Updating CHANGES and VERSION.

* origin/topic/christian/news-7-1-contribs:
  Add 7.1 contributors to NEWS file [skip ci]

(cherry picked from commit f1c054f8f3)

.pre-commit-config.yaml

@@ -47,7 +47,7 @@ repos:
       exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES|scripts/base/protocols/ssl/mozilla-ca-list.zeek)$'
 
 - repo: https://github.com/bbannier/spicy-format
-  rev: v0.22.0
+  rev: v0.23.0
   hooks:
     - id: spicy-format
       # TODO: Reformat existing large analyzers just before 8.0.

CHANGES

@@ -1,3 +1,87 @@
+7.1.0 | 2025-01-07 11:43:07 -0700
+
+  * Release 7.1.0.
+
+7.1.0-rc1.11 | 2025-01-07 11:42:30 -0700
+
+  * Add 7.1 contributors to NEWS file [skip ci] (Christian Kreibich, Corelight)  
+
+    (cherry picked from commit f1c054f8f3d4f2703bfc8c6d5b713bd2ecdd86c6)
+
+7.1.0-rc1.9 | 2025-01-07 10:07:20 -0700
+
+  * More updates to the SSL consts from recent protocol additions (Johanna Amann, Corelight)
+
+    (cherry picked from commit 2ce71a75a7337cd105e0b8b88a885f9241cc499a)
+
+7.1.0-rc1.8 | 2025-01-07 10:06:11 -0700
+
+  * Update ssl consts with more post-quantum curves (Johanna Amann, Corelight)
+
+    (cherry picked from commit 7f4a620db6d0009aa60deaa8c1031038ad2de7d3)
+
+7.1.0-rc1.6 | 2025-01-06 16:23:36 -0700
+
+  * Fix incorrect uses of `zeek:see` (Benjamin Bannier)
+
+    This fixes instances where `zeek:see` was used incorrectly so it was not
+    rendered correctly. All these instances have been found by looking for
+    `zeek:see` in the generated HTML where it should not be visible anymore.
+
+    I also removed a doc reference to `paraglob_add` which never existed.
+
+    (cherry picked from commit 6deae2d28d49a25a3498dc3c79e1f5ede59f766f)
+
+7.1.0-rc1.4 | 2025-01-06 08:16:36 -0700
+
+  * Bump spicy-format pre-commit hook (Benjamin Bannier, Corelight)
+
+  * Bump auxil/spicy to latest release (Benjamin Bannier, Corelight)
+
+7.1.0-rc1.1 | 2024-12-16 13:02:12 -0700
+
+  * ZAM/relexpr-op NE for patterns (Vern Paxson, Corelight)
+
+    (cherry picked from commit 33eaa5ccda4157a34feb5ffc466f7371dc6d8eff)
+
+  * Expr: Fix folding of pattern values to support == and != (Arne Welzel, Corelight)
+    The fatal error is actually triggered at runtime, so it's a bit
+    dangerous for users, but not sure there's many use-cases to
+    compare vectors of patterns.
+
+    (cherry picked from commit 33eaa5ccda4157a34feb5ffc466f7371dc6d8eff)
+
+7.1.0-rc1 | 2024-12-16 11:01:50 -0700
+
+  * Update docs submodule [nomail] [skip ci] (Tim Wojtulewicz)
+
+7.1.0-dev.830 | 2024-12-16 10:20:24 -0700
+
+  * QUIC/decrypt_crypto: Actually check if decryption was successful (Arne Welzel, Corelight)
+
+    ...and bail if it wasn't.
+
+    PCAP was produced using OSS-Fuzz input from issue 383379789.
+
+    (cherry picked from commit f940f2d88f3261f18b65cf7394ca40be16dc6a68)
+
+  * QUIC/decrypt_crypto: Limit payload_length to 10k (Arne Welzel, Corelight)
+
+    Given we dynamically allocate memory for decryption, employ a limit
+    that is unlikely to be hit, but allows for large payloads produced
+    by the fuzzer or jumbo frames.
+
+    (cherry picked from commit f940f2d88f3261f18b65cf7394ca40be16dc6a68)
+
+  * QUIC/decrypt_crypto: Fix decrypting into too small stack buffer (Arne Welzel, Corelight)
+
+    A QUIC initial packet larger than 1500 bytes could lead to crashes
+    due to the usage of a fixed size stack buffer for decryption.
+
+    Allocate the necessary memory dynamically on the heap instead.
+
+    (cherry picked from commit f940f2d88f3261f18b65cf7394ca40be16dc6a68)
+
 7.1.0-dev.829 | 2024-12-13 13:15:41 -0700
 
   * Updating submodule(s) [nomail] (Tim Wojtulewicz, Corelight)

NEWS

@@ -6,6 +6,19 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file
 Zeek 7.1.0
 ==========
 
+We would like to thank Aashish Sharma (@initconf), Andras Gemes (@gemesa),
+Anthony Kasza (@anthonykasza), Benjamin Grap (@blightzero), Chiragdeshlehra27,
+@cooper-grill, Craig Leres (@leres), Eldon Koyle (@ekoyle), Emmanuele Zambon
+(@zambo99), Fox-IT Data Science (@fox-ds), Fupeng Zhao (@AmazingPP), Jan
+Grashöfer (@J-Gras), Jordan Barnartt (@JordanBarnartt), Jürgen Löhel (@jloehel),
+Justin Azoff (@JustinAzoff), Lucas (@Lucasmeteenc), Martin van Hensbergen
+(@martinvanhensbergen), Matti Bispham (@mbispham), Matteo (@skorpion98), Mike
+Dopheide (@dopheide-esnet), Mike Peters (@MP-Corelight), Mohan Dhawan
+(@Mohan-Dhawan), Pierre (@p-l-), @robinkou, Rodrigo Rojo (@r-rojo), @scyllaever,
+Seth Hall (@sethhall), Simeon Miteff (@simeonmiteff), @Sonderino, @superzerosec,
+Sven (@svenvanhal), Theo Buehler (@botovq), @timo-mue, @Zopazz, and
+@zrobinette12 for their contributions to this release.
+
 Breaking Changes
 ----------------
 

VERSION

@@ -1 +1 @@
-7.1.0-dev.829
+7.1.0

auxil/spicy

@@ -1 +1 @@
-Subproject commit d59f2458a480d5bd5d66810aa77f1918e94bb244
+Subproject commit 0e1959acaeb17eceeeb2f03e9c2f8b9240c785e1

doc

@@ -1 +1 @@
-Subproject commit 69f1299287333c8835f7603050aa6afb5d4d080b
+Subproject commit 039fbc7f273643947b5c153bbe6df1eb6981a3a8

scripts/base/frameworks/logging/main.zeek

@@ -635,7 +635,7 @@ export {
 	## Type of function to invoke when delaying a log write has completed.
 	##
 	## Functions of this type take the same arguments as :zeek:see:`Log::StreamPolicyHook`
-	## and act as a callback passed to zeek:see:`Log::delay`. They execute
+	## and act as a callback passed to :zeek:see:`Log::delay`. They execute
 	## just before the record is forwarded to the individual log filters.
 	##
 	## Returning ``F`` from a post delay callback discards the log write.
@@ -658,7 +658,7 @@ export {
 	## as parameters.
 	##
 	## Conceptually, the delay is inserted between the execution of the
-	## zeek:see:`Log::log_stream_policy` hook and the policy hooks of filters.
+	## :zeek:see:`Log::log_stream_policy` hook and the policy hooks of filters.
 	##
 	## Calling this function increments a reference count that can subsequently
 	## be decremented using :zeek:see:`Log::delay_finish`.
@@ -701,7 +701,7 @@ export {
 	##
 	## Multiple calls to this function will only ever increase the maximum
 	## delay, the delay cannot be lowered. The default maximum delay for a
-	## stream is zeek:see:`Log::default_max_delay_interval`.
+	## stream is :zeek:see:`Log::default_max_delay_interval`.
 	##
 	## When a stream is removed and re-created via :zeek:see:`Log::create_stream`,
 	## the new stream is re-configured with the previously used maximum delay.

scripts/base/init-bare.zeek

@@ -3903,6 +3903,7 @@ export {
 	type DHCP::Addrs: vector of addr;
 
 	## A DHCP message.
+	##
 	## .. zeek:see:: dhcp_message
 	type DHCP::Msg: record {
 		op: count;      ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
@@ -3922,6 +3923,7 @@ export {
 	};
 
 	## DHCP Client Identifier (Option 61)
+	##
 	## .. zeek:see:: dhcp_message
 	type DHCP::ClientID: record {
 		hwtype: count;
@@ -3942,6 +3944,7 @@ export {
 	};
 
 	## DHCP Relay Agent Information Option (Option 82)
+	##
 	## .. zeek:see:: dhcp_message
 	type DHCP::SubOpt: record {
 		code: count;

scripts/base/protocols/ssl/consts.zeek

@@ -38,6 +38,9 @@ export {
 	const HANDSHAKE = 22;
 	const APPLICATION_DATA = 23;
 	const HEARTBEAT = 24;
+	const TLS12_CID = 25; # RFC 9146
+	const TLS13_ACK = 26; # RFC 9147
+	const RETURN_ROUTABILITY_CHECK = 26; # draft-ietf-tls-dtls-rrc-10
 	const V2_ERROR = 300;
 	const V2_CLIENT_HELLO = 301;
 	const V2_CLIENT_MASTER_KEY = 302;
@@ -49,8 +52,8 @@ export {
 	const SERVER_HELLO        = 2;
 	const HELLO_VERIFY_REQUEST = 3; # RFC 6347
 	const SESSION_TICKET      = 4; # RFC 5077
-	const HELLO_RETRY_REQUEST = 6; # draft-ietf-tls-tls13-16
-	const ENCRYPTED_EXTENSIONS = 8; # draft-ietf-tls-tls13-16
+	const HELLO_RETRY_REQUEST = 6; # draft-ietf-tls-tls13-16 - moved to extension in final RFC
+	const ENCRYPTED_EXTENSIONS = 8; # RFC 8446
 	const CERTIFICATE         = 11;
 	const SERVER_KEY_EXCHANGE = 12;
 	const CERTIFICATE_REQUEST = 13;
@@ -61,7 +64,10 @@ export {
 	const CERTIFICATE_URL     = 21; # RFC 3546
 	const CERTIFICATE_STATUS  = 22; # RFC 3546
 	const SUPPLEMENTAL_DATA   = 23; # RFC 4680
-	const KEY_UPDATE          = 24; # draft-ietf-tls-tls13-16
+	const KEY_UPDATE          = 24; # RFC 8446
+	const COMPRESSED_CERTIFICATE = 25; # RFC 8879
+	const EKT_KEY = 26; # RFC 8870
+
 
 	## Mapping between numeric codes and human readable strings for alert
 	## levels.
@@ -205,6 +211,8 @@ export {
 	const SSL_EXTENSION_TICKET_REQUEST = 58;
 	const SSL_EXTENSION_DNSSEC_CHAIN = 59;
 	const SSL_EXTENSION_SEQUENCE_NUMBER_ENCRYPTION_ALGORITHMS = 60;
+	const SSL_EXTENSION_RRC = 61;
+	const SSL_EXTENSION_TLS_FLAGS = 62;
 	const SSL_EXTENSION_NEXT_PROTOCOL_NEGOTIATION = 13172;
 	const SSL_EXTENSION_ORIGIN_BOUND_CERTIFICATES = 13175;
 	const SSL_EXTENSION_ENCRYPTED_CLIENT_CERTIFICATES = 13180;
@@ -212,6 +220,7 @@ export {
 	const SSL_EXTENSION_CHANNEL_ID = 30031;
 	const SSL_EXTENSION_CHANNEL_ID_NEW = 30032;
 	const SSL_EXTENSION_PADDING_TEMP = 35655;
+	const SSL_EXTENSION_ECH_OUTER_EXTENSION = 64768;
 	const SSL_EXTENSION_ENCRYPTED_CLIENT_HELLO = 65037;
 	const SSL_EXTENSION_RENEGOTIATION_INFO = 65281;
 
@@ -278,9 +287,11 @@ export {
 		[55] = "external_id_hash", # RFC8844
 		[56] = "external_session_id", # RFC8844
 		[57] = "quic_transport_parameters", # RFC9001
-		[58] = "ticket_request", # RFC9149]
+		[58] = "ticket_request", # RFC9149
 		[59] = "dnssec_chain", # RFC9102
 		[60] = "sequence_number_encryption_algorithms", # draft-pismenny-tls-dtls-plaintext-sequence-number-01
+		[61] = "rrc", # draft-ietf-tls-dtls-rrc-10
+		[62] = "tls_flags", # draft-ietf-tls-tlsflags-14
 		[13172] = "next_protocol_negotiation",
 		[13175] = "origin_bound_certificates",
 		[13180] = "encrypted_client_certificates",
@@ -288,7 +299,8 @@ export {
 		[30031] = "channel_id",
 		[30032] = "channel_id_new",
 		[35655] = "padding",
-		[65037] = "encrypted_client_hello", # draft-ietf-tls-esni
+		[64768] = "ech_outer_extensions", # draft-ietf-tls-esni-17
+		[65037] = "encrypted_client_hello", # draft-ietf-tls-esni-17
 		[65281] = "renegotiation_info",
 		# GREASE values - rfc8701
 		[2570] = "grease_0x0A0A",
@@ -359,6 +371,14 @@ export {
 		[258] = "ffdhe4096",
 		[259] = "ffdhe6144",
 		[260] = "ffdhe8192",
+		# draft-connolly-tls-mlkem-key-agreement-03
+		[512] = "MLKEM512",
+		[513] = "MLKEM768",
+		[514] = "MLKEM1024",
+		# draft-kwiatkowski-tls-ecdhe-mlkem-03
+		[4587] = "SecP256r1MLKEM768",
+		[4588] = "X25519MLKEM768",
+		[4589] = "SecP384r1MLKEM1024",
 		[25497] = "X25519Kyber768Draft00", # draft-tls-westerbaan-xyber768d00-02
 		[25498] = "SecP256r1Kyber768Draft00", # draft-kwiatkowski-tls-ecdhe-kyber-01
 		[0xFF01] = "arbitrary_explicit_prime_curves",
@@ -761,12 +781,12 @@ export {
 	const TLS_ECDHE_ECDSA_WITH_AES_256_CCM = 0xC0AD;
 	const TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE;
 	const TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF;
-	# RFC8492]
+	# RFC8492
 	const TLS_ECCPWD_WITH_AES_128_GCM_SHA256 = 0xC0B0;
 	const TLS_ECCPWD_WITH_AES_256_GCM_SHA384 = 0xC0B1;
 	const TLS_ECCPWD_WITH_AES_128_CCM_SHA256 = 0xC0B2;
 	const TLS_ECCPWD_WITH_AES_256_CCM_SHA384 = 0xC0B3;
-	# RFC RFC9150
+	# RFC9150
 	const TLS_SHA256_SHA256 = 0xC0B4;
 	const TLS_SHA384_SHA384 = 0xC0B5;
 	# RFC9189
@@ -1183,12 +1203,12 @@ export {
 		[TLS_ECDHE_ECDSA_WITH_AES_256_CCM] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
 		[TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8] = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
 		[TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
-		# RFC8492]
+		# RFC8492
 		[TLS_ECCPWD_WITH_AES_128_GCM_SHA256] = "TLS_ECCPWD_WITH_AES_128_GCM_SHA256",
 		[TLS_ECCPWD_WITH_AES_256_GCM_SHA384] = "TLS_ECCPWD_WITH_AES_256_GCM_SHA384",
 		[TLS_ECCPWD_WITH_AES_128_CCM_SHA256] = "TLS_ECCPWD_WITH_AES_128_CCM_SHA256",
 		[TLS_ECCPWD_WITH_AES_256_CCM_SHA384] = "TLS_ECCPWD_WITH_AES_256_CCM_SHA384",
-		# RFC RFC9150
+		# RFC9150
 		[TLS_SHA256_SHA256] = "TLS_SHA256_SHA256",
 		[TLS_SHA384_SHA384] = "TLS_SHA384_SHA384",
 		# RFC9189

scripts/policy/frameworks/management/agent/api.zeek

@@ -185,7 +185,7 @@ export {
 	## The agent sends this event upon peering as a "check-in", informing
 	## the controller that an agent of the given name is now available to
 	## communicate with. It is a controller-level equivalent of
-	## `:zeek:see:`Broker::peer_added` and triggered by it.
+	## :zeek:see:`Broker::peer_added` and triggered by it.
 	##
 	## instance: an instance name, really the agent's name as per
 	##    :zeek:see:`Management::Agent::get_name`.

src/Expr.cc

@@ -925,12 +925,20 @@ ValPtr BinaryExpr::PatternFold(Val* v1, Val* v2) const {
     const RE_Matcher* re1 = v1->AsPattern();
     const RE_Matcher* re2 = v2->AsPattern();
 
-    if ( tag != EXPR_AND && tag != EXPR_OR )
+    ValPtr res;
+    if ( tag == EXPR_AND || tag == EXPR_OR ) {
+        RE_Matcher* matcher = tag == EXPR_AND ? RE_Matcher_conjunction(re1, re2) : RE_Matcher_disjunction(re1, re2);
+        res = make_intrusive<PatternVal>(matcher);
+    }
+    else if ( tag == EXPR_EQ || tag == EXPR_NE ) {
+        bool cmp = strcmp(re1->PatternText(), re2->PatternText());
+        res = val_mgr->Bool(tag == EXPR_EQ ? cmp == 0 : cmp != 0);
+    }
+    else {
         BadTag("BinaryExpr::PatternFold");
+    }
 
-    RE_Matcher* res = tag == EXPR_AND ? RE_Matcher_conjunction(re1, re2) : RE_Matcher_disjunction(re1, re2);
-
-    return make_intrusive<PatternVal>(res);
+    return res;
 }
 
 ValPtr BinaryExpr::SetFold(Val* v1, Val* v2) const {

src/analyzer/protocol/quic/decrypt_crypto.cc

@@ -60,7 +60,6 @@ const size_t AEAD_IV_LEN = 12;
 const size_t AEAD_HP_LEN = 16;
 const size_t AEAD_SAMPLE_LENGTH = 16;
 const size_t AEAD_TAG_LENGTH = 16;
-const size_t MAXIMUM_PACKET_LENGTH = 1500;
 const size_t MAXIMUM_PACKET_NUMBER_LENGTH = 4;
 
 EVP_CIPHER_CTX* get_aes_128_ecb() {
@@ -153,12 +152,17 @@ Function that calls the AEAD decryption routine, and returns the decrypted data.
 */
 hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt::Bytes& all_data,
                          uint64_t payload_length, const DecryptionInformation& decryptInfo) {
-    int out, out2, res;
+    int out, out2;
 
     if ( payload_length < decryptInfo.packet_number_length + AEAD_TAG_LENGTH )
         throw hilti::rt::RuntimeError(hilti::rt::fmt("payload too small %ld < %ld", payload_length,
                                                      decryptInfo.packet_number_length + AEAD_TAG_LENGTH));
 
+    // Bail on large payloads, somewhat arbitrarily. 10k allows for Jumbo frames
+    // and sometimes the fuzzer produces packets up to that size as well.
+    if ( payload_length > 10000 )
+        throw hilti::rt::RuntimeError(hilti::rt::fmt("payload_length too large %ld", payload_length));
+
     const uint8_t* encrypted_payload = data_as_uint8(all_data) + decryptInfo.unprotected_header.size();
 
     int encrypted_payload_size = payload_length - decryptInfo.packet_number_length - AEAD_TAG_LENGTH;
@@ -173,7 +177,8 @@ hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt
     const void* tag_to_check = all_data.data() + decryptInfo.unprotected_header.size() + encrypted_payload_size;
     int tag_to_check_length = AEAD_TAG_LENGTH;
 
-    std::array<uint8_t, MAXIMUM_PACKET_LENGTH> decrypt_buffer;
+    // Allocate memory for decryption.
+    std::vector<uint8_t> decrypt_buffer(encrypted_payload_size);
 
     // Setup context
     auto* ctx = get_aes_128_gcm();
@@ -197,7 +202,8 @@ hilti::rt::Bytes decrypt(const std::vector<uint8_t>& client_key, const hilti::rt
     EVP_CipherUpdate(ctx, decrypt_buffer.data(), &out, encrypted_payload, encrypted_payload_size);
 
     // Validate whether the decryption was successful or not
-    EVP_CipherFinal_ex(ctx, NULL, &out2);
+    if ( EVP_CipherFinal_ex(ctx, NULL, &out2) == 0 )
+        throw hilti::rt::RuntimeError("decryption failed");
 
     // Copy the decrypted data from the decrypted buffer into a Bytes instance.
     return hilti::rt::Bytes(decrypt_buffer.data(), decrypt_buffer.data() + out);

src/analyzer/protocol/ssl/events.bif

@@ -655,7 +655,7 @@ event ssl_encrypted_data%(c: connection, is_client: bool, record_version: count,
 ## not correct; the client can send more handshake packets before the finished message, e.g.,
 ## when client certificates are used.
 ##
-## Note that :zeek:see::ssl_encrypted_data is also raised for these messages.
+## Note that :zeek:see:`ssl_encrypted_data` is also raised for these messages.
 ##
 ## c: The connection.
 ##

src/script_opt/ZAM/OPs/rel-exprs.op

@@ -29,7 +29,7 @@ eval-type P	strcmp($1->Get()->PatternText(), $2->Get()->PatternText()) == 0
 eval-mixed P S	$1->MatchExactly($2->AsString())
 
 rel-expr-op NE
-op-type I U D S T A N F
+op-type I U D S T A N F P
 vector
 eval $1 != $2
 eval-type S	Bstr_cmp($1->AsString(), $2->AsString()) != 0
@@ -37,6 +37,7 @@ eval-type T	! $1->EqualTo(*$2)
 eval-type A	$1->AsAddr() != $2->AsAddr()
 eval-type N	$1->AsSubNet() != $2->AsSubNet()
 eval-type F	$1->GetName() != $2->GetName()
+eval-type P	strcmp($1->Get()->PatternText(), $2->Get()->PatternText()) != 0
 eval-mixed P S	! $1->MatchExactly($2->AsString())
 
 # Note, canonicalization means that GE and GT shouldn't occur

src/zeek.bif

@@ -881,7 +881,7 @@ function sha256_hash_finish%(handle: opaque of sha256%): string
 ##
 ## Returns: A new, compiled, paraglob with the patterns in *v*
 ##
-## .. zeek:see::paraglob_match paraglob_equals paraglob_add
+## .. zeek:see:: paraglob_match paraglob_equals
 function paraglob_init%(v: any%) : opaque of paraglob
 	%{
 	if ( v->GetType()->Tag() != zeek::TYPE_VECTOR ||
@@ -921,7 +921,7 @@ function paraglob_init%(v: any%) : opaque of paraglob
 ##
 ## Returns: A vector of strings matching the input string.
 ##
-## ## .. zeek:see::paraglob_add paraglob_equals paraglob_init
+## .. zeek:see:: paraglob_equals paraglob_init
 function paraglob_match%(handle: opaque of paraglob, match: string%): string_vec
 	%{
 	return static_cast<ParaglobVal*>(handle)->Get(match);
@@ -935,7 +935,7 @@ function paraglob_match%(handle: opaque of paraglob, match: string%): string_vec
 ##
 ## Returns: True if both paraglobs contain the same patterns, false otherwise.
 ##
-## ## .. zeek:see::paraglob_add paraglob_match paraglob_init
+## .. zeek:see:: paraglob_match paraglob_init
 function paraglob_equals%(p_one: opaque of paraglob, p_two: opaque of paraglob%) : bool
 	%{
 	return zeek::val_mgr->Bool(

testing/btest/Baseline/language.vector/out

@@ -84,3 +84,5 @@ negative index (PASS)
 negative index (PASS)
 += of empty vector (PASS)
 += of empty vector (PASS)
+pv1 == pv2 -> [T, F] (PASS)
+pv1 != pv2 -> [F, T] (PASS)

testing/btest/Baseline/opt.validate-ZAM/output

@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-1248 valid, 1890 tested, 437 skipped
+1255 valid, 1908 tested, 440 skipped

testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/analyzer.log.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	cause	analyzer_kind	analyzer_name	failure_reason
+1733909795.417573	C4J4Th3PJpwUYZZ6gc	violation	protocol	QUIC	decryption failed (<...>/QUIC.spicy:<location>)

testing/btest/Baseline/scripts.base.protocols.quic.decrypt-crash/conn.log.cut

@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	proto	history	service
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	udp	D	-
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	udp	D	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	tcp	F	ftp

testing/btest/language/vector.zeek

@@ -241,4 +241,11 @@ event zeek_init()
 	v26 += vector();
 	test_case( "+= of empty vector", |v26| == 0 );
 
+	# Pattern vectors
+	local pv1 = vector(/a/, /b/);
+	local pv2 = vector(/a/, /c/);
+	local pv_eq = pv1 == pv2;
+	local pv_ne = pv1 != pv2;
+	test_case( fmt("pv1 == pv2 -> %s", pv_eq), (pv_eq[0] == T) && (pv_eq[1] == F) );
+	test_case( fmt("pv1 != pv2 -> %s", pv_ne), (pv_ne[0] == F) && (pv_ne[1] == T) );
 }

testing/btest/scripts/base/protocols/quic/decrypt-crash.zeek

@@ -0,0 +1,8 @@
+# @TEST-DOC: Trace produced by OSS-Fuzz triggered a crash due to using a too small local buffer for decryption.
+
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -Cr $TRACES/quic/383379789-decrypt-crash.pcap base/protocols/quic %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid proto history service < conn.log > conn.log.cut
+# @TEST-EXEC: zeek-cut -m ts uid cause analyzer_kind analyzer_name failure_reason < analyzer.log > analyzer.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='sed -E "s/\((.+)\.spicy:[0-9]+:[0-9]+(-[0-9]+:[0-9]+)?\)/(\1.spicy:<location>)/g" | $SCRIPTS/diff-remove-abspath' btest-diff analyzer.log.cut