1/*
2  This is an example of how to hook up evhttp with bufferevent_ssl
3
4  It just GETs an https URL given on the command-line and prints the response
5  body to stdout.
6
7  Actually, it also accepts plain http URLs to make it easy to compare http vs
8  https code paths.
9
10  Loosely based on le-proxy.c.
11 */
12
13// Get rid of OSX 10.7 and greater deprecation warnings.
14#if defined(__APPLE__) && defined(__clang__)
15#pragma clang diagnostic ignored "-Wdeprecated-declarations"
16#endif
17
18#include <stdio.h>
19#include <assert.h>
20#include <stdlib.h>
21#include <string.h>
22#include <errno.h>
23
24#ifdef _WIN32
25#include <winsock2.h>
26#include <ws2tcpip.h>
27
28#define snprintf _snprintf
29#define strcasecmp _stricmp
30#else
31#include <sys/socket.h>
32#include <netinet/in.h>
33#endif
34
35#include <event2/bufferevent_ssl.h>
36#include <event2/bufferevent.h>
37#include <event2/buffer.h>
38#include <event2/listener.h>
39#include <event2/util.h>
40#include <event2/http.h>
41
42#include <openssl/ssl.h>
43#include <openssl/err.h>
44#include <openssl/rand.h>
45
46#include "openssl_hostname_validation.h"
47
48static int ignore_cert = 0;
49
50static void
51http_request_done(struct evhttp_request *req, void *ctx)
52{
53	char buffer[256];
54	int nread;
55
56	if (!req || !evhttp_request_get_response_code(req)) {
57		/* If req is NULL, it means an error occurred, but
58		 * sadly we are mostly left guessing what the error
59		 * might have been.  We'll do our best... */
60		struct bufferevent *bev = (struct bufferevent *) ctx;
61		unsigned long oslerr;
62		int printed_err = 0;
63		int errcode = EVUTIL_SOCKET_ERROR();
64		fprintf(stderr, "some request failed - no idea which one though!\n");
65		/* Print out the OpenSSL error queue that libevent
66		 * squirreled away for us, if any. */
67		while ((oslerr = bufferevent_get_openssl_error(bev))) {
68			ERR_error_string_n(oslerr, buffer, sizeof(buffer));
69			fprintf(stderr, "%s\n", buffer);
70			printed_err = 1;
71		}
72		/* If the OpenSSL error queue was empty, maybe it was a
73		 * socket error; let's try printing that. */
74		if (! printed_err)
75			fprintf(stderr, "socket error = %s (%d)\n",
76				evutil_socket_error_to_string(errcode),
77				errcode);
78		return;
79	}
80
81	fprintf(stderr, "Response line: %d %s\n",
82	    evhttp_request_get_response_code(req),
83	    evhttp_request_get_response_code_line(req));
84
85	while ((nread = evbuffer_remove(evhttp_request_get_input_buffer(req),
86		    buffer, sizeof(buffer)))
87	       > 0) {
88		/* These are just arbitrary chunks of 256 bytes.
89		 * They are not lines, so we can't treat them as such. */
90		fwrite(buffer, nread, 1, stdout);
91	}
92}
93
94static void
95syntax(void)
96{
97	fputs("Syntax:\n", stderr);
98	fputs("   https-client -url <https-url> [-data data-file.bin] [-ignore-cert] [-retries num] [-timeout sec] [-crt crt]\n", stderr);
99	fputs("Example:\n", stderr);
100	fputs("   https-client -url https://ip.appspot.com/\n", stderr);
101}
102
103static void
104err(const char *msg)
105{
106	fputs(msg, stderr);
107}
108
109static void
110err_openssl(const char *func)
111{
112	fprintf (stderr, "%s failed:\n", func);
113
114	/* This is the OpenSSL function that prints the contents of the
115	 * error stack to the specified file handle. */
116	ERR_print_errors_fp (stderr);
117
118	exit(1);
119}
120
121/* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */
122static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg)
123{
124	char cert_str[256];
125	const char *host = (const char *) arg;
126	const char *res_str = "X509_verify_cert failed";
127	HostnameValidationResult res = Error;
128
129	/* This is the function that OpenSSL would call if we hadn't called
130	 * SSL_CTX_set_cert_verify_callback().  Therefore, we are "wrapping"
131	 * the default functionality, rather than replacing it. */
132	int ok_so_far = 0;
133
134	X509 *server_cert = NULL;
135
136	if (ignore_cert) {
137		return 1;
138	}
139
140	ok_so_far = X509_verify_cert(x509_ctx);
141
142	server_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
143
144	if (ok_so_far) {
145		res = validate_hostname(host, server_cert);
146
147		switch (res) {
148		case MatchFound:
149			res_str = "MatchFound";
150			break;
151		case MatchNotFound:
152			res_str = "MatchNotFound";
153			break;
154		case NoSANPresent:
155			res_str = "NoSANPresent";
156			break;
157		case MalformedCertificate:
158			res_str = "MalformedCertificate";
159			break;
160		case Error:
161			res_str = "Error";
162			break;
163		default:
164			res_str = "WTF!";
165			break;
166		}
167	}
168
169	X509_NAME_oneline(X509_get_subject_name (server_cert),
170			  cert_str, sizeof (cert_str));
171
172	if (res == MatchFound) {
173		printf("https server '%s' has this certificate, "
174		       "which looks good to me:\n%s\n",
175		       host, cert_str);
176		return 1;
177	} else {
178		printf("Got '%s' for hostname '%s' and certificate:\n%s\n",
179		       res_str, host, cert_str);
180		return 0;
181	}
182}
183
184#ifdef _WIN32
185static int
186add_cert_for_store(X509_STORE *store, const char *name)
187{
188	HCERTSTORE sys_store = NULL;
189	PCCERT_CONTEXT ctx = NULL;
190	int r = 0;
191
192	sys_store = CertOpenSystemStore(0, name);
193	if (!sys_store) {
194		err("failed to open system certificate store");
195		return -1;
196	}
197	while ((ctx = CertEnumCertificatesInStore(sys_store, ctx))) {
198		X509 *x509 = d2i_X509(NULL, (unsigned char const **)&ctx->pbCertEncoded,
199			ctx->cbCertEncoded);
200		if (x509) {
201			X509_STORE_add_cert(store, x509);
202			X509_free(x509);
203		} else {
204			r = -1;
205			err_openssl("d2i_X509");
206			break;
207		}
208	}
209	CertCloseStore(sys_store, 0);
210	return r;
211}
212#endif
213
214int
215main(int argc, char **argv)
216{
217	int r;
218	struct event_base *base = NULL;
219	struct evhttp_uri *http_uri = NULL;
220	const char *url = NULL, *data_file = NULL;
221	const char *crt = NULL;
222	const char *scheme, *host, *path, *query;
223	char uri[256];
224	int port;
225	int retries = 0;
226	int timeout = -1;
227
228	SSL_CTX *ssl_ctx = NULL;
229	SSL *ssl = NULL;
230	struct bufferevent *bev;
231	struct evhttp_connection *evcon = NULL;
232	struct evhttp_request *req;
233	struct evkeyvalq *output_headers;
234	struct evbuffer *output_buffer;
235
236	int i;
237	int ret = 0;
238	enum { HTTP, HTTPS } type = HTTP;
239
240	for (i = 1; i < argc; i++) {
241		if (!strcmp("-url", argv[i])) {
242			if (i < argc - 1) {
243				url = argv[i + 1];
244			} else {
245				syntax();
246				goto error;
247			}
248		} else if (!strcmp("-crt", argv[i])) {
249			if (i < argc - 1) {
250				crt = argv[i + 1];
251			} else {
252				syntax();
253				goto error;
254			}
255		} else if (!strcmp("-ignore-cert", argv[i])) {
256			ignore_cert = 1;
257		} else if (!strcmp("-data", argv[i])) {
258			if (i < argc - 1) {
259				data_file = argv[i + 1];
260			} else {
261				syntax();
262				goto error;
263			}
264		} else if (!strcmp("-retries", argv[i])) {
265			if (i < argc - 1) {
266				retries = atoi(argv[i + 1]);
267			} else {
268				syntax();
269				goto error;
270			}
271		} else if (!strcmp("-timeout", argv[i])) {
272			if (i < argc - 1) {
273				timeout = atoi(argv[i + 1]);
274			} else {
275				syntax();
276				goto error;
277			}
278		} else if (!strcmp("-help", argv[i])) {
279			syntax();
280			goto error;
281		}
282	}
283
284	if (!url) {
285		syntax();
286		goto error;
287	}
288
289#ifdef _WIN32
290	{
291		WORD wVersionRequested;
292		WSADATA wsaData;
293		int err;
294
295		wVersionRequested = MAKEWORD(2, 2);
296
297		err = WSAStartup(wVersionRequested, &wsaData);
298		if (err != 0) {
299			printf("WSAStartup failed with error: %d\n", err);
300			goto error;
301		}
302	}
303#endif // _WIN32
304
305	http_uri = evhttp_uri_parse(url);
306	if (http_uri == NULL) {
307		err("malformed url");
308		goto error;
309	}
310
311	scheme = evhttp_uri_get_scheme(http_uri);
312	if (scheme == NULL || (strcasecmp(scheme, "https") != 0 &&
313	                       strcasecmp(scheme, "http") != 0)) {
314		err("url must be http or https");
315		goto error;
316	}
317
318	host = evhttp_uri_get_host(http_uri);
319	if (host == NULL) {
320		err("url must have a host");
321		goto error;
322	}
323
324	port = evhttp_uri_get_port(http_uri);
325	if (port == -1) {
326		port = (strcasecmp(scheme, "http") == 0) ? 80 : 443;
327	}
328
329	path = evhttp_uri_get_path(http_uri);
330	if (strlen(path) == 0) {
331		path = "/";
332	}
333
334	query = evhttp_uri_get_query(http_uri);
335	if (query == NULL) {
336		snprintf(uri, sizeof(uri) - 1, "%s", path);
337	} else {
338		snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query);
339	}
340	uri[sizeof(uri) - 1] = '\0';
341
342#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
343	(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
344	// Initialize OpenSSL
345	SSL_library_init();
346	ERR_load_crypto_strings();
347	SSL_load_error_strings();
348	OpenSSL_add_all_algorithms();
349#endif
350
351	/* This isn't strictly necessary... OpenSSL performs RAND_poll
352	 * automatically on first use of random number generator. */
353	r = RAND_poll();
354	if (r == 0) {
355		err_openssl("RAND_poll");
356		goto error;
357	}
358
359	/* Create a new OpenSSL context */
360	ssl_ctx = SSL_CTX_new(SSLv23_method());
361	if (!ssl_ctx) {
362		err_openssl("SSL_CTX_new");
363		goto error;
364	}
365
366	if (crt == NULL) {
367		X509_STORE *store;
368		/* Attempt to use the system's trusted root certificates. */
369		store = SSL_CTX_get_cert_store(ssl_ctx);
370#ifdef _WIN32
371		if (add_cert_for_store(store, "CA") < 0 ||
372		    add_cert_for_store(store, "AuthRoot") < 0 ||
373		    add_cert_for_store(store, "ROOT") < 0) {
374			goto error;
375		}
376#else // _WIN32
377		if (X509_STORE_set_default_paths(store) != 1) {
378			err_openssl("X509_STORE_set_default_paths");
379			goto error;
380		}
381#endif // _WIN32
382	} else {
383		if (SSL_CTX_load_verify_locations(ssl_ctx, crt, NULL) != 1) {
384			err_openssl("SSL_CTX_load_verify_locations");
385			goto error;
386		}
387	}
388	/* Ask OpenSSL to verify the server certificate.  Note that this
389	 * does NOT include verifying that the hostname is correct.
390	 * So, by itself, this means anyone with any legitimate
391	 * CA-issued certificate for any website, can impersonate any
392	 * other website in the world.  This is not good.  See "The
393	 * Most Dangerous Code in the World" article at
394	 * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
395	 */
396	SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
397	/* This is how we solve the problem mentioned in the previous
398	 * comment.  We "wrap" OpenSSL's validation routine in our
399	 * own routine, which also validates the hostname by calling
400	 * the code provided by iSECPartners.  Note that even though
401	 * the "Everything You've Always Wanted to Know About
402	 * Certificate Validation With OpenSSL (But Were Afraid to
403	 * Ask)" paper from iSECPartners says very explicitly not to
404	 * call SSL_CTX_set_cert_verify_callback (at the bottom of
405	 * page 2), what we're doing here is safe because our
406	 * cert_verify_callback() calls X509_verify_cert(), which is
407	 * OpenSSL's built-in routine which would have been called if
408	 * we hadn't set the callback.  Therefore, we're just
409	 * "wrapping" OpenSSL's routine, not replacing it. */
410	SSL_CTX_set_cert_verify_callback(ssl_ctx, cert_verify_callback,
411					  (void *) host);
412
413	// Create event base
414	base = event_base_new();
415	if (!base) {
416		perror("event_base_new()");
417		goto error;
418	}
419
420	// Create OpenSSL bufferevent and stack evhttp on top of it
421	ssl = SSL_new(ssl_ctx);
422	if (ssl == NULL) {
423		err_openssl("SSL_new()");
424		goto error;
425	}
426
427	#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
428	// Set hostname for SNI extension
429	SSL_set_tlsext_host_name(ssl, host);
430	#endif
431
432	if (strcasecmp(scheme, "http") == 0) {
433		bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE);
434	} else {
435		type = HTTPS;
436		bev = bufferevent_openssl_socket_new(base, -1, ssl,
437			BUFFEREVENT_SSL_CONNECTING,
438			BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
439	}
440
441	if (bev == NULL) {
442		fprintf(stderr, "bufferevent_openssl_socket_new() failed\n");
443		goto error;
444	}
445
446	bufferevent_openssl_set_allow_dirty_shutdown(bev, 1);
447
448	// For simplicity, we let DNS resolution block. Everything else should be
449	// asynchronous though.
450	evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev,
451		host, port);
452	if (evcon == NULL) {
453		fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n");
454		goto error;
455	}
456
457	if (retries > 0) {
458		evhttp_connection_set_retries(evcon, retries);
459	}
460	if (timeout >= 0) {
461		evhttp_connection_set_timeout(evcon, timeout);
462	}
463
464	// Fire off the request
465	req = evhttp_request_new(http_request_done, bev);
466	if (req == NULL) {
467		fprintf(stderr, "evhttp_request_new() failed\n");
468		goto error;
469	}
470
471	output_headers = evhttp_request_get_output_headers(req);
472	evhttp_add_header(output_headers, "Host", host);
473	evhttp_add_header(output_headers, "Connection", "close");
474
475	if (data_file) {
476		/* NOTE: In production code, you'd probably want to use
477		 * evbuffer_add_file() or evbuffer_add_file_segment(), to
478		 * avoid needless copying. */
479		FILE * f = fopen(data_file, "rb");
480		char buf[1024];
481		size_t s;
482		size_t bytes = 0;
483
484		if (!f) {
485			syntax();
486			goto error;
487		}
488
489		output_buffer = evhttp_request_get_output_buffer(req);
490		while ((s = fread(buf, 1, sizeof(buf), f)) > 0) {
491			evbuffer_add(output_buffer, buf, s);
492			bytes += s;
493		}
494		evutil_snprintf(buf, sizeof(buf)-1, "%lu", (unsigned long)bytes);
495		evhttp_add_header(output_headers, "Content-Length", buf);
496		fclose(f);
497	}
498
499	r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri);
500	if (r != 0) {
501		fprintf(stderr, "evhttp_make_request() failed\n");
502		goto error;
503	}
504
505	event_base_dispatch(base);
506	goto cleanup;
507
508error:
509	ret = 1;
510cleanup:
511	if (evcon)
512		evhttp_connection_free(evcon);
513	if (http_uri)
514		evhttp_uri_free(http_uri);
515	if (base)
516		event_base_free(base);
517
518	if (ssl_ctx)
519		SSL_CTX_free(ssl_ctx);
520	if (type == HTTP && ssl)
521		SSL_free(ssl);
522#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
523	(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
524	EVP_cleanup();
525	ERR_free_strings();
526
527#if OPENSSL_VERSION_NUMBER < 0x10000000L
528	ERR_remove_state(0);
529#else
530	ERR_remove_thread_state(NULL);
531#endif
532
533	CRYPTO_cleanup_all_ex_data();
534
535	sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
536#endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
537	(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) */
538
539#ifdef _WIN32
540	WSACleanup();
541#endif
542
543	return ret;
544}
545