You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
545 lines
13 KiB
545 lines
13 KiB
/*
|
|
This is an example of how to hook up evhttp with bufferevent_ssl
|
|
|
|
It just GETs an https URL given on the command-line and prints the response
|
|
body to stdout.
|
|
|
|
Actually, it also accepts plain http URLs to make it easy to compare http vs
|
|
https code paths.
|
|
|
|
Loosely based on le-proxy.c.
|
|
*/
|
|
|
|
// Get rid of OSX 10.7 and greater deprecation warnings.
|
|
#if defined(__APPLE__) && defined(__clang__)
|
|
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
|
|
#endif
|
|
|
|
#include <stdio.h>
|
|
#include <assert.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
|
|
#ifdef _WIN32
|
|
#include <winsock2.h>
|
|
#include <ws2tcpip.h>
|
|
|
|
#define snprintf _snprintf
|
|
#define strcasecmp _stricmp
|
|
#else
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
#endif
|
|
|
|
#include <event2/bufferevent_ssl.h>
|
|
#include <event2/bufferevent.h>
|
|
#include <event2/buffer.h>
|
|
#include <event2/listener.h>
|
|
#include <event2/util.h>
|
|
#include <event2/http.h>
|
|
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/rand.h>
|
|
|
|
#include "openssl_hostname_validation.h"
|
|
|
|
static int ignore_cert = 0;
|
|
|
|
static void
|
|
http_request_done(struct evhttp_request *req, void *ctx)
|
|
{
|
|
char buffer[256];
|
|
int nread;
|
|
|
|
if (!req || !evhttp_request_get_response_code(req)) {
|
|
/* If req is NULL, it means an error occurred, but
|
|
* sadly we are mostly left guessing what the error
|
|
* might have been. We'll do our best... */
|
|
struct bufferevent *bev = (struct bufferevent *) ctx;
|
|
unsigned long oslerr;
|
|
int printed_err = 0;
|
|
int errcode = EVUTIL_SOCKET_ERROR();
|
|
fprintf(stderr, "some request failed - no idea which one though!\n");
|
|
/* Print out the OpenSSL error queue that libevent
|
|
* squirreled away for us, if any. */
|
|
while ((oslerr = bufferevent_get_openssl_error(bev))) {
|
|
ERR_error_string_n(oslerr, buffer, sizeof(buffer));
|
|
fprintf(stderr, "%s\n", buffer);
|
|
printed_err = 1;
|
|
}
|
|
/* If the OpenSSL error queue was empty, maybe it was a
|
|
* socket error; let's try printing that. */
|
|
if (! printed_err)
|
|
fprintf(stderr, "socket error = %s (%d)\n",
|
|
evutil_socket_error_to_string(errcode),
|
|
errcode);
|
|
return;
|
|
}
|
|
|
|
fprintf(stderr, "Response line: %d %s\n",
|
|
evhttp_request_get_response_code(req),
|
|
evhttp_request_get_response_code_line(req));
|
|
|
|
while ((nread = evbuffer_remove(evhttp_request_get_input_buffer(req),
|
|
buffer, sizeof(buffer)))
|
|
> 0) {
|
|
/* These are just arbitrary chunks of 256 bytes.
|
|
* They are not lines, so we can't treat them as such. */
|
|
fwrite(buffer, nread, 1, stdout);
|
|
}
|
|
}
|
|
|
|
static void
|
|
syntax(void)
|
|
{
|
|
fputs("Syntax:\n", stderr);
|
|
fputs(" https-client -url <https-url> [-data data-file.bin] [-ignore-cert] [-retries num] [-timeout sec] [-crt crt]\n", stderr);
|
|
fputs("Example:\n", stderr);
|
|
fputs(" https-client -url https://ip.appspot.com/\n", stderr);
|
|
}
|
|
|
|
static void
|
|
err(const char *msg)
|
|
{
|
|
fputs(msg, stderr);
|
|
}
|
|
|
|
static void
|
|
err_openssl(const char *func)
|
|
{
|
|
fprintf (stderr, "%s failed:\n", func);
|
|
|
|
/* This is the OpenSSL function that prints the contents of the
|
|
* error stack to the specified file handle. */
|
|
ERR_print_errors_fp (stderr);
|
|
|
|
exit(1);
|
|
}
|
|
|
|
/* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */
|
|
static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg)
|
|
{
|
|
char cert_str[256];
|
|
const char *host = (const char *) arg;
|
|
const char *res_str = "X509_verify_cert failed";
|
|
HostnameValidationResult res = Error;
|
|
|
|
/* This is the function that OpenSSL would call if we hadn't called
|
|
* SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping"
|
|
* the default functionality, rather than replacing it. */
|
|
int ok_so_far = 0;
|
|
|
|
X509 *server_cert = NULL;
|
|
|
|
if (ignore_cert) {
|
|
return 1;
|
|
}
|
|
|
|
ok_so_far = X509_verify_cert(x509_ctx);
|
|
|
|
server_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
|
|
|
|
if (ok_so_far) {
|
|
res = validate_hostname(host, server_cert);
|
|
|
|
switch (res) {
|
|
case MatchFound:
|
|
res_str = "MatchFound";
|
|
break;
|
|
case MatchNotFound:
|
|
res_str = "MatchNotFound";
|
|
break;
|
|
case NoSANPresent:
|
|
res_str = "NoSANPresent";
|
|
break;
|
|
case MalformedCertificate:
|
|
res_str = "MalformedCertificate";
|
|
break;
|
|
case Error:
|
|
res_str = "Error";
|
|
break;
|
|
default:
|
|
res_str = "WTF!";
|
|
break;
|
|
}
|
|
}
|
|
|
|
X509_NAME_oneline(X509_get_subject_name (server_cert),
|
|
cert_str, sizeof (cert_str));
|
|
|
|
if (res == MatchFound) {
|
|
printf("https server '%s' has this certificate, "
|
|
"which looks good to me:\n%s\n",
|
|
host, cert_str);
|
|
return 1;
|
|
} else {
|
|
printf("Got '%s' for hostname '%s' and certificate:\n%s\n",
|
|
res_str, host, cert_str);
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
#ifdef _WIN32
|
|
static int
|
|
add_cert_for_store(X509_STORE *store, const char *name)
|
|
{
|
|
HCERTSTORE sys_store = NULL;
|
|
PCCERT_CONTEXT ctx = NULL;
|
|
int r = 0;
|
|
|
|
sys_store = CertOpenSystemStore(0, name);
|
|
if (!sys_store) {
|
|
err("failed to open system certificate store");
|
|
return -1;
|
|
}
|
|
while ((ctx = CertEnumCertificatesInStore(sys_store, ctx))) {
|
|
X509 *x509 = d2i_X509(NULL, (unsigned char const **)&ctx->pbCertEncoded,
|
|
ctx->cbCertEncoded);
|
|
if (x509) {
|
|
X509_STORE_add_cert(store, x509);
|
|
X509_free(x509);
|
|
} else {
|
|
r = -1;
|
|
err_openssl("d2i_X509");
|
|
break;
|
|
}
|
|
}
|
|
CertCloseStore(sys_store, 0);
|
|
return r;
|
|
}
|
|
#endif
|
|
|
|
int
|
|
main(int argc, char **argv)
|
|
{
|
|
int r;
|
|
struct event_base *base = NULL;
|
|
struct evhttp_uri *http_uri = NULL;
|
|
const char *url = NULL, *data_file = NULL;
|
|
const char *crt = NULL;
|
|
const char *scheme, *host, *path, *query;
|
|
char uri[256];
|
|
int port;
|
|
int retries = 0;
|
|
int timeout = -1;
|
|
|
|
SSL_CTX *ssl_ctx = NULL;
|
|
SSL *ssl = NULL;
|
|
struct bufferevent *bev;
|
|
struct evhttp_connection *evcon = NULL;
|
|
struct evhttp_request *req;
|
|
struct evkeyvalq *output_headers;
|
|
struct evbuffer *output_buffer;
|
|
|
|
int i;
|
|
int ret = 0;
|
|
enum { HTTP, HTTPS } type = HTTP;
|
|
|
|
for (i = 1; i < argc; i++) {
|
|
if (!strcmp("-url", argv[i])) {
|
|
if (i < argc - 1) {
|
|
url = argv[i + 1];
|
|
} else {
|
|
syntax();
|
|
goto error;
|
|
}
|
|
} else if (!strcmp("-crt", argv[i])) {
|
|
if (i < argc - 1) {
|
|
crt = argv[i + 1];
|
|
} else {
|
|
syntax();
|
|
goto error;
|
|
}
|
|
} else if (!strcmp("-ignore-cert", argv[i])) {
|
|
ignore_cert = 1;
|
|
} else if (!strcmp("-data", argv[i])) {
|
|
if (i < argc - 1) {
|
|
data_file = argv[i + 1];
|
|
} else {
|
|
syntax();
|
|
goto error;
|
|
}
|
|
} else if (!strcmp("-retries", argv[i])) {
|
|
if (i < argc - 1) {
|
|
retries = atoi(argv[i + 1]);
|
|
} else {
|
|
syntax();
|
|
goto error;
|
|
}
|
|
} else if (!strcmp("-timeout", argv[i])) {
|
|
if (i < argc - 1) {
|
|
timeout = atoi(argv[i + 1]);
|
|
} else {
|
|
syntax();
|
|
goto error;
|
|
}
|
|
} else if (!strcmp("-help", argv[i])) {
|
|
syntax();
|
|
goto error;
|
|
}
|
|
}
|
|
|
|
if (!url) {
|
|
syntax();
|
|
goto error;
|
|
}
|
|
|
|
#ifdef _WIN32
|
|
{
|
|
WORD wVersionRequested;
|
|
WSADATA wsaData;
|
|
int err;
|
|
|
|
wVersionRequested = MAKEWORD(2, 2);
|
|
|
|
err = WSAStartup(wVersionRequested, &wsaData);
|
|
if (err != 0) {
|
|
printf("WSAStartup failed with error: %d\n", err);
|
|
goto error;
|
|
}
|
|
}
|
|
#endif // _WIN32
|
|
|
|
http_uri = evhttp_uri_parse(url);
|
|
if (http_uri == NULL) {
|
|
err("malformed url");
|
|
goto error;
|
|
}
|
|
|
|
scheme = evhttp_uri_get_scheme(http_uri);
|
|
if (scheme == NULL || (strcasecmp(scheme, "https") != 0 &&
|
|
strcasecmp(scheme, "http") != 0)) {
|
|
err("url must be http or https");
|
|
goto error;
|
|
}
|
|
|
|
host = evhttp_uri_get_host(http_uri);
|
|
if (host == NULL) {
|
|
err("url must have a host");
|
|
goto error;
|
|
}
|
|
|
|
port = evhttp_uri_get_port(http_uri);
|
|
if (port == -1) {
|
|
port = (strcasecmp(scheme, "http") == 0) ? 80 : 443;
|
|
}
|
|
|
|
path = evhttp_uri_get_path(http_uri);
|
|
if (strlen(path) == 0) {
|
|
path = "/";
|
|
}
|
|
|
|
query = evhttp_uri_get_query(http_uri);
|
|
if (query == NULL) {
|
|
snprintf(uri, sizeof(uri) - 1, "%s", path);
|
|
} else {
|
|
snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query);
|
|
}
|
|
uri[sizeof(uri) - 1] = '\0';
|
|
|
|
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
|
|
(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
|
|
// Initialize OpenSSL
|
|
SSL_library_init();
|
|
ERR_load_crypto_strings();
|
|
SSL_load_error_strings();
|
|
OpenSSL_add_all_algorithms();
|
|
#endif
|
|
|
|
/* This isn't strictly necessary... OpenSSL performs RAND_poll
|
|
* automatically on first use of random number generator. */
|
|
r = RAND_poll();
|
|
if (r == 0) {
|
|
err_openssl("RAND_poll");
|
|
goto error;
|
|
}
|
|
|
|
/* Create a new OpenSSL context */
|
|
ssl_ctx = SSL_CTX_new(SSLv23_method());
|
|
if (!ssl_ctx) {
|
|
err_openssl("SSL_CTX_new");
|
|
goto error;
|
|
}
|
|
|
|
if (crt == NULL) {
|
|
X509_STORE *store;
|
|
/* Attempt to use the system's trusted root certificates. */
|
|
store = SSL_CTX_get_cert_store(ssl_ctx);
|
|
#ifdef _WIN32
|
|
if (add_cert_for_store(store, "CA") < 0 ||
|
|
add_cert_for_store(store, "AuthRoot") < 0 ||
|
|
add_cert_for_store(store, "ROOT") < 0) {
|
|
goto error;
|
|
}
|
|
#else // _WIN32
|
|
if (X509_STORE_set_default_paths(store) != 1) {
|
|
err_openssl("X509_STORE_set_default_paths");
|
|
goto error;
|
|
}
|
|
#endif // _WIN32
|
|
} else {
|
|
if (SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL) != 1) {
|
|
err_openssl("SSL_CTX_load_verify_locations");
|
|
goto error;
|
|
}
|
|
}
|
|
/* Ask OpenSSL to verify the server certificate. Note that this
|
|
* does NOT include verifying that the hostname is correct.
|
|
* So, by itself, this means anyone with any legitimate
|
|
* CA-issued certificate for any website, can impersonate any
|
|
* other website in the world. This is not good. See "The
|
|
* Most Dangerous Code in the World" article at
|
|
* https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
|
|
*/
|
|
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
|
|
/* This is how we solve the problem mentioned in the previous
|
|
* comment. We "wrap" OpenSSL's validation routine in our
|
|
* own routine, which also validates the hostname by calling
|
|
* the code provided by iSECPartners. Note that even though
|
|
* the "Everything You've Always Wanted to Know About
|
|
* Certificate Validation With OpenSSL (But Were Afraid to
|
|
* Ask)" paper from iSECPartners says very explicitly not to
|
|
* call SSL_CTX_set_cert_verify_callback (at the bottom of
|
|
* page 2), what we're doing here is safe because our
|
|
* cert_verify_callback() calls X509_verify_cert(), which is
|
|
* OpenSSL's built-in routine which would have been called if
|
|
* we hadn't set the callback. Therefore, we're just
|
|
* "wrapping" OpenSSL's routine, not replacing it. */
|
|
SSL_CTX_set_cert_verify_callback(ssl_ctx, cert_verify_callback,
|
|
(void *) host);
|
|
|
|
// Create event base
|
|
base = event_base_new();
|
|
if (!base) {
|
|
perror("event_base_new()");
|
|
goto error;
|
|
}
|
|
|
|
// Create OpenSSL bufferevent and stack evhttp on top of it
|
|
ssl = SSL_new(ssl_ctx);
|
|
if (ssl == NULL) {
|
|
err_openssl("SSL_new()");
|
|
goto error;
|
|
}
|
|
|
|
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
|
// Set hostname for SNI extension
|
|
SSL_set_tlsext_host_name(ssl, host);
|
|
#endif
|
|
|
|
if (strcasecmp(scheme, "http") == 0) {
|
|
bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE);
|
|
} else {
|
|
type = HTTPS;
|
|
bev = bufferevent_openssl_socket_new(base, -1, ssl,
|
|
BUFFEREVENT_SSL_CONNECTING,
|
|
BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
|
|
}
|
|
|
|
if (bev == NULL) {
|
|
fprintf(stderr, "bufferevent_openssl_socket_new() failed\n");
|
|
goto error;
|
|
}
|
|
|
|
bufferevent_openssl_set_allow_dirty_shutdown(bev, 1);
|
|
|
|
// For simplicity, we let DNS resolution block. Everything else should be
|
|
// asynchronous though.
|
|
evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev,
|
|
host, port);
|
|
if (evcon == NULL) {
|
|
fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n");
|
|
goto error;
|
|
}
|
|
|
|
if (retries > 0) {
|
|
evhttp_connection_set_retries(evcon, retries);
|
|
}
|
|
if (timeout >= 0) {
|
|
evhttp_connection_set_timeout(evcon, timeout);
|
|
}
|
|
|
|
// Fire off the request
|
|
req = evhttp_request_new(http_request_done, bev);
|
|
if (req == NULL) {
|
|
fprintf(stderr, "evhttp_request_new() failed\n");
|
|
goto error;
|
|
}
|
|
|
|
output_headers = evhttp_request_get_output_headers(req);
|
|
evhttp_add_header(output_headers, "Host", host);
|
|
evhttp_add_header(output_headers, "Connection", "close");
|
|
|
|
if (data_file) {
|
|
/* NOTE: In production code, you'd probably want to use
|
|
* evbuffer_add_file() or evbuffer_add_file_segment(), to
|
|
* avoid needless copying. */
|
|
FILE * f = fopen(data_file, "rb");
|
|
char buf[1024];
|
|
size_t s;
|
|
size_t bytes = 0;
|
|
|
|
if (!f) {
|
|
syntax();
|
|
goto error;
|
|
}
|
|
|
|
output_buffer = evhttp_request_get_output_buffer(req);
|
|
while ((s = fread(buf, 1, sizeof(buf), f)) > 0) {
|
|
evbuffer_add(output_buffer, buf, s);
|
|
bytes += s;
|
|
}
|
|
evutil_snprintf(buf, sizeof(buf)-1, "%lu", (unsigned long)bytes);
|
|
evhttp_add_header(output_headers, "Content-Length", buf);
|
|
fclose(f);
|
|
}
|
|
|
|
r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri);
|
|
if (r != 0) {
|
|
fprintf(stderr, "evhttp_make_request() failed\n");
|
|
goto error;
|
|
}
|
|
|
|
event_base_dispatch(base);
|
|
goto cleanup;
|
|
|
|
error:
|
|
ret = 1;
|
|
cleanup:
|
|
if (evcon)
|
|
evhttp_connection_free(evcon);
|
|
if (http_uri)
|
|
evhttp_uri_free(http_uri);
|
|
if (base)
|
|
event_base_free(base);
|
|
|
|
if (ssl_ctx)
|
|
SSL_CTX_free(ssl_ctx);
|
|
if (type == HTTP && ssl)
|
|
SSL_free(ssl);
|
|
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
|
|
(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
|
|
EVP_cleanup();
|
|
ERR_free_strings();
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10000000L
|
|
ERR_remove_state(0);
|
|
#else
|
|
ERR_remove_thread_state(NULL);
|
|
#endif
|
|
|
|
CRYPTO_cleanup_all_ex_data();
|
|
|
|
sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
|
|
#endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
|
|
(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) */
|
|
|
|
#ifdef _WIN32
|
|
WSACleanup();
|
|
#endif
|
|
|
|
return ret;
|
|
}
|