1 /* 2 This is an example of how to hook up evhttp with bufferevent_ssl 3 4 It just GETs an https URL given on the command-line and prints the response 5 body to stdout. 6 7 Actually, it also accepts plain http URLs to make it easy to compare http vs 8 https code paths. 9 10 Loosely based on le-proxy.c. 11 */ 12 13 // Get rid of OSX 10.7 and greater deprecation warnings. 14 #if defined(__APPLE__) && defined(__clang__) 15 #pragma clang diagnostic ignored "-Wdeprecated-declarations" 16 #endif 17 18 #include <stdio.h> 19 #include <assert.h> 20 #include <stdlib.h> 21 #include <string.h> 22 #include <errno.h> 23 24 #ifdef _WIN32 25 #include <winsock2.h> 26 #include <ws2tcpip.h> 27 28 #define snprintf _snprintf 29 #define strcasecmp _stricmp 30 #else 31 #include <sys/socket.h> 32 #include <netinet/in.h> 33 #endif 34 35 #include <event2/bufferevent_ssl.h> 36 #include <event2/bufferevent.h> 37 #include <event2/buffer.h> 38 #include <event2/listener.h> 39 #include <event2/util.h> 40 #include <event2/http.h> 41 42 #include <openssl/ssl.h> 43 #include <openssl/err.h> 44 #include <openssl/rand.h> 45 46 #include "openssl_hostname_validation.h" 47 48 static int ignore_cert = 0; 49 50 static void 51 http_request_done(struct evhttp_request *req, void *ctx) 52 { 53 char buffer[256]; 54 int nread; 55 56 if (!req || !evhttp_request_get_response_code(req)) { 57 /* If req is NULL, it means an error occurred, but 58 * sadly we are mostly left guessing what the error 59 * might have been. We'll do our best... */ 60 struct bufferevent *bev = (struct bufferevent *) ctx; 61 unsigned long oslerr; 62 int printed_err = 0; 63 int errcode = EVUTIL_SOCKET_ERROR(); 64 fprintf(stderr, "some request failed - no idea which one though!\n"); 65 /* Print out the OpenSSL error queue that libevent 66 * squirreled away for us, if any. */ 67 while ((oslerr = bufferevent_get_openssl_error(bev))) { 68 ERR_error_string_n(oslerr, buffer, sizeof(buffer)); 69 fprintf(stderr, "%s\n", buffer); 70 printed_err = 1; 71 } 72 /* If the OpenSSL error queue was empty, maybe it was a 73 * socket error; let's try printing that. */ 74 if (! printed_err) 75 fprintf(stderr, "socket error = %s (%d)\n", 76 evutil_socket_error_to_string(errcode), 77 errcode); 78 return; 79 } 80 81 fprintf(stderr, "Response line: %d %s\n", 82 evhttp_request_get_response_code(req), 83 evhttp_request_get_response_code_line(req)); 84 85 while ((nread = evbuffer_remove(evhttp_request_get_input_buffer(req), 86 buffer, sizeof(buffer))) 87 > 0) { 88 /* These are just arbitrary chunks of 256 bytes. 89 * They are not lines, so we can't treat them as such. */ 90 fwrite(buffer, nread, 1, stdout); 91 } 92 } 93 94 static void 95 syntax(void) 96 { 97 fputs("Syntax:\n", stderr); 98 fputs(" https-client -url <https-url> [-data data-file.bin] [-ignore-cert] [-retries num] [-timeout sec] [-crt crt]\n", stderr); 99 fputs("Example:\n", stderr); 100 fputs(" https-client -url https://ip.appspot.com/\n", stderr); 101 } 102 103 static void 104 err(const char *msg) 105 { 106 fputs(msg, stderr); 107 } 108 109 static void 110 err_openssl(const char *func) 111 { 112 fprintf (stderr, "%s failed:\n", func); 113 114 /* This is the OpenSSL function that prints the contents of the 115 * error stack to the specified file handle. */ 116 ERR_print_errors_fp (stderr); 117 118 exit(1); 119 } 120 121 /* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */ 122 static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg) 123 { 124 char cert_str[256]; 125 const char *host = (const char *) arg; 126 const char *res_str = "X509_verify_cert failed"; 127 HostnameValidationResult res = Error; 128 129 /* This is the function that OpenSSL would call if we hadn't called 130 * SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping" 131 * the default functionality, rather than replacing it. */ 132 int ok_so_far = 0; 133 134 X509 *server_cert = NULL; 135 136 if (ignore_cert) { 137 return 1; 138 } 139 140 ok_so_far = X509_verify_cert(x509_ctx); 141 142 server_cert = X509_STORE_CTX_get_current_cert(x509_ctx); 143 144 if (ok_so_far) { 145 res = validate_hostname(host, server_cert); 146 147 switch (res) { 148 case MatchFound: 149 res_str = "MatchFound"; 150 break; 151 case MatchNotFound: 152 res_str = "MatchNotFound"; 153 break; 154 case NoSANPresent: 155 res_str = "NoSANPresent"; 156 break; 157 case MalformedCertificate: 158 res_str = "MalformedCertificate"; 159 break; 160 case Error: 161 res_str = "Error"; 162 break; 163 default: 164 res_str = "WTF!"; 165 break; 166 } 167 } 168 169 X509_NAME_oneline(X509_get_subject_name (server_cert), 170 cert_str, sizeof (cert_str)); 171 172 if (res == MatchFound) { 173 printf("https server '%s' has this certificate, " 174 "which looks good to me:\n%s\n", 175 host, cert_str); 176 return 1; 177 } else { 178 printf("Got '%s' for hostname '%s' and certificate:\n%s\n", 179 res_str, host, cert_str); 180 return 0; 181 } 182 } 183 184 #ifdef _WIN32 185 static int 186 add_cert_for_store(X509_STORE *store, const char *name) 187 { 188 HCERTSTORE sys_store = NULL; 189 PCCERT_CONTEXT ctx = NULL; 190 int r = 0; 191 192 sys_store = CertOpenSystemStore(0, name); 193 if (!sys_store) { 194 err("failed to open system certificate store"); 195 return -1; 196 } 197 while ((ctx = CertEnumCertificatesInStore(sys_store, ctx))) { 198 X509 *x509 = d2i_X509(NULL, (unsigned char const **)&ctx->pbCertEncoded, 199 ctx->cbCertEncoded); 200 if (x509) { 201 X509_STORE_add_cert(store, x509); 202 X509_free(x509); 203 } else { 204 r = -1; 205 err_openssl("d2i_X509"); 206 break; 207 } 208 } 209 CertCloseStore(sys_store, 0); 210 return r; 211 } 212 #endif 213 214 int 215 main(int argc, char **argv) 216 { 217 int r; 218 struct event_base *base = NULL; 219 struct evhttp_uri *http_uri = NULL; 220 const char *url = NULL, *data_file = NULL; 221 const char *crt = NULL; 222 const char *scheme, *host, *path, *query; 223 char uri[256]; 224 int port; 225 int retries = 0; 226 int timeout = -1; 227 228 SSL_CTX *ssl_ctx = NULL; 229 SSL *ssl = NULL; 230 struct bufferevent *bev; 231 struct evhttp_connection *evcon = NULL; 232 struct evhttp_request *req; 233 struct evkeyvalq *output_headers; 234 struct evbuffer *output_buffer; 235 236 int i; 237 int ret = 0; 238 enum { HTTP, HTTPS } type = HTTP; 239 240 for (i = 1; i < argc; i++) { 241 if (!strcmp("-url", argv[i])) { 242 if (i < argc - 1) { 243 url = argv[i + 1]; 244 } else { 245 syntax(); 246 goto error; 247 } 248 } else if (!strcmp("-crt", argv[i])) { 249 if (i < argc - 1) { 250 crt = argv[i + 1]; 251 } else { 252 syntax(); 253 goto error; 254 } 255 } else if (!strcmp("-ignore-cert", argv[i])) { 256 ignore_cert = 1; 257 } else if (!strcmp("-data", argv[i])) { 258 if (i < argc - 1) { 259 data_file = argv[i + 1]; 260 } else { 261 syntax(); 262 goto error; 263 } 264 } else if (!strcmp("-retries", argv[i])) { 265 if (i < argc - 1) { 266 retries = atoi(argv[i + 1]); 267 } else { 268 syntax(); 269 goto error; 270 } 271 } else if (!strcmp("-timeout", argv[i])) { 272 if (i < argc - 1) { 273 timeout = atoi(argv[i + 1]); 274 } else { 275 syntax(); 276 goto error; 277 } 278 } else if (!strcmp("-help", argv[i])) { 279 syntax(); 280 goto error; 281 } 282 } 283 284 if (!url) { 285 syntax(); 286 goto error; 287 } 288 289 #ifdef _WIN32 290 { 291 WORD wVersionRequested; 292 WSADATA wsaData; 293 int err; 294 295 wVersionRequested = MAKEWORD(2, 2); 296 297 err = WSAStartup(wVersionRequested, &wsaData); 298 if (err != 0) { 299 printf("WSAStartup failed with error: %d\n", err); 300 goto error; 301 } 302 } 303 #endif // _WIN32 304 305 http_uri = evhttp_uri_parse(url); 306 if (http_uri == NULL) { 307 err("malformed url"); 308 goto error; 309 } 310 311 scheme = evhttp_uri_get_scheme(http_uri); 312 if (scheme == NULL || (strcasecmp(scheme, "https") != 0 && 313 strcasecmp(scheme, "http") != 0)) { 314 err("url must be http or https"); 315 goto error; 316 } 317 318 host = evhttp_uri_get_host(http_uri); 319 if (host == NULL) { 320 err("url must have a host"); 321 goto error; 322 } 323 324 port = evhttp_uri_get_port(http_uri); 325 if (port == -1) { 326 port = (strcasecmp(scheme, "http") == 0) ? 80 : 443; 327 } 328 329 path = evhttp_uri_get_path(http_uri); 330 if (strlen(path) == 0) { 331 path = "/"; 332 } 333 334 query = evhttp_uri_get_query(http_uri); 335 if (query == NULL) { 336 snprintf(uri, sizeof(uri) - 1, "%s", path); 337 } else { 338 snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query); 339 } 340 uri[sizeof(uri) - 1] = '\0'; 341 342 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \ 343 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) 344 // Initialize OpenSSL 345 SSL_library_init(); 346 ERR_load_crypto_strings(); 347 SSL_load_error_strings(); 348 OpenSSL_add_all_algorithms(); 349 #endif 350 351 /* This isn't strictly necessary... OpenSSL performs RAND_poll 352 * automatically on first use of random number generator. */ 353 r = RAND_poll(); 354 if (r == 0) { 355 err_openssl("RAND_poll"); 356 goto error; 357 } 358 359 /* Create a new OpenSSL context */ 360 ssl_ctx = SSL_CTX_new(SSLv23_method()); 361 if (!ssl_ctx) { 362 err_openssl("SSL_CTX_new"); 363 goto error; 364 } 365 366 if (crt == NULL) { 367 X509_STORE *store; 368 /* Attempt to use the system's trusted root certificates. */ 369 store = SSL_CTX_get_cert_store(ssl_ctx); 370 #ifdef _WIN32 371 if (add_cert_for_store(store, "CA") < 0 || 372 add_cert_for_store(store, "AuthRoot") < 0 || 373 add_cert_for_store(store, "ROOT") < 0) { 374 goto error; 375 } 376 #else // _WIN32 377 if (X509_STORE_set_default_paths(store) != 1) { 378 err_openssl("X509_STORE_set_default_paths"); 379 goto error; 380 } 381 #endif // _WIN32 382 } else { 383 if (SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL) != 1) { 384 err_openssl("SSL_CTX_load_verify_locations"); 385 goto error; 386 } 387 } 388 /* Ask OpenSSL to verify the server certificate. Note that this 389 * does NOT include verifying that the hostname is correct. 390 * So, by itself, this means anyone with any legitimate 391 * CA-issued certificate for any website, can impersonate any 392 * other website in the world. This is not good. See "The 393 * Most Dangerous Code in the World" article at 394 * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html 395 */ 396 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); 397 /* This is how we solve the problem mentioned in the previous 398 * comment. We "wrap" OpenSSL's validation routine in our 399 * own routine, which also validates the hostname by calling 400 * the code provided by iSECPartners. Note that even though 401 * the "Everything You've Always Wanted to Know About 402 * Certificate Validation With OpenSSL (But Were Afraid to 403 * Ask)" paper from iSECPartners says very explicitly not to 404 * call SSL_CTX_set_cert_verify_callback (at the bottom of 405 * page 2), what we're doing here is safe because our 406 * cert_verify_callback() calls X509_verify_cert(), which is 407 * OpenSSL's built-in routine which would have been called if 408 * we hadn't set the callback. Therefore, we're just 409 * "wrapping" OpenSSL's routine, not replacing it. */ 410 SSL_CTX_set_cert_verify_callback(ssl_ctx, cert_verify_callback, 411 (void *) host); 412 413 // Create event base 414 base = event_base_new(); 415 if (!base) { 416 perror("event_base_new()"); 417 goto error; 418 } 419 420 // Create OpenSSL bufferevent and stack evhttp on top of it 421 ssl = SSL_new(ssl_ctx); 422 if (ssl == NULL) { 423 err_openssl("SSL_new()"); 424 goto error; 425 } 426 427 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 428 // Set hostname for SNI extension 429 SSL_set_tlsext_host_name(ssl, host); 430 #endif 431 432 if (strcasecmp(scheme, "http") == 0) { 433 bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE); 434 } else { 435 type = HTTPS; 436 bev = bufferevent_openssl_socket_new(base, -1, ssl, 437 BUFFEREVENT_SSL_CONNECTING, 438 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS); 439 } 440 441 if (bev == NULL) { 442 fprintf(stderr, "bufferevent_openssl_socket_new() failed\n"); 443 goto error; 444 } 445 446 bufferevent_openssl_set_allow_dirty_shutdown(bev, 1); 447 448 // For simplicity, we let DNS resolution block. Everything else should be 449 // asynchronous though. 450 evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev, 451 host, port); 452 if (evcon == NULL) { 453 fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n"); 454 goto error; 455 } 456 457 if (retries > 0) { 458 evhttp_connection_set_retries(evcon, retries); 459 } 460 if (timeout >= 0) { 461 evhttp_connection_set_timeout(evcon, timeout); 462 } 463 464 // Fire off the request 465 req = evhttp_request_new(http_request_done, bev); 466 if (req == NULL) { 467 fprintf(stderr, "evhttp_request_new() failed\n"); 468 goto error; 469 } 470 471 output_headers = evhttp_request_get_output_headers(req); 472 evhttp_add_header(output_headers, "Host", host); 473 evhttp_add_header(output_headers, "Connection", "close"); 474 475 if (data_file) { 476 /* NOTE: In production code, you'd probably want to use 477 * evbuffer_add_file() or evbuffer_add_file_segment(), to 478 * avoid needless copying. */ 479 FILE * f = fopen(data_file, "rb"); 480 char buf[1024]; 481 size_t s; 482 size_t bytes = 0; 483 484 if (!f) { 485 syntax(); 486 goto error; 487 } 488 489 output_buffer = evhttp_request_get_output_buffer(req); 490 while ((s = fread(buf, 1, sizeof(buf), f)) > 0) { 491 evbuffer_add(output_buffer, buf, s); 492 bytes += s; 493 } 494 evutil_snprintf(buf, sizeof(buf)-1, "%lu", (unsigned long)bytes); 495 evhttp_add_header(output_headers, "Content-Length", buf); 496 fclose(f); 497 } 498 499 r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri); 500 if (r != 0) { 501 fprintf(stderr, "evhttp_make_request() failed\n"); 502 goto error; 503 } 504 505 event_base_dispatch(base); 506 goto cleanup; 507 508 error: 509 ret = 1; 510 cleanup: 511 if (evcon) 512 evhttp_connection_free(evcon); 513 if (http_uri) 514 evhttp_uri_free(http_uri); 515 if (base) 516 event_base_free(base); 517 518 if (ssl_ctx) 519 SSL_CTX_free(ssl_ctx); 520 if (type == HTTP && ssl) 521 SSL_free(ssl); 522 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \ 523 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) 524 EVP_cleanup(); 525 ERR_free_strings(); 526 527 #if OPENSSL_VERSION_NUMBER < 0x10000000L 528 ERR_remove_state(0); 529 #else 530 ERR_remove_thread_state(NULL); 531 #endif 532 533 CRYPTO_cleanup_all_ex_data(); 534 535 sk_SSL_COMP_free(SSL_COMP_get_compression_methods()); 536 #endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || \ 537 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) */ 538 539 #ifdef _WIN32 540 WSACleanup(); 541 #endif 542 543 return ret; 544 } 545