Expand description
TLS decryption support for pcapsql.
This module provides the ability to decrypt TLS traffic using SSLKEYLOGFILE, the standard key logging format used by browsers, curl, and other TLS clients.
§Architecture
TCP Stream Reassembly -> TLS Handshake Parser (tls-parser)
| |
v v
Key Lookup (SSLKEYLOGFILE) <- client_random, server_random, cipher_suite
|
v
Key Derivation (TLS 1.2 PRF / TLS 1.3 HKDF)
|
v
Record Decryption (AES-GCM, ChaCha20-Poly1305)
|
v
Application Protocol Parsing (HTTP/2, HTTP/1.1, etc.)§Usage
ⓘ
use pcapsql_core::tls::KeyLog;
// Load keys from SSLKEYLOGFILE
let keylog = KeyLog::from_file("/tmp/keys.log")?;
// Look up master secret by client_random
if let Some(entries) = keylog.lookup(&client_random) {
// Use entries for key derivation and decryption
}§Supported Features
- TLS 1.2 master secret (CLIENT_RANDOM)
- TLS 1.3 traffic secrets (CLIENT_TRAFFIC_SECRET_0, SERVER_TRAFFIC_SECRET_0, etc.)
- AES-128-GCM, AES-256-GCM cipher suites
- ChaCha20-Poly1305 cipher suite
§SSLKEYLOGFILE Format
The NSS Key Log format is a text file with lines like:
# TLS 1.2
CLIENT_RANDOM <64_hex_client_random> <96_hex_master_secret>
# TLS 1.3
CLIENT_HANDSHAKE_TRAFFIC_SECRET <64_hex_client_random> <traffic_secret>
SERVER_HANDSHAKE_TRAFFIC_SECRET <64_hex_client_random> <traffic_secret>
CLIENT_TRAFFIC_SECRET_0 <64_hex_client_random> <traffic_secret>
SERVER_TRAFFIC_SECRET_0 <64_hex_client_random> <traffic_secret>Re-exports§
pub use decrypt::extract_tls13_inner_content_type;pub use decrypt::DecryptionContext;pub use decrypt::DecryptionError;pub use decrypt::Direction;pub use decrypt::TlsVersion;pub use kdf::derive_tls12_keys;pub use kdf::derive_tls13_keys;pub use kdf::hash_for_cipher_suite;pub use kdf::tls12_prf;pub use kdf::AeadAlgorithm;pub use kdf::HashAlgorithm;pub use kdf::KeyDerivationError;pub use kdf::Tls12KeyMaterial;pub use kdf::Tls13KeyMaterial;pub use keylog::KeyLog;pub use keylog::KeyLogEntries;pub use keylog::KeyLogEntry;pub use keylog::KeyLogError;pub use session::HandshakeData;pub use session::SessionError;pub use session::SessionState;pub use session::Tls13HandshakePhase;pub use session::TlsSession;