aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/cli/tls_server.cpp51
-rw-r--r--src/extra_tests/tls-attacker/README.md35
-rw-r--r--src/extra_tests/tls-attacker/fuzzing/config.xml14
-rwxr-xr-xsrc/extra_tests/tls-attacker/fuzzing/server_fuzzer.sh8
-rwxr-xr-xsrc/extra_tests/tls-attacker/fuzzing/setup.sh31
-rwxr-xr-xsrc/extra_tests/tls-attacker/testsuite/server_policytest.sh17
-rwxr-xr-xsrc/extra_tests/tls-attacker/testsuite/server_testsuite.sh17
-rwxr-xr-xsrc/extra_tests/tls-attacker/testsuite/setup.sh21
-rw-r--r--src/lib/tls/tls_cbc/tls_cbc.h2
9 files changed, 175 insertions, 21 deletions
diff --git a/src/cli/tls_server.cpp b/src/cli/tls_server.cpp
index dd1c7f450..b1a5b0ec6 100644
--- a/src/cli/tls_server.cpp
+++ b/src/cli/tls_server.cpp
@@ -138,31 +138,42 @@ class TLS_Server final : public Command
{
while(!server.is_closed())
{
- uint8_t buf[4*1024] = { 0 };
- ssize_t got = ::read(fd, buf, sizeof(buf));
-
- if(got == -1)
+ try
{
- std::cout << "Error in socket read - " << strerror(errno) << std::endl;
- break;
- }
+ uint8_t buf[4*1024] = { 0 };
+ ssize_t got = ::read(fd, buf, sizeof(buf));
- if(got == 0)
- {
- std::cout << "EOF on socket" << std::endl;
- break;
- }
+ if(got == -1)
+ {
+ std::cout << "Error in socket read - " << strerror(errno) << std::endl;
+ break;
+ }
+
+ if(got == 0)
+ {
+ std::cout << "EOF on socket" << std::endl;
+ break;
+ }
- server.received_data(buf, got);
+ server.received_data(buf, got);
- while(server.is_active() && !pending_output.empty())
- {
- std::string output = pending_output.front();
- pending_output.pop_front();
- server.send(output);
+ while(server.is_active() && !pending_output.empty())
+ {
+ std::string output = pending_output.front();
+ pending_output.pop_front();
+ server.send(output);
- if(output == "quit\n")
- server.close();
+ if(output == "quit\n")
+ server.close();
+ }
+ }
+ catch(std::exception& e)
+ {
+ std::cout << "Connection1 problem: " << e.what() << std::endl;
+ if(is_tcp)
+ {
+ ::close(fd);
+ }
}
}
}
diff --git a/src/extra_tests/tls-attacker/README.md b/src/extra_tests/tls-attacker/README.md
new file mode 100644
index 000000000..abff9b2c3
--- /dev/null
+++ b/src/extra_tests/tls-attacker/README.md
@@ -0,0 +1,35 @@
+# TLS-Attacker testsuite and fuzzing
+
+Extended Botan library tests with TLS-Attacker. https://github.com/RUB-NDS/TLS-Attacker
+
+## Testsuite
+Contains a testsuite to validate correct TLS server behavior.
+
+Run
+```bash
+setup.sh
+```
+to download and build the recent TLS-Attacker version, and generate RSA key pairs.
+
+Run
+```bash
+server_testsuite.sh
+server_policytest.sh
+```
+to run the tests. Testsuite executes specific TLS handshakes with the Botan server and verifies that the server correctly handles specific TLS versions and cipher suites. The policy test instantiates the Botan server with a specific policy and verifies that the server behaves according to this policy.
+
+
+## Fuzzing
+Starts the TLS-Attacker fuzzer against the Botan server.
+
+Run
+```bash
+setup.sh
+```
+to download and build the recent TLS-Attacker version, generate RSA key pairs, and re-compile Botan with Address Sanitizer.
+
+Run
+```bash
+server_fuzzer.sh
+```
+to start the fuzzer. The fuzzer config is located in `config.xml`. Per default, one Botan server is started on port 55020, with the generated RSA keys.` \ No newline at end of file
diff --git a/src/extra_tests/tls-attacker/fuzzing/config.xml b/src/extra_tests/tls-attacker/fuzzing/config.xml
new file mode 100644
index 000000000..5ae1c829a
--- /dev/null
+++ b/src/extra_tests/tls-attacker/fuzzing/config.xml
@@ -0,0 +1,14 @@
+<startupCommandsHolder>
+ <serverCommand>../../../../botan </serverCommand>
+ <serverPort>55020</serverPort>
+ <workflowFolder>../TLS-Attacker/resources/fuzzing/workflows</workflowFolder>
+ <modifiedVariableTypes>TLS_CONSTANT,LENGTH,COUNT,PUBLIC_KEY,PADDING,SIGNATURE,PLAIN_PROTOCOL_MESSAGE</modifiedVariableTypes>
+ <outputFolder>output/</outputFolder>
+ <startupCommandsList>
+ <startupCommands>
+ <fuzzerCommand>simple_fuzzer -connect localhost:$PORT</fuzzerCommand>
+ <serverCommandParameters>tls_server ../rsa2048cert.pem ../rsa2048key.pem --port=$PORT </serverCommandParameters>
+ <shortName>botan-rsa</shortName>
+ </startupCommands>
+ </startupCommandsList>
+</startupCommandsHolder> \ No newline at end of file
diff --git a/src/extra_tests/tls-attacker/fuzzing/server_fuzzer.sh b/src/extra_tests/tls-attacker/fuzzing/server_fuzzer.sh
new file mode 100755
index 000000000..9e23aee89
--- /dev/null
+++ b/src/extra_tests/tls-attacker/fuzzing/server_fuzzer.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ -d tls-testsuite ]
+then
+ cd tls-testsuite
+fi
+
+java -jar ../TLS-Attacker/Runnable/target/TLS-Attacker-1.2.jar -loglevel ERROR multi_fuzzer -startup_command_file config.xml \ No newline at end of file
diff --git a/src/extra_tests/tls-attacker/fuzzing/setup.sh b/src/extra_tests/tls-attacker/fuzzing/setup.sh
new file mode 100755
index 000000000..8c83f6eff
--- /dev/null
+++ b/src/extra_tests/tls-attacker/fuzzing/setup.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+if [ ! -d output ]
+then
+ mkdir output
+fi
+
+cd ..
+
+openssl genpkey -algorithm RSA -out rsa2048key.pem -pkeyopt rsa_keygen_bits:2048
+openssl req -key rsa2048key.pem -new -x509 -days 365 -out rsa2048cert.pem -subj "/C=DE/ST=NRW/L=Bochum/O=TLS-Attacker/CN=tls-attacker.de"
+
+if [ ! -d TLS-Attacker ]
+then
+ git clone https://github.com/RUB-NDS/TLS-Attacker.git
+fi
+
+cd TLS-Attacker
+git checkout .
+git pull
+./mvnw clean package -DskipTests=true
+
+cd ../../../../
+make clean
+export ASAN_OPTIONS=check_initialization_order=true
+if [ -n "$CC" ]
+ then ./configure.py --with-sanitizers --disable-shared --with-debug-info --with-bzip2 --with-lzma --with-sqlite --with-zlib --cc="$CC" --cc-bin="$CXX"
+ else ./configure.py --with-sanitizers --disable-shared --with-debug-info --with-bzip2 --with-lzma --with-sqlite --with-zlib
+fi
+
+make -j4 \ No newline at end of file
diff --git a/src/extra_tests/tls-attacker/testsuite/server_policytest.sh b/src/extra_tests/tls-attacker/testsuite/server_policytest.sh
new file mode 100755
index 000000000..5cf78bc66
--- /dev/null
+++ b/src/extra_tests/tls-attacker/testsuite/server_policytest.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+../../../../botan tls_server ../rsa2048cert.pem ../rsa2048key.pem --port=4434 --policy=../../../../tls-policy/BSI_TR-02102-2.txt > output/server_policytest.log 2>&1 &
+botan_pid=$!
+
+java -jar ../TLS-Attacker/Runnable/target/TLS-Attacker-1.2.jar -loglevel INFO testtls_server -policy ../../../../tls-policy/BSI_TR-02102-2.txt -connect localhost:4434 -tls_timeout 1000
+rc=$?
+
+if [ $rc -eq 0 ]; then
+ echo Policy tests finished without failures
+else
+ echo '\n\nPolicy tests failed. See the recent error and the server log output.'
+# cat output/server_policytest.log
+fi
+
+kill $botan_pid
+exit $rc \ No newline at end of file
diff --git a/src/extra_tests/tls-attacker/testsuite/server_testsuite.sh b/src/extra_tests/tls-attacker/testsuite/server_testsuite.sh
new file mode 100755
index 000000000..e26d71e1a
--- /dev/null
+++ b/src/extra_tests/tls-attacker/testsuite/server_testsuite.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+../../../../botan tls_server ../rsa2048cert.pem ../rsa2048key.pem --port=4433 > output/server_testsuite.log 2>&1 &
+botan_pid=$!
+
+java -jar ../TLS-Attacker/Runnable/target/TLS-Attacker-1.2.jar -loglevel INFO testsuite_server -folder ../TLS-Attacker/resources/testsuite -tls_timeout 1000
+rc=$?
+
+if [ $rc -eq 0 ]; then
+ echo Tests finished without failures
+else
+ echo '\n\nTests failed. See the recent error and the server log output.'
+# cat output/server_testsuite.log
+fi
+
+kill $botan_pid
+exit $rc \ No newline at end of file
diff --git a/src/extra_tests/tls-attacker/testsuite/setup.sh b/src/extra_tests/tls-attacker/testsuite/setup.sh
new file mode 100755
index 000000000..f528cd1da
--- /dev/null
+++ b/src/extra_tests/tls-attacker/testsuite/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+if [ ! -d output ]
+then
+ mkdir output
+fi
+
+cd ..
+
+openssl genpkey -algorithm RSA -out rsa2048key.pem -pkeyopt rsa_keygen_bits:2048
+openssl req -key rsa2048key.pem -new -x509 -days 365 -out rsa2048cert.pem -subj "/C=DE/ST=NRW/L=Bochum/O=TLS-Attacker/CN=tls-attacker.de"
+
+if [ ! -d TLS-Attacker ]
+then
+ git clone https://github.com/RUB-NDS/TLS-Attacker.git
+fi
+
+cd TLS-Attacker
+git checkout .
+git pull
+./mvnw clean package -DskipTests=true
diff --git a/src/lib/tls/tls_cbc/tls_cbc.h b/src/lib/tls/tls_cbc/tls_cbc.h
index c448879fb..97c3387e8 100644
--- a/src/lib/tls/tls_cbc/tls_cbc.h
+++ b/src/lib/tls/tls_cbc/tls_cbc.h
@@ -21,7 +21,7 @@ namespace TLS {
* TLS CBC+HMAC AEAD base class (GenericBlockCipher in TLS spec)
* This is the weird TLS-specific mode, not for general consumption.
*/
-class TLS_CBC_HMAC_AEAD_Mode : public AEAD_Mode
+class BOTAN_DLL TLS_CBC_HMAC_AEAD_Mode : public AEAD_Mode
{
public:
size_t process(uint8_t buf[], size_t sz) override final;