Created
September 30, 2021 08:25
-
-
Save bullno1/6f8d44b360cf81d86e8f74391303f211 to your computer and use it in GitHub Desktop.
Separate ssl options
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
%% Copyright (c) 2011-2018, Loïc Hoguin <essen@ninenines.eu> | |
%% | |
%% Permission to use, copy, modify, and/or distribute this software for any | |
%% purpose with or without fee is hereby granted, provided that the above | |
%% copyright notice and this permission notice appear in all copies. | |
%% | |
%% THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | |
%% WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | |
%% MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | |
%% ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | |
%% WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | |
%% ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | |
%% OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | |
-module(ranch_ssl_hack). | |
-behaviour(ranch_transport). | |
-export([name/0]). | |
-export([secure/0]). | |
-export([messages/0]). | |
-export([listen/1]). | |
-export([accept/2]). | |
-export([handshake/3]). | |
-export([connect/3]). | |
-export([connect/4]). | |
-export([recv/3]). | |
-export([recv_proxy_header/2]). | |
-export([send/2]). | |
-export([sendfile/2]). | |
-export([sendfile/4]). | |
-export([sendfile/5]). | |
-export([setopts/2]). | |
-export([getopts/2]). | |
-export([getstat/1]). | |
-export([getstat/2]). | |
-export([controlling_process/2]). | |
-export([peername/1]). | |
-export([sockname/1]). | |
-export([shutdown/2]). | |
-export([close/1]). | |
-type ssl_opt() :: {alpn_preferred_protocols, [binary()]} | |
| {beast_mitigation, one_n_minus_one | zero_n | disabled} | |
| {cacertfile, string()} | |
| {cacerts, [public_key:der_encoded()]} | |
| {cert, public_key:der_encoded()} | |
| {certfile, string()} | |
| {ciphers, [ssl:erl_cipher_suite()]} | |
| {client_renegotiation, boolean()} | |
| {crl_cache, {module(), {internal | any(), list()}}} | |
| {crl_check, boolean() | peer | best_effort} | |
| {depth, 0..255} | |
| {dh, public_key:der_encoded()} | |
| {dhfile, string()} | |
| {fail_if_no_peer_cert, boolean()} | |
| {hibernate_after, integer() | undefined} | |
| {honor_cipher_order, boolean()} | |
| {key, {'RSAPrivateKey' | 'DSAPrivateKey' | 'PrivateKeyInfo', public_key:der_encoded()}} | |
| {keyfile, string()} | |
| {log_alert, boolean()} | |
| {next_protocols_advertised, [binary()]} | |
| {padding_check, boolean()} | |
| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} | unknown_ca)} | |
| {password, string()} | |
| {psk_identity, string()} | |
| {reuse_session, fun()} | |
| {reuse_sessions, boolean()} | |
| {secure_renegotiate, boolean()} | |
| {signature_algs, [{atom(), atom()}]} | |
| {sni_fun, fun()} | |
| {sni_hosts, [{string(), ssl_opt()}]} | |
| {user_lookup_fun, {fun(), any()}} | |
| {v2_hello_compatible, boolean()} | |
| {verify, verify_none | verify_peer} | |
| {verify_fun, {fun(), any()}} | |
| {versions, [atom()]}. | |
-export_type([ssl_opt/0]). | |
-type opt() :: ranch_tcp:opt() | ssl_opt(). | |
-export_type([opt/0]). | |
-type opts() :: [opt()]. | |
-export_type([opts/0]). | |
-type tcp_socket() :: {tcp, gen_tcp:socket(), opts()}. | |
-type ssl_socket() :: ssl:sslsocket(). | |
-type socket() :: tcp_socket() | ssl_socket(). | |
-export_type([socket/0]). | |
name() -> ssl. | |
-spec secure() -> boolean(). | |
secure() -> | |
true. | |
messages() -> {ssl, ssl_closed, ssl_error}. | |
-spec listen(opts()) -> {ok, tcp_socket()} | {error, atom()}. | |
listen(Opts0) -> | |
Opts1 = ranch:set_option_default(Opts0, backlog, 1024), | |
Opts2 = ranch:set_option_default(Opts1, nodelay, true), | |
Opts3 = ranch:set_option_default(Opts2, send_timeout, 30000), | |
Opts = ranch:set_option_default(Opts3, send_timeout_close, true), | |
%% We set the port to 0 because it is given in the Opts directly. | |
%% The port in the options takes precedence over the one in the | |
%% first argument. | |
case gen_tcp:listen( | |
proplists:get_value(port, Opts, 0), | |
ranch:filter_options( | |
Opts, | |
[ssl], | |
[binary, {active, false}, {packet, raw}, {reuseaddr, true}] | |
) | |
) of | |
{ok, TcpSocket} -> | |
{ok, {tcp, TcpSocket, proplists:get_value(ssl, Opts, [])}}; | |
{error, _} = Err -> | |
Err | |
end. | |
-spec accept(tcp_socket(), timeout()) | |
-> {ok, tcp_socket()} | {error, closed | timeout | atom()}. | |
accept({tcp, Socket, Opts}, Timeout) -> | |
case gen_tcp:accept(Socket, Timeout) of | |
{ok, ClientSock} -> | |
{ok, {tcp, ClientSock, Opts}}; | |
{error, _} = Err -> | |
Err | |
end. | |
-spec handshake(tcp_socket(), [ssl_opt()], timeout()) | |
-> {ok, ssl_socket()} | {error, any()}. | |
handshake({tcp, Socket, AcceptOpts}, Opts, Timeout) -> | |
MergedOpts = lists:keymerge(1, AcceptOpts, Opts), | |
ssl:handshake(Socket, MergedOpts, Timeout). | |
-spec connect(inet:ip_address() | inet:hostname(), | |
inet:port_number(), any()) | |
-> {ok, ssl_socket()} | {error, atom()}. | |
connect(Host, Port, Opts) when is_integer(Port) -> | |
ssl:connect(Host, Port, | |
Opts ++ [binary, {active, false}, {packet, raw}]). | |
%% @todo Probably filter Opts? | |
-spec connect(inet:ip_address() | inet:hostname(), | |
inet:port_number(), any(), timeout()) | |
-> {ok, ssl_socket()} | {error, atom()}. | |
connect(Host, Port, Opts, Timeout) when is_integer(Port) -> | |
ssl:connect(Host, Port, | |
Opts ++ [binary, {active, false}, {packet, raw}], Timeout). | |
-spec recv(ssl_socket(), non_neg_integer(), timeout()) | |
-> {ok, any()} | {error, closed | atom()}. | |
recv(Socket, Length, Timeout) -> | |
ssl:recv(Socket, Length, Timeout). | |
-spec recv_proxy_header(tcp_socket(), timeout()) | |
-> {ok, ranch_proxy_header:proxy_info()} | |
| {error, closed | atom()} | |
| {error, protocol_error, atom()}. | |
recv_proxy_header({tcp, Socket, _}, Timeout) -> | |
ranch_tcp:recv_proxy_header(Socket, Timeout). | |
-spec send(ssl_socket(), iodata()) -> ok | {error, atom()}. | |
send(Socket, Packet) -> | |
ssl:send(Socket, Packet). | |
-spec sendfile(ssl_socket(), file:name_all() | file:fd()) | |
-> {ok, non_neg_integer()} | {error, atom()}. | |
sendfile(Socket, Filename) -> | |
sendfile(Socket, Filename, 0, 0, []). | |
-spec sendfile(ssl_socket(), file:name_all() | file:fd(), | |
non_neg_integer(), non_neg_integer()) | |
-> {ok, non_neg_integer()} | {error, atom()}. | |
sendfile(Socket, File, Offset, Bytes) -> | |
sendfile(Socket, File, Offset, Bytes, []). | |
%% Unlike with TCP, no syscall can be used here, so sending files | |
%% through SSL will be much slower in comparison. Note that unlike | |
%% file:sendfile/5 this function accepts either a file or a file name. | |
-spec sendfile(ssl_socket(), file:name_all() | file:fd(), | |
non_neg_integer(), non_neg_integer(), ranch_transport:sendfile_opts()) | |
-> {ok, non_neg_integer()} | {error, atom()}. | |
sendfile(Socket, File, Offset, Bytes, Opts) -> | |
ranch_transport:sendfile(?MODULE, Socket, File, Offset, Bytes, Opts). | |
%% @todo Probably filter Opts? | |
-spec setopts(socket(), list()) -> ok | {error, atom()}. | |
setopts({tcp, Socket, _}, Opts) -> | |
inet:setopts(Socket, Opts); | |
setopts(Socket, Opts) -> | |
ssl:setopts(Socket, Opts). | |
-spec getopts(socket(), [atom()]) -> {ok, list()} | {error, atom()}. | |
getopts({tcp, Socket, _}, Opts) -> | |
inet:getopts(Socket, Opts); | |
getopts(Socket, Opts) -> | |
ssl:getopts(Socket, Opts). | |
-spec getstat(socket()) -> {ok, list()} | {error, atom()}. | |
getstat({tcp, Socket, _}) -> | |
inet:getstat(Socket); | |
getstat(Socket) -> | |
ssl:getstat(Socket). | |
-spec getstat(socket(), [atom()]) -> {ok, list()} | {error, atom()}. | |
getstat({tcp, Socket, _}, OptionNames) -> | |
inet:getstat(Socket, OptionNames); | |
getstat(Socket, OptionNames) -> | |
ssl:getstat(Socket, OptionNames). | |
-spec controlling_process(socket(), pid()) | |
-> ok | {error, closed | not_owner | atom()}. | |
controlling_process({tcp, Socket, _}, Pid) -> | |
gen_tcp:controlling_process(Socket, Pid); | |
controlling_process(Socket, Pid) -> | |
ssl:controlling_process(Socket, Pid). | |
-spec peername(socket()) | |
-> {ok, {inet:ip_address(), inet:port_number()}} | {error, atom()}. | |
peername({tcp, Socket, _}) -> | |
inet:peername(Socket); | |
peername(Socket) -> | |
ssl:peername(Socket). | |
-spec sockname(socket()) | |
-> {ok, {inet:ip_address(), inet:port_number()}} | {error, atom()}. | |
sockname({tcp, Socket, _}) -> | |
inet:sockname(Socket); | |
sockname(Socket) -> | |
ssl:sockname(Socket). | |
-spec shutdown(socket(), read | write | read_write) | |
-> ok | {error, atom()}. | |
shutdown({tcp, Socket, _}, How) -> | |
gen_tcp:shutdown(Socket, How); | |
shutdown(Socket, How) -> | |
ssl:shutdown(Socket, How). | |
-spec close(socket()) -> ok. | |
close({tcp, Socket, _}) -> | |
gen_tcp:close(Socket); | |
close(Socket) -> | |
ssl:close(Socket). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment