1 /*
2 * lws-minimal-http-client-jit-trust
3 *
4 * Written in 2010-2021 by Andy Green <[email protected]>
5 *
6 * This file is made available under the Creative Commons CC0 1.0
7 * Universal Public Domain Dedication.
8 *
9 * This demonstrates the a minimal http client using lws.
10 *
11 * It visits https://warmcat.com/ and receives the html page there. You
12 * can dump the page data by changing the #if 0 below.
13 */
14
15 #include <libwebsockets.h>
16 #include <string.h>
17 #include <signal.h>
18
19 static int interrupted, bad = 1, status, conmon;
20 #if defined(LWS_WITH_HTTP2)
21 static int long_poll;
22 #endif
23 static struct lws *client_wsi;
24 static const char *ba_user, *ba_password;
25 static int budget = 6;
26
27 /*
28 * For this example, we import the C-formatted array version of the trust blob
29 * directly. This is produced by running scripts/mozilla-trust-gen.sh and can
30 * be found in ./_trust after that.
31 */
32
33 static uint8_t jit_trust_blob[] = {
34 #include "./trust_blob.h"
35 };
36
37 static const lws_retry_bo_t retry = {
38 .secs_since_valid_ping = 3,
39 .secs_since_valid_hangup = 10,
40 };
41
42 #if defined(LWS_WITH_CONMON)
43 void
dump_conmon_data(struct lws * wsi)44 dump_conmon_data(struct lws *wsi)
45 {
46 const struct addrinfo *ai;
47 struct lws_conmon cm;
48 char ads[48];
49
50 lws_conmon_wsi_take(wsi, &cm);
51
52 lws_sa46_write_numeric_address(&cm.peer46, ads, sizeof(ads));
53 lwsl_notice("%s: peer %s, dns: %uus, sockconn: %uus, "
54 "tls: %uus, txn_resp: %uus\n",
55 __func__, ads,
56 (unsigned int)cm.ciu_dns,
57 (unsigned int)cm.ciu_sockconn,
58 (unsigned int)cm.ciu_tls,
59 (unsigned int)cm.ciu_txn_resp);
60
61 ai = cm.dns_results_copy;
62 while (ai) {
63 lws_sa46_write_numeric_address((lws_sockaddr46 *)ai->ai_addr,
64 ads, sizeof(ads));
65 lwsl_notice("%s: DNS %s\n", __func__, ads);
66 ai = ai->ai_next;
67 }
68
69 /*
70 * This destroys the DNS list in the lws_conmon that we took
71 * responsibility for when we used lws_conmon_wsi_take()
72 */
73
74 lws_conmon_release(&cm);
75 }
76 #endif
77
78 struct args {
79 int argc;
80 const char **argv;
81 };
82
83 static const struct lws_protocols protocols[];
84
85 static int
try_connect(struct lws_context * cx)86 try_connect(struct lws_context *cx)
87 {
88 struct lws_client_connect_info i;
89 struct args *a = lws_context_user(cx);
90 const char *p;
91
92 memset(&i, 0, sizeof i); /* otherwise uninitialized garbage */
93 i.context = cx;
94 if (!lws_cmdline_option(a->argc, a->argv, "-n")) {
95 i.ssl_connection = LCCSCF_USE_SSL;
96 #if defined(LWS_WITH_HTTP2)
97 /* requires h2 */
98 if (lws_cmdline_option(a->argc, a->argv, "--long-poll")) {
99 lwsl_user("%s: long poll mode\n", __func__);
100 long_poll = 1;
101 }
102 #endif
103 }
104
105 if (lws_cmdline_option(a->argc, a->argv, "-l")) {
106 i.port = 7681;
107 i.address = "localhost";
108 i.ssl_connection |= LCCSCF_ALLOW_SELFSIGNED;
109 } else {
110 i.port = 443;
111 i.address = "warmcat.com";
112 }
113
114 if (lws_cmdline_option(a->argc, a->argv, "--nossl"))
115 i.ssl_connection = 0;
116
117 i.ssl_connection |= LCCSCF_H2_QUIRK_OVERFLOWS_TXCR |
118 LCCSCF_H2_QUIRK_NGHTTP2_END_STREAM |
119 LCCSCF_ACCEPT_TLS_DOWNGRADE_REDIRECTS;
120
121 i.alpn = "h2,http/1.1";
122 if (lws_cmdline_option(a->argc, a->argv, "--h1"))
123 i.alpn = "http/1.1";
124
125 if (lws_cmdline_option(a->argc, a->argv, "--h2-prior-knowledge"))
126 i.ssl_connection |= LCCSCF_H2_PRIOR_KNOWLEDGE;
127
128 if ((p = lws_cmdline_option(a->argc, a->argv, "-p")))
129 i.port = atoi(p);
130
131 if ((p = lws_cmdline_option(a->argc, a->argv, "--user")))
132 ba_user = p;
133 if ((p = lws_cmdline_option(a->argc, a->argv, "--password")))
134 ba_password = p;
135
136 if (lws_cmdline_option(a->argc, a->argv, "-j"))
137 i.ssl_connection |= LCCSCF_ALLOW_SELFSIGNED;
138
139 if (lws_cmdline_option(a->argc, a->argv, "-k"))
140 i.ssl_connection |= LCCSCF_ALLOW_INSECURE;
141
142 if (lws_cmdline_option(a->argc, a->argv, "-m"))
143 i.ssl_connection |= LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK;
144
145 if (lws_cmdline_option(a->argc, a->argv, "-e"))
146 i.ssl_connection |= LCCSCF_ALLOW_EXPIRED;
147
148 if ((p = lws_cmdline_option(a->argc, a->argv, "-f"))) {
149 i.ssl_connection |= LCCSCF_H2_MANUAL_RXFLOW;
150 i.manual_initial_tx_credit = atoi(p);
151 lwsl_notice("%s: manual peer tx credit %d\n", __func__,
152 i.manual_initial_tx_credit);
153 }
154
155 #if defined(LWS_WITH_CONMON)
156 if (lws_cmdline_option(a->argc, a->argv, "--conmon")) {
157 i.ssl_connection |= LCCSCF_CONMON;
158 conmon = 1;
159 }
160 #endif
161
162 /* the default validity check is 5m / 5m10s... -v = 3s / 10s */
163
164 if (lws_cmdline_option(a->argc, a->argv, "-v"))
165 i.retry_and_idle_policy = &retry;
166
167 if ((p = lws_cmdline_option(a->argc, a->argv, "--server")))
168 i.address = p;
169
170 if ((p = lws_cmdline_option(a->argc, a->argv, "--path")))
171 i.path = p;
172 else
173 i.path = "/";
174
175 i.host = i.address;
176 i.origin = i.address;
177 i.method = "GET";
178
179 i.protocol = protocols[0].name;
180 i.pwsi = &client_wsi;
181 i.fi_wsi_name = "user";
182
183 if (!lws_client_connect_via_info(&i)) {
184 lwsl_err("Client creation failed\n");
185 interrupted = 1;
186 bad = 2; /* could not even start client connection */
187 lws_cancel_service(cx);
188
189 return 1;
190 }
191
192 return 0;
193 }
194
195 static const char *ua = "Mozilla/5.0 (X11; Linux x86_64) "
196 "AppleWebKit/537.36 (KHTML, like Gecko) "
197 "Chrome/51.0.2704.103 Safari/537.36",
198 *acc = "*/*";
199
200 static int
callback_http(struct lws * wsi,enum lws_callback_reasons reason,void * user,void * in,size_t len)201 callback_http(struct lws *wsi, enum lws_callback_reasons reason,
202 void *user, void *in, size_t len)
203 {
204 switch (reason) {
205
206 /* because we are protocols[0] ... */
207 case LWS_CALLBACK_CLIENT_CONNECTION_ERROR:
208 lwsl_err("CLIENT_CONNECTION_ERROR: %s\n",
209 in ? (char *)in : "(null)");
210
211 if (budget--) {
212 try_connect(lws_get_context(wsi));
213 break;
214 }
215
216 interrupted = 1;
217 bad = 3; /* connection failed before we could make connection */
218 lws_cancel_service(lws_get_context(wsi));
219
220 #if defined(LWS_WITH_CONMON)
221 if (conmon)
222 dump_conmon_data(wsi);
223 #endif
224 break;
225
226 case LWS_CALLBACK_ESTABLISHED_CLIENT_HTTP:
227 {
228 char buf[128];
229
230 lws_get_peer_simple(wsi, buf, sizeof(buf));
231 status = (int)lws_http_client_http_response(wsi);
232
233 lwsl_user("Connected to %s, http response: %d\n",
234 buf, status);
235 }
236 #if defined(LWS_WITH_HTTP2)
237 if (long_poll) {
238 lwsl_user("%s: Client entering long poll mode\n", __func__);
239 lws_h2_client_stream_long_poll_rxonly(wsi);
240 }
241 #endif
242
243 if (lws_fi_user_wsi_fi(wsi, "user_reject_at_est"))
244 return -1;
245
246 break;
247
248
249 case LWS_CALLBACK_CLIENT_APPEND_HANDSHAKE_HEADER:
250 {
251 unsigned char **p = (unsigned char **)in, *end = (*p) + len;
252
253 if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_USER_AGENT,
254 (unsigned char *)ua, (int)strlen(ua), p, end))
255 return -1;
256
257 if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_ACCEPT,
258 (unsigned char *)acc, (int)strlen(acc), p, end))
259 return -1;
260
261 #if defined(LWS_WITH_HTTP_BASIC_AUTH)
262 {
263 char b[128];
264
265 /* you only need this if you need to do Basic Auth */
266
267 if (!ba_user || !ba_password)
268 break;
269
270 if (lws_http_basic_auth_gen(ba_user, ba_password, b, sizeof(b)))
271 break;
272 if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_AUTHORIZATION,
273 (unsigned char *)b, (int)strlen(b), p, end))
274 return -1;
275 }
276 #endif
277
278 break;
279 }
280
281 /* chunks of chunked content, with header removed */
282 case LWS_CALLBACK_RECEIVE_CLIENT_HTTP_READ:
283 lwsl_user("RECEIVE_CLIENT_HTTP_READ: read %d\n", (int)len);
284 #if defined(LWS_WITH_HTTP2)
285 if (long_poll) {
286 char dotstar[128];
287 lws_strnncpy(dotstar, (const char *)in, len,
288 sizeof(dotstar));
289 lwsl_notice("long poll rx: %d '%s'\n", (int)len,
290 dotstar);
291 }
292 #endif
293 #if 0
294 lwsl_hexdump_notice(in, len);
295 #endif
296
297 return 0; /* don't passthru */
298
299 /* uninterpreted http content */
300 case LWS_CALLBACK_RECEIVE_CLIENT_HTTP:
301 {
302 char buffer[1024 + LWS_PRE];
303 char *px = buffer + LWS_PRE;
304 int lenx = sizeof(buffer) - LWS_PRE;
305
306 if (lws_fi_user_wsi_fi(wsi, "user_reject_at_rx"))
307 return -1;
308
309 if (lws_http_client_read(wsi, &px, &lenx) < 0)
310 return -1;
311 }
312 return 0; /* don't passthru */
313
314 case LWS_CALLBACK_COMPLETED_CLIENT_HTTP:
315 lwsl_user("LWS_CALLBACK_COMPLETED_CLIENT_HTTP\n");
316 interrupted = 1;
317 bad = 0; // we accept 403 or whatever for this test status != 200;
318 lws_cancel_service(lws_get_context(wsi)); /* abort poll wait */
319 break;
320
321 case LWS_CALLBACK_CLOSED_CLIENT_HTTP:
322 lwsl_notice("%s: LWS_CALLBACK_CLOSED_CLIENT_HTTP\n", __func__);
323 interrupted = 1;
324 bad = 0; // status != 200;
325 lws_cancel_service(lws_get_context(wsi)); /* abort poll wait */
326 #if defined(LWS_WITH_CONMON)
327 if (conmon)
328 dump_conmon_data(wsi);
329 #endif
330 break;
331
332 default:
333 break;
334 }
335
336 return lws_callback_http_dummy(wsi, reason, user, in, len);
337 }
338
339 static const struct lws_protocols protocols[] = {
340 {
341 "http",
342 callback_http,
343 0, 0, 0, NULL, 0
344 },
345 LWS_PROTOCOL_LIST_TERM
346 };
347
348 static void
sigint_handler(int sig)349 sigint_handler(int sig)
350 {
351 interrupted = 1;
352 }
353
354 static int
system_notify_cb(lws_state_manager_t * mgr,lws_state_notify_link_t * link,int current,int target)355 system_notify_cb(lws_state_manager_t *mgr, lws_state_notify_link_t *link,
356 int current, int target)
357 {
358 struct lws_context *cx = mgr->parent;
359
360 if (current != LWS_SYSTATE_OPERATIONAL ||
361 target != LWS_SYSTATE_OPERATIONAL)
362 return 0;
363
364 lwsl_info("%s: operational\n", __func__);
365
366 try_connect(cx);
367
368 return 0;
369 }
370
371 static int
jit_trust_query(struct lws_context * cx,const uint8_t * skid,size_t skid_len,void * got_opaque)372 jit_trust_query(struct lws_context *cx, const uint8_t *skid,
373 size_t skid_len, void *got_opaque)
374 {
375 const uint8_t *der = NULL;
376 size_t der_len = 0;
377
378 lwsl_info("%s\n", __func__);
379 lwsl_hexdump_info(skid, skid_len);
380
381 /*
382 * For this example, we look up SKIDs using a trust table that's
383 * compiled in, synchronously. Lws provides the necessary helper.
384 *
385 * DER will remain NULL if no match.
386 */
387
388 lws_tls_jit_trust_blob_queury_skid(jit_trust_blob,
389 sizeof(jit_trust_blob), skid,
390 skid_len, &der, &der_len);
391
392 if (der)
393 lwsl_info("%s: found len %d\n", __func__, (int)der_len);
394 else
395 lwsl_info("%s: not trusted\n", __func__);
396
397 /* Once we have a result, pass it to the completion helper */
398
399 return lws_tls_jit_trust_got_cert_cb(cx, got_opaque, skid, skid_len,
400 der, der_len);
401 }
402
403 static lws_system_ops_t system_ops = {
404 .jit_trust_query = jit_trust_query
405 };
406
main(int argc,const char ** argv)407 int main(int argc, const char **argv)
408 {
409 lws_state_notify_link_t notifier = { { NULL, NULL, NULL },
410 system_notify_cb, "app" };
411 lws_state_notify_link_t *na[] = { ¬ifier, NULL };
412 struct lws_context_creation_info info;
413 struct lws_context *context;
414 int n = 0, expected = 0;
415 struct args args;
416 const char *p;
417
418 args.argc = argc;
419 args.argv = argv;
420
421 signal(SIGINT, sigint_handler);
422
423 memset(&info, 0, sizeof info); /* otherwise uninitialized garbage */
424 lws_cmdline_option_handle_builtin(argc, argv, &info);
425
426 lwsl_user("LWS minimal http client JIT Trust [-d<verbosity>] [-l] [--h1]\n");
427
428 info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
429 /* we start off not trusting anything */
430 LWS_SERVER_OPTION_DISABLE_OS_CA_CERTS |
431 LWS_SERVER_OPTION_H2_JUST_FIX_WINDOW_UPDATE_OVERFLOW;
432 info.port = CONTEXT_PORT_NO_LISTEN; /* we do not run any server */
433 info.protocols = protocols;
434 info.user = &args;
435 info.register_notifier_list = na;
436 info.connect_timeout_secs = 30;
437 info.system_ops = &system_ops;
438 info.fd_limit_per_thread = 1 + 6 + 1;
439 info.max_http_header_data = 8192;
440
441 context = lws_create_context(&info);
442 if (!context) {
443 lwsl_err("lws init failed\n");
444 bad = 5;
445 goto bail;
446 }
447
448 while (n >= 0 && !interrupted)
449 n = lws_service(context, 0);
450
451 lwsl_err("%s: destroying context, interrupted = %d\n", __func__,
452 interrupted);
453
454 lws_context_destroy(context);
455
456 bail:
457 if ((p = lws_cmdline_option(argc, argv, "--expected-exit")))
458 expected = atoi(p);
459
460 if (bad == expected) {
461 lwsl_user("Completed: OK (seen expected %d)\n", expected);
462 return 0;
463 }
464
465 lwsl_err("Completed: failed: exit %d, expected %d\n", bad, expected);
466
467 return 1;
468 }
469