Merge remote-tracking branch 'origin/topic/johanna/gh-4598'

* origin/topic/johanna/gh-4598:
  Only pass session ticket data in ssl_session_ticket_handshake event
Johanna Amann 2025-06-26 09:58:39 +01:00
commit 14e801a709
6 changed files with 34 additions and 2 deletions


@ -1,3 +1,11 @@
8.0.0-dev.538 | 2025-06-26 09:58:39 +0100
* Only pass session ticket data in ssl_session_ticket_handshake event (Johanna Amann, Corelight)
This commit fixes the parsing of the data field in the SSL analyzer. So
far, this field contained two extra bytes at the beginning, which
contain the length of the following data.
8.0.0-dev.535 | 2025-06-25 19:27:01 +0200 8.0.0-dev.535 | 2025-06-25 19:27:01 +0200
* Update zeek.bif (bhaskarbhar) * Update zeek.bif (bhaskarbhar)

5
NEWS

@ -70,6 +70,11 @@ Breaking Changes
on the host machine. We haven't heard from anyone that this is the case with the on the host machine. We haven't heard from anyone that this is the case with the
arguments in their currently-broken state. arguments in their currently-broken state.
- The parsing of data for the ``ssl_session_ticket_handshake`` event was fixed.
In the past, the data contained two extra bytes before the session ticket
data. The event now contains only the session ticket data. You might have to
adjust your scripts if you manually worked around this bug in the past.
New Functionality New Functionality
----------------- -----------------


@ -1 +1 @@
8.0.0-dev.535 8.0.0-dev.538


@ -793,7 +793,8 @@ type Finished(rec: HandshakeRecord) = record {
type SessionTicketHandshake(rec: HandshakeRecord) = record { type SessionTicketHandshake(rec: HandshakeRecord) = record {
ticket_lifetime_hint: uint32; ticket_lifetime_hint: uint32;
data: bytestring &restofdata; length: uint16;
data: bytestring &length=length;
}; };
###################################################################### ######################################################################
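Review bot: The new `length` field in SessionTicketHandshake is read straight from the wire, and nothing visible in the record ties it to the size of the enclosing handshake message or says what the two bytes are. With `&restofdata` gone, bytes that follow a too-short declared ticket are, as far as this hunk shows, left unparsed. A too-large value presumably falls to binpac's generated bounds check, which is worth confirming rather than assuming. I would document the layout above the field, for example `# opaque ticket<0..2^16-1> (RFC 5077): 2-byte length prefix, then the ticket bytes`, and state in the same comment what happens when the prefix disagrees with the message length. Naming the field `ticket_length` would also make it harder to confuse with the handshake record's own length.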

File diff suppressed because one or more lines are too long

View file

@ -0,0 +1,13 @@
# @TEST-DOC: Tests the ssl_session_ticket_handshake event
# @TEST-EXEC: echo "CVE-2015-3194.pcap"
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/CVE-2015-3194.pcap %INPUT
# @TEST-EXEC: echo "client-certificate.pcap"
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/client-certificate.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
@load base/protocols/ssl
event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, ticket: string)
{
print ticket_lifetime_hint, ticket;
}
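Review bot: The handler prints only `ticket_lifetime_hint` and the raw `ticket`, so the baseline does not state the ticket size directly, which is the property this fix changes. Printing it as well, `print ticket_lifetime_hint, |ticket|, ticket;`, would make a regression back to the two-byte-prefixed value obvious in the diff. Both traces appear to be ordinary captures (the baseline is suppressed on this page, so this is inferred). That leaves the case of a declared ticket length that does not match the remaining handshake bytes unexercised. A small malformed trace as a third `@TEST-EXEC` run would pin how the analyzer behaves there.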