Merge remote-tracking branch 'origin/topic/johanna/spicy-tls'

* origin/topic/johanna/spicy-tls: (31 commits)
  Spicy SSL: don't turn on compilation of Spicy SSL analyzer in all cases
  Spicy SSL analyzer - address feedback
  Spicy TLS: re-enable test and update test comments
  Spicy SSL: Skip private test suite for now.
  Spicy SSL - finish SSLv2 implementation
  Spicy TLS: SSLv2 client hello support.
  Spicy TLS - full test suite pass
  Spicy TLS - refactoring and partial connection fix
  Spicy SSL - run spicy-format
  Spicy-TLS: address review feedback re convert-functions
  Spicy TLS: address review feedback & run spicy-lint
  Spicy TLS: disable debug prints
  Add configure option to enable/disable spicy SSL
  Spicy TLS: inout/reference updates for recent spicy changes
  Spicy TLS: parse OCSP replies in TLS extension
  Spicy TLS: generate same file IDs as binpac analyzer
  Spicy TLS: skip CI; run performance tests
  Spicy TLS: fix parsing of no-extension hellos, port registration
  Spicy TLS: Re-enable starttls for RDP
  Spicy TLS: rename the analyzer to SSL
  ...

.cirrus.yml

@@ -14,6 +14,7 @@ config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WOR
 no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
 static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
 binary_config: &BINARY_CONFIG --prefix=$CIRRUS_WORKING_DIR/install --libdir=$CIRRUS_WORKING_DIR/install/lib --binary-package --enable-static-broker --enable-static-binpac --disable-broker-tests --build-type=Release --ccache --enable-werror
+spicy_ssl_config: &SPICY_SSL_CONFIG --build-type=release --disable-broker-tests --enable-spicy-ssl --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
 asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --ccache --enable-werror
 ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --ccache --enable-werror
 tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --ccache --enable-werror
@@ -286,6 +287,7 @@ ubuntu22_task:
         $CIRRUS_BRANCH =~ 'release/.*' ||
         $CIRRUS_CRON == 'benchmark-nightly' )
 
+# Also enable Spicy SSL for this
 ubuntu22_spicy_task:
   container:
     # Ubuntu 22.04 EOL: April 2027
@@ -294,7 +296,7 @@ ubuntu22_spicy_task:
   << : *CI_TEMPLATE
   env:
     ZEEK_CI_CREATE_ARTIFACT: 1
-  test_script: true  # Don't run tests, these are redundant.
+    ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG
   spicy_install_analyzers_script: ./ci/spicy-install-analyzers.sh
   upload_binary_artifacts:
     path: build.tgz

CHANGES

@@ -1,3 +1,18 @@
+7.1.0-dev.305 | 2024-09-11 16:55:55 +0200
+
+  * Spicy SSL analyzer:
+
+    This commit adds an alternative Spicy-based SSL analyzer. It supports
+    nearly the entire functionality of the current binpac analyzer, with
+    the exception of DTLS and decryption.
+
+    This currently is mostly for internal tests, or for Spicy testing purposes.
+    There is no functional advantage to use the Spicy based analyzer - it does
+    not have any additional features.
+
+    It is currently gated behind a configure-time flag that needs to be provided
+    to enable it (--enable-spicy-ssl).
+
 7.1.0-dev.259 | 2024-09-09 13:24:45 +0200
 
   * script_opt/ZAM/IterInfo.h: Add missing Dict.h dependency (Arne Welzel, Corelight)

VERSION

@@ -1 +1 @@
-7.1.0-dev.259
+7.1.0-dev.305

cmake_templates/zeek-config.h.in

@@ -244,6 +244,9 @@
 /* Enable/disable ZAM profiling capability */
 #cmakedefine ENABLE_ZAM_PROFILE
 
+/* Enable/disable the Spicy SSL analyzer */
+#cmakedefine ENABLE_SPICY_SSL
+
 /* String with host architecture (e.g., "linux-x86_64") */
 #define HOST_ARCHITECTURE "@HOST_ARCHITECTURE@"
 

configure

@@ -69,6 +69,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --enable-static-broker build Broker statically (ignored if --with-broker is specified)
     --enable-werror        build with -Werror
     --enable-ZAM-profiling build with ZAM profiling enabled (--enable-debug implies this)
+    --enable-spicy-ssl     build with spicy SSL/TLS analyzer (conflicts with --disable-spicy)
     --disable-af-packet    don't include native AF_PACKET support (Linux only)
     --disable-auxtools     don't build or install auxiliary tools
     --disable-broker-tests don't try to build Broker unit tests
@@ -310,6 +311,9 @@ while [ $# -ne 0 ]; do
         --enable-ZAM-profiling)
             append_cache_entry ENABLE_ZAM_PROFILE BOOL true
             ;;
+        --enable-spicy-ssl)
+            append_cache_entry ENABLE_SPICY_SSL BOOL true
+            ;;
         --disable-af-packet)
             append_cache_entry DISABLE_AF_PACKET BOOL true
             ;;

src/analyzer/protocol/rdp/RDP.cc

@@ -1,6 +1,7 @@
 #include "zeek/analyzer/protocol/rdp/RDP.h"
 
 #include "zeek/Reporter.h"
+#include "zeek/analyzer/Manager.h"
 #include "zeek/analyzer/protocol/rdp/events.bif.h"
 #include "zeek/analyzer/protocol/rdp/types.bif.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
@@ -11,7 +12,7 @@ RDP_Analyzer::RDP_Analyzer(Connection* c) : analyzer::tcp::TCP_ApplicationAnalyz
     interp = new binpac::RDP::RDP_Conn(this);
 
     had_gap = false;
-    ssl = nullptr;
+    tls_active = false;
 }
 
 RDP_Analyzer::~RDP_Analyzer() { delete interp; }
@@ -44,12 +45,13 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) {
         // 0x01 is SSL/TLS
         // 0x03-0x04 is CredSSP which is effectively SSL/TLS
         if ( interp->encryption_method() > 0x00 ) {
-            if ( ! ssl ) {
+            if ( ! tls_active ) {
-                ssl = new analyzer::ssl::SSL_Analyzer(Conn());
+                tls_active = true;
+                Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
                 if ( ! AddChildAnalyzer(ssl) ) {
                     reporter->AnalyzerError(this,
                                             "failed to add TCP child analyzer "
-                                            "to RDP analyzer: already exists");
+                                            "to RDP analyzer");
                     return;
                 }
             }

src/analyzer/protocol/rdp/RDP.h

@@ -1,9 +1,7 @@
 #pragma once
 
-#include "zeek/analyzer/protocol/pia/PIA.h"
 #include "zeek/analyzer/protocol/rdp/events.bif.h"
 #include "zeek/analyzer/protocol/rdp/rdp_pac.h"
-#include "zeek/analyzer/protocol/ssl/SSL.h"
 #include "zeek/analyzer/protocol/tcp/TCP.h"
 
 namespace zeek::analyzer::rdp {
@@ -25,7 +23,7 @@ protected:
     binpac::RDP::RDP_Conn* interp;
 
     bool had_gap;
-    analyzer::ssl::SSL_Analyzer* ssl;
+    bool tls_active;
 };
 
 } // namespace zeek::analyzer::rdp

src/analyzer/protocol/ssl/CMakeLists.txt

@@ -1,34 +1,39 @@
-zeek_add_plugin(
+if (NOT ENABLE_SPICY_SSL)
-    Zeek
+    zeek_add_plugin(
-    SSL
+        Zeek
-    SOURCES
+        SSL
-    SSL.cc
+        SOURCES
-    DTLS.cc
+        SSL.cc
-    Plugin.cc
+        DTLS.cc
-    BIFS
+        Plugin.cc
-    types.bif
+        BIFS
-    events.bif
+        types.bif
-    functions.bif
+        events.bif
-    consts.bif
+        functions.bif
-    PAC
+        consts.bif
-    tls-handshake.pac
+        PAC
-    tls-handshake-protocol.pac
+        tls-handshake.pac
-    tls-handshake-analyzer.pac
+        tls-handshake-protocol.pac
-    ssl-defs.pac
+        tls-handshake-analyzer.pac
-    proc-certificate.pac
+        ssl-defs.pac
-    tls-handshake-signed_certificate_timestamp.pac
+        proc-certificate.pac
-    PAC
+        tls-handshake-signed_certificate_timestamp.pac
-    ssl.pac
+        PAC
-    ssl-dtls-analyzer.pac
+        ssl.pac
-    ssl-analyzer.pac
+        ssl-dtls-analyzer.pac
-    ssl-dtls-protocol.pac
+        ssl-analyzer.pac
-    ssl-protocol.pac
+        ssl-dtls-protocol.pac
-    ssl-defs.pac
+        ssl-protocol.pac
-    proc-certificate.pac
+        ssl-defs.pac
-    PAC
+        proc-certificate.pac
-    dtls.pac
+        PAC
-    ssl-dtls-analyzer.pac
+        dtls.pac
-    dtls-analyzer.pac
+        ssl-dtls-analyzer.pac
-    ssl-dtls-protocol.pac
+        dtls-analyzer.pac
-    dtls-protocol.pac
+        ssl-dtls-protocol.pac
-    ssl-defs.pac)
+        dtls-protocol.pac
+        ssl-defs.pac)
+else ()
+    add_subdirectory(spicy)
+    zeek_add_plugin(Zeek SSL SOURCES Plugin.cc BIFS functions.bif)
+endif ()

src/analyzer/protocol/ssl/Plugin.cc

@@ -2,17 +2,23 @@
 
 #include "zeek/plugin/Plugin.h"
 
+#include "zeek/zeek-config.h"
+
+#ifndef ENABLE_SPICY_SSL
 #include "zeek/analyzer/Component.h"
 #include "zeek/analyzer/protocol/ssl/DTLS.h"
 #include "zeek/analyzer/protocol/ssl/SSL.h"
+#endif
 
 namespace zeek::plugin::detail::Zeek_SSL {
 
 class Plugin : public zeek::plugin::Plugin {
 public:
     zeek::plugin::Configuration Configure() override {
+#ifndef ENABLE_SPICY_SSL
         AddComponent(new zeek::analyzer::Component("SSL", zeek::analyzer::ssl::SSL_Analyzer::Instantiate));
         AddComponent(new zeek::analyzer::Component("DTLS", zeek::analyzer::dtls::DTLS_Analyzer::Instantiate));
+#endif
 
         zeek::plugin::Configuration config;
         config.name = "Zeek::SSL";

src/analyzer/protocol/ssl/functions.bif

@@ -1,8 +1,12 @@
 
 %%{
 #include <openssl/x509.h>
-#include "zeek/analyzer/protocol/ssl/SSL.h"
 #include "zeek/Reporter.h"
+#include "zeek/zeek-config.h"
+
+#ifndef ENABLE_SPICY_SSL
+#include "zeek/analyzer/protocol/ssl/SSL.h"
+#endif
 %%}
 
 ## Sets if the SSL analyzer should consider the connection established (handshake
@@ -13,6 +17,8 @@
 ## Returns: T on success, F on failure.
 function set_ssl_established%(c: connection%): bool
 	%{
+#ifndef ENABLE_SPICY_SSL
+/* not implemented for Spicy ssl */
 	zeek::analyzer::Analyzer* sa = c->FindAnalyzer("SSL");
 
 	if ( sa )
@@ -20,6 +26,7 @@ function set_ssl_established%(c: connection%): bool
 		static_cast<zeek::analyzer::ssl::SSL_Analyzer*>(sa)->StartEncryption();
 		return zeek::val_mgr->True();
 		}
+#endif
 
 	return zeek::val_mgr->False();
 	%}
@@ -34,6 +41,8 @@ function set_ssl_established%(c: connection%): bool
 ## Returns: T on success, F on failure.
 function set_secret%(c: connection, secret: string%): bool
 	%{
+#ifndef ENABLE_SPICY_SSL
+/* not implemented for Spicy ssl */
 	analyzer::Analyzer* sa = c->FindAnalyzer("SSL");
 
 	if ( sa )
@@ -41,6 +50,7 @@ function set_secret%(c: connection, secret: string%): bool
 		static_cast<zeek::analyzer::ssl::SSL_Analyzer*>(sa)->SetSecret(*secret);
 		return zeek::val_mgr->True();
 		}
+#endif
 
 	return zeek::val_mgr->False();
 	%}
@@ -55,6 +65,8 @@ function set_secret%(c: connection, secret: string%): bool
 ## Returns: T on success, F on failure.
 function set_keys%(c: connection, keys: string%): bool
 	%{
+#ifndef ENABLE_SPICY_SSL
+/* not implemented for Spicy ssl */
 	analyzer::Analyzer* sa = c->FindAnalyzer("SSL");
 
 	if ( sa )
@@ -62,6 +74,7 @@ function set_keys%(c: connection, keys: string%): bool
 		static_cast<zeek::analyzer::ssl::SSL_Analyzer*>(sa)->SetKeys(*keys);
 		return zeek::val_mgr->True();
 		}
+#endif
 
 	return zeek::val_mgr->False();
 	%}

src/analyzer/protocol/ssl/spicy/CMakeLists.txt

@@ -0,0 +1 @@
+spicy_add_analyzer(NAME SSL SOURCES SSL.spicy SSL.evt support.cc)

src/analyzer/protocol/ssl/spicy/SSL.evt

@@ -0,0 +1,89 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+protocol analyzer SSL over TCP:
+	parse with SSL::Message;
+
+protocol analyzer DTLS over UDP:
+	parse with SSL::DTLSMessage;
+
+import SSL;
+import zeek;
+import spicy;
+
+on SSL::ClientHello -> event ssl_client_hello($conn, self.client_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suites, self.compression_methods);
+on SSL::SSL2ClientHello -> event ssl_client_hello($conn, self.client_version, 0, cast<time>(0), self.challenge, self.session_id, self.ciphers, vector<uint16>());
+
+on SSL::ServerHello -> event ssl_server_hello($conn, server_version, msg.record_version, cast<time>(self.gmt_unix_time), self.random_bytes, self.session_id, self.cipher_suite, self.compression_method);
+on SSL::ServerHelloOneThree -> event ssl_server_hello($conn, server_version, msg.record_version, cast<time>(self.gmt_unix_time), self.random_bytes, "", self.cipher_suite, 0);
+on SSL::SSL2ServerHello::conn_id_data -> event ssl_server_hello($conn, self.server_version, 0, cast<time>(0), b"", self.conn_id_data, self.ciphers[0], 0);
+
+on SSL::EllipticCurveList -> event ssl_extension_elliptic_curves($conn, SSL::get_direction(sh), self.elliptic_curve_list);
+
+on SSL::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, SSL::get_direction(sh), self.ec_point_format_list);
+
+on SSL::ServerNameList -> event ssl_extension_server_name($conn, SSL::get_direction(sh), self.server_name_list);
+
+on SSL::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket);
+
+on SSL::PlaintextRecord::ccs -> event ssl_change_cipher_spec($conn, $is_orig);
+# weird trigger for event ordering
+on SSL::PlaintextRecord::trigger_zero if ( content_type == 23 && sh.tls_13 == True && ( sh.established == False || sh.both_sides_encrypted_first_time ) ) -> event ssl_probable_encrypted_handshake_message($conn, SSL::get_direction(sh), self.length);
+on SSL::PlaintextRecord::trigger_one if ( sh.both_sides_encrypted_first_time == True && content_type != 20 ) -> event ssl_established($conn);
+on SSL::PlaintextRecord::trigger_two if ( self.encrypted == False ) -> event ssl_plaintext_data($conn, SSL::get_direction(sh), msg.record_version, content_type, self.length);
+on SSL::PlaintextRecord::trigger_two if ( self.encrypted == True ) -> event ssl_encrypted_data($conn, SSL::get_direction(sh), msg.record_version, content_type, self.length);
+
+on SSL::SSL2ClientMasterKey::%init -> event ssl_established($conn);
+
+on SSL::Extension -> event ssl_extension($conn, SSL::get_direction(sh), self.code, self.raw);
+
+on SSL::Handshake_message -> event ssl_handshake_message($conn, SSL::get_direction(sh), self.msg_type, self.length);
+
+on SSL::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, SSL::get_direction(sh), self.supported_signature_algorithms_converted);
+
+on SSL::ServerHelloKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), vector<uint16>(self.keyshare.namedgroup,));
+
+on SSL::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), vector<uint16>(self.namedgroup,));
+
+on SSL::ClientHelloKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), self.named_groups);
+
+on SSL::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, SSL::get_direction(sh), self.identities, self.binders);
+
+on SSL::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, SSL::get_direction(sh), self.selected_identity);
+
+on SSL::ServerECDHParamsAndSignature -> event ssl_ecdh_server_params($conn, self.curve, self.point);
+
+on SSL::DheServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
+
+on SSL::DhAnonServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
+
+on SSL::ServerKeyExchangeSignature if ( self?.algorithm ) -> event ssl_server_signature($conn, tuple(self.algorithm.hash, self.algorithm.signature), self.signature);
+
+# just use nonsense values for no algorithm. Same as in the old analyzer
+on SSL::ServerKeyExchangeSignature if ( ! self?.algorithm ) -> event ssl_server_signature($conn, tuple(256, 256), self.signature);
+
+on SSL::EcdhClientKeyExchange -> event ssl_ecdh_client_params($conn, self.point);
+
+on SSL::DhClientKeyExchange -> event ssl_dh_client_params($conn, self.dh_Yc);
+
+on SSL::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms);
+
+on SSL::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, SSL::get_direction(sh), self.protocol_name_list);
+
+on SSL::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, SSL::get_direction(sh), self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature);
+
+on SSL::SupportedVersions -> event ssl_extension_supported_versions($conn, SSL::get_direction(sh), self.versions);
+
+on SSL::OneSupportedVersion -> event ssl_extension_supported_versions($conn, SSL::get_direction(sh), vector<uint16>(self.version,));
+
+on SSL::PSKKeyExchangeModes -> event ssl_extension_psk_key_exchange_modes($conn, SSL::get_direction(sh), self.modes);
+
+on SSL::Alert_message -> event ssl_alert($conn, SSL::get_direction(sh), self.level, self.description);
+
+on SSL::Heartbeat -> event ssl_heartbeat($conn, SSL::get_direction(sh), length, self.tpe, self.payload_length, self.data);
+
+on SSL::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response);
+
+on SSL::CertificateRequest if ( SSL::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, SSL::get_direction(sh), self.certificate_types, self.supported_signature_algorithms.supported_signature_algorithms_converted, self.certificate_authorities);
+on SSL::CertificateRequest if ( ! SSL::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, SSL::get_direction(sh), self.certificate_types, SSL::create_empty_sigmature_algorithms(), self.certificate_authorities);
+
+on SSL::DirectionCheck if ( self.was_flipped ) -> event ssl_connection_flipped($conn);

src/analyzer/protocol/ssl/spicy/support.cc

@@ -0,0 +1,65 @@
+// Copyright (c) 2023 by the Zeek Project. See COPYING for details.
+
+#include <hilti/rt/libhilti.h>
+#include <cassert>
+
+#include "zeek/Desc.h"
+#include "zeek/file_analysis/Manager.h"
+#include "zeek/spicy/cookie.h"
+#include "zeek/spicy/runtime-support.h"
+
+std::string ssl_get_certificate_fuid(const hilti::rt::Bool& is_client, const hilti::rt::integer::safe<uint32_t>& pos) {
+    auto cookie = static_cast<zeek::spicy::rt::Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    auto c = cookie->protocol;
+    if ( ! c )
+        throw zeek::spicy::rt::ValueUnavailable("connection not available");
+
+    zeek::ODesc file_handle;
+    file_handle.AddRaw("Analyzer::ANALYZER_SSL");
+    file_handle.Add(c->analyzer->Conn()->StartTime());
+    file_handle.AddRaw(is_client ? "T" : "F", 1);
+    c->analyzer->Conn()->IDString(&file_handle);
+
+    file_handle.Add(pos.Ref());
+    std::string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
+    return file_id;
+}
+
+std::string ssl_get_ocsp_fuid() {
+    auto cookie = static_cast<zeek::spicy::rt::Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    auto c = cookie->protocol;
+    if ( ! c )
+        throw zeek::spicy::rt::ValueUnavailable("connection not available");
+
+    zeek::ODesc file_handle;
+    file_handle.AddRaw("Analyzer::ANALYZER_SSL");
+    file_handle.Add(c->analyzer->Conn()->StartTime());
+    file_handle.AddRaw("F");
+    c->analyzer->Conn()->IDString(&file_handle);
+    file_handle.Add("ocsp");
+    std::string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
+    return file_id;
+}
+
+// TODO: it would make sense to make this available for all users of Spicy
+bool ssl_is_partial_tcp() {
+    auto cookie = static_cast<zeek::spicy::rt::Cookie*>(hilti::rt::context::cookie());
+    assert(cookie);
+
+    auto x = cookie->protocol;
+    if ( ! x || ! x->analyzer )
+        return false;
+
+    auto* tcp = dynamic_cast<zeek::analyzer::tcp::TCP_ApplicationAnalyzer*>(x->analyzer);
+    if ( ! tcp )
+        return false;
+
+    if ( tcp->TCP() && tcp->TCP()->IsPartial() )
+        return true;
+
+    return false;
+}

testing/btest/core/analyzer-confirmation-violation-info.zeek

@@ -1,4 +1,5 @@
 # @TEST-DOC: The SSL analyzer picks up on the traffic in pppoe-over-qing, but then raises analyzer_violation_info
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
 # @TEST-EXEC: zeek -r $TRACES/pppoe-over-qinq.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
 

testing/btest/coverage/bare-load-baseline.test

@@ -9,6 +9,7 @@
 # below does. Don't ask. :-)
 
 # @TEST-REQUIRES: $SCRIPTS/have-spicy  # This test logs loaded scripts, so disable it if Spicy and it associated plugin is unavailable.
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h # Enabling Spicy SSL changes the loaded scripts, skip in this case
 # @TEST-EXEC: zeek -b misc/loaded-scripts
 # @TEST-EXEC: test -e loaded_scripts.log
 # @TEST-EXEC: cat loaded_scripts.log | grep -E -v '#' | awk 'NR>0{print $1}' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix

testing/btest/coverage/default-load-baseline.test

@@ -8,6 +8,7 @@
 # below does. Don't ask. :-)
 
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h # Enabling Spicy SSL changes the loaded scripts, skip in this case
 # @TEST-EXEC: zeek misc/loaded-scripts
 # @TEST-EXEC: test -e loaded_scripts.log
 # @TEST-EXEC: cat loaded_scripts.log | grep -E -v '#' | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix

testing/btest/plugins/hooks.zeek

@@ -1,5 +1,6 @@
 # @TEST-REQUIRES: test "${ZEEK_ZAM}" != "1"
 # @TEST-REQUIRES: ${SCRIPTS}/have-spicy  # This test logs loaded scripts, so disable it if Spicy and the associated plugin are unavailable.
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h # Enabling Spicy SSL changes baselines and thus changes raised events. Skip in this case.
 # @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Hooks
 # @TEST-EXEC: cp -r %DIR/hooks-plugin/* .
 # @TEST-EXEC: ./configure --zeek-dist=${DIST} && make

testing/btest/scripts/base/protocols/ssl/certificate_request.zeek

@@ -1,5 +1,8 @@
 # This tests the certificate_request message parsing
 
+# Does not work in spicy version, due to missing DTLS support
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
+
 # @TEST-EXEC: zeek -b -r $TRACES/tls/client-certificate.pcap %INPUT > out
 # @TEST-EXEC: zeek -C -b -r $TRACES/tls/certificate-request-failed.pcap %INPUT >> out
 # @TEST-EXEC: zeek -C -b -r $TRACES/tls/webrtc-stun.pcap %INPUT >> out

testing/btest/scripts/base/protocols/ssl/dtls-13.test

@@ -1,5 +1,6 @@
 # This tests a normal SSL connection and the log it outputs.
 
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h # DTLS not supported in Spicy SSL
 # @TEST-EXEC: zeek -C -r $TRACES/tls/dtls13-wolfssl.pcap %INPUT
 # @TEST-EXEC: cp ssl.log ssl-all.log
 # @TEST-EXEC: echo "start CID test"

testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test

@@ -1,3 +1,4 @@
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h # DTLS is not supported in Spicy SSL yet
 # @TEST-EXEC: zeek -b -r $TRACES/tls/webrtc-stun.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: touch dpd.log

testing/btest/scripts/base/protocols/ssl/dtls.test

@@ -1,5 +1,6 @@
 # This tests a normal SSL connection and the log it outputs.
 
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h # DTLS is not supported in Spicy SSL yet
 # @TEST-EXEC: zeek -b -r $TRACES/tls/dtls1_0.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log

testing/btest/scripts/base/protocols/ssl/keyexchange.test

@@ -1,3 +1,6 @@
+# Does not work in spicy version, due to missing DTLS support
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
+
 # @TEST-EXEC: zeek -b -r $TRACES/tls/dhe.pcap %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-all.log
 # @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT

testing/btest/scripts/policy/protocols/ssl/decryption.zeek

@@ -1,4 +1,5 @@
 # @TEST-REQUIRES: grep -q "#define OPENSSL_HAVE_KDF_H" $BUILD/zeek-config.h
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h # Decryption is not supported in Spicy SSL
 
 # @TEST-EXEC: zeek -B dpd -C -r $TRACES/tls/tls12-decryption.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log

testing/btest/scripts/policy/protocols/ssl/ssl-log-ext.zeek

@@ -1,3 +1,6 @@
+# Does not work in spicy version, due to missing DTLS support
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
+
 # @TEST-EXEC: zeek -b -r $TRACES/tls/dhe.pcap %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-all.log
 # @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT

testing/external/commit-hash.zeek-testing-private

@@ -1 +1 @@
-5db3bb717a3507ffb3b94766dbe485855286571d
+8663dd6b4fd897ad49e796096fc9638fc4874d0e