thesis: evaluation of libraries and servers

evaluation-libraries/.gitignore

@@ -0,0 +1,4 @@
+*.vscode
+build/
+java/client/bin/Client.class
+java/server/bin/Server.class

evaluation-libraries/README.md

@@ -0,0 +1,42 @@
+# evaluation-libraries
+TLS-library examples with strict SNI and strict ALPN implemented to prevent the cross-protocol attacks demonstrated in the [ALPACA-Attack](https://alpaca-attack.com/index.html).
+
+DISCLAIMER: The implementations only focused on the ALPN&SNI TLS-Extensions, i can't guarantee that they are otherwise securely implemented.
+
+## Containers
+Each library example starts the following containers
+- ``server`` with SNI=tls-server.com , ALPN=http/1.1 written in the library
+- ``server-openssl-wrong-cn`` with SNI=tls-server.com , ALPN=http/1.1 and a certificate that has a wrong common name
+- ``server-openssl-malicious-alpn`` with SNI=tls-server.com and always sends back ALPN=invalid
+- ``client`` runs a bash script that does the following tests
+
+## Tests
+1. send correct SNI and ALPN to ``server`` and send application data
+2. send wrong SNI to ``server`` (tests SNI on server)
+3. send wrong ALPN to ``server`` (tests ALPN on server)
+4. send correct SNI and ALPN to ``server-openssl-wrong-cn`` (tests strict SNI on client)
+5. send correct SNI and ALPN to ``server-openssl-malicious-alpn`` (tests strict ALPN on client)
+
+The first test needs to succeed and every other tests needs to return a non-null value.
+
+## How to run
+Requires docker, docker-compose and easy-rsa
+
+This builds all containers, runs all test and puts the results in a file called ``results``
+```
+./run-everything.sh
+```
+
+----------------
+### Running single libraries
+First build the baseimage and the openssl image. (The openssl image is required for tests 4 and 5)
+```
+cd baseimage && ./build.sh && cd ..
+cd openssl && ./build.sh && cd ..
+```
+
+Then go into any of the library folders and start the tests
+```
+./run.sh
+```
+

evaluation-libraries/baseimage/Dockerfile

@@ -0,0 +1,28 @@
+ARG VERSION=3.15
+FROM alpine:${VERSION}
+RUN apk add \
+    git \
+    linux-headers \
+    cmake \
+    make \
+    wget \
+    bash \
+    autoconf \
+    automake \
+    coreutils \
+    patch \
+    gettext-dev \
+    gperf \
+    pkgconf \
+    libtool \
+    g++ \
+    gcc \
+    perl \
+    python3 \
+    go
+COPY ./certs/ca.crt /etc/ssl/certs/
+COPY ./certs /etc/ssl/cert-data
+COPY client.sh /client.sh
+RUN mkdir /src
+RUN mkdir /build
+WORKDIR /src/

evaluation-libraries/baseimage/Dockerfile-archlinux

@@ -0,0 +1,17 @@
+FROM archlinux:base-devel
+RUN pacman-key --init
+RUN pacman-key --populate archlinux
+RUN pacman -Syu --noconfirm
+RUN pacman -S git --noconfirm
+
+#create build user that has root access because archlinux doesn't allow makepkg to be run as root
+RUN useradd --no-create-home --shell=/bin/false build && usermod -L build
+RUN echo "build ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+RUN echo "root ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+
+COPY ./certs/ca.crt /etc/ssl/certs/
+COPY ./certs /etc/ssl/cert-data
+COPY client.sh /client.sh
+RUN mkdir /src
+WORKDIR /src/
+RUN chown build /src

evaluation-libraries/baseimage/Dockerfile-debian

@@ -0,0 +1,26 @@
+ARG VERSION=bullseye
+FROM debian:${VERSION}
+RUN apt-get update && apt-get install -y \
+    git \
+    cmake \
+    make \
+    wget \
+    bash \
+    autoconf \
+    automake \
+    coreutils \
+    patch \
+    gperf \
+    pkgconf \
+    libtool \
+    g++ \
+    gcc \
+    perl \
+    python3 \
+    golang
+COPY ./certs/ca.crt /etc/ssl/certs/
+COPY ./certs /etc/ssl/cert-data
+COPY client.sh /client.sh
+RUN mkdir /src
+RUN mkdir /build
+WORKDIR /src/

evaluation-libraries/baseimage/build.sh

@@ -0,0 +1,6 @@
+(cd certs 
+    ./generate-ca.sh);
+
+docker build -t tls-baseimage .
+docker build -t tls-baseimagedebian -f Dockerfile-debian .
+docker build -t tls-baseimage-archlinux -f Dockerfile-archlinux .

evaluation-libraries/baseimage/certs/generate-ca.sh

@@ -0,0 +1,71 @@
+DIR="`pwd`/`dirname "$0"`/"
+
+echo $DIR
+
+if [ "$OS" = "Darwin" ]; then
+   brew install easy-rsa
+else
+   apt-get install -y easy-rsa
+fi
+
+path="/usr/share/easy-rsa/"
+if [ "$OS" = "Darwin" ]; then
+   path=""
+   DIR_MAC="/usr/local/etc/"
+fi
+echo -e "${GREEN}[CERT] Creating PKI${NC}"
+${path}easyrsa init-pki --pki-dir = "$DIR/pki"
+cat << EOF > "$DIR/pki/vars"
+set_var EASYRSA_DN     "cn_only"
+set_var EASYRSA_DIGEST "sha512"
+set_var EASYRSA_BATCH    "1"
+set_var EASYRSA_REQ_CN "alpaca.poc"
+EOF
+dd if=/dev/urandom of="$DIR/pki/.rnd" bs=256 count=1 2> /dev/null
+echo -e "${GREEN}[CERT] Build CA${NC}"
+${path}easyrsa build-ca nopass
+
+echo -e "${GREEN}[CERT] Generating Certificates${NC}"
+${path}easyrsa --req-cn="tls-server.com" gen-req tls-server.com nopass
+${path}easyrsa sign-req server tls-server.com
+
+${path}easyrsa --req-cn="wrong-cn.com" gen-req wrong-cn.com nopass
+${path}easyrsa sign-req server wrong-cn.com
+
+#copy certs
+cp "$DIR/pki/issued/tls-server.com.crt" "$DIR"
+cp "$DIR/pki/private/tls-server.com.key" "$DIR"
+cp "$DIR/pki/issued/wrong-cn.com.crt" "$DIR"
+cp "$DIR/pki/private/wrong-cn.com.key" "$DIR"
+cp "$DIR/pki/ca.crt" "$DIR"
+
+#generate chains
+cat  "$DIR/tls-server.com.crt" >>  "$DIR/tls-server.com-chain.crt"
+cat  "$DIR/ca.crt" >>  "$DIR/tls-server.com-chain.crt"
+
+#generate chains
+cat  "$DIR/wrong-cn.com.crt" >>  "$DIR/wrong-cn.com-chain.crt"
+cat  "$DIR/ca.crt" >>  "$DIR/wrong-cn.com-chain.crt"
+
+#generate p12
+openssl pkcs12 -export -in "$DIR/tls-server.com.crt" -inkey "$DIR/tls-server.com.key" -out "$DIR/tls-server.com.p12" -password pass:123456
+openssl pkcs12 -export -in "$DIR/wrong-cn.com.crt" -inkey "$DIR/wrong-cn.com.key" -out "$DIR/wrong-cn.com.p12" -password pass:123456
+
+openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in tls-server.com.key -out tls-server.com.pkcs8.key
+openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in wrong-cn.com.key -out wrong-cn.com.pkcs8.key
+
+#if [ "$OS" = "Darwin" ]; then
+#   DIR_MAC="/usr/local/etc"
+#else
+#   DIR_MAC=${DIR}
+#fi
+#
+#mkdir -p "$DIR/servers/files/cert/" 2> /dev/null
+#cp "$DIR_MAC/pki/issued/attacker.com.crt" "$DIR/servers/files/cert/"
+#cp "$DIR_MAC/pki/private/attacker.com.key" "$DIR/servers/files/cert/"
+#
+#${path}easyrsa --req-cn="target.com" gen-req target.com nopass
+#${path}easyrsa sign-req server target.com
+#
+#cp "$DIR_MAC/pki/issued/target.com.crt" "$DIR/servers/files/cert/"
+#cp "$DIR_MAC/pki/private/target.com.key" "$DIR/servers/files/cert/"

evaluation-libraries/baseimage/client.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+#$1 command to run
+#$2 server1 to connect
+#$3 server2 to connect
+#$4 openssl-malicious-alpn server
+#$5 wait seconds before starting
+
+results=()
+
+sleep $5
+
+echo "------------  Test 1: SNI=tls-server.com   ALPN=http/1.1 ------------------"
+$1 -h $2 -s tls-server.com -a http/1.1
+results+=($?)
+
+echo "------------  Test 2: SNI=example.com ALPN=http/1.1 ------------------"
+/openssl-client -h $2 -s example.com -a http/1.1
+results+=($?)
+
+echo "------------  Test 3: SNI=tls-server.com   ALPN=invalid  ------------------"
+/openssl-client -h $2 -s tls-server.com -a invalid
+results+=($?)
+
+echo "------------  Test 4: wrong certificate by server   ------------------"
+$1 -h $3 -s tls-server.com -a http/1.1
+results+=($?)
+
+echo "------------  Test 5: server sends wrong alpn       ------------------"
+$1 -h $4 -s tls-server.com -a http/1.1
+results+=($?)
+
+RED='\033[0;31m '
+GREEN='\033[0;32m '
+NC='\033[0m' # No Color
+
+echo "" > results
+
+for i in "${!results[@]}"; do 
+  test=$((i+1))
+  if [ $i = "0" ]; then #first test needs to return 0
+    if [ ${results[$i]} = "0" ];
+    then 
+      echo -e "${GREEN}Test$test success! exitcode:${results[$i]}" >> results;
+    else 
+      echo -e "${RED}Test$test FAILED! exitcode:${results[$i]}" >> results;
+    fi
+  else #every other test needs to return non-zero value
+    if [ ${results[$i]} = "0" ]; 
+    then 
+      echo -e "${RED}Test$test FAILED! exitcode:${results[$i]}" >> results;
+    else 
+      echo -e "${GREEN}Test$test success! exitcode:${results[$i]}" >> results;
+    fi
+  fi
+done
+
+cat results

evaluation-libraries/bearssl/CMakeLists.txt

@@ -0,0 +1,7 @@
+cmake_minimum_required(VERSION 3.0.0)
+project(alpaca-bearssl VERSION 0.1.0)
+
+
+
+add_subdirectory(client)
+add_subdirectory(server)

evaluation-libraries/bearssl/Dockerfile

@@ -0,0 +1,37 @@
+# syntax=docker/dockerfile:1
+FROM tls-openssl as tls-bearssl
+ARG VERSION=0.6
+
+RUN apk add sed
+
+WORKDIR /build
+RUN git clone --depth=1 --branch=v${VERSION} https://www.bearssl.org/git/BearSSL
+WORKDIR /build/BearSSL
+RUN make
+
+
+
+
+WORKDIR /build
+ADD server /build/server
+ADD client /build/client
+ADD CMakeLists.txt /build/CMakeLists.txt
+
+# generate c code from private keys and certs
+RUN ls /build/server/
+RUN /build/BearSSL/build/brssl chain /etc/ssl/cert-data/tls-server.com-chain.crt | tail -n +2 >> /build/server/server.h
+RUN /build/BearSSL/build/brssl skey -C /etc/ssl/cert-data/tls-server.com.key | tail -n +2 >> /build/server/server.h
+
+# wrong-cn.com key&cert need different variable names
+RUN /build/BearSSL/build/brssl chain /etc/ssl/cert-data/wrong-cn.com-chain.crt | tail -n +2 | sed "s/\(\(CERT[01]\)\|\(CHAIN\(_LEN\)\?\)\|\(RSA\(_[DIPQ]\*\)\?\)\)/WRONG_\1/g" >> /build/server/server.h
+RUN /build/BearSSL/build/brssl skey -C /etc/ssl/cert-data/wrong-cn.com.key | tail -n +2 | sed "s/\(\(CERT[01]\)\|\(CHAIN\(_LEN\)\?\)\|\(RSA\(_[DIPQ]\*\)\?\)\)/WRONG_\1/g"  >> /build/server/server.h
+
+
+RUN cmake . .. && make
+RUN mv /build/server/server /
+RUN mv /build/client/client /
+COPY --from=tls-openssl /openssl-client /openssl-client
+
+
+WORKDIR /
+CMD ["/server"]

evaluation-libraries/bearssl/LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2016 Thomas Pornin <[email protected]>
+
+Permission is hereby granted, free of charge, to any person obtaining 
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be 
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

evaluation-libraries/bearssl/README.md

@@ -0,0 +1,13 @@
+# bearssl example with strict sni and strict alpn
+
+Tested with bearSSL 0.6
+
+needs tls-baseimage already in docker
+
+Based on BearSSL/tools/server.c and client.c
+
+```bash
+./run.sh
+```
+
+

evaluation-libraries/bearssl/build.sh

@@ -0,0 +1 @@
+docker build --build-arg VERSION=0.6 . -t tls-bearssl -f Dockerfile

evaluation-libraries/bearssl/client/CMakeLists.txt

@@ -0,0 +1,12 @@
+cmake_minimum_required(VERSION 3.0.0)
+project(client VERSION 0.1.0)
+
+#include_directories(${CMAKE_SOURCE_DIR}/BearSSL/inc)
+add_library(brssl STATIC IMPORTED)
+set_target_properties(brssl PROPERTIES
+    IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/BearSSL/build/libbearssl.a"
+    INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/BearSSL/inc"
+  )
+add_executable(client client.c)
+target_link_libraries(client brssl)
+target_compile_options(client PRIVATE -Wall -Wextra)