Add option to log TLS info so packets can be decoded with wireshark

BishopFox · Sep 14, 2022 · a2673f7 · a2673f7
1 parent 70b0667
commit a2673f7
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 1 deletion.
diff --git a/server/c2/http.go b/server/c2/http.go
@@ -245,9 +245,13 @@ func getHTTPTLSConfig(conf *HTTPServerConfig) *tls.Config {
 		httpLog.Errorf("Failed to parse tls cert/key pair %s", err)
 		return nil
 	}
-	return &tls.Config{
+	tlsConfig := &tls.Config{
 		Certificates: []tls.Certificate{cert},
 	}
+	if certs.TLSKeyLogger != nil {
+		tlsConfig.KeyLogWriter = certs.TLSKeyLogger
+	}
+	return tlsConfig
 }
 
 func (s *SliverHTTPC2) router() *mux.Router {

diff --git a/server/c2/jobs.go b/server/c2/jobs.go
@@ -429,6 +429,9 @@ func listenAndServeTLS(srv *http.Server, certPEMBlock, keyPEMBlock []byte) error
 	if srv.TLSConfig != nil {
 		*config = *srv.TLSConfig
 	}
+	if certs.TLSKeyLogger != nil {
+		config.KeyLogWriter = certs.TLSKeyLogger
+	}
 	if config.NextProtos == nil {
 		config.NextProtos = []string{"http/1.1"}
 	}

diff --git a/server/c2/mtls.go b/server/c2/mtls.go
@@ -220,5 +220,8 @@ func getServerTLSConfig(host string) *tls.Config {
 		Certificates: []tls.Certificate{cert},
 		MinVersion:   tls.VersionTLS13, // Force TLS v1.3
 	}
+	if certs.TLSKeyLogger != nil {
+		tlsConfig.KeyLogWriter = certs.TLSKeyLogger
+	}
 	return tlsConfig
 }
diff --git a/server/certs/tlskeys.go b/server/certs/tlskeys.go
@@ -0,0 +1,50 @@
+package certs
+
+/*
+	Sliver Implant Framework
+	Copyright (C) 2019  Bishop Fox
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"github.com/bishopfox/sliver/server/configs"
+	"github.com/bishopfox/sliver/server/log"
+)
+
+const (
+	keyFileName = "tls.keys"
+)
+
+var (
+	// TLSKeyLogger - File descriptor for logging TLS keys
+	TLSKeyLogger = newKeyLogger()
+)
+
+func newKeyLogger() *os.File {
+	serverConfig := configs.GetServerConfig()
+	if serverConfig.Logs.TLSKeyLogger {
+		keyFilePath := filepath.Join(log.GetLogDir(), keyFileName)
+		keyFile, err := os.OpenFile(keyFilePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
+		if err != nil {
+			certsLog.Errorf(fmt.Sprintf("Failed to open TLS key file %v", err))
+			return nil
+		}
+		return keyFile
+	}
+	return nil
+}
diff --git a/server/configs/server.go b/server/configs/server.go
@@ -53,6 +53,7 @@ type LogConfig struct {
 	Level              int  `json:"level"`
 	GRPCUnaryPayloads  bool `json:"grpc_unary_payloads"`
 	GRPCStreamPayloads bool `json:"grpc_stream_payloads"`
+	TLSKeyLogger       bool `json:"tls_key_logger"`
 }
 
 // DaemonConfig - Configure daemon mode

diff --git a/server/transport/mtls.go b/server/transport/mtls.go
@@ -116,6 +116,10 @@ func getOperatorServerTLSConfig(host string) *tls.Config {
 		PreferServerCipherSuites: true,
 		MinVersion:               tls.VersionTLS13,
 	}
+	if certs.TLSKeyLogger != nil {
+		tlsConfig.KeyLogWriter = certs.TLSKeyLogger
+	}
+
 	tlsConfig.BuildNameToCertificate()
 	return tlsConfig
 }