Merge remote-tracking branch 'origin/topic/robin/bump-spicy'

* origin/topic/robin/bump-spicy:
  Bump Spicy.
  Remove support for old Spicy versions from QUIC analyzer.
This commit is contained in:
Robin Sommer 2024-04-15 17:52:44 +02:00
commit 5236c73e39
No known key found for this signature in database
GPG key ID: D8187293B3FFE5D0
4 changed files with 12 additions and 51 deletions


@ -1,3 +1,11 @@
7.0.0-dev.119 | 2024-04-15 17:52:44 +0200
* Bump Spicy. (Robin Sommer, Corelight)
Includes a couple of updates for the QUIC analyzer.
* Remove support for old Spicy versions from QUIC analyzer. (Robin Sommer, Corelight)
7.0.0-dev.116 | 2024-04-11 15:26:05 -0700 7.0.0-dev.116 | 2024-04-11 15:26:05 -0700
* Make sure that vcpkg isn't preferred if pcap_root_dir is passed in (Tim Wojtulewicz) * Make sure that vcpkg isn't preferred if pcap_root_dir is passed in (Tim Wojtulewicz)


@ -1 +1 @@
7.0.0-dev.116 7.0.0-dev.119

@ -1 +1 @@
Subproject commit d38f31a95f93b1d9ea81fa01f0c92a72cf40f38c Subproject commit f4ff0d0f83d736d7c7f2e31d89337b166102ee78


@ -67,11 +67,7 @@ type ConnectionIDInfo = struct {
client_initial_processed: bool; client_initial_processed: bool;
server_initial_processed: bool; server_initial_processed: bool;
@if SPICY_VERSION >= 10800
ssl_handle: zeek::ProtocolHandle &optional; ssl_handle: zeek::ProtocolHandle &optional;
@else
did_ssl_begin: bool;
@endif
}; };
############## ##############
@ -223,11 +219,7 @@ public type LongHeaderPacketV2 = unit(inout outer: LongHeaderPacket) {
# Just eat the data for event raising. # Just eat the data for event raising.
public type UnhandledVersion = unit(header: LongHeaderPacket) { public type UnhandledVersion = unit(header: LongHeaderPacket) {
var header: LongHeaderPacket = header; var header: LongHeaderPacket = header;
@if SPICY_VERSION >= 10800
payload: skip bytes &eod; payload: skip bytes &eod;
@else
payload: bytes &eod;
@endif
}; };
public type LongHeaderPacket = unit { public type LongHeaderPacket = unit {
@ -280,7 +272,7 @@ public type LongHeaderPacket = unit {
}; };
# A QUIC Frame. # A QUIC Frame.
public type Frame = unit(header: LongHeaderPacket, from_client: bool, inout crypto_sink: sink) { public type Frame = unit(header: LongHeaderPacket, from_client: bool, crypto_sink: sink&) {
frame_type : uint8 &convert=cast<FrameType>($$); frame_type : uint8 &convert=cast<FrameType>($$);
# TODO: add other FrameTypes as well # TODO: add other FrameTypes as well
@ -292,11 +284,7 @@ public type Frame = unit(header: LongHeaderPacket, from_client: bool, inout cryp
crypto_sink.write(self.c.cryptodata, self.c.offset.result); crypto_sink.write(self.c.cryptodata, self.c.offset.result);
} }
FrameType::CONNECTION_CLOSE1 -> : ConnectionClosePayload(header); FrameType::CONNECTION_CLOSE1 -> : ConnectionClosePayload(header);
@if SPICY_VERSION >= 10800
FrameType::PADDING -> : skip /\x00*/; # eat the padding FrameType::PADDING -> : skip /\x00*/; # eat the padding
@else
FrameType::PADDING -> : /\x00*/; # eat the padding
@endif
FrameType::PING -> : void; FrameType::PING -> : void;
* -> : void { * -> : void {
throw "unhandled frame type %s in %s" % (self.frame_type, header.first_byte.packet_type); throw "unhandled frame type %s in %s" % (self.frame_type, header.first_byte.packet_type);
@ -354,31 +342,19 @@ type InitialPacket = unit(header: LongHeaderPacket) {
# includes the packet number field, but we # includes the packet number field, but we
# do not know its length yet. We need the # do not know its length yet. We need the
# payload for sampling, however. # payload for sampling, however.
@if SPICY_VERSION >= 10800
payload: skip bytes &size=self.length.result; payload: skip bytes &size=self.length.result;
@else
payload: bytes &size=self.length.result;
@endif
}; };
type ZeroRTTPacket = unit(header: LongHeaderPacket) { type ZeroRTTPacket = unit(header: LongHeaderPacket) {
var header: LongHeaderPacket = header; var header: LongHeaderPacket = header;
length: VariableLengthInteger; length: VariableLengthInteger;
@if SPICY_VERSION >= 10800
payload: skip bytes &size=self.length.result; payload: skip bytes &size=self.length.result;
@else
payload: bytes &size=self.length.result;
@endif
}; };
type HandshakePacket = unit(header: LongHeaderPacket) { type HandshakePacket = unit(header: LongHeaderPacket) {
var header: LongHeaderPacket = header; var header: LongHeaderPacket = header;
length: VariableLengthInteger; length: VariableLengthInteger;
@if SPICY_VERSION >= 10800
payload: skip bytes &size=self.length.result; payload: skip bytes &size=self.length.result;
@else
payload: bytes &size=self.length.result;
@endif
}; };
@ -414,20 +390,12 @@ public type ShortHeader = unit(dest_conn_id_length: uint8) {
# TODO: investigate whether we can parse something useful out of this # TODO: investigate whether we can parse something useful out of this
public type ShortPacketPayload = unit { public type ShortPacketPayload = unit {
@if SPICY_VERSION >= 10800
payload: skip bytes &eod; payload: skip bytes &eod;
@else
payload: bytes &eod;
@endif
}; };
# TODO: investigate whether we can do something useful with this # TODO: investigate whether we can do something useful with this
public type EncryptedLongPacketPayload = unit { public type EncryptedLongPacketPayload = unit {
@if SPICY_VERSION >= 10800
payload: skip bytes &eod; payload: skip bytes &eod;
@else
payload: bytes &eod;
@endif
}; };
# Buffer all crypto messages (which might be fragmented and unordered) # Buffer all crypto messages (which might be fragmented and unordered)
@ -447,7 +415,7 @@ type CryptoBuffer = unit() {
# #
# A UDP datagram contains one or more QUIC packets. # A UDP datagram contains one or more QUIC packets.
############## ##############
type Packet = unit(from_client: bool, inout context: ConnectionIDInfo&) { type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
var decrypted_data: bytes; var decrypted_data: bytes;
var full_packet: bytes; var full_packet: bytes;
var start: iterator<stream>; var start: iterator<stream>;
@ -457,16 +425,9 @@ type Packet = unit(from_client: bool, inout context: ConnectionIDInfo&) {
# Attach an SSL analyzer to this connection once. # Attach an SSL analyzer to this connection once.
on %init { on %init {
@if SPICY_VERSION >= 10800
if ( ! context?.ssl_handle ) { if ( ! context?.ssl_handle ) {
context.ssl_handle = zeek::protocol_handle_get_or_create("SSL"); context.ssl_handle = zeek::protocol_handle_get_or_create("SSL");
} }
@else
if ( ! context.did_ssl_begin ) {
zeek::protocol_begin("SSL");
context.did_ssl_begin = True;
}
@endif
self.start = self.input(); self.start = self.input();
} }
@ -497,13 +458,8 @@ type Packet = unit(from_client: bool, inout context: ConnectionIDInfo&) {
context.initial_destination_conn_id = b""; context.initial_destination_conn_id = b"";
# Allow re-opening the SSL analyzer the next time around. # Allow re-opening the SSL analyzer the next time around.
@if SPICY_VERSION >= 10800
zeek::protocol_handle_close(context.ssl_handle); zeek::protocol_handle_close(context.ssl_handle);
unset context.ssl_handle; unset context.ssl_handle;
@else
zeek::protocol_end();
context.did_ssl_begin = False;
@endif
} }
} }
}; };
@ -578,10 +534,7 @@ type Packet = unit(from_client: bool, inout context: ConnectionIDInfo&) {
zeek::protocol_data_in( zeek::protocol_data_in(
from_client from_client
, b"\x16\x03\x03" + length_bytes + handshake_data , b"\x16\x03\x03" + length_bytes + handshake_data
# With Spicy 1.8.0, can use the SSL handle directly.
@if SPICY_VERSION >= 10800
, context.ssl_handle , context.ssl_handle
@endif
); );
# Stop decryption attempts after processing the very first INITIAL # Stop decryption attempts after processing the very first INITIAL
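Review bot: `context.ssl_handle` is now read unconditionally in the `zeek::protocol_data_in(...)` call at the end of this hunk, but the field is declared `&optional` (`ssl_handle: zeek::ProtocolHandle &optional` earlier in the file) and the reset path in this same unit does `zeek::protocol_handle_close(context.ssl_handle); unset context.ssl_handle;`. If that reset can run before this call for the same packet (the code between the two hunks is not visible here), the access raises a runtime error and aborts parsing for the connection, whereas the removed `@else` branch simply forwarded the data to the implicitly begun analyzer; a guard such as `if ( context?.ssl_handle ) zeek::protocol_data_in(from_client, b"\x16\x03\x03" + length_bytes + handshake_data, context.ssl_handle);` (or re-acquiring the handle via `zeek::protocol_handle_get_or_create("SSL")`) keeps an attacker-chosen packet ordering from tearing down the SSL analyzer. Separately, the synthesized record header hard-codes TLS 1.2 framing and relies on `length_bytes` (computed outside this hunk) matching `handshake_data`; it is worth confirming that value is bounded to the 2^14-byte TLS record maximum, since an oversized reassembled ClientHello would otherwise yield a record the SSL analyzer may reject. The enclosing `Packet` unit starts well before this hunk.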