From 9d06a13828a78e7b6388a6482e8752ab194270e8 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 24 Jun 2025 15:08:30 +0100
Subject: [PATCH] Only pass session ticket data in ssl_session_ticket_handshake event

This commit fixes the parsing of the data field in the SSL analyzer. So far, this field contained two extra bytes at the beginning, which contain the length of the following data. Now, the data passed to the event only contains the actual value of the session ticket. The Spicy analyzer already contains the correct handling of this field, and does not need to be updated. A test that uses the event and exhibited the bug was added.
---
 NEWS | 5 +++++
 .../protocol/ssl/tls-handshake-protocol.pac | 3 ++-
 .../.stdout | 5 +++++
 .../scripts/base/protocols/ssl/session-ticket.test | 13 +++++++++++++
 4 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.session-ticket/.stdout
 create mode 100644 testing/btest/scripts/base/protocols/ssl/session-ticket.test

diff --git a/NEWS b/NEWS
index 485bff0a78..e6c5326892 100644
--- a/NEWS
+++ b/NEWS
@@ -51,6 +51,11 @@ Breaking Changes
 - The ``IsPacketSource()`` method on ``IOSource`` was removed. It was unused and incorrectly returned ``false`` on all packet sources.
+- The parsing of data for the ``ssl_session_ticket_handshake`` event was fixed.
+ In the past, the data contained two extra bytes before the session ticket
+ data. The event now contains only the session ticket data. You might have to
+ adjust your scripts if you manually worked around this bug in the past.
+
 New Functionality
 -----------------
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 2e2271779a..ca66878644 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -793,7 +793,8 @@ type Finished(rec: HandshakeRecord) = record {
 type SessionTicketHandshake(rec: HandshakeRecord) = record {
 ticket_lifetime_hint: uint32;
- data: bytestring &restofdata;
+ length: uint16;
+ data: bytestring &length=length;
 };
 ######################################################################
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.session-ticket/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.session-ticket/.stdout
new file mode 100644
index 0000000000..dfd725c9b1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.session-ticket/.stdout
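Review bot: With `data: bytestring &length=length` the record no longer covers the rest of the handshake message, so a `length` that does not match the remaining bytes of `rec` is neither checked nor reported here: trailing bytes are silently ignored, and an oversized `length` is presumably left to binpac's generic bounds handling rather than to an explicit constraint. The previous `&restofdata` form at least guaranteed the whole message was consumed, so an explicit constraint against the enclosing record length (a `&check`-style attribute, if this analyzer uses them elsewhere) or a comment stating that the remainder is deliberately ignored would make the new behaviour intentional. A comment tying the layout to the spec would also help the next reader, e.g. `# RFC 5077 NewSessionTicket: uint32 ticket_lifetime_hint followed by opaque ticket<0..2^16-1>; the 2-byte vector length is not part of the ticket handed to the event.` The SessionTicketHandshake record is complete within the hunk.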
@@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CVE-2015-3194.pcap +300, \x8a\xfd\xb2q\xd2\xa7\xf8^=\x84\xc8\x123\x88\xa72[\xca4\xa6\x95:-D\x98s\xfd\xb6\xc8\x17\xb2\x81\xfa\xf9u\x0dz\xd00$\x96<\xfe;3\x04\xcd\xc1\x16\xa7\xc7\xf8\x9cD\x9f\x82\xaf\xf2\xed\xeer[3\x17\x04\x1a\xa0v\xf9h:w*\x04\xa5\x8d\xe9E\x7f\xae,y&PT\x11\x18\xb3\xff+\x03\x87;\xe6\xe9\xd6J\xe3\x0d\x1b\xf3\x08>\x921\xbd\xca3\x88\x86'h\xfe\x8c~7\xa6\x828\x8b\xcf\x0f\xa7y[\x9d\xfazF\x02\xb0[\xc3\xac\xbb\xa2\xd3=\xf1\x8c\xf8k\xd7\x1f\x9e \xb6\x90h\x95\x0c\xb7)\x00zW\xc7\x93\xec\x10 +client-certificate.pcap +300, M#\xa7J\x9e\x8a\x19p{\x83\xf2\xe4\xa5\xf6C\x0f\xddNh6\x19\x9f0\xc1\x83\x84\xab\xf6\xd2\xa5?o\xf7%\x8b\x01D\xe5\xf4\xcb\x17\x05\x1c`\xdc\xb1\xff\xd5\xf9\xfe\xe2\Vu=\xb8\xee\xb6\xb2\xd6w\xdb\x95DT\xfb\x86\xea\xf4\x0c\xf3\xe2\xb0\x07\x0e\x1d\xcf\x01\xa0\xc3/\x19D*\x15;\xf2\x9d\x13\xcb\xecZ4\xe1\x9a\x14\xf3\xcf\xb1\xe8\x0e\x16&7n\xb2&\xae\xcdcb\x04@\xca\xa9\x00\x8e\xa1\x18\xc2I&\xa6$\xcb8\xdc\xb6\x04\xb5\xef55\x91kv\x10\x19\xfcP\xef5'\xdf\x01\xd9IM\xc1\xd5\xf0\xc8\xd5\x94\x06\xe6jw\xb1\x93go\xc1*\xb3y|A\x9f\xed\xdf\xc6a1\x1c\xc3Q\xde\x83a'X\xcc@\xe9Q\x9c\xf9\xad\x873\x00\x8f\x07\xe0\x14\x12g\xed\xdeo\xdd\xfc\xc6\xdfc\xaf\x1a\xe5'\xd8\x918\xb4\x8a\x9b\xb9\xdcF\xed\x98\x08\xfe\xe49G\xc5M\xccg\xe7\x8a\xa4z\xc6\x82>\x9d\x1a\x0d0/\xa5\xf1\xefb\xde\xab_5\xdc\xf3\xea\xe0s\x0cm\xbc>\xb2Zb\xf1\x11\x8f\xc60\x7f\x82\xa9\xfbt6Xg\xcd\xd1\xa7\xdbHOX\xbaU\x0b4\xda\x91L\xff\x0a\x15.JZ\xbf\xe9\xf0\x17\x92U\x86\xe9Q\x1d\x9c\xbf\x16^"]A0\xa9um\xef\x8f\x14=\xfes\xcc\xad\x12\x87\xd2\x7f\\x18\x00\xef\xd0V\xbb\xf2\xf4\xdb\x7f\xabO\x00B\xf7\x0c\xd0q\x9b%8\x85C\x02e\x0epom\\xa0\xf3\xff\xac\x99o\x8f\x89\xab^\x1b\x95\xa2x\x0c\x1a\x84\x19\xc2]\xfb,[;.\xa4\xb5L\x05\xb2\x8a\xd7eF\x98\xcb\xa6\xe6D\xaf\xdb\x96D/\xc3i\xc3\xfdfY\xd7\xd5jO\xc9\xd17\x97\xa9\xd4\x9e\x91\xc0O\x0b?I\xdb\xba\xf8\xf20\xeb\xcdY\xf5\xf3\xa1H\xf1\x82\x90\x91\xcd\x91\x90\xaa\x05\xa
c\x12\x15\x10\x9a#\xd2\xfc\xdf\x92g\xe7\xbeK\x1b")\xcd\x96\x90t\x07\xf7\xf3H\xf6\x81\x0aMJs,\xa4\x94\xb4@R\xa8\xbb\xa6\xdd\'\xef\xde%%\xf0i\xf3B\x1e]\x01S&sK\x17Q&U\xf3\x04\xa1\x0f\x11\xf2\xcc\xd2w\xfdy]\xdb`GL\xf8,\x96w\xa7\xa9\x09\xafB\xe8vz\x80\x98\xe1\x83)Ce=\xbf\x04\x97\xb9\xf70:\xdc\xc0\xcd\xb6%\xd8\xd2-\xae\x86\xcb\x00A\x86\xdf1\x0cs0\xc3\x99\xfd\xa7[\xf4P.\x89g)o\x04\xc4\xbc\xc4\xe2\xce!"\xb7\xce\x13\x9b\xbc\x0b\x05\xbb\xad\xc0,\xb1(bz\xb2\xe8\x00X\xfa2\x9e~\x1dk3?}\x8c\xb1N\x9aG\x85\xd0T7\x08q\x85l\xe8\xd78\xefP\x9fG\xac\x17\xf0\x7f\x7f"\xa6\x8aa\x83\xb2;\x99q?\x91\xa03`w\x80\xfb\xe46\x18\xb5\xfa:ty\xbe\x0d\xf6K\x9c\x88f\xc0\xc2\xd4\x88Z\xb4\x0c\xf0{\xd9-\xa6~\xed\xcc\xbe\xdd(\x9e\xb5*\xcb\xbfn7\xad8\x18\xc7\xad\xd3\xb6\x7flJ\xb0\xaa\xe4\xac\x9a\xf4\xe6\x8eRo\x16\xd5\xb0d&\x01%\xe6q\xb7\xaeC0\xe5{\xbe\xf1b\xf5\xfe\x99\xa2c\x91\xc7\x07\x1dW\xf4\xe9lRD\xe9\x88\xdb\x9fy\xfd\xcd;y|{\xddJp\xe5\xaa\xab\x0e\xb9\x1e\xc7A\xbb\x85r\xa7X\x1c\x09\x0f\xa1\xba\x01\xeddt\xb8\xba\x95\xc5\xfcc`IMe\xd4\x9a\xbcqv\x07\x01\x86\xc4\x0d\xed\xee\xa2\xf4A\xbcQPc\xb3\xa5E\xbf\xdc\xd97\xdd\x99I5\xf9\xa6O\xc45\xf84\xd04"\xf1\x8d/\x13t(J&\xa7MS\xe5\x9d6 b\xf9\xbcr\xad\xf3i\xed\xcf\xc45\x1b\xac\x03\x8fv!\x1b\x8a\x9e\x86F\x9e\xba7\xff\xee\x90\x0e\x92\x84\xb0\x85\x80\xf0\x19\xb1\x0a+qp\x96Q\xde'\xdb\x01\x14\xb2\xefO\xb0\x09\x9c}Brq\xc9_y\xd0@[\x8dzd#\xeb\xad\xacztl\xf3\xc2p!\x0c\x9b\xb9\xf7\x9b\xc3G\xb1\x0b\xe6N(\xfe|4\xb1\x08\xc8\x9fw\x86\x97Rt+\xbe\xfaK\x93\xe8\xad\x10+\xb8(M\x8d1\xeb\x0fZi~\x12\xaa\xaa\xabZ\xfd\x9b\x13{U\x0a\x8a\x062a\x0eoAZa\x91\xd9p\xf2<\x1fn\x8b\xf8\xbbw\x18wH\xc2\xe0\xd5\xd6\xc9/:\xe5\x01:\xfa\xfd\xdf\xed\xad\xf6\x152\xccO\x84.\x8e\x88\xe9\x80\x11\x10 
\xb4\xa9>\x02\xa7\xfc\xd1\x84\xecD\xf2.\x05\xe4\xfe\xe2\x0d{\xbfh\x900\xa6l\xfa2\xd9s\x89%\xc11\xbc|&E\xad\x07C\xbad\x93A"=4\xa0\x87\x89\xc7;\xaf\x01\xbcU\xc6\xffE\xb9\xcfK\x1b\xa0\xf9\xf3\x95\x84\xbe\x1b\xa2\xef\xab\xe3\x84:\xd8P\x09\xc3\xef\xe3\xee\xa28\xde\xda\xc9\x13\xfeck\xceX\x18\xff\xc9\x0f\xefC\xff\xaal;\xd1\x18\xe3\x12\xf0vg\xca\x0d\xa6\x8b`)\xa0LkTry\xbee\xe1\x1c\xbc\xdc!\xab\x1d-C\xee\x90\xedg\x17\xde\xf8?\x8a\xeb\x00\x94_\xdb\xd1\x0d\xfd\x07x\xb4\xa7\xc6\x08h\xfe_\xbe\xf4\xf6\x9b\x97\x15\xa8\x89Ex\xfc\x9e\xf1\xf9\xfbl3\xb4\xb8\x1fb\xabKS\x18b\x9d\xc1\xfa\xb4?\xea\x88\x8c\xfcM%\xe52\xf3\xe8\xc29\xfeY\xfb<\x7f\xdc"4\x0f$\xe8z\xa2\xeb\xd6\xb4\xfa\xbaMq}C\xa31\x7fP\xc1l\xc1\x81\xde\xbar\x0e\x81c\xaa\x1f\xe1\xca\x96\x9e\xb8<'\x04\xca/\xda\x98\xe2w\xa1%\xcd\xc5\xb0\xca\x88\xa0\xab\xe9n\x98K\xeap\xba\x86\xafF\xf3G\xe4\x97\x05\xcep\x12\x10MB@G\x96z\xbc\x1d5Z\xc6~\x075d\xcb\xbaD\x0c\x80\xdb\xfb\xf2\xbb\x97\xa8\x14Y6~c\x98\xecA\x1fi}\xff\xe7\x9d\x93\xd2\xcb\xad#\x91\x15(\x18=\x05\xb4\xe5\x8e\x98/\xe6\xfc\x18E\xaeO\xf2?yc\xe8\xf1\x9c\x05\xceo\xd3\xd3S\x02a diff --git a/testing/btest/scripts/base/protocols/ssl/session-ticket.test b/testing/btest/scripts/base/protocols/ssl/session-ticket.test new file mode 100644 index 0000000000..da788982d5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/session-ticket.test @@ -0,0 +1,13 @@ +# @TEST-DOC: Tests the ssl_session_ticket_handshake event +# @TEST-EXEC: echo "CVE-2015-3194.pcap" +# @TEST-EXEC: zeek -b -C -r $TRACES/tls/CVE-2015-3194.pcap %INPUT +# @TEST-EXEC: echo "client-certificate.pcap" +# @TEST-EXEC: zeek -b -C -r $TRACES/tls/client-certificate.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +@load base/protocols/ssl + +event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, ticket: string) + { + print ticket_lifetime_hint, ticket; + }
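Review bot: The handler in the new test prints only the raw ticket bytes, so the baseline is a long escaped blob in which a regression back to the two-byte length prefix would be hard to spot by eye; printing the length too, `print ticket_lifetime_hint, |ticket|, ticket;`, would make the expected size visible and the baseline self-explanatory. The `@TEST-DOC` line could also say that the test guards against the length-prefix bug this commit fixes, since nothing in the test or baseline says why these two traces were chosen. The event handler is complete within the hunk.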