scapy icon indicating copy to clipboard operation
scapy copied to clipboard
verified publisher icon secdev

Fix NSS KeyLog cannot decrypt TLS1.3 traffic.

Open hyunel opened this issue 6 months ago • 4 comments

Checklist:

  • [x] If you are new to Scapy: I have checked CONTRIBUTING.md (esp. section submitting-pull-requests)
  • [x] I squashed commits belonging together
  • [x] I added unit tests or explained why they are not relevant
  • [x] I executed the regression tests (using cd test && ./run_tests or tox)
  • [x] If the PR is still not finished, please create a Draft Pull Request

fixes #3374

hyunel avatar Jun 09 '25 07:06 hyunel

Thanks for this PR. Could you add a unit test? You can have a look at the file tls.uts to check how it is done for TLS 1.2

guedou avatar Jun 09 '25 14:06 guedou

Thanks for this PR. Could you add a unit test? You can have a look at the file tls.uts to check how it is done for TLS 1.2

Hi guedou,

Thanks for the feedback. I've added the unit test. However, I noticed an issue: rdpcap fails to decrypt TLS 1.3 traffic, logging:

TLS: record integrity check failed [00:00:00:00:00:00 > 00:00:00:00:00:00 (IPv4)]

This doesn't happen with sniff(offline="/path/to/pcap", session=TCPSession), which works correctly. I'm not very familiar with this part of the library. Could you please help investigate the cause?

hyunel avatar Jun 10 '25 10:06 hyunel

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 81.02%. Comparing base (cbb09c4) to head (6b94114). Report is 21 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #4767      +/-   ##
==========================================
- Coverage   81.26%   81.02%   -0.24%     
==========================================
  Files         363      365       +2     
  Lines       88325    89068     +743     
==========================================
+ Hits        71773    72168     +395     
- Misses      16552    16900     +348
Files with missing lines Coverage Δ
scapy/layers/tls/session.py 86.77% <100.00%> (-0.27%) :arrow_down:

... and 46 files with indirect coverage changes

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

codecov[bot] avatar Jun 10 '25 18:06 codecov[bot]

Thanks for the update. I think that it is better to keep the TLS1.2 tests in /test/scapy/layers/tls/tls.uts and add the new ones into /test/scapy/layers/tls/tls13.uts That will ensure that both are tested and working.

Your fix (i.e. using sniff()) is correct, as the error is caused by a TCP segment that is not re-fragmented: the integrity cannot be checked as the complete TLS Record is not processed.

guedou avatar Jun 10 '25 18:06 guedou

@hyunel can you fix the linting errors? The lines that you added in scapy/layers/tls/session.py are too long.

guedou avatar Jul 12 '25 08:07 guedou