TLS decryption: remove payload from ssl_encrypted_data again.

There is no reason to make the payload available in the event - it is
still encrypted.

scripts/policy/protocols/ssl/decryption.zeek

@@ -77,7 +77,7 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
 		}
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 	{
 	if ( c$ssl?$client_random )
 		{

scripts/policy/protocols/ssl/heartbleed.zeek

@@ -223,7 +223,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 		}
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 	{
 	if ( !c?$ssl )
 		return;

src/analyzer/protocol/ssl/events.bif

@@ -558,11 +558,9 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c
 ##
 ## length: length of the entire message.
 ##
-## payload: encrypted payload of the SSL/TLS message
-##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
-event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string%);
+event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
 
 ## This event is generated for application data records of TLS 1.3 connections of which
 ## we suspect that they contain handshake messages.

src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac

@@ -64,8 +64,7 @@ refine connection SSL_Conn += {
 		if ( ssl_encrypted_data )
 			{
 			zeek::BifEvent::enqueue_ssl_encrypted_data(zeek_analyzer(),
-				zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length},
+				zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
-				zeek::make_intrusive<zeek::StringVal>(cont.length(), (const char*) cont.data()));
 			if (rec->content_type() == APPLICATION_DATA)
 				{
 				zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.data(), rec->is_orig(), rec->content_type(), rec->raw_tls_version());

testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log

@@ -9079,7 +9079,6 @@ XXXXXXXXXX.XXXXXX ssl_encrypted_data
                   [2] record_version: count = 771
                   [3] content_type: count = 22
                   [4] length: count      = 32
-                  [5] payload: string    = \x1c\x1c\x84S/9\x14e\xb6'\xe5,\x03\x0fY\xdf\x1b\xcfu\xc84\xae\x1a"\xea]9j'\xbeZ\xa7
 
 XXXXXXXXXX.XXXXXX raw_packet
                   [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=91, cap_len=91, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=77, id=51331, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393854, ack=2319612745, hl=20, dl=37, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
@@ -9177,7 +9176,6 @@ XXXXXXXXXX.XXXXXX ssl_encrypted_data
                   [2] record_version: count = 771
                   [3] content_type: count = 22
                   [4] length: count      = 32
-                  [5] payload: string    = Z\x99\x17~d\x06\xbd;\xb4\xdf\xe2\xb3~9,|\xac\xdb\xb4\xeb\xcc\x95.\x17\xd2Q\x8a\x96\xdb\x13\x09!
 
 XXXXXXXXXX.XXXXXX raw_packet
                   [0] p: raw_pkt_hdr     = [l2=[encap=LINK_ETHERNET, len=97, cap_len=97, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=83, id=50807, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=43, reserved=0, flags=24, win=3626], udp=<uninitialized>, icmp=<uninitialized>]

testing/btest/scripts/base/protocols/ssl/handshake-events.test

@@ -27,7 +27,7 @@ event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, co
 	print "Plaintext data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 	{
 	print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
 	}

testing/btest/scripts/base/protocols/ssl/tls13.test

@@ -37,7 +37,7 @@ event ssl_established(c: connection)
 	print "established", c$id;
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 	{
 	print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
 	}

testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test

@@ -6,7 +6,7 @@
 
 redef SSL::disable_analyzer_after_detection=F;
 
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 	{
 	print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
 	}