.testSet("broccoli"):
 
     # Test if this is a IPv6 Bro.
     if broccoli:
-        v6 = subprocess.call(["grep", "-q", "#define BROv6", os.path.join(tests.Bro, "config.h")])
+        v6 = subprocess.call(["grep", "-q", "#define BROv6", os.path.join(tests.BroBase, "build/config.h")])
         if v6 == 0:
             print "    Bro built with IPv6 support not compatible with Broccoli, skipping tests."
             broccoli = False

testing/istate/tests.py

@@ -13,10 +13,10 @@ import subprocess
 Testing = os.path.abspath(".")
 
 # Path to top-level Bro directory.
-if os.path.exists("../../src/bro"):
+if os.path.exists("../../build/src/bro"):
-    Bro = os.path.abspath("../..")
+    BroBase = os.path.abspath("../..")
 else:
-    Bro = os.path.abspath("../../bro")
+    error("cannot find build directory")
 
 # Path where tmp files are created.
 Tmp = os.path.join(Testing, "tmp")
@@ -99,10 +99,13 @@ def spawnProc(tag, cmdline, copy=[]):
 
 # Spaws a Bro process.
 def spawnBro(tag, args, copy=[]):
-    os.putenv("BROPATH", os.path.join(Bro, "policy") + ":" + Scripts)
+    bropath =  os.path.join(BroBase, "policy")
+    bropath += ":" + os.path.join(BroBase, "build/src")
+
+    os.putenv("BROPATH", bropath + ":" + Scripts)
     os.unsetenv("BRO_LOG_SUFFIX")
     args += ["--load-seeds", BroSeed, "-B", "state,comm"]
-    spawnProc(tag, [os.path.join(Bro, "src/bro")] + args, copy=copy)
+    spawnProc(tag, [os.path.join(BroBase, "build/src/bro")] + args, copy=copy)
 
 # Examines a process' exit code.
 def parseExitCode(tag, result):