1 /* 2 This is an example of how to hook up evhttp with bufferevent_ssl 3 4 It just GETs an https URL given on the command-line and prints the response 5 body to stdout. 6 7 Actually, it also accepts plain http URLs to make it easy to compare http vs 8 https code paths. 9 10 Loosely based on le-proxy.c. 11 */ 12 13 #include <stdio.h> 14 #include <assert.h> 15 #include <stdlib.h> 16 #include <string.h> 17 #include <errno.h> 18 19 #ifdef WIN32 20 #include <winsock2.h> 21 #include <ws2tcpip.h> 22 #else 23 #include <sys/socket.h> 24 #include <netinet/in.h> 25 #endif 26 27 #include <event2/bufferevent_ssl.h> 28 #include <event2/bufferevent.h> 29 #include <event2/buffer.h> 30 #include <event2/listener.h> 31 #include <event2/util.h> 32 #include <event2/http.h> 33 #include <event2/http_struct.h> 34 35 #include <openssl/ssl.h> 36 #include <openssl/err.h> 37 #include <openssl/rand.h> 38 39 #include "openssl_hostname_validation.h" 40 41 static struct event_base *base; 42 static int ignore_cert = 0; 43 44 static void 45 http_request_done(struct evhttp_request *req, void *ctx) 46 { 47 char buffer[256]; 48 int nread; 49 50 if (req == NULL) { 51 /* If req is NULL, it means an error occurred, but 52 * sadly we are mostly left guessing what the error 53 * might have been. We'll do our best... */ 54 struct bufferevent *bev = (struct bufferevent *) ctx; 55 unsigned long oslerr; 56 int printed_err = 0; 57 int errcode = EVUTIL_SOCKET_ERROR(); 58 fprintf(stderr, "some request failed - no idea which one though!\n"); 59 /* Print out the OpenSSL error queue that libevent 60 * squirreled away for us, if any. */ 61 while ((oslerr = bufferevent_get_openssl_error(bev))) { 62 ERR_error_string_n(oslerr, buffer, sizeof(buffer)); 63 fprintf(stderr, "%s\n", buffer); 64 printed_err = 1; 65 } 66 /* If the OpenSSL error queue was empty, maybe it was a 67 * socket error; let's try printing that. */ 68 if (! printed_err) 69 fprintf(stderr, "socket error = %s (%d)\n", 70 evutil_socket_error_to_string(errcode), 71 errcode); 72 return; 73 } 74 75 fprintf(stderr, "Response line: %d %s\n", 76 req->response_code, req->response_code_line); 77 78 while ((nread = evbuffer_remove(req->input_buffer, buffer, sizeof(buffer))) 79 > 0) { 80 /* These are just arbitrary chunks of 256 bytes. 81 * They are not lines, so we can't treat them as such. */ 82 fwrite(buffer, nread, 1, stdout); 83 } 84 } 85 86 static void 87 syntax(void) 88 { 89 fputs("Syntax:\n", stderr); 90 fputs(" https-client -url <https-url> [-data data-file.bin] [-ignore-cert]\n", stderr); 91 fputs("Example:\n", stderr); 92 fputs(" https-client -url https://ip.appspot.com/\n", stderr); 93 94 exit(1); 95 } 96 97 static void 98 die(const char *msg) 99 { 100 fputs(msg, stderr); 101 exit(1); 102 } 103 104 static void 105 die_openssl(const char *func) 106 { 107 fprintf (stderr, "%s failed:\n", func); 108 109 /* This is the OpenSSL function that prints the contents of the 110 * error stack to the specified file handle. */ 111 ERR_print_errors_fp (stderr); 112 113 exit(1); 114 } 115 116 /* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */ 117 static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg) 118 { 119 if (ignore_cert) { 120 return 1; 121 } 122 123 char cert_str[256]; 124 const char *host = (const char *) arg; 125 const char *res_str = "X509_verify_cert failed"; 126 HostnameValidationResult res = Error; 127 128 /* This is the function that OpenSSL would call if we hadn't called 129 * SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping" 130 * the default functionality, rather than replacing it. */ 131 int ok_so_far = X509_verify_cert(x509_ctx); 132 133 X509 *server_cert = X509_STORE_CTX_get_current_cert(x509_ctx); 134 135 if (ok_so_far) { 136 res = validate_hostname(host, server_cert); 137 138 switch (res) { 139 case MatchFound: 140 res_str = "MatchFound"; 141 break; 142 case MatchNotFound: 143 res_str = "MatchNotFound"; 144 break; 145 case NoSANPresent: 146 res_str = "NoSANPresent"; 147 break; 148 case MalformedCertificate: 149 res_str = "MalformedCertificate"; 150 break; 151 case Error: 152 res_str = "Error"; 153 break; 154 default: 155 res_str = "WTF!"; 156 break; 157 } 158 } 159 160 X509_NAME_oneline(X509_get_subject_name (server_cert), 161 cert_str, sizeof (cert_str)); 162 163 if (res == MatchFound) { 164 printf("https server '%s' has this certificate, " 165 "which looks good to me:\n%s\n", 166 host, cert_str); 167 return 1; 168 } else { 169 printf("Got '%s' for hostname '%s' and certificate:\n%s\n", 170 res_str, host, cert_str); 171 return 0; 172 } 173 } 174 175 int 176 main(int argc, char **argv) 177 { 178 int r; 179 180 struct evhttp_uri *http_uri; 181 const char *url = 0, *scheme, *host, *path, *query, *data_file = 0; 182 char uri[256]; 183 int port; 184 185 SSL_CTX *ssl_ctx; 186 SSL *ssl; 187 struct bufferevent *bev; 188 struct evhttp_connection *evcon; 189 struct evhttp_request *req; 190 191 int i; 192 193 for (i = 1; i < argc; i++) { 194 if (!strcmp("-url", argv[i])) { 195 if (i < argc - 1) { 196 url = argv[i + 1]; 197 } else { 198 syntax(); 199 } 200 } else if (!strcmp("-ignore-cert", argv[i])) { 201 ignore_cert = 1; 202 } else if (!strcmp("-data", argv[i])) { 203 if (i < argc - 1) { 204 data_file = argv[i + 1]; 205 } else { 206 syntax(); 207 } 208 } else if (!strcmp("-help", argv[i])) { 209 syntax(); 210 } 211 } 212 213 if (!url) { 214 syntax(); 215 } 216 217 http_uri = evhttp_uri_parse(url); 218 if (http_uri == NULL) { 219 die("malformed url"); 220 } 221 222 scheme = evhttp_uri_get_scheme(http_uri); 223 if (scheme == NULL || (strcasecmp(scheme, "https") != 0 && 224 strcasecmp(scheme, "http") != 0)) { 225 die("url must be http or https"); 226 } 227 228 host = evhttp_uri_get_host(http_uri); 229 if (host == NULL) { 230 die("url must have a host"); 231 } 232 233 port = evhttp_uri_get_port(http_uri); 234 if (port == -1) { 235 port = (strcasecmp(scheme, "http") == 0) ? 80 : 443; 236 } 237 238 path = evhttp_uri_get_path(http_uri); 239 if (path == NULL) { 240 path = "/"; 241 } 242 243 query = evhttp_uri_get_query(http_uri); 244 if (query == NULL) { 245 snprintf(uri, sizeof(uri) - 1, "%s", path); 246 } else { 247 snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query); 248 } 249 uri[sizeof(uri) - 1] = '\0'; 250 251 // Initialize OpenSSL 252 SSL_library_init(); 253 ERR_load_crypto_strings(); 254 SSL_load_error_strings(); 255 OpenSSL_add_all_algorithms(); 256 257 /* This isn't strictly necessary... OpenSSL performs RAND_poll 258 * automatically on first use of random number generator. */ 259 r = RAND_poll(); 260 if (r == 0) { 261 die_openssl("RAND_poll"); 262 } 263 264 /* Create a new OpenSSL context */ 265 ssl_ctx = SSL_CTX_new(SSLv23_method()); 266 if (!ssl_ctx) 267 die_openssl("SSL_CTX_new"); 268 269 /* Attempt to use the system's trusted root certificates. 270 * (This path is only valid for Debian-based systems.) */ 271 if (1 != SSL_CTX_load_verify_locations(ssl_ctx, 272 "/etc/ssl/certs/ca-certificates.crt", 273 NULL)) 274 die_openssl("SSL_CTX_load_verify_locations"); 275 /* Ask OpenSSL to verify the server certificate. Note that this 276 * does NOT include verifying that the hostname is correct. 277 * So, by itself, this means anyone with any legitimate 278 * CA-issued certificate for any website, can impersonate any 279 * other website in the world. This is not good. See "The 280 * Most Dangerous Code in the World" article at 281 * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html 282 */ 283 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); 284 /* This is how we solve the problem mentioned in the previous 285 * comment. We "wrap" OpenSSL's validation routine in our 286 * own routine, which also validates the hostname by calling 287 * the code provided by iSECPartners. Note that even though 288 * the "Everything You've Always Wanted to Know About 289 * Certificate Validation With OpenSSL (But Were Afraid to 290 * Ask)" paper from iSECPartners says very explicitly not to 291 * call SSL_CTX_set_cert_verify_callback (at the bottom of 292 * page 2), what we're doing here is safe because our 293 * cert_verify_callback() calls X509_verify_cert(), which is 294 * OpenSSL's built-in routine which would have been called if 295 * we hadn't set the callback. Therefore, we're just 296 * "wrapping" OpenSSL's routine, not replacing it. */ 297 SSL_CTX_set_cert_verify_callback (ssl_ctx, cert_verify_callback, 298 (void *) host); 299 300 // Create event base 301 base = event_base_new(); 302 if (!base) { 303 perror("event_base_new()"); 304 return 1; 305 } 306 307 // Create OpenSSL bufferevent and stack evhttp on top of it 308 ssl = SSL_new(ssl_ctx); 309 if (ssl == NULL) { 310 die_openssl("SSL_new()"); 311 } 312 313 if (strcasecmp(scheme, "http") == 0) { 314 bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE); 315 } else { 316 bev = bufferevent_openssl_socket_new(base, -1, ssl, 317 BUFFEREVENT_SSL_CONNECTING, 318 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS); 319 } 320 321 if (bev == NULL) { 322 fprintf(stderr, "bufferevent_openssl_socket_new() failed\n"); 323 return 1; 324 } 325 326 bufferevent_openssl_set_allow_dirty_shutdown(bev, 1); 327 328 // For simplicity, we let DNS resolution block. Everything else should be 329 // asynchronous though. 330 evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev, 331 host, port); 332 if (evcon == NULL) { 333 fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n"); 334 return 1; 335 } 336 337 // Fire off the request 338 req = evhttp_request_new(http_request_done, bev); 339 if (req == NULL) { 340 fprintf(stderr, "evhttp_request_new() failed\n"); 341 return 1; 342 } 343 344 evhttp_add_header(req->output_headers, "Host", host); 345 evhttp_add_header(req->output_headers, "Connection", "close"); 346 347 if (data_file) { 348 FILE * f = fopen(data_file, "rb"); 349 char buf[1024]; 350 ssize_t s; 351 size_t bytes = 0; 352 353 if (!f) { 354 syntax(); 355 } 356 357 while ((s = fread(buf, 1, sizeof(buf), f)) > 0) { 358 evbuffer_add(req->output_buffer, buf, s); 359 bytes += s; 360 } 361 snprintf(buf, sizeof(buf)-1, "%lu", bytes); 362 evhttp_add_header(req->output_headers, "Content-Length", buf); 363 fclose(f); 364 } 365 366 r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri); 367 if (r != 0) { 368 fprintf(stderr, "evhttp_make_request() failed\n"); 369 return 1; 370 } 371 372 event_base_dispatch(base); 373 374 evhttp_connection_free(evcon); 375 event_base_free(base); 376 377 return 0; 378 } 379