pcapsql_core/tls/mod.rs
1//! TLS decryption support for pcapsql.
2//!
//! This module provides the ability to decrypt TLS traffic using SSLKEYLOGFILE,
//! the standard key-logging format used by browsers, curl, and other TLS clients.
//! Decryption is passive: a session can only be decrypted if one of its endpoints
//! wrote that session's secrets to the key log at handshake time. This module has
//! no way to recover secrets from the capture itself.
5//!
6//! ## Architecture
7//!
8//! ```text
9//! TCP Stream Reassembly -> TLS Handshake Parser (tls-parser)
10//! | |
11//! v v
12//! Key Lookup (SSLKEYLOGFILE) <- client_random, server_random, cipher_suite
13//! |
14//! v
15//! Key Derivation (TLS 1.2 PRF / TLS 1.3 HKDF)
16//! |
17//! v
18//! Record Decryption (AES-GCM, ChaCha20-Poly1305)
19//! |
20//! v
21//! Application Protocol Parsing (HTTP/2, HTTP/1.1, etc.)
22//! ```
23//!
24//! ## Usage
25//!
26//! ```rust,ignore
27//! use pcapsql_core::tls::KeyLog;
28//!
//! // Load keys from SSLKEYLOGFILE. The file holds raw session secrets, so
//! // anyone who can read it can decrypt the corresponding captured sessions:
//! // restrict its permissions and delete it once the analysis is finished.
//! let keylog = KeyLog::from_file("/tmp/keys.log")?;
//!
//! // Look up every entry recorded for this client_random: the TLS 1.2
//! // master secret, or the TLS 1.3 handshake/application traffic secrets.
//! if let Some(entries) = keylog.lookup(&client_random) {
//!     // Use entries for key derivation and decryption
//! }
36//! ```
37//!
38//! ## Supported Features
39//!
40//! - TLS 1.2 master secret (CLIENT_RANDOM)
//! - TLS 1.3 traffic secrets (CLIENT_HANDSHAKE_TRAFFIC_SECRET,
//!   SERVER_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET_0, SERVER_TRAFFIC_SECRET_0)
42//! - AES-128-GCM, AES-256-GCM cipher suites
43//! - ChaCha20-Poly1305 cipher suite
44//!
45//! ## SSLKEYLOGFILE Format
46//!
//! The NSS Key Log format is a plain-text file with one entry per line: a label,
//! the hex-encoded 32-byte client_random (64 hex characters), and the hex-encoded
//! secret. A TLS 1.2 master secret is 48 bytes (96 hex characters); the length of
//! a TLS 1.3 traffic secret is that of the cipher suite's handshake hash. Lines
//! beginning with `#` are comments. Example:
48//!
49//! ```text
50//! # TLS 1.2
51//! CLIENT_RANDOM <64_hex_client_random> <96_hex_master_secret>
52//!
53//! # TLS 1.3
54//! CLIENT_HANDSHAKE_TRAFFIC_SECRET <64_hex_client_random> <traffic_secret>
55//! SERVER_HANDSHAKE_TRAFFIC_SECRET <64_hex_client_random> <traffic_secret>
56//! CLIENT_TRAFFIC_SECRET_0 <64_hex_client_random> <traffic_secret>
57//! SERVER_TRAFFIC_SECRET_0 <64_hex_client_random> <traffic_secret>
58//! ```
59
// Record-layer decryption: `DecryptionContext`, per-direction state, and the
// TLS 1.3 inner-content-type helper (see the re-exports below).
pub mod decrypt;
// Key derivation: the TLS 1.2 PRF and the TLS 1.3 HKDF-based schedule, plus the
// cipher-suite -> hash/AEAD mapping those derivations need.
pub mod kdf;
// SSLKEYLOGFILE parsing and lookup of logged secrets by client_random.
pub mod keylog;
// Handshake/session state tracking (`TlsSession`, `SessionState`,
// `Tls13HandshakePhase`).
pub mod session;

// Flattened public API: everything a caller needs is reachable as
// `pcapsql_core::tls::Name` without naming the submodule.
pub use decrypt::{
    extract_tls13_inner_content_type, DecryptionContext, DecryptionError, Direction, TlsVersion,
};
pub use kdf::{
    derive_tls12_keys, derive_tls13_keys, hash_for_cipher_suite, tls12_prf, AeadAlgorithm,
    HashAlgorithm, KeyDerivationError, Tls12KeyMaterial, Tls13KeyMaterial,
};
pub use keylog::{KeyLog, KeyLogEntries, KeyLogEntry, KeyLogError};
pub use session::{HandshakeData, SessionError, SessionState, Tls13HandshakePhase, TlsSession};