This event is raised for messages that (probably) are TLS 1.3 handshake
messages, including finished. This allows scripts to examine handshake
messages without having to handle all encrypted messages.
In TLS 1.3, the ChangeCipherSpec message is meaningless; it only is
included to convince middleboxes that the devices actually are speaking
TLS 1.2. Nowadays some TLS 1.3 implementations also just don't send the
packet.
In a push to unify our handling of TLS 1.3 connections - ignore CCS and
always go with application data packet counting to determine if
connections are or are not encrypted.
This commit changes the logic that is used to tracks connection
establishment - and moves it from scriptland into the core.
TLS 1.3 connection establishment is much more finnicky for us than the
establishment of earlier versions - since we cannot rely on the CCS
message anymore (which is meaningless and not sent in a lot of cases).
With this commit, the ssl_encrypted_data message gets raised for
encrypted TLS 1.3 handshake messages - which is much more correct than
the behavior before that just interpreted them as plaintext messages.
I will refine this a bit more - at the moment the connection established
event happens a bit too early - earlier than TLS 1.3 connections
actually can be estasblished.
Part of GH-1323
Merge adjustments:
- Rewrote the check for error response as a switch statement to
fix compiler warning about signed/unsigned comparison and also
to just simplify/clarify the logic.
- Changed the btest to use `zeek -b`.
* origin/topic/vlad/gh-1286:
Add tests for new SMB3 multichannel support
Fix SMB2 response status parsing. Fixes#1286
* The parsing of IPv6 addresses tried to fill a stack-buffer with as
much data as supplied in the Option even if it was in excess of the
desired prefix or maximum IPv6 address size. This could result in an
overflow of that stack-buffer.
* The parsing of IPv4 addresses would overwrite the storage used for
that address as many times as there were bytes in the Option in excess
of the desired prefix length or maximum IPv4 address size. This could
cause the resulting IPv4 address to be derived from the incorrect
data.
* Upon encountering unexpected/excessive option-length or source-prefix
parameters, the data pointer used for parsing was also not always
advanced to the start of the next alleged option's data. Assuming all
other parsing code correctly guards against invalid input, there's no
further harm from that other than the subsequent parsing being more
likely to encounter unexpected values and emitting more Weirds.
Credit to OSS-Fuzz for discovery
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28336
(Link to details becomes public 30 days after patch release)
* origin/topic/jsiwek/gh-1264-ssh-host-key-fingerprints:
Simply ssh/main.zeek by using "ssh_server_host_key" for fingerprinting
Deprecate "ssh1_server_host_key" parameters *e* and *p*
GH-1264: Implement "ssh_server_host_key" event
* 'topic/vbrevet/ssh_version' of https://github.com/vbrevet/zeek:
[SSH] Handle SSH version 1.99 SSH can set in its identification a version 1.99 (SSH-1.99-xxx). That means the client/server is compatible with SSHv1 and SSHv2. So the version choice depends of the both side.
SSH can set in its identification a version 1.99 (SSH-1.99-xxx).
That means the client/server is compatible with SSHv1 and SSHv2.
So the version choice depends of the both side.
1.99 : 1.99 => 2.0
1.99 : 1.x => 1.x
1.99 : 2.0 => 2.O
(see "Compatibility With Old SSH Versions" in RFC 4253)
It's implemented with a new set[subnet] option named ignore_checksums_nets.
If you populate this set with subnets, any packet with a src address within
that set of subnets will not have it's checksum validated.
- Move all of the time handling code out of PktSrc into RunState
- Call packet_mgr->ProcessPacket() from various places to setup layer 2 data in packets
After detecting a closing-boundary for a given multipart MIME entity, it
enters into an "end of data" state, however any subsequent boundary
delimiter could still cause the allocation of a sub-entity object that
is never released due to cleanup logic being bypassed upon finding the
"end of data" state already reached.
This change prevents allocation/processing of sub-entities after the
"end of data" state is reached (e.g. from detecting a multipart
closing-boundary). This new behavior still aligns with RFC 2046
expectations:
"There appears to be room for additional information prior to the first
boundary delimiter line and following the final boundary delimiter line.
These areas should generally be left blank, and implementations must
ignore anything that appears before the first boundary delimiter line or
after the last one."
Credit to OSS-Fuzz for discovery
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26027
(Link to details becomes public 30 days after patch release)
- Changed the new stub events to correctly check for existence of
their associated handler before generating an event
- Added a test case for the new stub event
* 'add-dce-rpc-payloads' of https://github.com/ynadji/zeek:
Add stub payload to dce_rpc_request and dce_rpc_response
Borrows the `in_cksum` code from tcpdump, which borrowed from FreeBSD.
It handles unaligned data better and also unrolls the inner loop to
process 16 two-byte values at a time versus 2 one-byte values at a time
in the previous version. Generally measured as ~1.5x faster in a
release build. The new API should generally be more amenable to any
future optimization explorations since all relevant data blocks are
available within a single call rather than spread across multiple.
* origin/topic/jsiwek/gh-822-ubsan-ci:
Fix negative-value-left-shift undefined behavior in patricia trie
Improve negation of ConstExpr
Avoid signed integer overflow when combining SMB header PID bits
Avoid unary negation of INT64_MIN in modp_litoa10
Avoid double-to-int conversion overflows in modp_dtoa functions
Fix divide-by-zero in Entropy analyzer
Fix divide-by-zero in stats/profiling memory usage calculation
Fix uninitialized field in POP3 fuzzer
Add framework for running UndefinedBehaviorSanitizer in CI
* origin/topic/jsiwek/gh-1119-conn-removal-callbacks:
GH-1119: add base/protcols/conn/removal-hooks.zeek
Avoid run-time cost of find-filtered-trace.zeek for live traffic
Remove connection_successful and successful_connection_remove events
