From e2258b2e09ccfcc59ff8c73ac1c8bc3db0dacb9e Mon Sep 17 00:00:00 2001 From: Hyun Date: Fri, 6 Jun 2025 17:58:15 +0800 Subject: [PATCH 1/2] Fix NSS KeyLog cannot decrypt TLS1.3 traffic. --- scapy/layers/tls/session.py | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/scapy/layers/tls/session.py b/scapy/layers/tls/session.py index 3ac56789e91..de9f342bb46 100644 --- a/scapy/layers/tls/session.py +++ b/scapy/layers/tls/session.py @@ -731,6 +731,15 @@ def compute_tls13_early_secrets(self, external=False): b"".join(self.handshake_messages)) self.tls13_derived_secrets["early_exporter_secret"] = ees + if self.nss_keys: + cets_dict = self.nss_keys.get('CLIENT_EARLY_TRAFFIC_SECRET', {}) + cets = cets_dict.get(self.client_random, cets) + self.tls13_derived_secrets["client_early_traffic_secret"] = cets + + ees_dict = self.nss_keys.get('EARLY_EXPORTER_SECRET', {}) + ees = ees_dict.get(self.client_random, ees) + self.tls13_derived_secrets["early_exporter_secret"] = ees + if self.connection_end == "server": if self.prcs: self.prcs.tls13_derive_keys(cets) @@ -768,6 +777,15 @@ def compute_tls13_handshake_secrets(self): b"".join(self.handshake_messages)) self.tls13_derived_secrets["server_handshake_traffic_secret"] = shts + if self.nss_keys: + chts_dict = self.nss_keys.get('CLIENT_HANDSHAKE_TRAFFIC_SECRET', {}) + chts = chts_dict.get(self.client_random, chts) + self.tls13_derived_secrets["client_handshake_traffic_secret"] = chts + + shts_dict = self.nss_keys.get('SERVER_HANDSHAKE_TRAFFIC_SECRET', {}) + shts = shts_dict.get(self.client_random, shts) + self.tls13_derived_secrets["server_handshake_traffic_secret"] = shts + def compute_tls13_traffic_secrets(self): """ Ciphers key and IV are updated accordingly for Application data. 
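Review bot: The key-log override added after `early_exporter_secret` is the same lookup-and-reassign pattern that the other two session.py hunks repeat: seven copies across compute_tls13_early_secrets, compute_tls13_handshake_secrets and compute_tls13_traffic_secrets. A mistyped label string in one copy would silently fall back to the derived secret and go unnoticed. A small private helper on the session class (the name `_nss_secret` below is a proposal, not an existing method) would keep the label/secret pairing in one place and reduce each call site to one line. The function body starts before the hunk, so the code below is a sketch against the visible lines only.

```python
    def _nss_secret(self, label, derived):
        """
        Return the secret logged under `label` for this session's
        client_random, or `derived` when the key log has no such entry.
        """
        if not self.nss_keys:
            return derived
        return self.nss_keys.get(label, {}).get(self.client_random, derived)

        # ... unchanged: derivation of cets / ees in compute_tls13_early_secrets ...
        cets = self._nss_secret('CLIENT_EARLY_TRAFFIC_SECRET', cets)
        self.tls13_derived_secrets["client_early_traffic_secret"] = cets
        ees = self._nss_secret('EARLY_EXPORTER_SECRET', ees)
        self.tls13_derived_secrets["early_exporter_secret"] = ees
```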
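Review bot: A key-log value replaces the derived `chts` and `shts` here with no check that it is a plausible secret for the negotiated suite, and the same holds for the lookups in the other two session.py hunks. The key log is an external input file, so a truncated or mismatched line would go straight into key derivation and show up only later as records that fail to decrypt. I would fetch the logged value separately with `nss_chts = chts_dict.get(self.client_random)` and accept it only under `if nss_chts is not None and len(nss_chts) == len(chts):`, emitting a warning that names the label (never the secret bytes) otherwise. This assumes the derived secret always has the hash length at this point and that the key-log loader does not already validate lengths; neither is visible in the hunk. compute_tls13_handshake_secrets begins before the hunk.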
@@ -801,6 +819,19 @@ def compute_tls13_traffic_secrets(self): b"".join(self.handshake_messages)) self.tls13_derived_secrets["exporter_secret"] = es + if self.nss_keys: + cts0_dict = self.nss_keys.get('CLIENT_TRAFFIC_SECRET_0', {}) + cts0 = cts0_dict.get(self.client_random, cts0) + self.tls13_derived_secrets["client_traffic_secrets"] = [cts0] + + sts0_dict = self.nss_keys.get('SERVER_TRAFFIC_SECRET_0', {}) + sts0 = sts0_dict.get(self.client_random, sts0) + self.tls13_derived_secrets["server_traffic_secrets"] = [sts0] + + es_dict = self.nss_keys.get('EXPORTER_SECRET', {}) + es = es_dict.get(self.client_random, es) + self.tls13_derived_secrets["exporter_secret"] = es + if self.connection_end == "server": # self.prcs.tls13_derive_keys(cts0) self.pwcs.tls13_derive_keys(sts0) From 6b94114c1e3bac386352820ac652f9f7cfd1c0e5 Mon Sep 17 00:00:00 2001 From: Hyun Date: Tue, 10 Jun 2025 17:35:17 +0800 Subject: [PATCH 2/2] Adding TLS1.3 NSS Keylog Decryption Unit Tests. --- .../tls/notebook3_tls_compromised.ipynb | 139 ++++++++++-------- .../tls/raw_data/tls_nss_example.keys.txt | 7 +- .../tls/raw_data/tls_nss_example.pcap | Bin 4208 -> 11073 bytes test/scapy/layers/tls/tls.uts | 16 +- 4 files changed, 97 insertions(+), 65 deletions(-) diff --git a/doc/notebooks/tls/notebook3_tls_compromised.ipynb b/doc/notebooks/tls/notebook3_tls_compromised.ipynb index c6e75010328..6b9351d6544 100644 --- a/doc/notebooks/tls/notebook3_tls_compromised.ipynb +++ b/doc/notebooks/tls/notebook3_tls_compromised.ipynb 
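Review bot: Nothing in the added block says why a key-log entry takes precedence over the secret the function has just derived, and the docstring of compute_tls13_traffic_secrets (visible as trailing context of the previous hunk) still reads only "Ciphers key and IV are updated accordingly for Application data." I would add a comment above `if self.nss_keys:` such as `# Passive decryption: secrets logged for this client_random in the NSS key log override the locally derived ones.` and one docstring sentence saying the same. It is also worth stating that only the `_0` traffic secrets are read from the log and that the two lists are reset to a single element; how later key updates are handled is not shown in the hunk. The function continues past the hunk.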
@@ -12,89 +12,89 @@ ] }, { - "cell_type": "code", - "execution_count": null, "metadata": {}, - "outputs": [], + "cell_type": "code", "source": [ "from scapy.all import *\n", "load_layer('tls')" - ] + ], + "outputs": [], + "execution_count": null }, { - "cell_type": "code", - "execution_count": null, "metadata": {}, - "outputs": [], + "cell_type": "code", "source": [ "record1_str = open('raw_data/tls_session_compromised/01_cli.raw', 'rb').read()\n", "record1 = TLS(record1_str)\n", "record1.msg[0].show()" - ] + ], + "outputs": [], + "execution_count": null }, { "cell_type": "code", - "execution_count": null, "metadata": { "scrolled": true }, - "outputs": [], "source": [ "record2_str = open('raw_data/tls_session_compromised/02_srv.raw', 'rb').read()\n", "record2 = TLS(record2_str, tls_session=record1.tls_session.mirror())\n", "record2.msg[0].show()" - ] + ], + "outputs": [], + "execution_count": null }, { "cell_type": "code", - "execution_count": null, "metadata": {}, - "outputs": [], "source": [ "# Supposing that the private key of the server was stolen,\n", "# the traffic can be decoded by registering it to the Scapy TLS session\n", "key = PrivKey('raw_data/pki/srv_key.pem')\n", "record2.tls_session.server_rsa_key = key" - ] + ], + "outputs": [], + "execution_count": null }, { "cell_type": "code", - "execution_count": null, "metadata": {}, - "outputs": [], "source": [ "record3_str = open('raw_data/tls_session_compromised/03_cli.raw', 'rb').read()\n", "record3 = TLS(record3_str, tls_session=record2.tls_session.mirror())\n", "record3.show()" - ] + ], + "outputs": [], + "execution_count": null }, { "cell_type": "code", - "execution_count": null, "metadata": {}, - "outputs": [], "source": [ "record4_str = open('raw_data/tls_session_compromised/04_srv.raw', 'rb').read()\n", "record4 = TLS(record4_str, tls_session=record3.tls_session.mirror())\n", "record4.show()" - ] + ], + "outputs": [], + "execution_count": null }, { "cell_type": "code", - "execution_count": null, 
"metadata": {}, - "outputs": [], "source": [ "# This is the first TLS Record containing user data. If decryption works,\n", "# you should see the string \"To boldly go where no man has gone before...\" in plaintext.\n", "record5_str = open('raw_data/tls_session_compromised/05_cli.raw', 'rb').read()\n", "record5 = TLS(record5_str, tls_session=record4.tls_session.mirror())\n", "record5.show()" - ] + ], + "outputs": [], + "execution_count": null }, { - "cell_type": "markdown", "metadata": {}, + "cell_type": "markdown", "source": [ "# Decrypting TLS Traffic Protected with PFS\n", "\n", @@ -104,14 +104,15 @@ "```\n", "cd doc/notebooks/tls/raw_data/\n", "\n", - "# Start a TLS 1.12 Server using the s_server\n", - "sudo openssl s_server -accept localhost:443 -cert pki/srv_cert.pem -key pki/srv_key.pem -WWW -tls1_2\n", + "# Start a TLS Server using the s_server\n", + "sudo openssl s_server -accept localhost:443 -cert pki/srv_cert.pem -key pki/srv_key.pem -WWW\n", "\n", "# Sniff the network and write packets to a file\n", "sudo tcpdump -i lo -w tls_nss_example.pcap port 443\n", "\n", - "# Connect to the server using s_client and retrieve the secrets.txt file\n", - "openssl s_client -connect localhost:443 -keylogfile tls_nss_example.keys.txt\n", + "# Connect to the server using TLS 1.2 and TLS 1.3, and write the keys to a file\n", + "echo -e \"GET /pki/srv_key.pem HTTP/1.0\\r\\n\" | openssl s_client -connect localhost:443 -keylogfile tls_nss_example.keys.txt -tls1_2 -ign_eof\n", + "echo -e \"GET /pki/srv_key.pem HTTP/1.0\\r\\n\" | openssl s_client -connect localhost:443 -keylogfile tls_nss_example.keys.txt -tls1_3 -ign_eof\n", "```\n", "\n", "## Decrypt a PCAP files\n", 
@@ -120,38 +121,58 @@ ] }, { - "cell_type": "code", - "execution_count": null, "metadata": {}, - "outputs": [], + "cell_type": "code", "source": [ "load_layer(\"tls\")\n", "\n", "conf.tls_session_enable = True\n", "conf.tls_nss_filename = \"raw_data/tls_nss_example.keys.txt\"\n", "\n", - "packets = rdpcap(\"raw_data/tls_nss_example.pcap\")" - ] + "packets = sniff(offline=\"raw_data/tls_nss_example.pcap\", session=TCPSession)" + ], + "outputs": [], + "execution_count": null }, { - "cell_type": "code", - "execution_count": null, "metadata": {}, - "outputs": [], + "cell_type": "code", "source": [ - "# Display the HTTP GET query\n", - "packets[11][TLS].show()" - ] + "# Display the TLS1.2 HTTP GET query\n", + "packets[9][TLS].show()" + ], + "outputs": [], + "execution_count": null }, { + "metadata": {}, "cell_type": "code", - "execution_count": null, + "source": [ + "# Display the answer containing the secret\n", + "packets[10][TLS].show()" + ], + "outputs": [], + "execution_count": null + }, + { "metadata": {}, + "cell_type": "code", + "source": [ + "# Display the TLS1.3 HTTP GET query\n", + "packets[27][TLS13].show()" + ], "outputs": [], + "execution_count": null + }, + { + "metadata": {}, + "cell_type": "code", "source": [ "# Display the answer containing the secret\n", - "packets[13][TLS].show()" - ] + "packets[28][TLS13].show()" + ], + "outputs": [], + "execution_count": null }, { "cell_type": "markdown", 
@@ -166,24 +187,23 @@ }, { "cell_type": "code", - "execution_count": null, "metadata": {}, - "outputs": [], "source": [ "# Read packets from a pcap\n", "load_layer(\"tls\")\n", "\n", + "conf.tls_session_enable = False\n", "packets = rdpcap(\"raw_data/tls_nss_example.pcap\")\n", "\n", "# Load the keys from a NSS Key Log\n", "nss_keys = load_nss_keys(\"raw_data/tls_nss_example.keys.txt\")" - ] + ], + "outputs": [], + "execution_count": null }, { "cell_type": "code", - "execution_count": null, "metadata": {}, - "outputs": [], "source": [ "# Parse the Client Hello message from its raw bytes. This configures a new tlsSession object\n", "client_hello = TLS(raw(packets[3][TLS]))\n", 
@@ -192,34 +212,37 @@ "server_hello = TLS(raw(packets[5][TLS]), tls_session=client_hello.tls_session.mirror())\n", "\n", "# Configure the TLS master secret retrieved from the NSS Key Log\n", - "server_hello.tls_session.master_secret = nss_keys[\"CLIENT_RANDOM\"][\"Secret\"]\n", + "server_hello.tls_session.master_secret = nss_keys[\"CLIENT_RANDOM\"][client_hello.tls_session.client_random]\n", + "server_hello.tls_session.compute_ms_and_derive_keys()\n", "\n", "# Parse remaining TLS messages\n", "client_finished = TLS(raw(packets[7][TLS]), tls_session=server_hello.tls_session.mirror())\n", - "server_finished = TLS(raw(packets[9][TLS]), tls_session=client_finished.tls_session.mirror())" - ] + "server_finished = TLS(raw(packets[8][TLS]), tls_session=client_finished.tls_session.mirror())" + ], + "outputs": [], + "execution_count": null }, { "cell_type": "code", - "execution_count": null, "metadata": {}, - "outputs": [], "source": [ "# Display the HTTP GET query\n", - "http_query = TLS(raw(packets[11][TLS]), tls_session=server_finished.tls_session.mirror())\n", + "http_query = TLS(raw(packets[9][TLS]), tls_session=server_finished.tls_session.mirror())\n", "http_query.show()" - ] + ], + "outputs": [], + "execution_count": null }, { "cell_type": "code", - "execution_count": null, "metadata": {}, - "outputs": [], "source": [ "# Display the answer containing the secret\n", - "http_response = TLS(raw(packets[13][TLS]), tls_session=http_query.tls_session.mirror())\n", + "http_response = TLS(raw(packets[10][TLS]), tls_session=http_query.tls_session.mirror())\n", "http_response.show()" - ] + ], + "outputs": [], + "execution_count": null } ], "metadata": { diff --git a/doc/notebooks/tls/raw_data/tls_nss_example.keys.txt b/doc/notebooks/tls/raw_data/tls_nss_example.keys.txt index 69734b2585b..6cf32f6e662 100644 --- a/doc/notebooks/tls/raw_data/tls_nss_example.keys.txt +++ b/doc/notebooks/tls/raw_data/tls_nss_example.keys.txt 
@@ -1,2 +1,7 @@ # SSL/TLS secrets log file, generated by OpenSSL -CLIENT_RANDOM c43c799f04ad31e397ee4fe14c8819a19bf5951bbc545cada407c6c7589e60ab b599798159244555ddd10d80b5552a37d327fd6e661f3520194c28ef6e8bb0af6e3fb4d4f9945a61e83a41f2345fa27a +CLIENT_RANDOM 216e876ea1a480c60145c4c80eb8d05c85b6806043105c391236cd4e88f79a21 54a828bfc25edf47070cd48b8253e8137e88082face8d7e96960756653b57f41bc6df3f45a5746bc9c6305ccd9b35ab8 +SERVER_HANDSHAKE_TRAFFIC_SECRET 74ef95570af6a305910ee6cb0f98fc5bcec0c5d5dffe5f293ae9a4d7ba2110f2 5f2fd60aecc80ee54d17d48ec58fcfccf6fe229e08055dba1a6a09297bea98fd1268bdd6fe19e15c76d7c152d17f7237 +EXPORTER_SECRET 74ef95570af6a305910ee6cb0f98fc5bcec0c5d5dffe5f293ae9a4d7ba2110f2 02aa67e90b524002f7eb00fcda23365ca6bfea5ad179d965264b5c1f6ff93483465b3c147c5070a90e47a406bd431152 +SERVER_TRAFFIC_SECRET_0 74ef95570af6a305910ee6cb0f98fc5bcec0c5d5dffe5f293ae9a4d7ba2110f2 c5f265aee5d17472c71fa889cfa351b12b9280bf74d16477161fd495c87432632908cae923e390d5d52a4719c2f896de +CLIENT_HANDSHAKE_TRAFFIC_SECRET 74ef95570af6a305910ee6cb0f98fc5bcec0c5d5dffe5f293ae9a4d7ba2110f2 bf58ee2a720cb26a594c0c7b714783a406f4daad18fbf7b7b3437bfe944d840cbc0e1843096e1c4ec92b68f230b22fa9 +CLIENT_TRAFFIC_SECRET_0 74ef95570af6a305910ee6cb0f98fc5bcec0c5d5dffe5f293ae9a4d7ba2110f2 7f3ac59f48dbe7f0fa66f92a0e691cf6ad4b84062e66b303f3149107c723ffb8424f8a3488072a8938d842b403e43229 
diff --git a/doc/notebooks/tls/raw_data/tls_nss_example.pcap b/doc/notebooks/tls/raw_data/tls_nss_example.pcap index f03811d0c874643e541d58a65167f68bcfedb591..9268ae4866cf5951b33ec0a8b72c42f4453453fe 100644 GIT binary patch literal 11073 zcmbt)cQ}=A{Qq;D@9n*goq?7g^-!OH(4nX*(0J5A(8Bn?D0L% zDW6aE{e1iV@w>0ZVMB6+{NM|sf?QoFaDWpe6d1n_6yk;k4T!k>^*<5Gk%)7@ zBa%WPKs{36r%))pOPEVmZcqnA;dR%!hC$kkeoEJv`GF#)$)X zq64V-Q(tuJsvQvVUdn$WBK3tD{-f_Ph)4>B0y1a-API%ehYPr@N8GMOkMwQp_8VZK zGSd7?!f{DkUR_U3QA-{IAhiWZkXj+tI@1c&2B`}Y1zL&&KnnqA9stco1Vhsi!DykG zP&5b{8WwN@)5GgzUED$7!LcreUJ2dBgFtZ50mL<490V2|ssn=)p{c6z5+ew~3k+Nw z9VZJ57fTBZFAEP|G6V_uDGu&A?duk9zI4~DJ-z5Ot}5}8B8b5+ptyLyd?6=;pe4iO z6+(#e3h^TNM0j}($?*8VOTnL)2>t)BSt$|ZKW07u%dFbg9^Td-h+qiAuS^_L*aAo}?Pza&dX#-S=5rR!AIh%a!jDp1EOB5k%k*m|?gG zY&a$d9DWE@{YRO#hqO&OSM&>H1TWnR7!*!A*T5Nn zvrAJ*y37EJtxNa)l2K{R*d@Dqo1Ra)!bO1fl4kcxwY`$b{^yoei)-D486B0_o;qK3 z1kKl}g*HA6#oW||HI#^~?P9g(CB-l#V*5z#^Vj&92h@Vu zM`WQNTTAx^sgZc4?3Lw{oSnKeJk-vmMz~8e?HO1=?53n!s+Tl`OYir@NCdR?? z7#QU*KgPcipCLB%rcAus|7z(5NH?Ar2M|Eo02sdxkS>I!Y8Rv%F?L4xhpXu(^2wAF z2O;U6QvOEw1f0GRSyI&j05u&@x$&B&wb5!-d;ev5$@^Y>za|1fvc_VaU57P|nxIPj zQYWQpPZAh2_7b5-KI_+GAJ(hRg<(1VzC(I!A#GmFEq*ID*y_GAf{}|{1-l(}B*F9gmyS`z9ax{68^b_2a~DPuBM4PXf$OupgGtt;K1~?27vlIs&h$oj}4;%|RKh<9-9_y!*)gq63w`R`gAb9d1#ha|cwU9(Z zS28*z1&?Y}QfAw8Qc)#k&y7NBtg zepu*vskTE#4e(uhN-m}tQ^PAh?+)(T(w|?>_#$zSG^gm?{tHeUlNBG|Ph%%=ife7{ zD*(-WLE084#sC3vQPPyQCJlAj;=xLTqwsuIYZ-OtMWqX2!ATsnPty(F;->W4n^|_g z6h11O>c}Izd7F{mofFNVv}LZl<8>PCbSge<5(hVm`??QqSs7#M2%^XdN8PrWjrO+J zy7*qm^BQ?~BJ2#EntV+BwxfPd1(z||)MtH-(cxA6FKPy9ji(8H(oD(eeN)?b7w#VB zZV4~QmVP=5cwI5F%RjL^eYyv{l>ON35WrO_f-qTDgVjR{Hmgl??pc6m&J0@&`;*45!-| zx!V%SrY%@1=8N2iVqZK~l|E%2hHUBB+U!q{?OVU$dOH!di~)!Mg*MgT-tYs2!k4fy1NNTQrjU>d zi)S{hQk0!4`_e)q_gO?3wl?=JWVNpxyvJkj3qOZWt#(T|O!MMCu2A4){(Jvt3K{3E z44=GZ?7ak`5?$R7=jxKp?C^P8s28Q;T=8{M@`%!Yj8{jvSgu=+i-JrFPsuZjnenLn zIX|#%=B;-m>&zsr=vpkcyUpBlxm<BN zD0g4oIhjK9iA8@z~zs&taEP#vnxiptf zx1>qJkc<&JMUNT47RZW4dm2-fbiG+Y@q^>$b;|B1^;MmhZe=XB*Le8lzu*^f(|{Vk 
z3^EUcS2z|L2kJQK7l`qwrNW> zBb8?h8)yDAR=AL6dXCFZi2hK-H@6R4g0{LhT!OD-${i80I@RAvUJ-HFrOJp2C%irT z*n!VO^-|d)2EmdG?@MO)4GXtT9Z8){Zjww%nc`}~`A#CgG`I!U$A(%aZ~Z0fy-3y5 zch6>|-3uSSVHWGwpcuTeXsF5j9nS@^I#B!Es5+d8W<@NBEH7?|h8fXVr#yU<-^@8J3NtPGsv0YGFnZ+gS)J0NRp5y2)W)$` z0|dVhHOIfitk0iV6!x@$w}6m+Jec@3FNIC??U@bJ^I4{0*q+S`jBT7$OTjbYbNF^W zk7=6Kay@NUh~jQj*WaBm7Br9^YK=6}oaYU^w9OLNmwA%~s4_{6VJGhp!0mtUSPA1j z)Dm$R#Nr`1RTL<0yhEySRXX@eOuP-Q9AEVz`-kgUL zsmAsxe`NG`X(Gi7a0C7I4$@yOkj4teuLD)#X;ZdTO#NBU-qT=&Ti~3yUT=y6CwzdM@GnIwJ*vLQJe%-meWBTjVOobQQn&ss zQb9vUpn4e_e_etG0}3(dKM}!-<+mju&`?YGS+T5ChHSN;rYd#>a0PdT%ifPo?gy73 zB>mSVFrp^>qoG#rhFZdTJX^w#D#x@AnFY6?{{vC&uZS8< zD2`9g5P!<-j^v1J@ccJNoxdVh9iljPoFV??SdZlB{$Ge*NF9Mw^uIJF9d3Y#Z{^Pr zvl=1KvqLZGfOqNtZcNJZfuDozLlBwgugCxZBLCKyY}D+fE;N2KL_V;9@#{c6w2(O51QCbq{}T~>Xu&$$ zfj&C6IT(e&C}QS+ZpRv087g{rC1V9s$Z#xbWe1e}3CCp|w^g{)WvNP3XIhNHvEQ71mWIp|SDo1y}F|G%q@If`JI>j_Y|?u@0mQ(RC769tCyxnUo;%p)xuRs$B}*Y-NY?)zNjhA zN?w*7&-G5J^27SRtRe)z{dmphf^wypj#xxyqA0onM|@zCJbxO7)p2y?`?1S0eO;L; zCt9AX84?|#FN#fhj4zs7QtNe5Q)(>9^HZyT{frQ+{4k{1naKyFs*qJfc8y=>abA-c zCj6*Zd;4K?#U!oO%(W_b#MGyf0*QTz;+sV>{O2JmQ`_tdYVnxXl>`Crrvg)k z*3_nSiF`fHC*QCXtuS)dL-)RT@!O% zA@$^{ae)tYyaiPR>d*72$@pW6#YK z7Cpu-IBID$?=;aH8uhdc;%(^;Xy6_eP)4Ki=z71Q5V+2@A*MC%F-%7k^2&INBEU7^ zlaT7Yy{Lm!yXI>TAujPV(Zn8Qx5Mnn+oEA|3rgeXMcm$OetxtMe~8Z$4#+ zzTPc6S?kC?d8#_$diq6U#Wy*@C!g<5Q@hzq4lM1s_7T_oqhV@EI?D-$ard@&HLsp! 
z_F{!IR*#lM9P_(5vrO>R8ap*BepHK_PnLC-qzv)b|B&KETjkt>R|CVEt?4QyQ9Z#; zbyMH;ZiVtz3>}VKGq#&GuwH5NcbTP8D5GF^hK4>zZej>UZu!j(<|{UleqT1{H%q+4 zdqVZU9y~c=c~oo2BIjqgMNT)EOPH%d_i|x<-QABX7=MU)M2~ORI!<$k$%n32$}BGntu2AKE#`Ils6 zqYr4@z7hs@J|$ka{XVLBaa8JKQNfe@uae)EC2{vA4;-9t+#Yv&6g5o)Z9c`Bq$}Oc zgbYWJ%}#_nCX>aI8ridd7oFm)?Dl;)9rma^+w}Bx#y|pR}`hy6FC`<Z4pJ;escHs4c3|o;5Wss!=7{3lwVZvX6`oD2Z!5PCJF3aGDblEUe zH)8D=jKefwMH5Kl7l_*)gcR`tze()#nJ*6^}*{uZ&u_BF?FPyLhpCiw## zzHh|qsq&PX@2fno&?dFbad#bil6sERcR0mA9Gbm!?6&~mMTE~Gj3Qm`puJL`b0l4Q zbw$#6koqGo^}$7S>pJ~+M&*OU;3wMe*U|lsDEn5THbUST79voNUE2g=f#BRpQvisj(g|3Eb1+v z4){+Rwm%ag;wQ@?y#~i94Nqs1Rj>0WXnrLqvpRkxDlYP!fm@|My_{gR>B(zT;pGoE zHsY?_{`4lNT6uzq2A_L`6<4*ZM47JzVW7(uQGOYN?1p-%GM}0wqpSy4iw-|_0xv6B zPy$)U9KU*sMnzQWlG_$2s65kOccmX{S1O(f`g2!?Y4$St{85aHBlnOPh#0^O2asC} z6@T9IfP=#=6e7WYB7(cp^q+ekg$UmByp_+5D_d2juGu6q(YL40-?bX=p1I@Y!t|Pj z|EX7U7ZFthX^a<2|{O*@} zpAsvmoD6@+@sI(0m59#Mt}8xH#R~pK2|HWVMc`av??l5&mV13KEK5eIL;3Wzj-@bV zg>r3b4^dnHr?K9Y`{Y%jF{I}9rsR1OStZl-j@g#YsxqZXnbiA3Gj~|NvaP1}9NcW| z{6t=x@1;nfR|4%YSjoAU|2UdlZ0$KiPnZ<3^~>RfGBCu#?*P_NxK8G8V{BD$9+dgWZ zoa=7RT3q8stx+JhzQuQpdml!NV*;Eylw~m(5>_LsGa5cEKb?3-ILs5-&y-vjn~$+w zqLr3p*e?-#_*kH9+sct_FZ)8Mmqkm~d)qnwmDKNUU&ri9W3(o z_F_fkK8?^&;$x8E=^s*jjP1zz{V3-S<~!lT5Sxd(6>^ZaVy#2O4X9r~ha!7;+055K z9G)g#z0kqPasMPwB4R~vrNCGCqfzS`SL|9<^p!DM8uso`Pgx>tOqa$VE)YI@coRQ3 z-QKuh;FBVBBj=>P`9v^k7)^8`@Fkq#@M`Xte60fiLiGDUp!MBK;aT(9%`+OGmi}}EV@aj+b)GZ{JOm~_*C=g1Szq>rcv>9FL&4bOEE>1)PeITef z+?4LHPZR#^bR5n1NN(;T=Ofs5hxO)QQ@l6z{%Cv%dU(IO8994j;HKHChSw7ju(}bf z*aypvn!W}$9LJuYgJ#noW_?|X7*rj2Yaglk#_P?d#)0$rQQ~yW1%X?kF_X{AThMmT zZSGi-)gqGJD&8h4+L6V~TmTxj`xm1c=c-Guh3r2$4YR?pcPp0kOpkaWCps$mZCbgz z&6R3ieW_!WQRY}$mAg+qMRtCaLxgc+#^RfPrNso#hB@Ax>0dhnW#%PGtCj#%@yt+>ky92Y^tvEMzt#P%^` z89FYq!j(T2j^V{{p(!=lBsQsB5yr{DE+nq7UFv!VN~DqMIhfW+Oxjr%bBZ4+Na$y; z@ahg%Qo`K={#7Qf(3{1_QI&63o#ZKT;%0_E2+5l)j0>piWfI;uOcflO{_LqC`)oQ{ zUGpLBwTCKmJ4Xbnn|dVtD;D!ajUl)5AQFB+rJ&b!D?ajU#vtN~PegsBt>aeb<{{SU zgDGaPLTk}m2z+*ytOik 
z#E-(By9EbA4F(>I^Vl*|Sx!@3PAk;1yVubXuqhC~_kdrAZrLGWS3HT55K%#L`)3CK!&o^2&y4j%`hOWK zKs0OUF}+XiVD9!FXAk36uPXZoGH@neoOR-}=$0@&m=a^RI{{s5ePsv(FHJ>Yj+y{r&G9?tc-nc>k(zAc~{x S8RAbh-Xl3C{Zag(^!*=#)yOLV literal 4208 zcmbtX3sj70AAjDf1NwLvbBSO2XE!k~NrO_@bmuN*- zMbe5QDQn!L_A}V+f?6T1igGI@`ktp|ePhqgq4WLE`JXe-`@Hpgf0y~c&-{Mjcs345 z@V_Df1{ae^Z_(bnG_VAIMy*`Z#vrxkL%@RWqI?y8Mt`VW*!>Qy!fIZ|;I%A#;3A*^ zz{!D&B+gK8TA+&PUXqf4yPeH>f?srJfg#|)HENkSzsehs&#J|yQLNq^! zj#{}C+<2eN4TFeFBqMMDEFc$bh!;XaoOU+Rz;{p;)XFu4f_V%RMIQ&4*M}&&1cvc2 zfQ=@Ii=Rhll0||Cd!BkXdnOuWr@u-ytn~e|=z!YgEB+Zlg}jq*W<-p3*qGq+6_a=N zagwvPRhRsa!&aIH-7-T<&gK{cCoNoy(86RBWE9A(DX2MAb6CcgS%VDOIGF`lEi;vw zgJ7AuOdB}Jm@+N!8Q2f@fob4#Fa=nH0Z1|xumDK_3 zYz}m05=qbqI>At5Fc?gRI)lX^88il+#Ap~DnuHSshGPVd<0MYQ={Vp6CW9aew1a_( z0LL&0ZwAIe2wvs)SFGh#SE_$9+FGPG&Cbl3BYhWs{2Qa#w%<%HuFi-=Run)hR2Yup z^$CV6;~b-Tg#@&oDBlMMqx`$8-Lv=Qh)Tc9z2+k$L>7Qp{P z9AN?C5FqjZkwe818B`oD%_49N$C=v{#7p|0%9!FqHIS6b8l#RVWut<+%gO*biOUnQMLLEiv520!*p)L@IMT*0yIBcvk zMT`cBIE)M6b#*)rCamV!v-F^eLBBjtAL zCEda;tvl{FJx`cbnmys=+sH$~*GOKFrhfkOf|L1U8VZ__;D+MR4PtJ0-z4%@s&miZeR zyx7mrPK&!%H+9?_rbBV%`PA!imfz}HI=k`o_+Bns{niwn=1xvHw$UYe-TJaTvSL@y z3D?x8-?wjLN3RU%tS;$uT5t3;*mFbUy`MX8w{{+92L3AHnb6`VxZer1inPotHcgCB z^Br4jxnakvuP0`-zBc3U^B1G<8kYMtwRX_;FsS%j6B`|f+5)8y9?g(GKvo*E0(e-JP(V5(t{s&#BIDZ!-w@cGF zHDOm&m5;4UQ2^7T%CEL<@sZMc=apqEt~LAF6##LY&()6Ot7ZlEK9D^T`Cc8FdAV3U zT=Jx$+pgO;Qlk9GQ-$_VdzhE<(o#&@jPK}dw6TaSOi#e)q_*1md}law(i^Aw zxt!AJ1v?x^8`r5D`Oof~wVlcz#kBgXaOqZ;hq1>id*XvNL+9>n8+&vhcW>0fNIA>?$m^eWO-ZWzT~vb& zj4MqRnVwFp3wZeWwAI`bI^2EoHv0C4rb76I#U`);WxSTGS^n{NvYdN3O?$l_wHJEU z{6LorrJMGi$vIKhY3%dlOyu~bbG(Jm_bzXy)8E`}YbDAHDqH6N_+Wh8!B;i@k8CRa zOYA3Sn2jxaeYf<^quAxQzMOS5NzPfWEjBsXCkd@?sSRu{cFdib(|tNm6e72?@17AX z4u5$>5}Ei~epc&G*Plw~TXZlN8vWq*COba6{@JbbL1An0wT&0_*1pJS-S&Es;ezfe z#v%`QwQ*V&=l^nVU2Lqa&DHfy3EjKN>6LqQOd7sFr6GZ3PoL$m%xO#iVy@=4inNRR ziFKaQD-%4}OBXb_juwa;gso>Q`LB$2qd7@xz-fnue>WV+?=n9!>6(80t)${xqqPWmO>QVP$X-g+xd}g;2wKOGYKbw`BZ3jzx$<9YT@3qyc;Q zQbMgDz8ub(k&oO>hrBv`)A0e0c3jg6OVQM?qA(J*VzBXU5fbn 
z%ZDyD28=Ta&WVydx%RL5>k4$tW8ErSuP%5O9I((pRLnVjhfyz^;Kj{rT>hfH;y(wr z^j;55mh|8CG~2qbE+(W)^M=li+-e(6VL5xwtj;!JsJCfs-hVlxeA6H-~uL=~TK+<~!22qd#B8BxY*T~wNMozr6 zr!(AUX;xrI+`DbdRtdYirG-;{Ms($0ed5B7t)h2$&d#?u?pqdYozq#QHfc-AZ1wiY z4W6q4ti`>_Gs9~`R@^@Aa-cV0Qbo~@lb;zZ`q}-u9C3+-TvRAFyv&rt%+&phV$KMq zMK#Lse5o7sMH4Fa{^!-8FM}v6-V)$jXb5WMQY6#).Q2MzGY[k@" in packets[13].msg[0].data +packets = sniff(offline=scapy_path("doc/notebooks/tls/raw_data/tls_nss_example.pcap"), session=TCPSession) +assert b"GET /pki/srv_key.pem HTTP/1.0\r\n" in packets[9].msg[0].data +assert b"BEGIN PRIVATE KEY" in packets[10].msg[0].data +assert b"GET /pki/srv_key.pem HTTP/1.0\r\n" in packets[27].inner.msg[0].data +assert b"BEGIN PRIVATE KEY" in packets[28].inner.msg[0].data conf = bck_conf @@ -1602,9 +1604,11 @@ if shutil.which("editcap"): pcapng_path = get_temp_file() exit_status = os.system("editcap --inject-secrets tls,%s %s %s" % (key_log_path, pcap_path, pcapng_path)) assert exit_status == 0 - packets = rdpcap(pcapng_path) - assert b"GET /secret.txt HTTP/1.0\n" in packets[11].msg[0].data - assert b"z2|gxarIKOxt,G1d>.Q2MzGY[k@" in packets[13].msg[0].data + packets = sniff(offline=pcapng_path, session=TCPSession) + assert b"GET /pki/srv_key.pem HTTP/1.0\r\n" in packets[9].msg[0].data + assert b"BEGIN PRIVATE KEY" in packets[10].msg[0].data + assert b"GET /pki/srv_key.pem HTTP/1.0\r\n" in packets[27].inner.msg[0].data + assert b"BEGIN PRIVATE KEY" in packets[28].inner.msg[0].data conf = bck_conf = pcapng file with a non-UTF-8 Decryption Secrets Block
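Review bot: The new assertions exercise only the successful path, and the early-secret branch from the first session.py hunk is not covered at all, because the updated tls_nss_example.keys.txt carries no `CLIENT_EARLY_TRAFFIC_SECRET` or `EARLY_EXPORTER_SECRET` line. A case where the key log lacks the TLS 1.3 labels for a session, or holds them under a different client_random, would pin the fallback to the derived secrets and confirm that dissection neither raises nor reports plaintext. The fixed indices 9, 10, 27 and 28 tie the test to this exact capture; a comment such as `# 9/10: TLS 1.2 request/response, 27/28: TLS 1.3 request/response` would help whoever regenerates the pcap. The same four assertions also appear in the preceding tls.uts hunk, whose header is not readable in this view.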