summaryrefslogtreecommitdiffstats
path: root/libevent/sample/https-client.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--libevent/sample/https-client.c544
1 files changed, 544 insertions, 0 deletions
diff --git a/libevent/sample/https-client.c b/libevent/sample/https-client.c
new file mode 100644
index 0000000..5136ace
--- /dev/null
+++ b/libevent/sample/https-client.c
@@ -0,0 +1,544 @@
+/*
+ This is an example of how to hook up evhttp with bufferevent_ssl
+
+ It just GETs an https URL given on the command-line and prints the response
+ body to stdout.
+
+ Actually, it also accepts plain http URLs to make it easy to compare http vs
+ https code paths.
+
+ Loosely based on le-proxy.c.
+ */
+
+// Get rid of OSX 10.7 and greater deprecation warnings.
+#if defined(__APPLE__) && defined(__clang__)
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+#endif
+
+#include <stdio.h>
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#ifdef _WIN32
+#include <winsock2.h>
+#include <ws2tcpip.h>
+
+#define snprintf _snprintf
+#define strcasecmp _stricmp
+#else
+#include <sys/socket.h>
+#include <netinet/in.h>
+#endif
+
+#include <event2/bufferevent_ssl.h>
+#include <event2/bufferevent.h>
+#include <event2/buffer.h>
+#include <event2/listener.h>
+#include <event2/util.h>
+#include <event2/http.h>
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+#include "openssl_hostname_validation.h"
+
+static int ignore_cert = 0;
+
+static void
+http_request_done(struct evhttp_request *req, void *ctx)
+{
+ char buffer[256];
+ int nread;
+
+ if (!req || !evhttp_request_get_response_code(req)) {
+ /* If req is NULL, it means an error occurred, but
+ * sadly we are mostly left guessing what the error
+ * might have been. We'll do our best... */
+ struct bufferevent *bev = (struct bufferevent *) ctx;
+ unsigned long oslerr;
+ int printed_err = 0;
+ int errcode = EVUTIL_SOCKET_ERROR();
+ fprintf(stderr, "some request failed - no idea which one though!\n");
+ /* Print out the OpenSSL error queue that libevent
+ * squirreled away for us, if any. */
+ while ((oslerr = bufferevent_get_openssl_error(bev))) {
+ ERR_error_string_n(oslerr, buffer, sizeof(buffer));
+ fprintf(stderr, "%s\n", buffer);
+ printed_err = 1;
+ }
+ /* If the OpenSSL error queue was empty, maybe it was a
+ * socket error; let's try printing that. */
+ if (! printed_err)
+ fprintf(stderr, "socket error = %s (%d)\n",
+ evutil_socket_error_to_string(errcode),
+ errcode);
+ return;
+ }
+
+ fprintf(stderr, "Response line: %d %s\n",
+ evhttp_request_get_response_code(req),
+ evhttp_request_get_response_code_line(req));
+
+ while ((nread = evbuffer_remove(evhttp_request_get_input_buffer(req),
+ buffer, sizeof(buffer)))
+ > 0) {
+ /* These are just arbitrary chunks of 256 bytes.
+ * They are not lines, so we can't treat them as such. */
+ fwrite(buffer, nread, 1, stdout);
+ }
+}
+
+static void
+syntax(void)
+{
+ fputs("Syntax:\n", stderr);
+ fputs(" https-client -url <https-url> [-data data-file.bin] [-ignore-cert] [-retries num] [-timeout sec] [-crt crt]\n", stderr);
+ fputs("Example:\n", stderr);
+ fputs(" https-client -url https://ip.appspot.com/\n", stderr);
+}
+
+static void
+err(const char *msg)
+{
+ fputs(msg, stderr);
+}
+
+static void
+err_openssl(const char *func)
+{
+ fprintf (stderr, "%s failed:\n", func);
+
+ /* This is the OpenSSL function that prints the contents of the
+ * error stack to the specified file handle. */
+ ERR_print_errors_fp (stderr);
+
+ exit(1);
+}
+
+/* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */
+static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg)
+{
+ char cert_str[256];
+ const char *host = (const char *) arg;
+ const char *res_str = "X509_verify_cert failed";
+ HostnameValidationResult res = Error;
+
+ /* This is the function that OpenSSL would call if we hadn't called
+ * SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping"
+ * the default functionality, rather than replacing it. */
+ int ok_so_far = 0;
+
+ X509 *server_cert = NULL;
+
+ if (ignore_cert) {
+ return 1;
+ }
+
+ ok_so_far = X509_verify_cert(x509_ctx);
+
+ server_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
+
+ if (ok_so_far) {
+ res = validate_hostname(host, server_cert);
+
+ switch (res) {
+ case MatchFound:
+ res_str = "MatchFound";
+ break;
+ case MatchNotFound:
+ res_str = "MatchNotFound";
+ break;
+ case NoSANPresent:
+ res_str = "NoSANPresent";
+ break;
+ case MalformedCertificate:
+ res_str = "MalformedCertificate";
+ break;
+ case Error:
+ res_str = "Error";
+ break;
+ default:
+ res_str = "WTF!";
+ break;
+ }
+ }
+
+ X509_NAME_oneline(X509_get_subject_name (server_cert),
+ cert_str, sizeof (cert_str));
+
+ if (res == MatchFound) {
+ printf("https server '%s' has this certificate, "
+ "which looks good to me:\n%s\n",
+ host, cert_str);
+ return 1;
+ } else {
+ printf("Got '%s' for hostname '%s' and certificate:\n%s\n",
+ res_str, host, cert_str);
+ return 0;
+ }
+}
+
+#ifdef _WIN32
+static int
+add_cert_for_store(X509_STORE *store, const char *name)
+{
+ HCERTSTORE sys_store = NULL;
+ PCCERT_CONTEXT ctx = NULL;
+ int r = 0;
+
+ sys_store = CertOpenSystemStore(0, name);
+ if (!sys_store) {
+ err("failed to open system certificate store");
+ return -1;
+ }
+ while ((ctx = CertEnumCertificatesInStore(sys_store, ctx))) {
+ X509 *x509 = d2i_X509(NULL, (unsigned char const **)&ctx->pbCertEncoded,
+ ctx->cbCertEncoded);
+ if (x509) {
+ X509_STORE_add_cert(store, x509);
+ X509_free(x509);
+ } else {
+ r = -1;
+ err_openssl("d2i_X509");
+ break;
+ }
+ }
+ CertCloseStore(sys_store, 0);
+ return r;
+}
+#endif
+
+int
+main(int argc, char **argv)
+{
+ int r;
+ struct event_base *base = NULL;
+ struct evhttp_uri *http_uri = NULL;
+ const char *url = NULL, *data_file = NULL;
+ const char *crt = NULL;
+ const char *scheme, *host, *path, *query;
+ char uri[256];
+ int port;
+ int retries = 0;
+ int timeout = -1;
+
+ SSL_CTX *ssl_ctx = NULL;
+ SSL *ssl = NULL;
+ struct bufferevent *bev;
+ struct evhttp_connection *evcon = NULL;
+ struct evhttp_request *req;
+ struct evkeyvalq *output_headers;
+ struct evbuffer *output_buffer;
+
+ int i;
+ int ret = 0;
+ enum { HTTP, HTTPS } type = HTTP;
+
+ for (i = 1; i < argc; i++) {
+ if (!strcmp("-url", argv[i])) {
+ if (i < argc - 1) {
+ url = argv[i + 1];
+ } else {
+ syntax();
+ goto error;
+ }
+ } else if (!strcmp("-crt", argv[i])) {
+ if (i < argc - 1) {
+ crt = argv[i + 1];
+ } else {
+ syntax();
+ goto error;
+ }
+ } else if (!strcmp("-ignore-cert", argv[i])) {
+ ignore_cert = 1;
+ } else if (!strcmp("-data", argv[i])) {
+ if (i < argc - 1) {
+ data_file = argv[i + 1];
+ } else {
+ syntax();
+ goto error;
+ }
+ } else if (!strcmp("-retries", argv[i])) {
+ if (i < argc - 1) {
+ retries = atoi(argv[i + 1]);
+ } else {
+ syntax();
+ goto error;
+ }
+ } else if (!strcmp("-timeout", argv[i])) {
+ if (i < argc - 1) {
+ timeout = atoi(argv[i + 1]);
+ } else {
+ syntax();
+ goto error;
+ }
+ } else if (!strcmp("-help", argv[i])) {
+ syntax();
+ goto error;
+ }
+ }
+
+ if (!url) {
+ syntax();
+ goto error;
+ }
+
+#ifdef _WIN32
+ {
+ WORD wVersionRequested;
+ WSADATA wsaData;
+ int err;
+
+ wVersionRequested = MAKEWORD(2, 2);
+
+ err = WSAStartup(wVersionRequested, &wsaData);
+ if (err != 0) {
+ printf("WSAStartup failed with error: %d\n", err);
+ goto error;
+ }
+ }
+#endif // _WIN32
+
+ http_uri = evhttp_uri_parse(url);
+ if (http_uri == NULL) {
+ err("malformed url");
+ goto error;
+ }
+
+ scheme = evhttp_uri_get_scheme(http_uri);
+ if (scheme == NULL || (strcasecmp(scheme, "https") != 0 &&
+ strcasecmp(scheme, "http") != 0)) {
+ err("url must be http or https");
+ goto error;
+ }
+
+ host = evhttp_uri_get_host(http_uri);
+ if (host == NULL) {
+ err("url must have a host");
+ goto error;
+ }
+
+ port = evhttp_uri_get_port(http_uri);
+ if (port == -1) {
+ port = (strcasecmp(scheme, "http") == 0) ? 80 : 443;
+ }
+
+ path = evhttp_uri_get_path(http_uri);
+ if (strlen(path) == 0) {
+ path = "/";
+ }
+
+ query = evhttp_uri_get_query(http_uri);
+ if (query == NULL) {
+ snprintf(uri, sizeof(uri) - 1, "%s", path);
+ } else {
+ snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query);
+ }
+ uri[sizeof(uri) - 1] = '\0';
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
+ // Initialize OpenSSL
+ SSL_library_init();
+ ERR_load_crypto_strings();
+ SSL_load_error_strings();
+ OpenSSL_add_all_algorithms();
+#endif
+
+ /* This isn't strictly necessary... OpenSSL performs RAND_poll
+ * automatically on first use of random number generator. */
+ r = RAND_poll();
+ if (r == 0) {
+ err_openssl("RAND_poll");
+ goto error;
+ }
+
+ /* Create a new OpenSSL context */
+ ssl_ctx = SSL_CTX_new(SSLv23_method());
+ if (!ssl_ctx) {
+ err_openssl("SSL_CTX_new");
+ goto error;
+ }
+
+ if (crt == NULL) {
+ X509_STORE *store;
+ /* Attempt to use the system's trusted root certificates. */
+ store = SSL_CTX_get_cert_store(ssl_ctx);
+#ifdef _WIN32
+ if (add_cert_for_store(store, "CA") < 0 ||
+ add_cert_for_store(store, "AuthRoot") < 0 ||
+ add_cert_for_store(store, "ROOT") < 0) {
+ goto error;
+ }
+#else // _WIN32
+ if (X509_STORE_set_default_paths(store) != 1) {
+ err_openssl("X509_STORE_set_default_paths");
+ goto error;
+ }
+#endif // _WIN32
+ } else {
+ if (SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL) != 1) {
+ err_openssl("SSL_CTX_load_verify_locations");
+ goto error;
+ }
+ }
+ /* Ask OpenSSL to verify the server certificate. Note that this
+ * does NOT include verifying that the hostname is correct.
+ * So, by itself, this means anyone with any legitimate
+ * CA-issued certificate for any website, can impersonate any
+ * other website in the world. This is not good. See "The
+ * Most Dangerous Code in the World" article at
+ * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
+ */
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+ /* This is how we solve the problem mentioned in the previous
+ * comment. We "wrap" OpenSSL's validation routine in our
+ * own routine, which also validates the hostname by calling
+ * the code provided by iSECPartners. Note that even though
+ * the "Everything You've Always Wanted to Know About
+ * Certificate Validation With OpenSSL (But Were Afraid to
+ * Ask)" paper from iSECPartners says very explicitly not to
+ * call SSL_CTX_set_cert_verify_callback (at the bottom of
+ * page 2), what we're doing here is safe because our
+ * cert_verify_callback() calls X509_verify_cert(), which is
+ * OpenSSL's built-in routine which would have been called if
+ * we hadn't set the callback. Therefore, we're just
+ * "wrapping" OpenSSL's routine, not replacing it. */
+ SSL_CTX_set_cert_verify_callback(ssl_ctx, cert_verify_callback,
+ (void *) host);
+
+ // Create event base
+ base = event_base_new();
+ if (!base) {
+ perror("event_base_new()");
+ goto error;
+ }
+
+ // Create OpenSSL bufferevent and stack evhttp on top of it
+ ssl = SSL_new(ssl_ctx);
+ if (ssl == NULL) {
+ err_openssl("SSL_new()");
+ goto error;
+ }
+
+ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ // Set hostname for SNI extension
+ SSL_set_tlsext_host_name(ssl, host);
+ #endif
+
+ if (strcasecmp(scheme, "http") == 0) {
+ bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE);
+ } else {
+ type = HTTPS;
+ bev = bufferevent_openssl_socket_new(base, -1, ssl,
+ BUFFEREVENT_SSL_CONNECTING,
+ BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
+ }
+
+ if (bev == NULL) {
+ fprintf(stderr, "bufferevent_openssl_socket_new() failed\n");
+ goto error;
+ }
+
+ bufferevent_openssl_set_allow_dirty_shutdown(bev, 1);
+
+ // For simplicity, we let DNS resolution block. Everything else should be
+ // asynchronous though.
+ evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev,
+ host, port);
+ if (evcon == NULL) {
+ fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n");
+ goto error;
+ }
+
+ if (retries > 0) {
+ evhttp_connection_set_retries(evcon, retries);
+ }
+ if (timeout >= 0) {
+ evhttp_connection_set_timeout(evcon, timeout);
+ }
+
+ // Fire off the request
+ req = evhttp_request_new(http_request_done, bev);
+ if (req == NULL) {
+ fprintf(stderr, "evhttp_request_new() failed\n");
+ goto error;
+ }
+
+ output_headers = evhttp_request_get_output_headers(req);
+ evhttp_add_header(output_headers, "Host", host);
+ evhttp_add_header(output_headers, "Connection", "close");
+
+ if (data_file) {
+ /* NOTE: In production code, you'd probably want to use
+ * evbuffer_add_file() or evbuffer_add_file_segment(), to
+ * avoid needless copying. */
+ FILE * f = fopen(data_file, "rb");
+ char buf[1024];
+ size_t s;
+ size_t bytes = 0;
+
+ if (!f) {
+ syntax();
+ goto error;
+ }
+
+ output_buffer = evhttp_request_get_output_buffer(req);
+ while ((s = fread(buf, 1, sizeof(buf), f)) > 0) {
+ evbuffer_add(output_buffer, buf, s);
+ bytes += s;
+ }
+ evutil_snprintf(buf, sizeof(buf)-1, "%lu", (unsigned long)bytes);
+ evhttp_add_header(output_headers, "Content-Length", buf);
+ fclose(f);
+ }
+
+ r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri);
+ if (r != 0) {
+ fprintf(stderr, "evhttp_make_request() failed\n");
+ goto error;
+ }
+
+ event_base_dispatch(base);
+ goto cleanup;
+
+error:
+ ret = 1;
+cleanup:
+ if (evcon)
+ evhttp_connection_free(evcon);
+ if (http_uri)
+ evhttp_uri_free(http_uri);
+ if (base)
+ event_base_free(base);
+
+ if (ssl_ctx)
+ SSL_CTX_free(ssl_ctx);
+ if (type == HTTP && ssl)
+ SSL_free(ssl);
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
+ EVP_cleanup();
+ ERR_free_strings();
+
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+ ERR_remove_state(0);
+#else
+ ERR_remove_thread_state(NULL);
+#endif
+
+ CRYPTO_cleanup_all_ex_data();
+
+ sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
+#endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) */
+
+#ifdef _WIN32
+ WSACleanup();
+#endif
+
+ return ret;
+}