Fix NSS KeyLog cannot decrypt TLS1.3 traffic.

hyunel · hyunel · commit d2f40aaffcc6 · 2025-06-09T15:49:01.000+08:00
diff --git a/scapy/layers/tls/session.py b/scapy/layers/tls/session.py
@@ -731,6 +731,13 @@ def compute_tls13_early_secrets(self, external=False):
                                  b"".join(self.handshake_messages))
         self.tls13_derived_secrets["early_exporter_secret"] = ees
 
+        if self.nss_keys:
+            cets = self.nss_keys.get('CLIENT_EARLY_TRAFFIC_SECRET', {}).get(self.client_random, cets)
+            self.tls13_derived_secrets["client_handshake_traffic_secret"] = cets
+
+            ees = self.nss_keys.get('EARLY_EXPORTER_SECRET', {}).get(self.client_random, ees)
+            self.tls13_derived_secrets["server_handshake_traffic_secret"] = ees
+
         if self.connection_end == "server":
             if self.prcs:
                 self.prcs.tls13_derive_keys(cets)
@@ -768,6 +775,13 @@ def compute_tls13_handshake_secrets(self):
                                   b"".join(self.handshake_messages))
         self.tls13_derived_secrets["server_handshake_traffic_secret"] = shts
 
+        if self.nss_keys:
+            chts = self.nss_keys.get('CLIENT_HANDSHAKE_TRAFFIC_SECRET', {}).get(self.client_random, chts)
+            self.tls13_derived_secrets["client_handshake_traffic_secret"] = chts
+
+            shts = self.nss_keys.get('SERVER_HANDSHAKE_TRAFFIC_SECRET', {}).get(self.client_random, shts)
+            self.tls13_derived_secrets["server_handshake_traffic_secret"] = shts
+
     def compute_tls13_traffic_secrets(self):
         """
         Ciphers key and IV are updated accordingly for Application data.
@@ -801,6 +815,16 @@ def compute_tls13_traffic_secrets(self):
                                 b"".join(self.handshake_messages))
         self.tls13_derived_secrets["exporter_secret"] = es
 
+        if self.nss_keys:
+            cts0 = self.nss_keys.get('CLIENT_TRAFFIC_SECRET_0', {}).get(self.client_random, cts0)
+            self.tls13_derived_secrets["client_traffic_secrets"] = [cts0]
+
+            sts0 = self.nss_keys.get('SERVER_TRAFFIC_SECRET_0', {}).get(self.client_random, sts0)
+            self.tls13_derived_secrets["server_traffic_secrets"] = [sts0]
+
+            es = self.nss_keys.get('EXPORTER_SECRET', {}).get(self.client_random, es)
+            self.tls13_derived_secrets["exporter_secret"] = es
+
         if self.connection_end == "server":
             # self.prcs.tls13_derive_keys(cts0)
             self.pwcs.tls13_derive_keys(sts0)
