2 This is an example of how to hook up evhttp with bufferevent_ssl
4 It just GETs an https URL given on the command-line and prints the response
7 Actually, it also accepts plain http URLs to make it easy to compare http vs
10 Loosely based on le-proxy.c.
13 // Get rid of OSX 10.7 and greater deprecation warnings.
14 #if defined(__APPLE__) && defined(__clang__)
15 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
28 #define snprintf _snprintf
29 #define strcasecmp _stricmp
31 #include <sys/socket.h>
32 #include <netinet/in.h>
35 #include <event2/bufferevent_ssl.h>
36 #include <event2/bufferevent.h>
37 #include <event2/buffer.h>
38 #include <event2/listener.h>
39 #include <event2/util.h>
40 #include <event2/http.h>
42 #include <openssl/ssl.h>
43 #include <openssl/err.h>
44 #include <openssl/rand.h>
46 #include "openssl_hostname_validation.h"
48 static struct event_base *base;
49 static int ignore_cert = 0;
52 http_request_done(struct evhttp_request *req, void *ctx)
58 /* If req is NULL, it means an error occurred, but
59 * sadly we are mostly left guessing what the error
60 * might have been. We'll do our best... */
61 struct bufferevent *bev = (struct bufferevent *) ctx;
64 int errcode = EVUTIL_SOCKET_ERROR();
65 fprintf(stderr, "some request failed - no idea which one though!\n");
66 /* Print out the OpenSSL error queue that libevent
67 * squirreled away for us, if any. */
68 while ((oslerr = bufferevent_get_openssl_error(bev))) {
69 ERR_error_string_n(oslerr, buffer, sizeof(buffer));
70 fprintf(stderr, "%s\n", buffer);
73 /* If the OpenSSL error queue was empty, maybe it was a
74 * socket error; let's try printing that. */
76 fprintf(stderr, "socket error = %s (%d)\n",
77 evutil_socket_error_to_string(errcode),
82 fprintf(stderr, "Response line: %d %s\n",
83 evhttp_request_get_response_code(req),
84 evhttp_request_get_response_code_line(req));
86 while ((nread = evbuffer_remove(evhttp_request_get_input_buffer(req),
87 buffer, sizeof(buffer)))
89 /* These are just arbitrary chunks of 256 bytes.
90 * They are not lines, so we can't treat them as such. */
91 fwrite(buffer, nread, 1, stdout);
98 fputs("Syntax:\n", stderr);
99 fputs(" https-client -url <https-url> [-data data-file.bin] [-ignore-cert] [-retries num]\n", stderr);
100 fputs("Example:\n", stderr);
101 fputs(" https-client -url https://ip.appspot.com/\n", stderr);
114 die_openssl(const char *func)
116 fprintf (stderr, "%s failed:\n", func);
118 /* This is the OpenSSL function that prints the contents of the
119 * error stack to the specified file handle. */
120 ERR_print_errors_fp (stderr);
125 /* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */
126 static int cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg)
129 const char *host = (const char *) arg;
130 const char *res_str = "X509_verify_cert failed";
131 HostnameValidationResult res = Error;
133 /* This is the function that OpenSSL would call if we hadn't called
134 * SSL_CTX_set_cert_verify_callback(). Therefore, we are "wrapping"
135 * the default functionality, rather than replacing it. */
138 X509 *server_cert = NULL;
144 ok_so_far = X509_verify_cert(x509_ctx);
146 server_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
149 res = validate_hostname(host, server_cert);
153 res_str = "MatchFound";
156 res_str = "MatchNotFound";
159 res_str = "NoSANPresent";
161 case MalformedCertificate:
162 res_str = "MalformedCertificate";
173 X509_NAME_oneline(X509_get_subject_name (server_cert),
174 cert_str, sizeof (cert_str));
176 if (res == MatchFound) {
177 printf("https server '%s' has this certificate, "
178 "which looks good to me:\n%s\n",
182 printf("Got '%s' for hostname '%s' and certificate:\n%s\n",
183 res_str, host, cert_str);
189 main(int argc, char **argv)
193 struct evhttp_uri *http_uri;
194 const char *url = NULL, *data_file = NULL;
195 const char *scheme, *host, *path, *query;
202 struct bufferevent *bev;
203 struct evhttp_connection *evcon;
204 struct evhttp_request *req;
205 struct evkeyvalq *output_headers;
206 struct evbuffer * output_buffer;
210 for (i = 1; i < argc; i++) {
211 if (!strcmp("-url", argv[i])) {
217 } else if (!strcmp("-ignore-cert", argv[i])) {
219 } else if (!strcmp("-data", argv[i])) {
221 data_file = argv[i + 1];
225 } else if (!strcmp("-retries", argv[i])) {
227 retries = atoi(argv[i + 1]);
231 } else if (!strcmp("-help", argv[i])) {
242 WORD wVersionRequested;
246 wVersionRequested = MAKEWORD(2, 2);
248 err = WSAStartup(wVersionRequested, &wsaData);
250 printf("WSAStartup failed with error: %d\n", err);
256 http_uri = evhttp_uri_parse(url);
257 if (http_uri == NULL) {
258 die("malformed url");
261 scheme = evhttp_uri_get_scheme(http_uri);
262 if (scheme == NULL || (strcasecmp(scheme, "https") != 0 &&
263 strcasecmp(scheme, "http") != 0)) {
264 die("url must be http or https");
267 host = evhttp_uri_get_host(http_uri);
269 die("url must have a host");
272 port = evhttp_uri_get_port(http_uri);
274 port = (strcasecmp(scheme, "http") == 0) ? 80 : 443;
277 path = evhttp_uri_get_path(http_uri);
282 query = evhttp_uri_get_query(http_uri);
284 snprintf(uri, sizeof(uri) - 1, "%s", path);
286 snprintf(uri, sizeof(uri) - 1, "%s?%s", path, query);
288 uri[sizeof(uri) - 1] = '\0';
290 // Initialize OpenSSL
292 ERR_load_crypto_strings();
293 SSL_load_error_strings();
294 OpenSSL_add_all_algorithms();
296 /* This isn't strictly necessary... OpenSSL performs RAND_poll
297 * automatically on first use of random number generator. */
300 die_openssl("RAND_poll");
303 /* Create a new OpenSSL context */
304 ssl_ctx = SSL_CTX_new(SSLv23_method());
306 die_openssl("SSL_CTX_new");
309 /* TODO: Add certificate loading on Windows as well */
311 /* Attempt to use the system's trusted root certificates.
312 * (This path is only valid for Debian-based systems.) */
313 if (1 != SSL_CTX_load_verify_locations(ssl_ctx,
314 "/etc/ssl/certs/ca-certificates.crt",
316 die_openssl("SSL_CTX_load_verify_locations");
317 /* Ask OpenSSL to verify the server certificate. Note that this
318 * does NOT include verifying that the hostname is correct.
319 * So, by itself, this means anyone with any legitimate
320 * CA-issued certificate for any website, can impersonate any
321 * other website in the world. This is not good. See "The
322 * Most Dangerous Code in the World" article at
323 * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
325 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
326 /* This is how we solve the problem mentioned in the previous
327 * comment. We "wrap" OpenSSL's validation routine in our
328 * own routine, which also validates the hostname by calling
329 * the code provided by iSECPartners. Note that even though
330 * the "Everything You've Always Wanted to Know About
331 * Certificate Validation With OpenSSL (But Were Afraid to
332 * Ask)" paper from iSECPartners says very explicitly not to
333 * call SSL_CTX_set_cert_verify_callback (at the bottom of
334 * page 2), what we're doing here is safe because our
335 * cert_verify_callback() calls X509_verify_cert(), which is
336 * OpenSSL's built-in routine which would have been called if
337 * we hadn't set the callback. Therefore, we're just
338 * "wrapping" OpenSSL's routine, not replacing it. */
339 SSL_CTX_set_cert_verify_callback (ssl_ctx, cert_verify_callback,
344 base = event_base_new();
346 perror("event_base_new()");
350 // Create OpenSSL bufferevent and stack evhttp on top of it
351 ssl = SSL_new(ssl_ctx);
353 die_openssl("SSL_new()");
356 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
357 // Set hostname for SNI extension
358 SSL_set_tlsext_host_name(ssl, host);
361 if (strcasecmp(scheme, "http") == 0) {
362 bev = bufferevent_socket_new(base, -1, BEV_OPT_CLOSE_ON_FREE);
364 bev = bufferevent_openssl_socket_new(base, -1, ssl,
365 BUFFEREVENT_SSL_CONNECTING,
366 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
370 fprintf(stderr, "bufferevent_openssl_socket_new() failed\n");
374 bufferevent_openssl_set_allow_dirty_shutdown(bev, 1);
376 // For simplicity, we let DNS resolution block. Everything else should be
377 // asynchronous though.
378 evcon = evhttp_connection_base_bufferevent_new(base, NULL, bev,
381 fprintf(stderr, "evhttp_connection_base_bufferevent_new() failed\n");
386 evhttp_connection_set_retries(evcon, retries);
389 // Fire off the request
390 req = evhttp_request_new(http_request_done, bev);
392 fprintf(stderr, "evhttp_request_new() failed\n");
396 output_headers = evhttp_request_get_output_headers(req);
397 evhttp_add_header(output_headers, "Host", host);
398 evhttp_add_header(output_headers, "Connection", "close");
401 /* NOTE: In production code, you'd probably want to use
402 * evbuffer_add_file() or evbuffer_add_file_segment(), to
403 * avoid needless copying. */
404 FILE * f = fopen(data_file, "rb");
413 output_buffer = evhttp_request_get_output_buffer(req);
414 while ((s = fread(buf, 1, sizeof(buf), f)) > 0) {
415 evbuffer_add(output_buffer, buf, s);
418 evutil_snprintf(buf, sizeof(buf)-1, "%lu", (unsigned long)bytes);
419 evhttp_add_header(output_headers, "Content-Length", buf);
423 r = evhttp_make_request(evcon, req, data_file ? EVHTTP_REQ_POST : EVHTTP_REQ_GET, uri);
425 fprintf(stderr, "evhttp_make_request() failed\n");
429 event_base_dispatch(base);
431 evhttp_connection_free(evcon);
432 event_base_free(base);