Merge remote-tracking branch 'origin/topic/johanna/gh-4598'

* origin/topic/johanna/gh-4598: Only pass session ticket data in ssl_session_ticket_handshake event
2025-10-02 06:38:20 +00:00 · 2025-06-26 09:58:39 +01:00 · 2025-06-26 09:58:39 +01:00 · 14e801a709
commit 14e801a709
parent 9f16050d0a 9d06a13828
6 changed files with 34 additions and 2 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+8.0.0-dev.538 | 2025-06-26 09:58:39 +0100
+
+  * Only pass session ticket data in ssl_session_ticket_handshake event (Johanna Amann, Corelight)
+
+    This commit fixes the parsing of the data field in the SSL analyzer. So
+    far, this field contained two extra bytes at the beginning, which
+    contain the length of the following data.
+
 8.0.0-dev.535 | 2025-06-25 19:27:01 +0200

  * Update zeek.bif (bhaskarbhar)
--- a/5
+++ b/5
@ -70,6 +70,11 @@ Breaking Changes
  on the host machine. We haven't heard from anyone that this is the case with the
  arguments in their currently-broken state.

+- The parsing of data for the ``ssl_session_ticket_handshake`` event was fixed.
+  In the past, the data contained two extra bytes before the session ticket
+  data. The event now contains only the session ticket data. You might have to
+  adjust your scripts if you manually worked around this bug in the past.
+
 New Functionality
 -----------------

--- a/2
+++ b/2
@ -1 +1 @@
-8.0.0-dev.535
+8.0.0-dev.538
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@ -793,7 +793,8 @@ type Finished(rec: HandshakeRecord) = record {

 type SessionTicketHandshake(rec: HandshakeRecord) = record {
 	ticket_lifetime_hint: uint32;
-	data:                 bytestring &restofdata;
+	length: uint16;
+	data: bytestring &length=length;
 };

 ######################################################################
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.session-ticket/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.session-ticket/.stdout
--- a/testing/btest/scripts/base/protocols/ssl/session-ticket.test
+++ b/testing/btest/scripts/base/protocols/ssl/session-ticket.test
@ -0,0 +1,13 @@
+# @TEST-DOC: Tests the ssl_session_ticket_handshake event
+# @TEST-EXEC: echo "CVE-2015-3194.pcap"
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/CVE-2015-3194.pcap %INPUT
+# @TEST-EXEC: echo "client-certificate.pcap"
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/client-certificate.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ssl
+
+event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, ticket: string)
+	{
+	print ticket_lifetime_hint, ticket;
+	}