Merge remote-tracking branch 'origin/master' into topic/vladg/kerberos

CHANGES

@@ -1,4 +1,47 @@
 
+2.3-278 | 2014-11-03 18:55:18 -0800
+
+  * Add new curves from draft-ietf-tls-negotiated-ff-dhe to SSL
+    analysis. (Johanna Amann)
+
+2.3-274 | 2014-10-31 17:45:25 -0700
+
+  * Adding call to new binpac::init() function. (Robin Sommer)
+
+2.3-272 | 2014-10-31 16:29:42 -0700
+
+  * Fix segfault if when statement's RHS is unitialized. Addresses
+    BIT-1176. (Jon Siwek)
+
+  * Fix checking vector indices via "in". Addresses BIT-1280.  (Jon
+    Siwek)
+
+2.3-268 | 2014-10-31 12:12:22 -0500
+
+  * BIT-1283: Fix crash when using &encrypt. (Jon Siwek)
+
+2.3-267 | 2014-10-31 10:35:02 -0500
+
+  * BIT-1284: Allow arbitrary when statement timeout expressions
+    (Jon Siwek)
+
+2.3-266 | 2014-10-31 09:21:28 -0500
+
+  * BIT-1166: Add configure options to fine tune local state dirs used
+    by BroControl. (Jon Siwek)
+
+2.3-264 | 2014-10-30 13:25:57 -0500
+
+  * Fix some minor Coverity Scan complaints. (Jon Siwek)
+
+2.3-263 | 2014-10-28 15:09:10 -0500
+
+  * Fix checking of fwrite return values (Johanna Amann)
+
+2.3-260 | 2014-10-27 12:54:17 -0500
+
+  * Fix errors/warnings when compiling with -std=c++11 (Jon Siwek)
+
 2.3-259 | 2014-10-27 10:04:04 -0500
 
   * Documentation fixes. (Vicente Jimenez Aguilar and Stefano Azzalini)

VERSION

@@ -1 +1 @@
-2.3-259
+2.3-278

aux/binpac

@@ -1 +1 @@
-Subproject commit c8e017b4b1893cf254fc2bc8eedd86b852a2e654
+Subproject commit 77a86591dcf89d7252d3676d3f1199d6c927d073

aux/broctl

@@ -1 +1 @@
-Subproject commit 2b13bfcc941018c76f74b81a6e74e5e4e723c747
+Subproject commit 39e865dec9611b9b53b609cbc8df519cebae0a1e

configure

@@ -24,6 +24,13 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --prefix=PREFIX        installation directory [/usr/local/bro]
     --scriptdir=PATH       root installation directory for Bro scripts
                            [PREFIX/share/bro]
+    --localstatedir=PATH   when using BroControl, path to store log files
+                           and run-time data (within log/ and spool/ subdirs)
+                           [PREFIX]
+    --spooldir=PATH        when using BroControl, path to store run-time data
+                           [PREFIX/spool]
+    --logdir=PATH          when using BroControl, path to store log file
+                           [PREFIX/logs]
     --conf-files-dir=PATH  config files installation directory [PREFIX/etc]
 
   Optional Features:
@@ -144,6 +151,15 @@ while [ $# -ne 0 ]; do
             append_cache_entry BRO_ETC_INSTALL_DIR PATH $optarg
             user_set_conffilesdir="true"
             ;;
+        --localstatedir=*)
+            append_cache_entry BRO_LOCAL_STATE_DIR  PATH   $optarg
+            ;;
+        --spooldir=*)
+            append_cache_entry BRO_SPOOL_DIR  PATH   $optarg
+            ;;
+        --logdir=*)
+            append_cache_entry BRO_LOG_DIR  PATH   $optarg
+            ;;
         --enable-debug)
             append_cache_entry ENABLE_DEBUG         BOOL   true
             ;;

pkg/make-deb-packages

@@ -16,6 +16,7 @@ the 'dpkg-dev' package, please install it first.
 }
 
 prefix=/opt/bro
+localstatedir=/var/opt/bro
 
 # During the packaging process, `dpkg-shlibs` will fail if used on a library
 # that links to other internal/project libraries unless an RPATH is used or
@@ -31,7 +32,7 @@ cd ..
 ( cd build && make package )
 
 # Full Bro package
-./configure --prefix=${prefix} --pkg-name-prefix=Bro --binary-package
+./configure --prefix=${prefix} --localstatedir=${localstatedir} --pkg-name-prefix=Bro --binary-package
 ( cd build && make package )
 
 # Broccoli
@@ -42,6 +43,6 @@ cd ../..
 
 # Broctl
 cd aux/broctl
-./configure --prefix=${prefix} --binary-package
+./configure --prefix=${prefix} --localstatedir=${localstatedir} --binary-package
 ( cd build && make package && mv *.deb ../../../build/ )
 cd ../..

pkg/make-rpm-packages

@@ -15,6 +15,7 @@ the 'rpm-build' package, please install it first.
 }
 
 prefix=/opt/bro
+localstatedir=/var/opt/bro
 
 cd ..
 
@@ -24,7 +25,7 @@ cd ..
 ( cd build && make package )
 
 # Full Bro package
-./configure --prefix=${prefix} --pkg-name-prefix=Bro --binary-package
+./configure --prefix=${prefix} --localstatedir=${localstatedir} --pkg-name-prefix=Bro --binary-package
 ( cd build && make package )
 
 # Broccoli
@@ -35,6 +36,6 @@ cd ../..
 
 # Broctl
 cd aux/broctl
-./configure --prefix=${prefix} --binary-package
+./configure --prefix=${prefix} --localstatedir=${localstatedir} --binary-package
 ( cd build && make package && mv *.rpm ../../../build/ )
 cd ../..

scripts/base/protocols/ssl/consts.bro

@@ -158,6 +158,12 @@ export {
 		[26] = "brainpoolP256r1",
 		[27] = "brainpoolP384r1",
 		[28] = "brainpoolP512r1",
+		# draft-ietf-tls-negotiated-ff-dhe-02
+		[256] = "ffdhe2432",
+		[257] = "ffdhe3072",
+		[258] = "ffdhe4096",
+		[259] = "ffdhe6144",
+		[260] = "ffdhe8192",
 		[0xFF01] = "arbitrary_explicit_prime_curves",
 		[0xFF02] = "arbitrary_explicit_char2_curves"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };

src/Expr.cc

@@ -636,7 +636,7 @@ Val* BinaryExpr::Eval(Frame* f) const
 		return v_result;
 		}
 
-	if ( is_vec1 || is_vec2 )
+	if ( IsVector(Type()->Tag()) && (is_vec1 || is_vec2) )
 		{ // fold vector against scalar
 		VectorVal* vv = (is_vec1 ? v1 : v2)->AsVectorVal();
 		VectorVal* v_result = new VectorVal(Type()->AsVectorType());
@@ -4703,8 +4703,14 @@ Val* InExpr::Fold(Val* v1, Val* v2) const
 	     v2->Type()->Tag() == TYPE_SUBNET )
 		return new Val(v2->AsSubNetVal()->Contains(v1->AsAddr()), TYPE_BOOL);
 
-	TableVal* vt = v2->AsTableVal();
-	if ( vt->Lookup(v1, false) )
+	Val* res;
+
+	if ( is_vector(v2) )
+		res = v2->AsVectorVal()->Lookup(v1);
+	else
+		res = v2->AsTableVal()->Lookup(v1, false);
+
+	if ( res )
 		return new Val(1, TYPE_BOOL);
 	else
 		return new Val(0, TYPE_BOOL);

src/File.cc

@@ -527,7 +527,7 @@ void BroFile::SetAttrs(Attributes* arg_attrs)
 		if ( ef->AttrExpr() )
 			InitEncrypt(ef->AttrExpr()->ExprVal()->AsString()->CheckString());
 		else
-			InitEncrypt(log_encryption_key->AsString()->CheckString());
+			InitEncrypt(opt_internal_string("log_encryption_key")->CheckString());
 		}
 
 	if ( attrs->FindAttr(ATTR_RAW_OUTPUT) )
@@ -708,10 +708,10 @@ void BroFile::InitEncrypt(const char* keyfile)
 
 	secret_len = htonl(secret_len);
 
-	if ( ! (fwrite("BROENC1", 7, 1, f) &&
-		fwrite(&secret_len, sizeof(secret_len), 1, f) &&
-		fwrite(secret, ntohl(secret_len), 1, f) &&
-		fwrite(iv, iv_len, 1, f)) )
+	if ( fwrite("BROENC1", 7, 1, f) < 1 ||
+		fwrite(&secret_len, sizeof(secret_len), 1, f) < 1 ||
+		fwrite(secret, ntohl(secret_len), 1, f) < 1 ||
+		fwrite(iv, iv_len, 1, f) < 1 )
 		{
 		reporter->Error("can't write header to log file %s: %s",
 				name, strerror(errno));
@@ -736,7 +736,7 @@ void BroFile::FinishEncrypt()
 		int outl;
 		EVP_SealFinal(cipher_ctx, cipher_buffer, &outl);
 
-		if ( outl && ! fwrite(cipher_buffer, outl, 1, f) )
+		if ( outl && fwrite(cipher_buffer, outl, 1, f) < 1 )
 			{
 			reporter->Error("write error for %s: %s",
 					name, strerror(errno));
@@ -777,7 +777,7 @@ int BroFile::Write(const char* data, int len)
 				return 0;
 				}
 
-			if ( outl && ! fwrite(cipher_buffer, outl, 1, f) )
+			if ( outl && fwrite(cipher_buffer, outl, 1, f) < 1 )
 				{
 				reporter->Error("write error for %s: %s",
 						name, strerror(errno));
@@ -792,8 +792,7 @@ int BroFile::Write(const char* data, int len)
 		return 1;
 		}
 
-	len = fwrite(data, 1, len, f);
-	if ( len <= 0 )
+	if ( fwrite(data, len, 1, f) < 1 )
 		return false;
 
 	if ( rotate_size && current_size < rotate_size && current_size + len >= rotate_size )

src/Flare.cc

@@ -22,7 +22,7 @@ static void bad_pipe_op(const char* which)
 
 void Flare::Fire()
 	{
-	char tmp;
+	char tmp = 0;
 
 	for ( ; ; )
 		{

src/H3.h

@@ -110,7 +110,7 @@ public:
 		T result = 0;
 
 		// loop optmized with Duff's Device
-		register unsigned n = (size + 7) / 8;
+		unsigned n = (size + 7) / 8;
 		switch ( size % 8 ) {
 		case 0: do { result ^= byte_lookup[offset++][*p++];
 		case 7:      result ^= byte_lookup[offset++][*p++];

src/RemoteSerializer.cc

@@ -4190,7 +4190,7 @@ bool SocketComm::Listen()
 		     setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0 )
 			Error(fmt("can't set IPV6_V6ONLY, %s", strerror(errno)));
 
-		if ( bind(fd, res->ai_addr, res->ai_addrlen) < 0 )
+		if ( ::bind(fd, res->ai_addr, res->ai_addrlen) < 0 )
 			{
 			Error(fmt("can't bind to %s:%s, %s", l_addr_str.c_str(),
 			          port_str, strerror(errno)));

src/Trigger.cc

@@ -131,18 +131,19 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts,
 		arg_frame->SetDelayed();
 		}
 
-	Val* timeout = arg_timeout ? arg_timeout->ExprVal() : 0;
+	Val* timeout_val = arg_timeout ? arg_timeout->Eval(arg_frame) : 0;
 
 	// Make sure we don't get deleted if somebody calls a method like
 	// Timeout() while evaluating the trigger. 
 	Ref(this);
 
-	if ( ! Eval() && timeout )
+	if ( ! Eval() && timeout_val )
 		{
-		timer = new TriggerTimer(timeout->AsInterval(), this);
+		timer = new TriggerTimer(timeout_val->AsInterval(), this);
 		timer_mgr->Add(timer);
 		}
 
+	Unref(timeout_val);
 	Unref(this);
 	}
 
@@ -206,7 +207,7 @@ bool Trigger::Eval()
 		return false;
 		}
 
-	if ( v->IsZero() )
+	if ( ! v || v->IsZero() )
 		{
 		// Not true. Perhaps next time...
 		DBG_LOG(DBG_NOTIFIERS, "%s: trigger condition is false", Name());

src/analyzer/protocol/smtp/SMTP.cc

@@ -21,7 +21,9 @@ static const char* smtp_cmd_word[] = {
 #include "SMTP_cmd.def"
 };
 
-#define SMTP_CMD_WORD(code) ((code >= 0) ? smtp_cmd_word[code] : "(UNKNOWN)")
+static const char* unknown_cmd = "(UNKNOWN)";
+
+#define SMTP_CMD_WORD(code) ((code >= 0) ? smtp_cmd_word[code] : unknown_cmd)
 
 
 SMTP_Analyzer::SMTP_Analyzer(Connection* conn)
@@ -422,7 +424,6 @@ void SMTP_Analyzer::NewReply(const int reply_code)
 	if ( state == SMTP_AFTER_GAP && reply_code > 0 )
 		{
 		state = SMTP_GAP_RECOVERY;
-		const char* unknown_cmd = SMTP_CMD_WORD(-1);
 		RequestEvent(strlen(unknown_cmd), unknown_cmd, 0, "");
 		/*
 		if ( line_after_gap )

src/cq.c

@@ -357,7 +357,7 @@ cq_remove(register struct cq_handle *hp, register double pri,
 
 	/* The priority must be positive and the cookie non-null */
 	if (pri <= 0.0 || cookie == NULL)
-		return (-0);
+		return (0);
 
 	bp = hp->buckets + PRI2BUCKET(hp, pri);
 	if (! BUCKETINUSE(bp))
@@ -370,7 +370,7 @@ cq_remove(register struct cq_handle *hp, register double pri,
 		}
 
 	if ( ! bp )
-		return (-0);
+		return (0);
 
 	/* Unlink entry */
 	if ( ! bp2 ) {

src/iosource/PktSrc.cc

@@ -506,6 +506,7 @@ bool PktSrc::ApplyBPFFilter(int index, const struct pcap_pkthdr *hdr, const u_ch
 		{
 		Error(fmt("BPF filter %d not compiled", index));
 		Close();
+		return false;
 		}
 
 	if ( code->MatchesAnything() )

src/iosource/PktSrc.h

@@ -266,7 +266,11 @@ protected:
 
 		Properties()
 			{
+			selectable_fd = -1;
+			link_type = -1;
+			hdr_size = -1;
 			netmask = PCAP_NETMASK_UNKNOWN;
+			is_live = false;
 			}
 	};
 

src/iosource/pcap/Source.cc

@@ -21,6 +21,9 @@ PcapSource::PcapSource(const std::string& path, bool is_live)
 	{
 	props.path = path;
 	props.is_live = is_live;
+	pd = 0;
+	memset(&current_hdr, 0, sizeof(current_hdr));
+	memset(&last_hdr, 0, sizeof(last_hdr));
 	last_data = 0;
 	}
 

src/main.cc

@@ -775,6 +775,9 @@ int main(int argc, char** argv)
 	// DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key));
 	init_hash_function();
 
+	// Must come after hash initialization.
+	binpac::init();
+
 	ERR_load_crypto_strings();
 	OPENSSL_add_all_algorithms_conf();
 	SSL_library_init();

testing/btest/Baseline/language.vector-in-operator/out

@@ -0,0 +1,11 @@
+[zero, one, , , , five, , seven]
+vec[0] = zero.exe
+vec[1] = one.exe
+vec[2] = <not set>
+vec[3] = <not set>
+vec[4] = <not set>
+vec[5] = five.exe
+vec[6] = <not set>
+vec[7] = seven.exe
+vec[8] = <not set>
+vec[9] = <not set>

testing/btest/Baseline/language.when-unitialized-rhs/out

@@ -0,0 +1,38 @@
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.bro, line 9: value used but not set (crashMe)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.when-unitialized-rhs/when-unitialized-rhs.bro, line 14: value used but not set (x)
+1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+2nd when stmt executing, 999
+1st when stmt executing, not anymore you don't
+11
+12
+13
+14
+15
+16
+17
+18
+19
+20
+21
+22
+23
+24
+25
+26
+27
+28
+29
+30
+31
+32
+33
+34

testing/btest/language/vector-in-operator.bro

@@ -0,0 +1,17 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+local ten = "0123456789";
+local vec: vector of string = { "zero", "one" };
+local n = 0;
+vec[5] = "five";
+vec[7] = "seven";
+print vec;
+vec = vec + ".exe";
+
+for ( c in ten )
+	{
+	local is_set: bool = (n in vec);
+	print fmt("vec[%s] = %s", n, is_set ? vec[n] : "<not set>");
+	++n;
+	}

testing/btest/language/when-unitialized-rhs.bro

@@ -0,0 +1,32 @@
+# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+global crashMe: function(): string;
+global x: int;
+
+event bro_init()
+	{
+	when( local result = crashMe() )
+		{
+		print "1st when stmt executing", result;
+		}
+
+	when( local other_result = x )
+		{
+		print "2nd when stmt executing", other_result;
+		}
+	}
+
+global conn_count = 0;
+
+event new_connection(c: connection)
+	{
+	++conn_count;
+	print conn_count;
+
+	if ( conn_count == 10 )
+		{
+		x = 999;
+		crashMe = function(): string { return "not anymore you don't"; };
+		}
+	}

testing/btest/language/when.bro

@@ -8,13 +8,25 @@
 
 event bro_init()
 {
-	local h1: addr = 127.0.0.1;
+	local h: addr = 127.0.0.1;
 
-	when ( local h1name = lookup_addr(h1) )
+	when ( local hname = lookup_addr(h) )
 		{ 
 		print "lookup successful";
 		terminate();
 		}
+	timeout 10sec
+		{
+		print "timeout (1)";
+		}
+
+	local to = 5sec;
+	# Just checking that timeouts can use arbitrary expressions...
+	when ( local hname2 = lookup_addr(h) ) {}
+	timeout to {}
+	when ( local hname3 = lookup_addr(h) ) {}
+	timeout to + 2sec {}
+
 	print "done";
 }