From 0b753366383ef2dac479581d9fb12c4d6802a992 Mon Sep 17 00:00:00 2001
From: ruokeqx <ruokeqx@gmail.com>
Date: Thu, 19 Jun 2025 20:13:43 +0800
Subject: [PATCH] feat(pcapng): add  support for Decryption Secrets Block
 (#411)

feat(pcapng): add support for Decryption Secrets Block
---
 patterns/pcapng.hexpat | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/patterns/pcapng.hexpat b/patterns/pcapng.hexpat
index 8664d40..5506bd9 100644
--- a/patterns/pcapng.hexpat
+++ b/patterns/pcapng.hexpat
@@ -393,8 +393,12 @@ enum CompressionType: u8 {
     Gzip = 0x2
 };
 
-enum EncryptionType : u8 {
-    // Experimental
+enum EncryptionType : u32 {
+	TLS            = 0x544c534b, /* TLS Key Log */
+	SSH            = 0x5353484b, /* SSH Key Log */
+	WIREGUARD      = 0x57474b4c, /* WireGuard Key Log */
+	ZIGBEE_NWK_KEY = 0x5a4e574b, /* Zigbee NWK Key */
+	ZIGBEE_APS_KEY = 0x5a415053 /* Zigbee APS Key */
 };
 
 enum FixedLengthType : u8 {
@@ -410,12 +414,16 @@ struct CompressionBlock{
     u32 block_len2[[name("BlockLen2")]];  
 };
 
-// Experimental
 struct EncryptionBlock{
     BlockType block_type[[name("BlockType")]]; 
     u32 block_len1[[name("BlockLen1")]];  
     EncryptionType comp_type [[name("Encryption")]];
-    char data[block_len1];
+    u32 secrets_len[[name("SecretsLength")]];  
+    char data[secrets_len];
+    padding[-$ & 3];
+    // https://ietf-opsawg-wg.github.io/draft-ietf-opsawg-pcap/draft-ietf-opsawg-pcapng.html#section-4.7-6.6.1
+    // No DSB-specific options are currently defined
+    // Option options;
     u32 block_len2[[name("BlockLen2")]];  
 };
 
@@ -505,6 +513,12 @@ struct PCAPng{
         } else {
             be CustomBlock CBN;
         }
+    } else if (block_type == BlockType::Decryption) {
+        if (order == PcapOrder::Little) {
+            le EncryptionBlock DSB;
+        } else {
+            be EncryptionBlock DSB;
+        }
     } else {
         std::print("Unknown BlockType at offset {:#x}\n", $);
         break;