1 /* $NetBSD: https-client.c,v 1.1.1.1 2017/01/31 21:14:53 christos Exp $ */ 2 /* 3 This is an example of how to hook up evhttp with bufferevent_ssl 4 5 It just GETs an https URL given on the command-line and prints the response 6 body to stdout. 7 8 Actually, it also accepts plain http URLs to make it easy to compare http vs 9 https code paths. 10 11 Loosely based on le-proxy.c. 12 */ 13 14 // Get rid of OSX 10.7 and greater deprecation warnings. 15 #if defined(__APPLE__) && defined(__clang__) 16 #pragma clang diagnostic ignored "-Wdeprecated-declarations" 17 #endif 18 19 #include <stdio.h> 20 #include <assert.h> 21 #include <stdlib.h> 22 #include <string.h> 23 #include <errno.h> 24 25 #ifdef _WIN32 26 #include <winsock2.h> 27 #include <ws2tcpip.h> 28 29 #define snprintf _snprintf 30 #define strcasecmp _stricmp 31 #else 32 #include <sys/socket.h> 33 #include <netinet/in.h> 34 #endif 35 36 #include <event2/bufferevent_ssl.h> 37 #include <event2/bufferevent.h> 38 #include <event2/buffer.h> 39 #include <event2/listener.h> 40 #include <event2/util.h> 41 #include <event2/http.h> 42 43 #include <openssl/ssl.h> 44 #include <openssl/err.h> 45 #include <openssl/rand.h> 46 47 #include "openssl_hostname_validation.h" 48 49 static struct event_base *base; 50 static int ignore_cert = 0; 51 52 static void 53 http_request_done(struct evhttp_request *req, void *ctx) 54 { 55 char buffer[256]; 56 int nread; 57 58 if (req == NULL) { 59 /* If req is NULL, it means an error occurred, but 60 * sadly we are mostly left guessing what the error 61 * might have been. We'll do our best... */ 62 struct bufferevent *bev = (struct bufferevent *) ctx; 63 unsigned long oslerr; 64 int printed_err = 0; 65 int errcode = EVUTIL_SOCKET_ERROR(); 66 fprintf(stderr, "some request failed - no idea which one though!\n"); 67 /* Print out the OpenSSL error queue that libevent 68 * squirreled away for us, if any. */ 69 while ((oslerr = bufferevent_get_openssl_error(bev))) { 70 ERR_error_string_n(oslerr, buffer, sizeof(buffer)); 71 fprintf(stderr, "%s\n", buffer); 72 printed_err = 1; 73 } 74 /* If the OpenSSL error queue was empty, maybe it was a 75 * socket error; let's try printing that. */ 76 if (! printed_err) 77 fprintf(stderr, "socket error = %s (%d)\n", 78 evutil_socket_error_to_string(errcode), 79 errcode); 80 return; 81 } 82 83 fprintf(stderr, "Response line: %d %s\n", 84 evhttp_request_get_response_code(req), 85 evhttp_request_get_response_code_line(req)); 86 87 while ((nread = evbuffer_remove(evhttp_request_get_input_buffer(req), 88 buffer, sizeof(buffer))) 89 > 0) { 90 /* These are just arbitrary chunks of 256 bytes. 91 * They are not lines, so we can't treat them as such. */ 92 fwrite(buffer, nread, 1, stdout); 93 } 94 } 95 96 static void 97 syntax(void) 98 { 99 fputs("Syntax:\n", stderr); 100 fputs(" https-client -url <https-url> [-data data-file.bin] [-ignore-cert] [-retries num] [-timeout sec] [-crt crt]\n", stderr); 101 fputs("Example:\n", stderr); 102 fputs(" https-client -url https://ip.appspot.com/\n", stderr); 103 } 104 105 static void 106 err(const char *msg) 107 { 108 fputs(msg, stderr); 109 } 110 111 static void 112 err_openssl(const char *func) 113 { 114 fprintf (stderr, "%s failed:\n", func); 115 116 /* This is the OpenSSL function that prints the contents of the 117 * error stack to the specified file handle. */ 118 ERR_print_errors_fp (stderr); 119 120 exit(1); 121 } 122 123 #ifndef _WIN32 124 /* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */ 125 static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg) 126 { 127 char cert_str[256]; 128 const char *host = (const char *) arg; 129 const char *res_str = "X509_verify_cert failed"; 130 HostnameValidationResult res = Error; 131 132 /* This is the function that OpenSSL would call if we hadn't called 133 * SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping" 134 * the default functionality, rather than replacing it. */ 135 int ok_so_far = 0; 136 137 X509 *server_cert = NULL; 138 139 if (ignore_cert) { 140 return 1; 141 } 142 143 ok_so_far = X509_verify_cert(x509_ctx); 144 145 server_cert = X509_STORE_CTX_get_current_cert(x509_ctx); 146 147 if (ok_so_far) { 148 res = validate_hostname(host, server_cert); 149 150 switch (res) { 151 case MatchFound: 152 res_str = "MatchFound"; 153 break; 154 case MatchNotFound: 155 res_str = "MatchNotFound"; 156 break; 157 case NoSANPresent: 158 res_str = "NoSANPresent"; 159 break; 160 case MalformedCertificate: 161 res_str = "MalformedCertificate"; 162 break; 163 case Error: 164 res_str = "Error"; 165 break; 166 default: 167 res_str = "WTF!"; 168 break; 169 } 170 } 171 172 X509_NAME_oneline(X509_get_subject_name (server_cert), 173 cert_str, sizeof (cert_str)); 174 175 if (res == MatchFound) { 176 printf("https server '%s' has this certificate, " 177 "which looks good to me:\n%s\n", 178 host, cert_str); 179 return 1; 180 } else { 181 printf("Got '%s' for hostname '%s' and certificate:\n%s\n", 182 res_str, host, cert_str); 183 return 0; 184 } 185 } 186 #endif 187 188 int 189 main(int argc, char **argv) 190 { 191 int r; 192 193 struct evhttp_uri *http_uri = NULL; 194 const char *url = NULL, *data_file = NULL; 195 const char *crt = "/etc/ssl/certs/ca-certificates.crt"; 196 const char *scheme, *host, *path, *query; 197 char uri[256]; 198 int port; 199 int retries = 0; 200 int timeout = -1; 201 202 SSL_CTX *ssl_ctx = NULL; 203 SSL *ssl = NULL; 204 struct bufferevent *bev; 205 struct evhttp_connection *evcon = NULL; 206 struct evhttp_request *req; 207 struct evkeyvalq *output_headers; 208 struct evbuffer *output_buffer; 209 210 int i; 211 int ret = 0; 212 enum { HTTP, HTTPS } type = HTTP; 213 214 for (i = 1; i < argc; i++) { 215 if (!strcmp("-url", argv[i])) { 216 if (i < argc - 1) { 217 url = argv[i + 1]; 218 } else { 219 syntax(); 220 goto error; 221 } 222 } else if (!strcmp("-crt", argv[i])) { 223 if (i < argc - 1) { 224 crt = argv[i + 1]; 225 } else { 226 syntax(); 227 goto error; 228 } 229 } else if (!strcmp("-ignore-cert", argv[i])) { 230 ignore_cert = 1; 231 } else if (!strcmp("-data", argv[i])) { 232 if (i < argc - 1) { 233 data_file = argv[i + 1]; 234 } else { 235 syntax(); 236 goto error; 237 } 238 } else if (!strcmp("-retries", argv[i])) { 239 if (i < argc - 1) { 240 retries = atoi(argv[i + 1]); 241 } else { 242 syntax(); 243 goto error; 244 } 245 } else if (!strcmp("-timeout", argv[i])) { 246 if (i < argc - 1) { 247 timeout = atoi(argv[i + 1]); 248 } else { 249 syntax(); 250 goto error; 251 } 252 } else if (!strcmp("-help", argv[i])) { 253 syntax(); 254 goto error; 255 } 256 } 257 258 if (!url) { 259 syntax(); 260 goto error; 261 } 262 263 #ifdef _WIN32 264 { 265 WORD wVersionRequested; 266 WSADATA wsaData; 267 int err; 268 269 wVersionRequested = MAKEWORD(2, 2); 270 271 err = WSAStartup(wVersionRequested, &wsaData); 272 if (err != 0) { 273 printf("WSAStartup failed with error: %d\n", err); 274 goto error; 275 } 276 } 277 #endif // _WIN32 278 279 http_uri = evhttp_uri_parse(url); 280 if (http_uri == NULL) { 281 err("malformed url"); 282 goto error; 283 } 284 285 scheme = evhttp_uri_get_scheme(http_uri); 286 if (scheme == NULL || (strcasecmp(scheme, "https") != 0 && 287 strcasecmp(scheme, "http") != 0)) { 288 err("url must be http or https"); 289 goto error; 290 } 291 292 host = evhttp_uri_get_host(http_uri); 293 if (host == NULL) { 294 err("url must have a host"); 295 goto error; 296 } 297 298 port = evhttp_uri_get_port(http_uri); 299 if (port == -1) { 300 port = (strcasecmp(scheme, "http") == 0) ? 80 : 443; 301 } 302 303 path = evhttp_uri_get_path(http_uri); 304 if (strlen(path) == 0) { 305 path = "/"; 306 } 307 308 query = evhttp_uri_get_query(http_uri); 309 if (query == NULL) { 310 snprintf(uri, sizeof(uri) - 1, "%s", path); 311 } else { 312 snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query); 313 } 314 uri[sizeof(uri) - 1] = '\0'; 315 316 #if OPENSSL_VERSION_NUMBER < 0x10100000L 317 // Initialize OpenSSL 318 SSL_library_init(); 319 ERR_load_crypto_strings(); 320 SSL_load_error_strings(); 321 OpenSSL_add_all_algorithms(); 322 #endif 323 324 /* This isn't strictly necessary... OpenSSL performs RAND_poll 325 * automatically on first use of random number generator. */ 326 r = RAND_poll(); 327 if (r == 0) { 328 err_openssl("RAND_poll"); 329 goto error; 330 } 331 332 /* Create a new OpenSSL context */ 333 ssl_ctx = SSL_CTX_new(SSLv23_method()); 334 if (!ssl_ctx) { 335 err_openssl("SSL_CTX_new"); 336 goto error; 337 } 338 339 #ifndef _WIN32 340 /* TODO: Add certificate loading on Windows as well */ 341 342 /* Attempt to use the system's trusted root certificates. 343 * (This path is only valid for Debian-based systems.) */ 344 if (1 != SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL)) { 345 err_openssl("SSL_CTX_load_verify_locations"); 346 goto error; 347 } 348 /* Ask OpenSSL to verify the server certificate. Note that this 349 * does NOT include verifying that the hostname is correct. 350 * So, by itself, this means anyone with any legitimate 351 * CA-issued certificate for any website, can impersonate any 352 * other website in the world. This is not good. See "The 353 * Most Dangerous Code in the World" article at 354 * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html 355 */ 356 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); 357 /* This is how we solve the problem mentioned in the previous 358 * comment. We "wrap" OpenSSL's validation routine in our 359 * own routine, which also validates the hostname by calling 360 * the code provided by iSECPartners. Note that even though 361 * the "Everything You've Always Wanted to Know About 362 * Certificate Validation With OpenSSL (But Were Afraid to 363 * Ask)" paper from iSECPartners says very explicitly not to 364 * call SSL_CTX_set_cert_verify_callback (at the bottom of 365 * page 2), what we're doing here is safe because our 366 * cert_verify_callback() calls X509_verify_cert(), which is 367 * OpenSSL's built-in routine which would have been called if 368 * we hadn't set the callback. Therefore, we're just 369 * "wrapping" OpenSSL's routine, not replacing it. */ 370 SSL_CTX_set_cert_verify_callback(ssl_ctx, cert_verify_callback, 371 (void *) host); 372 #else // _WIN32 373 (void)crt; 374 #endif // _WIN32 375 376 // Create event base 377 base = event_base_new(); 378 if (!base) { 379 perror("event_base_new()"); 380 goto error; 381 } 382 383 // Create OpenSSL bufferevent and stack evhttp on top of it 384 ssl = SSL_new(ssl_ctx); 385 if (ssl == NULL) { 386 err_openssl("SSL_new()"); 387 goto error; 388 } 389 390 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 391 // Set hostname for SNI extension 392 SSL_set_tlsext_host_name(ssl, host); 393 #endif 394 395 if (strcasecmp(scheme, "http") == 0) { 396 bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE); 397 } else { 398 type = HTTPS; 399 bev = bufferevent_openssl_socket_new(base, -1, ssl, 400 BUFFEREVENT_SSL_CONNECTING, 401 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS); 402 } 403 404 if (bev == NULL) { 405 fprintf(stderr, "bufferevent_openssl_socket_new() failed\n"); 406 goto error; 407 } 408 409 bufferevent_openssl_set_allow_dirty_shutdown(bev, 1); 410 411 // For simplicity, we let DNS resolution block. Everything else should be 412 // asynchronous though. 413 evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev, 414 host, port); 415 if (evcon == NULL) { 416 fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n"); 417 goto error; 418 } 419 420 if (retries > 0) { 421 evhttp_connection_set_retries(evcon, retries); 422 } 423 if (timeout >= 0) { 424 evhttp_connection_set_timeout(evcon, timeout); 425 } 426 427 // Fire off the request 428 req = evhttp_request_new(http_request_done, bev); 429 if (req == NULL) { 430 fprintf(stderr, "evhttp_request_new() failed\n"); 431 goto error; 432 } 433 434 output_headers = evhttp_request_get_output_headers(req); 435 evhttp_add_header(output_headers, "Host", host); 436 evhttp_add_header(output_headers, "Connection", "close"); 437 438 if (data_file) { 439 /* NOTE: In production code, you'd probably want to use 440 * evbuffer_add_file() or evbuffer_add_file_segment(), to 441 * avoid needless copying. */ 442 FILE * f = fopen(data_file, "rb"); 443 char buf[1024]; 444 size_t s; 445 size_t bytes = 0; 446 447 if (!f) { 448 syntax(); 449 goto error; 450 } 451 452 output_buffer = evhttp_request_get_output_buffer(req); 453 while ((s = fread(buf, 1, sizeof(buf), f)) > 0) { 454 evbuffer_add(output_buffer, buf, s); 455 bytes += s; 456 } 457 evutil_snprintf(buf, sizeof(buf)-1, "%lu", (unsigned long)bytes); 458 evhttp_add_header(output_headers, "Content-Length", buf); 459 fclose(f); 460 } 461 462 r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri); 463 if (r != 0) { 464 fprintf(stderr, "evhttp_make_request() failed\n"); 465 goto error; 466 } 467 468 event_base_dispatch(base); 469 goto cleanup; 470 471 error: 472 ret = 1; 473 cleanup: 474 if (evcon) 475 evhttp_connection_free(evcon); 476 if (http_uri) 477 evhttp_uri_free(http_uri); 478 event_base_free(base); 479 480 if (ssl_ctx) 481 SSL_CTX_free(ssl_ctx); 482 if (type == HTTP && ssl) 483 SSL_free(ssl); 484 #if OPENSSL_VERSION_NUMBER < 0x10100000L 485 EVP_cleanup(); 486 ERR_free_strings(); 487 488 #ifdef EVENT__HAVE_ERR_REMOVE_THREAD_STATE 489 ERR_remove_thread_state(NULL); 490 #else 491 ERR_remove_state(0); 492 #endif 493 CRYPTO_cleanup_all_ex_data(); 494 495 sk_SSL_COMP_free(SSL_COMP_get_compression_methods()); 496 #endif /*OPENSSL_VERSION_NUMBER < 0x10100000L */ 497 498 #ifdef _WIN32 499 WSACleanup(); 500 #endif 501 502 return ret; 503 } 504