Merge branch 'master' into 48c8dependabot/go_modules/golang.org/x/cry…

…pto-0.10.0

.github/workflows/autorelease.yml

@@ -7,7 +7,6 @@ on:
 jobs:
   servers-build:
     name: Build Server Binaries
-    if: startsWith( github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     timeout-minutes: 45
     steps:
@@ -38,7 +37,6 @@ jobs:
 
   clients-build:
     name: Build Client Binaries
-    if: startsWith( github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     timeout-minutes: 45
     steps:

.github/workflows/go.yml

@@ -11,7 +11,7 @@ on:
 
 jobs:
   linux-windows-build:
-    name: Linux & Windows Build
+    name: Linux & Windows Test
     runs-on: ubuntu-latest
     timeout-minutes: 90
     steps:
@@ -45,7 +45,7 @@ jobs:
         run: make linux-arm64
 
   macos-build:
-    name: MacOS Build
+    name: MacOS Test
     runs-on: macos-latest
     timeout-minutes: 90
     steps:

server/c2/dns.go

@@ -505,7 +505,7 @@ func (s *SliverDNSServer) handleDNSSessionInit(domain string, msg *dnspb.DNSMess
 
 	var publicKeyDigest [32]byte
 	copy(publicKeyDigest[:], msg.Data[:32])
-	implantConfig, err := db.ImplantConfigByECCPublicKeyDigest(publicKeyDigest)
+	implantConfig, err := db.ImplantConfigByPublicKeyDigest(publicKeyDigest)
 	if err != nil || implantConfig == nil {
 		dnsLog.Errorf("[session init] error implant public key not found")
 		return s.refusedErrorResp(req)

server/c2/http.go

@@ -520,7 +520,7 @@ func (s *SliverHTTPC2) startSessionHandler(resp http.ResponseWriter, req *http.R
 
 	var publicKeyDigest [32]byte
 	copy(publicKeyDigest[:], data[:32])
-	implantConfig, err := db.ImplantConfigByECCPublicKeyDigest(publicKeyDigest)
+	implantConfig, err := db.ImplantConfigByPublicKeyDigest(publicKeyDigest)
 	if err != nil || implantConfig == nil {
 		httpLog.Warn("Unknown public key")
 		s.defaultHandler(resp, req)

server/c2/http_test.go

@@ -60,7 +60,7 @@ func TestStartSessionHandler(t *testing.T) {
 	testURL := client.NonceQueryArgument(baseURL, nonce)
 
 	// Generate key exchange request
-	sKey := cryptography.RandomKey()
+	sKey := cryptography.RandomSymmetricKey()
 	httpSessionInit := &sliverpb.HTTPSessionInit{Key: sKey[:]}
 	data, _ := proto.Marshal(httpSessionInit)
 	encryptedSessionInit, err := implantCrypto.AgeKeyExToServer(data)

server/cryptography/cryptography.go

@@ -74,8 +74,8 @@ func deriveKeyFrom(data []byte) [chacha20poly1305.KeySize]byte {
 	return key
 }
 
-// RandomKey - Generate random ID of randomIDSize bytes
-func RandomKey() [chacha20poly1305.KeySize]byte {
+// RandomSymmetricKey - Generate random ID of randomIDSize bytes
+func RandomSymmetricKey() [chacha20poly1305.KeySize]byte {
 	randBuf := make([]byte, 64)
 	rand.Read(randBuf)
 	return deriveKeyFrom(randBuf)
@@ -89,7 +89,7 @@ func KeyFromBytes(data []byte) ([chacha20poly1305.KeySize]byte, error) {
 		// and it seems like a really bad idea to return a zero key in case
 		// the error is not checked by the caller, so instead we return a
 		// random key, which should break everything if the error is not checked.
-		return RandomKey(), ErrInvalidKeyLength
+		return RandomSymmetricKey(), ErrInvalidKeyLength
 	}
 	copy(key[:], data)
 	return key, nil

server/cryptography/cryptography_test.go

@@ -107,7 +107,7 @@ func TestAgeWrongKeyEncryptDecrypt(t *testing.T) {
 }
 
 func TestAgeKeyEx(t *testing.T) {
-	sessionKey := RandomKey()
+	sessionKey := RandomSymmetricKey()
 	plaintext := sessionKey[:]
 	ciphertext, err := implantCrypto.AgeKeyExToServer(plaintext)
 	if err != nil {
@@ -127,7 +127,7 @@ func TestAgeKeyEx(t *testing.T) {
 }
 
 func TestAgeKeyExTamper(t *testing.T) {
-	sessionKey := RandomKey()
+	sessionKey := RandomSymmetricKey()
 	plaintext := sessionKey[:]
 	allCiphertext, err := implantCrypto.AgeKeyExToServer(plaintext)
 	if err != nil {
@@ -159,7 +159,7 @@ func TestAgeKeyExTamper(t *testing.T) {
 
 // TestEncryptDecrypt - Test AEAD functions
 func TestEncryptDecrypt(t *testing.T) {
-	key := RandomKey()
+	key := RandomSymmetricKey()
 	cipher1, err := Encrypt(key, sample1)
 	if err != nil {
 		t.Fatal(err)
@@ -172,7 +172,7 @@ func TestEncryptDecrypt(t *testing.T) {
 		t.Fatalf("Sample does not match decrypted data")
 	}
 
-	key = RandomKey()
+	key = RandomSymmetricKey()
 	cipher2, err := Encrypt(key, sample2)
 	if err != nil {
 		t.Fatal(err)
@@ -188,7 +188,7 @@ func TestEncryptDecrypt(t *testing.T) {
 
 // TestTamperData - Detect tampered ciphertext
 func TestTamperData(t *testing.T) {
-	key := RandomKey()
+	key := RandomSymmetricKey()
 	cipher1, err := Encrypt(key, sample1)
 	if err != nil {
 		t.Fatal(err)
@@ -205,12 +205,12 @@ func TestTamperData(t *testing.T) {
 
 // TestWrongKey - Attempt to decrypt with wrong key
 func TestWrongKey(t *testing.T) {
-	key := RandomKey()
+	key := RandomSymmetricKey()
 	cipher1, err := Encrypt(key, sample1)
 	if err != nil {
 		t.Fatal(err)
 	}
-	key2 := RandomKey()
+	key2 := RandomSymmetricKey()
 	_, err = Decrypt(key2, cipher1)
 	if err == nil {
 		t.Fatalf("Decrypted with wrong key, should have resulted in Fatal")
@@ -219,7 +219,7 @@ func TestWrongKey(t *testing.T) {
 
 // TestCipherContext - Test CipherContext
 func TestCipherContext(t *testing.T) {
-	testKey := RandomKey()
+	testKey := RandomSymmetricKey()
 	cipherCtx1 := &CipherContext{
 		Key:    testKey,
 		replay: &sync.Map{},
@@ -256,7 +256,7 @@ func TestCipherContext(t *testing.T) {
 
 // TestEncryptDecrypt - Test AEAD functions
 func TestImplantEncryptDecrypt(t *testing.T) {
-	key := RandomKey()
+	key := RandomSymmetricKey()
 	cipher1, err := Encrypt(key, sample1)
 	if err != nil {
 		t.Fatal(err)
@@ -269,7 +269,7 @@ func TestImplantEncryptDecrypt(t *testing.T) {
 		t.Fatalf("Sample does not match decrypted data")
 	}
 
-	key = RandomKey()
+	key = RandomSymmetricKey()
 	cipher2, err := implantCrypto.Encrypt(key, sample2)
 	if err != nil {
 		t.Fatal(err)

server/db/helpers.go

@@ -86,8 +86,8 @@ func ImplantConfigWithC2sByID(id string) (*models.ImplantConfig, error) {
 	return &config, err
 }
 
-// ImplantConfigByECCPublicKey - Fetch implant build by it's ecc public key
-func ImplantConfigByECCPublicKeyDigest(publicKeyDigest [32]byte) (*models.ImplantConfig, error) {
+// ImplantConfigByPublicKeyDigest - Fetch implant build by it's ecc public key
+func ImplantConfigByPublicKeyDigest(publicKeyDigest [32]byte) (*models.ImplantConfig, error) {
 	config := models.ImplantConfig{}
 	err := Session().Where(&models.ImplantConfig{
 		PeerPublicKeyDigest: hex.EncodeToString(publicKeyDigest[:]),

server/handlers/pivot.go

@@ -38,7 +38,6 @@ package handlers
 */
 
 import (
-	"encoding/base64"
 	"fmt"
 
 	"github.com/bishopfox/sliver/protobuf/sliverpb"
@@ -205,20 +204,18 @@ func serverKeyExchange(implantConn *core.ImplantConnection, peerEnvelope *sliver
 	// everything after that is the encrypted session key
 	var publicKeyDigest [32]byte
 	copy(publicKeyDigest[:], serverKeyEx.SessionKey[:32])
-	implantConfig, err := db.ImplantConfigByECCPublicKeyDigest(publicKeyDigest)
+	implantConfig, err := db.ImplantConfigByPublicKeyDigest(publicKeyDigest)
 	if err != nil || implantConfig == nil {
 		pivotLog.Warn("Unknown public key digest")
 		return nil
 	}
-	publicKey, err := base64.RawStdEncoding.DecodeString(implantConfig.PeerPublicKey)
-	if err != nil || len(publicKey) != 32 {
-		pivotLog.Warn("Failed to decode public key")
-		return nil
-	}
-	var senderPublicKey [32]byte
-	copy(senderPublicKey[:], publicKey)
+
 	serverKeyPair := cryptography.AgeServerKeyPair()
-	rawSessionKey, err := cryptography.AgeDecrypt(serverKeyPair.Private, serverKeyEx.SessionKey[32:])
+	rawSessionKey, err := cryptography.AgeKeyExFromImplant(
+		serverKeyPair.Private,
+		implantConfig.PeerPrivateKey,
+		serverKeyEx.SessionKey[32:],
+	)
 	if err != nil {
 		pivotLog.Warn("Failed to decrypt session key from origin")
 		return nil