From ff27eb5a6959d819de8f8d55cfa9143cb88ff306 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Mon, 30 Oct 2023 13:55:17 +0000
Subject: [PATCH] SSL: Add new extension types and ECH test

This commit adds a multitude of new extension types that were added in the last few years; it also adds grease values to extensions, curves, and ciphersuites. Furthermore, it adds a test that contains a encrypted-client-hello key-exchange (which uses several extension types that we do not have in our baseline so far).
---
 scripts/base/protocols/ssl/consts.zeek | 105 ++++++++++++++++--
 .../.stdout | 53 +++++++++
 .../ssl.log | 12 ++
 .../scripts.base.protocols.ssl.tls13/.stdout | 8 +-
 testing/btest/Traces/tls/tls13-ech.pcap | Bin 0 -> 16446 bytes
 .../ssl/tls13-encrypted-client-hello.test | 20 ++++
 6 files changed, 186 insertions(+), 12 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls13-encrypted-client-hello/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls13-encrypted-client-hello/ssl.log
 create mode 100644 testing/btest/Traces/tls/tls13-ech.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssl/tls13-encrypted-client-hello.test

diff --git a/scripts/base/protocols/ssl/consts.zeek b/scripts/base/protocols/ssl/consts.zeek
index 7f7188859a..ce6314a4ef 100644
--- a/scripts/base/protocols/ssl/consts.zeek
+++ b/scripts/base/protocols/ssl/consts.zeek
@@ -168,7 +168,20 @@ export {
 const SSL_EXTENSION_EXTENDED_MASTER_SECRET = 23;
 const SSL_EXTENSION_TOKEN_BINDING = 24;
 const SSL_EXTENSION_CACHED_INFO = 25;
+ const SSL_EXTENSION_TLS_LTS = 26;
+ const SSL_EXTENSION_COMPRESS_CERTIFICATE = 27;
+ const SSL_EXTENSION_RECORD_SIZE_LIMIT = 28;
+ const SSL_EXTENSION_PWD_PROTECT = 29;
+ const SSL_EXTENSION_PWD_CLEAR = 30;
+ const SSL_EXTENSION_PASSWORD_SALT = 31;
+ const SSL_EXTENSION_TICKET_PINNING = 32;
+ const SSL_EXTENSION_TLS_CERT_WITH_EXTERN_PSK = 33;
+ const SSL_EXTENSION_DELEGATED_CREDENTIAL = 34;
 const SSL_EXTENSION_SESSIONTICKET_TLS = 35;
+ const SSL_EXTENSION_TLMSP = 36;
+ const SSL_EXTENSION_TLMSP_PROXYING = 37;
+ const SSL_EXTENSION_TLMSP_DELEGATE = 38;
+ const SSL_EXTENSION_SUPPORTED_EKT_CIPHERS = 39;
 const SSL_EXTENSION_KEY_SHARE_OLD = 40;
 const SSL_EXTENSION_PRE_SHARED_KEY = 41;
 const SSL_EXTENSION_EARLY_DATA = 42;
@@ -182,16 +195,22 @@ export {
 const SSL_EXTENSION_SIGNATURE_ALGORITHMS_CERT = 50;
 const SSL_EXTENSION_KEY_SHARE = 51;
 const SSL_EXTENSION_TRANSPARENCY_INFO = 52;
- const SSL_EXTENSION_CONNECTION_ID = 53;
+ const SSL_EXTENSION_CONNECTION_ID_DEPRECATED = 53;
+ const SSL_EXTENSION_CONNECTION_ID = 54;
 const SSL_EXTENSION_EXTERNAL_ID_HASH = 55;
 const SSL_EXTENSION_EXTERNAL_SESSION_ID = 56;
 const SSL_EXTENSION_QUIC_TRANSPORT_PARAMETERS = 57;
+ const SSL_EXTENSION_TICKET_REQUEST = 58;
+ const SSL_EXTENSION_DNSSEC_CHAIN = 59;
+ const SSL_EXTENSION_SEQUENCE_NUMBER_ENCRYPTION_ALGORITHMS = 60;
 const SSL_EXTENSION_NEXT_PROTOCOL_NEGOTIATION = 13172;
 const SSL_EXTENSION_ORIGIN_BOUND_CERTIFICATES = 13175;
 const SSL_EXTENSION_ENCRYPTED_CLIENT_CERTIFICATES = 13180;
+ const SSL_EXTENSION_APPLICATION_SETTING = 17513;
 const SSL_EXTENSION_CHANNEL_ID = 30031;
 const SSL_EXTENSION_CHANNEL_ID_NEW = 30032;
 const SSL_EXTENSION_PADDING_TEMP = 35655;
+ const SSL_EXTENSION_ENCRYPTED_CLIENT_HELLO = 65037;
 const SSL_EXTENSION_RENEGOTIATION_INFO = 65281;
 
 ## Mapping between numeric codes and human readable strings for SSL/TLS
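Review bot: `SSL_EXTENSION_CONNECTION_ID` changes value from 53 to 54 in the second hunk, so any external script that compares an extension code against this exported constant now silently matches a different codepoint than before. A comment on the line would make the reassignment visible to readers, e.g. `const SSL_EXTENSION_CONNECTION_ID = 54; # RFC 9146 codepoint; the draft value 53 is SSL_EXTENSION_CONNECTION_ID_DEPRECATED`. Since both constants are exported, the renumbering also deserves a NEWS entry. The enclosing `export` block starts and ends outside the hunk.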
@@ -225,7 +244,20 @@ export {
 [23] = "extended_master_secret",
 [24] = "token_binding", # temporary till 2017-03-06 - draft-ietf-tokbind-negotiation
 [25] = "cached_info",
+ [26] = "tls_lts", # draft-gutmann-tls-lts
+ [27] = "compress_certificate", # RFC8879
+ [28] = "record_size_limit", # RFC8449
+ [29] = "pwd_protect", # RFC8492
+ [30] = "pwd_clear", # RFC8492
+ [31] = "password_salt", # RFC8492
+ [32] = "ticket_pinning", # RFC8672
+ [33] = "tls_cert_with_extern_psk", # RFC8773
+ [34] = "delegated_credential", # RFC9345
 [35] = "SessionTicket TLS",
+ [36] = "TLMSP", # ETSI TS 103 523-2
+ [37] = "TLMSP_proxying", # ETSI TS 103 523-2
+ [38] = "TLMSP_delegate", # ETSI TS 103 523-2
+ [39] = "supported_ekt_ciphers", # RFC8870
 [40] = "key_share_old", # new for TLS 1.3, used in some of the drafts. Did not make it into the RFC. Was used for extended_random before.
 [41] = "pre_shared_key", # new for 1.3, see RFC 8446
 [42] = "early_data", # new for 1.3, see RFC 8446
@@ -238,18 +270,41 @@ export {
 [49] = "post_handshake_auth", # new for 1.3, see RFC 8446
 [50] = "signature_algorithms_cert", # new for 1.3, see RFC 8446
 [51] = "key_share", # new for 1.3, see RFC 8446
- [52] = "transparency_info", # temporary - draft-ietf-trans-rfc6962-bis-34
- [53] = "connection_id", # temporary -d draft-ietf-tls-dtls-connection-id
- [55] = "external_id_hash", # temporary - RFC-ietf-mmusic-sdp-uks-07
- [56] = "external_session_id", # temporary - RFC-ietf-mmusic-sdp-uks-07
- [57] = "quic_transport_parameters", # temporary - draft-ietf-quic-tls-32
+ [52] = "transparency_info", # RFC9162
+ [53] = "connection_id_deprecated", # RFC9146
+ [54] = "connection_id", # RFC9146
+ [55] = "external_id_hash", # RFC8844
+ [56] = "external_session_id", # RFC8844
+ [57] = "quic_transport_parameters", # RFC9001
+ [58] = "ticket_request", # RFC9149]
+ [59] = "dnssec_chain", # RFC9102
+ [60] = "sequence_number_encryption_algorithms", # draft-pismenny-tls-dtls-plaintext-sequence-number-01
 [13172] = "next_protocol_negotiation",
 [13175] = "origin_bound_certificates",
 [13180] = "encrypted_client_certificates",
+ [17513] = "application_setting", # draft-vvv-tls-alps-01.html
 [30031] = "channel_id",
 [30032] = "channel_id_new",
 [35655] = "padding",
- [65281] = "renegotiation_info"
+ [65037] = "encrypted_client_hello", # draft-ietf-tls-esni
+ [65281] = "renegotiation_info",
+ # GREASE values - rfc8701
+ [2570] = "grease_0x0A0A",
+ [6682] = "grease_0x1A1A",
+ [10794] = "grease_0x2A2A",
+ [14906] = "grease_0x3A3A",
+ [19018] = "grease_0x4A4A",
+ [23130] = "grease_0x5A5A",
+ [27242] = "grease_0x6A6A",
+ [31354] = "grease_0x7A7A",
+ [35466] = "grease_0x8A8A",
+ [39578] = "grease_0x9A9A",
+ [43690] = "grease_0xAAAA",
+ [47802] = "grease_0xBABA",
+ [51914] = "grease_0xCACA",
+ [56026] = "grease_0xDADA",
+ [60138] = "grease_0xEAEA",
+ [64250] = "grease_0xFAFA"
 } &default=function(i: count):string { return fmt("unknown-%d", i); };
 
 ## Mapping between numeric codes and human readable string for SSL/TLS elliptic curves.
@@ -293,7 +348,24 @@ export {
 [259] = "ffdhe6144",
 [260] = "ffdhe8192",
 [0xFF01] = "arbitrary_explicit_prime_curves",
- [0xFF02] = "arbitrary_explicit_char2_curves"
+ [0xFF02] = "arbitrary_explicit_char2_curves",
+ # GREASE values - rfc8701
+ [2570] = "grease_0x0A0A",
+ [6682] = "grease_0x1A1A",
+ [10794] = "grease_0x2A2A",
+ [14906] = "grease_0x3A3A",
+ [19018] = "grease_0x4A4A",
+ [23130] = "grease_0x5A5A",
+ [27242] = "grease_0x6A6A",
+ [31354] = "grease_0x7A7A",
+ [35466] = "grease_0x8A8A",
+ [39578] = "grease_0x9A9A",
+ [43690] = "grease_0xAAAA",
+ [47802] = "grease_0xBABA",
+ [51914] = "grease_0xCACA",
+ [56026] = "grease_0xDADA",
+ [60138] = "grease_0xEAEA",
+ [64250] = "grease_0xFAFA"
 } &default=function(i: count):string { return fmt("unknown-%d", i); };
 
 ## Mapping between numeric codes and human readable string for SSL/TLS EC point formats.
@@ -1081,6 +1153,23 @@ export {
 [SSL_RSA_WITH_DES_CBC_MD5] = "SSL_RSA_WITH_DES_CBC_MD5",
 [SSL_RSA_WITH_3DES_EDE_CBC_MD5] = "SSL_RSA_WITH_3DES_EDE_CBC_MD5",
 [TLS_EMPTY_RENEGOTIATION_INFO_SCSV] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
+ # GREASE - rfc8701
+ [2570] = "grease_0x0A0A",
+ [6682] = "grease_0x1A1A",
+ [10794] = "grease_0x2A2A",
+ [14906] = "grease_0x3A3A",
+ [19018] = "grease_0x4A4A",
+ [23130] = "grease_0x5A5A",
+ [27242] = "grease_0x6A6A",
+ [31354] = "grease_0x7A7A",
+ [35466] = "grease_0x8A8A",
+ [39578] = "grease_0x9A9A",
+ [43690] = "grease_0xAAAA",
+ [47802] = "grease_0xBABA",
+ [51914] = "grease_0xCACA",
+ [56026] = "grease_0xDADA",
+ [60138] = "grease_0xEAEA",
+ [64250] = "grease_0xFAFA"
 } &default=function(i: count):string { return fmt("unknown-%d", i); };
 }
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-encrypted-client-hello/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-encrypted-client-hello/.stdout
new file mode 100644
index 0000000000..0609c91cd5
--- /dev/null
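Review bot: The comment on the `[58] = "ticket_request"` line carries a stray bracket, `# RFC9149]`, and the `[17513]` entry cites `draft-vvv-tls-alps-01.html` where every other entry gives the bare draft or RFC name; `# RFC9149` and `# draft-vvv-tls-alps-01` would match the surrounding style. The GREASE keys are written in decimal (`[2570]`) while the string values spell the codepoint in hex and the curves table in the next hunk already uses hex keys (`[0xFF01]`), so `[0x0A0A] = "grease_0x0A0A",` would let a reader verify each mapping at a glance; the same sixteen-line block is repeated verbatim in the curves and cipher-suite hunks that follow, so whichever form is chosen should be applied to all three. Because these codepoints previously rendered as `unknown-<n>` (the updated tls13 baseline later in this patch shows the change), any downstream content keyed on those strings will stop matching, which is worth a NEWS note. The enclosing `export` block starts and ends outside the hunk.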
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-encrypted-client-hello/.stdout
@@ -0,0 +1,53 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+T, grease_0xDADA
+T, renegotiation_info
+T, application_layer_protocol_negotiation
+T, signature_algorithms
+T, key_share
+T, psk_key_exchange_modes
+T, application_setting
+T, SessionTicket TLS
+T, supported_versions
+Curves, 192.168.20.65, 162.159.138.85
+grease_0x1A1A
+x25519
+secp256r1
+secp384r1
+T, supported_groups
+T, encrypted_client_hello
+T, extended_master_secret
+T, status_request
+T, signed_certificate_timestamp
+T, ec_point_formats
+T, server_name
+T, compress_certificate
+T, grease_0x9A9A
+T, padding
+F, supported_versions
+F, key_share
+T, grease_0xBABA
+Curves, 192.168.20.65, 162.159.138.85
+grease_0xDADA
+x25519
+secp256r1
+secp384r1
+T, supported_groups
+T, SessionTicket TLS
+T, application_setting
+T, ec_point_formats
+T, encrypted_client_hello
+T, renegotiation_info
+T, signed_certificate_timestamp
+T, status_request
+T, signature_algorithms
+T, compress_certificate
+T, psk_key_exchange_modes
+T, extended_master_secret
+T, server_name
+T, application_layer_protocol_negotiation
+T, supported_versions
+T, key_share
+T, grease_0xFAFA
+T, padding
+F, supported_versions
+F, key_share
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-encrypted-client-hello/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-encrypted-client-hello/ssl.log
new file mode 100644
index 0000000000..9858cccfec
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-encrypted-client-hello/ssl.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert
+#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.20.65 51066 162.159.138.85 443 TLSv13 TLS_AES_128_GCM_SHA256 x25519 cloudflare-ech.com F - - T CsiI - - -
+XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.20.65 51071 162.159.138.85 443 TLSv13 TLS_AES_128_GCM_SHA256 x25519 cloudflare-ech.com F - - T CsiI - - -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
index 36f6474c08..d1de37cbdc 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
@@ -1,16 +1,16 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 tls13draft16-chrome55.0.2879.0-canary-aborted.pcap
 key_share, [orig_h=192.168.6.203, orig_p=53226/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
-unknown-27242
+grease_0x6A6A
 x25519
 client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53227/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
-unknown-19018
+grease_0x4A4A
 x25519
 client, TLSv10, TLSv12
 tls13draft16-chrome55.0.2879.0-canary.pcap
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
-unknown-43690
+grease_0xAAAA
 x25519
 client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
@@ -24,7 +24,7 @@ established, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_
 encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
-unknown-60138
+grease_0xEAEA
 x25519
 client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
diff --git a/testing/btest/Traces/tls/tls13-ech.pcap b/testing/btest/Traces/tls/tls13-ech.pcap new file mode 100644 index 0000000000000000000000000000000000000000..6f111d730a3663bad20fb4e5df3aad4a8776a323 GIT binary patch literal 16446 zcmb_?1z1+y*6n`D7X+jm1u3OFq>(NqL?op{I;2BVK^FeMG<<{2E&2 zCktfHuULAS_SHzk0Z9PR0sv7!6os$8ArD_H^LfbKb}Lx5mc5lvpaF@m4>25oEdT%v z21nNk!*3CZ7;`5=L15=s{0XGB(m-R3Vt4#IY<2E zNdh@blK{?T7{X57V{|W!La!Djv?SrkW*YfhAF-jpckUqp;^1zfbz#R`f9-hbj~(ZN z!Sj8vQO`Qle(iV)3XTpURwRB>R*U*LwS{T4~+0Q9ryG} z(T#I-7bFBYI!*S~8VDVXgb5*2c%l6hCVu4o7)00b!G>e>U;nEFkDsGK$Pi*Oh$s!_ z4Xrw&e>GdL8$&`)*mpai(|fahu*KoJ9eV47Ao~lCnKm|nl7Rsa zhKGQM*udDp+Q8Jn)}7y-*MQf652OI804u-^28tdV1AsH|3jn|dumB7MGY+_!qoXY= zI}1C23E%?QNQiJGBp5Ox92pq~M?rxBoB$(mgOn8dFBAYJHF;TX?M%N;{Pc9o06__E za9WH{|AZTsLyD+I^)kH`zziV3U=rp4GJptz1Jqzm839z3kPt*9aCFeYzi<$Y0w4m2 zPceZikPiUX4^Vb5c5ozCKRX+Dton{lp(5`aFMLe_H!*p$-+a?8>60fAamk&zxx{Up zrLghvxLUtCx48`wUt-o%X1*;out6Px_CvuJDDef!f;CkegEs8o2w^_;;eX7 zK`yD5-od+3urn;903rS-FW*w19jHin)xzEGiZj%yhdeu#jCs?}C4zwo?E2ccWey0WLcM zXau?o{ulubCfInO4>o{0jQ69hz$Wb%0h<*rX`FK|4VRu^sI{Ai{00 z{z4ps5DCHBxq&VJ2obR-u(-UM9)WW2Z8KZjH~+GiIq8@Qr2#Jxn3oQEhq1o>kBy24 z?w$o~3Is$Xu(@cUuDbkXR+5>+!~)>?fJ#x{`*Ol4j9D}1JGm-`2*D9G{Z)K0JPZa& zAm!m~;k0g^F#MW^udApmAH##kA>N+&nTn)iu#(t0p6lQ*p&QBLS=$(QRbtm>i$y=Q z>qvB^JXDFL2`^zZ6h1|+74C>C~|?7VTTqIhi29v%zhUSJS(NK|}Sz~*sFTKXlY z_no@|oZTCbHb0GNn3`!_`m*$7%n(TwW*Bxqm7aW`+&>F}yPa7Vq4U zK=4=%B>sFbB40<}{Fn${kC!?6a%9^F$h>{}*{w-G;1YRBcox}KqC@e3Y!Io+gRpNf z`JMnWadfFSMLLy|Q`ipr`Z<&w`zwVfR%(Hm?!hqj>s;fKFZaXBh(cX7zVGdjXj<=c zuTD+Co1%5tqbGfku0%4lko3|g3`~}W4{1pV*6FFN+qmZGzAR`9G`?AY)Iu96E3(QL z7s|ASZc2-5Z$ge*Ya(RsC-(p~FZ}bC*zl*=Q)Zn_epiH1=jy7g)=a>2D za)o>-L<$Ml@LEm~$NgSGX&joxqKTd}0K3$E?`cJ$$8p0#Wle~J;#R+k|A0865hnHI z)`5n9wdWlFwrz8YZ^ne_HJmgxhviS$L779hkeguwMG7@yxwQ0HCT|7{RS+a77|BOU zFP%Jj8Y=)mr?w)RH21cisp z3j-f}=|$27K5i7b#WDiF!NV6(ipnc+6PJ&plQ0rPoTh;l?;Q@7Ps=L4sVo}T6}_2) z{EBnXYvepsxa@lnM9v7WQq%L!mQO##>ULyB3B#&6#z&WbGg*4(BwaYehB`^;83Je* 
z%PUHd%JNNYg?(TZBTr4k@S&2Edl_l|?L)MU3Q2yc@hug)z_bo3{#oh%3_%K#{X5^c zc6Gs zTD0#JXErY^OTO_)V9h7go&oNMi4}VtF=#~8}I$QzXaDQ zOX1djpt|XMiHzfJN(^2PU-G41p^gRHu8@hk0tfWK)$pb$OO`gzRfjPgg|*@&*{+ca zYg6w?|JAwqRjqc_=V-@VRD@3wFHfuNo^{EgSiiQbTDqnis#D#U{FT6G-jbp%VllsX!!p$h4_rev_r zA7wv0TeV5{>R4TK`Y3I>8dCg>|E~B#=ZX*iUGejd{(6SMOB;Vz{OX3X+J{ zcT1od(y~!w`IIr*%824gi_8X!IkTxwk_5TwXGYohTGxwydAh!YysE`c9YB|eSMvH4 zr88UjG@eM!RD6QCmdI52`c)_U5+Rj0`Lpy4?C+e*zMY;Q z)+Ym=2Buh9316OX3@l0UCvvExl;9+ci&M!?!lCW(y7F1R-PD`%WXaY3mWJ~E;$Wq~ zW#<03aW2IT&5>*}r?v*0JhTfVc^g9VRueY){V8Jgt+MZ|=Rp@7!aj z`0>|rtglO<>!WYTe7wPc^BAriOCkL7<6SQMaw2!>@E*);afUGbF^T}DD`9GqMwEf0 zsr2u2hxUiq;1!O;ciTsIT6!nOC#{3#OYP^(j@gxS@FIw=uH28wqy1>3o4JMXbV+ah z^^0xZQY&v1uSLp8R^&4V!6i$nBZlS43R3e(6O~TqhboG@jjB4En~WX|-K$$|e7@BJ zI*GoUHxOes?`@_K<>C{3zc0Y@X6Q1G&{yhJiuh8&c_GTl!FckRdIj@MBO^7Xa*w#) zw4ktP6qHCYd0Nuoa_P0LuDmigqZ$dTo7O6T^NJW@75W!vEZ8wYxINiHL77b{NAib6vr=PJ*LfewAF{K5`nyN$lj= z-Eqf9~6@elCEkH8{y6^#2>pSVQ66>|7al3U<1h`*aozEM*ue|Fo$ zjL^BhD<1o@gw8uj+2h`zF3C)ao5~5>pLUnerxI;&dtQ9wvyuAKX-DS##`i6qvj6xQ@yly&V#vI z)X&7yAMAfhp70k#o3aK@Z!9G*6;C+c7E6j+h+btF&o}cfA$ojh$^M0$j?2KXqoycq z?Y5x$x^8MNuN~KEgQ5~kGM?g)E3ggtjs^sxxl_p`u)X@`$P!yLbmIeSXo}RQIE>^d z7)`fUF%LmN=36ml)%>rxCY)ut*l(mll$%2eZ>)av*oSQ=EX3!LwJ`ZC3^a?s7fB*8 z+T~PjIT+Ck^bl@gXCDt0)#eLOsarcl=EHFHBV+2L!sNMM_nd8`&!l%$>H+DH3$cB8 zQ&_A)1^t>!mmBjKIX*96_7^mzlRlFYQp?N`oy}`+1CKg!i`pMqMhk^J^s@-vsIQ_z zDT{v@NXR%%D!`VgL?|l9_9#XN$!LA>_) z*%?%XPh@WyGHiX=3_&=aA}lJZk>SFH?VMTp9cTwF4^!gKc@dpiFDa9}%~8=vLcTg9 z!%REL8$;6-ES9k@ijWw$jjdtYyGPBTzUA3OeJdtWr}t)QAPS$LE$c_0wBGq$B1a(5 za`Ro;=|17@*oZWS8iJ0>nc`m=zbiDw+@&tNY$F2RGJCLU{|yvGj|C93b# zEA7-U_;OF=bKvwE`pbL!Rf4b1me4!yZL-}vXlv^)ALNxG+Dsa^_B%c)mE*y5f!=Q) zu&zyKEY|czR9>@Y+i?GKPcMEfsz9S8hMRjCO&mG%R#Fgo#zfb2I;8lSpyHQ7Km2y7XD$*}cV~Jso|~83t$%nmd1=eEvL80~aqV&X4Hh zfhezv(ZS1#$!4P;djQWU^x)}d3_{F3Lj!z4Mxb>8(eba#ik#n%=zk%C7d{**zYrN9 z#J`Uo+#(eET;~$>x?R|VyS*yQj z!!nxX*T@KEL=K*M!CRH{bs?jOzcLE>BcrzSJ%SmHd;gvh#P>b^-p&T6Rt4(oYk6!m z8iITH2E)~A$E$E=`w}Ild!KC_8hwleE)%z2)~}aFA>qlgkDsF{r 
zWtt1w!q#dJUo-@CH%h5IeVRsP{m3lI3>p1y)(AfuuDD&$qLaHe-05q^cc1G@MYc`P9({F2dgH;g%ZQ^L za>RgQKG7ZZ?#VK0B!oN9PzLyv3p%U5Mxo1mao`-V5md3zc^?p8An-&7p`y<$;^UP| zw&9t^chPp!BpIALy=s&aZPsYE7JTz~ zMN-6p=7sg%SG7v@8^4cYOj@voW(2pGH;RX42|LZ1wvSn7+GiKfua?Qq6aHN8nnHmm zuT>sUMLFOuZ>JJj*#hwrYpU|h3&ae`@mh@PqP3QnHLS`%UM)8=(99qS4-A`T68N%U z9$KN7^74IfM?MfKH2$ihy$W%m!wIc22#3%4uCy-zAng;ot?^6>u!(EXJuG$d#dNL&6_3=uf+_FFE{DgMhE$5=$u+kSqTS6VOg_89qYQBX1=R-w zLhC|MRXefspaFjbwfGtIK=@)%Ql*e-mx+`&X2YnwmzFH!wknodHWl%BII#})?yDEwmv_=SLs7pZaGW;q z-lPD2+QNA&9@+E5oHp;xe9lr+1tzRc+${{LwbL(jqETE`dwZCqMR46M)y;j7Sryv6X?4z^BaE_ABB_5;tG19xx^PGi{i5e`XzDwB7VbnjRjSLbicQ3GrYL z1J2ia^RGA&tO~*`iB@7xRBMoAJSQsM_xwon z2v*zEKDCT?;%OPj;xGz46JNiZ{NzUN`Uz&{<9s^y*<1@H(G@+al;z#L=Q6bxu~mEt z^#fP#;~TA&28SyIj26mrQJ}sbGY^y16nin!MC$fbFJg{HwFs}wrzOiTW|a+{XG3MR zD|L25cQM5#?^*t)tF{Hd;^&*ld?^GuKGMcl+No0TFf$fegqb@cuilQ`E1`HBY-TFd zE)W^?y5`A(o{AUWd#{|$?J;FQ>zJ;e`QY(ro|nOV!SZNY1diBD^NF11f5^ptUW2!#NkPWDqsOt;AiXqSph)RPU7E*P>IdY3bf2#r~p8k z7nFB-_3W{omr!Q2?$wzZhs&vD$7&8!e%nyMGBBVx*!Ix6Fl+zey=saLum5T zz3`NpGfxtaYpr(Z_n7x-(mUQ`w(Jtw4r0B#-^kKE66&Nsp0jJ?#QM&5g@*Me_o8f* zjmM+5s0}OzAxFSFr4R8tLt(77bT^W4^V9=v`zeAec`aVZlyXW_#k!drhEh=otE4uW zQJ=SD2VKJam|41eB$T<&q(@VWDC7%vw=6K_89fW*%oqx)PuSwsgr1MG>=;`=xCHGx z>F94JFO-hUPV&5T>Aw$8Nf=nVPvG4=y!9^~q{*hF07XOuLQH4B1jvEo2(3R6VS;v2 z=i?avZxKORy6gM187LVcM36}sV$=)5k7wR31y?((+i*pl9!hRv%PHE@#kPH)S1q~n z{ceCDk}*NP>e;SD2qxy>A=-g=>^Om4K5)OfY5x4ymv>p zhX^K-Cz#b=QIH+$R&2#AYKx6f99l!2{gHt8^?O!C;dAq8WH&0oIGvw2}0u=Ol8HJ)f7mwRA>@Pr8WwJzOvoxv#O~j z*@+AL^rIFUs?N;&i$`~~+1D1{^=yaY@)btv8_wOgy0bVF=M(%wm*ukzoWS5#_=$Od z;7s|Y_aUF^g$Otjlid^Q9^R3rVr+q!%>bGGFJmTsUMuh4nJtYwuNBCw(zgrD0;H~^ zJXCM5tkbCt0Iu#iPI62HlQ~LBJu6uLP(W&qOaFY#KB2rSeFKi!Np;?@p>PEogb@Qo zT;+uQZxM0eKn1w_A0BIV)lbAqe;A+%4lT6)Y&Sr`PUf7HKi)-3-+-hHLr*~qaI}A@ zKdrCG}1a)rTjsE&v_&q z0A9KJdn5=EF8~JcfO$jfg6M$$?78Ud{vkTU;4cGrkN{wG4*(z(hW{@pB6D`MSWJAhgpzTyXE0;Nx3h1Q*B! 
zCj}2?pvQjhfz}yb|B48@;Q4L8BmRpE?$K8Cu6E*<)?>QXd1o|_-H`nSyqr4Qfry19&h4;~1j?Fl zxgxoqJc@^Iaqf~i7`#!Za-13Rxl^f^x+|pb+ry7DI^t;)0JM-tz{ov0!9Q-gCz0Op7h=X=@Tr zc3PLGYs0)AYBcdbHtN4|!Na;^)-~grR_%7KM^6rpWihT`=e+GivAgCP(t{O;%KZ0L z6s1I@LJY6l(WIE(-9`KQ`wbHjv}Y=?8|JuWd&42_OB$d^qZU^;bXG(`S6x-YU`aN72>DkCplb1`1~p&67sur{Q_RHQb=E2JB&*F z)qu&Q9LA50x;gi+KYS3)z8x_3sFdf-I6?F99$$8ENhKRD&DUwA(?qAK`m*>qTWSGV zVR6yTcc_7cxw%_)2z8pbB5Py@!lFD72fruqj5NE{kOC)axI-OeFT{3GU)b;I$S^*x zD(8nw&(1cYMJ(U<6D}_KgoC_pXEa2isWTeoA(U-*ofpUFw70y8Vm6Smr96?(|Lw_* zvwja6adl5OtO3dXcF8eHGIQS6xgC+VtcI$of;+5{L)I!7-yod_Nw&1)5nWA2oM~WJNr*>tE;%YoX6>=K8>CN=hqlT!6?|tF6?*fUiO<#*8iP zvu-~WV?oh(##Z!3!>~uAB-jwCjd)zGi6=)2(+WY?SFO2Qt{i*(^ffc0Zo)JYfW4Sh z#a1^3%Mn79{_y-!BFU1ja)>9tNYR$_6B%|oOXqo~eXZe67Buc@d9npCm6<^lyz9G$h)QClGw*fgsGGZ-Ekn4$ z2SZc+CR}Y>M#N&ZYv$S`@`GZRE3?d4({;$khIp92G;t0Nmq=AkqrEtDG^Cs(*2to% z+mA-E#TOCPoo-!Zm*4#Ge#eJ%nb$Kll9wj0_0H^KyxJ=*B=R2GHE*@JOAi+*!n3^< zXjpx|8+bJlSB&hB^8>2i4N~$Jn`Kp9;TAzWgJSRQWJn`nE~VXb#&b60rr!HZw0PpG zB!AGG#pJvbZWYjW<(s`kiJb$13pJw~9sQvg8ILRG*N!0nuB#}wT2+>Jv1@o^7e(3& z%OxUgnlRr9D8mlJNW(NpHSZ4#KCESnXBA3)v+9t++AgbFb+7rzQu~bmY7zn7D9wbL z*YkeoS3|Z7;(LZ}E4A?Uqng@VXEhsoqNn6vPAgI$zEYqYick0+`d)G5>e|*gZ(e{~ z{>L&~X3tl&MB8W>1BpjPlUD)3tgnOS?zuam5$@5QGqul!GOw2BWOf-$+v>}4Hojty zzFu+0b_dgy94^90YJE3XA+x`3_S&8(dT*f;hs0iZCh?qo*LpdjU`vhC)u~qdXFRJ6 z#yOOWI7h8DQ8Pyx!%8Y|IzAOw@#m>#sXuzi-mt>N@!1@sCi-ipDLG-_W`v6-0#d<~ zr!L(TMC?W%{mGou=dNtOyb-ar;2J2O=+Gxn6|`^rVTYyC4%iGTO91X zGg|B^ecq_JKiMFj#uRRw^GKR-9_>+n5pNQmj zn;caSZo*TTd}16HdD2QC+l6hSdq*zp?pv+IT$UBbk?vd3CZi$bxW@685<^P*ellxY zL*?1+9i})=zM@|nGn<*ya8C4?K9Y^XOP?a&+vs~?^{}()ej;)eiyS=r^; zrRd#L(0mV2QxxUI*+cWy?MfrT=tO`iQZ&)<0jF&I&FtnNT?o2 z1FF2uy+x)t9|`nul6sKncn%rOYS*unYko{OBFEq04!zbG#bDQL6Ip6j8p4-NKdyah z%yZdcOH(_=Y4>4;H_D z?b5!+Yk#q^HTgW2%yLR>D)5t?hO_>z->L4o|-F?7=G9GsU#Z zQcIRkuM-x9GcqH|z81A=6XT}Xi}d0`g(vZTVKkkDL8omj zu7APZh(pd(zx66YhL#w$617Zg`%RTN@>X(OXXSmz>X;V34DuKeX?&frrdk4YJXq}W zqngig%3a2t2KnqeLIvShbGEK0KAC*zT+P;^h&wjw5=oT|zo&>S>uLMB_ES$=UBu?4 
zRO#jFK7lB!Y`m5z!U#M6k?wB|5kc!O_r@`hD@k(9XAP9iraTyIyLs99nv>=>nOhK? zLg|ErIOJ`nECBim{vr}FK+0U9FSVD#V8$i;zyrxn|ADdc<4OfIJ|gt0s`V{XzhjJt zl8qLX))n!(aG@q*GLu>LTq)IRJYR$0mXOFaS+-kAOx489#*Q80{ zqQ>Zgz=LnbZ$6W`Z|n|KuVD&)%M?1`l;dj5r<(p$*7q%(s&b5l?bk;SvAw-WEu z9(}j}o@RFNd>2YRvF}FDy8Z>8d1jlt$Ck&&PI}g;2lw=`4Hyr>@CyjM>QPy9th6$ z+1jsEdl;x1RC9|=bcUqDd~Te*TcM#1qA1UNAHTz@hJ%+UPQKB%DScdw;U>p+o$>8p zg=A)ZjdywrrYbFtd^)vgMNT40?tG{C%{}u*wA=^MMp-1qO}w76afo5gTiFTIr`yWV z{lbIbEFH;9FSzEVp17QbyjZo$FzD25B8o^|(I+a6%aQDt>A%vjB1WAADgGl+@yo$; z4zwTklMVtYz8ZPfmK@i`@Rm$NR6hOMfp(} z*Tg>u^}Hg%@28(ciT<3YT`>_Y`j4}zGRUky;Lacw{f}bDJ|3UJW%&52T_lzLE?|mamP*L7}IbeIDt~S!J6D~uX^yRQ}NO<|X#lu@#mmj5X z6lKzT*(H5xzD2R3EX*)W!DP71j1q=gRhOhLeg|{8xV*EH&}J+(C)^hYp&XC+jTi~G z*JCK#B{186@In9cY)MFdW@{pQAzK7s=JT@$g|zp{8bb0Nd{-uAGVk|4GIwhl(=@={ z!_3rYOgA(al2p^uK|8F;>9-Z~+`TdxlVj|Z8gv)i(sq4^QLX=IVd#K3Nm^y?p`0kTi-RRG$*l1oURVy7_BO7 zPlY+k%gQqwwPAuHwfD_T?G2sb;zJipLH*>HGhB#(p~9tRRJHHK1Gxtpt!Rf>-MwP+ zy~mSp)kJK`?LJE}&d*p%QWZ>MB=+Prrrb{cKC=^O2lsdHvNun+ed=tT%avN-Um5Xn zbo}hoE(1?5$YUsoGWDKX@XvMnPX?uOamVM! 
zwQC&Ql$JZfNHg;Jo2RGlJn)N|^k2x$j6o{+veC=_*yv>HS#ONc49At>yM0t7MPp6l z@x^IjUBg)!bYJJF5UGHIE$Q!s3^zY2Y)7hG?L@jO@eLtmZ36*INaNH0Ouj3VA%Eh9L4D%G9?`1!Ibw<+A;IWFRQ&epzAuT`1F*MXMQ!yiA zP&8vyDi{{LljhdH6GLS|DIJWG3AL5Q_rC}If>?236Q7G!?;m3IB^)3jfy@LxuODp% zj$|7+>@yJJLlE&lyY1K{=ZF#i77>)crN6vA5V0LXgvN^RRh-5^UV#eQMuHC2+k9R> zT|;#Y4-|H>dl_@fr<~Gj#eurT%GcAjoim#Q!?{L7KMv@jJzNV-{+Z5ycH6N@&(q2O zJslLz^9_ROJpS-&gTK+Iud zaZdj(Tm!N4o3hPOw{d9*(++y2ToS-dC;$QwRZaX&lc@^;g zsDjhaDj*E~szT4tPAnPb-w}D5q=MbsjbB!^^>J=*-V<$GM3MZVAP4(QvP+1?8B(E+ zzJW54GS>=s2xbcrNluv`GT(wbdl)ZR8xjcm_2R2HW@7BBK0U zU7Z<=3{?8p+Xr33*^E{v?y^WXZxS%0?%Maa-0gERYa?hyFN1iP26=D-Z$Y8;=ZwQl zu_+)PnBsot0hRG54^8nGc!05N$5?r9zqNa*GYb!$Zo8&wJ-e4k5!_LJbA9`IHVymr zq={}IK)y;v87@>Jp@pbU^c=Eb^qy}T& zy}1?QXf(?7({HGmHuh9DsX1CD^%+)k`Kq4V_96GhYFi$tC|WSwm)&BXCp{s5YAaBL zcdH};`}Ec01gb7fmHDg>j^p++{x52d`5O?rU)jDx^(v1$Tzfsl>TwjY<7bX;E`e+M zU4p|jJauy?X(i_NHY-$wCj^)OvFSl36cYm11?TCAapqU|pMVqE10nhmU;Z^uf0h+c z#lG_Ilnt)?v#c$K7s?8dB6G2SY~Xq2u1UH7LO6X$N8eiv{r-n>suXc3AO^|*atq*f zIO-YWUzgY5ES+xw6GYSm{eU&_H5pnLBw^w&H%<7LoAyHzAW}RbN#K3*la$O$5Gjx( zWHso8*2E(DwS@<;!8ltYj-A5f%zL(|Glw3tn0=qBp?L!|=S&=MzO!P~pQo&m2eq)6ka4oB{=hW?fCL6*{ zFCPq2R*f4D&C*8}UB-#`eN$ajdJ-3eAUrjVYN#8rg zFgB4EdrG=&uRItUp`C^*_#}9ov|2icutq% z5MkK$j{wZs_EsIOtC$IV`}JdYnJhQ3K8#~~VRVb%)%w1qO?}Bwt{Tp3+cnQU?1SO7 zit-L3+yf#UY+PvlNjNxvROcnk`JHgIl=BjTgy$?>ARHiNi6>Ah?~hra@n5%SLe9n! z&7Ob1kL{$1I|c;|ul~DdE=n@A-xd`>V6`sjU)aSZy)>GIVpd<`JjQmG}#jL=Cii^lN9g{9z=yE8joYN zP3U$l*|1}3*zG~fsbf>rEGYN8V5I*tLDc7wn*X4G;5-uO?Nbu{9tlEJpFsR4-u@3Y U0?YWr+vlGJ00_nA{~6`~058MhHUIzs literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/tls13-encrypted-client-hello.test b/testing/btest/scripts/base/protocols/ssl/tls13-encrypted-client-hello.test new file mode 100644 index 0000000000..3bd9e84d42 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/tls13-encrypted-client-hello.test 
@@ -0,0 +1,20 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13-ech.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff .stdout
+
+# This is a trace that uses the new encrypted client hello extension to hide (among others)
+# the real value of the SNI.
+
+@load base/protocols/ssl
+
+event ssl_extension(c: connection, is_client: bool, code: count, val: string)
+ {
+ print is_client, SSL::extensions[code];
+ }
+
+event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec)
+ {
+ print "Curves", c$id$orig_h, c$id$resp_h;
+ for ( i in curves )
+ print SSL::ec_curves[curves[i]];
+ }
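Review bot: The header comment says ECH hides the real SNI but does not say what the log records instead; the ssl.log baseline in this patch shows `server_name cloudflare-ech.com`, which is presumably the outer, unencrypted ClientHello's public name rather than the origin the client actually reached. Extending the comment with a line such as `# With ECH, ssl.log's server_name is the outer ClientHello's public name, not the encrypted inner SNI.` would tell a reader of the test (and of the baseline) why the logged name should not be read as the destination. The `ssl_extension` handler prints only the mapped name; `print is_client, code, SSL::extensions[code];` would keep the numeric codepoint in the baseline so a future rename in `SSL::extensions` is distinguishable from a parsing change.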