1 /* $NetBSD: le-proxy.c,v 1.1.1.2 2017/01/31 21:14:53 christos Exp $ */ 2 /* 3 This example code shows how to write an (optionally encrypting) SSL proxy 4 with Libevent's bufferevent layer. 5 6 XXX It's a little ugly and should probably be cleaned up. 7 */ 8 9 // Get rid of OSX 10.7 and greater deprecation warnings. 10 #if defined(__APPLE__) && defined(__clang__) 11 #pragma clang diagnostic ignored "-Wdeprecated-declarations" 12 #endif 13 14 #include <stdio.h> 15 #include <assert.h> 16 #include <stdlib.h> 17 #include <string.h> 18 #include <errno.h> 19 20 #ifdef _WIN32 21 #include <winsock2.h> 22 #include <ws2tcpip.h> 23 #else 24 #include <sys/socket.h> 25 #include <netinet/in.h> 26 #endif 27 28 #include <event2/bufferevent_ssl.h> 29 #include <event2/bufferevent.h> 30 #include <event2/buffer.h> 31 #include <event2/listener.h> 32 #include <event2/util.h> 33 34 #include <openssl/ssl.h> 35 #include <openssl/err.h> 36 #include <openssl/rand.h> 37 #include "openssl-compat.h" 38 39 static struct event_base *base; 40 static struct sockaddr_storage listen_on_addr; 41 static struct sockaddr_storage connect_to_addr; 42 static int connect_to_addrlen; 43 static int use_wrapper = 1; 44 45 static SSL_CTX *ssl_ctx = NULL; 46 47 #define MAX_OUTPUT (512*1024) 48 49 static void drained_writecb(struct bufferevent *bev, void *ctx); 50 static void eventcb(struct bufferevent *bev, short what, void *ctx); 51 52 static void 53 readcb(struct bufferevent *bev, void *ctx) 54 { 55 struct bufferevent *partner = ctx; 56 struct evbuffer *src, *dst; 57 size_t len; 58 src = bufferevent_get_input(bev); 59 len = evbuffer_get_length(src); 60 if (!partner) { 61 evbuffer_drain(src, len); 62 return; 63 } 64 dst = bufferevent_get_output(partner); 65 evbuffer_add_buffer(dst, src); 66 67 if (evbuffer_get_length(dst) >= MAX_OUTPUT) { 68 /* We're giving the other side data faster than it can 69 * pass it on. Stop reading here until we have drained the 70 * other side to MAX_OUTPUT/2 bytes. */ 71 bufferevent_setcb(partner, readcb, drained_writecb, 72 eventcb, bev); 73 bufferevent_setwatermark(partner, EV_WRITE, MAX_OUTPUT/2, 74 MAX_OUTPUT); 75 bufferevent_disable(bev, EV_READ); 76 } 77 } 78 79 static void 80 drained_writecb(struct bufferevent *bev, void *ctx) 81 { 82 struct bufferevent *partner = ctx; 83 84 /* We were choking the other side until we drained our outbuf a bit. 85 * Now it seems drained. */ 86 bufferevent_setcb(bev, readcb, NULL, eventcb, partner); 87 bufferevent_setwatermark(bev, EV_WRITE, 0, 0); 88 if (partner) 89 bufferevent_enable(partner, EV_READ); 90 } 91 92 static void 93 close_on_finished_writecb(struct bufferevent *bev, void *ctx) 94 { 95 struct evbuffer *b = bufferevent_get_output(bev); 96 97 if (evbuffer_get_length(b) == 0) { 98 bufferevent_free(bev); 99 } 100 } 101 102 static void 103 eventcb(struct bufferevent *bev, short what, void *ctx) 104 { 105 struct bufferevent *partner = ctx; 106 107 if (what & (BEV_EVENT_EOF|BEV_EVENT_ERROR)) { 108 if (what & BEV_EVENT_ERROR) { 109 unsigned long err; 110 while ((err = (bufferevent_get_openssl_error(bev)))) { 111 const char *msg = (const char*) 112 ERR_reason_error_string(err); 113 const char *lib = (const char*) 114 ERR_lib_error_string(err); 115 const char *func = (const char*) 116 ERR_func_error_string(err); 117 fprintf(stderr, 118 "%s in %s %s\n", msg, lib, func); 119 } 120 if (errno) 121 perror("connection error"); 122 } 123 124 if (partner) { 125 /* Flush all pending data */ 126 readcb(bev, ctx); 127 128 if (evbuffer_get_length( 129 bufferevent_get_output(partner))) { 130 /* We still have to flush data from the other 131 * side, but when that's done, close the other 132 * side. */ 133 bufferevent_setcb(partner, 134 NULL, close_on_finished_writecb, 135 eventcb, NULL); 136 bufferevent_disable(partner, EV_READ); 137 } else { 138 /* We have nothing left to say to the other 139 * side; close it. */ 140 bufferevent_free(partner); 141 } 142 } 143 bufferevent_free(bev); 144 } 145 } 146 147 static void 148 syntax(void) 149 { 150 fputs("Syntax:\n", stderr); 151 fputs(" le-proxy [-s] [-W] <listen-on-addr> <connect-to-addr>\n", stderr); 152 fputs("Example:\n", stderr); 153 fputs(" le-proxy 127.0.0.1:8888 1.2.3.4:80\n", stderr); 154 155 exit(1); 156 } 157 158 static void 159 accept_cb(struct evconnlistener *listener, evutil_socket_t fd, 160 struct sockaddr *a, int slen, void *p) 161 { 162 struct bufferevent *b_out, *b_in; 163 /* Create two linked bufferevent objects: one to connect, one for the 164 * new connection */ 165 b_in = bufferevent_socket_new(base, fd, 166 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS); 167 168 if (!ssl_ctx || use_wrapper) 169 b_out = bufferevent_socket_new(base, -1, 170 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS); 171 else { 172 SSL *ssl = SSL_new(ssl_ctx); 173 b_out = bufferevent_openssl_socket_new(base, -1, ssl, 174 BUFFEREVENT_SSL_CONNECTING, 175 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS); 176 } 177 178 assert(b_in && b_out); 179 180 if (bufferevent_socket_connect(b_out, 181 (struct sockaddr*)&connect_to_addr, connect_to_addrlen)<0) { 182 perror("bufferevent_socket_connect"); 183 bufferevent_free(b_out); 184 bufferevent_free(b_in); 185 return; 186 } 187 188 if (ssl_ctx && use_wrapper) { 189 struct bufferevent *b_ssl; 190 SSL *ssl = SSL_new(ssl_ctx); 191 b_ssl = bufferevent_openssl_filter_new(base, 192 b_out, ssl, BUFFEREVENT_SSL_CONNECTING, 193 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS); 194 if (!b_ssl) { 195 perror("Bufferevent_openssl_new"); 196 bufferevent_free(b_out); 197 bufferevent_free(b_in); 198 } 199 b_out = b_ssl; 200 } 201 202 bufferevent_setcb(b_in, readcb, NULL, eventcb, b_out); 203 bufferevent_setcb(b_out, readcb, NULL, eventcb, b_in); 204 205 bufferevent_enable(b_in, EV_READ|EV_WRITE); 206 bufferevent_enable(b_out, EV_READ|EV_WRITE); 207 } 208 209 int 210 main(int argc, char **argv) 211 { 212 int i; 213 int socklen; 214 215 int use_ssl = 0; 216 struct evconnlistener *listener; 217 218 if (argc < 3) 219 syntax(); 220 221 for (i=1; i < argc; ++i) { 222 if (!strcmp(argv[i], "-s")) { 223 use_ssl = 1; 224 } else if (!strcmp(argv[i], "-W")) { 225 use_wrapper = 0; 226 } else if (argv[i][0] == '-') { 227 syntax(); 228 } else 229 break; 230 } 231 232 if (i+2 != argc) 233 syntax(); 234 235 memset(&listen_on_addr, 0, sizeof(listen_on_addr)); 236 socklen = sizeof(listen_on_addr); 237 if (evutil_parse_sockaddr_port(argv[i], 238 (struct sockaddr*)&listen_on_addr, &socklen)<0) { 239 int p = atoi(argv[i]); 240 struct sockaddr_in *sin = (struct sockaddr_in*)&listen_on_addr; 241 if (p < 1 || p > 65535) 242 syntax(); 243 sin->sin_port = htons(p); 244 sin->sin_addr.s_addr = htonl(0x7f000001); 245 sin->sin_family = AF_INET; 246 socklen = sizeof(struct sockaddr_in); 247 } 248 249 memset(&connect_to_addr, 0, sizeof(connect_to_addr)); 250 connect_to_addrlen = sizeof(connect_to_addr); 251 if (evutil_parse_sockaddr_port(argv[i+1], 252 (struct sockaddr*)&connect_to_addr, &connect_to_addrlen)<0) 253 syntax(); 254 255 base = event_base_new(); 256 if (!base) { 257 perror("event_base_new()"); 258 return 1; 259 } 260 261 if (use_ssl) { 262 int r; 263 #if OPENSSL_VERSION_NUMBER < 0x10100000L 264 SSL_library_init(); 265 ERR_load_crypto_strings(); 266 SSL_load_error_strings(); 267 OpenSSL_add_all_algorithms(); 268 #endif 269 r = RAND_poll(); 270 if (r == 0) { 271 fprintf(stderr, "RAND_poll() failed.\n"); 272 return 1; 273 } 274 ssl_ctx = SSL_CTX_new(TLS_method()); 275 } 276 277 listener = evconnlistener_new_bind(base, accept_cb, NULL, 278 LEV_OPT_CLOSE_ON_FREE|LEV_OPT_CLOSE_ON_EXEC|LEV_OPT_REUSEABLE, 279 -1, (struct sockaddr*)&listen_on_addr, socklen); 280 281 if (! listener) { 282 fprintf(stderr, "Couldn't open listener.\n"); 283 event_base_free(base); 284 return 1; 285 } 286 event_base_dispatch(base); 287 288 evconnlistener_free(listener); 289 event_base_free(base); 290 291 return 0; 292 } 293