20579846577

Committed 29 Dec 2025 06:24PM UTC coverage: 90.415% (+0.2%) from 90.243%

Build # 20579846577

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #5167 from randombit/jack/src-size-reductions

Changes to reduce unnecessary inclusions

Run Details

101523 of 112285 relevant lines covered (90.42%)

12817276.56 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

84.09

/src/cli/tls_proxy.cpp

/*
* TLS Server Proxy
* (C) 2014,2015,2019 Jack Lloyd
* (C) 2016 Matthias Gierlings
* (C) 2023 René Meusel, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include "cli.h"

#if defined(BOTAN_HAS_TLS) && defined(BOTAN_HAS_BOOST_ASIO) && defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)

   #include <atomic>
   #include <iostream>
   #include <string>
   #include <thread>
   #include <utility>
   #include <vector>

   #include <boost/asio.hpp>
   #include <boost/bind.hpp>

   #include <botan/hex.h>
   #include <botan/pkcs8.h>
   #include <botan/rng.h>
   #include <botan/tls_callbacks.h>
   #include <botan/tls_server.h>
   #include <botan/tls_session_manager_memory.h>
   #include <botan/x509cert.h>

   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
      #include <botan/tls_session_manager_sqlite.h>
   #endif

   #if defined(BOTAN_HAS_OS_UTILS)
      #include <botan/internal/os_utils.h>
   #endif

   #include "tls_helpers.h"

namespace Botan_CLI {

namespace {

// NOLINTBEGIN(*-avoid-endl,*-avoid-bind)

using boost::asio::ip::tcp;

template <typename T>
boost::asio::io_context& get_io_service(T& s) {
   #if BOOST_VERSION >= 107000
   //NOLINTNEXTLINE(*-type-static-cast-downcast)
   return static_cast<boost::asio::io_context&>((s).get_executor().context());
   #else
   return s.get_io_service();
   #endif
}

void log_info(const std::string& msg) {
   std::cout << msg << std::endl;
}

void log_exception(const char* where, const std::exception& e) {
   std::cout << where << ' ' << e.what() << std::endl;
}

void log_error(const char* where, const boost::system::error_code& error) {
   std::cout << where << ' ' << error.message() << std::endl;
}

void log_error(const char* msg) {
   std::cout << msg << std::endl;
}

void log_binary_message(const char* where, const uint8_t buf[], size_t buf_len) {
   BOTAN_UNUSED(where, buf, buf_len);
   //std::cout << where << ' ' << Botan::hex_encode(buf, buf_len) << std::endl;
}

void log_text_message(const char* where, const uint8_t buf[], size_t buf_len) {
   BOTAN_UNUSED(where, buf, buf_len);
   //const char* c = reinterpret_cast<const char*>(buf);
   //std::cout << where << ' ' << std::string(c, c + buf_len)  << std::endl;
}

class ServerStatus {
   public:
      explicit ServerStatus(size_t max_clients) : m_max_clients(max_clients), m_clients_serviced(0) {}

      bool should_exit() const {
         if(m_max_clients == 0) {
            return false;
         }

         return clients_serviced() >= m_max_clients;
      }

      void client_serviced() { m_clients_serviced++; }

      size_t clients_serviced() const { return m_clients_serviced.load(); }

   private:
      size_t m_max_clients;
      std::atomic<size_t> m_clients_serviced;
};

class tls_proxy_session final : public std::enable_shared_from_this<tls_proxy_session>,
                                public Botan::TLS::Callbacks {
   public:
      static constexpr size_t readbuf_size = 17 * 1024;

      typedef std::shared_ptr<tls_proxy_session> pointer;

      static pointer create(boost::asio::io_context& io,
                            const std::shared_ptr<Botan::TLS::Session_Manager>& session_manager,
                            const std::shared_ptr<Botan::Credentials_Manager>& credentials,
                            const std::shared_ptr<Botan::TLS::Policy>& policy,
                            const tcp::resolver::results_type& endpoints) {
         auto session = std::make_shared<tls_proxy_session>(io, endpoints);

         // Defer the setup of the TLS server to make use of
         // shared_from_this() which wouldn't work in the c'tor.
         session->setup(session_manager, credentials, policy);

         return session;
      }

      tcp::socket& client_socket() { return m_client_socket; }

      void start() {
         m_c2p.resize(readbuf_size);
         client_read(boost::system::error_code(), 0);  // start read loop
      }

      void stop() {
         if(!m_is_closed) {
            /*
            Don't need to talk to the server anymore
            Client socket is closed during write callback
            */
            m_server_socket.close();
            m_tls->close();

            // Need to explicitly destroy the TLS::Server object to break the
            // circular ownership of shared_from_this() and the shared_ptr of
            // this kept inside the TLS::Channel.
            m_tls.reset();
            m_is_closed = true;
         }
      }

      tls_proxy_session(boost::asio::io_context& io, tcp::resolver::results_type endpoints) :
            m_strand(io),
            m_server_endpoints(std::move(endpoints)),
            m_client_socket(io),
            m_server_socket(io),
            m_rng(cli_make_rng()) {}

   private:
      void setup(const std::shared_ptr<Botan::TLS::Session_Manager>& session_manager,
                 const std::shared_ptr<Botan::Credentials_Manager>& credentials,
                 const std::shared_ptr<Botan::TLS::Policy>& policy) {
         m_tls = std::make_unique<Botan::TLS::Server>(shared_from_this(), session_manager, credentials, policy, m_rng);
      }

      void client_read(const boost::system::error_code& error, size_t bytes_transferred) {
         if(error) {
            log_error("Read failed", error);
            stop();
            return;
         }

         if(m_is_closed) {
            log_error("Received client data after close");
            return;
         }

         try {
            if(!m_tls->is_active()) {
               log_binary_message("From client", m_c2p.data(), bytes_transferred);
            }
            m_tls->received_data(m_c2p.data(), bytes_transferred);
         } catch(Botan::Exception& e) {
            log_exception("TLS connection failed", e);
            stop();
            return;
         }

         m_client_socket.async_read_some(
            boost::asio::buffer(m_c2p),
            boost::asio::bind_executor(
               m_strand, [self = shared_from_this()](const boost::system::error_code& ec, std::size_t bytes) {
                  self->client_read(ec, bytes);
               }));
      }

      void handle_client_write_completion(const boost::system::error_code& error) {
         if(error) {
            log_error("Client write", error);
            stop();
            return;
         }

         m_p2c.clear();

         if(m_p2c_pending.empty() && (!m_tls || m_tls->is_closed())) {
            m_client_socket.close();
         }
         tls_emit_data({});  // initiate another write if needed
      }

      void handle_server_write_completion(const boost::system::error_code& error) {
         if(error) {
            log_error("Server write", error);
            stop();
            return;
         }

         m_p2s.clear();
         proxy_write_to_server({});  // initiate another write if needed
      }

      void tls_record_received(uint64_t /*rec_no*/, std::span<const uint8_t> buf) override {
         // Immediately bounce message to server
         proxy_write_to_server(buf);
      }

      void tls_emit_data(std::span<const uint8_t> buf) override {
         if(!buf.empty()) {
            m_p2c_pending.insert(m_p2c_pending.end(), buf.begin(), buf.end());
         }

         // no write now active and we still have output pending
         if(m_p2c.empty() && !m_p2c_pending.empty()) {
            std::swap(m_p2c_pending, m_p2c);

            log_binary_message("To Client", m_p2c.data(), m_p2c.size());

            boost::asio::async_write(
               m_client_socket,
               boost::asio::buffer(m_p2c),
               boost::asio::bind_executor(
                  m_strand, [self = shared_from_this()](const boost::system::error_code& ec, std::size_t /*bytes*/) {
                     self->handle_client_write_completion(ec);
                  }));
         }
      }

      void proxy_write_to_server(std::span<const uint8_t> buf) {
         if(!buf.empty()) {
            m_p2s_pending.insert(m_p2s_pending.end(), buf.begin(), buf.end());
         }

         // no write now active and we still have output pending
         if(m_p2s.empty() && !m_p2s_pending.empty()) {
            std::swap(m_p2s_pending, m_p2s);

            log_text_message("To Server", m_p2s.data(), m_p2s.size());

            boost::asio::async_write(
               m_server_socket,
               boost::asio::buffer(m_p2s),
               boost::asio::bind_executor(
                  m_strand, [self = shared_from_this()](const boost::system::error_code& ec, std::size_t /*bytes*/) {
                     self->handle_server_write_completion(ec);
                  }));
         }
      }

      void server_read(const boost::system::error_code& error, size_t bytes_transferred) {
         if(error) {
            log_error("Server read failed", error);
            stop();
            return;
         }

         try {
            if(bytes_transferred > 0) {
               log_text_message("Server to client", m_s2p.data(), m_s2p.size());
               log_binary_message("Server to client", m_s2p.data(), m_s2p.size());
               m_tls->send(m_s2p.data(), bytes_transferred);
            }
         } catch(Botan::Exception& e) {
            log_exception("TLS connection failed", e);
            stop();
            return;
         }

         m_s2p.resize(readbuf_size);

         m_server_socket.async_read_some(
            boost::asio::buffer(m_s2p),
            boost::asio::bind_executor(
               m_strand, [self = shared_from_this()](const boost::system::error_code& ec, std::size_t bytes) {
                  self->server_read(ec, bytes);
               }));
      }

      void tls_session_activated() override {
         auto onConnect = [self = weak_from_this()](boost::system::error_code ec,
                                                    const tcp::resolver::results_type::iterator& /*endpoint*/) {
            if(ec) {
               log_error("Server connection", ec);
               return;
            }

            if(auto ptr = self.lock()) {
               ptr->server_read(boost::system::error_code(), 0);  // start read loop
               ptr->proxy_write_to_server({});
            } else {
               log_error("Server connection established, but client session already closed");
               return;
            }
         };
         async_connect(m_server_socket, m_server_endpoints.begin(), m_server_endpoints.end(), onConnect);
      }

      void tls_session_established(const Botan::TLS::Session_Summary& session) override {
         m_hostname = session.server_info().hostname();
      }

      void tls_alert(Botan::TLS::Alert alert) override {
         if(alert.type() == Botan::TLS::Alert::CloseNotify) {
            m_tls->close();
            return;
         }
      }

      boost::asio::io_context::strand m_strand;

      tcp::resolver::results_type m_server_endpoints;

      tcp::socket m_client_socket;
      tcp::socket m_server_socket;

      std::shared_ptr<Botan::RandomNumberGenerator> m_rng;
      std::unique_ptr<Botan::TLS::Server> m_tls;
      std::string m_hostname;

      std::vector<uint8_t> m_c2p;
      std::vector<uint8_t> m_p2c;
      std::vector<uint8_t> m_p2c_pending;

      std::vector<uint8_t> m_s2p;
      std::vector<uint8_t> m_p2s;
      std::vector<uint8_t> m_p2s_pending;

      bool m_is_closed = false;
};

class tls_proxy_server final {
   public:
      typedef tls_proxy_session session;

      tls_proxy_server(boost::asio::io_context& io,
                       unsigned short port,
                       tcp::resolver::results_type endpoints,
                       std::shared_ptr<Botan::Credentials_Manager> creds,
                       std::shared_ptr<Botan::TLS::Policy> policy,
                       std::shared_ptr<Botan::TLS::Session_Manager> session_mgr,
                       size_t max_clients) :
            m_acceptor(io, tcp::endpoint(tcp::v4(), port)),
            m_server_endpoints(std::move(endpoints)),
            m_creds(std::move(creds)),
            m_policy(std::move(policy)),
            m_session_manager(std::move(session_mgr)),
            m_status(max_clients) {
         log_info("Listening for new connections on port " + std::to_string(port));
         serve_one_session();
      }

   private:
      session::pointer make_session() {
         return session::create(get_io_service(m_acceptor), m_session_manager, m_creds, m_policy, m_server_endpoints);
      }

      void serve_one_session() {
         const session::pointer new_session = make_session();

         m_acceptor.async_accept(
            new_session->client_socket(),
            boost::bind(&tls_proxy_server::handle_accept, this, new_session, boost::asio::placeholders::error));
      }

      void handle_accept(const session::pointer& new_session, const boost::system::error_code& error) {
         if(!error) {
            new_session->start();
            m_status.client_serviced();

            if(!m_status.should_exit()) {
               serve_one_session();
            }
         }
      }

      tcp::acceptor m_acceptor;
      tcp::resolver::results_type m_server_endpoints;

      std::shared_ptr<Botan::Credentials_Manager> m_creds;
      std::shared_ptr<Botan::TLS::Policy> m_policy;
      std::shared_ptr<Botan::TLS::Session_Manager> m_session_manager;
      ServerStatus m_status;
};

}  // namespace

class TLS_Proxy final : public Command {
   public:
      TLS_Proxy() :
            Command(
               "tls_proxy listen_port target_host target_port server_cert server_key "
               "--policy=default --threads=0 --max-clients=0 --session-db= --session-db-pass=") {}

      std::string group() const override { return "tls"; }

      std::string description() const override { return "Proxies requests between a TLS client and a TLS server"; }

      size_t thread_count() const {
         if(const size_t t = get_arg_sz("threads")) {
            return t;
         }
   #if defined(BOTAN_HAS_OS_UTILS)
         if(const size_t t = Botan::OS::get_cpu_available()) {
            return t;
         }
   #endif
         return 2;
      }

      void go() override {
         const uint16_t listen_port = get_arg_u16("listen_port");
         const std::string target = get_arg("target_host");
         const std::string target_port = get_arg("target_port");

         const std::string server_crt = get_arg("server_cert");
         const std::string server_key = get_arg("server_key");

         const size_t num_threads = thread_count();
         const size_t max_clients = get_arg_sz("max-clients");

         auto creds = std::make_shared<Basic_Credentials_Manager>(server_crt, server_key);

         auto policy = load_tls_policy(get_arg("policy"));

         boost::asio::io_context io;

         tcp::resolver resolver(io);
         auto server_endpoint_iterator = resolver.resolve(target, target_port);

         std::shared_ptr<Botan::TLS::Session_Manager> session_mgr;

   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
         const std::string sessions_passphrase = get_passphrase_arg("Session DB passphrase", "session-db-pass");
         const std::string sessions_db = get_arg("session-db");

         if(!sessions_db.empty()) {
            session_mgr =
               std::make_shared<Botan::TLS::Session_Manager_SQLite>(sessions_passphrase, rng_as_shared(), sessions_db);
         }
   #endif
         if(!session_mgr) {
            session_mgr = std::make_shared<Botan::TLS::Session_Manager_In_Memory>(rng_as_shared());
         }

         const tls_proxy_server server(
            io, listen_port, server_endpoint_iterator, creds, policy, session_mgr, max_clients);

         std::vector<std::shared_ptr<std::thread>> threads;

         // run forever... first thread is main calling io.run below
         for(size_t i = 2; i <= num_threads; ++i) {
            threads.push_back(std::make_shared<std::thread>([&io]() { io.run(); }));
         }

         io.run();

         for(auto& thread : threads) {
            thread->join();
         }
      }
};

// NOLINTEND(*-avoid-endl,*-avoid-bind)

BOTAN_REGISTER_COMMAND("tls_proxy", TLS_Proxy);

}  // namespace Botan_CLI

#endif

1	/*
2	* TLS Server Proxy
3	* (C) 2014,2015,2019 Jack Lloyd
4	* (C) 2016 Matthias Gierlings
5	* (C) 2023 René Meusel, Rohde & Schwarz Cybersecurity
6	*
7	* Botan is released under the Simplified BSD License (see license.txt)
8	*/
9
10	#include "cli.h"
11
12	#if defined(BOTAN_HAS_TLS) && defined(BOTAN_HAS_BOOST_ASIO) && defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
13
14	#include <atomic>
15	#include <iostream>
16	#include <string>
17	#include <thread>
18	#include <utility>
19	#include <vector>
20
21	#include <boost/asio.hpp>
22	#include <boost/bind.hpp>
23
24	#include <botan/hex.h>
25	#include <botan/pkcs8.h>
26	#include <botan/rng.h>
27	#include <botan/tls_callbacks.h>
28	#include <botan/tls_server.h>
29	#include <botan/tls_session_manager_memory.h>
30	#include <botan/x509cert.h>
31
32	#if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
33	#include <botan/tls_session_manager_sqlite.h>
34	#endif
35
36	#if defined(BOTAN_HAS_OS_UTILS)
37	#include <botan/internal/os_utils.h>
38	#endif
39
40	#include "tls_helpers.h"
41
42	namespace Botan_CLI {
43
44	namespace {
45
46	// NOLINTBEGIN(-avoid-endl,-avoid-bind)
47
48	using boost::asio::ip::tcp;
49
50	template <typename T>
51	boost::asio::io_context& get_io_service(T& s) {	4✔
52	#if BOOST_VERSION >= 107000
53	//NOLINTNEXTLINE(*-type-static-cast-downcast)
54	return static_cast<boost::asio::io_context&>((s).get_executor().context());	4✔
55	#else
56	return s.get_io_service();
57	#endif
58	}
59
60	void log_info(const std::string& msg) {	1✔
61	std::cout << msg << std::endl;	1✔
62	}	1✔
63
64	void log_exception(const char* where, const std::exception& e) {	×
65	std::cout << where << ' ' << e.what() << std::endl;	×
66	}	×
67
68	void log_error(const char* where, const boost::system::error_code& error) {	8✔
69	std::cout << where << ' ' << error.message() << std::endl;	16✔
70	}	8✔
71
72	void log_error(const char* msg) {	×
73	std::cout << msg << std::endl;	×
74	}	×
75
76	void log_binary_message(const char* where, const uint8_t buf[], size_t buf_len) {
77	BOTAN_UNUSED(where, buf, buf_len);	27✔
78	//std::cout << where << ' ' << Botan::hex_encode(buf, buf_len) << std::endl;
79	}
80
81	void log_text_message(const char* where, const uint8_t buf[], size_t buf_len) {
82	BOTAN_UNUSED(where, buf, buf_len);	9✔
83	//const char* c = reinterpret_cast<const char*>(buf);
84	//std::cout << where << ' ' << std::string(c, c + buf_len) << std::endl;
85	}
86
87	class ServerStatus {
88	public:
89	explicit ServerStatus(size_t max_clients) : m_max_clients(max_clients), m_clients_serviced(0) {}	1✔
90
91	bool should_exit() const {	4✔
92	if(m_max_clients == 0) {	4✔
93	return false;
94	}
95
96	return clients_serviced() >= m_max_clients;	4✔
97	}
98
99	void client_serviced() { m_clients_serviced++; }	4✔
100
101	size_t clients_serviced() const { return m_clients_serviced.load(); }	4✔
102
103	private:
104	size_t m_max_clients;
105	std::atomic<size_t> m_clients_serviced;
106	};
107
108	class tls_proxy_session final : public std::enable_shared_from_this<tls_proxy_session>,
109	public Botan::TLS::Callbacks {
110	public:
111	static constexpr size_t readbuf_size = 17 * 1024;
112
113	typedef std::shared_ptr<tls_proxy_session> pointer;
114
115	static pointer create(boost::asio::io_context& io,	4✔
116	const std::shared_ptr<Botan::TLS::Session_Manager>& session_manager,
117	const std::shared_ptr<Botan::Credentials_Manager>& credentials,
118	const std::shared_ptr<Botan::TLS::Policy>& policy,
119	const tcp::resolver::results_type& endpoints) {
120	auto session = std::make_shared<tls_proxy_session>(io, endpoints);	4✔
121
122	// Defer the setup of the TLS server to make use of
123	// shared_from_this() which wouldn't work in the c'tor.
124	session->setup(session_manager, credentials, policy);	4✔
125
126	return session;	4✔
127	}	×
128
129	tcp::socket& client_socket() { return m_client_socket; }
130
131	void start() {	4✔
132	m_c2p.resize(readbuf_size);	4✔
133	client_read(boost::system::error_code(), 0); // start read loop	4✔
134	}	4✔
135
136	void stop() {	8✔
137	if(!m_is_closed) {	8✔
138	/*
139	Don't need to talk to the server anymore
140	Client socket is closed during write callback
141	*/
142	m_server_socket.close();	4✔
143	m_tls->close();	4✔
144
145	// Need to explicitly destroy the TLS::Server object to break the
146	// circular ownership of shared_from_this() and the shared_ptr of
147	// this kept inside the TLS::Channel.
148	m_tls.reset();	4✔
149	m_is_closed = true;	4✔
150	}
151	}	8✔
152
153	tls_proxy_session(boost::asio::io_context& io, tcp::resolver::results_type endpoints) :	4✔
154	m_strand(io),	4✔
155	m_server_endpoints(std::move(endpoints)),	4✔
156	m_client_socket(io),	4✔
157	m_server_socket(io),	8✔
158	m_rng(cli_make_rng()) {}	12✔
159
160	private:
161	void setup(const std::shared_ptr<Botan::TLS::Session_Manager>& session_manager,	4✔
162	const std::shared_ptr<Botan::Credentials_Manager>& credentials,
163	const std::shared_ptr<Botan::TLS::Policy>& policy) {
164	m_tls = std::make_unique<Botan::TLS::Server>(shared_from_this(), session_manager, credentials, policy, m_rng);	4✔
165	}	4✔
166
167	void client_read(const boost::system::error_code& error, size_t bytes_transferred) {	19✔
168	if(error) {	19✔
169	log_error("Read failed", error);	4✔
170	stop();	4✔
171	return;	4✔
172	}
173
174	if(m_is_closed) {	15✔
175	log_error("Received client data after close");	×
176	return;	×
177	}
178
179	try {	15✔
180	if(!m_tls->is_active()) {	15✔
181	log_binary_message("From client", m_c2p.data(), bytes_transferred);
182	}
183	m_tls->received_data(m_c2p.data(), bytes_transferred);	15✔
184	} catch(Botan::Exception& e) {	×
185	log_exception("TLS connection failed", e);	×
186	stop();	×
187	return;	×
188	}	×
189
190	m_client_socket.async_read_some(	30✔
191	boost::asio::buffer(m_c2p),	15✔
192	boost::asio::bind_executor(	30✔
193	m_strand, [self = shared_from_this()](const boost::system::error_code& ec, std::size_t bytes) {	180✔
194	self->client_read(ec, bytes);	15✔
195	}));
196	}
197
198	void handle_client_write_completion(const boost::system::error_code& error) {	22✔
199	if(error) {	22✔
200	log_error("Client write", error);	×
201	stop();	×
202	return;	×
203	}
204
205	m_p2c.clear();	22✔
206
207	if(m_p2c_pending.empty() && (!m_tls \|\| m_tls->is_closed())) {	22✔
208	m_client_socket.close();	4✔
209	}
210	tls_emit_data({}); // initiate another write if needed	22✔
211	}
212
213	void handle_server_write_completion(const boost::system::error_code& error) {	4✔
214	if(error) {	4✔
215	log_error("Server write", error);	×
216	stop();	×
217	return;	×
218	}
219
220	m_p2s.clear();	4✔
221	proxy_write_to_server({}); // initiate another write if needed	4✔
222	}
223
224	void tls_record_received(uint64_t /rec_no/, std::span<const uint8_t> buf) override {	4✔
225	// Immediately bounce message to server
226	proxy_write_to_server(buf);	4✔
227	}	4✔
228
229	void tls_emit_data(std::span<const uint8_t> buf) override {	49✔
230	if(!buf.empty()) {	49✔
231	m_p2c_pending.insert(m_p2c_pending.end(), buf.begin(), buf.end());	27✔
232	}
233
234	// no write now active and we still have output pending
235	if(m_p2c.empty() && !m_p2c_pending.empty()) {	49✔
236	std::swap(m_p2c_pending, m_p2c);	22✔
237
238	log_binary_message("To Client", m_p2c.data(), m_p2c.size());	22✔
239
240	boost::asio::async_write(	44✔
241	m_client_socket,	22✔
242	boost::asio::buffer(m_p2c),	22✔
243	boost::asio::bind_executor(	44✔
244	m_strand, [self = shared_from_this()](const boost::system::error_code& ec, std::size_t /bytes/) {	264✔
245	self->handle_client_write_completion(ec);	22✔
246	}));
247	}
248	}	49✔
249
250	void proxy_write_to_server(std::span<const uint8_t> buf) {	12✔
251	if(!buf.empty()) {	12✔
252	m_p2s_pending.insert(m_p2s_pending.end(), buf.begin(), buf.end());	4✔
253	}
254
255	// no write now active and we still have output pending
256	if(m_p2s.empty() && !m_p2s_pending.empty()) {	12✔
257	std::swap(m_p2s_pending, m_p2s);	4✔
258
259	log_text_message("To Server", m_p2s.data(), m_p2s.size());	4✔
260
261	boost::asio::async_write(	8✔
262	m_server_socket,	4✔
263	boost::asio::buffer(m_p2s),	4✔
264	boost::asio::bind_executor(	8✔
265	m_strand, [self = shared_from_this()](const boost::system::error_code& ec, std::size_t /bytes/) {	48✔
266	self->handle_server_write_completion(ec);	4✔
267	}));
268	}
269	}	12✔
270
271	void server_read(const boost::system::error_code& error, size_t bytes_transferred) {	13✔
272	if(error) {	13✔
273	log_error("Server read failed", error);	4✔
274	stop();	4✔
275	return;	4✔
276	}
277
278	try {	9✔
279	if(bytes_transferred > 0) {	9✔
280	log_text_message("Server to client", m_s2p.data(), m_s2p.size());	5✔
281	log_binary_message("Server to client", m_s2p.data(), m_s2p.size());	5✔
282	m_tls->send(m_s2p.data(), bytes_transferred);	5✔
283	}
284	} catch(Botan::Exception& e) {	×
285	log_exception("TLS connection failed", e);	×
286	stop();	×
287	return;	×
288	}	×
289
290	m_s2p.resize(readbuf_size);	9✔
291
292	m_server_socket.async_read_some(	18✔
293	boost::asio::buffer(m_s2p),	9✔
294	boost::asio::bind_executor(	18✔
295	m_strand, [self = shared_from_this()](const boost::system::error_code& ec, std::size_t bytes) {	108✔
296	self->server_read(ec, bytes);	9✔
297	}));
298	}
299
300	void tls_session_activated() override {	4✔
301	auto onConnect = [self = weak_from_this()](boost::system::error_code ec,	12✔
302	const tcp::resolver::results_type::iterator& /endpoint/) {
303	if(ec) {	4✔
304	log_error("Server connection", ec);	×
305	return;	×
306	}
307
308	if(auto ptr = self.lock()) {	4✔
309	ptr->server_read(boost::system::error_code(), 0); // start read loop	4✔
310	ptr->proxy_write_to_server({});	4✔
311	} else {
312	log_error("Server connection established, but client session already closed");	×
313	return;	×
314	}	4✔
315	};	4✔
316	async_connect(m_server_socket, m_server_endpoints.begin(), m_server_endpoints.end(), onConnect);	8✔
317	}	4✔
318
319	void tls_session_established(const Botan::TLS::Session_Summary& session) override {	4✔
320	m_hostname = session.server_info().hostname();	4✔
321	}	4✔
322
323	void tls_alert(Botan::TLS::Alert alert) override {	×
324	if(alert.type() == Botan::TLS::Alert::CloseNotify) {	×
325	m_tls->close();	×
326	return;	×
327	}
328	}
329
330	boost::asio::io_context::strand m_strand;
331
332	tcp::resolver::results_type m_server_endpoints;
333
334	tcp::socket m_client_socket;
335	tcp::socket m_server_socket;
336
337	std::shared_ptr<Botan::RandomNumberGenerator> m_rng;
338	std::unique_ptr<Botan::TLS::Server> m_tls;
339	std::string m_hostname;
340
341	std::vector<uint8_t> m_c2p;
342	std::vector<uint8_t> m_p2c;
343	std::vector<uint8_t> m_p2c_pending;
344
345	std::vector<uint8_t> m_s2p;
346	std::vector<uint8_t> m_p2s;
347	std::vector<uint8_t> m_p2s_pending;
348
349	bool m_is_closed = false;
350	};
351
352	class tls_proxy_server final {
353	public:
354	typedef tls_proxy_session session;
355
356	tls_proxy_server(boost::asio::io_context& io,	1✔
357	unsigned short port,
358	tcp::resolver::results_type endpoints,
359	std::shared_ptr<Botan::Credentials_Manager> creds,
360	std::shared_ptr<Botan::TLS::Policy> policy,
361	std::shared_ptr<Botan::TLS::Session_Manager> session_mgr,
362	size_t max_clients) :	1✔
363	m_acceptor(io, tcp::endpoint(tcp::v4(), port)),	1✔
364	m_server_endpoints(std::move(endpoints)),	1✔
365	m_creds(std::move(creds)),	1✔
366	m_policy(std::move(policy)),	1✔
367	m_session_manager(std::move(session_mgr)),	1✔
368	m_status(max_clients) {	1✔
369	log_info("Listening for new connections on port " + std::to_string(port));	3✔
370	serve_one_session();	1✔
371	}	1✔
372
373	private:
374	session::pointer make_session() {	4✔
375	return session::create(get_io_service(m_acceptor), m_session_manager, m_creds, m_policy, m_server_endpoints);	4✔
376	}
377
378	void serve_one_session() {	4✔
379	const session::pointer new_session = make_session();	4✔
380
381	m_acceptor.async_accept(	8✔
382	new_session->client_socket(),	4✔
383	boost::bind(&tls_proxy_server::handle_accept, this, new_session, boost::asio::placeholders::error));	12✔
384	}	4✔
385
386	void handle_accept(const session::pointer& new_session, const boost::system::error_code& error) {	4✔
387	if(!error) {	4✔
388	new_session->start();	4✔
389	m_status.client_serviced();	4✔
390
391	if(!m_status.should_exit()) {	4✔
392	serve_one_session();	3✔
393	}
394	}
395	}	4✔
396
397	tcp::acceptor m_acceptor;
398	tcp::resolver::results_type m_server_endpoints;
399
400	std::shared_ptr<Botan::Credentials_Manager> m_creds;
401	std::shared_ptr<Botan::TLS::Policy> m_policy;
402	std::shared_ptr<Botan::TLS::Session_Manager> m_session_manager;
403	ServerStatus m_status;
404	};
405
406	} // namespace
407
408	class TLS_Proxy final : public Command {
409	public:
410	TLS_Proxy() :	2✔
411	Command(
412	"tls_proxy listen_port target_host target_port server_cert server_key "
413	"--policy=default --threads=0 --max-clients=0 --session-db= --session-db-pass=") {}	4✔
414
415	std::string group() const override { return "tls"; }	1✔
416
417	std::string description() const override { return "Proxies requests between a TLS client and a TLS server"; }	1✔
418
419	size_t thread_count() const {	1✔
420	if(const size_t t = get_arg_sz("threads")) {	1✔
421	return t;
422	}
423	#if defined(BOTAN_HAS_OS_UTILS)
424	if(const size_t t = Botan::OS::get_cpu_available()) {	1✔
425	return t;	1✔
426	}
427	#endif
428	return 2;
429	}
430
431	void go() override {	1✔
432	const uint16_t listen_port = get_arg_u16("listen_port");	1✔
433	const std::string target = get_arg("target_host");	1✔
434	const std::string target_port = get_arg("target_port");	1✔
435
436	const std::string server_crt = get_arg("server_cert");	1✔
437	const std::string server_key = get_arg("server_key");	1✔
438
439	const size_t num_threads = thread_count();	1✔
440	const size_t max_clients = get_arg_sz("max-clients");	1✔
441
442	auto creds = std::make_shared<Basic_Credentials_Manager>(server_crt, server_key);	1✔
443
444	auto policy = load_tls_policy(get_arg("policy"));	2✔
445
446	boost::asio::io_context io;	1✔
447
448	tcp::resolver resolver(io);	1✔
449	auto server_endpoint_iterator = resolver.resolve(target, target_port);	1✔
450
451	std::shared_ptr<Botan::TLS::Session_Manager> session_mgr;	1✔
452
453	#if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
454	const std::string sessions_passphrase = get_passphrase_arg("Session DB passphrase", "session-db-pass");	2✔
455	const std::string sessions_db = get_arg("session-db");	1✔
456
457	if(!sessions_db.empty()) {	1✔
458	session_mgr =	×
459	std::make_shared<Botan::TLS::Session_Manager_SQLite>(sessions_passphrase, rng_as_shared(), sessions_db);	×
460	}
461	#endif
462	if(!session_mgr) {	1✔
463	session_mgr = std::make_shared<Botan::TLS::Session_Manager_In_Memory>(rng_as_shared());	3✔
464	}
465
466	const tls_proxy_server server(	1✔
467	io, listen_port, server_endpoint_iterator, creds, policy, session_mgr, max_clients);	2✔
468
469	std::vector<std::shared_ptr<std::thread>> threads;	1✔
470
471	// run forever... first thread is main calling io.run below
472	for(size_t i = 2; i <= num_threads; ++i) {	4✔
473	threads.push_back(std::make_shared<std::thread>([&io]() { io.run(); }));	6✔
474	}
475
476	io.run();	1✔
477
478	for(auto& thread : threads) {	4✔
479	thread->join();	3✔
480	}
481	}	5✔
482	};
483
484	// NOLINTEND(-avoid-endl,-avoid-bind)
485
486	BOTAN_REGISTER_COMMAND("tls_proxy", TLS_Proxy);	2✔
487
488	} // namespace Botan_CLI
489
490	#endif

randombit / botan / 20579846577

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous