1 /* $NetBSD: https-client.c,v 1.1.1.2 2021/04/07 02:43:15 christos Exp $ */
2 /*
3 This is an example of how to hook up evhttp with bufferevent_ssl
4
5 It just GETs an https URL given on the command-line and prints the response
6 body to stdout.
7
8 Actually, it also accepts plain http URLs to make it easy to compare http vs
9 https code paths.
10
11 Loosely based on le-proxy.c.
12 */
13
14 // Get rid of OSX 10.7 and greater deprecation warnings.
15 #if defined(__APPLE__) && defined(__clang__)
16 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
17 #endif
18
19 #include <stdio.h>
20 #include <assert.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <errno.h>
24
25 #ifdef _WIN32
26 #include <winsock2.h>
27 #include <ws2tcpip.h>
28
29 #define snprintf _snprintf
30 #define strcasecmp _stricmp
31 #else
32 #include <sys/socket.h>
33 #include <netinet/in.h>
34 #endif
35
36 #include <event2/bufferevent_ssl.h>
37 #include <event2/bufferevent.h>
38 #include <event2/buffer.h>
39 #include <event2/listener.h>
40 #include <event2/util.h>
41 #include <event2/http.h>
42
43 #include <openssl/ssl.h>
44 #include <openssl/err.h>
45 #include <openssl/rand.h>
46
47 #include "openssl_hostname_validation.h"
48
49 static int ignore_cert = 0;
50
51 static void
http_request_done(struct evhttp_request * req,void * ctx)52 http_request_done(struct evhttp_request *req, void *ctx)
53 {
54 char buffer[256];
55 int nread;
56
57 if (!req || !evhttp_request_get_response_code(req)) {
58 /* If req is NULL, it means an error occurred, but
59 * sadly we are mostly left guessing what the error
60 * might have been. We'll do our best... */
61 struct bufferevent *bev = (struct bufferevent *) ctx;
62 unsigned long oslerr;
63 int printed_err = 0;
64 int errcode = EVUTIL_SOCKET_ERROR();
65 fprintf(stderr, "some request failed - no idea which one though!\n");
66 /* Print out the OpenSSL error queue that libevent
67 * squirreled away for us, if any. */
68 while ((oslerr = bufferevent_get_openssl_error(bev))) {
69 ERR_error_string_n(oslerr, buffer, sizeof(buffer));
70 fprintf(stderr, "%s\n", buffer);
71 printed_err = 1;
72 }
73 /* If the OpenSSL error queue was empty, maybe it was a
74 * socket error; let's try printing that. */
75 if (! printed_err)
76 fprintf(stderr, "socket error = %s (%d)\n",
77 evutil_socket_error_to_string(errcode),
78 errcode);
79 return;
80 }
81
82 fprintf(stderr, "Response line: %d %s\n",
83 evhttp_request_get_response_code(req),
84 evhttp_request_get_response_code_line(req));
85
86 while ((nread = evbuffer_remove(evhttp_request_get_input_buffer(req),
87 buffer, sizeof(buffer)))
88 > 0) {
89 /* These are just arbitrary chunks of 256 bytes.
90 * They are not lines, so we can't treat them as such. */
91 fwrite(buffer, nread, 1, stdout);
92 }
93 }
94
95 static void
syntax(void)96 syntax(void)
97 {
98 fputs("Syntax:\n", stderr);
99 fputs(" https-client -url <https-url> [-data data-file.bin] [-ignore-cert] [-retries num] [-timeout sec] [-crt crt]\n", stderr);
100 fputs("Example:\n", stderr);
101 fputs(" https-client -url https://ip.appspot.com/\n", stderr);
102 }
103
104 static void
err(const char * msg)105 err(const char *msg)
106 {
107 fputs(msg, stderr);
108 }
109
110 static void
err_openssl(const char * func)111 err_openssl(const char *func)
112 {
113 fprintf (stderr, "%s failed:\n", func);
114
115 /* This is the OpenSSL function that prints the contents of the
116 * error stack to the specified file handle. */
117 ERR_print_errors_fp (stderr);
118
119 exit(1);
120 }
121
122 /* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */
cert_verify_callback(X509_STORE_CTX * x509_ctx,void * arg)123 static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg)
124 {
125 char cert_str[256];
126 const char *host = (const char *) arg;
127 const char *res_str = "X509_verify_cert failed";
128 HostnameValidationResult res = Error;
129
130 /* This is the function that OpenSSL would call if we hadn't called
131 * SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping"
132 * the default functionality, rather than replacing it. */
133 int ok_so_far = 0;
134
135 X509 *server_cert = NULL;
136
137 if (ignore_cert) {
138 return 1;
139 }
140
141 ok_so_far = X509_verify_cert(x509_ctx);
142
143 server_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
144
145 if (ok_so_far) {
146 res = validate_hostname(host, server_cert);
147
148 switch (res) {
149 case MatchFound:
150 res_str = "MatchFound";
151 break;
152 case MatchNotFound:
153 res_str = "MatchNotFound";
154 break;
155 case NoSANPresent:
156 res_str = "NoSANPresent";
157 break;
158 case MalformedCertificate:
159 res_str = "MalformedCertificate";
160 break;
161 case Error:
162 res_str = "Error";
163 break;
164 default:
165 res_str = "WTF!";
166 break;
167 }
168 }
169
170 X509_NAME_oneline(X509_get_subject_name (server_cert),
171 cert_str, sizeof (cert_str));
172
173 if (res == MatchFound) {
174 printf("https server '%s' has this certificate, "
175 "which looks good to me:\n%s\n",
176 host, cert_str);
177 return 1;
178 } else {
179 printf("Got '%s' for hostname '%s' and certificate:\n%s\n",
180 res_str, host, cert_str);
181 return 0;
182 }
183 }
184
185 #ifdef _WIN32
186 static int
add_cert_for_store(X509_STORE * store,const char * name)187 add_cert_for_store(X509_STORE *store, const char *name)
188 {
189 HCERTSTORE sys_store = NULL;
190 PCCERT_CONTEXT ctx = NULL;
191 int r = 0;
192
193 sys_store = CertOpenSystemStore(0, name);
194 if (!sys_store) {
195 err("failed to open system certificate store");
196 return -1;
197 }
198 while ((ctx = CertEnumCertificatesInStore(sys_store, ctx))) {
199 X509 *x509 = d2i_X509(NULL, (unsigned char const **)&ctx->pbCertEncoded,
200 ctx->cbCertEncoded);
201 if (x509) {
202 X509_STORE_add_cert(store, x509);
203 X509_free(x509);
204 } else {
205 r = -1;
206 err_openssl("d2i_X509");
207 break;
208 }
209 }
210 CertCloseStore(sys_store, 0);
211 return r;
212 }
213 #endif
214
215 int
main(int argc,char ** argv)216 main(int argc, char **argv)
217 {
218 int r;
219 struct event_base *base = NULL;
220 struct evhttp_uri *http_uri = NULL;
221 const char *url = NULL, *data_file = NULL;
222 const char *crt = NULL;
223 const char *scheme, *host, *path, *query;
224 char uri[256];
225 int port;
226 int retries = 0;
227 int timeout = -1;
228
229 SSL_CTX *ssl_ctx = NULL;
230 SSL *ssl = NULL;
231 struct bufferevent *bev;
232 struct evhttp_connection *evcon = NULL;
233 struct evhttp_request *req;
234 struct evkeyvalq *output_headers;
235 struct evbuffer *output_buffer;
236
237 int i;
238 int ret = 0;
239 enum { HTTP, HTTPS } type = HTTP;
240
241 for (i = 1; i < argc; i++) {
242 if (!strcmp("-url", argv[i])) {
243 if (i < argc - 1) {
244 url = argv[i + 1];
245 } else {
246 syntax();
247 goto error;
248 }
249 } else if (!strcmp("-crt", argv[i])) {
250 if (i < argc - 1) {
251 crt = argv[i + 1];
252 } else {
253 syntax();
254 goto error;
255 }
256 } else if (!strcmp("-ignore-cert", argv[i])) {
257 ignore_cert = 1;
258 } else if (!strcmp("-data", argv[i])) {
259 if (i < argc - 1) {
260 data_file = argv[i + 1];
261 } else {
262 syntax();
263 goto error;
264 }
265 } else if (!strcmp("-retries", argv[i])) {
266 if (i < argc - 1) {
267 retries = atoi(argv[i + 1]);
268 } else {
269 syntax();
270 goto error;
271 }
272 } else if (!strcmp("-timeout", argv[i])) {
273 if (i < argc - 1) {
274 timeout = atoi(argv[i + 1]);
275 } else {
276 syntax();
277 goto error;
278 }
279 } else if (!strcmp("-help", argv[i])) {
280 syntax();
281 goto error;
282 }
283 }
284
285 if (!url) {
286 syntax();
287 goto error;
288 }
289
290 #ifdef _WIN32
291 {
292 WORD wVersionRequested;
293 WSADATA wsaData;
294 int err;
295
296 wVersionRequested = MAKEWORD(2, 2);
297
298 err = WSAStartup(wVersionRequested, &wsaData);
299 if (err != 0) {
300 printf("WSAStartup failed with error: %d\n", err);
301 goto error;
302 }
303 }
304 #endif // _WIN32
305
306 http_uri = evhttp_uri_parse(url);
307 if (http_uri == NULL) {
308 err("malformed url");
309 goto error;
310 }
311
312 scheme = evhttp_uri_get_scheme(http_uri);
313 if (scheme == NULL || (strcasecmp(scheme, "https") != 0 &&
314 strcasecmp(scheme, "http") != 0)) {
315 err("url must be http or https");
316 goto error;
317 }
318
319 host = evhttp_uri_get_host(http_uri);
320 if (host == NULL) {
321 err("url must have a host");
322 goto error;
323 }
324
325 port = evhttp_uri_get_port(http_uri);
326 if (port == -1) {
327 port = (strcasecmp(scheme, "http") == 0) ? 80 : 443;
328 }
329
330 path = evhttp_uri_get_path(http_uri);
331 if (strlen(path) == 0) {
332 path = "/";
333 }
334
335 query = evhttp_uri_get_query(http_uri);
336 if (query == NULL) {
337 snprintf(uri, sizeof(uri) - 1, "%s", path);
338 } else {
339 snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query);
340 }
341 uri[sizeof(uri) - 1] = '\0';
342
343 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
344 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
345 // Initialize OpenSSL
346 SSL_library_init();
347 ERR_load_crypto_strings();
348 SSL_load_error_strings();
349 OpenSSL_add_all_algorithms();
350 #endif
351
352 /* This isn't strictly necessary... OpenSSL performs RAND_poll
353 * automatically on first use of random number generator. */
354 r = RAND_poll();
355 if (r == 0) {
356 err_openssl("RAND_poll");
357 goto error;
358 }
359
360 /* Create a new OpenSSL context */
361 ssl_ctx = SSL_CTX_new(SSLv23_method());
362 if (!ssl_ctx) {
363 err_openssl("SSL_CTX_new");
364 goto error;
365 }
366
367 if (crt == NULL) {
368 X509_STORE *store;
369 /* Attempt to use the system's trusted root certificates. */
370 store = SSL_CTX_get_cert_store(ssl_ctx);
371 #ifdef _WIN32
372 if (add_cert_for_store(store, "CA") < 0 ||
373 add_cert_for_store(store, "AuthRoot") < 0 ||
374 add_cert_for_store(store, "ROOT") < 0) {
375 goto error;
376 }
377 #else // _WIN32
378 if (X509_STORE_set_default_paths(store) != 1) {
379 err_openssl("X509_STORE_set_default_paths");
380 goto error;
381 }
382 #endif // _WIN32
383 } else {
384 if (SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL) != 1) {
385 err_openssl("SSL_CTX_load_verify_locations");
386 goto error;
387 }
388 }
389 /* Ask OpenSSL to verify the server certificate. Note that this
390 * does NOT include verifying that the hostname is correct.
391 * So, by itself, this means anyone with any legitimate
392 * CA-issued certificate for any website, can impersonate any
393 * other website in the world. This is not good. See "The
394 * Most Dangerous Code in the World" article at
395 * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
396 */
397 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
398 /* This is how we solve the problem mentioned in the previous
399 * comment. We "wrap" OpenSSL's validation routine in our
400 * own routine, which also validates the hostname by calling
401 * the code provided by iSECPartners. Note that even though
402 * the "Everything You've Always Wanted to Know About
403 * Certificate Validation With OpenSSL (But Were Afraid to
404 * Ask)" paper from iSECPartners says very explicitly not to
405 * call SSL_CTX_set_cert_verify_callback (at the bottom of
406 * page 2), what we're doing here is safe because our
407 * cert_verify_callback() calls X509_verify_cert(), which is
408 * OpenSSL's built-in routine which would have been called if
409 * we hadn't set the callback. Therefore, we're just
410 * "wrapping" OpenSSL's routine, not replacing it. */
411 SSL_CTX_set_cert_verify_callback(ssl_ctx, cert_verify_callback,
412 (void *) host);
413
414 // Create event base
415 base = event_base_new();
416 if (!base) {
417 perror("event_base_new()");
418 goto error;
419 }
420
421 // Create OpenSSL bufferevent and stack evhttp on top of it
422 ssl = SSL_new(ssl_ctx);
423 if (ssl == NULL) {
424 err_openssl("SSL_new()");
425 goto error;
426 }
427
428 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
429 // Set hostname for SNI extension
430 SSL_set_tlsext_host_name(ssl, host);
431 #endif
432
433 if (strcasecmp(scheme, "http") == 0) {
434 bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE);
435 } else {
436 type = HTTPS;
437 bev = bufferevent_openssl_socket_new(base, -1, ssl,
438 BUFFEREVENT_SSL_CONNECTING,
439 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
440 }
441
442 if (bev == NULL) {
443 fprintf(stderr, "bufferevent_openssl_socket_new() failed\n");
444 goto error;
445 }
446
447 bufferevent_openssl_set_allow_dirty_shutdown(bev, 1);
448
449 // For simplicity, we let DNS resolution block. Everything else should be
450 // asynchronous though.
451 evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev,
452 host, port);
453 if (evcon == NULL) {
454 fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n");
455 goto error;
456 }
457
458 if (retries > 0) {
459 evhttp_connection_set_retries(evcon, retries);
460 }
461 if (timeout >= 0) {
462 evhttp_connection_set_timeout(evcon, timeout);
463 }
464
465 // Fire off the request
466 req = evhttp_request_new(http_request_done, bev);
467 if (req == NULL) {
468 fprintf(stderr, "evhttp_request_new() failed\n");
469 goto error;
470 }
471
472 output_headers = evhttp_request_get_output_headers(req);
473 evhttp_add_header(output_headers, "Host", host);
474 evhttp_add_header(output_headers, "Connection", "close");
475
476 if (data_file) {
477 /* NOTE: In production code, you'd probably want to use
478 * evbuffer_add_file() or evbuffer_add_file_segment(), to
479 * avoid needless copying. */
480 FILE * f = fopen(data_file, "rb");
481 char buf[1024];
482 size_t s;
483 size_t bytes = 0;
484
485 if (!f) {
486 syntax();
487 goto error;
488 }
489
490 output_buffer = evhttp_request_get_output_buffer(req);
491 while ((s = fread(buf, 1, sizeof(buf), f)) > 0) {
492 evbuffer_add(output_buffer, buf, s);
493 bytes += s;
494 }
495 evutil_snprintf(buf, sizeof(buf)-1, "%lu", (unsigned long)bytes);
496 evhttp_add_header(output_headers, "Content-Length", buf);
497 fclose(f);
498 }
499
500 r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri);
501 if (r != 0) {
502 fprintf(stderr, "evhttp_make_request() failed\n");
503 goto error;
504 }
505
506 event_base_dispatch(base);
507 goto cleanup;
508
509 error:
510 ret = 1;
511 cleanup:
512 if (evcon)
513 evhttp_connection_free(evcon);
514 if (http_uri)
515 evhttp_uri_free(http_uri);
516 if (base)
517 event_base_free(base);
518
519 if (ssl_ctx)
520 SSL_CTX_free(ssl_ctx);
521 if (type == HTTP && ssl)
522 SSL_free(ssl);
523 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
524 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
525 EVP_cleanup();
526 ERR_free_strings();
527
528 #if OPENSSL_VERSION_NUMBER < 0x10000000L
529 ERR_remove_state(0);
530 #else
531 ERR_remove_thread_state(NULL);
532 #endif
533
534 CRYPTO_cleanup_all_ex_data();
535
536 sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
537 #endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
538 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) */
539
540 #ifdef _WIN32
541 WSACleanup();
542 #endif
543
544 return ret;
545 }
546