author | Jack Lloyd <[email protected]> | 2017-12-18 06:11:06 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-12-18 06:11:20 -0500 |
commit | 8a30a2d229a51b5ae0f23b71591d9ed8f08c3126 (patch) | |
tree | e8f7e606403252cac9177dfa23b117a731361f36 | |
parent | d358e9e12190c08c946c0f87dbedc55229ce11a6 (diff) | |
parent | 4a6879ab001428866d59c96874fa865a84661360 (diff) |
Merge GH #1360 Add timeouts to HTTP socket operations
Fixes #1326
-rw-r--r-- | src/cli/utils.cpp | 8 | ||||
-rw-r--r-- | src/cli/x509.cpp | 5 | ||||
-rw-r--r-- | src/lib/utils/http_util/http_util.cpp | 35 | ||||
-rw-r--r-- | src/lib/utils/http_util/http_util.h | 30 | ||||
-rw-r--r-- | src/lib/utils/http_util/info.txt | 12 | ||||
-rw-r--r-- | src/lib/utils/http_util/socket.cpp | 283 | ||||
-rw-r--r-- | src/lib/utils/socket/info.txt | 13 | ||||
-rw-r--r-- | src/lib/utils/socket/socket.cpp | 367 | ||||
-rw-r--r-- | src/lib/utils/socket/socket.h (renamed from src/lib/utils/http_util/socket.h) | 6 | ||||
-rw-r--r-- | src/lib/x509/ocsp.cpp | 13 | ||||
-rw-r--r-- | src/lib/x509/ocsp.h | 17 | ||||
-rw-r--r-- | src/lib/x509/x509path.cpp | 29 | ||||
-rw-r--r-- | src/lib/x509/x509path.h | 4 | ||||
-rwxr-xr-x | src/scripts/ci_build.py | 2 |
14 files changed, 473 insertions, 351 deletions
diff --git a/src/cli/utils.cpp b/src/cli/utils.cpp index 094665a00..161cc24bf 100644 --- a/src/cli/utils.cpp +++ b/src/cli/utils.cpp @@ -218,11 +218,15 @@ BOTAN_REGISTER_COMMAND("rng", RNG); class HTTP_Get final : public Command { public: - HTTP_Get() : Command("http_get url") {} + HTTP_Get() : Command("http_get --redirects=1 --timeout=3000 url") {} void go() override { - output() << Botan::HTTP::GET_sync(get_arg("url")) << "\n"; + const std::string url = get_arg("url"); + const std::chrono::milliseconds timeout(get_arg_sz("timeout")); + const size_t redirects = get_arg_sz("redirects"); + + output() << Botan::HTTP::GET_sync(url, redirects, timeout) << "\n"; } }; diff --git a/src/cli/x509.cpp b/src/cli/x509.cpp index eb09eb41d..10e7a1c7f 100644 --- a/src/cli/x509.cpp +++ b/src/cli/x509.cpp @@ -117,16 +117,17 @@ BOTAN_REGISTER_COMMAND("cert_info", Cert_Info); class OCSP_Check final : public Command { public: - OCSP_Check() : Command("ocsp_check subject issuer") {} + OCSP_Check() : Command("ocsp_check --timeout=3000 subject issuer") {} void go() override { Botan::X509_Certificate subject(get_arg("subject")); Botan::X509_Certificate issuer(get_arg("issuer")); + std::chrono::milliseconds timeout(get_arg_sz("timeout")); Botan::Certificate_Store_In_Memory cas; cas.add_certificate(issuer); - Botan::OCSP::Response resp = Botan::OCSP::online_check(issuer, subject, &cas); + Botan::OCSP::Response resp = Botan::OCSP::online_check(issuer, subject, &cas, timeout); auto status = resp.status_for(issuer, subject, std::chrono::system_clock::now()); diff --git a/src/lib/utils/http_util/http_util.cpp b/src/lib/utils/http_util/http_util.cpp index 8dcd8d55a..f5f9c0213 100644 --- a/src/lib/utils/http_util/http_util.cpp +++ b/src/lib/utils/http_util/http_util.cpp 
@@ -25,13 +25,16 @@ namespace { * closes the socket. */ std::string http_transact(const std::string& hostname, - const std::string& message) + const std::string& message, + std::chrono::milliseconds timeout) { std::unique_ptr<OS::Socket> socket; + const std::chrono::system_clock::time_point start_time = std::chrono::system_clock::now(); + try { - socket = OS::open_socket(hostname, "http"); + socket = OS::open_socket(hostname, "http", timeout); if(!socket) throw Exception("No socket support enabled in build"); } @@ -44,6 +47,9 @@ std::string http_transact(const std::string& hostname, socket->write(cast_char_ptr_to_uint8(message.data()), message.size()); + if(std::chrono::system_clock::now() - start_time > timeout) + throw HTTP_Error("Timeout during writing message body"); + std::ostringstream oss; std::vector<uint8_t> buf(BOTAN_DEFAULT_BUFFER_SIZE); while(true) @@ -52,6 +58,9 @@ std::string http_transact(const std::string& hostname, if(got == 0) // EOF break; + if(std::chrono::system_clock::now() - start_time > timeout) + throw HTTP_Error("Timeout while reading message body"); + oss.write(cast_uint8_ptr_to_char(buf.data()), static_cast<std::streamsize>(got)); } @@ -205,10 +214,17 @@ Response http_sync(const std::string& verb, const std::string& url, const std::string& content_type, const std::vector<uint8_t>& body, - size_t allowable_redirects) + size_t allowable_redirects, + std::chrono::milliseconds timeout) { + auto transact_with_timeout = + [timeout](const std::string& hostname, const std::string& service) + { + return http_transact(hostname, service, timeout); + }; + return http_sync( - http_transact, + transact_with_timeout, verb, url, content_type, 
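Review bot: The elapsed-time checks in http_transact measure against `std::chrono::system_clock`, which can jump when the wall clock is stepped (NTP correction, manual change), so an exchange can time out spuriously or run well past its limit. A monotonic clock fits a deadline better: `const auto start_time = std::chrono::steady_clock::now();`, with the same substitution in the two `now() - start_time > timeout` comparisons added in the @@ -44,6 and @@ -52,6 hunks. Those comparisons also run only after `write()` and `read()` have returned, so the bound on a stalled peer comes from the socket-level timeout rather than from this code; a short comment saying so would prevent the checks being read as the enforcement point. http_transact's body extends beyond these hunks.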
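Review bot: The second parameter of the `transact_with_timeout` lambda in the @@ -205,10 hunk is named `service`, but it is forwarded as http_transact's `message` argument, which is the request text rather than a service name. Renaming it keeps the two in step: `[timeout](const std::string& hostname, const std::string& message)`. The argument list of the inner http_sync call continues past the end of the hunk.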
@@ -216,17 +232,20 @@ Response http_sync(const std::string& verb, allowable_redirects); } -Response GET_sync(const std::string& url, size_t allowable_redirects) +Response GET_sync(const std::string& url, + size_t allowable_redirects, + std::chrono::milliseconds timeout) { - return http_sync("GET", url, "", std::vector<uint8_t>(), allowable_redirects); + return http_sync("GET", url, "", std::vector<uint8_t>(), allowable_redirects, timeout); } Response POST_sync(const std::string& url, const std::string& content_type, const std::vector<uint8_t>& body, - size_t allowable_redirects) + size_t allowable_redirects, + std::chrono::milliseconds timeout) { - return http_sync("POST", url, content_type, body, allowable_redirects); + return http_sync("POST", url, content_type, body, allowable_redirects, timeout); } } diff --git a/src/lib/utils/http_util/http_util.h b/src/lib/utils/http_util/http_util.h index ea6122c07..9edd3d983 100644 --- a/src/lib/utils/http_util/http_util.h +++ b/src/lib/utils/http_util/http_util.h @@ -14,6 +14,7 @@ #include <map> #include <string> #include <functional> +#include <chrono> namespace Botan { 
@@ -69,25 +70,28 @@ BOTAN_PUBLIC_API(2,0) std::ostream& operator<<(std::ostream& o, const Response& typedef std::function<std::string (const std::string&, const std::string&)> http_exch_fn; BOTAN_PUBLIC_API(2,0) Response http_sync(http_exch_fn fn, - const std::string& verb, - const std::string& url, - const std::string& content_type, - const std::vector<uint8_t>& body, - size_t allowable_redirects); + const std::string& verb, + const std::string& url, + const std::string& content_type, + const std::vector<uint8_t>& body, + size_t allowable_redirects); BOTAN_PUBLIC_API(2,0) Response http_sync(const std::string& verb, - const std::string& url, - const std::string& content_type, - const std::vector<uint8_t>& body, - size_t allowable_redirects); + const std::string& url, + const std::string& content_type, + const std::vector<uint8_t>& body, + size_t allowable_redirects, + std::chrono::milliseconds timeout = std::chrono::milliseconds(3000)); BOTAN_PUBLIC_API(2,0) Response GET_sync(const std::string& url, - size_t allowable_redirects = 1); + size_t allowable_redirects = 1, + std::chrono::milliseconds timeout = std::chrono::milliseconds(3000)); BOTAN_PUBLIC_API(2,0) Response POST_sync(const std::string& url, - const std::string& content_type, - const std::vector<uint8_t>& body, - size_t allowable_redirects = 1); + const std::string& content_type, + const std::vector<uint8_t>& body, + size_t allowable_redirects = 1, + std::chrono::milliseconds timeout = std::chrono::milliseconds(3000)); BOTAN_PUBLIC_API(2,0) std::string url_encode(const std::string& url); diff --git a/src/lib/utils/http_util/info.txt b/src/lib/utils/http_util/info.txt index a6cbd902f..a3ebc249e 100644 --- a/src/lib/utils/http_util/info.txt +++ b/src/lib/utils/http_util/info.txt @@ -6,12 +6,6 @@ HTTP_UTIL -> 20171003 http_util.h </header:public> -<header:internal> -socket.h -</header:internal> - -<libs> -linux -> rt -mingw -> ws2_32 -windows -> ws2_32.lib -</libs> +<requires> +socket +</requires> 
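Review bot: The new `timeout` parameters on http_sync, GET_sync and POST_sync are declared without any documentation, so the header does not say what the 3000 ms default actually bounds. From http_util.cpp in this commit the value is passed to `OS::open_socket` and is also compared against the total elapsed time in http_transact, so a comment such as `/* timeout is applied to each socket operation and is also checked against the total time of one exchange */` above the declarations would help. It is also worth stating that the `http_exch_fn` overload takes no timeout, so a caller that supplies its own exchange function has to enforce one itself.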
diff --git a/src/lib/utils/http_util/socket.cpp b/src/lib/utils/http_util/socket.cpp
deleted file mode 100644
index a2b9d5567..000000000
--- a/src/lib/utils/http_util/socket.cpp
+++ /dev/null
@@ -1,283 +0,0 @@ -/* -* OS and machine specific utility functions -* (C) 2015,2016,2017 Jack Lloyd -* (C) 2016 Daniel Neus -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include <botan/internal/socket.h> -#include <botan/exceptn.h> -#include <botan/mem_ops.h> -#include <chrono> - -#if defined(BOTAN_HAS_BOOST_ASIO) - /* - * We don't need serial port support anyway, and asking for it - * causes macro conflicts with Darwin's termios.h when this - * file is included in the amalgamation. GH #350 - */ - #define BOOST_ASIO_DISABLE_SERIAL_PORT - #include <boost/asio.hpp> - -#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX) - #include <sys/socket.h> - #include <netinet/in.h> - #include <netdb.h> - #include <string.h> - #include <unistd.h> - #include <errno.h> - -#elif defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS) - #define NOMINMAX 1 - #include <winsock2.h> - #include <ws2tcpip.h> - #include <windows.h> -#endif - -namespace Botan { - -namespace { - -#if defined(BOTAN_HAS_BOOST_ASIO) - -class Asio_Socket final : public OS::Socket - { - public: - Asio_Socket(const std::string& hostname, const std::string& service) : - m_tcp(m_io) - { - boost::asio::ip::tcp::resolver resolver(m_io); - boost::asio::ip::tcp::resolver::query query(hostname, service); - boost::asio::connect(m_tcp, resolver.resolve(query)); - } - - void write(const uint8_t buf[], size_t len) override - { - boost::asio::write(m_tcp, boost::asio::buffer(buf, len)); - } - - size_t read(uint8_t buf[], size_t len) override - { - boost::system::error_code error; - size_t got = m_tcp.read_some(boost::asio::buffer(buf, len), error); - - if(error) - { - if(error == boost::asio::error::eof) - return 0; - throw boost::system::system_error(error); // Some other error. 
- } - - return got; - } - - private: - boost::asio::io_service m_io; - boost::asio::ip::tcp::socket m_tcp; - }; - -#elif defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS) - -class Winsock_Socket final : public OS::Socket - { - public: - Winsock_Socket(const std::string& hostname, const std::string& service) - { - WSAData wsa_data; - WORD wsa_version = MAKEWORD(2, 2); - - if (::WSAStartup(wsa_version, &wsa_data) != 0) - { - throw Exception("WSAStartup() failed: " + std::to_string(WSAGetLastError())); - } - - if (LOBYTE(wsa_data.wVersion) != 2 || HIBYTE(wsa_data.wVersion) != 2) - { - ::WSACleanup(); - throw Exception("Could not find a usable version of Winsock.dll"); - } - - addrinfo hints; - ::memset(&hints, 0, sizeof(addrinfo)); - hints.ai_family = AF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - addrinfo* res; - - if(::getaddrinfo(hostname.c_str(), service.c_str(), &hints, &res) != 0) - { - throw Exception("Name resolution failed for " + hostname); - } - - for(addrinfo* rp = res; (m_socket == INVALID_SOCKET) && (rp != nullptr); rp = rp->ai_next) - { - m_socket = ::socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); - - // unsupported socket type? 
- if(m_socket == INVALID_SOCKET) - continue; - - if(::connect(m_socket, rp->ai_addr, rp->ai_addrlen) != 0) - { - ::closesocket(m_socket); - m_socket = INVALID_SOCKET; - continue; - } - } - - ::freeaddrinfo(res); - - if(m_socket == INVALID_SOCKET) - { - throw Exception("Connecting to " + hostname + - " for service " + service + " failed"); - } - } - - ~Winsock_Socket() - { - ::closesocket(m_socket); - m_socket = INVALID_SOCKET; - ::WSACleanup(); - } - - void write(const uint8_t buf[], size_t len) override - { - size_t sent_so_far = 0; - while(sent_so_far != len) - { - const size_t left = len - sent_so_far; - int sent = ::send(m_socket, - cast_uint8_ptr_to_char(buf + sent_so_far), - static_cast<int>(left), - 0); - - if(sent == SOCKET_ERROR) - throw Exception("Socket write failed with error " + - std::to_string(::WSAGetLastError())); - else - sent_so_far += static_cast<size_t>(sent); - } - } - - size_t read(uint8_t buf[], size_t len) override - { - int got = ::recv(m_socket, - cast_uint8_ptr_to_char(buf), - static_cast<int>(len), 0); - - if(got == SOCKET_ERROR) - throw Exception("Socket read failed with error " + - std::to_string(::WSAGetLastError())); - return static_cast<size_t>(got); - } - - private: - SOCKET m_socket = INVALID_SOCKET; - }; - -#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX) -class BSD_Socket final : public OS::Socket - { - public: - BSD_Socket(const std::string& hostname, const std::string& service) - { - addrinfo hints; - ::memset(&hints, 0, sizeof(addrinfo)); - hints.ai_family = AF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - addrinfo* res; - - if(::getaddrinfo(hostname.c_str(), service.c_str(), &hints, &res) != 0) - { - throw Exception("Name resolution failed for " + hostname); - } - - m_fd = -1; - - for(addrinfo* rp = res; (m_fd < 0) && (rp != nullptr); rp = rp->ai_next) - { - m_fd = ::socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); - - if(m_fd < 0) - { - // unsupported socket type? 
- continue; - } - - if(::connect(m_fd, rp->ai_addr, rp->ai_addrlen) != 0) - { - ::close(m_fd); - m_fd = -1; - continue; - } - } - - ::freeaddrinfo(res); - - if(m_fd < 0) - { - throw Exception("Connecting to " + hostname + - " for service " + service + " failed"); - } - } - - ~BSD_Socket() - { - ::close(m_fd); - m_fd = -1; - } - - void write(const uint8_t buf[], size_t len) override - { - size_t sent_so_far = 0; - while(sent_so_far != len) - { - const size_t left = len - sent_so_far; - ssize_t sent = ::write(m_fd, &buf[sent_so_far], left); - if(sent < 0) - throw Exception("Socket write failed with error '" + - std::string(::strerror(errno)) + "'"); - else - sent_so_far += static_cast<size_t>(sent); - } - } - - size_t read(uint8_t buf[], size_t len) override - { - ssize_t got = ::read(m_fd, buf, len); - - if(got < 0) - throw Exception("Socket read failed with error '" + - std::string(::strerror(errno)) + "'"); - return static_cast<size_t>(got); - } - - private: - int m_fd; - }; - -#endif - -} - -std::unique_ptr<OS::Socket> -OS::open_socket(const std::string& hostname, - const std::string& service) - { -#if defined(BOTAN_HAS_BOOST_ASIO) - return std::unique_ptr<OS::Socket>(new Asio_Socket(hostname, service)); - -#elif defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS) - return std::unique_ptr<OS::Socket>(new Winsock_Socket(hostname, service)); - -#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX) - return std::unique_ptr<OS::Socket>(new BSD_Socket(hostname, service)); - -#else - // No sockets for you - return std::unique_ptr<Socket>(); -#endif - } - -} diff --git a/src/lib/utils/socket/info.txt b/src/lib/utils/socket/info.txt new file mode 100644 index 000000000..ef0d939ea --- /dev/null +++ b/src/lib/utils/socket/info.txt @@ -0,0 +1,13 @@ +<defines> +SOCKETS -> 20171216 +</defines> + +<header:internal> +socket.h +</header:internal> + +<libs> +linux -> rt +mingw -> ws2_32 +windows -> ws2_32.lib +</libs> 
diff --git a/src/lib/utils/socket/socket.cpp b/src/lib/utils/socket/socket.cpp
new file mode 100644
index 000000000..f263531dd
--- /dev/null
+++ b/src/lib/utils/socket/socket.cpp
@@ -0,0 +1,367 @@ +/* +* (C) 2015,2016,2017 Jack Lloyd +* (C) 2016 Daniel Neus +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include <botan/internal/socket.h> +#include <botan/exceptn.h> +#include <botan/mem_ops.h> +#include <chrono> + +#if defined(BOTAN_HAS_BOOST_ASIO) + /* + * We don't need serial port support anyway, and asking for it + * causes macro conflicts with Darwin's termios.h when this + * file is included in the amalgamation. GH #350 + */ + #define BOOST_ASIO_DISABLE_SERIAL_PORT + #include <boost/asio.hpp> + #include <boost/asio/system_timer.hpp> + +#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX) + #include <sys/socket.h> + #include <netinet/in.h> + #include <netdb.h> + #include <string.h> + #include <unistd.h> + #include <errno.h> + #include <fcntl.h> + +#elif defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS) + #define NOMINMAX 1 + #include <winsock2.h> + #include <ws2tcpip.h> + #include <windows.h> +#endif + +namespace Botan { + +namespace { + +#if defined(BOTAN_HAS_BOOST_ASIO) + +class Asio_Socket final : public OS::Socket + { + public: + Asio_Socket(const std::string& hostname, + const std::string& service, + std::chrono::milliseconds timeout) : + m_timeout(timeout), m_timer(m_io), m_tcp(m_io) + { + m_timer.expires_from_now(m_timeout); + check_timeout(); + + boost::asio::ip::tcp::resolver resolver(m_io); + boost::asio::ip::tcp::resolver::query query(hostname, service); + boost::asio::ip::tcp::resolver::iterator dns_iter = resolver.resolve(query); + + boost::system::error_code ec = boost::asio::error::would_block; + + auto connect_cb = [&ec](const boost::system::error_code& e, + boost::asio::ip::tcp::resolver::iterator) { ec = e; }; + + boost::asio::async_connect(m_tcp, dns_iter, connect_cb); + + while(ec == boost::asio::error::would_block) + { + m_io.run_one(); + } + + if(ec) + throw boost::system::system_error(ec); + if(ec || m_tcp.is_open() == false) + throw Exception("Connection to host " + hostname + " failed"); + } + + 
void write(const uint8_t buf[], size_t len) override + { + m_timer.expires_from_now(m_timeout); + + boost::system::error_code ec = boost::asio::error::would_block; + + boost::asio::async_write(m_tcp, boost::asio::buffer(buf, len), + [&ec](boost::system::error_code e, size_t got) { printf("wrote %d\n", got); ec = e; }); + + while(ec == boost::asio::error::would_block) { m_io.run_one(); } + + if(ec) + { + throw boost::system::system_error(ec); + } + } + + size_t read(uint8_t buf[], size_t len) override + { + m_timer.expires_from_now(m_timeout); + + boost::system::error_code ec = boost::asio::error::would_block; + size_t got = 0; + + auto read_cb = [&](const boost::system::error_code cb_ec, size_t cb_got) { + ec = cb_ec; got = cb_got; + }; + + m_tcp.async_read_some(boost::asio::buffer(buf, len), read_cb); + + while(ec == boost::asio::error::would_block) { m_io.run_one(); } + + if(ec) + { + if(ec == boost::asio::error::eof) + return 0; + throw boost::system::system_error(ec); // Some other error. 
+ } + + return got; + } + + private: + void check_timeout() + { + if(m_tcp.is_open() && m_timer.expires_at() < std::chrono::system_clock::now()) + { + boost::system::error_code err; + m_tcp.close(err); + } + + m_timer.async_wait(std::bind(&Asio_Socket::check_timeout, this)); + } + + const std::chrono::milliseconds m_timeout; + boost::asio::io_service m_io; + boost::asio::system_timer m_timer; + boost::asio::ip::tcp::socket m_tcp; + }; + +#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX) || defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS) + +class BSD_Socket final : public OS::Socket + { + private: +#if defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS) + typedef SOCKET socket_type; + typedef int socket_op_ret_type; + static socket_type invalid_socket() { return INVALID_SOCKET; } + static void close_socket(socket_type s) { ::closesocket(s); } + static std::string get_last_socket_error() { return std::to_string(::WSAGetLastError()); } + + static bool nonblocking_connect_in_progress() + { + return (::WSAGetLastError() == WSAEWOULDBLOCK); + } + + static void set_nonblocking(socket_type s) + { + u_long nonblocking = 1; + ::ioctlsocket(s, FIONBIO, &nonblocking); + } + + static void socket_init() + { + WSAData wsa_data; + WORD wsa_version = MAKEWORD(2, 2); + + if (::WSAStartup(wsa_version, &wsa_data) != 0) + { + throw Exception("WSAStartup() failed: " + std::to_string(WSAGetLastError())); + } + + if (LOBYTE(wsa_data.wVersion) != 2 || HIBYTE(wsa_data.wVersion) != 2) + { + ::WSACleanup(); + throw Exception("Could not find a usable version of Winsock.dll"); + } + } + + static void socket_fini() + { + ::WSACleanup(); + } +#else + typedef int socket_type; + typedef ssize_t socket_op_ret_type; + static socket_type invalid_socket() { return -1; } + static void close_socket(socket_type s) { ::close(s); } + static std::string get_last_socket_error() { return ::strerror(errno); } + static bool nonblocking_connect_in_progress() { return (errno == EINPROGRESS); } + static void set_nonblocking(socket_type s) 
+ { + if(::fcntl(s, F_SETFL, O_NONBLOCK) < 0) + throw Exception("Setting socket to non-blocking state failed"); + } + + static void socket_init() {} + static void socket_fini() {} +#endif + + public: + BSD_Socket(const std::string& hostname, + const std::string& service, + std::chrono::microseconds timeout) : m_timeout(timeout) + { + socket_init(); + + m_socket = invalid_socket(); + + addrinfo hints; + ::memset(&hints, 0, sizeof(addrinfo)); + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + addrinfo* res; + + if(::getaddrinfo(hostname.c_str(), service.c_str(), &hints, &res) != 0) + { + throw Exception("Name resolution failed for " + hostname); + } + + for(addrinfo* rp = res; (m_socket == invalid_socket()) && (rp != nullptr); rp = rp->ai_next) + { + if(rp->ai_family != AF_INET && rp->ai_family != AF_INET6) + continue; + + m_socket = ::socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); + + if(m_socket == invalid_socket()) + { + // unsupported socket type? + continue; + } + + set_nonblocking(m_socket); + + int err = ::connect(m_socket, rp->ai_addr, rp->ai_addrlen); + + if(err == -1) + { + int active = 0; + if(nonblocking_connect_in_progress()) + { + struct timeval timeout = make_timeout_tv(); + fd_set write_set; + FD_ZERO(&write_set); + FD_SET(m_socket, &write_set); + + active = ::select(m_socket + 1, nullptr, &write_set, nullptr, &timeout); + + if(active) + { + int socket_error = 0; + socklen_t len = sizeof(socket_error); + + if(::getsockopt(m_socket, SOL_SOCKET, SO_ERROR, reinterpret_cast<char*>(&socket_error), &len) < 0) + throw Exception("Error calling getsockopt"); + + if(socket_error != 0) + { + active = 0; + } + } + } + + if(active == 0) + { + close_socket(m_socket); + m_socket = invalid_socket(); + continue; + } + } + } + + ::freeaddrinfo(res); + + if(m_socket == invalid_socket()) + { + throw Exception("Connecting to " + hostname + + " for service " + service + " failed"); + } + } + + ~BSD_Socket() + { + close_socket(m_socket); + 
m_socket = invalid_socket(); + socket_fini(); + } + + void write(const uint8_t buf[], size_t len) override + { + fd_set write_set; + FD_ZERO(&write_set); + FD_SET(m_socket, &write_set); + + size_t sent_so_far = 0; + while(sent_so_far != len) + { + struct timeval timeout = make_timeout_tv(); + int active = ::select(m_socket + 1, nullptr, &write_set, nullptr, &timeout); + + if(active == 0) + throw Exception("Timeout during socket write"); + + const size_t left = len - sent_so_far; + socket_op_ret_type sent = ::send(m_socket, cast_uint8_ptr_to_char(&buf[sent_so_far]), left, 0); + if(sent < 0) + throw Exception("Socket write failed with error '" + + std::string(::strerror(errno)) + "'"); + else + sent_so_far += static_cast<size_t>(sent); + } + } + + size_t read(uint8_t buf[], size_t len) override + { + fd_set read_set; + FD_ZERO(&read_set); + FD_SET(m_socket, &read_set); + + struct timeval timeout = make_timeout_tv(); + int active = ::select(m_socket + 1, &read_set, nullptr, nullptr, &timeout); + + if(active == 0) + throw Exception("Timeout during socket read"); + + socket_op_ret_type got = ::recv(m_socket, cast_uint8_ptr_to_char(buf), len, 0); + + if(got < 0) + throw Exception("Socket read failed with error '" + + std::string(::strerror(errno)) + "'"); + return static_cast<size_t>(got); + } + + private: + struct timeval make_timeout_tv() const + { + struct timeval tv; + tv.tv_sec = m_timeout.count() / 1000000; + tv.tv_usec = m_timeout.count() % 1000000; + return tv; + } + + const std::chrono::microseconds m_timeout; + socket_type m_socket; + }; + +#endif + +} + +std::unique_ptr<OS::Socket> +OS::open_socket(const std::string& hostname, + const std::string& service, + std::chrono::milliseconds timeout) + { +#if defined(BOTAN_HAS_BOOST_ASIO) + return std::unique_ptr<OS::Socket>(new Asio_Socket(hostname, service, timeout)); + +#elif defined(BOTAN_TARGET_OS_TYPE_IS_UNIX) || defined(BOTAN_TARGET_OS_TYPE_IS_WINDOWS) + return std::unique_ptr<OS::Socket>(new 
BSD_Socket(hostname, service, timeout)); + +#else + // No sockets for you + return std::unique_ptr<Socket>(); +#endif + } + +} diff --git a/src/lib/utils/http_util/socket.h b/src/lib/utils/socket/socket.h index 4961738ae..03a951478 100644 --- a/src/lib/utils/http_util/socket.h +++ b/src/lib/utils/socket/socket.h @@ -9,7 +9,8 @@ #define BOTAN_SOCKET_H_ #include <botan/types.h> -#include <functional> +#include <string> +#include <chrono> namespace Botan { @@ -54,7 +55,8 @@ class BOTAN_TEST_API Socket */ std::unique_ptr<Socket> BOTAN_TEST_API open_socket(const std::string& hostname, - const std::string& service); + const std::string& service, + std::chrono::milliseconds timeout); } // OS } // Botan diff --git a/src/lib/x509/ocsp.cpp b/src/lib/x509/ocsp.cpp index cf0c1064b..6d8d66687 100644 --- a/src/lib/x509/ocsp.cpp +++ b/src/lib/x509/ocsp.cpp @@ -283,7 +283,8 @@ Certificate_Status_Code Response::status_for(const X509_Certificate& issuer, Response online_check(const X509_Certificate& issuer, const BigInt& subject_serial, const std::string& ocsp_responder, - Certificate_Store* trusted_roots) + Certificate_Store* trusted_roots, + std::chrono::milliseconds timeout) { if(ocsp_responder.empty()) throw Invalid_Argument("No OCSP responder specified"); @@ -292,7 +293,9 @@ Response online_check(const X509_Certificate& issuer, auto http = HTTP::POST_sync(ocsp_responder, "application/ocsp-request", - req.BER_encode()); + req.BER_encode(), + 1, + timeout); http.throw_unless_ok(); @@ -312,7 +315,8 @@ Response online_check(const X509_Certificate& issuer, Response online_check(const X509_Certificate& issuer, const X509_Certificate& subject, - Certificate_Store* trusted_roots) + Certificate_Store* trusted_roots, + std::chrono::milliseconds timeout) { if(subject.issuer_dn() != issuer.subject_dn()) throw Invalid_Argument("Invalid cert pair to OCSP::online_check (mismatched issuer,subject args?)"); 
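Review bot: Asio_Socket::write in the new socket.cpp still has a debugging call in its completion handler, `printf("wrote %d\n", got);`, which makes the library print to stdout on every request and passes a `size_t` to `%d`; the handler should reduce to `[&ec](boost::system::error_code e, size_t) { ec = e; }`. In BSD_Socket, `write()` and `read()` format failures with `::strerror(errno)` although the class defines `get_last_socket_error()` for this purpose, and on the Windows branch Winsock reports errors through `WSAGetLastError()` rather than `errno`. The `select()` calls use `FD_SET(m_socket, ...)` without comparing the descriptor to `FD_SETSIZE`, which on the Unix branch is undefined behaviour once the process holds enough open descriptors; rejecting such a descriptor right after `::socket()` (closing it and moving to the next address) or switching to `poll()` avoids that. The constructor can throw from `set_nonblocking()` or from the `getsockopt` check while `res` and `m_socket` are live, and because the destructor does not run for a failed constructor both leak, as does the `socket_init()` call when `getaddrinfo` fails. Name resolution (`getaddrinfo`, `resolver.resolve`) is synchronous in both implementations, so the timeout added here does not bound it.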
@@ -320,7 +324,8 @@ Response online_check(const X509_Certificate& issuer, return online_check(issuer, BigInt::decode(subject.serial_number()), subject.ocsp_responder(), - trusted_roots); + trusted_roots, + timeout); } #endif diff --git a/src/lib/x509/ocsp.h b/src/lib/x509/ocsp.h index 33177dc59..1b780d63f 100644 --- a/src/lib/x509/ocsp.h +++ b/src/lib/x509/ocsp.h @@ -11,6 +11,7 @@ #include <botan/cert_status.h> #include <botan/ocsp_types.h> #include <botan/x509_dn.h> +#include <chrono> namespace Botan { @@ -164,23 +165,35 @@ class BOTAN_PUBLIC_API(2,0) Response final #if defined(BOTAN_HAS_HTTP_UTIL) +/** +* Makes an online OCSP request via HTTP and returns the OCSP response. +* @param issuer issuer certificate +* @param subject_serial the subject's serial number +* @param ocsp_responder the OCSP responder to query +* @param trusted_roots trusted roots for the OCSP response +* @param timeout a timeout on the HTTP request +* @return OCSP response +*/ BOTAN_PUBLIC_API(2,1) Response online_check(const X509_Certificate& issuer, const BigInt& subject_serial, const std::string& ocsp_responder, - Certificate_Store* trusted_roots); + Certificate_Store* trusted_roots, + std::chrono::milliseconds timeout = std::chrono::milliseconds(3000)); /** * Makes an online OCSP request via HTTP and returns the OCSP response. * @param issuer issuer certificate * @param subject subject certificate * @param trusted_roots trusted roots for the OCSP response +* @param timeout a timeout on the HTTP request * @return OCSP response */ BOTAN_PUBLIC_API(2,0) Response online_check(const X509_Certificate& issuer, const X509_Certificate& subject, - Certificate_Store* trusted_roots); + Certificate_Store* trusted_roots, + std::chrono::milliseconds timeout = std::chrono::milliseconds(3000)); #endif diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp index 11bcdbb12..237ac33a5 100644 --- a/src/lib/x509/x509path.cpp +++ b/src/lib/x509/x509path.cpp 
@@ -320,7 +320,9 @@ PKIX::check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate auto http = HTTP::POST_sync(subject->ocsp_responder(), "application/ocsp-request", - req.BER_encode()); + req.BER_encode(), + /*redirects*/1, + timeout); http.throw_unless_ok(); // Check the MIME type? @@ -330,30 +332,11 @@ PKIX::check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate } } - std::vector<std::shared_ptr<const OCSP::Response>> ocsp_responses(ocsp_response_futures.size()); + std::vector<std::shared_ptr<const OCSP::Response>> ocsp_responses; - for(size_t pass = 1; pass < 3; ++pass) + for(size_t i = 0; i < ocsp_response_futures.size(); ++i) { - for(size_t i = 0; i < ocsp_response_futures.size(); ++i) - { - try - { - if(ocsp_responses[i] == nullptr && ocsp_response_futures[i].valid()) - { - std::future_status status = ocsp_response_futures[i].wait_for(timeout); - - if(status == std::future_status::ready || - status == std::future_status::deferred) - { - ocsp_responses[i] = ocsp_response_futures[i].get(); - } - } - } - catch(std::exception&) - { - // value is default initialized to null, no need to do anything - } - } + ocsp_responses.push_back(ocsp_response_futures[i].get()); } return PKIX::check_ocsp(cert_path, ocsp_responses, trusted_certstores, ref_time); diff --git a/src/lib/x509/x509path.h b/src/lib/x509/x509path.h index 17932c871..6898d0679 100644 --- a/src/lib/x509/x509path.h +++ b/src/lib/x509/x509path.h 
@@ -207,7 +207,7 @@ Path_Validation_Result BOTAN_PUBLIC_API(2,0) x509_path_validate( * @param hostname if not empty, compared against the DNS name in end_cert * @param usage if not set to UNSPECIFIED, compared against the key usage in end_cert * @param validation_time what reference time to use for validation -* @param ocsp_timeout timeoutput for OCSP operations, 0 disables OCSP check +* @param ocsp_timeout timeout for OCSP operations, 0 disables OCSP check * @param ocsp_resp additional OCSP responses to consider (eg from peer) * @return result of the path validation */ @@ -251,7 +251,7 @@ Path_Validation_Result BOTAN_PUBLIC_API(2,0) x509_path_validate( * @param hostname if not empty, compared against the DNS name in end_certs[0] * @param usage if not set to UNSPECIFIED, compared against the key usage in end_certs[0] * @param validation_time what reference time to use for validation -* @param ocsp_timeout timeoutput for OCSP operations, 0 disables OCSP check +* @param ocsp_timeout timeout for OCSP operations, 0 disables OCSP check * @param ocsp_resp additional OCSP responses to consider (eg from peer) * @return result of the path validation */ diff --git a/src/scripts/ci_build.py b/src/scripts/ci_build.py index 011e9b3fc..69617dee0 100755 --- a/src/scripts/ci_build.py +++ b/src/scripts/ci_build.py @@ -71,7 +71,7 @@ def determine_flags(target, target_os, target_cpu, target_cc, cc_bin, ccache, ro if target in ['mini-static', 'mini-shared']: flags += ['--minimized-build', '--enable-modules=system_rng,sha2_32,sha2_64,aes'] - if target == 'shared': + if target == 'shared' and target_os != 'osx': # Enabling amalgamation build for shared is somewhat arbitrary, but we want to test it # somewhere. In addition the majority of the Windows builds are shared, and MSVC is # much faster compiling via the amalgamation than individual files. |