On Fri, May 18, 2018 at 11:44:12AM -0700, Ben Higgins wrote:
> Hey folks,
>
> Here's what I'm thinking at this point: a new block type for SSL/TLS
> keylogs and another block type for DTLS keylogs. The contents of each will
> be the format as described here:
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
The key log file format is the same for TLS and DTLS, but due to an
implementation detail (two separate preferences for DTLS and TLS in
Wireshark), they are different. I am not opposed to having two different
blocks, but would it make more sense to combine them and create a single
"TLS key log" block and have both the DTLS and TLS dissectors read it?
> Any number of these blocks can be included. For each block encountered,
> ssl_load_keyfile will be called, with the correct per-protocol master key
> map included. Some code refactoring to ssl_load_keyfile will likely be
> required since we're dealing with an array of bytes instead of a FILE.
Ok, doable.
> One thing I'm unclear on is how to trigger a reparse of previously
> processed packets when a keylog block is encountered at e.g. the end of the
> file. Is that possible?
Decryption currently requires keys to be available on the first pass.
I guess that for offline capture files, one needs to adjust pcapng_open
and add something similar to "pcapng_process_idb", but then for
decryption blocks.
Kinds regards,
Peter
