diff --git a/CHANGES b/CHANGES
index d0207f5d52..3f34a63c54 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,11 @@
+7.0.0-dev.119 | 2024-04-15 17:52:44 +0200
+
+ * Bump Spicy. (Robin Sommer, Corelight)
+
+ Includes a couple of updates for the QUIC analyzer.
+
+ * Remove support for old Spicy versions from QUIC analyzer. (Robin Sommer, Corelight)
+
 7.0.0-dev.116 | 2024-04-11 15:26:05 -0700
 
 * Make sure that vcpkg isn't preferred if pcap_root_dir is passed in (Tim Wojtulewicz)
diff --git a/VERSION b/VERSION
index bc33ec9689..aec4efd5d7 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.0.0-dev.116
+7.0.0-dev.119
diff --git a/auxil/spicy b/auxil/spicy
index d38f31a95f..f4ff0d0f83 160000
--- a/auxil/spicy
+++ b/auxil/spicy
@@ -1 +1 @@
-Subproject commit d38f31a95f93b1d9ea81fa01f0c92a72cf40f38c
+Subproject commit f4ff0d0f83d736d7c7f2e31d89337b166102ee78
diff --git a/src/analyzer/protocol/quic/QUIC.spicy b/src/analyzer/protocol/quic/QUIC.spicy
index f9f81c05ed..fb2f854a3a 100644
--- a/src/analyzer/protocol/quic/QUIC.spicy
+++ b/src/analyzer/protocol/quic/QUIC.spicy
@@ -67,11 +67,7 @@ type ConnectionIDInfo = struct {
 client_initial_processed: bool;
 server_initial_processed: bool;
-@if SPICY_VERSION >= 10800
 ssl_handle: zeek::ProtocolHandle &optional;
-@else
- did_ssl_begin: bool;
-@endif
 };
 
 ##############
@@ -223,11 +219,7 @@ public type LongHeaderPacketV2 = unit(inout outer: LongHeaderPacket) {
 # Just eat the data for event raising.
 public type UnhandledVersion = unit(header: LongHeaderPacket) {
 var header: LongHeaderPacket = header;
-@if SPICY_VERSION >= 10800
 payload: skip bytes &eod;
-@else
- payload: bytes &eod;
-@endif
 };
 
 public type LongHeaderPacket = unit {
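Review bot: The `ssl_handle` field that now stands alone in ConnectionIDInfo carries no comment on its lifecycle, although it is `&optional` and the rest of the patch depends on that: it is created in Packet's %init hook via protocol_handle_get_or_create and closed and unset again on the reset path further down. A one-line comment above the field would save the next reader a search, for example `# Handle of the SSL analyzer attached to this connection; set in Packet's %init, closed and unset when connection state is reset.` The struct's opening line is outside the hunk.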
@@ -280,7 +272,7 @@ public type LongHeaderPacket = unit {
 };
 
 # A QUIC Frame.
-public type Frame = unit(header: LongHeaderPacket, from_client: bool, inout crypto_sink: sink) {
+public type Frame = unit(header: LongHeaderPacket, from_client: bool, crypto_sink: sink&) {
 frame_type : uint8 &convert=cast($$);
 
 # TODO: add other FrameTypes as well
@@ -292,11 +284,7 @@ public type Frame = unit(header: LongHeaderPacket, from_client: bool, inout cryp
 crypto_sink.write(self.c.cryptodata, self.c.offset.result);
 }
 FrameType::CONNECTION_CLOSE1 -> : ConnectionClosePayload(header);
-@if SPICY_VERSION >= 10800
 FrameType::PADDING -> : skip /\x00*/; # eat the padding
-@else
- FrameType::PADDING -> : /\x00*/; # eat the padding
-@endif
 FrameType::PING -> : void;
 * -> : void {
 throw "unhandled frame type %s in %s" % (self.frame_type, header.first_byte.packet_type);
@@ -354,31 +342,19 @@ type InitialPacket = unit(header: LongHeaderPacket) {
 # includes the packet number field, but we
 # do not know its length yet. We need the
 # payload for sampling, however.
-@if SPICY_VERSION >= 10800
 payload: skip bytes &size=self.length.result;
-@else
- payload: bytes &size=self.length.result;
-@endif
 };
 
 type ZeroRTTPacket = unit(header: LongHeaderPacket) {
 var header: LongHeaderPacket = header;
 length: VariableLengthInteger;
-@if SPICY_VERSION >= 10800
 payload: skip bytes &size=self.length.result;
-@else
- payload: bytes &size=self.length.result;
-@endif
 };
 
 type HandshakePacket = unit(header: LongHeaderPacket) {
 var header: LongHeaderPacket = header;
 length: VariableLengthInteger;
-@if SPICY_VERSION >= 10800
 payload: skip bytes &size=self.length.result;
-@else
- payload: bytes &size=self.length.result;
-@endif
 };
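Review bot: The new `crypto_sink: sink&` parameter replaces `inout crypto_sink: sink`, and `inout` is likewise dropped from `context: ConnectionIDInfo&` in the Packet hunk at @@ -447, but neither signature says why the reference form is now the one to use; a reader comparing against older analyzers will wonder whether writes through the parameter still reach the caller. Since `crypto_sink.write(...)` in the following hunk depends on exactly that, a short note above the unit would help, e.g. `# crypto_sink is a reference: CRYPTO data written here lands in the caller's sink.` This assumes `sink&` keeps the by-reference semantics that `inout` provided, which is worth confirming against the Spicy release this commit bumps to.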
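Review bot: The comment directly above the now-unconditional `payload: skip bytes &size=self.length.result;` in InitialPacket ends with "We need the payload for sampling, however", yet `skip` discards the field's data, so the sentence no longer describes what the field does. Presumably the sampling works from the enclosing Packet's `full_packet` / `start` iterator declared in the @@ -447 hunk rather than from this field; if that is the case, rewording to something like `# The length also covers the packet number field, whose size we do not yet know; the payload is skipped here and sampled from the enclosing Packet's buffered input.` keeps the comment honest. The InitialPacket unit begins before this hunk.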
@@ -414,20 +390,12 @@ public type ShortHeader = unit(dest_conn_id_length: uint8) {
 # TODO: investigate whether we can parse something useful out of this
 public type ShortPacketPayload = unit {
-@if SPICY_VERSION >= 10800
 payload: skip bytes &eod;
-@else
- payload: bytes &eod;
-@endif
 };
 
 # TODO: investigate whether we can do something useful with this
 public type EncryptedLongPacketPayload = unit {
-@if SPICY_VERSION >= 10800
 payload: skip bytes &eod;
-@else
- payload: bytes &eod;
-@endif
 };
 
 # Buffer all crypto messages (which might be fragmented and unordered)
@@ -447,7 +415,7 @@ type CryptoBuffer = unit() {
 #
 # A UDP datagram contains one or more QUIC packets.
 ##############
-type Packet = unit(from_client: bool, inout context: ConnectionIDInfo&) {
+type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
 var decrypted_data: bytes;
 var full_packet: bytes;
 var start: iterator;
@@ -457,16 +425,9 @@ type Packet = unit(from_client: bool, inout context: ConnectionIDInfo&) {
 # Attach an SSL analyzer to this connection once.
 on %init {
-@if SPICY_VERSION >= 10800
 if ( ! context?.ssl_handle ) {
 context.ssl_handle = zeek::protocol_handle_get_or_create("SSL");
 }
-@else
- if ( ! context.did_ssl_begin ) {
- zeek::protocol_begin("SSL");
- context.did_ssl_begin = True;
- }
-@endif
 self.start = self.input();
 }
@@ -497,13 +458,8 @@ type Packet = unit(from_client: bool, inout context: ConnectionIDInfo&) {
 context.initial_destination_conn_id = b"";
 # Allow re-opening the SSL analyzer the next time around.
-@if SPICY_VERSION >= 10800
 zeek::protocol_handle_close(context.ssl_handle);
 unset context.ssl_handle;
-@else
- zeek::protocol_end();
- context.did_ssl_begin = False;
-@endif
 }
 }
 };
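Review bot: On the reset path, `zeek::protocol_handle_close(context.ssl_handle);` reads the `&optional` field without the `context?.ssl_handle` guard that the %init hook in the hunk just above uses, and the `protocol_data_in(..., context.ssl_handle)` call in the @@ -578 hunk reads it unguarded as well. Within a single Packet the %init hook always sets the handle first, so this is fine as long as neither path can run after the `unset` on the same unit; if that ordering is not guaranteed, wrapping the close in `if ( context?.ssl_handle ) { ... }` is cheap insurance. The enclosing hook starts before this hunk, so the condition that leads here is not visible.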
@@ -578,10 +534,7 @@ type Packet = unit(from_client: bool, inout context: ConnectionIDInfo&) {
 zeek::protocol_data_in(
 from_client
 , b"\x16\x03\x03" + length_bytes + handshake_data
-# With Spicy 1.8.0, can use the SSL handle directly.
-@if SPICY_VERSION >= 10800
 , context.ssl_handle
-@endif
 );
 
 # Stop decryption attempts after processing the very first INITIAL
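Review bot: With the `# With Spicy 1.8.0, can use the SSL handle directly.` comment removed, nothing explains the `b"\x16\x03\x03"` prefix handed to `zeek::protocol_data_in`, which a reader has to recognise as a hand-built TLS record header (content type 0x16 = handshake, legacy version 0x0303) placed in front of the decrypted CRYPTO data so the SSL analyzer can parse it. Suggest a comment above the call, e.g. `# Feed the decrypted CRYPTO data to the SSL analyzer wrapped in a synthetic TLS record header (0x16 = handshake, version 0x0303).` The statement that computes `length_bytes` is above this hunk; this assumes it is the two-byte record length of the handshake data.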