When an option's value is a reader-incompatible table or set, Zeek now
renders the type as expressed in the script layer (e.g. "set[addr,addr]")
as opposed to the internal type tag (which'd here be "table", including
for sets).
The input framework's Manager::IsCompatibleType() already rejected
sets with multiple index types that aren't all the same (i.e. that are
not pure). Pure ones (e.g. "set[addr,addr]") slipped through and could
cause Zeek to segfault elsewhere in the config framework due to type
comparison subtleties. Note that the ASCII reader can't read such sets
anyway, so this method now rejects sets with any kind of index-type
tuple.
In the config framework, the script-level change handler has a risky
conversion from any to set[bool], which can trigger segfaults when the
underlying set's index is a type tuple. We now prevent this code path
by ensuring it only applies to sets with a single index type.
List-types as used in composite table/set indices, for example,
previously had incorrect same_type() comparisons due to flattening
of the list-type into a single type without checking whether the
number and kind of types all match.
This patch simply removes the flatten_type() call from same_type() since
it was already contradicting/preventing a subsequent full-comparison
between elements of two TYPE_LISTs.
There was also a superfluous special-case of the `in` operator's
type-checking for testing whether a record is in a table/set. It's
superfluous because the general case will already do the type-checking
from MatchesIndex() after first wrapping the record operand in a
ListExpr. The previous logic was incorrectly relying on the
flatten_type() for testing equality of a record-type against a
list-type, whereas the general case correctly normalizes to testing
equality of two list-types.
The special-cased type-checking logic for assigning a record value to a
table index during its initialization similarly needed minor
re-organization in order to maintain the same error messages as before.
A logger process being terminated/killed while in the process of creating
a new .shadow file may leave an empty (invalid) one around. This in turn
causes the logger to error and exit during startup.
$ $ ls -lha .shadow.*
-rw-r--r-- 1 root root 0 Dec 16 18:48 .shadow.dns.log
-rw-r--r-- 1 root root 0 Dec 16 18:48 .shadow.packet_filter.log
$ zeek LogAscii::enable_leftover_log_rotation=T Log::default_rotation_interval=30sec -i wlp0s20f3
error in <params>, line 1: failed to process leftover log 'dns.log': Found leftover log, 'dns.log', but the associated shadow file, '.shadow.dns.log', required to process it is invalid
error in <params>, line 1: failed to process leftover log 'packet_filter.log': Found leftover log, 'packet_filter.log', but the associated shadow file, '.shadow.packet_filter.log', required to process it is invalid
$ ...
Prevent creating invalid .shadow files by atomically creating them.
This event is raised for messages that (probably) are TLS 1.3 handshake
messages, including finished. This allows scripts to examine handshake
messages without having to handle all encrypted messages.
In TLS 1.3, the ChangeCipherSpec message is meaningless; it only is
included to convince middleboxes that the devices actually are speaking
TLS 1.2. Nowadays some TLS 1.3 implementations also just don't send the
packet.
In a push to unify our handling of TLS 1.3 connections - ignore CCS and
always go with application data packet counting to determine if
connections are or are not encrypted.
Otherwise, the global Broker manager object containing CAF/threading
logic is never destructed and can result in a heap-use-after-free if it
tries to access other global objects after they're cleaned up from
__cxa_finalize().
This commit changes the logic that is used to tracks connection
establishment - and moves it from scriptland into the core.
TLS 1.3 connection establishment is much more finnicky for us than the
establishment of earlier versions - since we cannot rely on the CCS
message anymore (which is meaningless and not sent in a lot of cases).
With this commit, the ssl_encrypted_data message gets raised for
encrypted TLS 1.3 handshake messages - which is much more correct than
the behavior before that just interpreted them as plaintext messages.
I will refine this a bit more - at the moment the connection established
event happens a bit too early - earlier than TLS 1.3 connections
actually can be estasblished.
Part of GH-1323
Otherwise there is a functional problem caused by using #include to
insert the disconnected source code: language server/analysis tools,
like clangd, may get confused by those files and report everything
in them as an error.
