Merge remote-tracking branch 'origin/topic/johanna/tls-new-groups-and-consts'

* origin/topic/johanna/tls-new-groups-and-consts: Update TLS consts, mainly new named curves.
2025-10-02 06:38:20 +00:00 · 2024-05-24 10:49:31 -07:00 · 2024-05-24 10:49:31 -07:00 · 47dd834bdb
commit 47dd834bdb
parent afc89c0480 34225e83ba
7 changed files with 51 additions and 4 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+7.0.0-dev.282 | 2024-05-24 10:49:31 -0700
+
+  * Update TLS consts, mainly new named curves. (Johanna Amann, Corelight)
+
+    Add test for X25519Kyber768Draft00 (post-quantum key agreement)
+
 7.0.0-dev.280 | 2024-05-21 16:22:57 -0700

  * CI: Remove --enable-werror for asan builds (Tim Wojtulewicz, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-7.0.0-dev.280
+7.0.0-dev.282
--- a/scripts/base/protocols/ssl/consts.zeek
+++ b/scripts/base/protocols/ssl/consts.zeek
@ -136,7 +136,9 @@ export {
 		[113] = "bad_certificate_status_response",
 		[114] = "bad_certificate_hash_value",
 		[115] = "unknown_psk_identity",
+		[116] = "certificate_required", # RFC8446
 		[120] = "no_application_protocol",
+		[121] = "ech_required", # draft-ietf-tls-esni-17
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };

 	# Map SSL Extension values to consts for easier readability of code.
@ -338,15 +340,27 @@ export {
 		[26] = "brainpoolP256r1", # 26-28 are TLS 1.3 obsoleted
 		[27] = "brainpoolP384r1",
 		[28] = "brainpoolP512r1",
-		# Temporary till 2017-01-09 - draft-ietf-tls-rfc4492bis
-		[29] = "x25519", # TLS 1.3 valid
-		[30] = "x448", # TLS 1.3 valid
+		[29] = "x25519", # RFC8446, RFC8422, TLS 1.3 valid
+		[30] = "x448", # RFC8446, RFC8422, TLS 1.3 valid
+		[31] = "brainpoolP256r1tls13", # RFC8734
+		[32] = "brainpoolP384r1tls13", # RFC8734
+		[33] = "brainpoolP512r1tls13", # RFC8734
+		[34] = "GC256A", # RFC9189
+		[35] = "GC256B", # RFC9189
+		[36] = "GC256C", # RFC9189
+		[37] = "GC256D", # RFC9189
+		[38] = "GC512A", # RFC9189
+		[39] = "GC512B", # RFC9189
+		[40] = "GC512C", # RFC9189
+		[41] = "curveSM2", # RFC8998
 		# draft-ietf-tls-negotiated-ff-dhe-10
 		[256] = "ffdhe2048", # 256-260 are TLS 1.3 valid
 		[257] = "ffdhe3072",
 		[258] = "ffdhe4096",
 		[259] = "ffdhe6144",
 		[260] = "ffdhe8192",
+		[25497] = "X25519Kyber768Draft00", # draft-tls-westerbaan-xyber768d00-02
+		[25498] = "SecP256r1Kyber768Draft00", # draft-kwiatkowski-tls-ecdhe-kyber-01
 		[0xFF01] = "arbitrary_explicit_prime_curves",
 		[0xFF02] = "arbitrary_explicit_char2_curves",
 		# GREASE values - rfc8701
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
@ -125,3 +125,17 @@ established, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, res
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
+chrome-1250-tls-x25519-kyber.pcap
+key_share, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], T
+grease_0xCACA
+X25519Kyber768Draft00
+x25519
+client, TLSv10, TLSv12
+key_share, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], F
+X25519Kyber768Draft00
+server, TLSv12, TLSv12
+encrypted, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], F, TLSv12, 23
+established, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp]
+encrypted, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], T, TLSv12, 23
+encrypted, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], F, TLSv12, 23
+encrypted, [orig_h=0.0.51.217, orig_p=13783/tcp, resp_h=142.250.200.14, resp_p=443/tcp], F, TLSv12, 23
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
@ -63,3 +63,13 @@ XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.178.80	54220	174.138.9.219	443	TLSv1
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.192.48.168	63564	64.233.185.139	443	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	CjiICs	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	0.0.51.217	13783	142.250.200.14	443	TLSv13	TLS_AES_128_GCM_SHA256	X25519Kyber768Draft00	lh3.google.com	F	-	-	T	CsiI	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Traces/tls/chrome-1250-tls-x25519-kyber.pcap
+++ b/testing/btest/Traces/tls/chrome-1250-tls-x25519-kyber.pcap
--- a/testing/btest/scripts/base/protocols/ssl/tls13.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13.test
@ -16,6 +16,9 @@
 # @TEST-EXEC: echo "hrr.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/hrr.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: echo "chrome-1250-tls-x25519-kyber.pcap"
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/chrome-1250-tls-x25519-kyber.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-out.log
 # @TEST-EXEC: btest-diff ssl-out.log
 # @TEST-EXEC: btest-diff .stdout