Merge remote-tracking branch 'origin/topic/johanna/its-time-to-add-more-tls-extension-types'

* origin/topic/johanna/its-time-to-add-more-tls-extension-types:
  SSL: Add new extension types and ECH test

(cherry picked from commit 3257c0e216)

scripts/base/protocols/ssl/consts.zeek

@@ -168,7 +168,20 @@ export {
 	const SSL_EXTENSION_EXTENDED_MASTER_SECRET = 23;
 	const SSL_EXTENSION_TOKEN_BINDING = 24;
 	const SSL_EXTENSION_CACHED_INFO = 25;
+	const SSL_EXTENSION_TLS_LTS = 26;
+	const SSL_EXTENSION_COMPRESS_CERTIFICATE = 27;
+	const SSL_EXTENSION_RECORD_SIZE_LIMIT = 28;
+	const SSL_EXTENSION_PWD_PROTECT = 29;
+	const SSL_EXTENSION_PWD_CLEAR = 30;
+	const SSL_EXTENSION_PASSWORD_SALT = 31;
+	const SSL_EXTENSION_TICKET_PINNING = 32;
+	const SSL_EXTENSION_TLS_CERT_WITH_EXTERN_PSK = 33;
+	const SSL_EXTENSION_DELEGATED_CREDENTIAL = 34;
 	const SSL_EXTENSION_SESSIONTICKET_TLS = 35;
+	const SSL_EXTENSION_TLMSP = 36;
+	const SSL_EXTENSION_TLMSP_PROXYING = 37;
+	const SSL_EXTENSION_TLMSP_DELEGATE = 38;
+	const SSL_EXTENSION_SUPPORTED_EKT_CIPHERS = 39;
 	const SSL_EXTENSION_KEY_SHARE_OLD = 40;
 	const SSL_EXTENSION_PRE_SHARED_KEY = 41;
 	const SSL_EXTENSION_EARLY_DATA = 42;
@@ -182,16 +195,22 @@ export {
 	const SSL_EXTENSION_SIGNATURE_ALGORITHMS_CERT = 50;
 	const SSL_EXTENSION_KEY_SHARE = 51;
 	const SSL_EXTENSION_TRANSPARENCY_INFO = 52;
-	const SSL_EXTENSION_CONNECTION_ID = 53;
+	const SSL_EXTENSION_CONNECTION_ID_DEPRECATED = 53;
+	const SSL_EXTENSION_CONNECTION_ID = 54;
 	const SSL_EXTENSION_EXTERNAL_ID_HASH = 55;
 	const SSL_EXTENSION_EXTERNAL_SESSION_ID = 56;
 	const SSL_EXTENSION_QUIC_TRANSPORT_PARAMETERS = 57;
+	const SSL_EXTENSION_TICKET_REQUEST = 58;
+	const SSL_EXTENSION_DNSSEC_CHAIN = 59;
+	const SSL_EXTENSION_SEQUENCE_NUMBER_ENCRYPTION_ALGORITHMS = 60;
 	const SSL_EXTENSION_NEXT_PROTOCOL_NEGOTIATION = 13172;
 	const SSL_EXTENSION_ORIGIN_BOUND_CERTIFICATES = 13175;
 	const SSL_EXTENSION_ENCRYPTED_CLIENT_CERTIFICATES = 13180;
+	const SSL_EXTENSION_APPLICATION_SETTING = 17513;
 	const SSL_EXTENSION_CHANNEL_ID = 30031;
 	const SSL_EXTENSION_CHANNEL_ID_NEW = 30032;
 	const SSL_EXTENSION_PADDING_TEMP = 35655;
+	const SSL_EXTENSION_ENCRYPTED_CLIENT_HELLO = 65037;
 	const SSL_EXTENSION_RENEGOTIATION_INFO = 65281;
 
 	## Mapping between numeric codes and human readable strings for SSL/TLS
@@ -225,7 +244,20 @@ export {
 		[23] = "extended_master_secret",
 		[24] = "token_binding", # temporary till 2017-03-06 - draft-ietf-tokbind-negotiation
 		[25] = "cached_info",
+		[26] = "tls_lts", # draft-gutmann-tls-lts
+		[27] = "compress_certificate", # RFC8879
+		[28] = "record_size_limit", # RFC8449
+		[29] = "pwd_protect", # RFC8492
+		[30] = "pwd_clear", # RFC8492
+		[31] = "password_salt", # RFC8492
+		[32] = "ticket_pinning", # RFC8672
+		[33] = "tls_cert_with_extern_psk", # RFC8773
+		[34] = "delegated_credential", # RFC9345
 		[35] = "SessionTicket TLS",
+		[36] = "TLMSP", # ETSI TS 103 523-2
+		[37] = "TLMSP_proxying", # ETSI TS 103 523-2
+		[38] = "TLMSP_delegate", # ETSI TS 103 523-2
+		[39] = "supported_ekt_ciphers", # RFC8870
 		[40] = "key_share_old", # new for TLS 1.3, used in some of the drafts. Did not make it into the RFC. Was used for extended_random before.
 		[41] = "pre_shared_key", # new for 1.3, see RFC 8446
 		[42] = "early_data", # new for 1.3, see RFC 8446
@@ -238,18 +270,41 @@ export {
 		[49] = "post_handshake_auth", # new for 1.3, see RFC 8446
 		[50] = "signature_algorithms_cert", # new for 1.3, see RFC 8446
 		[51] = "key_share", # new for 1.3, see RFC 8446
-		[52] = "transparency_info", # temporary - draft-ietf-trans-rfc6962-bis-34
+		[52] = "transparency_info", # RFC9162
-		[53] = "connection_id", # temporary -d draft-ietf-tls-dtls-connection-id
+		[53] = "connection_id_deprecated", # RFC9146
-		[55] = "external_id_hash", # temporary - RFC-ietf-mmusic-sdp-uks-07
+		[54] = "connection_id", # RFC9146
-		[56] = "external_session_id", # temporary - RFC-ietf-mmusic-sdp-uks-07
+		[55] = "external_id_hash", # RFC8844
-		[57] = "quic_transport_parameters", # temporary - draft-ietf-quic-tls-32
+		[56] = "external_session_id", # RFC8844
+		[57] = "quic_transport_parameters", # RFC9001
+		[58] = "ticket_request", # RFC9149]
+		[59] = "dnssec_chain", # RFC9102
+		[60] = "sequence_number_encryption_algorithms", # draft-pismenny-tls-dtls-plaintext-sequence-number-01
 		[13172] = "next_protocol_negotiation",
 		[13175] = "origin_bound_certificates",
 		[13180] = "encrypted_client_certificates",
+		[17513] = "application_setting", # draft-vvv-tls-alps-01.html
 		[30031] = "channel_id",
 		[30032] = "channel_id_new",
 		[35655] = "padding",
-		[65281] = "renegotiation_info"
+		[65037] = "encrypted_client_hello", # draft-ietf-tls-esni
+		[65281] = "renegotiation_info",
+		# GREASE values - rfc8701
+		[2570] = "grease_0x0A0A",
+		[6682] = "grease_0x1A1A",
+		[10794] = "grease_0x2A2A",
+		[14906] = "grease_0x3A3A",
+		[19018] = "grease_0x4A4A",
+		[23130] = "grease_0x5A5A",
+		[27242] = "grease_0x6A6A",
+		[31354] = "grease_0x7A7A",
+		[35466] = "grease_0x8A8A",
+		[39578] = "grease_0x9A9A",
+		[43690] = "grease_0xAAAA",
+		[47802] = "grease_0xBABA",
+		[51914] = "grease_0xCACA",
+		[56026] = "grease_0xDADA",
+		[60138] = "grease_0xEAEA",
+		[64250] = "grease_0xFAFA"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
 	## Mapping between numeric codes and human readable string for SSL/TLS elliptic curves.
@@ -293,7 +348,24 @@ export {
 		[259] = "ffdhe6144",
 		[260] = "ffdhe8192",
 		[0xFF01] = "arbitrary_explicit_prime_curves",
-		[0xFF02] = "arbitrary_explicit_char2_curves"
+		[0xFF02] = "arbitrary_explicit_char2_curves",
+		# GREASE values - rfc8701
+		[2570] = "grease_0x0A0A",
+		[6682] = "grease_0x1A1A",
+		[10794] = "grease_0x2A2A",
+		[14906] = "grease_0x3A3A",
+		[19018] = "grease_0x4A4A",
+		[23130] = "grease_0x5A5A",
+		[27242] = "grease_0x6A6A",
+		[31354] = "grease_0x7A7A",
+		[35466] = "grease_0x8A8A",
+		[39578] = "grease_0x9A9A",
+		[43690] = "grease_0xAAAA",
+		[47802] = "grease_0xBABA",
+		[51914] = "grease_0xCACA",
+		[56026] = "grease_0xDADA",
+		[60138] = "grease_0xEAEA",
+		[64250] = "grease_0xFAFA"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
 	## Mapping between numeric codes and human readable string for SSL/TLS EC point formats.
@@ -1081,6 +1153,23 @@ export {
 		[SSL_RSA_WITH_DES_CBC_MD5] = "SSL_RSA_WITH_DES_CBC_MD5",
 		[SSL_RSA_WITH_3DES_EDE_CBC_MD5] = "SSL_RSA_WITH_3DES_EDE_CBC_MD5",
 		[TLS_EMPTY_RENEGOTIATION_INFO_SCSV] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
+		# GREASE - rfc8701
+		[2570] = "grease_0x0A0A",
+		[6682] = "grease_0x1A1A",
+		[10794] = "grease_0x2A2A",
+		[14906] = "grease_0x3A3A",
+		[19018] = "grease_0x4A4A",
+		[23130] = "grease_0x5A5A",
+		[27242] = "grease_0x6A6A",
+		[31354] = "grease_0x7A7A",
+		[35466] = "grease_0x8A8A",
+		[39578] = "grease_0x9A9A",
+		[43690] = "grease_0xAAAA",
+		[47802] = "grease_0xBABA",
+		[51914] = "grease_0xCACA",
+		[56026] = "grease_0xDADA",
+		[60138] = "grease_0xEAEA",
+		[64250] = "grease_0xFAFA"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
 }

testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout

@@ -12,7 +12,7 @@ ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, XX
 request, 0, 
 request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4
 ocsp_response_status, successful
-ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, XXXXXXXXXX.XXXXXX, (UNKNOWN), XXXXXXXXXX.XXXXXX, XXXXXXXXXX.XXXXXX
+ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, XXXXXXXXXX.XXXXXX, privilegeWithdrawn, XXXXXXXXXX.XXXXXX, XXXXXXXXXX.XXXXXX
 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, XXXXXXXXXX.XXXXXX, sha1WithRSAEncryption
 request, 0, 
 request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A

testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log

@@ -9,6 +9,6 @@
 #types	time	string	string	string	string	string	string	time	string	time	time
 XXXXXXXXXX.XXXXXX	Fv1Mrl4zObGy9drLdg	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	010BF45E184C4169AB61B41168DF802E	revoked	XXXXXXXXXX.XXXXXX	superseded	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	F7TCyr1Y6YSyUVOW5	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	013D34BFD6348EBA231D6925768ACD87	revoked	XXXXXXXXXX.XXXXXX	unspecified	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX	FmK7Wj1W7PV2RclIig	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	0150C0C06D53F9D39205D84EFB5F2BA4	revoked	XXXXXXXXXX.XXXXXX	(UNKNOWN)	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	FmK7Wj1W7PV2RclIig	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	0150C0C06D53F9D39205D84EFB5F2BA4	revoked	XXXXXXXXXX.XXXXXX	privilegeWithdrawn	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	FfpvoO3DJXnAcoNnp4	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	017447CB30072EE15B9C1B057B731C5A	revoked	XXXXXXXXXX.XXXXXX	keyCompromise	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ssl.tls13-encrypted-client-hello/.stdout

@@ -0,0 +1,53 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+T, grease_0xDADA
+T, renegotiation_info
+T, application_layer_protocol_negotiation
+T, signature_algorithms
+T, key_share
+T, psk_key_exchange_modes
+T, application_setting
+T, SessionTicket TLS
+T, supported_versions
+Curves, 192.168.20.65, 162.159.138.85
+grease_0x1A1A
+x25519
+secp256r1
+secp384r1
+T, supported_groups
+T, encrypted_client_hello
+T, extended_master_secret
+T, status_request
+T, signed_certificate_timestamp
+T, ec_point_formats
+T, server_name
+T, compress_certificate
+T, grease_0x9A9A
+T, padding
+F, supported_versions
+F, key_share
+T, grease_0xBABA
+Curves, 192.168.20.65, 162.159.138.85
+grease_0xDADA
+x25519
+secp256r1
+secp384r1
+T, supported_groups
+T, SessionTicket TLS
+T, application_setting
+T, ec_point_formats
+T, encrypted_client_hello
+T, renegotiation_info
+T, signed_certificate_timestamp
+T, status_request
+T, signature_algorithms
+T, compress_certificate
+T, psk_key_exchange_modes
+T, extended_master_secret
+T, server_name
+T, application_layer_protocol_negotiation
+T, supported_versions
+T, key_share
+T, grease_0xFAFA
+T, padding
+F, supported_versions
+F, key_share

testing/btest/Baseline/scripts.base.protocols.ssl.tls13-encrypted-client-hello/ssl.log

@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.20.65	51066	162.159.138.85	443	TLSv13	TLS_AES_128_GCM_SHA256	x25519	cloudflare-ech.com	F	-	-	T	CsiI	-	-	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.20.65	51071	162.159.138.85	443	TLSv13	TLS_AES_128_GCM_SHA256	x25519	cloudflare-ech.com	F	-	-	T	CsiI	-	-	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout

@@ -1,16 +1,16 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 tls13draft16-chrome55.0.2879.0-canary-aborted.pcap
 key_share, [orig_h=192.168.6.203, orig_p=53226/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
-unknown-27242
+grease_0x6A6A
 x25519
 client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53227/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
-unknown-19018
+grease_0x4A4A
 x25519
 client, TLSv10, TLSv12
 tls13draft16-chrome55.0.2879.0-canary.pcap
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
-unknown-43690
+grease_0xAAAA
 x25519
 client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
@@ -24,7 +24,7 @@ established, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_
 encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
-unknown-60138
+grease_0xEAEA
 x25519
 client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F

testing/btest/scripts/base/protocols/ssl/tls13-encrypted-client-hello.test

@@ -0,0 +1,20 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13-ech.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff .stdout
+
+# This is a trace that uses the new encrypted client hello extension to hide (among others)
+# the real value of the SNI.
+
+@load base/protocols/ssl
+
+event ssl_extension(c: connection, is_client: bool, code: count, val: string)
+	{
+	print is_client, SSL::extensions[code];
+	}
+
+event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec)
+	{
+	print "Curves", c$id$orig_h, c$id$resp_h;
+	for ( i in curves )
+		print SSL::ec_curves[curves[i]];
+	}