From 1c3b7273d66f4d617e723e9a5a506d41a7b765e9 Mon Sep 17 00:00:00 2001
From: Benjamin Bannier
Date: Wed, 18 Jun 2025 10:20:29 +0200
Subject: [PATCH 1/3] Add workaround for zeek/spicy#2091

---
 src/analyzer/protocol/ssl/spicy/SSL.spicy | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/analyzer/protocol/ssl/spicy/SSL.spicy b/src/analyzer/protocol/ssl/spicy/SSL.spicy
index 826a8ec7e6..f028ad07c5 100644
--- a/src/analyzer/protocol/ssl/spicy/SSL.spicy
+++ b/src/analyzer/protocol/ssl/spicy/SSL.spicy
@@ -1904,7 +1904,7 @@ public function convert_certificate_authorities(c: vector)
 }
 
 # returns true for the "client"
-public function get_direction(sh: Share): bool {
+public function get_direction(sh: Share&): bool {
 if (sh.flipped)
 return !zeek::is_orig();
 else

From ea4d30eb6abe7b4f344aa8fd7c9eb11208f09788 Mon Sep 17 00:00:00 2001
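Review bot: The switch of `get_direction`'s parameter to `Share&` carries no comment saying it is a workaround for zeek/spicy#2091, so a reader of SSL.spicy cannot tell it apart from an intentional by-reference API; a line above the declaration such as `# Workaround for zeek/spicy#2091: sh is taken by reference on purpose.` would fix that. PATCH 2/3 in this series changes the very same line back to `sh: Share`, so after the series `get_direction` ends up as it was before; if the reference is still needed at the end of the series the comment is what keeps it from being dropped again, and if it is not, patches 1 and 2 could be squashed. The body of `get_direction` continues past the end of the hunk.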
From: Benjamin Bannier
Date: Wed, 18 Jun 2025 10:23:13 +0200
Subject: [PATCH 2/3] Clean up use of references in Spicy SSL analyzer

The Spicy SSL analyzer was using references pretty heavily, probably to work around now fixed issues with `inout` parameters in older Spicy versions. At least for units this seems not needed anymore, and was also partially incorrect, e.g., the Spicy docs call out that when using `inout` parameters, passed and expected types should match exactly so passing a reference as an `inout` value seems incorrect. Additionally, one use case for references in Spicy is to use their interior mutability, i.e., a reference never needs to be passed `inout` since their can always be mutated. Internally units are stored as reference-counted values, and references to units are not much cheaper since they also need to be refcounted. With that there seems litle reason to use references in this analyzer at all, and this patch drops their use completely; instead we either pass values, or values declared `inout`. We leave the use of references for sharing sinks in place.
---
 src/analyzer/protocol/ssl/spicy/SSL.spicy | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/analyzer/protocol/ssl/spicy/SSL.spicy b/src/analyzer/protocol/ssl/spicy/SSL.spicy
index f028ad07c5..ee50442cb3 100644
--- a/src/analyzer/protocol/ssl/spicy/SSL.spicy
+++ b/src/analyzer/protocol/ssl/spicy/SSL.spicy
@@ -862,16 +862,16 @@ type Heartbeat = unit(sh: Share, length: uint16) {
 };
 
 # note - this will mostly be garbage because it is encrypted.
-public type Alert = unit(sh: Share&) {
+public type Alert = unit(sh: Share) {
 alerts: Alert_message(sh)[];
 };
 
-type Alert_message = unit(sh: Share&) {
+type Alert_message = unit(sh: Share) {
 level: uint8; # &convert=AlertLevel($$);
 description: uint8; # &convert=AlertDescription($$);
 };
 
-type Handshake = unit(inout msg: Message, sh: Share&) {
+type Handshake = unit(inout msg: Message, inout sh: Share) {
 handshakes: Handshake_message(msg, sh)[];
 };
 
@@ -1904,7 +1904,7 @@ public function convert_certificate_authorities(c: vector)
 }
 
 # returns true for the "client"
-public function get_direction(sh: Share&): bool {
+public function get_direction(sh: Share): bool {
 if (sh.flipped)
 return !zeek::is_orig();
 else

From bf4dce5e5f66dc851aa970ce78949101a6468797 Mon Sep 17 00:00:00 2001
From: Benjamin Bannier
Date: Wed, 18 Jun 2025 11:00:18 +0200
Subject: [PATCH 3/3] Enable Spicy SSL analyzer in nightly CI job against Spicy `HEAD`

---
 .cirrus.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.cirrus.yml b/.cirrus.yml
index 6d81f20090..a9557a83e1 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -376,6 +376,7 @@ ubuntu22_spicy_head_task:
 << : *CI_TEMPLATE
 env:
 ZEEK_CI_CREATE_ARTIFACT: 1
+ ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG
 # Pull auxil/spicy to the latest head version. May or may not build.
 ZEEK_CI_PREBUILD_COMMAND: 'cd auxil/spicy && git fetch && git reset --hard origin/main && git submodule update --init --recursive'
 spicy_install_analyzers_script: ./ci/spicy-install-analyzers.sh
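Review bot: `Handshake` now declares `sh` as `inout sh: Share` while `Alert` and `Alert_message` in the same hunk take `sh: Share` by value, and nothing in the hunk says why handshake parsing needs write access to the shared state when alert parsing does not; a reader applying the commit's own rule that `inout` types must match exactly has to trace `Handshake_message` to find out. A one-line comment on the `Handshake` unit, e.g. `# sh is inout because Handshake_message updates the shared connection state`, would pin that down — I infer the mutation only from the `inout`, so confirm which fields are actually written. Since the commit message says units are reference-counted internally, it is also worth stating whether the by-value `sh` in `Alert` aliases the caller's instance or is a copy, because `get_direction` decides direction from `sh.flipped` on whatever it is handed. The `Heartbeat` unit in the hunk header already takes `sh: Share` by value, so the new `Alert` declarations are at least consistent with it.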
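Review bot: The added `ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG` has no comment, unlike the `ZEEK_CI_PREBUILD_COMMAND` entry right below it, so the task itself does not say that this is what turns on the Spicy SSL analyzer for the Spicy-HEAD build; a line such as `# Build with the Spicy SSL analyzer so the nightly run exercises it against Spicy HEAD.` above the new entry would carry the intent the commit subject gives. The `*SPICY_SSL_CONFIG` anchor is defined outside this hunk, and if `*CI_TEMPLATE` also provides an `env` mapping, this task's own `env` block replaces it rather than merging with it — I cannot confirm either from the hunk alone. The `ubuntu22_spicy_head_task` definition begins before the hunk.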