1 /* $NetBSD: le-proxy.c,v 1.1.1.1 2013/04/11 16:43:31 christos Exp $ */
3 This example code shows how to write an (optionally encrypting) SSL proxy
4 with Libevent's bufferevent layer.
6 XXX It's a little ugly and should probably be cleaned up.
19 #include <sys/socket.h>
20 #include <netinet/in.h>
23 #include <event2/bufferevent_ssl.h>
24 #include <event2/bufferevent.h>
25 #include <event2/buffer.h>
26 #include <event2/listener.h>
27 #include <event2/util.h>
29 #include <openssl/ssl.h>
30 #include <openssl/err.h>
31 #include <openssl/rand.h>
33 static struct event_base
*base
;
34 static struct sockaddr_storage listen_on_addr
;
35 static struct sockaddr_storage connect_to_addr
;
36 static int connect_to_addrlen
;
37 static int use_wrapper
= 1;
39 static SSL_CTX
*ssl_ctx
= NULL
;
41 #define MAX_OUTPUT (512*1024)
43 static void drained_writecb(struct bufferevent
*bev
, void *ctx
);
44 static void eventcb(struct bufferevent
*bev
, short what
, void *ctx
);
47 readcb(struct bufferevent
*bev
, void *ctx
)
49 struct bufferevent
*partner
= ctx
;
50 struct evbuffer
*src
, *dst
;
52 src
= bufferevent_get_input(bev
);
53 len
= evbuffer_get_length(src
);
55 evbuffer_drain(src
, len
);
58 dst
= bufferevent_get_output(partner
);
59 evbuffer_add_buffer(dst
, src
);
61 if (evbuffer_get_length(dst
) >= MAX_OUTPUT
) {
62 /* We're giving the other side data faster than it can
63 * pass it on. Stop reading here until we have drained the
64 * other side to MAX_OUTPUT/2 bytes. */
65 bufferevent_setcb(partner
, readcb
, drained_writecb
,
67 bufferevent_setwatermark(partner
, EV_WRITE
, MAX_OUTPUT
/2,
69 bufferevent_disable(bev
, EV_READ
);
74 drained_writecb(struct bufferevent
*bev
, void *ctx
)
76 struct bufferevent
*partner
= ctx
;
78 /* We were choking the other side until we drained our outbuf a bit.
79 * Now it seems drained. */
80 bufferevent_setcb(bev
, readcb
, NULL
, eventcb
, partner
);
81 bufferevent_setwatermark(bev
, EV_WRITE
, 0, 0);
83 bufferevent_enable(partner
, EV_READ
);
87 close_on_finished_writecb(struct bufferevent
*bev
, void *ctx
)
89 struct evbuffer
*b
= bufferevent_get_output(bev
);
91 if (evbuffer_get_length(b
) == 0) {
92 bufferevent_free(bev
);
97 eventcb(struct bufferevent
*bev
, short what
, void *ctx
)
99 struct bufferevent
*partner
= ctx
;
101 if (what
& (BEV_EVENT_EOF
|BEV_EVENT_ERROR
)) {
102 if (what
& BEV_EVENT_ERROR
) {
104 while ((err
= (bufferevent_get_openssl_error(bev
)))) {
105 const char *msg
= (const char*)
106 ERR_reason_error_string(err
);
107 const char *lib
= (const char*)
108 ERR_lib_error_string(err
);
109 const char *func
= (const char*)
110 ERR_func_error_string(err
);
112 "%s in %s %s\n", msg
, lib
, func
);
115 perror("connection error");
119 /* Flush all pending data */
122 if (evbuffer_get_length(
123 bufferevent_get_output(partner
))) {
124 /* We still have to flush data from the other
125 * side, but when that's done, close the other
127 bufferevent_setcb(partner
,
128 NULL
, close_on_finished_writecb
,
130 bufferevent_disable(partner
, EV_READ
);
132 /* We have nothing left to say to the other
134 bufferevent_free(partner
);
137 bufferevent_free(bev
);
144 fputs("Syntax:\n", stderr
);
145 fputs(" le-proxy [-s] [-W] <listen-on-addr> <connect-to-addr>\n", stderr
);
146 fputs("Example:\n", stderr
);
147 fputs(" le-proxy 127.0.0.1:8888 1.2.3.4:80\n", stderr
);
153 accept_cb(struct evconnlistener
*listener
, evutil_socket_t fd
,
154 struct sockaddr
*a
, int slen
, void *p
)
156 struct bufferevent
*b_out
, *b_in
;
157 /* Create two linked bufferevent objects: one to connect, one for the
159 b_in
= bufferevent_socket_new(base
, fd
,
160 BEV_OPT_CLOSE_ON_FREE
|BEV_OPT_DEFER_CALLBACKS
);
162 if (!ssl_ctx
|| use_wrapper
)
163 b_out
= bufferevent_socket_new(base
, -1,
164 BEV_OPT_CLOSE_ON_FREE
|BEV_OPT_DEFER_CALLBACKS
);
166 SSL
*ssl
= SSL_new(ssl_ctx
);
167 b_out
= bufferevent_openssl_socket_new(base
, -1, ssl
,
168 BUFFEREVENT_SSL_CONNECTING
,
169 BEV_OPT_CLOSE_ON_FREE
|BEV_OPT_DEFER_CALLBACKS
);
172 assert(b_in
&& b_out
);
174 if (bufferevent_socket_connect(b_out
,
175 (struct sockaddr
*)&connect_to_addr
, connect_to_addrlen
)<0) {
176 perror("bufferevent_socket_connect");
177 bufferevent_free(b_out
);
178 bufferevent_free(b_in
);
182 if (ssl_ctx
&& use_wrapper
) {
183 struct bufferevent
*b_ssl
;
184 SSL
*ssl
= SSL_new(ssl_ctx
);
185 b_ssl
= bufferevent_openssl_filter_new(base
,
186 b_out
, ssl
, BUFFEREVENT_SSL_CONNECTING
,
187 BEV_OPT_CLOSE_ON_FREE
|BEV_OPT_DEFER_CALLBACKS
);
189 perror("Bufferevent_openssl_new");
190 bufferevent_free(b_out
);
191 bufferevent_free(b_in
);
196 bufferevent_setcb(b_in
, readcb
, NULL
, eventcb
, b_out
);
197 bufferevent_setcb(b_out
, readcb
, NULL
, eventcb
, b_in
);
199 bufferevent_enable(b_in
, EV_READ
|EV_WRITE
);
200 bufferevent_enable(b_out
, EV_READ
|EV_WRITE
);
204 main(int argc
, char **argv
)
210 struct evconnlistener
*listener
;
215 for (i
=1; i
< argc
; ++i
) {
216 if (!strcmp(argv
[i
], "-s")) {
218 } else if (!strcmp(argv
[i
], "-W")) {
220 } else if (argv
[i
][0] == '-') {
229 memset(&listen_on_addr
, 0, sizeof(listen_on_addr
));
230 socklen
= sizeof(listen_on_addr
);
231 if (evutil_parse_sockaddr_port(argv
[i
],
232 (struct sockaddr
*)&listen_on_addr
, &socklen
)<0) {
233 int p
= atoi(argv
[i
]);
234 struct sockaddr_in
*sin
= (struct sockaddr_in
*)&listen_on_addr
;
235 if (p
< 1 || p
> 65535)
237 sin
->sin_port
= htons(p
);
238 sin
->sin_addr
.s_addr
= htonl(0x7f000001);
239 sin
->sin_family
= AF_INET
;
240 socklen
= sizeof(struct sockaddr_in
);
243 memset(&connect_to_addr
, 0, sizeof(connect_to_addr
));
244 connect_to_addrlen
= sizeof(connect_to_addr
);
245 if (evutil_parse_sockaddr_port(argv
[i
+1],
246 (struct sockaddr
*)&connect_to_addr
, &connect_to_addrlen
)<0)
249 base
= event_base_new();
251 perror("event_base_new()");
258 ERR_load_crypto_strings();
259 SSL_load_error_strings();
260 OpenSSL_add_all_algorithms();
263 fprintf(stderr
, "RAND_poll() failed.\n");
266 ssl_ctx
= SSL_CTX_new(SSLv23_method());
269 listener
= evconnlistener_new_bind(base
, accept_cb
, NULL
,
270 LEV_OPT_CLOSE_ON_FREE
|LEV_OPT_CLOSE_ON_EXEC
|LEV_OPT_REUSEABLE
,
271 -1, (struct sockaddr
*)&listen_on_addr
, socklen
);
273 event_base_dispatch(base
);
275 evconnlistener_free(listener
);
276 event_base_free(base
);