Add a flag to extract_secrets.py to pass it a known TLS session key

tools/extract_secrets/extract_secrets.py

@@ -58,6 +58,7 @@ class EXI(Packet):
 def main():
     ap = argparse.ArgumentParser()
     ap.add_argument("-f", "--file", help="path to pcap file", required=True)
+    ap.add_argument("-k", "--key", help="TLS session key", required=False)
     ap.add_argument("-v", "--verbose", help="print packets", action="count", default=0)
 
     bind_layers(IPv6, UDP6)
@@ -72,40 +73,41 @@ def main():
     secure_packet_port = None
     tls_secure_packet_port = None
     has_security = False
-    tls_key = None
+    tls_key = args.key if args.key else None
     secc_port = None
 
-    for pkt in cap:
-        if args.verbose > 0 and pkt.haslayer(SDP):
-            pkt.show()
-
-        if pkt.haslayer(SDPRequest):
-            if not bool(pkt.security):
-                secure_packet_port = pkt[UDP6].sport
-                print(f"TLS was requested by {pkt[IPv6].src}:{secure_packet_port}")
-                has_security = True
-            else:
-                print("Session did not request security, no secret to extract")
-
-        # also need try the secc port
-        if pkt.haslayer(SDPResponse):
-            secc_port = pkt[SDPResponse].secc_port
-
-        # Looking for SYN with secc_port which is typically the start of the TLS session.
-        # Some debug flows will insert this key into the TCP port streams as a UDP packet which will
-        # usually be followed up with an ICMPv6 Port Unreachable
-        if pkt.haslayer(TCP6) and pkt[TCP6].flags == "S":
-            if pkt[TCP6].dport == secc_port:
-                tls_secure_packet_port = pkt[TCP6].sport
-
-        if has_security and not pkt.haslayer(SDP):
-            if pkt.haslayer(UDP6):
-                if pkt[UDP6].dport == secure_packet_port:
-                    print(f"found potential session key on raw UDP packet with dest port {secure_packet_port}")
-                    tls_key = pkt[UDP6].load.decode("utf8", "ignore")
-                if pkt[UDP6].dport == tls_secure_packet_port:
-                    print(f"found potential session key on raw UDP packet with dest port {tls_secure_packet_port}")
-                    tls_key = pkt[UDP6].load.decode("utf8", "ignore")
+    if tls_key is None:
+        for pkt in cap:
+            if args.verbose > 0 and pkt.haslayer(SDP):
+                pkt.show()
+
+            if pkt.haslayer(SDPRequest):
+                if not bool(pkt.security):
+                    secure_packet_port = pkt[UDP6].sport
+                    print(f"TLS was requested by {pkt[IPv6].src}:{secure_packet_port}")
+                    has_security = True
+                else:
+                    print("Session did not request security, no secret to extract")
+
+            # also need try the secc port
+            if pkt.haslayer(SDPResponse):
+                secc_port = pkt[SDPResponse].secc_port
+
+            # Looking for SYN with secc_port which is typically the start of the TLS session.
+            # Some debug flows will insert this key into the TCP port streams as a UDP packet which will
+            # usually be followed up with an ICMPv6 Port Unreachable
+            if pkt.haslayer(TCP6) and pkt[TCP6].flags == "S":
+                if pkt[TCP6].dport == secc_port:
+                    tls_secure_packet_port = pkt[TCP6].sport
+
+            if has_security and not pkt.haslayer(SDP):
+                if pkt.haslayer(UDP6):
+                    if pkt[UDP6].dport == secure_packet_port:
+                        print(f"found potential session key on raw UDP packet with dest port {secure_packet_port}")
+                        tls_key = pkt[UDP6].load.decode("utf8", "ignore")
+                    if pkt[UDP6].dport == tls_secure_packet_port:
+                        print(f"found potential session key on raw UDP packet with dest port {tls_secure_packet_port}")
+                        tls_key = pkt[UDP6].load.decode("utf8", "ignore")
 
     if tls_key is not None:
         old_file = Path(args.file)