1/*
2 * lws-minimal-http-client-jit-trust
3 *
4 * Written in 2010-2021 by Andy Green <andy@warmcat.com>
5 *
6 * This file is made available under the Creative Commons CC0 1.0
7 * Universal Public Domain Dedication.
8 *
9 * This demonstrates the a minimal http client using lws.
10 *
11 * It visits https://warmcat.com/ and receives the html page there.  You
12 * can dump the page data by changing the #if 0 below.
13 */
14
15#include <libwebsockets.h>
16#include <string.h>
17#include <signal.h>
18
19static int interrupted, bad = 1, status, conmon;
20#if defined(LWS_WITH_HTTP2)
21static int long_poll;
22#endif
23static struct lws *client_wsi;
24static const char *ba_user, *ba_password;
25static int budget = 6;
26
27/*
28 * For this example, we import the C-formatted array version of the trust blob
29 * directly.  This is produced by running scripts/mozilla-trust-gen.sh and can
30 * be found in ./_trust after that.
31 */
32
33static uint8_t jit_trust_blob[] = {
34#include "./trust_blob.h"
35};
36
37static const lws_retry_bo_t retry = {
38	.secs_since_valid_ping = 3,
39	.secs_since_valid_hangup = 10,
40};
41
42#if defined(LWS_WITH_CONMON)
43void
44dump_conmon_data(struct lws *wsi)
45{
46	const struct addrinfo *ai;
47	struct lws_conmon cm;
48	char ads[48];
49
50	lws_conmon_wsi_take(wsi, &cm);
51
52	lws_sa46_write_numeric_address(&cm.peer46, ads, sizeof(ads));
53	lwsl_notice("%s: peer %s, dns: %uus, sockconn: %uus, "
54		    "tls: %uus, txn_resp: %uus\n",
55		    __func__, ads,
56		    (unsigned int)cm.ciu_dns,
57		    (unsigned int)cm.ciu_sockconn,
58		    (unsigned int)cm.ciu_tls,
59		    (unsigned int)cm.ciu_txn_resp);
60
61	ai = cm.dns_results_copy;
62	while (ai) {
63		lws_sa46_write_numeric_address((lws_sockaddr46 *)ai->ai_addr,
64						ads, sizeof(ads));
65		lwsl_notice("%s: DNS %s\n", __func__, ads);
66		ai = ai->ai_next;
67	}
68
69	/*
70	 * This destroys the DNS list in the lws_conmon that we took
71	 * responsibility for when we used lws_conmon_wsi_take()
72	 */
73
74	lws_conmon_release(&cm);
75}
76#endif
77
78struct args {
79	int argc;
80	const char **argv;
81};
82
83static const struct lws_protocols protocols[];
84
85static int
86try_connect(struct lws_context *cx)
87{
88	struct lws_client_connect_info i;
89	struct args *a = lws_context_user(cx);
90	const char *p;
91
92	memset(&i, 0, sizeof i); /* otherwise uninitialized garbage */
93	i.context = cx;
94	if (!lws_cmdline_option(a->argc, a->argv, "-n")) {
95		i.ssl_connection = LCCSCF_USE_SSL;
96#if defined(LWS_WITH_HTTP2)
97		/* requires h2 */
98		if (lws_cmdline_option(a->argc, a->argv, "--long-poll")) {
99			lwsl_user("%s: long poll mode\n", __func__);
100			long_poll = 1;
101		}
102#endif
103	}
104
105	if (lws_cmdline_option(a->argc, a->argv, "-l")) {
106		i.port = 7681;
107		i.address = "localhost";
108		i.ssl_connection |= LCCSCF_ALLOW_SELFSIGNED;
109	} else {
110		i.port = 443;
111		i.address = "warmcat.com";
112	}
113
114	if (lws_cmdline_option(a->argc, a->argv, "--nossl"))
115		i.ssl_connection = 0;
116
117	i.ssl_connection |= LCCSCF_H2_QUIRK_OVERFLOWS_TXCR |
118			    LCCSCF_H2_QUIRK_NGHTTP2_END_STREAM |
119			    LCCSCF_ACCEPT_TLS_DOWNGRADE_REDIRECTS;
120
121	i.alpn = "h2,http/1.1";
122	if (lws_cmdline_option(a->argc, a->argv, "--h1"))
123		i.alpn = "http/1.1";
124
125	if (lws_cmdline_option(a->argc, a->argv, "--h2-prior-knowledge"))
126		i.ssl_connection |= LCCSCF_H2_PRIOR_KNOWLEDGE;
127
128	if ((p = lws_cmdline_option(a->argc, a->argv, "-p")))
129		i.port = atoi(p);
130
131	if ((p = lws_cmdline_option(a->argc, a->argv, "--user")))
132		ba_user = p;
133	if ((p = lws_cmdline_option(a->argc, a->argv, "--password")))
134		ba_password = p;
135
136	if (lws_cmdline_option(a->argc, a->argv, "-j"))
137		i.ssl_connection |= LCCSCF_ALLOW_SELFSIGNED;
138
139	if (lws_cmdline_option(a->argc, a->argv, "-k"))
140		i.ssl_connection |= LCCSCF_ALLOW_INSECURE;
141
142	if (lws_cmdline_option(a->argc, a->argv, "-m"))
143		i.ssl_connection |= LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK;
144
145	if (lws_cmdline_option(a->argc, a->argv, "-e"))
146		i.ssl_connection |= LCCSCF_ALLOW_EXPIRED;
147
148	if ((p = lws_cmdline_option(a->argc, a->argv, "-f"))) {
149		i.ssl_connection |= LCCSCF_H2_MANUAL_RXFLOW;
150		i.manual_initial_tx_credit = atoi(p);
151		lwsl_notice("%s: manual peer tx credit %d\n", __func__,
152				i.manual_initial_tx_credit);
153	}
154
155#if defined(LWS_WITH_CONMON)
156	if (lws_cmdline_option(a->argc, a->argv, "--conmon")) {
157		i.ssl_connection |= LCCSCF_CONMON;
158		conmon = 1;
159	}
160#endif
161
162	/* the default validity check is 5m / 5m10s... -v = 3s / 10s */
163
164	if (lws_cmdline_option(a->argc, a->argv, "-v"))
165		i.retry_and_idle_policy = &retry;
166
167	if ((p = lws_cmdline_option(a->argc, a->argv, "--server")))
168		i.address = p;
169
170	if ((p = lws_cmdline_option(a->argc, a->argv, "--path")))
171		i.path = p;
172	else
173		i.path = "/";
174
175	i.host = i.address;
176	i.origin = i.address;
177	i.method = "GET";
178
179	i.protocol = protocols[0].name;
180	i.pwsi = &client_wsi;
181	i.fi_wsi_name = "user";
182
183	if (!lws_client_connect_via_info(&i)) {
184		lwsl_err("Client creation failed\n");
185		interrupted = 1;
186		bad = 2; /* could not even start client connection */
187		lws_cancel_service(cx);
188
189		return 1;
190	}
191
192	return 0;
193}
194
195static const char *ua = "Mozilla/5.0 (X11; Linux x86_64) "
196			"AppleWebKit/537.36 (KHTML, like Gecko) "
197			"Chrome/51.0.2704.103 Safari/537.36",
198		  *acc = "*/*";
199
200static int
201callback_http(struct lws *wsi, enum lws_callback_reasons reason,
202	      void *user, void *in, size_t len)
203{
204	switch (reason) {
205
206	/* because we are protocols[0] ... */
207	case LWS_CALLBACK_CLIENT_CONNECTION_ERROR:
208		lwsl_err("CLIENT_CONNECTION_ERROR: %s\n",
209			 in ? (char *)in : "(null)");
210
211		if (budget--) {
212			try_connect(lws_get_context(wsi));
213			break;
214		}
215
216		interrupted = 1;
217		bad = 3; /* connection failed before we could make connection */
218		lws_cancel_service(lws_get_context(wsi));
219
220#if defined(LWS_WITH_CONMON)
221	if (conmon)
222		dump_conmon_data(wsi);
223#endif
224		break;
225
226	case LWS_CALLBACK_ESTABLISHED_CLIENT_HTTP:
227		{
228			char buf[128];
229
230			lws_get_peer_simple(wsi, buf, sizeof(buf));
231			status = (int)lws_http_client_http_response(wsi);
232
233			lwsl_user("Connected to %s, http response: %d\n",
234					buf, status);
235		}
236#if defined(LWS_WITH_HTTP2)
237		if (long_poll) {
238			lwsl_user("%s: Client entering long poll mode\n", __func__);
239			lws_h2_client_stream_long_poll_rxonly(wsi);
240		}
241#endif
242
243		if (lws_fi_user_wsi_fi(wsi, "user_reject_at_est"))
244			return -1;
245
246		break;
247
248
249	case LWS_CALLBACK_CLIENT_APPEND_HANDSHAKE_HEADER:
250	{
251		unsigned char **p = (unsigned char **)in, *end = (*p) + len;
252
253		if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_USER_AGENT,
254				(unsigned char *)ua, (int)strlen(ua), p, end))
255			return -1;
256
257		if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_ACCEPT,
258				(unsigned char *)acc, (int)strlen(acc), p, end))
259			return -1;
260
261#if defined(LWS_WITH_HTTP_BASIC_AUTH)
262		{
263		char b[128];
264
265	/* you only need this if you need to do Basic Auth */
266
267		if (!ba_user || !ba_password)
268			break;
269
270		if (lws_http_basic_auth_gen(ba_user, ba_password, b, sizeof(b)))
271			break;
272		if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_AUTHORIZATION,
273				(unsigned char *)b, (int)strlen(b), p, end))
274			return -1;
275		}
276#endif
277
278		break;
279	}
280
281	/* chunks of chunked content, with header removed */
282	case LWS_CALLBACK_RECEIVE_CLIENT_HTTP_READ:
283		lwsl_user("RECEIVE_CLIENT_HTTP_READ: read %d\n", (int)len);
284#if defined(LWS_WITH_HTTP2)
285		if (long_poll) {
286			char dotstar[128];
287			lws_strnncpy(dotstar, (const char *)in, len,
288				     sizeof(dotstar));
289			lwsl_notice("long poll rx: %d '%s'\n", (int)len,
290					dotstar);
291		}
292#endif
293#if 0
294		lwsl_hexdump_notice(in, len);
295#endif
296
297		return 0; /* don't passthru */
298
299	/* uninterpreted http content */
300	case LWS_CALLBACK_RECEIVE_CLIENT_HTTP:
301		{
302			char buffer[1024 + LWS_PRE];
303			char *px = buffer + LWS_PRE;
304			int lenx = sizeof(buffer) - LWS_PRE;
305
306			if (lws_fi_user_wsi_fi(wsi, "user_reject_at_rx"))
307				return -1;
308
309			if (lws_http_client_read(wsi, &px, &lenx) < 0)
310				return -1;
311		}
312		return 0; /* don't passthru */
313
314	case LWS_CALLBACK_COMPLETED_CLIENT_HTTP:
315		lwsl_user("LWS_CALLBACK_COMPLETED_CLIENT_HTTP\n");
316		interrupted = 1;
317		bad = 0; // we accept 403 or whatever for this test status != 200;
318		lws_cancel_service(lws_get_context(wsi)); /* abort poll wait */
319		break;
320
321	case LWS_CALLBACK_CLOSED_CLIENT_HTTP:
322		lwsl_notice("%s: LWS_CALLBACK_CLOSED_CLIENT_HTTP\n", __func__);
323		interrupted = 1;
324		bad = 0; // status != 200;
325		lws_cancel_service(lws_get_context(wsi)); /* abort poll wait */
326#if defined(LWS_WITH_CONMON)
327		if (conmon)
328			dump_conmon_data(wsi);
329#endif
330		break;
331
332	default:
333		break;
334	}
335
336	return lws_callback_http_dummy(wsi, reason, user, in, len);
337}
338
339static const struct lws_protocols protocols[] = {
340	{
341		"http",
342		callback_http,
343		0, 0, 0, NULL, 0
344	},
345	LWS_PROTOCOL_LIST_TERM
346};
347
348static void
349sigint_handler(int sig)
350{
351	interrupted = 1;
352}
353
354static int
355system_notify_cb(lws_state_manager_t *mgr, lws_state_notify_link_t *link,
356		   int current, int target)
357{
358	struct lws_context *cx = mgr->parent;
359
360	if (current != LWS_SYSTATE_OPERATIONAL ||
361	    target != LWS_SYSTATE_OPERATIONAL)
362		return 0;
363
364	lwsl_info("%s: operational\n", __func__);
365
366	try_connect(cx);
367
368	return 0;
369}
370
371static int
372jit_trust_query(struct lws_context *cx, const uint8_t *skid,
373		size_t skid_len, void *got_opaque)
374{
375	const uint8_t *der = NULL;
376	size_t der_len = 0;
377
378	lwsl_info("%s\n", __func__);
379	lwsl_hexdump_info(skid, skid_len);
380
381	/*
382	 * For this example, we look up SKIDs using a trust table that's
383	 * compiled in, synchronously.  Lws provides the necessary helper.
384	 *
385	 * DER will remain NULL if no match.
386	 */
387
388	lws_tls_jit_trust_blob_queury_skid(jit_trust_blob,
389					   sizeof(jit_trust_blob), skid,
390					   skid_len, &der, &der_len);
391
392	if (der)
393		lwsl_info("%s: found len %d\n", __func__, (int)der_len);
394	else
395		lwsl_info("%s: not trusted\n", __func__);
396
397	/* Once we have a result, pass it to the completion helper */
398
399	return lws_tls_jit_trust_got_cert_cb(cx, got_opaque, skid, skid_len,
400					     der, der_len);
401}
402
403static lws_system_ops_t system_ops = {
404	.jit_trust_query		= jit_trust_query
405};
406
407int main(int argc, const char **argv)
408{
409	lws_state_notify_link_t notifier = { { NULL, NULL, NULL },
410						system_notify_cb, "app" };
411	lws_state_notify_link_t *na[] = { &notifier, NULL };
412	struct lws_context_creation_info info;
413	struct lws_context *context;
414	int n = 0, expected = 0;
415	struct args args;
416	const char *p;
417
418	args.argc = argc;
419	args.argv = argv;
420
421	signal(SIGINT, sigint_handler);
422
423	memset(&info, 0, sizeof info); /* otherwise uninitialized garbage */
424	lws_cmdline_option_handle_builtin(argc, argv, &info);
425
426	lwsl_user("LWS minimal http client JIT Trust [-d<verbosity>] [-l] [--h1]\n");
427
428	info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
429		       /* we start off not trusting anything */
430		       LWS_SERVER_OPTION_DISABLE_OS_CA_CERTS |
431		       LWS_SERVER_OPTION_H2_JUST_FIX_WINDOW_UPDATE_OVERFLOW;
432	info.port = CONTEXT_PORT_NO_LISTEN; /* we do not run any server */
433	info.protocols = protocols;
434	info.user = &args;
435	info.register_notifier_list = na;
436	info.connect_timeout_secs = 30;
437	info.system_ops = &system_ops;
438	info.fd_limit_per_thread = 1 + 6 + 1;
439	info.max_http_header_data = 8192;
440
441	context = lws_create_context(&info);
442	if (!context) {
443		lwsl_err("lws init failed\n");
444		bad = 5;
445		goto bail;
446	}
447
448	while (n >= 0 && !interrupted)
449		n = lws_service(context, 0);
450
451	lwsl_err("%s: destroying context, interrupted = %d\n", __func__,
452			interrupted);
453
454	lws_context_destroy(context);
455
456bail:
457	if ((p = lws_cmdline_option(argc, argv, "--expected-exit")))
458		expected = atoi(p);
459
460	if (bad == expected) {
461		lwsl_user("Completed: OK (seen expected %d)\n", expected);
462		return 0;
463	}
464
465	lwsl_err("Completed: failed: exit %d, expected %d\n", bad, expected);
466
467	return 1;
468}
469