authorJack Lloyd <[email protected]>2017-12-18 06:11:06 -0500
committerJack Lloyd <[email protected]>2017-12-18 06:11:20 -0500
commit8a30a2d229a51b5ae0f23b71591d9ed8f08c3126 (patch)
treee8f7e606403252cac9177dfa23b117a731361f36
parentd358e9e12190c08c946c0f87dbedc55229ce11a6 (diff)
parent4a6879ab001428866d59c96874fa865a84661360 (diff)
Merge GH #1360 Add timeouts to HTTP socket operations
Fixes #1326
-rw-r--r--src/cli/utils.cpp8
-rw-r--r--src/cli/x509.cpp5
-rw-r--r--src/lib/utils/http_util/http_util.cpp35
-rw-r--r--src/lib/utils/http_util/http_util.h30
-rw-r--r--src/lib/utils/http_util/info.txt12
-rw-r--r--src/lib/utils/http_util/socket.cpp283
-rw-r--r--src/lib/utils/socket/info.txt13
-rw-r--r--src/lib/utils/socket/socket.cpp367
-rw-r--r--src/lib/utils/socket/socket.h (renamed from src/lib/utils/http_util/socket.h)6
-rw-r--r--src/lib/x509/ocsp.cpp13
-rw-r--r--src/lib/x509/ocsp.h17
-rw-r--r--src/lib/x509/x509path.cpp29
-rw-r--r--src/lib/x509/x509path.h4
-rwxr-xr-xsrc/scripts/ci_build.py2
14 files changed, 473 insertions, 351 deletions
diff --git a/src/cli/utils.cpp b/src/cli/utils.cpp
index 094665a00..161cc24bf 100644
--- a/src/cli/utils.cpp
+++ b/src/cli/utils.cpp
@@ -218,11 +218,15 @@ BOTAN_REGISTER_COMMAND("rng", RNG);
class HTTP_Get final : public Command
{
public:
- HTTP_Get() : Command("http_get url") {}
+ HTTP_Get() : Command("http_get --redirects=1 --timeout=3000 url") {}
void go() override
{
- output() << Botan::HTTP::GET_sync(get_arg("url")) << "\n";
+ const std::string url = get_arg("url");
+ const std::chrono::milliseconds timeout(get_arg_sz("timeout"));
+ const size_t redirects = get_arg_sz("redirects");
+
+ output() << Botan::HTTP::GET_sync(url, redirects, timeout) << "\n";
}
};
diff --git a/src/cli/x509.cpp b/src/cli/x509.cpp
index eb09eb41d..10e7a1c7f 100644
--- a/src/cli/x509.cpp
+++ b/src/cli/x509.cpp
@@ -117,16 +117,17 @@ BOTAN_REGISTER_COMMAND("cert_info", Cert_Info);
class OCSP_Check final : public Command
{
public:
- OCSP_Check() : Command("ocsp_check subject issuer") {}
+ OCSP_Check() : Command("ocsp_check --timeout=3000 subject issuer") {}
void go() override
{
Botan::X509_Certificate subject(get_arg("subject"));
Botan::X509_Certificate issuer(get_arg("issuer"));
+ std::chrono::milliseconds timeout(get_arg_sz("timeout"));
Botan::Certificate_Store_In_Memory cas;
cas.add_certificate(issuer);
- Botan::OCSP::Response resp = Botan::OCSP::online_check(issuer, subject, &cas);
+ Botan::OCSP::Response resp = Botan::OCSP::online_check(issuer, subject, &cas, timeout);
auto status = resp.status_for(issuer, subject, std::chrono::system_clock::now());
diff --git a/src/lib/utils/http_util/http_util.cpp b/src/lib/utils/http_util/http_util.cpp
index 8dcd8d55a..f5f9c0213 100644
--- a/src/lib/utils/http_util/http_util.cpp
+++ b/src/lib/utils/http_util/http_util.cpp
@@ -25,13 +25,16 @@ namespace {
* closes the socket.
*/
std::string http_transact(const std::string& hostname,
- const std::string& message)
+ const std::string& message,
+ std::chrono::milliseconds timeout)
{
std::unique_ptr<OS::Socket> socket;
+ const std::chrono::system_clock::time_point start_time = std::chrono::system_clock::now();
+
try
{
- socket = OS::open_socket(hostname, "http");
+ socket = OS::open_socket(hostname, "http", timeout);
if(!socket)
throw Exception("No socket support enabled in build");
}
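Review bot: `start_time` is read from `std::chrono::system_clock`, which can jump when the wall clock is adjusted, so the elapsed-time checks added after the write and inside the read loop (the next two hunks) can fire early or not at all. A monotonic clock is the right tool for measuring an interval: `const auto start_time = std::chrono::steady_clock::now();`, with both comparisons changed to `std::chrono::steady_clock::now() - start_time > timeout`. The read-loop check only runs after `socket->read` returns, so the overall bound still depends on the socket's own per-operation timeout. The body of http_transact continues outside this hunk.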
@@ -44,6 +47,9 @@ std::string http_transact(const std::string& hostname,
socket->write(cast_char_ptr_to_uint8(message.data()),
message.size());
+ if(std::chrono::system_clock::now() - start_time > timeout)
+ throw HTTP_Error("Timeout during writing message body");
+
std::ostringstream oss;
std::vector<uint8_t> buf(BOTAN_DEFAULT_BUFFER_SIZE);
while(true)
@@ -52,6 +58,9 @@ std::string http_transact(const std::string& hostname,
if(got == 0) // EOF
break;
+ if(std::chrono::system_clock::now() - start_time > timeout)
+ throw HTTP_Error("Timeout while reading message body");
+
oss.write(cast_uint8_ptr_to_char(buf.data()),
static_cast<std::streamsize>(got));
}
@@ -205,10 +214,17 @@ Response http_sync(const std::string& verb,
const std::string& url,
const std::string& content_type,
const std::vector<uint8_t>& body,
- size_t allowable_redirects)
+ size_t allowable_redirects,
+ std::chrono::milliseconds timeout)
{
+ auto transact_with_timeout =
+ [timeout](const std::string& hostname, const std::string& service)
+ {
+ return http_transact(hostname, service, timeout);
+ };
+
return http_sync(
- http_transact,
+ transact_with_timeout,
verb,
url,
content_type,
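Review bot: The second parameter of the `transact_with_timeout` lambda is named `service`, but it is forwarded as the `message` argument of http_transact, i.e. the request text rather than a port or service name. Renaming it keeps the adapter readable: `[timeout](const std::string& hostname, const std::string& message)`. The call to the other http_sync overload runs past the end of this hunk.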
@@ -216,17 +232,20 @@ Response http_sync(const std::string& verb,
allowable_redirects);
}
-Response GET_sync(const std::string& url, size_t allowable_redirects)
+Response GET_sync(const std::string& url,
+ size_t allowable_redirects,
+ std::chrono::milliseconds timeout)
{
- return http_sync("GET", url, "", std::vector<uint8_t>(), allowable_redirects);
+ return http_sync("GET", url, "", std::vector<uint8_t>(), allowable_redirects, timeout);
}
Response POST_sync(const std::string& url,
const std::string& content_type,
const std::vector<uint8_t>& body,
- size_t allowable_redirects)
+ size_t allowable_redirects,
+ std::chrono::milliseconds timeout)
{
- return http_sync("POST", url, content_type, body, allowable_redirects);
+ return http_sync("POST", url, content_type, body, allowable_redirects, timeout);
}
}
diff --git a/src/lib/utils/http_util/http_util.h b/src/lib/utils/http_util/http_util.h
index ea6122c07..9edd3d983 100644
--- a/src/lib/utils/http_util/http_util.h
+++ b/src/lib/utils/http_util/http_util.h
@@ -14,6 +14,7 @@
#include <map>
#include <string>
#include <functional>
+#include <chrono>
namespace Botan {
@@ -69,25 +70,28 @@ BOTAN_PUBLIC_API(2,0) std::ostream& operator<<(std::ostream& o, const Response&
typedef std::function<std::string (const std::string&, const std::string&)> http_exch_fn;
BOTAN_PUBLIC_API(2,0) Response http_sync(http_exch_fn fn,
- const std::string& verb,
- const std::string& url,
- const std::string& content_type,
- const std::vector<uint8_t>& body,
- size_t allowable_redirects);
+ const std::string& verb,
+ const std::string& url,
+ const std::string& content_type,
+ const std::vector<uint8_t>& body,
+ size_t allowable_redirects);
BOTAN_PUBLIC_API(2,0) Response http_sync(const std::string& verb,
- const std::string& url,
- const std::string& content_type,
- const std::vector<uint8_t>& body,
- size_t allowable_redirects);
+ const std::string& url,
+ const std::string& content_type,
+ const std::vector<uint8_t>& body,
+ size_t allowable_redirects,
+ std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
BOTAN_PUBLIC_API(2,0) Response GET_sync(const std::string& url,
- size_t allowable_redirects = 1);
+ size_t allowable_redirects = 1,
+ std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
BOTAN_PUBLIC_API(2,0) Response POST_sync(const std::string& url,
- const std::string& content_type,
- const std::vector<uint8_t>& body,
- size_t allowable_redirects = 1);
+ const std::string& content_type,
+ const std::vector<uint8_t>& body,
+ size_t allowable_redirects = 1,
+ std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
BOTAN_PUBLIC_API(2,0) std::string url_encode(const std::string& url);
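Review bot: The new `timeout` parameter on `http_sync`, `GET_sync` and `POST_sync` has no documentation, and the default `std::chrono::milliseconds(3000)` is written out three times. A single named constant plus a short comment would help, for example `/// @param timeout applied to each socket operation and checked against total elapsed time`. The `http_sync` overload that takes an `http_exch_fn` gets no timeout, so a comment there should say that callers supplying their own exchange function must enforce their own limit.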
diff --git a/src/lib/utils/http_util/info.txt b/src/lib/utils/http_util/info.txt
index a6cbd902f..a3ebc249e 100644
--- a/src/lib/utils/http_util/info.txt
+++ b/src/lib/utils/http_util/info.txt
@@ -6,12 +6,6 @@ HTTP_UTIL -> 20171003
http_util.h
</header:public>
-<header:internal>
-socket.h
-</header:internal>
-
-<libs>
-linux -> rt
-mingw -> ws2_32
-windows -> ws2_32.lib
-</libs>
+<requires>
+socket
+</requires>
diff --git a/src/lib/utils/http_util/socket.cpp b/src/lib/utils/http_util/socket.cpp
deleted file mode 100644
index a2b9d5567..000000000
--- a/src/lib/utils/http_util/socket.cpp
+++ /dev/null
@@ -1,283 +0,0 @@
-/*
-* OS and machine specific utility functions
-* (C) 2015,2016,2017 Jack Lloyd
-* (C) 2016 Daniel Neus
-*
-* Botan is released under the Simplified BSD License (see license.txt)
-*/
-
-#include <botan/internal/socket.h>
-#include <botan/exceptn.h>
-#include <botan/mem_ops.h>
-#include <chrono>
-
-#if defined(BOTAN_HAS_BOOST_ASIO)
- /*
- * We don't need serial port support anyway, and asking for it
- * causes macro conflicts with Darwin's termios.h when this
- * file is included in the amalgamation. GH #350
- */
- #define BOOST_ASIO_DISABLE_SERIAL_PORT
- #include <boost/asio.hpp>
-
-#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX)
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <netdb.h>
- #include <string.h>
- #include <unistd.h>
- #include <errno.h>
-
-#elif defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS)
- #define NOMINMAX 1
- #include <winsock2.h>
- #include <ws2tcpip.h>
- #include <windows.h>
-#endif
-
-namespace Botan {
-
-namespace {
-
-#if defined(BOTAN_HAS_BOOST_ASIO)
-
-class Asio_Socket final : public OS::Socket
- {
- public:
- Asio_Socket(const std::string& hostname, const std::string& service) :
- m_tcp(m_io)
- {
- boost::asio::ip::tcp::resolver resolver(m_io);
- boost::asio::ip::tcp::resolver::query query(hostname, service);
- boost::asio::connect(m_tcp, resolver.resolve(query));
- }
-
- void write(const uint8_t buf[], size_t len) override
- {
- boost::asio::write(m_tcp, boost::asio::buffer(buf, len));
- }
-
- size_t read(uint8_t buf[], size_t len) override
- {
- boost::system::error_code error;
- size_t got = m_tcp.read_some(boost::asio::buffer(buf, len), error);
-
- if(error)
- {
- if(error == boost::asio::error::eof)
- return 0;
- throw boost::system::system_error(error); // Some other error.
- }
-
- return got;
- }
-
- private:
- boost::asio::io_service m_io;
- boost::asio::ip::tcp::socket m_tcp;
- };
-
-#elif defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS)
-
-class Winsock_Socket final : public OS::Socket
- {
- public:
- Winsock_Socket(const std::string& hostname, const std::string& service)
- {
- WSAData wsa_data;
- WORD wsa_version = MAKEWORD(2, 2);
-
- if (::WSAStartup(wsa_version, &wsa_data) != 0)
- {
- throw Exception("WSAStartup() failed: " + std::to_string(WSAGetLastError()));
- }
-
- if (LOBYTE(wsa_data.wVersion) != 2 || HIBYTE(wsa_data.wVersion) != 2)
- {
- ::WSACleanup();
- throw Exception("Could not find a usable version of Winsock.dll");
- }
-
- addrinfo hints;
- ::memset(&hints, 0, sizeof(addrinfo));
- hints.ai_family = AF_UNSPEC;
- hints.ai_socktype = SOCK_STREAM;
- addrinfo* res;
-
- if(::getaddrinfo(hostname.c_str(), service.c_str(), &hints, &res) != 0)
- {
- throw Exception("Name resolution failed for " + hostname);
- }
-
- for(addrinfo* rp = res; (m_socket == INVALID_SOCKET) && (rp != nullptr); rp = rp->ai_next)
- {
- m_socket = ::socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
-
- // unsupported socket type?
- if(m_socket == INVALID_SOCKET)
- continue;
-
- if(::connect(m_socket, rp->ai_addr, rp->ai_addrlen) != 0)
- {
- ::closesocket(m_socket);
- m_socket = INVALID_SOCKET;
- continue;
- }
- }
-
- ::freeaddrinfo(res);
-
- if(m_socket == INVALID_SOCKET)
- {
- throw Exception("Connecting to " + hostname +
- " for service " + service + " failed");
- }
- }
-
- ~Winsock_Socket()
- {
- ::closesocket(m_socket);
- m_socket = INVALID_SOCKET;
- ::WSACleanup();
- }
-
- void write(const uint8_t buf[], size_t len) override
- {
- size_t sent_so_far = 0;
- while(sent_so_far != len)
- {
- const size_t left = len - sent_so_far;
- int sent = ::send(m_socket,
- cast_uint8_ptr_to_char(buf + sent_so_far),
- static_cast<int>(left),
- 0);
-
- if(sent == SOCKET_ERROR)
- throw Exception("Socket write failed with error " +
- std::to_string(::WSAGetLastError()));
- else
- sent_so_far += static_cast<size_t>(sent);
- }
- }
-
- size_t read(uint8_t buf[], size_t len) override
- {
- int got = ::recv(m_socket,
- cast_uint8_ptr_to_char(buf),
- static_cast<int>(len), 0);
-
- if(got == SOCKET_ERROR)
- throw Exception("Socket read failed with error " +
- std::to_string(::WSAGetLastError()));
- return static_cast<size_t>(got);
- }
-
- private:
- SOCKET m_socket = INVALID_SOCKET;
- };
-
-#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX)
-class BSD_Socket final : public OS::Socket
- {
- public:
- BSD_Socket(const std::string& hostname, const std::string& service)
- {
- addrinfo hints;
- ::memset(&hints, 0, sizeof(addrinfo));
- hints.ai_family = AF_UNSPEC;
- hints.ai_socktype = SOCK_STREAM;
- addrinfo* res;
-
- if(::getaddrinfo(hostname.c_str(), service.c_str(), &hints, &res) != 0)
- {
- throw Exception("Name resolution failed for " + hostname);
- }
-
- m_fd = -1;
-
- for(addrinfo* rp = res; (m_fd < 0) && (rp != nullptr); rp = rp->ai_next)
- {
- m_fd = ::socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
-
- if(m_fd < 0)
- {
- // unsupported socket type?
- continue;
- }
-
- if(::connect(m_fd, rp->ai_addr, rp->ai_addrlen) != 0)
- {
- ::close(m_fd);
- m_fd = -1;
- continue;
- }
- }
-
- ::freeaddrinfo(res);
-
- if(m_fd < 0)
- {
- throw Exception("Connecting to " + hostname +
- " for service " + service + " failed");
- }
- }
-
- ~BSD_Socket()
- {
- ::close(m_fd);
- m_fd = -1;
- }
-
- void write(const uint8_t buf[], size_t len) override
- {
- size_t sent_so_far = 0;
- while(sent_so_far != len)
- {
- const size_t left = len - sent_so_far;
- ssize_t sent = ::write(m_fd, &buf[sent_so_far], left);
- if(sent < 0)
- throw Exception("Socket write failed with error '" +
- std::string(::strerror(errno)) + "'");
- else
- sent_so_far += static_cast<size_t>(sent);
- }
- }
-
- size_t read(uint8_t buf[], size_t len) override
- {
- ssize_t got = ::read(m_fd, buf, len);
-
- if(got < 0)
- throw Exception("Socket read failed with error '" +
- std::string(::strerror(errno)) + "'");
- return static_cast<size_t>(got);
- }
-
- private:
- int m_fd;
- };
-
-#endif
-
-}
-
-std::unique_ptr<OS::Socket>
-OS::open_socket(const std::string& hostname,
- const std::string& service)
- {
-#if defined(BOTAN_HAS_BOOST_ASIO)
- return std::unique_ptr<OS::Socket>(new Asio_Socket(hostname, service));
-
-#elif defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS)
- return std::unique_ptr<OS::Socket>(new Winsock_Socket(hostname, service));
-
-#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX)
- return std::unique_ptr<OS::Socket>(new BSD_Socket(hostname, service));
-
-#else
- // No sockets for you
- return std::unique_ptr<Socket>();
-#endif
- }
-
-}
diff --git a/src/lib/utils/socket/info.txt b/src/lib/utils/socket/info.txt
new file mode 100644
index 000000000..ef0d939ea
--- /dev/null
+++ b/src/lib/utils/socket/info.txt
@@ -0,0 +1,13 @@
+<defines>
+SOCKETS -> 20171216
+</defines>
+
+<header:internal>
+socket.h
+</header:internal>
+
+<libs>
+linux -> rt
+mingw -> ws2_32
+windows -> ws2_32.lib
+</libs>
diff --git a/src/lib/utils/socket/socket.cpp b/src/lib/utils/socket/socket.cpp
new file mode 100644
index 000000000..f263531dd
--- /dev/null
+++ b/src/lib/utils/socket/socket.cpp
@@ -0,0 +1,367 @@
+/*
+* (C) 2015,2016,2017 Jack Lloyd
+* (C) 2016 Daniel Neus
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/internal/socket.h>
+#include <botan/exceptn.h>
+#include <botan/mem_ops.h>
+#include <chrono>
+
+#if defined(BOTAN_HAS_BOOST_ASIO)
+ /*
+ * We don't need serial port support anyway, and asking for it
+ * causes macro conflicts with Darwin's termios.h when this
+ * file is included in the amalgamation. GH #350
+ */
+ #define BOOST_ASIO_DISABLE_SERIAL_PORT
+ #include <boost/asio.hpp>
+ #include <boost/asio/system_timer.hpp>
+
+#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX)
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <netdb.h>
+ #include <string.h>
+ #include <unistd.h>
+ #include <errno.h>
+ #include <fcntl.h>
+
+#elif defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS)
+ #define NOMINMAX 1
+ #include <winsock2.h>
+ #include <ws2tcpip.h>
+ #include <windows.h>
+#endif
+
+namespace Botan {
+
+namespace {
+
+#if defined(BOTAN_HAS_BOOST_ASIO)
+
+class Asio_Socket final : public OS::Socket
+ {
+ public:
+ Asio_Socket(const std::string& hostname,
+ const std::string& service,
+ std::chrono::milliseconds timeout) :
+ m_timeout(timeout), m_timer(m_io), m_tcp(m_io)
+ {
+ m_timer.expires_from_now(m_timeout);
+ check_timeout();
+
+ boost::asio::ip::tcp::resolver resolver(m_io);
+ boost::asio::ip::tcp::resolver::query query(hostname, service);
+ boost::asio::ip::tcp::resolver::iterator dns_iter = resolver.resolve(query);
+
+ boost::system::error_code ec = boost::asio::error::would_block;
+
+ auto connect_cb = [&ec](const boost::system::error_code& e,
+ boost::asio::ip::tcp::resolver::iterator) { ec = e; };
+
+ boost::asio::async_connect(m_tcp, dns_iter, connect_cb);
+
+ while(ec == boost::asio::error::would_block)
+ {
+ m_io.run_one();
+ }
+
+ if(ec)
+ throw boost::system::system_error(ec);
+ if(ec || m_tcp.is_open() == false)
+ throw Exception("Connection to host " + hostname + " failed");
+ }
+
+ void write(const uint8_t buf[], size_t len) override
+ {
+ m_timer.expires_from_now(m_timeout);
+
+ boost::system::error_code ec = boost::asio::error::would_block;
+
+ boost::asio::async_write(m_tcp, boost::asio::buffer(buf, len),
+ [&ec](boost::system::error_code e, size_t got) { printf("wrote %d\n", got); ec = e; });
+
+ while(ec == boost::asio::error::would_block) { m_io.run_one(); }
+
+ if(ec)
+ {
+ throw boost::system::system_error(ec);
+ }
+ }
+
+ size_t read(uint8_t buf[], size_t len) override
+ {
+ m_timer.expires_from_now(m_timeout);
+
+ boost::system::error_code ec = boost::asio::error::would_block;
+ size_t got = 0;
+
+ auto read_cb = [&](const boost::system::error_code cb_ec, size_t cb_got) {
+ ec = cb_ec; got = cb_got;
+ };
+
+ m_tcp.async_read_some(boost::asio::buffer(buf, len), read_cb);
+
+ while(ec == boost::asio::error::would_block) { m_io.run_one(); }
+
+ if(ec)
+ {
+ if(ec == boost::asio::error::eof)
+ return 0;
+ throw boost::system::system_error(ec); // Some other error.
+ }
+
+ return got;
+ }
+
+ private:
+ void check_timeout()
+ {
+ if(m_tcp.is_open() && m_timer.expires_at() < std::chrono::system_clock::now())
+ {
+ boost::system::error_code err;
+ m_tcp.close(err);
+ }
+
+ m_timer.async_wait(std::bind(&Asio_Socket::check_timeout, this));
+ }
+
+ const std::chrono::milliseconds m_timeout;
+ boost::asio::io_service m_io;
+ boost::asio::system_timer m_timer;
+ boost::asio::ip::tcp::socket m_tcp;
+ };
+
+#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX) || defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS)
+
+class BSD_Socket final : public OS::Socket
+ {
+ private:
+#if defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS)
+ typedef SOCKET socket_type;
+ typedef int socket_op_ret_type;
+ static socket_type invalid_socket() { return INVALID_SOCKET; }
+ static void close_socket(socket_type s) { ::closesocket(s); }
+ static std::string get_last_socket_error() { return std::to_string(::WSAGetLastError()); }
+
+ static bool nonblocking_connect_in_progress()
+ {
+ return (::WSAGetLastError() == WSAEWOULDBLOCK);
+ }
+
+ static void set_nonblocking(socket_type s)
+ {
+ u_long nonblocking = 1;
+ ::ioctlsocket(s, FIONBIO, &nonblocking);
+ }
+
+ static void socket_init()
+ {
+ WSAData wsa_data;
+ WORD wsa_version = MAKEWORD(2, 2);
+
+ if (::WSAStartup(wsa_version, &wsa_data) != 0)
+ {
+ throw Exception("WSAStartup() failed: " + std::to_string(WSAGetLastError()));
+ }
+
+ if (LOBYTE(wsa_data.wVersion) != 2 || HIBYTE(wsa_data.wVersion) != 2)
+ {
+ ::WSACleanup();
+ throw Exception("Could not find a usable version of Winsock.dll");
+ }
+ }
+
+ static void socket_fini()
+ {
+ ::WSACleanup();
+ }
+#else
+ typedef int socket_type;
+ typedef ssize_t socket_op_ret_type;
+ static socket_type invalid_socket() { return -1; }
+ static void close_socket(socket_type s) { ::close(s); }
+ static std::string get_last_socket_error() { return ::strerror(errno); }
+ static bool nonblocking_connect_in_progress() { return (errno == EINPROGRESS); }
+ static void set_nonblocking(socket_type s)
+ {
+ if(::fcntl(s, F_SETFL, O_NONBLOCK) < 0)
+ throw Exception("Setting socket to non-blocking state failed");
+ }
+
+ static void socket_init() {}
+ static void socket_fini() {}
+#endif
+
+ public:
+ BSD_Socket(const std::string& hostname,
+ const std::string& service,
+ std::chrono::microseconds timeout) : m_timeout(timeout)
+ {
+ socket_init();
+
+ m_socket = invalid_socket();
+
+ addrinfo hints;
+ ::memset(&hints, 0, sizeof(addrinfo));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+ addrinfo* res;
+
+ if(::getaddrinfo(hostname.c_str(), service.c_str(), &hints, &res) != 0)
+ {
+ throw Exception("Name resolution failed for " + hostname);
+ }
+
+ for(addrinfo* rp = res; (m_socket == invalid_socket()) && (rp != nullptr); rp = rp->ai_next)
+ {
+ if(rp->ai_family != AF_INET && rp->ai_family != AF_INET6)
+ continue;
+
+ m_socket = ::socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
+
+ if(m_socket == invalid_socket())
+ {
+ // unsupported socket type?
+ continue;
+ }
+
+ set_nonblocking(m_socket);
+
+ int err = ::connect(m_socket, rp->ai_addr, rp->ai_addrlen);
+
+ if(err == -1)
+ {
+ int active = 0;
+ if(nonblocking_connect_in_progress())
+ {
+ struct timeval timeout = make_timeout_tv();
+ fd_set write_set;
+ FD_ZERO(&write_set);
+ FD_SET(m_socket, &write_set);
+
+ active = ::select(m_socket + 1, nullptr, &write_set, nullptr, &timeout);
+
+ if(active)
+ {
+ int socket_error = 0;
+ socklen_t len = sizeof(socket_error);
+
+ if(::getsockopt(m_socket, SOL_SOCKET, SO_ERROR, reinterpret_cast<char*>(&socket_error), &len) < 0)
+ throw Exception("Error calling getsockopt");
+
+ if(socket_error != 0)
+ {
+ active = 0;
+ }
+ }
+ }
+
+ if(active == 0)
+ {
+ close_socket(m_socket);
+ m_socket = invalid_socket();
+ continue;
+ }
+ }
+ }
+
+ ::freeaddrinfo(res);
+
+ if(m_socket == invalid_socket())
+ {
+ throw Exception("Connecting to " + hostname +
+ " for service " + service + " failed");
+ }
+ }
+
+ ~BSD_Socket()
+ {
+ close_socket(m_socket);
+ m_socket = invalid_socket();
+ socket_fini();
+ }
+
+ void write(const uint8_t buf[], size_t len) override
+ {
+ fd_set write_set;
+ FD_ZERO(&write_set);
+ FD_SET(m_socket, &write_set);
+
+ size_t sent_so_far = 0;
+ while(sent_so_far != len)
+ {
+ struct timeval timeout = make_timeout_tv();
+ int active = ::select(m_socket + 1, nullptr, &write_set, nullptr, &timeout);
+
+ if(active == 0)
+ throw Exception("Timeout during socket write");
+
+ const size_t left = len - sent_so_far;
+ socket_op_ret_type sent = ::send(m_socket, cast_uint8_ptr_to_char(&buf[sent_so_far]), left, 0);
+ if(sent < 0)
+ throw Exception("Socket write failed with error '" +
+ std::string(::strerror(errno)) + "'");
+ else
+ sent_so_far += static_cast<size_t>(sent);
+ }
+ }
+
+ size_t read(uint8_t buf[], size_t len) override
+ {
+ fd_set read_set;
+ FD_ZERO(&read_set);
+ FD_SET(m_socket, &read_set);
+
+ struct timeval timeout = make_timeout_tv();
+ int active = ::select(m_socket + 1, &read_set, nullptr, nullptr, &timeout);
+
+ if(active == 0)
+ throw Exception("Timeout during socket read");
+
+ socket_op_ret_type got = ::recv(m_socket, cast_uint8_ptr_to_char(buf), len, 0);
+
+ if(got < 0)
+ throw Exception("Socket read failed with error '" +
+ std::string(::strerror(errno)) + "'");
+ return static_cast<size_t>(got);
+ }
+
+ private:
+ struct timeval make_timeout_tv() const
+ {
+ struct timeval tv;
+ tv.tv_sec = m_timeout.count() / 1000000;
+ tv.tv_usec = m_timeout.count() % 1000000;
+ return tv;
+ }
+
+ const std::chrono::microseconds m_timeout;
+ socket_type m_socket;
+ };
+
+#endif
+
+}
+
+std::unique_ptr<OS::Socket>
+OS::open_socket(const std::string& hostname,
+ const std::string& service,
+ std::chrono::milliseconds timeout)
+ {
+#if defined(BOTAN_HAS_BOOST_ASIO)
+ return std::unique_ptr<OS::Socket>(new Asio_Socket(hostname, service, timeout));
+
+#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX) || defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS)
+ return std::unique_ptr<OS::Socket>(new BSD_Socket(hostname, service, timeout));
+
+#else
+ // No sockets for you
+ return std::unique_ptr<Socket>();
+#endif
+ }
+
+}
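Review bot: In `BSD_Socket` the three `select()` calls (in the connect loop, `write` and `read`) only test `active == 0`, so a return of -1 is treated as readiness and falls through to `getsockopt`/`send`/`recv`; each should reject it, e.g. `if(active < 0) throw Exception("select failed: " + get_last_socket_error());`. On the non-Windows path `FD_SET(m_socket, ...)` is used without checking the descriptor against `FD_SETSIZE`, which is undefined behaviour in a process holding many open descriptors, so the constructor should close and reject a socket where `m_socket >= FD_SETSIZE` before the first `FD_SET`. `Asio_Socket::write` still has a debug `printf("wrote %d\n", got);` in its completion handler, which writes to stdout from library code and passes a `size_t` to `%d`; the handler should be just `[&ec](boost::system::error_code e, size_t) { ec = e; }`. The `write`/`read` error messages build on `::strerror(errno)` instead of the `get_last_socket_error()` helper defined above, so they are likely to be misleading on Windows. The exceptions thrown inside the constructor after `socket_init()` and `getaddrinfo()` (from `set_nonblocking` and the `getsockopt` check) skip `freeaddrinfo(res)`, `close_socket` and `socket_fini()`, because the destructor does not run for a partially constructed object.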
diff --git a/src/lib/utils/http_util/socket.h b/src/lib/utils/socket/socket.h
index 4961738ae..03a951478 100644
--- a/src/lib/utils/http_util/socket.h
+++ b/src/lib/utils/socket/socket.h
@@ -9,7 +9,8 @@
#define BOTAN_SOCKET_H_
#include <botan/types.h>
-#include <functional>
+#include <string>
+#include <chrono>
namespace Botan {
@@ -54,7 +55,8 @@ class BOTAN_TEST_API Socket
*/
std::unique_ptr<Socket>
BOTAN_TEST_API open_socket(const std::string& hostname,
- const std::string& service);
+ const std::string& service,
+ std::chrono::milliseconds timeout);
} // OS
} // Botan
diff --git a/src/lib/x509/ocsp.cpp b/src/lib/x509/ocsp.cpp
index cf0c1064b..6d8d66687 100644
--- a/src/lib/x509/ocsp.cpp
+++ b/src/lib/x509/ocsp.cpp
@@ -283,7 +283,8 @@ Certificate_Status_Code Response::status_for(const X509_Certificate& issuer,
Response online_check(const X509_Certificate& issuer,
const BigInt& subject_serial,
const std::string& ocsp_responder,
- Certificate_Store* trusted_roots)
+ Certificate_Store* trusted_roots,
+ std::chrono::milliseconds timeout)
{
if(ocsp_responder.empty())
throw Invalid_Argument("No OCSP responder specified");
@@ -292,7 +293,9 @@ Response online_check(const X509_Certificate& issuer,
auto http = HTTP::POST_sync(ocsp_responder,
"application/ocsp-request",
- req.BER_encode());
+ req.BER_encode(),
+ 1,
+ timeout);
http.throw_unless_ok();
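Review bot: The redirect limit is passed as a bare `1`, which is hard to interpret at the call site and duplicates the default declared in http_util.h. The equivalent call in x509path.cpp in this same commit annotates it as `/*redirects*/1,`, and doing the same here keeps the two call sites consistent.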
@@ -312,7 +315,8 @@ Response online_check(const X509_Certificate& issuer,
Response online_check(const X509_Certificate& issuer,
const X509_Certificate& subject,
- Certificate_Store* trusted_roots)
+ Certificate_Store* trusted_roots,
+ std::chrono::milliseconds timeout)
{
if(subject.issuer_dn() != issuer.subject_dn())
throw Invalid_Argument("Invalid cert pair to OCSP::online_check (mismatched issuer,subject args?)");
@@ -320,7 +324,8 @@ Response online_check(const X509_Certificate& issuer,
return online_check(issuer,
BigInt::decode(subject.serial_number()),
subject.ocsp_responder(),
- trusted_roots);
+ trusted_roots,
+ timeout);
}
#endif
diff --git a/src/lib/x509/ocsp.h b/src/lib/x509/ocsp.h
index 33177dc59..1b780d63f 100644
--- a/src/lib/x509/ocsp.h
+++ b/src/lib/x509/ocsp.h
@@ -11,6 +11,7 @@
#include <botan/cert_status.h>
#include <botan/ocsp_types.h>
#include <botan/x509_dn.h>
+#include <chrono>
namespace Botan {
@@ -164,23 +165,35 @@ class BOTAN_PUBLIC_API(2,0) Response final
#if defined(BOTAN_HAS_HTTP_UTIL)
+/**
+* Makes an online OCSP request via HTTP and returns the OCSP response.
+* @param issuer issuer certificate
+* @param subject_serial the subject's serial number
+* @param ocsp_responder the OCSP responder to query
+* @param trusted_roots trusted roots for the OCSP response
+* @param timeout a timeout on the HTTP request
+* @return OCSP response
+*/
BOTAN_PUBLIC_API(2,1)
Response online_check(const X509_Certificate& issuer,
const BigInt& subject_serial,
const std::string& ocsp_responder,
- Certificate_Store* trusted_roots);
+ Certificate_Store* trusted_roots,
+ std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
/**
* Makes an online OCSP request via HTTP and returns the OCSP response.
* @param issuer issuer certificate
* @param subject subject certificate
* @param trusted_roots trusted roots for the OCSP response
+* @param timeout a timeout on the HTTP request
* @return OCSP response
*/
BOTAN_PUBLIC_API(2,0)
Response online_check(const X509_Certificate& issuer,
const X509_Certificate& subject,
- Certificate_Store* trusted_roots);
+ Certificate_Store* trusted_roots,
+ std::chrono::milliseconds timeout = std::chrono::milliseconds(3000));
#endif
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index 11bcdbb12..237ac33a5 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -320,7 +320,9 @@ PKIX::check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate
auto http = HTTP::POST_sync(subject->ocsp_responder(),
"application/ocsp-request",
- req.BER_encode());
+ req.BER_encode(),
+ /*redirects*/1,
+ timeout);
http.throw_unless_ok();
// Check the MIME type?
@@ -330,30 +332,11 @@ PKIX::check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate
}
}
- std::vector<std::shared_ptr<const OCSP::Response>> ocsp_responses(ocsp_response_futures.size());
+ std::vector<std::shared_ptr<const OCSP::Response>> ocsp_responses;
- for(size_t pass = 1; pass < 3; ++pass)
+ for(size_t i = 0; i < ocsp_response_futures.size(); ++i)
{
- for(size_t i = 0; i < ocsp_response_futures.size(); ++i)
- {
- try
- {
- if(ocsp_responses[i] == nullptr && ocsp_response_futures[i].valid())
- {
- std::future_status status = ocsp_response_futures[i].wait_for(timeout);
-
- if(status == std::future_status::ready ||
- status == std::future_status::deferred)
- {
- ocsp_responses[i] = ocsp_response_futures[i].get();
- }
- }
- }
- catch(std::exception&)
- {
- // value is default initialized to null, no need to do anything
- }
- }
+ ocsp_responses.push_back(ocsp_response_futures[i].get());
}
return PKIX::check_ocsp(cert_path, ocsp_responses, trusted_certstores, ref_time);
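Review bot: The new loop calls `ocsp_response_futures[i].get()` with no `try`/`catch` and no `valid()` test, so any exception raised inside a request task (for example from `http.throw_unless_ok()` or the new HTTP timeout) now propagates out of `check_ocsp_online`, where the removed code left that slot null. The task bodies are outside this hunk; if they do not catch internally, one unreachable or slow responder aborts the whole call instead of producing a missing response for `check_ocsp` to judge. Keeping the old per-entry behaviour needs only `try { ocsp_responses.push_back(ocsp_response_futures[i].get()); }` followed by `catch(std::exception&) { ocsp_responses.push_back(nullptr); }`. Whichever outcome is intended, a comment should state that the wait is now bounded only by the HTTP-layer timeout and what a failed fetch means for revocation checking.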
diff --git a/src/lib/x509/x509path.h b/src/lib/x509/x509path.h
index 17932c871..6898d0679 100644
--- a/src/lib/x509/x509path.h
+++ b/src/lib/x509/x509path.h
@@ -207,7 +207,7 @@ Path_Validation_Result BOTAN_PUBLIC_API(2,0) x509_path_validate(
* @param hostname if not empty, compared against the DNS name in end_cert
* @param usage if not set to UNSPECIFIED, compared against the key usage in end_cert
* @param validation_time what reference time to use for validation
-* @param ocsp_timeout timeoutput for OCSP operations, 0 disables OCSP check
+* @param ocsp_timeout timeout for OCSP operations, 0 disables OCSP check
* @param ocsp_resp additional OCSP responses to consider (eg from peer)
* @return result of the path validation
*/
@@ -251,7 +251,7 @@ Path_Validation_Result BOTAN_PUBLIC_API(2,0) x509_path_validate(
* @param hostname if not empty, compared against the DNS name in end_certs[0]
* @param usage if not set to UNSPECIFIED, compared against the key usage in end_certs[0]
* @param validation_time what reference time to use for validation
-* @param ocsp_timeout timeoutput for OCSP operations, 0 disables OCSP check
+* @param ocsp_timeout timeout for OCSP operations, 0 disables OCSP check
* @param ocsp_resp additional OCSP responses to consider (eg from peer)
* @return result of the path validation
*/
diff --git a/src/scripts/ci_build.py b/src/scripts/ci_build.py
index 011e9b3fc..69617dee0 100755
--- a/src/scripts/ci_build.py
+++ b/src/scripts/ci_build.py
@@ -71,7 +71,7 @@ def determine_flags(target, target_os, target_cpu, target_cc, cc_bin, ccache, ro
if target in ['mini-static', 'mini-shared']:
flags += ['--minimized-build', '--enable-modules=system_rng,sha2_32,sha2_64,aes']
- if target == 'shared':
+ if target == 'shared' and target_os != 'osx':
# Enabling amalgamation build for shared is somewhat arbitrary, but we want to test it
# somewhere. In addition the majority of the Windows builds are shared, and MSVC is
# much faster compiling via the amalgamation than individual files.
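Review bot: The added `target_os != 'osx'` exclusion is not explained, and the comment below it only covers why amalgamation is enabled for shared builds. A one-line reason would stop the condition being removed or copied blindly later, e.g. `# Amalgamation is skipped on osx: <reason>`. determine_flags continues outside this hunk.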