http_client.c File Reference

🌐 HTTPS client with BearSSL for fetching public keys from GitHub/GitLab with CA validation More...

Go to the source code of this file.

Functions
char *	https_get (const char *hostname, const char *path)

Detailed Description

🌐 HTTPS client with BearSSL for fetching public keys from GitHub/GitLab with CA validation

Definition in file http_client.c.

Function Documentation

https_get()

char * https_get	(	const char *	hostname,
		const char *	path
	)

Definition at line 109 of file http_client.c.

                                                        {
  if (!hostname || !path) {
    log_error("Invalid arguments to https_get");
    return NULL;
  }
 
  log_info("HTTPS GET https://%s%s", hostname, path);
 
  // Load system CA certificates
  char *pem_data = NULL;
  size_t pem_size = 0;
  if (platform_load_system_ca_certs(&pem_data, &pem_size) != 0) {
    log_error("Failed to load system CA certificates");
    return NULL;
  }
 
  // Parse PEM certificates into BearSSL trust anchors
  anchor_list anchors = ANCHOR_LIST_INIT;
  size_t num_anchors = read_trust_anchors_from_memory(&anchors, (unsigned char *)pem_data, pem_size);
  SAFE_FREE(pem_data);
 
  if (num_anchors == 0) {
    log_error("No trust anchors loaded");
    // Free anchors before returning to prevent leak
    goto cleanup_anchors;
  }
  log_info("Loaded %zu trust anchors", num_anchors);
 
  // Resolve hostname using getaddrinfo (modern, non-deprecated API)
  struct addrinfo hints, *result;
  memset(&hints, 0, sizeof(hints));
  hints.ai_family = AF_INET; // IPv4
  hints.ai_socktype = SOCK_STREAM;
  hints.ai_protocol = IPPROTO_TCP;
 
  if (getaddrinfo(hostname, "443", &hints, &result) != 0) {
    log_error("Failed to resolve hostname: %s", hostname);
    goto cleanup_anchors;
  }
 
  // Create TCP socket
  socket_t sock = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
  if (sock == INVALID_SOCKET_VALUE) {
    log_error("Failed to create socket");
    freeaddrinfo(result);
    goto cleanup_anchors;
  }
 
  // Connect to server
  if (connect(sock, result->ai_addr, (int)result->ai_addrlen) != 0) {
    log_error("Failed to connect to %s:443", hostname);
    socket_close(sock);
    freeaddrinfo(result);
    goto cleanup_anchors;
  }
 
  freeaddrinfo(result);
 
  log_info("Connected to %s:443", hostname);
 
  // Initialize BearSSL X.509 minimal validator
  br_x509_minimal_context xc;
  br_x509_minimal_init(&xc, &br_sha256_vtable, anchors.buf, anchors.ptr);
 
  // Initialize BearSSL client context
  br_ssl_client_context sc;
  br_ssl_client_init_full(&sc, &xc, anchors.buf, anchors.ptr);
 
  // Set I/O buffer
  unsigned char *iobuf;
  iobuf = SAFE_MALLOC(BR_SSL_BUFSIZE_BIDI, unsigned char *);
  br_ssl_engine_set_buffer(&sc.eng, iobuf, BR_SSL_BUFSIZE_BIDI, 1);
 
  // Initialize I/O context
  br_sslio_context ioc;
  br_sslio_init(&ioc, &sc.eng, sock_read, &sock, sock_write, &sock);
 
  // Start TLS handshake
  br_ssl_client_reset(&sc, hostname, 0);
 
  log_info("Starting TLS handshake with %s", hostname);
 
  // Build HTTP request
  char request[BUFFER_SIZE_LARGE];
  int request_len = safe_snprintf(request, sizeof(request),
                                  "GET %s HTTP/1.1\r\n"
                                  "Host: %s\r\n"
                                  "Connection: close\r\n"
                                  "User-Agent: ascii-chat/" ASCII_CHAT_VERSION_STRING "\r\n"
                                  "\r\n",
                                  path, hostname);
 
  // Send HTTP request over TLS
  if (br_sslio_write_all(&ioc, request, (size_t)request_len) != 0) {
    log_error("Failed to send HTTP request");
    SAFE_FREE(iobuf);
    socket_close(sock);
    goto cleanup_anchors;
  }
 
  br_sslio_flush(&ioc);
  log_info("Sent HTTP request");
 
  // Read HTTP response
  char *response_buf = NULL;
  size_t response_capacity = 8192;
  size_t response_len = 0;
  response_buf = SAFE_MALLOC(response_capacity, char *);
 
  while (1) {
    // Ensure we have space to read
    if (response_len + 1024 > response_capacity) {
      response_capacity *= 2;
      response_buf = SAFE_REALLOC(response_buf, response_capacity, char *);
    }
 
    // Read data
    int n = br_sslio_read(&ioc, response_buf + response_len, response_capacity - response_len);
    if (n < 0) {
      // Check for TLS errors
      int err = br_ssl_engine_last_error(&sc.eng);
      if (err != BR_ERR_OK) {
        log_error("TLS error: %d", err);
        SAFE_FREE(response_buf);
        SAFE_FREE(iobuf);
        socket_close(sock);
        goto cleanup_anchors;
      }
      // EOF or connection closed
      break;
    }
    if (n == 0) {
      break; // EOF
    }
 
    response_len += (size_t)n;
  }
 
  response_buf[response_len] = '\0';
  log_info("Received %zu bytes", response_len);
 
  // Close connection
  br_sslio_close(&ioc);
  socket_close(sock);
 
  // Parse HTTP response
  asciichat_error_t status = check_http_status(response_buf);
  if (status != ASCIICHAT_OK) {
    SAFE_FREE(response_buf);
    SAFE_FREE(iobuf);
    goto cleanup_anchors;
  }
 
  char *body = extract_http_body(response_buf, response_len);
  SAFE_FREE(response_buf);
  SAFE_FREE(iobuf);
 
  // Cleanup trust anchors
  for (size_t i = 0; i < anchors.ptr; i++) {
    free_ta_contents(&anchors.buf[i]);
  }
  SAFE_FREE(anchors.buf);
 
  return body;
 
cleanup_anchors:
  for (size_t i = 0; i < anchors.ptr; i++) {
    free_ta_contents(&anchors.buf[i]);
  }
  SAFE_FREE(anchors.buf);
  return NULL;
}

References free_ta_contents(), read_trust_anchors_from_memory(), and safe_snprintf().

Referenced by parse_public_key(), and update_check_perform().