Only pass session ticket data in ssl_session_ticket_handshake event

This commit fixes the parsing of the data field in the SSL analyzer. So
far, this field contained two extra bytes at the beginning, which
contain the length of the following data.

Now, the data passed to the event only contains the actual value of the
session ticket.

The Spicy analyzer already contains the correct handling of this field,
and does not need to be updated. A test that uses the event and
exhibited the bug was added.

NEWS

@@ -51,6 +51,11 @@ Breaking Changes
 - The ``IsPacketSource()`` method on ``IOSource`` was removed. It was unused
   and incorrectly returned ``false`` on all packet sources.
 
+- The parsing of data for the ``ssl_session_ticket_handshake`` event was fixed.
+  In the past, the data contained two extra bytes before the session ticket
+  data. The event now contains only the session ticket data. You might have to
+  adjust your scripts if you manually worked around this bug in the past.
+
 New Functionality
 -----------------
 

src/analyzer/protocol/ssl/tls-handshake-protocol.pac

@@ -793,7 +793,8 @@ type Finished(rec: HandshakeRecord) = record {
 
 type SessionTicketHandshake(rec: HandshakeRecord) = record {
 	ticket_lifetime_hint: uint32;
-	data:                 bytestring &restofdata;
+	length: uint16;
+	data: bytestring &length=length;
 };
 
 ######################################################################

testing/btest/scripts/base/protocols/ssl/session-ticket.test

@@ -0,0 +1,13 @@
+# @TEST-DOC: Tests the ssl_session_ticket_handshake event
+# @TEST-EXEC: echo "CVE-2015-3194.pcap"
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/CVE-2015-3194.pcap %INPUT
+# @TEST-EXEC: echo "client-certificate.pcap"
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/client-certificate.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ssl
+
+event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, ticket: string)
+	{
+	print ticket_lifetime_hint, ticket;
+	}