From 69f1ae2301ac77191971639e42c2c6998525ec91 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 16 Dec 2024 10:19:18 -0700 Subject: [PATCH 01/14] Merge remote-tracking branch 'security/topic/awelzel/217-quic-decrypt-crash' * security/topic/awelzel/217-quic-decrypt-crash: QUIC/decrypt_crypto: Actually check if decryption was successful QUIC/decrypt_crypto: Limit payload_length to 10k QUIC/decrypt_crypto: Fix decrypting into too small stack buffer (cherry picked from commit f940f2d88f3261f18b65cf7394ca40be16dc6a68) --- CHANGES | 27 ++++++++++++++++++ VERSION | 2 +- src/analyzer/protocol/quic/decrypt_crypto.cc | 14 ++++++--- .../analyzer.log.cut | 3 ++ .../conn.log.cut | 5 ++++ .../Traces/quic/383379789-decrypt-crash.pcap | Bin 0 -> 43734 bytes .../base/protocols/quic/decrypt-crash.zeek | 8 ++++++ 7 files changed, 54 insertions(+), 5 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut create mode 100644 testing/btest/Traces/quic/383379789-decrypt-crash.pcap create mode 100644 testing/btest/scripts/base/protocols/quic/decrypt-crash.zeek diff --git a/CHANGES b/CHANGES index e1809fb25d..af468d3512 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,30 @@ +7.1.0-dev.830 | 2024-12-16 10:20:24 -0700 + + * QUIC/decrypt_crypto: Actually check if decryption was successful (Arne Welzel, Corelight) + + ...and bail if it wasn't. + + PCAP was produced using OSS-Fuzz input from issue 383379789. + + (cherry picked from commit f940f2d88f3261f18b65cf7394ca40be16dc6a68) + + * QUIC/decrypt_crypto: Limit payload_length to 10k (Arne Welzel, Corelight) + + Given we dynamically allocate memory for decryption, employ a limit + that is unlikely to be hit, but allows for large payloads produced + by the fuzzer or jumbo frames. + + (cherry picked from commit f940f2d88f3261f18b65cf7394ca40be16dc6a68) + + * QUIC/decrypt_crypto: Fix decrypting into too small stack buffer (Arne Welzel, Corelight) + + A QUIC initial packet larger than 1500 bytes could lead to crashes + due to the usage of a fixed size stack buffer for decryption. + + Allocate the necessary memory dynamically on the heap instead. + + (cherry picked from commit f940f2d88f3261f18b65cf7394ca40be16dc6a68) + 7.1.0-dev.829 | 2024-12-13 13:15:41 -0700 * Updating submodule(s) [nomail] (Tim Wojtulewicz, Corelight) diff --git a/VERSION b/VERSION index 79c87d9f36..0c818f4af8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.1.0-dev.829 +7.1.0-dev.830 diff --git a/src/analyzer/protocol/quic/decrypt_crypto.cc b/src/analyzer/protocol/quic/decrypt_crypto.cc index d38bc4154f..fa496413ae 100644 --- a/src/analyzer/protocol/quic/decrypt_crypto.cc +++ b/src/analyzer/protocol/quic/decrypt_crypto.cc @@ -60,7 +60,6 @@ const size_t AEAD_IV_LEN = 12; const size_t AEAD_HP_LEN = 16; const size_t AEAD_SAMPLE_LENGTH = 16; const size_t AEAD_TAG_LENGTH = 16; -const size_t MAXIMUM_PACKET_LENGTH = 1500; const size_t MAXIMUM_PACKET_NUMBER_LENGTH = 4; EVP_CIPHER_CTX* get_aes_128_ecb() { 
@@ -153,12 +152,17 @@ Function that calls the AEAD decryption routine, and returns the decrypted data. */ hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt::Bytes& all_data, uint64_t payload_length, const DecryptionInformation& decryptInfo) { - int out, out2, res; + int out, out2; if ( payload_length < decryptInfo.packet_number_length + AEAD_TAG_LENGTH ) throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too small %ld < %ld", payload_length, decryptInfo.packet_number_length + AEAD_TAG_LENGTH)); + // Bail on large payloads, somewhat arbitrarily. 10k allows for Jumbo frames + // and sometimes the fuzzer produces packets up to that size as well. + if ( payload_length > 10000 ) + throw hilti::rt::RuntimeError(hilti::rt::fmt("payload_length too large %ld", payload_length)); + const uint8_t* encrypted_payload = data_as_uint8(all_data) + decryptInfo.unprotected_header.size(); int encrypted_payload_size = payload_length - decryptInfo.packet_number_length - AEAD_TAG_LENGTH; @@ -173,7 +177,8 @@ hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt const void* tag_to_check = all_data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size; int tag_to_check_length = AEAD_TAG_LENGTH; - std::array decrypt_buffer; + // Allocate memory for decryption. + std::vector decrypt_buffer(encrypted_payload_size); // Setup context auto* ctx = get_aes_128_gcm(); @@ -197,7 +202,8 @@ hilti::rt::Bytes decrypt(const std::vector& client_key, const hilti::rt EVP_CipherUpdate(ctx, decrypt_buffer.data(), &out, encrypted_payload, encrypted_payload_size); // Validate whether the decryption was successful or not - EVP_CipherFinal_ex(ctx, NULL, &out2); + if ( EVP_CipherFinal_ex(ctx, NULL, &out2) == 0 ) + throw hilti::rt::RuntimeError("decryption failed"); // Copy the decrypted data from the decrypted buffer into a Bytes instance. return hilti::rt::Bytes(decrypt_buffer.data(), decrypt_buffer.data() + out); 
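Review bot: The new 10k bound on `payload_length` protects the heap allocation, but nothing in this hunk bounds the reads that follow against the input: `encrypted_payload` starts at `data_as_uint8(all_data) + decryptInfo.unprotected_header.size()` and the tag is read at `all_data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size`, yet `all_data.size()` is never compared with that span. If the Spicy side guarantees `all_data` holds the whole packet this is fine, but it is not visible here, so I would make the invariant explicit right after `encrypted_payload_size` is computed: `if ( decryptInfo.unprotected_header.size() + encrypted_payload_size + AEAD_TAG_LENGTH > all_data.size() ) throw hilti::rt::RuntimeError(hilti::rt::fmt("payload_length %ld exceeds available data %ld", payload_length, all_data.size()));`. A short comment on the new limit stating that 10000 is an allocation cap, not a protocol maximum, would also help the next reader. The body of `decrypt` continues in the following two hunks and its closing brace is outside this one.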
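Review bot: The return value of `EVP_CipherUpdate` on the line just above the new `EVP_CipherFinal_ex` check is still ignored, and `out` is declared without an initializer in the first hunk (`int out, out2;`); if the update fails, `out` is indeterminate and the return statement builds `hilti::rt::Bytes(decrypt_buffer.data(), decrypt_buffer.data() + out)` from an undefined range. I would guard it the same way the commit guards the final call: `if ( EVP_CipherUpdate(ctx, decrypt_buffer.data(), &out, encrypted_payload, encrypted_payload_size) == 0 ) throw hilti::rt::RuntimeError("decryption failed");` and change the declaration to `int out = 0, out2 = 0;`. If `get_aes_128_gcm()` hands out a shared context (its name suggests a cached one, but the definition is outside the hunk), it is worth confirming that the next caller re-initialises it after a throw mid-decryption.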
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut new file mode 100644 index 0000000000..1a3b7336c7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid cause analyzer_kind analyzer_name failure_reason +1733909795.417573 C4J4Th3PJpwUYZZ6gc violation protocol QUIC decryption failed (<...>/QUIC.spicy:) diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut new file mode 100644 index 0000000000..e9151b0dee --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut @@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid proto history service +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h udp D - +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc udp D - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 tcp F ftp 
diff --git a/testing/btest/Traces/quic/383379789-decrypt-crash.pcap b/testing/btest/Traces/quic/383379789-decrypt-crash.pcap new file mode 100644 index 0000000000000000000000000000000000000000..aeb980850817a541f4956db12eada9abb9381664 GIT binary patch literal 43734 zcmeI*ziU%b6u|NG()3}Taqt%oE~3$tLUU1ZQ~W_H1%vpbA`+xJB&86dqDvmsW+)=~ z4-}jf9CT1{Dmdz*lcJl5OI-?1QluSP&%KTGXB4H@yu9y$`{=v5x$m4$r<9(X4=Ifi!00IagfB*srAbf&DS5lQI!N0D+|fd+fQqd6A3cuJlU}d? z)avv4Uc23wvmJ6+f40NL!ZE)YkuII8Z?=a5kNA4(uZ&N6FYH;oE5q)!cfgltN5l=c zV)ea7MC@ksdxhm!y3~_oV#3RK<7JVwed`vPv?mcKCJMLo&Mya@(^EkZJRQ5XF*|tN zt{@OVAie_I-p03fDn|eT1Q0*~0R#|0009ILKp+MJUt>@sB_erQL z{I;|FiR(CT)?wakUiWs5?6q|B&hxr1>Jr;|zNA~+rM2vmX*9)O*Lgc!{7vWi^f&#I zQhj2r)OY{QqE7n7o#)HD>-Ayw`M>O conn.log.cut +# @TEST-EXEC: zeek-cut -m ts uid cause analyzer_kind analyzer_name failure_reason < analyzer.log > analyzer.log.cut +# @TEST-EXEC: btest-diff conn.log.cut +# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut From 993529fae40d4763472cea8cdcb88b304811df1f Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 16 Dec 2024 11:01:50 -0700 Subject: [PATCH 02/14] Update docs submodule [nomail] [skip ci] --- doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc b/doc index 69f1299287..698ca5e36c 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 69f1299287333c8835f7603050aa6afb5d4d080b +Subproject commit 698ca5e36c3df57512222b6bfe05351bbdbba174 From 4d6031cbb01cd5bfb53ab14047fc6d43a8d608c7 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 16 Dec 2024 11:28:28 -0700 Subject: [PATCH 03/14] Updating CHANGES and VERSION. --- CHANGES | 4 ++++ VERSION | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index af468d3512..8fe262c0a4 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,7 @@ +7.1.0-rc1 | 2024-12-16 11:01:50 -0700 + + * Update docs submodule [nomail] [skip ci] (Tim Wojtulewicz) + 7.1.0-dev.830 | 2024-12-16 10:20:24 -0700 * QUIC/decrypt_crypto: Actually check if decryption was successful (Arne Welzel, Corelight) diff --git a/VERSION b/VERSION index 0c818f4af8..db45bc9329 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.1.0-dev.830 +7.1.0-rc1 From 05f8d043a75988392f5b1aa804354ea28617d2d1 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 16 Dec 2024 12:37:25 -0700 Subject: [PATCH 04/14] Merge remote-tracking branch 'origin/topic/awelzel/4084-vector-of-pattern-compare' * origin/topic/awelzel/4084-vector-of-pattern-compare: ZAM/relexpr-op NE for patterns Expr: Fix folding of pattern values to support == and != (cherry picked from commit 33eaa5ccda4157a34feb5ffc466f7371dc6d8eff) --- CHANGES | 13 +++++++++++++ VERSION | 2 +- src/Expr.cc | 16 ++++++++++++---- src/script_opt/ZAM/OPs/rel-exprs.op | 3 ++- testing/btest/Baseline/language.vector/out | 2 ++ testing/btest/Baseline/opt.validate-ZAM/output | 2 +- testing/btest/language/vector.zeek | 7 +++++++ 7 files changed, 38 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 8fe262c0a4..4fbe8c7095 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,16 @@ +7.1.0-rc1.1 | 2024-12-16 13:02:12 -0700 + + * ZAM/relexpr-op NE for patterns (Vern Paxson, Corelight) + + (cherry picked from commit 33eaa5ccda4157a34feb5ffc466f7371dc6d8eff) + + * Expr: Fix folding of pattern values to support == and != (Arne Welzel, Corelight) + The fatal error is actually triggered at runtime, so it's a bit + dangerous for users, but not sure there's many use-cases to + compare vectors of patterns. + + (cherry picked from commit 33eaa5ccda4157a34feb5ffc466f7371dc6d8eff) + 7.1.0-rc1 | 2024-12-16 11:01:50 -0700 * Update docs submodule [nomail] [skip ci] (Tim Wojtulewicz) diff --git a/VERSION b/VERSION index db45bc9329..490966df74 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -7.1.0-rc1 +7.1.0-rc1.1 diff --git a/src/Expr.cc b/src/Expr.cc index cd1c98ebd3..88c2bbd759 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -925,12 +925,20 @@ ValPtr BinaryExpr::PatternFold(Val* v1, Val* v2) const { const RE_Matcher* re1 = v1->AsPattern(); const RE_Matcher* re2 = v2->AsPattern(); - if ( tag != EXPR_AND && tag != EXPR_OR ) + ValPtr res; + if ( tag == EXPR_AND || tag == EXPR_OR ) { + RE_Matcher* matcher = tag == EXPR_AND ? RE_Matcher_conjunction(re1, re2) : RE_Matcher_disjunction(re1, re2); + res = make_intrusive(matcher); + } + else if ( tag == EXPR_EQ || tag == EXPR_NE ) { + bool cmp = strcmp(re1->PatternText(), re2->PatternText()); + res = val_mgr->Bool(tag == EXPR_EQ ? cmp == 0 : cmp != 0); + } + else { BadTag("BinaryExpr::PatternFold"); + } - RE_Matcher* res = tag == EXPR_AND ? RE_Matcher_conjunction(re1, re2) : RE_Matcher_disjunction(re1, re2); - - return make_intrusive(res); + return res; } ValPtr BinaryExpr::SetFold(Val* v1, Val* v2) const { diff --git a/src/script_opt/ZAM/OPs/rel-exprs.op b/src/script_opt/ZAM/OPs/rel-exprs.op index 92c35b7ce6..f4ed1a023f 100644 --- a/src/script_opt/ZAM/OPs/rel-exprs.op +++ b/src/script_opt/ZAM/OPs/rel-exprs.op @@ -29,7 +29,7 @@ eval-type P strcmp($1->Get()->PatternText(), $2->Get()->PatternText()) == 0 eval-mixed P S $1->MatchExactly($2->AsString()) rel-expr-op NE -op-type I U D S T A N F +op-type I U D S T A N F P vector eval $1 != $2 eval-type S Bstr_cmp($1->AsString(), $2->AsString()) != 0 @@ -37,6 +37,7 @@ eval-type T ! $1->EqualTo(*$2) eval-type A $1->AsAddr() != $2->AsAddr() eval-type N $1->AsSubNet() != $2->AsSubNet() eval-type F $1->GetName() != $2->GetName() +eval-type P strcmp($1->Get()->PatternText(), $2->Get()->PatternText()) != 0 eval-mixed P S ! $1->MatchExactly($2->AsString()) # Note, canonicalization means that GE and GT shouldn't occur diff --git a/testing/btest/Baseline/language.vector/out b/testing/btest/Baseline/language.vector/out index 5887d66595..03d2d0c894 100644 
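Review bot: In the `EXPR_EQ`/`EXPR_NE` branch of `BinaryExpr::PatternFold`, `bool cmp = strcmp(re1->PatternText(), re2->PatternText());` narrows the three-way result to a bool and then compares it with 0 in `cmp == 0 : cmp != 0`; it is correct only because zero/non-zero survives the conversion, and the declared type misleads. I would write `int cmp = strcmp(re1->PatternText(), re2->PatternText());` and add `// Patterns compare by source text, not by language equivalence (matches the ZAM eval-type P rules).` so readers know `/a|b/ == /b|a/` is false by design. If `BadTag` can return, the `else` branch falls through to `return res;` with a null `ValPtr`; that is presumably fatal, but a comment saying so would settle it. The function's signature precedes this hunk.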
--- a/testing/btest/Baseline/language.vector/out +++ b/testing/btest/Baseline/language.vector/out @@ -84,3 +84,5 @@ negative index (PASS) negative index (PASS) += of empty vector (PASS) += of empty vector (PASS) +pv1 == pv2 -> [T, F] (PASS) +pv1 != pv2 -> [F, T] (PASS) diff --git a/testing/btest/Baseline/opt.validate-ZAM/output b/testing/btest/Baseline/opt.validate-ZAM/output index 2f91ef7f21..e99ede3a6b 100644 --- a/testing/btest/Baseline/opt.validate-ZAM/output +++ b/testing/btest/Baseline/opt.validate-ZAM/output @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -1248 valid, 1890 tested, 437 skipped +1255 valid, 1908 tested, 440 skipped diff --git a/testing/btest/language/vector.zeek b/testing/btest/language/vector.zeek index 820261e0e8..60f4178358 100644 --- a/testing/btest/language/vector.zeek +++ b/testing/btest/language/vector.zeek @@ -241,4 +241,11 @@ event zeek_init() v26 += vector(); test_case( "+= of empty vector", |v26| == 0 ); + # Pattern vectors + local pv1 = vector(/a/, /b/); + local pv2 = vector(/a/, /c/); + local pv_eq = pv1 == pv2; + local pv_ne = pv1 != pv2; + test_case( fmt("pv1 == pv2 -> %s", pv_eq), (pv_eq[0] == T) && (pv_eq[1] == F) ); + test_case( fmt("pv1 != pv2 -> %s", pv_ne), (pv_ne[0] == F) && (pv_ne[1] == T) ); } From a2419f30bdcb5123c1a492dabea83494847287b1 Mon Sep 17 00:00:00 2001 From: Benjamin Bannier Date: Mon, 6 Jan 2025 14:14:12 +0100 Subject: [PATCH 05/14] Bump auxil/spicy to latest release --- auxil/spicy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auxil/spicy b/auxil/spicy index d59f2458a4..c8b709fa59 160000 --- a/auxil/spicy +++ b/auxil/spicy @@ -1 +1 @@ -Subproject commit d59f2458a480d5bd5d66810aa77f1918e94bb244 +Subproject commit c8b709fa5936b5bf318de7c63e694e0077ad5dd4 From 3197fd74ef5ce4ef1f72707501973d72f8376585 Mon Sep 17 00:00:00 2001 
From: Benjamin Bannier Date: Mon, 6 Jan 2025 14:19:29 +0100 Subject: [PATCH 06/14] Bump spicy-format pre-commit hook --- .pre-commit-config.yaml | 2 +- auxil/spicy | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f6cfed7519..2deb32b668 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -47,7 +47,7 @@ repos: exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES|scripts/base/protocols/ssl/mozilla-ca-list.zeek)$' - repo: https://github.com/bbannier/spicy-format - rev: v0.22.0 + rev: v0.23.0 hooks: - id: spicy-format # TODO: Reformat existing large analyzers just before 8.0. diff --git a/auxil/spicy b/auxil/spicy index c8b709fa59..0e1959acae 160000 --- a/auxil/spicy +++ b/auxil/spicy @@ -1 +1 @@ -Subproject commit c8b709fa5936b5bf318de7c63e694e0077ad5dd4 +Subproject commit 0e1959acaeb17eceeeb2f03e9c2f8b9240c785e1 From 0f3af67f6f52b74119831ee1527878a769c23827 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 6 Jan 2025 16:23:08 -0700 Subject: [PATCH 07/14] Update doc submodule [nomail] [skip ci] --- doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc b/doc index 698ca5e36c..3292435ff5 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 698ca5e36c3df57512222b6bfe05351bbdbba174 +Subproject commit 3292435ff52d4f52d489896b823abde72c3cfcae From 86663c071c23b90a7ffe778c410414bfaa8160c0 Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Sun, 5 Jan 2025 14:19:15 -0700 Subject: [PATCH 08/14] Merge remote-tracking branch 'origin/topic/bbannier/fix-zeek-see-uses' * origin/topic/bbannier/fix-zeek-see-uses: Fix incorrect uses of `zeek:see` (cherry picked from commit 6deae2d28d49a25a3498dc3c79e1f5ede59f766f) --- CHANGES | 12 ++++++++++++ VERSION | 2 +- scripts/base/frameworks/logging/main.zeek | 10 +++++----- scripts/base/init-bare.zeek | 3 +++ scripts/policy/frameworks/management/agent/api.zeek | 2 +- src/analyzer/protocol/ssl/events.bif | 2 +- src/zeek.bif | 6 +++--- 7 files changed, 26 insertions(+), 11 deletions(-) diff --git a/CHANGES b/CHANGES index 1c1f4d7ba7..aa33184823 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,15 @@ +7.1.0-rc1.6 | 2025-01-06 16:23:36 -0700 + + * Fix incorrect uses of `zeek:see` (Benjamin Bannier) + + This fixes instances where `zeek:see` was used incorrectly so it was not + rendered correctly. All these instances have been found by looking for + `zeek:see` in the generated HTML where it should not be visible anymore. + + I also removed a doc reference to `paraglob_add` which never existed. + + (cherry picked from commit 6deae2d28d49a25a3498dc3c79e1f5ede59f766f) + 7.1.0-rc1.4 | 2025-01-06 08:16:36 -0700 * Bump spicy-format pre-commit hook (Benjamin Bannier, Corelight) diff --git a/VERSION b/VERSION index 8dae3e3f7e..1aa5bbb79b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.1.0-rc1.4 +7.1.0-rc1.6 diff --git a/scripts/base/frameworks/logging/main.zeek b/scripts/base/frameworks/logging/main.zeek index 0a55d25a38..953b6a51de 100644 --- a/scripts/base/frameworks/logging/main.zeek +++ b/scripts/base/frameworks/logging/main.zeek 
@@ -509,8 +509,8 @@ export { ## ## Returns: The set of filter names associated with the stream. ## - ## ..zeek:see:: Log::remove_filter Log::add_default_filter - ## Log::remove_default_filter Log::get_filter + ## .. zeek:see:: Log::remove_filter Log::add_default_filter + ## Log::remove_default_filter Log::get_filter global get_filter_names: function(id: ID) : set[string]; ## Gets a filter associated with an existing logging stream. @@ -635,7 +635,7 @@ export { ## Type of function to invoke when delaying a log write has completed. ## ## Functions of this type take the same arguments as :zeek:see:`Log::StreamPolicyHook` - ## and act as a callback passed to zeek:see:`Log::delay`. They execute + ## and act as a callback passed to :zeek:see:`Log::delay`. They execute ## just before the record is forwarded to the individual log filters. ## ## Returning ``F`` from a post delay callback discards the log write. @@ -658,7 +658,7 @@ export { ## as parameters. ## ## Conceptually, the delay is inserted between the execution of the - ## zeek:see:`Log::log_stream_policy` hook and the policy hooks of filters. + ## :zeek:see:`Log::log_stream_policy` hook and the policy hooks of filters. ## ## Calling this function increments a reference count that can subsequently ## be decremented using :zeek:see:`Log::delay_finish`. @@ -701,7 +701,7 @@ export { ## ## Multiple calls to this function will only ever increase the maximum ## delay, the delay cannot be lowered. The default maximum delay for a - ## stream is zeek:see:`Log::default_max_delay_interval`. + ## stream is :zeek:see:`Log::default_max_delay_interval`. ## ## When a stream is removed and re-created via :zeek:see:`Log::create_stream`, ## the new stream is re-configured with the previously used maximum delay. diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index ab337d3591..6810b6f51e 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
@@ -3903,6 +3903,7 @@ export { type DHCP::Addrs: vector of addr; ## A DHCP message. + ## ## .. zeek:see:: dhcp_message type DHCP::Msg: record { op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY @@ -3922,6 +3923,7 @@ export { }; ## DHCP Client Identifier (Option 61) + ## ## .. zeek:see:: dhcp_message type DHCP::ClientID: record { hwtype: count; @@ -3942,6 +3944,7 @@ export { }; ## DHCP Relay Agent Information Option (Option 82) + ## ## .. zeek:see:: dhcp_message type DHCP::SubOpt: record { code: count; diff --git a/scripts/policy/frameworks/management/agent/api.zeek b/scripts/policy/frameworks/management/agent/api.zeek index ac938c13ae..a6a5555e2f 100644 --- a/scripts/policy/frameworks/management/agent/api.zeek +++ b/scripts/policy/frameworks/management/agent/api.zeek @@ -185,7 +185,7 @@ export { ## The agent sends this event upon peering as a "check-in", informing ## the controller that an agent of the given name is now available to ## communicate with. It is a controller-level equivalent of - ## `:zeek:see:`Broker::peer_added` and triggered by it. + ## :zeek:see:`Broker::peer_added` and triggered by it. ## ## instance: an instance name, really the agent's name as per ## :zeek:see:`Management::Agent::get_name`. diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 3a6e0e3ff7..03f03f0091 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -655,7 +655,7 @@ event ssl_encrypted_data%(c: connection, is_client: bool, record_version: count, ## not correct; the client can send more handshake packets before the finished message, e.g., ## when client certificates are used. ## -## Note that :zeek:see::ssl_encrypted_data is also raised for these messages. +## Note that :zeek:see:`ssl_encrypted_data` is also raised for these messages. ## ## c: The connection. ## diff --git a/src/zeek.bif b/src/zeek.bif index cc2321408e..1a42f00344 100644 --- a/src/zeek.bif +++ b/src/zeek.bif 
@@ -881,7 +881,7 @@ function sha256_hash_finish%(handle: opaque of sha256%): string ## ## Returns: A new, compiled, paraglob with the patterns in *v* ## -## .. zeek:see::paraglob_match paraglob_equals paraglob_add +## .. zeek:see:: paraglob_match paraglob_equals function paraglob_init%(v: any%) : opaque of paraglob %{ if ( v->GetType()->Tag() != zeek::TYPE_VECTOR || @@ -921,7 +921,7 @@ function paraglob_init%(v: any%) : opaque of paraglob ## ## Returns: A vector of strings matching the input string. ## -## ## .. zeek:see::paraglob_add paraglob_equals paraglob_init +## .. zeek:see:: paraglob_equals paraglob_init function paraglob_match%(handle: opaque of paraglob, match: string%): string_vec %{ return static_cast(handle)->Get(match); @@ -935,7 +935,7 @@ function paraglob_match%(handle: opaque of paraglob, match: string%): string_vec ## ## Returns: True if both paraglobs contain the same patterns, false otherwise. ## -## ## .. zeek:see::paraglob_add paraglob_match paraglob_init +## .. zeek:see:: paraglob_match paraglob_init function paraglob_equals%(p_one: opaque of paraglob, p_two: opaque of paraglob%) : bool %{ return zeek::val_mgr->Bool( From 6679de4dc29f77a69ae0041689c5ca218e3bd0eb Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Mon, 6 Jan 2025 16:31:55 -0700 Subject: [PATCH 09/14] Update doc submodule [nomail] [skip ci] --- doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc b/doc index 3292435ff5..72e50ddc22 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 3292435ff52d4f52d489896b823abde72c3cfcae +Subproject commit 72e50ddc22d235ac92ce03ed06abce4f0d0f87da From 6f7cb325c65caf166b23c490641f928899d15a3a Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Mon, 6 Jan 2025 15:51:03 -0700 Subject: [PATCH 10/14] Merge remote-tracking branch 'origin/topic/johanna/more-post-quantum-curves' * origin/topic/johanna/more-post-quantum-curves: Update ssl consts with more post-quantum curves (cherry picked from commit 7f4a620db6d0009aa60deaa8c1031038ad2de7d3) --- CHANGES | 6 ++++++ VERSION | 2 +- scripts/base/protocols/ssl/consts.zeek | 8 ++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index aa33184823..633a6812e3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +7.1.0-rc1.8 | 2025-01-07 10:06:11 -0700 + + * Update ssl consts with more post-quantum curves (Johanna Amann, Corelight) + + (cherry picked from commit 7f4a620db6d0009aa60deaa8c1031038ad2de7d3) + 7.1.0-rc1.6 | 2025-01-06 16:23:36 -0700 * Fix incorrect uses of `zeek:see` (Benjamin Bannier) diff --git a/VERSION b/VERSION index 1aa5bbb79b..bb0206123d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.1.0-rc1.6 +7.1.0-rc1.8 diff --git a/scripts/base/protocols/ssl/consts.zeek b/scripts/base/protocols/ssl/consts.zeek index 9c1854285b..603b9dbf61 100644 --- a/scripts/base/protocols/ssl/consts.zeek +++ b/scripts/base/protocols/ssl/consts.zeek @@ -359,6 +359,14 @@ export { [258] = "ffdhe4096", [259] = "ffdhe6144", [260] = "ffdhe8192", + # draft-connolly-tls-mlkem-key-agreement-03 + [512] = "MLKEM512", + [513] = "MLKEM768", + [514] = "MLKEM1024", + # draft-kwiatkowski-tls-ecdhe-mlkem-03] + [4587] = "SecP256r1MLKEM768", + [4588] = "X25519MLKEM768", + [4589] = "SecP384r1MLKEM1024", [25497] = "X25519Kyber768Draft00", # draft-tls-westerbaan-xyber768d00-02 [25498] = "SecP256r1Kyber768Draft00", # draft-kwiatkowski-tls-ecdhe-kyber-01 [0xFF01] = "arbitrary_explicit_prime_curves", From addbc4ef31cb2c9888bfab454209567645094202 Mon Sep 17 00:00:00 2001 
From: Tim Wojtulewicz Date: Tue, 7 Jan 2025 10:05:15 -0700 Subject: [PATCH 11/14] Merge remote-tracking branch 'origin/topic/johanna/even-more-tls-const-updates' * origin/topic/johanna/even-more-tls-const-updates: More updates to the SSL consts from recent protocol additions (cherry picked from commit 2ce71a75a7337cd105e0b8b88a885f9241cc499a) --- CHANGES | 6 +++++ VERSION | 2 +- scripts/base/protocols/ssl/consts.zeek | 32 ++++++++++++++++++-------- 3 files changed, 29 insertions(+), 11 deletions(-) diff --git a/CHANGES b/CHANGES index 633a6812e3..4cefc0fe1c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +7.1.0-rc1.9 | 2025-01-07 10:07:20 -0700 + + * More updates to the SSL consts from recent protocol additions (Johanna Amann, Corelight) + + (cherry picked from commit 2ce71a75a7337cd105e0b8b88a885f9241cc499a) + 7.1.0-rc1.8 | 2025-01-07 10:06:11 -0700 * Update ssl consts with more post-quantum curves (Johanna Amann, Corelight) diff --git a/VERSION b/VERSION index bb0206123d..950ba6366a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.1.0-rc1.8 +7.1.0-rc1.9 diff --git a/scripts/base/protocols/ssl/consts.zeek b/scripts/base/protocols/ssl/consts.zeek index 603b9dbf61..1a853834cd 100644 --- a/scripts/base/protocols/ssl/consts.zeek +++ b/scripts/base/protocols/ssl/consts.zeek @@ -38,6 +38,9 @@ export { const HANDSHAKE = 22; const APPLICATION_DATA = 23; const HEARTBEAT = 24; + const TLS12_CID = 25; # RFC 9146 + const TLS13_ACK = 26; # RFC 9147 + const RETURN_ROUTABILITY_CHECK = 26; # draft-ietf-tls-dtls-rrc-10 const V2_ERROR = 300; const V2_CLIENT_HELLO = 301; const V2_CLIENT_MASTER_KEY = 302; 
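Review bot: `TLS13_ACK` and `RETURN_ROUTABILITY_CHECK` are both assigned 26 in the content-type block, so any consumer that switches on the record type cannot tell them apart and the second constant is effectively dead. RFC 9147 does register 26 for `ack`; as far as I recall the return-routability-check draft's ContentType was registered under a separate (temporary) IANA value, 27, so please confirm against draft-ietf-tls-dtls-rrc-10 and the IANA TLS ContentType registry before release. If that is right, the line becomes `const RETURN_ROUTABILITY_CHECK = 27; # draft-ietf-tls-dtls-rrc-10 (IANA temporary registration)`. The enclosing `export { ... }` block starts and ends outside this hunk.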
@@ -49,8 +52,8 @@ export { const SERVER_HELLO = 2; const HELLO_VERIFY_REQUEST = 3; # RFC 6347 const SESSION_TICKET = 4; # RFC 5077 - const HELLO_RETRY_REQUEST = 6; # draft-ietf-tls-tls13-16 - const ENCRYPTED_EXTENSIONS = 8; # draft-ietf-tls-tls13-16 + const HELLO_RETRY_REQUEST = 6; # draft-ietf-tls-tls13-16 - moved to extension in final RFC + const ENCRYPTED_EXTENSIONS = 8; # RFC 8446 const CERTIFICATE = 11; const SERVER_KEY_EXCHANGE = 12; const CERTIFICATE_REQUEST = 13; @@ -61,7 +64,10 @@ export { const CERTIFICATE_URL = 21; # RFC 3546 const CERTIFICATE_STATUS = 22; # RFC 3546 const SUPPLEMENTAL_DATA = 23; # RFC 4680 - const KEY_UPDATE = 24; # draft-ietf-tls-tls13-16 + const KEY_UPDATE = 24; # RFC 8446 + const COMPRESSED_CERTIFICATE = 25; # RFC 8879 + const EKT_KEY = 26; # RFC 8870 + ## Mapping between numeric codes and human readable strings for alert ## levels. @@ -205,6 +211,8 @@ export { const SSL_EXTENSION_TICKET_REQUEST = 58; const SSL_EXTENSION_DNSSEC_CHAIN = 59; const SSL_EXTENSION_SEQUENCE_NUMBER_ENCRYPTION_ALGORITHMS = 60; + const SSL_EXTENSION_RRC = 61; + const SSL_EXTENSION_TLS_FLAGS = 62; const SSL_EXTENSION_NEXT_PROTOCOL_NEGOTIATION = 13172; const SSL_EXTENSION_ORIGIN_BOUND_CERTIFICATES = 13175; const SSL_EXTENSION_ENCRYPTED_CLIENT_CERTIFICATES = 13180; @@ -212,6 +220,7 @@ export { const SSL_EXTENSION_CHANNEL_ID = 30031; const SSL_EXTENSION_CHANNEL_ID_NEW = 30032; const SSL_EXTENSION_PADDING_TEMP = 35655; + const SSL_EXTENSION_ECH_OUTER_EXTENSION = 64768; const SSL_EXTENSION_ENCRYPTED_CLIENT_HELLO = 65037; const SSL_EXTENSION_RENEGOTIATION_INFO = 65281; 
@@ -278,9 +287,11 @@ export { [55] = "external_id_hash", # RFC8844 [56] = "external_session_id", # RFC8844 [57] = "quic_transport_parameters", # RFC9001 - [58] = "ticket_request", # RFC9149] + [58] = "ticket_request", # RFC9149 [59] = "dnssec_chain", # RFC9102 [60] = "sequence_number_encryption_algorithms", # draft-pismenny-tls-dtls-plaintext-sequence-number-01 + [61] = "rrc", # draft-ietf-tls-dtls-rrc-10 + [62] = "tls_flags", # draft-ietf-tls-tlsflags-14 [13172] = "next_protocol_negotiation", [13175] = "origin_bound_certificates", [13180] = "encrypted_client_certificates", @@ -288,7 +299,8 @@ export { [30031] = "channel_id", [30032] = "channel_id_new", [35655] = "padding", - [65037] = "encrypted_client_hello", # draft-ietf-tls-esni + [64768] = "ech_outer_extensions", # draft-ietf-tls-esni-17 + [65037] = "encrypted_client_hello", # draft-ietf-tls-esni-17 [65281] = "renegotiation_info", # GREASE values - rfc8701 [2570] = "grease_0x0A0A", @@ -363,7 +375,7 @@ export { [512] = "MLKEM512", [513] = "MLKEM768", [514] = "MLKEM1024", - # draft-kwiatkowski-tls-ecdhe-mlkem-03] + # draft-kwiatkowski-tls-ecdhe-mlkem-03 [4587] = "SecP256r1MLKEM768", [4588] = "X25519MLKEM768", [4589] = "SecP384r1MLKEM1024", @@ -769,12 +781,12 @@ export { const TLS_ECDHE_ECDSA_WITH_AES_256_CCM = 0xC0AD; const TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE; const TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF; - # RFC8492] + # RFC8492 const TLS_ECCPWD_WITH_AES_128_GCM_SHA256 = 0xC0B0; const TLS_ECCPWD_WITH_AES_256_GCM_SHA384 = 0xC0B1; const TLS_ECCPWD_WITH_AES_128_CCM_SHA256 = 0xC0B2; const TLS_ECCPWD_WITH_AES_256_CCM_SHA384 = 0xC0B3; - # RFC RFC9150 + # RFC9150 const TLS_SHA256_SHA256 = 0xC0B4; const TLS_SHA384_SHA384 = 0xC0B5; # RFC9189 
@@ -1191,12 +1203,12 @@ export { [TLS_ECDHE_ECDSA_WITH_AES_256_CCM] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", [TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8] = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", [TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", - # RFC8492] + # RFC8492 [TLS_ECCPWD_WITH_AES_128_GCM_SHA256] = "TLS_ECCPWD_WITH_AES_128_GCM_SHA256", [TLS_ECCPWD_WITH_AES_256_GCM_SHA384] = "TLS_ECCPWD_WITH_AES_256_GCM_SHA384", [TLS_ECCPWD_WITH_AES_128_CCM_SHA256] = "TLS_ECCPWD_WITH_AES_128_CCM_SHA256", [TLS_ECCPWD_WITH_AES_256_CCM_SHA384] = "TLS_ECCPWD_WITH_AES_256_CCM_SHA384", - # RFC RFC9150 + # RFC9150 [TLS_SHA256_SHA256] = "TLS_SHA256_SHA256", [TLS_SHA384_SHA384] = "TLS_SHA384_SHA384", # RFC9189 From 560cdcc0abefac827a823c6637556ac793eadfe9 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Tue, 7 Jan 2025 10:08:48 -0700 Subject: [PATCH 12/14] Update docs submodule [nomail] --- doc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc b/doc index 72e50ddc22..039fbc7f27 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 72e50ddc22d235ac92ce03ed06abce4f0d0f87da +Subproject commit 039fbc7f273643947b5c153bbe6df1eb6981a3a8 From 91571f34119a6b1167a408a3bb306727da917bc5 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Tue, 7 Jan 2025 11:41:31 -0700 Subject: [PATCH 13/14] Merge remote-tracking branch 'origin/topic/christian/news-7-1-contribs' * origin/topic/christian/news-7-1-contribs: Add 7.1 contributors to NEWS file [skip ci] (cherry picked from commit f1c054f8f3d4f2703bfc8c6d5b713bd2ecdd86c6) --- CHANGES | 6 ++++++ NEWS | 13 +++++++++++++ VERSION | 2 +- 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 4cefc0fe1c..23d1c18bf6 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,9 @@ +7.1.0-rc1.11 | 2025-01-07 11:42:30 -0700 + + * Add 7.1 contributors to NEWS file [skip ci] (Christian Kreibich, Corelight) + + (cherry picked from commit f1c054f8f3d4f2703bfc8c6d5b713bd2ecdd86c6) + 7.1.0-rc1.9 | 2025-01-07 10:07:20 -0700 * More updates to the SSL consts from recent protocol additions (Johanna Amann, Corelight) diff --git a/NEWS b/NEWS index fee004e09a..bc34e16b12 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,19 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file Zeek 7.1.0 ========== +We would like to thank Aashish Sharma (@initconf), Andras Gemes (@gemesa), +Anthony Kasza (@anthonykasza), Benjamin Grap (@blightzero), Chiragdeshlehra27, +@cooper-grill, Craig Leres (@leres), Eldon Koyle (@ekoyle), Emmanuele Zambon +(@zambo99), Fox-IT Data Science (@fox-ds), Fupeng Zhao (@AmazingPP), Jan +Grashöfer (@J-Gras), Jordan Barnartt (@JordanBarnartt), Jürgen Löhel (@jloehel), +Justin Azoff (@JustinAzoff), Lucas (@Lucasmeteenc), Martin van Hensbergen +(@martinvanhensbergen), Matti Bispham (@mbispham), Matteo (@skorpion98), Mike +Dopheide (@dopheide-esnet), Mike Peters (@MP-Corelight), Mohan Dhawan +(@Mohan-Dhawan), Pierre (@p-l-), @robinkou, Rodrigo Rojo (@r-rojo), @scyllaever, +Seth Hall (@sethhall), Simeon Miteff (@simeonmiteff), @Sonderino, @superzerosec, +Sven (@svenvanhal), Theo Buehler (@botovq), @timo-mue, @Zopazz, and +@zrobinette12 for their contributions to this release. + Breaking Changes ---------------- diff --git a/VERSION b/VERSION index 950ba6366a..a82e3e1047 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.1.0-rc1.9 +7.1.0-rc1.11 From 2836442a2c688fd9f799f01dfa2c7c051c5f6863 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Tue, 7 Jan 2025 11:45:10 -0700 Subject: [PATCH 14/14] Updating CHANGES and VERSION. --- CHANGES | 4 ++++ VERSION | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 23d1c18bf6..ee97b2d625 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,3 +1,7 @@ +7.1.0 | 2025-01-07 11:43:07 -0700 + + * Release 7.1.0. + 7.1.0-rc1.11 | 2025-01-07 11:42:30 -0700 * Add 7.1 contributors to NEWS file [skip ci] (Christian Kreibich, Corelight) diff --git a/VERSION b/VERSION index a82e3e1047..a3fcc7121b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.1.0-rc1.11 +7.1.0