use strict;
use warnings;
use IO::Socket::SSL;
use IO::Socket::SSL::Utils;
use IO::Select;
use Socket 'MSG_PEEK';

use Getopt::Long qw(:config posix_default bundling);

my $DEBUG;
{
    my $addr = '0.0.0.0:8080';
    my $ciphers;
    my $version;
    my $deny_tls12 = my $deny_tls11 = 0;
    my $issuer;
    my $wildcards = 0;
    GetOptions(
        'h|help'      => sub { usage() },
        'd|debug'     => \$DEBUG,
        'C|ciphers=s' => \$ciphers,
        'V|version=s' => \$version,
        'deny-tls12'  => \$deny_tls12,
        'deny-tls11'  => \$deny_tls11,
	'wildcards=i' => \$wildcards,
	'issuer=s'    => \$issuer,
    );

    sub usage {
        print STDERR <<USAGE;

Usage: $0 [options] [listen-ip:port]
Simulates Proxy, listens on listen-ip:port (default $addr).
Will automatically distinguish between normal HTTP requests, proxy requests 
and direct SSL connects
Options:
  -h|--help      - this usage
  -d|--debug     - some debugging messages
  -C|--ciphers C - specify the ciphers to use instead of builtin
  -V|--version V - specify SSL version to use instead of builtin
  --issuer F     - use CA in file F (containing certificate and key in PEM) as 
                   issuer instead of builtin
  --deny-tls12   - close connection on TLSv12 handshakes from client
  --deny-tls11   - close connection on TLSv11 handshakes from client
  --wildcards N  - generate certificate with N left wildcards (default 0)
USAGE
	exit(1);
    }

    $addr = shift if @ARGV;
    usage() if @ARGV;

    my $data = $issuer ? do {
	open( my $fh,'<',$issuer ) or die "open $issuer: $!";
	local $/; <$fh> 
    } : do { 
	local $/; <DATA> 
    };
    my $issuer_cert = PEM_string2cert($data) or die "no issuer cert found";
    my $issuer_key  = PEM_string2key($data) or die "no issuer key found";

    proxy_server( $addr, 
	deny_tls12 => $deny_tls12,
	deny_tls11 => $deny_tls11,
	$ciphers ? ( SSL_cipher_list => $ciphers ):(),
	$version ? ( SSL_version => $version ):(),
	issuer_cert => $issuer_cert,
	issuer_key  => $issuer_key,
	wildcards   => $wildcards,
    );
}



# ----------------------------------------------------------------------------
# simulate Proxy
# ----------------------------------------------------------------------------
sub proxy_server {
    my ($addr,%args) = @_;
    my %sslargs;
    $sslargs{$_} = delete $args{$_} for grep { m{^SSL_} } keys %args;

    # dynamically create server certs
    my $wildcards   = delete $args{wildcards} || 0;
    my $issuer_cert = delete $args{issuer_cert};
    my $issuer_key  = delete $args{issuer_key};
    my $get_cert = do {
	my %cache;
	sub {
	    my $host = my $cn = shift;
	    $cn =~s{(^|\.)([\w\-]+)}{$1*} for(1..$wildcards);
	    if ( $cache{$cn} ) {
		debug("reusing cert for $cn ($host) wildcards=$wildcards");
	    } else {
		debug("creating cert for $cn ($host) wildcards=$wildcards");
		$cache{$cn} = [ CERT_create(
		    subject => { commonName => $cn },
		    issuer_cert => $issuer_cert,
		    issuer_key => $issuer_key,
		)];
	    }
	    return @{ $cache{$cn} };
	}
    };

    debug("listen on $addr");
    my $srv = IO::Socket::INET->new(
	LocalAddr => $addr,
	Listen => 1,
	Reuse => 1
    ) or die $!;

    my $cl;
    while (1) {
	ACCEPT:
	$cl = undef;
	debug("waiting for request...");
	$cl = $srv->accept or next;

	# peek into socket to determine if this is SSL or not
	# minimal request is "GET / HTTP/1.1\n\n"
	my $buf = '';
	_peek($cl,\$buf,15) or do {
	    debug("failed to get data from client");
	    goto ACCEPT;
	};

	my $ssl_host = undef;
	if ( $buf =~m{\A[A-Z]{3,} } ) {
	    # looks like HTTP
	    $buf = '';
	} else {
	    # does not look like HTTP, assume direct SSL
	    $ssl_host = "direct.ssl.access";
	}

	SSL_UPGRADE:
	my $got_ciphers = '';
	if ( $ssl_host ) {

	    if ( $args{deny_tls12} || $args{deny_tls11} ) {
		_peek($cl,\$buf,11) or do {
		    debug("failed to get client hello");
		    goto ACCEPT;
		};
		if ( $args{deny_tls12} && $buf =~m{^.{9}\x03\x03}s ) {
		    debug("got TLSv1.2 handshake - cut!");
		    goto ACCEPT;
		} elsif ( $args{deny_tls11} && $buf =~m{^.{9}\x03\x02}s ) {
		    debug("got TLSv1.1 handshake - cut!");
		    goto ACCEPT;
		}
	    }

	    my ($cert,$key) = $get_cert->($ssl_host);
	    debug("upgrade to SSL with certificate for $ssl_host");
	    IO::Socket::SSL->start_SSL( $cl,
		SSL_server => 1,
		SSL_cert => $cert,
		SSL_key  => $key,
		%sslargs,
	    ) or do {
		debug("SSL handshake failed: $SSL_ERROR");
		goto ACCEPT;
	    };
	    $got_ciphers = $cl->get_cipher;
	}

	REQUEST:
	# read header
	my $req = '';
	while (<$cl>) {
	    $_ eq "\r\n" and last;
	    $req .= $_;
	}
	if ( $req =~m{\ACONNECT ([^\s:]+)} ) {
	    if ( $ssl_host ) {
		debug("CONNECT inside SSL tunnel - cut");
		next ACCEPT;
	    }
	    $ssl_host = $1;

	    # simulate proxy
	    print $cl "HTTP/1.0 200 ok\r\n\r\n";
	    debug("got proxy request to establish tunnel: CONNECT $ssl_host");
	    goto SSL_UPGRADE;
	}

	my ($met,$ver,$hdr) = $req 
	    =~m{\A([A-Z]+) \S+ HTTP/(1\.[01])\r?\n(.*)\Z}s or do {
	    debug("bad request $req");
	    goto ACCEPT;
	};
	$hdr =~s{\r?\n([ \t])}{$1}g; # continuation lines

	my $rqbody = '';
	my $rqchunked;
	if ( $ver eq '1.1' and $hdr =~m{^Transfer-Encoding: *chunked}mi ) {
	    $rqchunked = 1;
	    debug("chunked request body");
	    while (1) {
		my $h = <$cl>;
		my $len = $h =~m{\A([\da-fA-F]+)\s*(?:;.*)?\r?\n\Z} && hex($1) // do {
		    debug("bad chunking header in request body");
		    goto ACCEPT
		};
		if ($len) {
		    my $n = read($cl,$rqbody,$len,length($rqbody));
		    if ( $n != $len ) {
			debug("eof inside chunk in request body");
			goto ACCEPT;
		    }
		}
		$h = <$cl>; 
		$h =~m{\A\r?\n\Z} or do {
		    debug("expected newline after chunk, got '$h'");
		    goto ACCEPT;
		};
		last if ! $len;
	    }
	} elsif ( my $len = $hdr=~m{^Content-length: *(\d+)}mi && $1 ) {
	    debug("request body with content-length=$len");
	    my $n = read($cl,$rqbody,$len);
	    if ( $n != $len ) {
		debug("eof while reading request body, got $n of $len bytes");
		goto ACCEPT;
	    }
	}

	my $body = 
	    ( $ssl_host ? "SSL_HOST: $ssl_host\nCIPHERS: $got_ciphers\n": "NO SSL\n" )
	    . "---------\n"
	    . $req;
	if ( $rqchunked ) {
	    $body .= "--------- (chunked) body size=".(length($rqbody))."------\n$rqbody\n";
	} elsif ( $rqbody ne '' ) {
	    $body .= "--------- body size=".(length($rqbody))." ------\n$rqbody\n";
	}

	print $cl "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n".
	    "Content-length: ".length($body)."\r\n".
	    "\r\n".
	    $body;
    }
}


sub debug {
    $DEBUG or return;
    my $msg = shift;
    $msg = sprintf($msg,@_) if @_;
    print STDERR "DEBUG: $msg\n";
}

sub _peek {
    my ($cl,$rbuf,$len) = @_;
    while (length($$rbuf)<$len) { 
	my $lbuf;
	if ( ! IO::Select->new($cl)->can_read(30)
	    or ! defined recv($cl,$lbuf,20,MSG_PEEK)) {
	    return;
	}
	$$rbuf .= $lbuf;
    }
    return 1;
}

# ----------------------------------------------------------------------------
# this was used to create CA cert
# ----------------------------------------------------------------------------
#| use IO::Socket::SSL::Utils;
#| my ($cacert,$key) = CERT_create( CA => 1,
#|     subject => { organizationName => 'genua mbh', commonName => 'Test CA' }
#| );
#| print PEM_cert2string($cacert).PEM_key2string($key);

__DATA__
-----BEGIN CERTIFICATE-----
MIICVjCCAb+gAwIBAgIFAIbQ7t4wDQYJKoZIhvcNAQEFBQAwJjEQMA4GA1UEAxMH
VGVzdCBDQTESMBAGA1UEChMJZ2VudWEgbWJoMB4XDTEzMTAyMzA4MjI0MFoXDTE0
MTAyMzA4MjI0MFowJjEQMA4GA1UEAxMHVGVzdCBDQTESMBAGA1UEChMJZ2VudWEg
bWJoMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBD9oBSf8pueg3BxNdf6Mm
PKGmh46R0O3xNOE/HfXc9Z2WxgLEX4PaYMwdzgFuPcVTZycI5NdhM53yydnTilsX
eFct5D2Bz3faiIOB2WnoiNft15YGCdyeue9kf2NkYRLs3eBQDPeU/cXKyfcHb1dS
QpQNKiyL/ono1c0kZRoP3wIDAQABo4GPMIGMMB0GA1UdDgQWBBReUpKjaiNSYfZT
X2+XsfQsYZef0zAfBgNVHSMEGDAWgBReUpKjaiNSYfZTX2+XsfQsYZef0zA8BgNV
HSMENTAzoSqkKDAmMRAwDgYDVQQDEwdUZXN0IENBMRIwEAYDVQQKEwlnZW51YSBt
YmiCBQCG0O7eMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAg9H/7umS
4bKSEyyCzzqyR1vf735wPnUmTL7NrduPCaT/bLVRPmDwhyRrpNVedICxyU3NK9fc
r0Fj12oBBbvLACm8Xfnt23x8IbnGXIz7n5aTFvrv2l3rVMkZOFqo/DFtFnfYGuY8
/N4DtEHG21dwpMrDxXE1pAE5IY+vRMlNEtA=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMEP2gFJ/ym56DcH
E11/oyY8oaaHjpHQ7fE04T8d9dz1nZbGAsRfg9pgzB3OAW49xVNnJwjk12EznfLJ
2dOKWxd4Vy3kPYHPd9qIg4HZaeiI1+3XlgYJ3J6572R/Y2RhEuzd4FAM95T9xcrJ
9wdvV1JClA0qLIv+iejVzSRlGg/fAgMBAAECgYBK8Hs/6tg3+yjPS1jR/zx2GCzr
Nk05/q6N5WfVlyybg1+TafMjBKxqtQ4mN5PIlgOldzHouuN7oIyb9IwwF9F5YeUb
8WTK1iLzTmrcfFJmtRyj0ITF5gb+r6PhPxGr4yt8f9bzaIj7G57a+QT9gXKnLKao
AN4Vxx51MAPvMeREYQJBAPstPjOyWxLsT8yBphlok2w4MnWQASsrflrL6MzuJYOq
zpVxQF3lwSHukhoUhDoyee9miY2kcB9H9PoXWbq4io8CQQDExOwxTlYnyqyvKjFq
vXchcNZ4wCU5sf6pzXF2l6Hb6eCuqYlarMu2JN0h7CC0Jq4qr1BalgesS3WUT1M8
dw2xAkB6Kfgd5rp7CqqJOemSZBWHxhFssnyPBZlwCcsRmSZv0qylbK60vKFhooo2
2xGwyIob0RBH7tmFrVbOKHtA4K6rAkA3sRi8t9RQvN91UHbeJDP0phA96vxeQQ+4
Faq4iyBHswFhziBPJrsdmX9xG3kCJDSFZktS6EXRsSXdTTpc0cFxAkEAo5GS9dAY
7WLAcqNDUorHhFOcZouCYX3LRssikmwc0/dvc9DjwqpNqF1BHT6ucX0pqdQI+fp1
VHJ5f4e/SUTV3g==
-----END PRIVATE KEY-----
;