xref: /libevent-2.1.12/sample/https-client.c (revision 90786eb0) 
1 /*
2   This is an example of how to hook up evhttp with bufferevent_ssl
3 
4   It just GETs an https URL given on the command-line and prints the response
5   body to stdout.
6 
7   Actually, it also accepts plain http URLs to make it easy to compare http vs
8   https code paths.
9 
10   Loosely based on le-proxy.c.
11  */
12 
13 #include <stdio.h>
14 #include <assert.h>
15 #include <stdlib.h>
16 #include <string.h>
17 #include <errno.h>
18 
19 #ifdef WIN32
20 #include <winsock2.h>
21 #include <ws2tcpip.h>
22 #else
23 #include <sys/socket.h>
24 #include <netinet/in.h>
25 #endif
26 
27 #include <event2/bufferevent_ssl.h>
28 #include <event2/bufferevent.h>
29 #include <event2/buffer.h>
30 #include <event2/listener.h>
31 #include <event2/util.h>
32 #include <event2/http.h>
33 
34 #include <openssl/ssl.h>
35 #include <openssl/err.h>
36 #include <openssl/rand.h>
37 
38 #include "openssl_hostname_validation.h"
39 
40 static struct event_base *base;
41 static int ignore_cert = 0;
42 
43 static void
44 http_request_done(struct evhttp_request *req, void *ctx)
45 {
46 	char buffer[256];
47 	int nread;
48 
49 	if (req == NULL) {
50 		/* If req is NULL, it means an error occurred, but
51 		 * sadly we are mostly left guessing what the error
52 		 * might have been.  We'll do our best... */
53 		struct bufferevent *bev = (struct bufferevent *) ctx;
54 		unsigned long oslerr;
55 		int printed_err = 0;
56 		int errcode = EVUTIL_SOCKET_ERROR();
57 		fprintf(stderr, "some request failed - no idea which one though!\n");
58 		/* Print out the OpenSSL error queue that libevent
59 		 * squirreled away for us, if any. */
60 		while ((oslerr = bufferevent_get_openssl_error(bev))) {
61 			ERR_error_string_n(oslerr, buffer, sizeof(buffer));
62 			fprintf(stderr, "%s\n", buffer);
63 			printed_err = 1;
64 		}
65 		/* If the OpenSSL error queue was empty, maybe it was a
66 		 * socket error; let's try printing that. */
67 		if (! printed_err)
68 			fprintf(stderr, "socket error = %s (%d)\n",
69 				evutil_socket_error_to_string(errcode),
70 				errcode);
71 		return;
72 	}
73 
74 	fprintf(stderr, "Response line: %d %s\n",
75 	    evhttp_request_get_response_code(req),
76 	    evhttp_request_get_response_code_line(req));
77 
78 	while ((nread = evbuffer_remove(evhttp_request_get_input_buffer(req),
79 		    buffer, sizeof(buffer)))
80 	       > 0) {
81 		/* These are just arbitrary chunks of 256 bytes.
82 		 * They are not lines, so we can't treat them as such. */
83 		fwrite(buffer, nread, 1, stdout);
84 	}
85 }
86 
87 static void
88 syntax(void)
89 {
90 	fputs("Syntax:\n", stderr);
91 	fputs("   https-client -url <https-url> [-data data-file.bin] [-ignore-cert]\n", stderr);
92 	fputs("Example:\n", stderr);
93 	fputs("   https-client -url https://ip.appspot.com/\n", stderr);
94 
95 	exit(1);
96 }
97 
98 static void
99 die(const char *msg)
100 {
101 	fputs(msg, stderr);
102 	exit(1);
103 }
104 
105 static void
106 die_openssl(const char *func)
107 {
108 	fprintf (stderr, "%s failed:\n", func);
109 
110 	/* This is the OpenSSL function that prints the contents of the
111 	 * error stack to the specified file handle. */
112 	ERR_print_errors_fp (stderr);
113 
114 	exit(1);
115 }
116 
117 /* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */
118 static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg)
119 {
120 	char cert_str[256];
121 	const char *host = (const char *) arg;
122 	const char *res_str = "X509_verify_cert failed";
123 	HostnameValidationResult res = Error;
124 
125 	/* This is the function that OpenSSL would call if we hadn't called
126 	 * SSL_CTX_set_cert_verify_callback().  Therefore, we are "wrapping"
127 	 * the default functionality, rather than replacing it. */
128 	int ok_so_far = 0;
129 
130 	X509 *server_cert = NULL;
131 
132 	if (ignore_cert) {
133 		return 1;
134 	}
135 
136 	ok_so_far = X509_verify_cert(x509_ctx);
137 
138 	server_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
139 
140 	if (ok_so_far) {
141 		res = validate_hostname(host, server_cert);
142 
143 		switch (res) {
144 		case MatchFound:
145 			res_str = "MatchFound";
146 			break;
147 		case MatchNotFound:
148 			res_str = "MatchNotFound";
149 			break;
150 		case NoSANPresent:
151 			res_str = "NoSANPresent";
152 			break;
153 		case MalformedCertificate:
154 			res_str = "MalformedCertificate";
155 			break;
156 		case Error:
157 			res_str = "Error";
158 			break;
159 		default:
160 			res_str = "WTF!";
161 			break;
162 		}
163 	}
164 
165 	X509_NAME_oneline(X509_get_subject_name (server_cert),
166 			  cert_str, sizeof (cert_str));
167 
168 	if (res == MatchFound) {
169 		printf("https server '%s' has this certificate, "
170 		       "which looks good to me:\n%s\n",
171 		       host, cert_str);
172 		return 1;
173 	} else {
174 		printf("Got '%s' for hostname '%s' and certificate:\n%s\n",
175 		       res_str, host, cert_str);
176 		return 0;
177 	}
178 }
179 
180 int
181 main(int argc, char **argv)
182 {
183 	int r;
184 
185 	struct evhttp_uri *http_uri;
186 	const char *url = NULL, *data_file = NULL;
187 	const char *scheme, *host, *path, *query;
188 	char uri[256];
189 	int port;
190 
191 	SSL_CTX *ssl_ctx;
192 	SSL *ssl;
193 	struct bufferevent *bev;
194 	struct evhttp_connection *evcon;
195 	struct evhttp_request *req;
196 	struct evkeyvalq *output_headers;
197 	struct evbuffer * output_buffer;
198 
199 	int i;
200 
201 	for (i = 1; i < argc; i++) {
202 		if (!strcmp("-url", argv[i])) {
203 			if (i < argc - 1) {
204 				url = argv[i + 1];
205 			} else {
206 				syntax();
207 			}
208 		} else if (!strcmp("-ignore-cert", argv[i])) {
209 			ignore_cert = 1;
210 		} else if (!strcmp("-data", argv[i])) {
211 			if (i < argc - 1) {
212 				data_file = argv[i + 1];
213 			} else {
214 				syntax();
215 			}
216 		} else if (!strcmp("-help", argv[i])) {
217 			syntax();
218 		}
219 	}
220 
221 	if (!url) {
222 		syntax();
223 	}
224 
225 	http_uri = evhttp_uri_parse(url);
226 	if (http_uri == NULL) {
227 		die("malformed url");
228 	}
229 
230 	scheme = evhttp_uri_get_scheme(http_uri);
231 	if (scheme == NULL || (strcasecmp(scheme, "https") != 0 &&
232 	                       strcasecmp(scheme, "http") != 0)) {
233 		die("url must be http or https");
234 	}
235 
236 	host = evhttp_uri_get_host(http_uri);
237 	if (host == NULL) {
238 		die("url must have a host");
239 	}
240 
241 	port = evhttp_uri_get_port(http_uri);
242 	if (port == -1) {
243 		port = (strcasecmp(scheme, "http") == 0) ? 80 : 443;
244 	}
245 
246 	path = evhttp_uri_get_path(http_uri);
247 	if (path == NULL) {
248 		path = "/";
249 	}
250 
251 	query = evhttp_uri_get_query(http_uri);
252 	if (query == NULL) {
253 		snprintf(uri, sizeof(uri) - 1, "%s", path);
254 	} else {
255 		snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query);
256 	}
257 	uri[sizeof(uri) - 1] = '\0';
258 
259 	// Initialize OpenSSL
260 	SSL_library_init();
261 	ERR_load_crypto_strings();
262 	SSL_load_error_strings();
263 	OpenSSL_add_all_algorithms();
264 
265 	/* This isn't strictly necessary... OpenSSL performs RAND_poll
266 	 * automatically on first use of random number generator. */
267 	r = RAND_poll();
268 	if (r == 0) {
269 		die_openssl("RAND_poll");
270 	}
271 
272 	/* Create a new OpenSSL context */
273 	ssl_ctx = SSL_CTX_new(SSLv23_method());
274 	if (!ssl_ctx)
275 		die_openssl("SSL_CTX_new");
276 
277 	/* Attempt to use the system's trusted root certificates.
278 	 * (This path is only valid for Debian-based systems.) */
279 	if (1 != SSL_CTX_load_verify_locations(ssl_ctx,
280 					       "/etc/ssl/certs/ca-certificates.crt",
281 					       NULL))
282 		die_openssl("SSL_CTX_load_verify_locations");
283 	/* Ask OpenSSL to verify the server certificate.  Note that this
284 	 * does NOT include verifying that the hostname is correct.
285 	 * So, by itself, this means anyone with any legitimate
286 	 * CA-issued certificate for any website, can impersonate any
287 	 * other website in the world.  This is not good.  See "The
288 	 * Most Dangerous Code in the World" article at
289 	 * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
290 	 */
291 	SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
292 	/* This is how we solve the problem mentioned in the previous
293 	 * comment.  We "wrap" OpenSSL's validation routine in our
294 	 * own routine, which also validates the hostname by calling
295 	 * the code provided by iSECPartners.  Note that even though
296 	 * the "Everything You've Always Wanted to Know About
297 	 * Certificate Validation With OpenSSL (But Were Afraid to
298 	 * Ask)" paper from iSECPartners says very explicitly not to
299 	 * call SSL_CTX_set_cert_verify_callback (at the bottom of
300 	 * page 2), what we're doing here is safe because our
301 	 * cert_verify_callback() calls X509_verify_cert(), which is
302 	 * OpenSSL's built-in routine which would have been called if
303 	 * we hadn't set the callback.  Therefore, we're just
304 	 * "wrapping" OpenSSL's routine, not replacing it. */
305 	SSL_CTX_set_cert_verify_callback (ssl_ctx, cert_verify_callback,
306 					  (void *) host);
307 
308 	// Create event base
309 	base = event_base_new();
310 	if (!base) {
311 		perror("event_base_new()");
312 		return 1;
313 	}
314 
315 	// Create OpenSSL bufferevent and stack evhttp on top of it
316 	ssl = SSL_new(ssl_ctx);
317 	if (ssl == NULL) {
318 		die_openssl("SSL_new()");
319 	}
320 
321 	if (strcasecmp(scheme, "http") == 0) {
322 		bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE);
323 	} else {
324 		bev = bufferevent_openssl_socket_new(base, -1, ssl,
325 			BUFFEREVENT_SSL_CONNECTING,
326 			BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
327 	}
328 
329 	if (bev == NULL) {
330 		fprintf(stderr, "bufferevent_openssl_socket_new() failed\n");
331 		return 1;
332 	}
333 
334 	bufferevent_openssl_set_allow_dirty_shutdown(bev, 1);
335 
336 	// For simplicity, we let DNS resolution block. Everything else should be
337 	// asynchronous though.
338 	evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev,
339 		host, port);
340 	if (evcon == NULL) {
341 		fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n");
342 		return 1;
343 	}
344 
345 	// Fire off the request
346 	req = evhttp_request_new(http_request_done, bev);
347 	if (req == NULL) {
348 		fprintf(stderr, "evhttp_request_new() failed\n");
349 		return 1;
350 	}
351 
352 	output_headers = evhttp_request_get_output_headers(req);
353 	evhttp_add_header(output_headers, "Host", host);
354 	evhttp_add_header(output_headers, "Connection", "close");
355 
356 	if (data_file) {
357 		/* NOTE: In production code, you'd probably want to use
358 		 * evbuffer_add_file() or evbuffer_add_file_segment(), to
359 		 * avoid needless copying. */
360 		FILE * f = fopen(data_file, "rb");
361 		char buf[1024];
362 		ssize_t s;
363 		size_t bytes = 0;
364 
365 		if (!f) {
366 			syntax();
367 		}
368 
369 		output_buffer = evhttp_request_get_output_buffer(req);
370 		while ((s = fread(buf, 1, sizeof(buf), f)) > 0) {
371 			evbuffer_add(output_buffer, buf, s);
372 			bytes += s;
373 		}
374 		evutil_snprintf(buf, sizeof(buf)-1, "%lu", bytes);
375 		evhttp_add_header(output_headers, "Content-Length", buf);
376 		fclose(f);
377 	}
378 
379 	r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri);
380 	if (r != 0) {
381 		fprintf(stderr, "evhttp_make_request() failed\n");
382 		return 1;
383 	}
384 
385 	event_base_dispatch(base);
386 
387 	evhttp_connection_free(evcon);
388 	event_base_free(base);
389 
390 	return 0;
391 }
392