https-client.c revision 1.1.1.2
1 /* $NetBSD: https-client.c,v 1.1.1.2 2021/04/07 02:43:15 christos Exp $ */ 2 /* 3 This is an example of how to hook up evhttp with bufferevent_ssl 4 5 It just GETs an https URL given on the command-line and prints the response 6 body to stdout. 7 8 Actually, it also accepts plain http URLs to make it easy to compare http vs 9 https code paths. 10 11 Loosely based on le-proxy.c. 12 */ 13 14 // Get rid of OSX 10.7 and greater deprecation warnings. 15 #if defined(__APPLE__) && defined(__clang__) 16 #pragma clang diagnostic ignored "-Wdeprecated-declarations" 17 #endif 18 19 #include <stdio.h> 20 #include <assert.h> 21 #include <stdlib.h> 22 #include <string.h> 23 #include <errno.h> 24 25 #ifdef _WIN32 26 #include <winsock2.h> 27 #include <ws2tcpip.h> 28 29 #define snprintf _snprintf 30 #define strcasecmp _stricmp 31 #else 32 #include <sys/socket.h> 33 #include <netinet/in.h> 34 #endif 35 36 #include <event2/bufferevent_ssl.h> 37 #include <event2/bufferevent.h> 38 #include <event2/buffer.h> 39 #include <event2/listener.h> 40 #include <event2/util.h> 41 #include <event2/http.h> 42 43 #include <openssl/ssl.h> 44 #include <openssl/err.h> 45 #include <openssl/rand.h> 46 47 #include "openssl_hostname_validation.h" 48 49 static int ignore_cert = 0; 50 51 static void 52 http_request_done(struct evhttp_request *req, void *ctx) 53 { 54 char buffer[256]; 55 int nread; 56 57 if (!req || !evhttp_request_get_response_code(req)) { 58 /* If req is NULL, it means an error occurred, but 59 * sadly we are mostly left guessing what the error 60 * might have been. We'll do our best... */ 61 struct bufferevent *bev = (struct bufferevent *) ctx; 62 unsigned long oslerr; 63 int printed_err = 0; 64 int errcode = EVUTIL_SOCKET_ERROR(); 65 fprintf(stderr, "some request failed - no idea which one though!\n"); 66 /* Print out the OpenSSL error queue that libevent 67 * squirreled away for us, if any. */ 68 while ((oslerr = bufferevent_get_openssl_error(bev))) { 69 ERR_error_string_n(oslerr, buffer, sizeof(buffer)); 70 fprintf(stderr, "%s\n", buffer); 71 printed_err = 1; 72 } 73 /* If the OpenSSL error queue was empty, maybe it was a 74 * socket error; let's try printing that. */ 75 if (! printed_err) 76 fprintf(stderr, "socket error = %s (%d)\n", 77 evutil_socket_error_to_string(errcode), 78 errcode); 79 return; 80 } 81 82 fprintf(stderr, "Response line: %d %s\n", 83 evhttp_request_get_response_code(req), 84 evhttp_request_get_response_code_line(req)); 85 86 while ((nread = evbuffer_remove(evhttp_request_get_input_buffer(req), 87 buffer, sizeof(buffer))) 88 > 0) { 89 /* These are just arbitrary chunks of 256 bytes. 90 * They are not lines, so we can't treat them as such. */ 91 fwrite(buffer, nread, 1, stdout); 92 } 93 } 94 95 static void 96 syntax(void) 97 { 98 fputs("Syntax:\n", stderr); 99 fputs(" https-client -url <https-url> [-data data-file.bin] [-ignore-cert] [-retries num] [-timeout sec] [-crt crt]\n", stderr); 100 fputs("Example:\n", stderr); 101 fputs(" https-client -url https://ip.appspot.com/\n", stderr); 102 } 103 104 static void 105 err(const char *msg) 106 { 107 fputs(msg, stderr); 108 } 109 110 static void 111 err_openssl(const char *func) 112 { 113 fprintf (stderr, "%s failed:\n", func); 114 115 /* This is the OpenSSL function that prints the contents of the 116 * error stack to the specified file handle. */ 117 ERR_print_errors_fp (stderr); 118 119 exit(1); 120 } 121 122 /* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */ 123 static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg) 124 { 125 char cert_str[256]; 126 const char *host = (const char *) arg; 127 const char *res_str = "X509_verify_cert failed"; 128 HostnameValidationResult res = Error; 129 130 /* This is the function that OpenSSL would call if we hadn't called 131 * SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping" 132 * the default functionality, rather than replacing it. */ 133 int ok_so_far = 0; 134 135 X509 *server_cert = NULL; 136 137 if (ignore_cert) { 138 return 1; 139 } 140 141 ok_so_far = X509_verify_cert(x509_ctx); 142 143 server_cert = X509_STORE_CTX_get_current_cert(x509_ctx); 144 145 if (ok_so_far) { 146 res = validate_hostname(host, server_cert); 147 148 switch (res) { 149 case MatchFound: 150 res_str = "MatchFound"; 151 break; 152 case MatchNotFound: 153 res_str = "MatchNotFound"; 154 break; 155 case NoSANPresent: 156 res_str = "NoSANPresent"; 157 break; 158 case MalformedCertificate: 159 res_str = "MalformedCertificate"; 160 break; 161 case Error: 162 res_str = "Error"; 163 break; 164 default: 165 res_str = "WTF!"; 166 break; 167 } 168 } 169 170 X509_NAME_oneline(X509_get_subject_name (server_cert), 171 cert_str, sizeof (cert_str)); 172 173 if (res == MatchFound) { 174 printf("https server '%s' has this certificate, " 175 "which looks good to me:\n%s\n", 176 host, cert_str); 177 return 1; 178 } else { 179 printf("Got '%s' for hostname '%s' and certificate:\n%s\n", 180 res_str, host, cert_str); 181 return 0; 182 } 183 } 184 185 #ifdef _WIN32 186 static int 187 add_cert_for_store(X509_STORE *store, const char *name) 188 { 189 HCERTSTORE sys_store = NULL; 190 PCCERT_CONTEXT ctx = NULL; 191 int r = 0; 192 193 sys_store = CertOpenSystemStore(0, name); 194 if (!sys_store) { 195 err("failed to open system certificate store"); 196 return -1; 197 } 198 while ((ctx = CertEnumCertificatesInStore(sys_store, ctx))) { 199 X509 *x509 = d2i_X509(NULL, (unsigned char const **)&ctx->pbCertEncoded, 200 ctx->cbCertEncoded); 201 if (x509) { 202 X509_STORE_add_cert(store, x509); 203 X509_free(x509); 204 } else { 205 r = -1; 206 err_openssl("d2i_X509"); 207 break; 208 } 209 } 210 CertCloseStore(sys_store, 0); 211 return r; 212 } 213 #endif 214 215 int 216 main(int argc, char **argv) 217 { 218 int r; 219 struct event_base *base = NULL; 220 struct evhttp_uri *http_uri = NULL; 221 const char *url = NULL, *data_file = NULL; 222 const char *crt = NULL; 223 const char *scheme, *host, *path, *query; 224 char uri[256]; 225 int port; 226 int retries = 0; 227 int timeout = -1; 228 229 SSL_CTX *ssl_ctx = NULL; 230 SSL *ssl = NULL; 231 struct bufferevent *bev; 232 struct evhttp_connection *evcon = NULL; 233 struct evhttp_request *req; 234 struct evkeyvalq *output_headers; 235 struct evbuffer *output_buffer; 236 237 int i; 238 int ret = 0; 239 enum { HTTP, HTTPS } type = HTTP; 240 241 for (i = 1; i < argc; i++) { 242 if (!strcmp("-url", argv[i])) { 243 if (i < argc - 1) { 244 url = argv[i + 1]; 245 } else { 246 syntax(); 247 goto error; 248 } 249 } else if (!strcmp("-crt", argv[i])) { 250 if (i < argc - 1) { 251 crt = argv[i + 1]; 252 } else { 253 syntax(); 254 goto error; 255 } 256 } else if (!strcmp("-ignore-cert", argv[i])) { 257 ignore_cert = 1; 258 } else if (!strcmp("-data", argv[i])) { 259 if (i < argc - 1) { 260 data_file = argv[i + 1]; 261 } else { 262 syntax(); 263 goto error; 264 } 265 } else if (!strcmp("-retries", argv[i])) { 266 if (i < argc - 1) { 267 retries = atoi(argv[i + 1]); 268 } else { 269 syntax(); 270 goto error; 271 } 272 } else if (!strcmp("-timeout", argv[i])) { 273 if (i < argc - 1) { 274 timeout = atoi(argv[i + 1]); 275 } else { 276 syntax(); 277 goto error; 278 } 279 } else if (!strcmp("-help", argv[i])) { 280 syntax(); 281 goto error; 282 } 283 } 284 285 if (!url) { 286 syntax(); 287 goto error; 288 } 289 290 #ifdef _WIN32 291 { 292 WORD wVersionRequested; 293 WSADATA wsaData; 294 int err; 295 296 wVersionRequested = MAKEWORD(2, 2); 297 298 err = WSAStartup(wVersionRequested, &wsaData); 299 if (err != 0) { 300 printf("WSAStartup failed with error: %d\n", err); 301 goto error; 302 } 303 } 304 #endif // _WIN32 305 306 http_uri = evhttp_uri_parse(url); 307 if (http_uri == NULL) { 308 err("malformed url"); 309 goto error; 310 } 311 312 scheme = evhttp_uri_get_scheme(http_uri); 313 if (scheme == NULL || (strcasecmp(scheme, "https") != 0 && 314 strcasecmp(scheme, "http") != 0)) { 315 err("url must be http or https"); 316 goto error; 317 } 318 319 host = evhttp_uri_get_host(http_uri); 320 if (host == NULL) { 321 err("url must have a host"); 322 goto error; 323 } 324 325 port = evhttp_uri_get_port(http_uri); 326 if (port == -1) { 327 port = (strcasecmp(scheme, "http") == 0) ? 80 : 443; 328 } 329 330 path = evhttp_uri_get_path(http_uri); 331 if (strlen(path) == 0) { 332 path = "/"; 333 } 334 335 query = evhttp_uri_get_query(http_uri); 336 if (query == NULL) { 337 snprintf(uri, sizeof(uri) - 1, "%s", path); 338 } else { 339 snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query); 340 } 341 uri[sizeof(uri) - 1] = '\0'; 342 343 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \ 344 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) 345 // Initialize OpenSSL 346 SSL_library_init(); 347 ERR_load_crypto_strings(); 348 SSL_load_error_strings(); 349 OpenSSL_add_all_algorithms(); 350 #endif 351 352 /* This isn't strictly necessary... OpenSSL performs RAND_poll 353 * automatically on first use of random number generator. */ 354 r = RAND_poll(); 355 if (r == 0) { 356 err_openssl("RAND_poll"); 357 goto error; 358 } 359 360 /* Create a new OpenSSL context */ 361 ssl_ctx = SSL_CTX_new(SSLv23_method()); 362 if (!ssl_ctx) { 363 err_openssl("SSL_CTX_new"); 364 goto error; 365 } 366 367 if (crt == NULL) { 368 X509_STORE *store; 369 /* Attempt to use the system's trusted root certificates. */ 370 store = SSL_CTX_get_cert_store(ssl_ctx); 371 #ifdef _WIN32 372 if (add_cert_for_store(store, "CA") < 0 || 373 add_cert_for_store(store, "AuthRoot") < 0 || 374 add_cert_for_store(store, "ROOT") < 0) { 375 goto error; 376 } 377 #else // _WIN32 378 if (X509_STORE_set_default_paths(store) != 1) { 379 err_openssl("X509_STORE_set_default_paths"); 380 goto error; 381 } 382 #endif // _WIN32 383 } else { 384 if (SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL) != 1) { 385 err_openssl("SSL_CTX_load_verify_locations"); 386 goto error; 387 } 388 } 389 /* Ask OpenSSL to verify the server certificate. Note that this 390 * does NOT include verifying that the hostname is correct. 391 * So, by itself, this means anyone with any legitimate 392 * CA-issued certificate for any website, can impersonate any 393 * other website in the world. This is not good. See "The 394 * Most Dangerous Code in the World" article at 395 * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html 396 */ 397 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); 398 /* This is how we solve the problem mentioned in the previous 399 * comment. We "wrap" OpenSSL's validation routine in our 400 * own routine, which also validates the hostname by calling 401 * the code provided by iSECPartners. Note that even though 402 * the "Everything You've Always Wanted to Know About 403 * Certificate Validation With OpenSSL (But Were Afraid to 404 * Ask)" paper from iSECPartners says very explicitly not to 405 * call SSL_CTX_set_cert_verify_callback (at the bottom of 406 * page 2), what we're doing here is safe because our 407 * cert_verify_callback() calls X509_verify_cert(), which is 408 * OpenSSL's built-in routine which would have been called if 409 * we hadn't set the callback. Therefore, we're just 410 * "wrapping" OpenSSL's routine, not replacing it. */ 411 SSL_CTX_set_cert_verify_callback(ssl_ctx, cert_verify_callback, 412 (void *) host); 413 414 // Create event base 415 base = event_base_new(); 416 if (!base) { 417 perror("event_base_new()"); 418 goto error; 419 } 420 421 // Create OpenSSL bufferevent and stack evhttp on top of it 422 ssl = SSL_new(ssl_ctx); 423 if (ssl == NULL) { 424 err_openssl("SSL_new()"); 425 goto error; 426 } 427 428 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 429 // Set hostname for SNI extension 430 SSL_set_tlsext_host_name(ssl, host); 431 #endif 432 433 if (strcasecmp(scheme, "http") == 0) { 434 bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE); 435 } else { 436 type = HTTPS; 437 bev = bufferevent_openssl_socket_new(base, -1, ssl, 438 BUFFEREVENT_SSL_CONNECTING, 439 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS); 440 } 441 442 if (bev == NULL) { 443 fprintf(stderr, "bufferevent_openssl_socket_new() failed\n"); 444 goto error; 445 } 446 447 bufferevent_openssl_set_allow_dirty_shutdown(bev, 1); 448 449 // For simplicity, we let DNS resolution block. Everything else should be 450 // asynchronous though. 451 evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev, 452 host, port); 453 if (evcon == NULL) { 454 fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n"); 455 goto error; 456 } 457 458 if (retries > 0) { 459 evhttp_connection_set_retries(evcon, retries); 460 } 461 if (timeout >= 0) { 462 evhttp_connection_set_timeout(evcon, timeout); 463 } 464 465 // Fire off the request 466 req = evhttp_request_new(http_request_done, bev); 467 if (req == NULL) { 468 fprintf(stderr, "evhttp_request_new() failed\n"); 469 goto error; 470 } 471 472 output_headers = evhttp_request_get_output_headers(req); 473 evhttp_add_header(output_headers, "Host", host); 474 evhttp_add_header(output_headers, "Connection", "close"); 475 476 if (data_file) { 477 /* NOTE: In production code, you'd probably want to use 478 * evbuffer_add_file() or evbuffer_add_file_segment(), to 479 * avoid needless copying. */ 480 FILE * f = fopen(data_file, "rb"); 481 char buf[1024]; 482 size_t s; 483 size_t bytes = 0; 484 485 if (!f) { 486 syntax(); 487 goto error; 488 } 489 490 output_buffer = evhttp_request_get_output_buffer(req); 491 while ((s = fread(buf, 1, sizeof(buf), f)) > 0) { 492 evbuffer_add(output_buffer, buf, s); 493 bytes += s; 494 } 495 evutil_snprintf(buf, sizeof(buf)-1, "%lu", (unsigned long)bytes); 496 evhttp_add_header(output_headers, "Content-Length", buf); 497 fclose(f); 498 } 499 500 r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri); 501 if (r != 0) { 502 fprintf(stderr, "evhttp_make_request() failed\n"); 503 goto error; 504 } 505 506 event_base_dispatch(base); 507 goto cleanup; 508 509 error: 510 ret = 1; 511 cleanup: 512 if (evcon) 513 evhttp_connection_free(evcon); 514 if (http_uri) 515 evhttp_uri_free(http_uri); 516 if (base) 517 event_base_free(base); 518 519 if (ssl_ctx) 520 SSL_CTX_free(ssl_ctx); 521 if (type == HTTP && ssl) 522 SSL_free(ssl); 523 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \ 524 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) 525 EVP_cleanup(); 526 ERR_free_strings(); 527 528 #if OPENSSL_VERSION_NUMBER < 0x10000000L 529 ERR_remove_state(0); 530 #else 531 ERR_remove_thread_state(NULL); 532 #endif 533 534 CRYPTO_cleanup_all_ex_data(); 535 536 sk_SSL_COMP_free(SSL_COMP_get_compression_methods()); 537 #endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || \ 538 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) */ 539 540 #ifdef _WIN32 541 WSACleanup(); 542 #endif 543 544 return ret; 545 } 546
Indexes created Sat Apr 18 00:22:28 UTC 2026