Merge branch 'topic/bbannier/spicy-ssl-refs'

2025-10-02 06:38:20 +00:00 · 2025-06-18 13:12:59 +02:00 · 2025-06-18 13:12:59 +02:00 · 2866934792
commit 2866934792
parent 19f2621f7b bf4dce5e5f
4 changed files with 31 additions and 4 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -376,6 +376,7 @@ ubuntu22_spicy_head_task:
  << : *CI_TEMPLATE
  env:
    ZEEK_CI_CREATE_ARTIFACT: 1
+    ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG
    # Pull auxil/spicy to the latest head version. May or may not build.
    ZEEK_CI_PREBUILD_COMMAND: 'cd auxil/spicy && git fetch && git reset --hard origin/main && git submodule update --init --recursive'
  spicy_install_analyzers_script: ./ci/spicy-install-analyzers.sh
--- a/26
+++ b/26
@ -1,3 +1,29 @@
+8.0.0-dev.439 | 2025-06-18 13:12:59 +0200
+
+  * Enable Spicy SSL analyzer in nightly CI job against Spicy `HEAD` (Benjamin Bannier, Corelight)
+
+  * Clean up use of references in Spicy SSL analyzer (Benjamin Bannier, Corelight)
+
+    The Spicy SSL analyzer was using references pretty heavily, probably to
+    work around now fixed issues with `inout` parameters in older Spicy
+    versions. At least for units this seems not needed anymore, and was also
+    partially incorrect, e.g., the Spicy docs call out that when using
+    `inout` parameters, passed and expected types should match exactly so
+    passing a reference as an `inout` value seems incorrect. Additionally,
+    one use case for references in Spicy is to use their interior
+    mutability, i.e., a reference never needs to be passed `inout` since
+    their can always be mutated.
+
+    Internally units are stored as reference-counted values, and references
+    to units are not much cheaper since they also need to be refcounted.
+    With that there seems litle reason to use references in this analyzer at
+    all, and this patch drops their use completely; instead we either pass
+    values, or values declared `inout`.
+
+    We leave the use of references for sharing sinks in place.
+
+  * GH-2091: Add workaround for zeek/spicy#2091 (Benjamin Bannier, Corelight)
+
 8.0.0-dev.435 | 2025-06-17 09:25:30 +0200

  * GH-4573: IOSource: Remove IsPacketSource (Arne Welzel, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-8.0.0-dev.435
+8.0.0-dev.439
--- a/src/analyzer/protocol/ssl/spicy/SSL.spicy
+++ b/src/analyzer/protocol/ssl/spicy/SSL.spicy
@ -862,16 +862,16 @@ type Heartbeat = unit(sh: Share, length: uint16) {
 };

 # note - this will mostly be garbage because it is encrypted.
-public type Alert = unit(sh: Share&) {
+public type Alert = unit(sh: Share) {
    alerts: Alert_message(sh)[];
 };

-type Alert_message = unit(sh: Share&) {
+type Alert_message = unit(sh: Share) {
    level: uint8; # &convert=AlertLevel($$);
    description: uint8; # &convert=AlertDescription($$);
 };

-type Handshake = unit(inout msg: Message, sh: Share&) {
+type Handshake = unit(inout msg: Message, inout sh: Share) {
    handshakes: Handshake_message(msg, sh)[];
 };