diff --git a/CHANGES b/CHANGES index 4b16b4b1e8..e2025f36f5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +7.0.0-dev.282 | 2024-05-24 10:49:31 -0700 + + * Update TLS consts, mainly new named curves. (Johanna Amann, Corelight) + + Add test for X25519Kyber768Draft00 (post-quantum key agreement) + 7.0.0-dev.280 | 2024-05-21 16:22:57 -0700 * CI: Remove --enable-werror for asan builds (Tim Wojtulewicz, Corelight) diff --git a/VERSION b/VERSION index 51e992b45e..a82b0b68eb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.0.0-dev.280 +7.0.0-dev.282 diff --git a/scripts/base/protocols/ssl/consts.zeek b/scripts/base/protocols/ssl/consts.zeek index cc953df3ab..9c1854285b 100644 --- a/scripts/base/protocols/ssl/consts.zeek +++ b/scripts/base/protocols/ssl/consts.zeek @@ -136,7 +136,9 @@ export { [113] = "bad_certificate_status_response", [114] = "bad_certificate_hash_value", [115] = "unknown_psk_identity", + [116] = "certificate_required", # RFC8446 [120] = "no_application_protocol", + [121] = "ech_required", # draft-ietf-tls-esni-17 } &default=function(i: count):string { return fmt("unknown-%d", i); }; # Map SSL Extension values to consts for easier readability of code. @@ -338,15 +340,27 @@ export { [26] = "brainpoolP256r1", # 26-28 are TLS 1.3 obsoleted [27] = "brainpoolP384r1", [28] = "brainpoolP512r1", - # Temporary till 2017-01-09 - draft-ietf-tls-rfc4492bis - [29] = "x25519", # TLS 1.3 valid - [30] = "x448", # TLS 1.3 valid + [29] = "x25519", # RFC8446, RFC8422, TLS 1.3 valid + [30] = "x448", # RFC8446, RFC8422, TLS 1.3 valid + [31] = "brainpoolP256r1tls13", # RFC8734 + [32] = "brainpoolP384r1tls13", # RFC8734 + [33] = "brainpoolP512r1tls13", # RFC8734 + [34] = "GC256A", # RFC9189 + [35] = "GC256B", # RFC9189 + [36] = "GC256C", # RFC9189 + [37] = "GC256D", # RFC9189 + [38] = "GC512A", # RFC9189 + [39] = "GC512B", # RFC9189 + [40] = "GC512C", # RFC9189 + [41] = "curveSM2", # RFC8998 # draft-ietf-tls-negotiated-ff-dhe-10 [256] = "ffdhe2048", # 256-260 are TLS 1.3 valid [257] = "ffdhe3072", [258] = "ffdhe4096", [259] = "ffdhe6144", [260] = "ffdhe8192", + [25497] = "X25519Kyber768Draft00", # draft-tls-westerbaan-xyber768d00-02 + [25498] = "SecP256r1Kyber768Draft00", # draft-kwiatkowski-tls-ecdhe-kyber-01 [0xFF01] = "arbitrary_explicit_prime_curves", [0xFF02] = "arbitrary_explicit_char2_curves", # GREASE values - rfc8701 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout index d1de37cbdc..94c5dd788b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout @@ -125,3 +125,17 @@ established, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, res encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23 +chrome-1250-tls-x25519-kyber.pcap +key_share, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], T +grease_0xCACA +X25519Kyber768Draft00 +x25519 +client, TLSv10, TLSv12 +key_share, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], F +X25519Kyber768Draft00 +server, TLSv12, TLSv12 +encrypted, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], F, TLSv12, 23 +established, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp] +encrypted, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], T, TLSv12, 23 +encrypted, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], F, TLSv12, 23 +encrypted, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], F, TLSv12, 23 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log index 8ec1f6448a..a31d066e05 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log @@ -63,3 +63,13 @@ XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.178.80 54220 174.138.9.219 443 TLSv1 #types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.192.48.168 63564 64.233.185.139 443 TLSv13 TLS_AES_256_GCM_SHA384 secp256r1 - F - - T CjiICs - - - #close XXXX-XX-XX-XX-XX-XX +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert +#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 0.0.51.217 13783 142.250.200.14 443 TLSv13 TLS_AES_128_GCM_SHA256 X25519Kyber768Draft00 lh3.google.com F - - T CsiI - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/tls/chrome-1250-tls-x25519-kyber.pcap b/testing/btest/Traces/tls/chrome-1250-tls-x25519-kyber.pcap new file mode 100644 index 0000000000..91cb3e33bd Binary files /dev/null and b/testing/btest/Traces/tls/chrome-1250-tls-x25519-kyber.pcap differ diff --git a/testing/btest/scripts/base/protocols/ssl/tls13.test b/testing/btest/scripts/base/protocols/ssl/tls13.test index d7424f7a65..f9eaaab2b7 100644 --- a/testing/btest/scripts/base/protocols/ssl/tls13.test +++ b/testing/btest/scripts/base/protocols/ssl/tls13.test @@ -16,6 +16,9 @@ # @TEST-EXEC: echo "hrr.pcap" # @TEST-EXEC: zeek -b -C -r $TRACES/tls/hrr.pcap %INPUT # @TEST-EXEC: cat ssl.log >> ssl-out.log +# @TEST-EXEC: echo "chrome-1250-tls-x25519-kyber.pcap" +# @TEST-EXEC: zeek -b -C -r $TRACES/tls/chrome-1250-tls-x25519-kyber.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-out.log # @TEST-EXEC: btest-diff ssl-out.log # @TEST-EXEC: btest-diff .stdout