
Add new handshake handler and keylog writer #56

Open · wants to merge 1 commit into base: master
Conversation


@stv0g stv0g commented Aug 21, 2022

This change adds support for a new environment variable 'WG_KEYLOGFILE'
in resemblance to the 'SSLKEYLOGFILE' environment variable used by
curl, Chrome & Firefox to log ephemeral TLS encryption keys.

When set, wireguard-go will log ephemeral keys generated during
each handshake to a file specified by the environment variable in the
WireGuard key log format.

The format used is the same as the one generated by the
extract-handshakes.sh script.

See also:
- https://git.zx2c4.com/wireguard-tools/tree/contrib/extract-handshakes
- https://wiki.wireshark.org/WireGuard#key-log-format
- https://everything.curl.dev/usingcurl/tls/sslkeylogfile

Signed-off-by: Steffen Vogel <post@steffenvogel.de>
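The key log writer the description above talks about, written out as an added example: this is not the PR's code nor wireguard-go's own, only an illustration of the format the PR targets. The four key types are the ones documented on the Wireshark wiki page linked above, and the 'WG_KEYLOGFILE' name is the PR's proposal; the struct and function names, the zero-key check, the mutex, and the random demo keys in main are this example's own assumptions. It also includes a parser for the same format so a written log can be checked before it is handed to Wireshark.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"os"
	"strings"
	"sync"
)

// HandshakeKeys is what Wireshark needs to decrypt one handshake.
type HandshakeKeys struct {
	LocalStaticPrivate    [32]byte
	RemoteStaticPublic    [32]byte
	LocalEphemeralPrivate [32]byte
	PresharedKey          *[32]byte // nil when the peer has no PSK configured
}

type KeyLogEntry struct {
	Type string
	Key  [32]byte
}

// FormatHandshake renders one handshake in the format on the linked Wireshark wiki page:
// "KEYTYPE = base64(32-byte key)" per line, "#" for comments. An all-zero ephemeral key is
// refused: it was read before generation or after wireguard-go wiped the handshake state.
func FormatHandshake(h HandshakeKeys) (string, error) {
	if h.LocalEphemeralPrivate == [32]byte{} {
		return "", fmt.Errorf("keylog: ephemeral private key is all zero")
	}
	enc := base64.StdEncoding.EncodeToString
	var b strings.Builder
	fmt.Fprintf(&b, "LOCAL_STATIC_PRIVATE_KEY = %s\n", enc(h.LocalStaticPrivate[:]))
	fmt.Fprintf(&b, "REMOTE_STATIC_PUBLIC_KEY = %s\n", enc(h.RemoteStaticPublic[:]))
	fmt.Fprintf(&b, "LOCAL_EPHEMERAL_PRIVATE_KEY = %s\n", enc(h.LocalEphemeralPrivate[:]))
	if h.PresharedKey != nil {
		fmt.Fprintf(&b, "PRESHARED_KEY = %s\n", enc(h.PresharedKey[:]))
	}
	return b.String(), nil
}

// Handshakes with different peers complete concurrently, so each handshake is
// emitted as a single serialised write and its lines never interleave.
var keyLogMu sync.Mutex

func WriteHandshake(w io.Writer, h HandshakeKeys) error {
	s, err := FormatHandshake(h)
	if err != nil {
		return err
	}
	keyLogMu.Lock()
	defer keyLogMu.Unlock()
	_, err = io.WriteString(w, s)
	return err
}

// ParseKeyLog reads a log back, skipping blank and comment lines and rejecting
// lines without '=' or whose key does not decode to exactly 32 bytes.
func ParseKeyLog(r io.Reader) ([]KeyLogEntry, error) {
	var out []KeyLogEntry
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		typ, val, ok := strings.Cut(line, "=")
		raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(val))
		if !ok || err != nil || len(raw) != 32 {
			return nil, fmt.Errorf("keylog line %d: want \"KEYTYPE = base64(32 bytes)\"", n)
		}
		e := KeyLogEntry{Type: strings.TrimSpace(typ)}
		copy(e.Key[:], raw)
		out = append(out, e)
	}
	return out, sc.Err()
}

func main() {
	path := os.Getenv("WG_KEYLOGFILE") // variable name proposed by the PR
	if path == "" {
		return // SSLKEYLOGFILE convention: variable unset, logging stays off
	}
	// The file holds private keys: create it 0600 and only ever append to it.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o600)
	if err != nil {
		panic(err)
	}
	defer f.Close()
	var h HandshakeKeys // constructed demo: random bytes stand in for X25519 keys
	for _, k := range [][]byte{h.LocalStaticPrivate[:], h.RemoteStaticPublic[:], h.LocalEphemeralPrivate[:]} {
		_, _ = rand.Read(k)
	}
	if err := WriteHandshake(f, h); err != nil {
		panic(err)
	}
}
```

Run it as `WG_KEYLOGFILE=/tmp/wg.keys go run .` and hand the file to Wireshark's WireGuard dissector as its key log. The property that makes this convenient inside a Gont namespace is also the one worth weighing before shipping it in a binary: whoever can set a single environment variable for the process gets every session's private keys written to disk, so the variable should be honoured only in builds or callers that opt in, and the file mode and append-only open above are the minimum hygiene, not a substitute for that decision.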
@stv0g (Author) commented Oct 31, 2022

Any chance to get this reviewed? I've also posted it on the mailing list.
But nobody seems to care?

@zx2c4 (Member) commented Oct 31, 2022

I'm slightly worried about baking this in directly... For the kernel, it's just extracted from memory using a kprobe. Wonder if a similar kludge would work here?

Wondering what you want this for, by the way.

@stv0g (Author) commented Oct 31, 2022

Hi @zx2c4,

I am using it for debugging my WireGuard-based P2P VPN agent cunīcu.
cunīcu uses ICE, STUN and TURN servers to build a mesh of WireGuard peer-to-peer links.

To debug all of this, I wrote Gont, a network testing toolkit written in Go.
Gont uses Linux network namespaces to build virtual network topologies including firewalls, NATs, network impairments and more.

Gont also includes a feature to automatically record PCAP files of all network links between the namespaces.
Wireshark can load these PCAP dumps and decrypt WireGuard as well as SSL traffic as long as we dump the ephemeral keys as well.

This is why I need this feature: I would like to dump wireguard-go's ephemeral keys to a PCAP file for subsequent analysis in Wireshark for debugging purposes.

@stv0g (Author) commented Feb 2, 2023

@zx2c4 How would you feel if I removed the setup of the key log writer from main.go? That way this feature would not ship with the wireguard-go binaries but would need to be enabled explicitly by a user of the wireguard-go module.
