2 This example code shows how to write an (optionally encrypting) SSL proxy
3 with Libevent's bufferevent layer.
5 XXX It's a little ugly and should probably be cleaned up.
8 // Get rid of OSX 10.7 and greater deprecation warnings.
9 #if defined(__APPLE__) && defined(__clang__)
10 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
23 #include <sys/socket.h>
24 #include <netinet/in.h>
27 #include <event2/bufferevent_ssl.h>
28 #include <event2/bufferevent.h>
29 #include <event2/buffer.h>
30 #include <event2/listener.h>
31 #include <event2/util.h>
33 #include "util-internal.h"
34 #include <openssl/ssl.h>
35 #include <openssl/err.h>
36 #include <openssl/rand.h>
37 #include "openssl-compat.h"
39 static struct event_base *base;
40 static struct sockaddr_storage listen_on_addr;
41 static struct sockaddr_storage connect_to_addr;
42 static int connect_to_addrlen;
43 static int use_wrapper = 1;
45 static SSL_CTX *ssl_ctx = NULL;
47 #define MAX_OUTPUT (512*1024)
49 static void drained_writecb(struct bufferevent *bev, void *ctx);
50 static void eventcb(struct bufferevent *bev, short what, void *ctx);
53 readcb(struct bufferevent *bev, void *ctx)
55 struct bufferevent *partner = ctx;
56 struct evbuffer *src, *dst;
58 src = bufferevent_get_input(bev);
59 len = evbuffer_get_length(src);
61 evbuffer_drain(src, len);
64 dst = bufferevent_get_output(partner);
65 evbuffer_add_buffer(dst, src);
67 if (evbuffer_get_length(dst) >= MAX_OUTPUT) {
68 /* We're giving the other side data faster than it can
69 * pass it on. Stop reading here until we have drained the
70 * other side to MAX_OUTPUT/2 bytes. */
71 bufferevent_setcb(partner, readcb, drained_writecb,
73 bufferevent_setwatermark(partner, EV_WRITE, MAX_OUTPUT/2,
75 bufferevent_disable(bev, EV_READ);
80 drained_writecb(struct bufferevent *bev, void *ctx)
82 struct bufferevent *partner = ctx;
84 /* We were choking the other side until we drained our outbuf a bit.
85 * Now it seems drained. */
86 bufferevent_setcb(bev, readcb, NULL, eventcb, partner);
87 bufferevent_setwatermark(bev, EV_WRITE, 0, 0);
89 bufferevent_enable(partner, EV_READ);
93 close_on_finished_writecb(struct bufferevent *bev, void *ctx)
95 struct evbuffer *b = bufferevent_get_output(bev);
97 if (evbuffer_get_length(b) == 0) {
98 bufferevent_free(bev);
103 eventcb(struct bufferevent *bev, short what, void *ctx)
105 struct bufferevent *partner = ctx;
107 if (what & (BEV_EVENT_EOF|BEV_EVENT_ERROR)) {
108 if (what & BEV_EVENT_ERROR) {
110 while ((err = (bufferevent_get_openssl_error(bev)))) {
111 const char *msg = (const char*)
112 ERR_reason_error_string(err);
113 const char *lib = (const char*)
114 ERR_lib_error_string(err);
115 const char *func = (const char*)
116 ERR_func_error_string(err);
118 "%s in %s %s\n", msg, lib, func);
121 perror("connection error");
125 /* Flush all pending data */
128 if (evbuffer_get_length(
129 bufferevent_get_output(partner))) {
130 /* We still have to flush data from the other
131 * side, but when that's done, close the other
133 bufferevent_setcb(partner,
134 NULL, close_on_finished_writecb,
136 bufferevent_disable(partner, EV_READ);
138 /* We have nothing left to say to the other
140 bufferevent_free(partner);
143 bufferevent_free(bev);
150 fputs("Syntax:\n", stderr);
151 fputs(" le-proxy [-s] [-W] <listen-on-addr> <connect-to-addr>\n", stderr);
152 fputs("Example:\n", stderr);
153 fputs(" le-proxy 127.0.0.1:8888 1.2.3.4:80\n", stderr);
159 accept_cb(struct evconnlistener *listener, evutil_socket_t fd,
160 struct sockaddr *a, int slen, void *p)
162 struct bufferevent *b_out, *b_in;
163 /* Create two linked bufferevent objects: one to connect, one for the
165 b_in = bufferevent_socket_new(base, fd,
166 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
168 if (!ssl_ctx || use_wrapper)
169 b_out = bufferevent_socket_new(base, -1,
170 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
172 SSL *ssl = SSL_new(ssl_ctx);
173 b_out = bufferevent_openssl_socket_new(base, -1, ssl,
174 BUFFEREVENT_SSL_CONNECTING,
175 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
178 assert(b_in && b_out);
180 if (bufferevent_socket_connect(b_out,
181 (struct sockaddr*)&connect_to_addr, connect_to_addrlen)<0) {
182 perror("bufferevent_socket_connect");
183 bufferevent_free(b_out);
184 bufferevent_free(b_in);
188 if (ssl_ctx && use_wrapper) {
189 struct bufferevent *b_ssl;
190 SSL *ssl = SSL_new(ssl_ctx);
191 b_ssl = bufferevent_openssl_filter_new(base,
192 b_out, ssl, BUFFEREVENT_SSL_CONNECTING,
193 BEV_OPT_CLOSE_ON_FREE|BEV_OPT_DEFER_CALLBACKS);
195 perror("Bufferevent_openssl_new");
196 bufferevent_free(b_out);
197 bufferevent_free(b_in);
203 bufferevent_setcb(b_in, readcb, NULL, eventcb, b_out);
204 bufferevent_setcb(b_out, readcb, NULL, eventcb, b_in);
206 bufferevent_enable(b_in, EV_READ|EV_WRITE);
207 bufferevent_enable(b_out, EV_READ|EV_WRITE);
211 main(int argc, char **argv)
217 struct evconnlistener *listener;
220 WORD wVersionRequested;
222 wVersionRequested = MAKEWORD(2, 2);
223 (void) WSAStartup(wVersionRequested, &wsaData);
229 for (i=1; i < argc; ++i) {
230 if (!strcmp(argv[i], "-s")) {
232 } else if (!strcmp(argv[i], "-W")) {
234 } else if (argv[i][0] == '-') {
243 memset(&listen_on_addr, 0, sizeof(listen_on_addr));
244 socklen = sizeof(listen_on_addr);
245 if (evutil_parse_sockaddr_port(argv[i],
246 (struct sockaddr*)&listen_on_addr, &socklen)<0) {
247 int p = atoi(argv[i]);
248 struct sockaddr_in *sin = (struct sockaddr_in*)&listen_on_addr;
249 if (p < 1 || p > 65535)
251 sin->sin_port = htons(p);
252 sin->sin_addr.s_addr = htonl(0x7f000001);
253 sin->sin_family = AF_INET;
254 socklen = sizeof(struct sockaddr_in);
257 memset(&connect_to_addr, 0, sizeof(connect_to_addr));
258 connect_to_addrlen = sizeof(connect_to_addr);
259 if (evutil_parse_sockaddr_port(argv[i+1],
260 (struct sockaddr*)&connect_to_addr, &connect_to_addrlen)<0)
263 base = event_base_new();
265 perror("event_base_new()");
271 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
272 (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
274 ERR_load_crypto_strings();
275 SSL_load_error_strings();
276 OpenSSL_add_all_algorithms();
280 fprintf(stderr, "RAND_poll() failed.\n");
283 ssl_ctx = SSL_CTX_new(TLS_method());
286 listener = evconnlistener_new_bind(base, accept_cb, NULL,
287 LEV_OPT_CLOSE_ON_FREE|LEV_OPT_CLOSE_ON_EXEC|LEV_OPT_REUSEABLE,
288 -1, (struct sockaddr*)&listen_on_addr, socklen);
291 fprintf(stderr, "Couldn't open listener.\n");
292 event_base_free(base);
295 event_base_dispatch(base);
297 evconnlistener_free(listener);
298 event_base_free(base);