17011479145

Committed 16 Aug 2025 06:17PM UTC coverage: 90.648% (-0.004%) from 90.652%

Build # 17011479145

Build Type

Pull #4660

github

Committed by

web-flow

Commit Message

Merge 1b0477060 into a2a0b43c3

Pull Request Pull Request #4660: Consolidation and Enhancement of BSD Socket Layer

Run Details

100083 of 110409 relevant lines covered (90.65%)

12305774.18 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

70.14

/src/cli/tls_client.cpp

/*
* (C) 2014,2015 Jack Lloyd
*     2016 Matthias Gierlings
*     2017 René Korthaus, Rohde & Schwarz Cybersecurity
*     2022 René Meusel, Hannes Rantzsch - neXenio GmbH
*     2023 René Meusel, Rohde & Schwarz Cybersecurity
*     2025 Kagan Can Sit
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include "cli.h"

#include <botan/internal/target_info.h>

#if defined(BOTAN_HAS_TLS) && defined(BOTAN_TARGET_OS_HAS_FILESYSTEM) && defined(BOTAN_TARGET_OS_HAS_SOCKETS)

   #include <botan/hex.h>
   #include <botan/ocsp.h>
   #include <botan/tls_callbacks.h>
   #include <botan/tls_client.h>
   #include <botan/tls_exceptn.h>
   #include <botan/tls_policy.h>
   #include <botan/tls_session_manager_memory.h>
   #include <botan/x509path.h>
   #include <fstream>

   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
      #include <botan/tls_session_manager_sqlite.h>
   #endif

   #include <memory>
   #include <string>

   #include "tls_helpers.h"
   #include <botan/internal/socket_platform.h>
   #include <botan/internal/stl_util.h>

namespace Botan_CLI {

class TLS_Client;

namespace {

class Callbacks : public Botan::TLS::Callbacks {
   public:
      explicit Callbacks(TLS_Client& client_command) : m_client_command(client_command), m_peer_closed(false) {}

      std::ostream& output();
      bool flag_set(const std::string& flag_name) const;
      std::string get_arg(const std::string& arg_name) const;
      void send(std::span<const uint8_t> buffer);

      bool peer_closed() const { return m_peer_closed; }

      void tls_verify_cert_chain(const std::vector<Botan::X509_Certificate>& cert_chain,
                                 const std::vector<std::optional<Botan::OCSP::Response>>& ocsp,
                                 const std::vector<Botan::Certificate_Store*>& trusted_roots,
                                 Botan::Usage_Type usage,
                                 std::string_view hostname,
                                 const Botan::TLS::Policy& policy) override {
         if(cert_chain.empty()) {
            throw Botan::Invalid_Argument("Certificate chain was empty");
         }

         Botan::Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(),
                                                          policy.minimum_signature_strength());

         auto ocsp_timeout = std::chrono::milliseconds(1000);

         const std::string checked_name = flag_set("skip-hostname-check") ? "" : std::string(hostname);

         Botan::Path_Validation_Result result = Botan::x509_path_validate(
            cert_chain, restrictions, trusted_roots, checked_name, usage, tls_current_timestamp(), ocsp_timeout, ocsp);

         if(result.successful_validation()) {
            output() << "Certificate validation status: " << result.result_string() << "\n";
            const auto& status = result.all_statuses();

            if(!status.empty() && status[0].contains(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD)) {
               output() << "Valid OCSP response for this server\n";
            }
         } else {
            if(flag_set("ignore-cert-error")) {
               output() << "Certificate validation status: " << result.result_string() << "\n";
            } else {
               throw Botan::TLS::TLS_Exception(Botan::TLS::Alert::BadCertificate,
                                               "Certificate validation failure: " + result.result_string());
            }
         }
      }

      void tls_verify_raw_public_key(const Botan::Public_Key& raw_public_key,
                                     Botan::Usage_Type /* usage */,
                                     std::string_view /* hostname */,
                                     const Botan::TLS::Policy& /* policy */) override {
         const auto fingerprint = raw_public_key.fingerprint_public("SHA-256");
         const auto trusted = (fingerprint == get_arg("trusted-pubkey-sha256"));
         output() << "Raw Public Key (" << fingerprint
                  << ") validation status: " << (trusted ? "trusted" : "NOT trusted") << "\n";
      }

      void tls_session_activated() override { output() << "Handshake complete\n"; }

      void tls_session_established(const Botan::TLS::Session_Summary& session) override {
         output() << "Handshake complete, " << session.version().to_string() << "\n";

         if(const auto& psk = session.external_psk_identity()) {
            output() << "Utilized PSK identity: " << maybe_hex_encode(psk.value()) << "\n";
         }

         output() << "Negotiated ciphersuite " << session.ciphersuite().to_string() << "\n";

         if(auto kex_params = session.kex_parameters()) {
            output() << "Key exchange using " << *kex_params << "\n";
         }

         if(const auto& session_id = session.session_id(); !session_id.empty()) {
            output() << "Session ID " << Botan::hex_encode(session_id.get()) << "\n";
         }

         if(const auto& session_ticket = session.session_ticket()) {
            output() << "Session ticket " << Botan::hex_encode(session_ticket->get()) << "\n";
         }

         if(flag_set("print-certs")) {
            const std::vector<Botan::X509_Certificate>& certs = session.peer_certs();

            for(size_t i = 0; i != certs.size(); ++i) {
               output() << "Certificate " << i + 1 << "/" << certs.size() << "\n";
               output() << certs[i].to_string();
               output() << certs[i].PEM_encode();
            }
         }
         output() << std::flush;
      }

      void tls_emit_data(std::span<const uint8_t> buf) override {
         if(flag_set("debug")) {
            output() << "<< " << Botan::hex_encode(buf) << "\n";
         }

         send(buf);
      }

      void tls_alert(Botan::TLS::Alert alert) override { output() << "Alert: " << alert.type_string() << "\n"; }

      void tls_record_received(uint64_t /*seq_no*/, std::span<const uint8_t> buf) override {
         for(const auto c : buf) {
            output() << c;
         }
         output() << std::flush;
      }

      std::vector<uint8_t> tls_sign_message(const Botan::Private_Key& key,
                                            Botan::RandomNumberGenerator& rng,
                                            const std::string_view padding,
                                            Botan::Signature_Format format,
                                            const std::vector<uint8_t>& msg) override {
         output() << "Performing client authentication\n";
         return Botan::TLS::Callbacks::tls_sign_message(key, rng, padding, format, msg);
      }

      bool tls_peer_closed_connection() override {
         m_peer_closed = true;
         return Botan::TLS::Callbacks::tls_peer_closed_connection();
      }

   private:
      TLS_Client& m_client_command;
      bool m_peer_closed;
};

}  // namespace

class TLS_Client final : public Command {
   public:
      TLS_Client() :
            Command(
               "tls_client host --port=443 --print-certs --policy=default "
               "--skip-system-cert-store --trusted-cas= --trusted-pubkey-sha256= "
               "--skip-hostname-check --ignore-cert-error "
               "--tls-version=default --session-db= --session-db-pass= "
               "--next-protocols= --type=tcp --client-cert= --client-cert-key= "
               "--psk= --psk-identity= --psk-prf=SHA-256 --debug") {
         Botan::OS::Socket_Platform::socket_init();
      }

      ~TLS_Client() override { Botan::OS::Socket_Platform::socket_fini(); }

      TLS_Client(const TLS_Client& other) = delete;
      TLS_Client(TLS_Client&& other) = delete;
      TLS_Client& operator=(const TLS_Client& other) = delete;
      TLS_Client& operator=(TLS_Client&& other) = delete;

      std::string group() const override { return "tls"; }

      std::string description() const override { return "Connect to a host using TLS/DTLS"; }

      void go() override {
         std::shared_ptr<Botan::TLS::Session_Manager> session_mgr;

         auto callbacks = std::make_shared<Callbacks>(*this);

         const std::string sessions_db = get_arg("session-db");
         const std::string host = get_arg("host");
         const uint16_t port = get_arg_u16("port");
         const std::string transport = get_arg("type");
         const std::string next_protos = get_arg("next-protocols");
         const bool use_system_cert_store = !flag_set("skip-system-cert-store");
         const std::string trusted_CAs = get_arg("trusted-cas");
         const auto tls_version = get_arg("tls-version");

         if(!sessions_db.empty()) {
   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
            const std::string sessions_passphrase = get_passphrase_arg("Session DB passphrase", "session-db-pass");
            session_mgr =
               std::make_shared<Botan::TLS::Session_Manager_SQLite>(sessions_passphrase, rng_as_shared(), sessions_db);
   #else
            error_output() << "Ignoring session DB file, sqlite not enabled\n";
   #endif
         }

         if(!session_mgr) {
            session_mgr = std::make_shared<Botan::TLS::Session_Manager_In_Memory>(rng_as_shared());
         }

         auto policy = load_tls_policy(get_arg("policy"));

         if(transport != "tcp" && transport != "udp") {
            throw CLI_Usage_Error("Invalid transport type '" + transport + "' for TLS");
         }

         const std::vector<std::string> protocols_to_offer = Command::split_on(next_protos, ',');

         if(!policy) {
            policy = std::make_shared<Botan::TLS::Policy>();
         }

         const bool use_tcp = (transport == "tcp");
         Botan::TLS::Protocol_Version version = policy->latest_supported_version(!use_tcp);

         if(tls_version != "default") {
            if(tls_version == "1.2") {
               version = use_tcp ? Botan::TLS::Protocol_Version::TLS_V12 : Botan::TLS::Protocol_Version::DTLS_V12;
            } else if(tls_version == "1.3") {
               version = use_tcp ? Botan::TLS::Protocol_Version::TLS_V13 : Botan::TLS::Protocol_Version::DTLS_V13;
            } else {
               error_output() << "Unknown TLS protocol version " << tls_version << '\n';
            }
         }

         m_sockfd = connect_to_host(host, port, use_tcp);

         const auto client_crt_path = get_arg_maybe("client-cert");
         const auto client_key_path = get_arg_maybe("client-cert-key");

         auto psk = [this]() -> std::optional<Botan::secure_vector<uint8_t>> {
            auto psk_hex = get_arg_maybe("psk");
            if(psk_hex) {
               return Botan::hex_decode_locked(psk_hex.value());
            } else {
               return {};
            }
         }();
         const std::optional<std::string> psk_identity = get_arg_maybe("psk-identity");
         const std::optional<std::string> psk_prf = get_arg_maybe("psk-prf");

         auto creds = std::make_shared<Basic_Credentials_Manager>(use_system_cert_store,
                                                                  trusted_CAs,
                                                                  client_crt_path,
                                                                  client_key_path,
                                                                  std::move(psk),
                                                                  psk_identity,
                                                                  psk_prf);

         Botan::TLS::Client client(callbacks,
                                   session_mgr,
                                   creds,
                                   policy,
                                   rng_as_shared(),
                                   Botan::TLS::Server_Information(host, port),
                                   version,
                                   protocols_to_offer);

         bool first_active = true;
         bool we_closed = false;

         while(!client.is_closed()) {
            fd_set readfds;
            FD_ZERO(&readfds);
            FD_SET(m_sockfd, &readfds);

            if(client.is_active()) {
               FD_SET(STDIN_FILENO, &readfds);
               if(first_active && !protocols_to_offer.empty()) {
                  std::string app = client.application_protocol();
                  if(!app.empty()) {
                     output() << "Server choose protocol: " << client.application_protocol() << "\n";
                  }
                  first_active = false;
               }
            }

            struct timeval timeout = {1, 0};

            ::select(static_cast<int>(m_sockfd + 1), &readfds, nullptr, nullptr, &timeout);

            if(FD_ISSET(m_sockfd, &readfds)) {
               uint8_t buf[4 * 1024] = {0};

               ssize_t got = ::read(m_sockfd, buf, sizeof(buf));

               if(got == 0) {
                  output() << "EOF on socket\n";
                  break;
               } else if(got == -1) {
                  output() << "Socket error: " << errno << " " << Botan::OS::Socket_Platform::get_last_socket_error()
                           << "\n";
                  continue;
               }

               if(flag_set("debug")) {
                  output() << ">> " << Botan::hex_encode(buf, got) << "\n";
               }

               client.received_data(buf, got);
            }

            if(FD_ISSET(STDIN_FILENO, &readfds)) {
               uint8_t buf[1024] = {0};
               ssize_t got = read(STDIN_FILENO, buf, sizeof(buf));

               if(got == 0) {
                  output() << "EOF on stdin\n";
                  client.close();
                  we_closed = true;
                  break;
               } else if(got == -1) {
                  output() << "Stdin error: " << errno << " " << Botan::OS::Socket_Platform::get_last_socket_error()
                           << "\n";
                  continue;
               }

               if(got == 2 && buf[1] == '\n') {
                  char cmd = buf[0];

                  if(cmd == 'R' || cmd == 'r') {
                     output() << "Client initiated renegotiation\n";
                     client.renegotiate(cmd == 'R');
                  } else if(cmd == 'Q') {
                     output() << "Client initiated close\n";
                     client.close();
                     we_closed = true;
                  }
               } else {
                  client.send(buf, got);
               }
            }

            if(client.timeout_check()) {
               output() << "Timeout detected\n";
            }
         }

         set_return_code((we_closed || callbacks->peer_closed()) ? 0 : 1);

         ::close(m_sockfd);
      }

   public:
      using Command::flag_set;
      using Command::get_arg;
      using Command::output;

      void send(std::span<const uint8_t> buf) const {
         while(!buf.empty()) {
            ssize_t sent = ::send(m_sockfd, buf.data(), buf.size(), MSG_NOSIGNAL);

            if(sent == -1) {
               if(errno == EINTR) {
                  sent = 0;
               } else {
                  throw CLI_Error("Socket write failed errno=" + std::to_string(errno) + " - " +
                                  Botan::OS::Socket_Platform::get_last_socket_error());
               }
            }

            buf = buf.subspan(sent);
         }
      }

   private:
      using socket_type = Botan::OS::Socket_Platform::socket_type;
      using socket_op_ret_type = Botan::OS::Socket_Platform::socket_op_ret_type;
      using socklen_type = Botan::OS::Socket_Platform::socklen_type;
      using sendrecv_len_type = Botan::OS::Socket_Platform::sendrecv_len_type;

      static socket_type connect_to_host(const std::string& host, uint16_t port, bool tcp) {
         addrinfo hints{};
         std::memset(&hints, 0, sizeof(hints));
         hints.ai_family = AF_UNSPEC;
         hints.ai_socktype = tcp ? SOCK_STREAM : SOCK_DGRAM;

         Botan::OS::Socket_Platform::unique_addrinfo_ptr res = nullptr;
         if(::getaddrinfo(host.c_str(), std::to_string(port).c_str(), &hints, Botan::out_ptr(res)) != 0) {
            throw CLI_Error("getaddrinfo failed for " + host);
         }

         for(addrinfo* rp = res.get(); rp != nullptr; rp = rp->ai_next) {
            socket_type fd = ::socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);

            if(fd == Botan::OS::Socket_Platform::invalid_socket()) {
               continue;
            }

            if(::connect(fd, rp->ai_addr, rp->ai_addrlen) != 0) {
               ::close(fd);
               continue;
            }
            return fd;
         }

         throw CLI_Error("Connect failed");
      }

      static void dgram_socket_write(int sockfd, const uint8_t buf[], size_t length) {
         auto r = ::send(sockfd, buf, length, MSG_NOSIGNAL);
         if(r == -1) {
            throw CLI_Error("Socket write failed errno=" + Botan::OS::Socket_Platform::get_last_socket_error());
         }
      }

      socket_type m_sockfd = Botan::OS::Socket_Platform::invalid_socket();
};

namespace {

std::ostream& Callbacks::output() {
   return m_client_command.output();
}

bool Callbacks::flag_set(const std::string& flag_name) const {
   return m_client_command.flag_set(flag_name);
}

std::string Callbacks::get_arg(const std::string& arg_name) const {
   return m_client_command.get_arg(arg_name);
}

void Callbacks::send(std::span<const uint8_t> buffer) {
   m_client_command.send(buffer);
}

}  // namespace

BOTAN_REGISTER_COMMAND("tls_client", TLS_Client);

}  // namespace Botan_CLI

#endif

1	/*
2	* (C) 2014,2015 Jack Lloyd
3	* 2016 Matthias Gierlings
4	* 2017 René Korthaus, Rohde & Schwarz Cybersecurity
5	* 2022 René Meusel, Hannes Rantzsch - neXenio GmbH
6	* 2023 René Meusel, Rohde & Schwarz Cybersecurity
7	* 2025 Kagan Can Sit
8	*
9	* Botan is released under the Simplified BSD License (see license.txt)
10	*/
11
12	#include "cli.h"
13
14	#include <botan/internal/target_info.h>
15
16	#if defined(BOTAN_HAS_TLS) && defined(BOTAN_TARGET_OS_HAS_FILESYSTEM) && defined(BOTAN_TARGET_OS_HAS_SOCKETS)
17
18	#include <botan/hex.h>
19	#include <botan/ocsp.h>
20	#include <botan/tls_callbacks.h>
21	#include <botan/tls_client.h>
22	#include <botan/tls_exceptn.h>
23	#include <botan/tls_policy.h>
24	#include <botan/tls_session_manager_memory.h>
25	#include <botan/x509path.h>
26	#include <fstream>
27
28	#if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
29	#include <botan/tls_session_manager_sqlite.h>
30	#endif
31
32	#include <memory>
33	#include <string>
34
35	#include "tls_helpers.h"
36	#include <botan/internal/socket_platform.h>
37	#include <botan/internal/stl_util.h>
38
39	namespace Botan_CLI {
40
41	class TLS_Client;
42
43	namespace {
44
45	class Callbacks : public Botan::TLS::Callbacks {	10✔
46	public:
47	explicit Callbacks(TLS_Client& client_command) : m_client_command(client_command), m_peer_closed(false) {}	10✔
48
49	std::ostream& output();
50	bool flag_set(const std::string& flag_name) const;
51	std::string get_arg(const std::string& arg_name) const;
52	void send(std::span<const uint8_t> buffer);
53
54	bool peer_closed() const { return m_peer_closed; }	1✔
55
56	void tls_verify_cert_chain(const std::vector<Botan::X509_Certificate>& cert_chain,	7✔
57	const std::vector<std::optional<Botan::OCSP::Response>>& ocsp,
58	const std::vector<Botan::Certificate_Store*>& trusted_roots,
59	Botan::Usage_Type usage,
60	std::string_view hostname,
61	const Botan::TLS::Policy& policy) override {
62	if(cert_chain.empty()) {	7✔
63	throw Botan::Invalid_Argument("Certificate chain was empty");	×
64	}
65
66	Botan::Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(),	7✔
67	policy.minimum_signature_strength());	21✔
68
69	auto ocsp_timeout = std::chrono::milliseconds(1000);	7✔
70
71	const std::string checked_name = flag_set("skip-hostname-check") ? "" : std::string(hostname);	21✔
72
73	Botan::Path_Validation_Result result = Botan::x509_path_validate(	7✔
74	cert_chain, restrictions, trusted_roots, checked_name, usage, tls_current_timestamp(), ocsp_timeout, ocsp);	7✔
75
76	if(result.successful_validation()) {	7✔
77	output() << "Certificate validation status: " << result.result_string() << "\n";	14✔
78	const auto& status = result.all_statuses();	7✔
79
80	if(!status.empty() && status[0].contains(Botan::Certificate_Status_Code::OCSP_RESPONSE_GOOD)) {	14✔
81	output() << "Valid OCSP response for this server\n";	×
82	}
83	} else {
84	if(flag_set("ignore-cert-error")) {	×
85	output() << "Certificate validation status: " << result.result_string() << "\n";	×
86	} else {
87	throw Botan::TLS::TLS_Exception(Botan::TLS::Alert::BadCertificate,	×
88	"Certificate validation failure: " + result.result_string());	×
89	}
90	}
91	}	7✔
92
93	void tls_verify_raw_public_key(const Botan::Public_Key& raw_public_key,	×
94	Botan::Usage_Type /* usage */,
95	std::string_view /* hostname */,
96	const Botan::TLS::Policy& /* policy */) override {
97	const auto fingerprint = raw_public_key.fingerprint_public("SHA-256");	×
98	const auto trusted = (fingerprint == get_arg("trusted-pubkey-sha256"));	×
99	output() << "Raw Public Key (" << fingerprint	×
100	<< ") validation status: " << (trusted ? "trusted" : "NOT trusted") << "\n";	×
101	}	×
102
103	void tls_session_activated() override { output() << "Handshake complete\n"; }	9✔
104
105	void tls_session_established(const Botan::TLS::Session_Summary& session) override {	9✔
106	output() << "Handshake complete, " << session.version().to_string() << "\n";	18✔
107
108	if(const auto& psk = session.external_psk_identity()) {	9✔
109	output() << "Utilized PSK identity: " << maybe_hex_encode(psk.value()) << "\n";	6✔
110	}
111
112	output() << "Negotiated ciphersuite " << session.ciphersuite().to_string() << "\n";	18✔
113
114	if(auto kex_params = session.kex_parameters()) {	9✔
115	output() << "Key exchange using " << *kex_params << "\n";	6✔
116	}	×
117
118	if(const auto& session_id = session.session_id(); !session_id.empty()) {	9✔
119	output() << "Session ID " << Botan::hex_encode(session_id.get()) << "\n";	18✔
120	}
121
122	if(const auto& session_ticket = session.session_ticket()) {	9✔
123	output() << "Session ticket " << Botan::hex_encode(session_ticket->get()) << "\n";	×
124	}
125
126	if(flag_set("print-certs")) {	18✔
127	const std::vector<Botan::X509_Certificate>& certs = session.peer_certs();
128
129	for(size_t i = 0; i != certs.size(); ++i) {	×
130	output() << "Certificate " << i + 1 << "/" << certs.size() << "\n";	×
131	output() << certs[i].to_string();	×
132	output() << certs[i].PEM_encode();	×
133	}
134	}
135	output() << std::flush;	9✔
136	}	9✔
137
138	void tls_emit_data(std::span<const uint8_t> buf) override {	47✔
139	if(flag_set("debug")) {	94✔
140	output() << "<< " << Botan::hex_encode(buf) << "\n";	×
141	}
142
143	send(buf);	94✔
144	}	47✔
145
146	void tls_alert(Botan::TLS::Alert alert) override { output() << "Alert: " << alert.type_string() << "\n"; }	3✔
147
148	void tls_record_received(uint64_t /seq_no/, std::span<const uint8_t> buf) override {	12✔
149	for(const auto c : buf) {	2,064✔
150	output() << c;	2,052✔
151	}
152	output() << std::flush;	12✔
153	}	12✔
154
155	std::vector<uint8_t> tls_sign_message(const Botan::Private_Key& key,	×
156	Botan::RandomNumberGenerator& rng,
157	const std::string_view padding,
158	Botan::Signature_Format format,
159	const std::vector<uint8_t>& msg) override {
160	output() << "Performing client authentication\n";	×
161	return Botan::TLS::Callbacks::tls_sign_message(key, rng, padding, format, msg);	×
162	}
163
164	bool tls_peer_closed_connection() override {	×
165	m_peer_closed = true;	×
166	return Botan::TLS::Callbacks::tls_peer_closed_connection();	×
167	}
168
169	private:
170	TLS_Client& m_client_command;
171	bool m_peer_closed;
172	};
173
174	} // namespace
175
176	class TLS_Client final : public Command {
177	public:
178	TLS_Client() :	11✔
179	Command(
180	"tls_client host --port=443 --print-certs --policy=default "
181	"--skip-system-cert-store --trusted-cas= --trusted-pubkey-sha256= "
182	"--skip-hostname-check --ignore-cert-error "
183	"--tls-version=default --session-db= --session-db-pass= "
184	"--next-protocols= --type=tcp --client-cert= --client-cert-key= "
185	"--psk= --psk-identity= --psk-prf=SHA-256 --debug") {	22✔
186	Botan::OS::Socket_Platform::socket_init();	11✔
187	}	11✔
188
189	~TLS_Client() override { Botan::OS::Socket_Platform::socket_fini(); }	11✔
190
191	TLS_Client(const TLS_Client& other) = delete;
192	TLS_Client(TLS_Client&& other) = delete;
193	TLS_Client& operator=(const TLS_Client& other) = delete;
194	TLS_Client& operator=(TLS_Client&& other) = delete;
195
196	std::string group() const override { return "tls"; }	1✔
197
198	std::string description() const override { return "Connect to a host using TLS/DTLS"; }	1✔
199
200	void go() override {	10✔
201	std::shared_ptr<Botan::TLS::Session_Manager> session_mgr;	10✔
202
203	auto callbacks = std::make_shared<Callbacks>(*this);	10✔
204
205	const std::string sessions_db = get_arg("session-db");	10✔
206	const std::string host = get_arg("host");	10✔
207	const uint16_t port = get_arg_u16("port");	10✔
208	const std::string transport = get_arg("type");	10✔
209	const std::string next_protos = get_arg("next-protocols");	10✔
210	const bool use_system_cert_store = !flag_set("skip-system-cert-store");	10✔
211	const std::string trusted_CAs = get_arg("trusted-cas");	10✔
212	const auto tls_version = get_arg("tls-version");	10✔
213
214	if(!sessions_db.empty()) {	10✔
215	#if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
216	const std::string sessions_passphrase = get_passphrase_arg("Session DB passphrase", "session-db-pass");	×
217	session_mgr =	×
218	std::make_shared<Botan::TLS::Session_Manager_SQLite>(sessions_passphrase, rng_as_shared(), sessions_db);	×
219	#else
220	error_output() << "Ignoring session DB file, sqlite not enabled\n";
221	#endif
222	}	×
223
224	if(!session_mgr) {	10✔
225	session_mgr = std::make_shared<Botan::TLS::Session_Manager_In_Memory>(rng_as_shared());	30✔
226	}
227
228	auto policy = load_tls_policy(get_arg("policy"));	20✔
229
230	if(transport != "tcp" && transport != "udp") {	10✔
231	throw CLI_Usage_Error("Invalid transport type '" + transport + "' for TLS");	×
232	}
233
234	const std::vector<std::string> protocols_to_offer = Command::split_on(next_protos, ',');	10✔
235
236	if(!policy) {	10✔
237	policy = std::make_shared<Botan::TLS::Policy>();	×
238	}
239
240	const bool use_tcp = (transport == "tcp");	10✔
241	Botan::TLS::Protocol_Version version = policy->latest_supported_version(!use_tcp);	10✔
242
243	if(tls_version != "default") {	10✔
244	if(tls_version == "1.2") {	10✔
245	version = use_tcp ? Botan::TLS::Protocol_Version::TLS_V12 : Botan::TLS::Protocol_Version::DTLS_V12;	3✔
246	} else if(tls_version == "1.3") {	7✔
247	version = use_tcp ? Botan::TLS::Protocol_Version::TLS_V13 : Botan::TLS::Protocol_Version::DTLS_V13;	7✔
248	} else {
249	error_output() << "Unknown TLS protocol version " << tls_version << '\n';	×
250	}
251	}
252
253	m_sockfd = connect_to_host(host, port, use_tcp);	10✔
254
255	const auto client_crt_path = get_arg_maybe("client-cert");	10✔
256	const auto client_key_path = get_arg_maybe("client-cert-key");	10✔
257
258	auto psk = [this]() -> std::optional<Botan::secure_vector<uint8_t>> {	×
259	auto psk_hex = get_arg_maybe("psk");	10✔
260	if(psk_hex) {	10✔
261	return Botan::hex_decode_locked(psk_hex.value());	2✔
262	} else {
263	return {};	8✔
264	}
265	}();	20✔
266	const std::optional<std::string> psk_identity = get_arg_maybe("psk-identity");	10✔
267	const std::optional<std::string> psk_prf = get_arg_maybe("psk-prf");	10✔
268
269	auto creds = std::make_shared<Basic_Credentials_Manager>(use_system_cert_store,	10✔
270	trusted_CAs,
271	client_crt_path,
272	client_key_path,
273	std::move(psk),
274	psk_identity,
275	psk_prf);	10✔
276
277	Botan::TLS::Client client(callbacks,	10✔
278	session_mgr,
279	creds,
280	policy,
281	rng_as_shared(),	10✔
282	Botan::TLS::Server_Information(host, port),	10✔
283	version,
284	protocols_to_offer);	40✔
285
286	bool first_active = true;	10✔
287	bool we_closed = false;	10✔
288
289	while(!client.is_closed()) {	57✔
290	fd_set readfds;
291	FD_ZERO(&readfds);	952✔
292	FD_SET(m_sockfd, &readfds);	56✔
293
294	if(client.is_active()) {	56✔
295	FD_SET(STDIN_FILENO, &readfds);	30✔
296	if(first_active && !protocols_to_offer.empty()) {	30✔
297	std::string app = client.application_protocol();	×
298	if(!app.empty()) {	×
299	output() << "Server choose protocol: " << client.application_protocol() << "\n";	×
300	}
301	first_active = false;	×
302	}	×
303	}
304
305	struct timeval timeout = {1, 0};	56✔
306
307	::select(static_cast<int>(m_sockfd + 1), &readfds, nullptr, nullptr, &timeout);	56✔
308
309	if(FD_ISSET(m_sockfd, &readfds)) {	56✔
310	uint8_t buf[4 * 1024] = {0};	40✔
311
312	ssize_t got = ::read(m_sockfd, buf, sizeof(buf));	40✔
313
314	if(got == 0) {	40✔
315	output() << "EOF on socket\n";	×
316	break;	×
317	} else if(got == -1) {	40✔
318	output() << "Socket error: " << errno << " " << Botan::OS::Socket_Platform::get_last_socket_error()	×
319	<< "\n";	×
320	continue;	×
321	}
322
323	if(flag_set("debug")) {	40✔
324	output() << ">> " << Botan::hex_encode(buf, got) << "\n";	×
325	}
326
327	client.received_data(buf, got);	40✔
328	}
329
330	if(FD_ISSET(STDIN_FILENO, &readfds)) {	56✔
331	uint8_t buf[1024] = {0};	18✔
332	ssize_t got = read(STDIN_FILENO, buf, sizeof(buf));	18✔
333
334	if(got == 0) {	18✔
335	output() << "EOF on stdin\n";	9✔
336	client.close();	9✔
337	we_closed = true;	9✔
338	break;	9✔
339	} else if(got == -1) {	9✔
340	output() << "Stdin error: " << errno << " " << Botan::OS::Socket_Platform::get_last_socket_error()	×
341	<< "\n";	×
342	continue;	×
343	}
344
345	if(got == 2 && buf[1] == '\n') {	9✔
346	char cmd = buf[0];	×
347
348	if(cmd == 'R' \|\| cmd == 'r') {	×
349	output() << "Client initiated renegotiation\n";	×
350	client.renegotiate(cmd == 'R');	×
351	} else if(cmd == 'Q') {	×
352	output() << "Client initiated close\n";	×
353	client.close();	×
354	we_closed = true;
355	}
356	} else {
357	client.send(buf, got);	9✔
358	}
359	}
360
361	if(client.timeout_check()) {	47✔
362	output() << "Timeout detected\n";	×
363	}
364	}
365
366	set_return_code((we_closed \|\| callbacks->peer_closed()) ? 0 : 1);	19✔
367
368	::close(m_sockfd);	10✔
369	}	62✔
370
371	public:
372	using Command::flag_set;
373	using Command::get_arg;
374	using Command::output;
375
376	void send(std::span<const uint8_t> buf) const {	47✔
377	while(!buf.empty()) {	94✔
378	ssize_t sent = ::send(m_sockfd, buf.data(), buf.size(), MSG_NOSIGNAL);	47✔
379
380	if(sent == -1) {	47✔
381	if(errno == EINTR) {	×
382	sent = 0;
383	} else {
384	throw CLI_Error("Socket write failed errno=" + std::to_string(errno) + " - " +	×
385	Botan::OS::Socket_Platform::get_last_socket_error());	×
386	}
387	}
388
389	buf = buf.subspan(sent);	47✔
390	}
391	}	47✔
392
393	private:
394	using socket_type = Botan::OS::Socket_Platform::socket_type;
395	using socket_op_ret_type = Botan::OS::Socket_Platform::socket_op_ret_type;
396	using socklen_type = Botan::OS::Socket_Platform::socklen_type;
397	using sendrecv_len_type = Botan::OS::Socket_Platform::sendrecv_len_type;
398
399	static socket_type connect_to_host(const std::string& host, uint16_t port, bool tcp) {	10✔
400	addrinfo hints{};	10✔
401	std::memset(&hints, 0, sizeof(hints));	10✔
402	hints.ai_family = AF_UNSPEC;	10✔
403	hints.ai_socktype = tcp ? SOCK_STREAM : SOCK_DGRAM;	10✔
404
405	Botan::OS::Socket_Platform::unique_addrinfo_ptr res = nullptr;	10✔
406	if(::getaddrinfo(host.c_str(), std::to_string(port).c_str(), &hints, Botan::out_ptr(res)) != 0) {	10✔
407	throw CLI_Error("getaddrinfo failed for " + host);	×
408	}
409
410	for(addrinfo* rp = res.get(); rp != nullptr; rp = rp->ai_next) {	20✔
411	socket_type fd = ::socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);	20✔
412
413	if(fd == Botan::OS::Socket_Platform::invalid_socket()) {	20✔
414	continue;	×
415	}
416
417	if(::connect(fd, rp->ai_addr, rp->ai_addrlen) != 0) {	20✔
418	::close(fd);	10✔
419	continue;	10✔
420	}
421	return fd;	10✔
422	}
423
424	throw CLI_Error("Connect failed");	×
425	}	10✔
426
427	static void dgram_socket_write(int sockfd, const uint8_t buf[], size_t length) {
428	auto r = ::send(sockfd, buf, length, MSG_NOSIGNAL);
429	if(r == -1) {
430	throw CLI_Error("Socket write failed errno=" + Botan::OS::Socket_Platform::get_last_socket_error());
431	}
432	}
433
434	socket_type m_sockfd = Botan::OS::Socket_Platform::invalid_socket();
435	};
436
437	namespace {
438
439	std::ostream& Callbacks::output() {	2,125✔
440	return m_client_command.output();	2,125✔
441	}
442
443	bool Callbacks::flag_set(const std::string& flag_name) const {	63✔
444	return m_client_command.flag_set(flag_name);	63✔
445	}
446
447	std::string Callbacks::get_arg(const std::string& arg_name) const {	×
448	return m_client_command.get_arg(arg_name);	×
449	}
450
451	void Callbacks::send(std::span<const uint8_t> buffer) {	47✔
452	m_client_command.send(buffer);	47✔
453	}
454
455	} // namespace
456
457	BOTAN_REGISTER_COMMAND("tls_client", TLS_Client);	11✔
458
459	} // namespace Botan_CLI
460
461	#endif

randombit / botan / 17011479145

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous