authorGerald Combs <gerald@wireshark.org>2011-04-26 22:51:35 +0000
committerGerald Combs <gerald@wireshark.org>2011-04-26 22:51:35 +0000
commit767e73c3d5bd86e0aa4d24ca97553dc668d92edf (patch)
treedb78d10ccfa2defbf3972f664b8086dacc1629d8 /epan/dissectors/packet-ssl-utils.h
parentc6fecb57b0641d83c00f8c07d7b75125ad9c81c3 (diff)
From Adam Langley via bug 4349:
This patch adds support for getting the pre-master secret of a TLS connection from a log file. Currently Wireshark can decrypt a TLS connection only if it has the server's private key. I commonly have a use case where I control the TLS client, but not the server. In order to decrypt in this case, I've added support to NSS (used by Chrome and Firefox) to log the keys to a file on disk: https://bugzilla.mozilla.org/show_bug.cgi?id=536474 Given this file, Wireshark can then decrypt the resulting TLS connections. The format is such that Wireshark opens and linearly scans the file each time it sees a ClientKeyExchange. If the key log grows too large, this is pretty inefficient. However, it's simple and the number of interesting TLS connections when debugging is usually very small. svn path=/trunk/; revision=36876
Diffstat (limited to 'epan/dissectors/packet-ssl-utils.h')
-rw-r--r--epan/dissectors/packet-ssl-utils.h11
1 files changed, 11 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index 157a63f1dc..939d32f646 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -420,6 +420,17 @@ ssl_generate_keyring_material(SslDecryptSession*ssl_session);
extern void
ssl_change_cipher(SslDecryptSession *ssl_session, gboolean server);
+/** Try to find the pre-master secret for the given encrypted pre-master secret
+ from a log of secrets.
+ @param ssl_session the store for the decrypted pre_master_secret
+ @param ssl_keylog_filename a file that contains a log of pre-master secrets
+ @param encrypted_pre_master the rsa encrypted pre_master_secret
+ @return 0 on success */
+int
+ssl_keylog_lookup(SslDecryptSession* ssl_session,
+ const gchar* ssl_keylog_filename,
+ StringInfo* encrypted_pre_master);
+
/** Try to decrypt in place the encrypted pre_master_secret
@param ssl_session the store for the decrypted pre_master_secret
@param encrypted_pre_master the rsa encrypted pre_master_secret
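Review bot: The doc comment added for `ssl_keylog_lookup` documents only the success return, so a caller cannot tell what a non-zero result means or whether `ssl_session` is left untouched when the file cannot be opened or no entry matches. That matters because the caller presumably falls back to private-key decryption on failure, and the key log is an external file that is re-read on every ClientKeyExchange according to the commit message. I would extend the comment to something like `@return 0 on success, non-zero if the file cannot be read or no entry matches; ssl_session is not modified on failure`, to be confirmed against the implementation, which is not part of this hunk. As a smaller style point, `encrypted_pre_master` looks input-only and could be declared `const StringInfo*`, and the prototype omits the `extern` used by the neighbouring declarations.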