bullno1/ranch_ssl_hack.erl

## ranch_ssl_hack.erl
%% Copyright (c) 2011-2018, Loïc Hoguin <essen@ninenines.eu>
%%
%% Permission to use, copy, modify, and/or distribute this software for any
%% purpose with or without fee is hereby granted, provided that the above
%% copyright notice and this permission notice appear in all copies.
%%
%% THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
%% WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
%% MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
%% ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
%% WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
%% ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
%% OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

-module(ranch_ssl_hack).
-behaviour(ranch_transport).

-export([name/0]).
-export([secure/0]).
-export([messages/0]).
-export([listen/1]).
-export([accept/2]).
-export([handshake/3]).
-export([connect/3]).
-export([connect/4]).
-export([recv/3]).
-export([recv_proxy_header/2]).
-export([send/2]).
-export([sendfile/2]).
-export([sendfile/4]).
-export([sendfile/5]).
-export([setopts/2]).
-export([getopts/2]).
-export([getstat/1]).
-export([getstat/2]).
-export([controlling_process/2]).
-export([peername/1]).
-export([sockname/1]).
-export([shutdown/2]).
-export([close/1]).

-type ssl_opt() :: {alpn_preferred_protocols, [binary()]}
	| {beast_mitigation, one_n_minus_one | zero_n | disabled}
	| {cacertfile, string()}
	| {cacerts, [public_key:der_encoded()]}
	| {cert, public_key:der_encoded()}
	| {certfile, string()}
	| {ciphers, [ssl:erl_cipher_suite()]}
	| {client_renegotiation, boolean()}
	| {crl_cache, {module(), {internal | any(), list()}}}
	| {crl_check, boolean() | peer | best_effort}
	| {depth, 0..255}
	| {dh, public_key:der_encoded()}
	| {dhfile, string()}
	| {fail_if_no_peer_cert, boolean()}
	| {hibernate_after, integer() | undefined}
	| {honor_cipher_order, boolean()}
	| {key, {'RSAPrivateKey' | 'DSAPrivateKey' | 'PrivateKeyInfo', public_key:der_encoded()}}
	| {keyfile, string()}
	| {log_alert, boolean()}
	| {next_protocols_advertised, [binary()]}
	| {padding_check, boolean()}
	| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} | unknown_ca)}
	| {password, string()}
	| {psk_identity, string()}
	| {reuse_session, fun()}
	| {reuse_sessions, boolean()}
	| {secure_renegotiate, boolean()}
	| {signature_algs, [{atom(), atom()}]}
	| {sni_fun, fun()}
	| {sni_hosts, [{string(), ssl_opt()}]}
	| {user_lookup_fun, {fun(), any()}}
	| {v2_hello_compatible, boolean()}
	| {verify, verify_none | verify_peer}
	| {verify_fun, {fun(), any()}}
	| {versions, [atom()]}.
-export_type([ssl_opt/0]).

-type opt() :: ranch_tcp:opt() | ssl_opt().
-export_type([opt/0]).

-type opts() :: [opt()].
-export_type([opts/0]).

-type tcp_socket() :: {tcp, gen_tcp:socket(), opts()}.
-type ssl_socket() :: ssl:sslsocket().
-type socket() :: tcp_socket() | ssl_socket().
-export_type([socket/0]).

name() -> ssl.

-spec secure() -> boolean().
secure() ->
    true.

messages() -> {ssl, ssl_closed, ssl_error}.

-spec listen(opts()) -> {ok, tcp_socket()} | {error, atom()}.
listen(Opts0) ->
	Opts1 = ranch:set_option_default(Opts0, backlog, 1024),
	Opts2 = ranch:set_option_default(Opts1, nodelay, true),
	Opts3 = ranch:set_option_default(Opts2, send_timeout, 30000),
	Opts = ranch:set_option_default(Opts3, send_timeout_close, true),
	%% We set the port to 0 because it is given in the Opts directly.
	%% The port in the options takes precedence over the one in the
	%% first argument.
	case gen_tcp:listen(
		proplists:get_value(port, Opts, 0),
		ranch:filter_options(
			Opts,
			[ssl],
			[binary, {active, false}, {packet, raw}, {reuseaddr, true}]
		)
	) of
		{ok, TcpSocket} ->
			{ok, {tcp, TcpSocket, proplists:get_value(ssl, Opts, [])}};
		{error, _} = Err ->
			Err
	end.

-spec accept(tcp_socket(), timeout())
	-> {ok, tcp_socket()} | {error, closed | timeout | atom()}.
accept({tcp, Socket, Opts}, Timeout) ->
	case gen_tcp:accept(Socket, Timeout) of
		{ok, ClientSock} ->
			{ok, {tcp, ClientSock, Opts}};
		{error, _} = Err ->
			Err
	end.

-spec handshake(tcp_socket(), [ssl_opt()], timeout())
	-> {ok, ssl_socket()} | {error, any()}.
handshake({tcp, Socket, AcceptOpts}, Opts, Timeout) ->
	MergedOpts = lists:keymerge(1, AcceptOpts, Opts),
	ssl:handshake(Socket, MergedOpts, Timeout).

-spec connect(inet:ip_address() | inet:hostname(),
	inet:port_number(), any())
	-> {ok, ssl_socket()} | {error, atom()}.
connect(Host, Port, Opts) when is_integer(Port) ->
	ssl:connect(Host, Port,
		Opts ++ [binary, {active, false}, {packet, raw}]).

%% @todo Probably filter Opts?
-spec connect(inet:ip_address() | inet:hostname(),
	inet:port_number(), any(), timeout())
	-> {ok, ssl_socket()} | {error, atom()}.
connect(Host, Port, Opts, Timeout) when is_integer(Port) ->
	ssl:connect(Host, Port,
		Opts ++ [binary, {active, false}, {packet, raw}], Timeout).

-spec recv(ssl_socket(), non_neg_integer(), timeout())
	-> {ok, any()} | {error, closed | atom()}.
recv(Socket, Length, Timeout) ->
	ssl:recv(Socket, Length, Timeout).

-spec recv_proxy_header(tcp_socket(), timeout())
	-> {ok, ranch_proxy_header:proxy_info()}
	| {error, closed | atom()}
	| {error, protocol_error, atom()}.
recv_proxy_header({tcp, Socket, _}, Timeout) ->
	ranch_tcp:recv_proxy_header(Socket, Timeout).

-spec send(ssl_socket(), iodata()) -> ok | {error, atom()}.
send(Socket, Packet) ->
	ssl:send(Socket, Packet).

-spec sendfile(ssl_socket(), file:name_all() | file:fd())
	-> {ok, non_neg_integer()} | {error, atom()}.
sendfile(Socket, Filename) ->
	sendfile(Socket, Filename, 0, 0, []).

-spec sendfile(ssl_socket(), file:name_all() | file:fd(),
		non_neg_integer(), non_neg_integer())
	-> {ok, non_neg_integer()} | {error, atom()}.
sendfile(Socket, File, Offset, Bytes) ->
	sendfile(Socket, File, Offset, Bytes, []).

%% Unlike with TCP, no syscall can be used here, so sending files
%% through SSL will be much slower in comparison. Note that unlike
%% file:sendfile/5 this function accepts either a file or a file name.
-spec sendfile(ssl_socket(), file:name_all() | file:fd(),
		non_neg_integer(), non_neg_integer(), ranch_transport:sendfile_opts())
	-> {ok, non_neg_integer()} | {error, atom()}.
sendfile(Socket, File, Offset, Bytes, Opts) ->
	ranch_transport:sendfile(?MODULE, Socket, File, Offset, Bytes, Opts).

%% @todo Probably filter Opts?
-spec setopts(socket(), list()) -> ok | {error, atom()}.
setopts({tcp, Socket, _}, Opts) ->
	inet:setopts(Socket, Opts);
setopts(Socket, Opts) ->
	ssl:setopts(Socket, Opts).

-spec getopts(socket(), [atom()]) -> {ok, list()} | {error, atom()}.
getopts({tcp, Socket, _}, Opts) ->
	inet:getopts(Socket, Opts);
getopts(Socket, Opts) ->
	ssl:getopts(Socket, Opts).

-spec getstat(socket()) -> {ok, list()} | {error, atom()}.
getstat({tcp, Socket, _}) ->
	inet:getstat(Socket);
getstat(Socket) ->
	ssl:getstat(Socket).

-spec getstat(socket(), [atom()]) -> {ok, list()} | {error, atom()}.
getstat({tcp, Socket, _}, OptionNames) ->
	inet:getstat(Socket, OptionNames);
getstat(Socket, OptionNames) ->
	ssl:getstat(Socket, OptionNames).

-spec controlling_process(socket(), pid())
	-> ok | {error, closed | not_owner | atom()}.
controlling_process({tcp, Socket, _}, Pid) ->
	gen_tcp:controlling_process(Socket, Pid);
controlling_process(Socket, Pid) ->
	ssl:controlling_process(Socket, Pid).

-spec peername(socket())
	-> {ok, {inet:ip_address(), inet:port_number()}} | {error, atom()}.
peername({tcp, Socket, _}) ->
	inet:peername(Socket);
peername(Socket) ->
	ssl:peername(Socket).

-spec sockname(socket())
	-> {ok, {inet:ip_address(), inet:port_number()}} | {error, atom()}.
sockname({tcp, Socket, _}) ->
	inet:sockname(Socket);
sockname(Socket) ->
	ssl:sockname(Socket).

-spec shutdown(socket(), read | write | read_write)
	-> ok | {error, atom()}.
shutdown({tcp, Socket, _}, How) ->
	gen_tcp:shutdown(Socket, How);
shutdown(Socket, How) ->
	ssl:shutdown(Socket, How).

-spec close(socket()) -> ok.
close({tcp, Socket, _}) ->
	gen_tcp:close(Socket);
close(Socket) ->
	ssl:close(Socket).
	%% Copyright (c) 2011-2018, Loïc Hoguin <essen@ninenines.eu>
	%%
	%% Permission to use, copy, modify, and/or distribute this software for any
	%% purpose with or without fee is hereby granted, provided that the above
	%% copyright notice and this permission notice appear in all copies.
	%%
	%% THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	%% WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	%% MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	%% ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	%% WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	%% ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	%% OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

	-module(ranch_ssl_hack).
	-behaviour(ranch_transport).

	-export([name/0]).
	-export([secure/0]).
	-export([messages/0]).
	-export([listen/1]).
	-export([accept/2]).
	-export([handshake/3]).
	-export([connect/3]).
	-export([connect/4]).
	-export([recv/3]).
	-export([recv_proxy_header/2]).
	-export([send/2]).
	-export([sendfile/2]).
	-export([sendfile/4]).
	-export([sendfile/5]).
	-export([setopts/2]).
	-export([getopts/2]).
	-export([getstat/1]).
	-export([getstat/2]).
	-export([controlling_process/2]).
	-export([peername/1]).
	-export([sockname/1]).
	-export([shutdown/2]).
	-export([close/1]).

	-type ssl_opt() :: {alpn_preferred_protocols, [binary()]}
	\| {beast_mitigation, one_n_minus_one \| zero_n \| disabled}
	\| {cacertfile, string()}
	\| {cacerts, [public_key:der_encoded()]}
	\| {cert, public_key:der_encoded()}
	\| {certfile, string()}
	\| {ciphers, [ssl:erl_cipher_suite()]}
	\| {client_renegotiation, boolean()}
	\| {crl_cache, {module(), {internal \| any(), list()}}}
	\| {crl_check, boolean() \| peer \| best_effort}
	\| {depth, 0..255}
	\| {dh, public_key:der_encoded()}
	\| {dhfile, string()}
	\| {fail_if_no_peer_cert, boolean()}
	\| {hibernate_after, integer() \| undefined}
	\| {honor_cipher_order, boolean()}
	\| {key, {'RSAPrivateKey' \| 'DSAPrivateKey' \| 'PrivateKeyInfo', public_key:der_encoded()}}
	\| {keyfile, string()}
	\| {log_alert, boolean()}
	\| {next_protocols_advertised, [binary()]}
	\| {padding_check, boolean()}
	\| {partial_chain, fun(([public_key:der_encoded()]) -> {trusted_ca, public_key:der_encoded()} \| unknown_ca)}
	\| {password, string()}
	\| {psk_identity, string()}
	\| {reuse_session, fun()}
	\| {reuse_sessions, boolean()}
	\| {secure_renegotiate, boolean()}
	\| {signature_algs, [{atom(), atom()}]}
	\| {sni_fun, fun()}
	\| {sni_hosts, [{string(), ssl_opt()}]}
	\| {user_lookup_fun, {fun(), any()}}
	\| {v2_hello_compatible, boolean()}
	\| {verify, verify_none \| verify_peer}
	\| {verify_fun, {fun(), any()}}
	\| {versions, [atom()]}.
	-export_type([ssl_opt/0]).

	-type opt() :: ranch_tcp:opt() \| ssl_opt().
	-export_type([opt/0]).

	-type opts() :: [opt()].
	-export_type([opts/0]).

	-type tcp_socket() :: {tcp, gen_tcp:socket(), opts()}.
	-type ssl_socket() :: ssl:sslsocket().
	-type socket() :: tcp_socket() \| ssl_socket().
	-export_type([socket/0]).

	name() -> ssl.

	-spec secure() -> boolean().
	secure() ->
	true.

	messages() -> {ssl, ssl_closed, ssl_error}.

	-spec listen(opts()) -> {ok, tcp_socket()} \| {error, atom()}.
	listen(Opts0) ->
	Opts1 = ranch:set_option_default(Opts0, backlog, 1024),
	Opts2 = ranch:set_option_default(Opts1, nodelay, true),
	Opts3 = ranch:set_option_default(Opts2, send_timeout, 30000),
	Opts = ranch:set_option_default(Opts3, send_timeout_close, true),
	%% We set the port to 0 because it is given in the Opts directly.
	%% The port in the options takes precedence over the one in the
	%% first argument.
	case gen_tcp:listen(
	proplists:get_value(port, Opts, 0),
	ranch:filter_options(
	Opts,
	[ssl],
	[binary, {active, false}, {packet, raw}, {reuseaddr, true}]
	)
	) of
	{ok, TcpSocket} ->
	{ok, {tcp, TcpSocket, proplists:get_value(ssl, Opts, [])}};
	{error, _} = Err ->
	Err
	end.

	-spec accept(tcp_socket(), timeout())
	-> {ok, tcp_socket()} \| {error, closed \| timeout \| atom()}.
	accept({tcp, Socket, Opts}, Timeout) ->
	case gen_tcp:accept(Socket, Timeout) of
	{ok, ClientSock} ->
	{ok, {tcp, ClientSock, Opts}};
	{error, _} = Err ->
	Err
	end.

	-spec handshake(tcp_socket(), [ssl_opt()], timeout())
	-> {ok, ssl_socket()} \| {error, any()}.
	handshake({tcp, Socket, AcceptOpts}, Opts, Timeout) ->
	MergedOpts = lists:keymerge(1, AcceptOpts, Opts),
	ssl:handshake(Socket, MergedOpts, Timeout).

	-spec connect(inet:ip_address() \| inet:hostname(),
	inet:port_number(), any())
	-> {ok, ssl_socket()} \| {error, atom()}.
	connect(Host, Port, Opts) when is_integer(Port) ->
	ssl:connect(Host, Port,
	Opts ++ [binary, {active, false}, {packet, raw}]).

	%% @todo Probably filter Opts?
	-spec connect(inet:ip_address() \| inet:hostname(),
	inet:port_number(), any(), timeout())
	-> {ok, ssl_socket()} \| {error, atom()}.
	connect(Host, Port, Opts, Timeout) when is_integer(Port) ->
	ssl:connect(Host, Port,
	Opts ++ [binary, {active, false}, {packet, raw}], Timeout).

	-spec recv(ssl_socket(), non_neg_integer(), timeout())
	-> {ok, any()} \| {error, closed \| atom()}.
	recv(Socket, Length, Timeout) ->
	ssl:recv(Socket, Length, Timeout).

	-spec recv_proxy_header(tcp_socket(), timeout())
	-> {ok, ranch_proxy_header:proxy_info()}
	\| {error, closed \| atom()}
	\| {error, protocol_error, atom()}.
	recv_proxy_header({tcp, Socket, _}, Timeout) ->
	ranch_tcp:recv_proxy_header(Socket, Timeout).

	-spec send(ssl_socket(), iodata()) -> ok \| {error, atom()}.
	send(Socket, Packet) ->
	ssl:send(Socket, Packet).

	-spec sendfile(ssl_socket(), file:name_all() \| file:fd())
	-> {ok, non_neg_integer()} \| {error, atom()}.
	sendfile(Socket, Filename) ->
	sendfile(Socket, Filename, 0, 0, []).

	-spec sendfile(ssl_socket(), file:name_all() \| file:fd(),
	non_neg_integer(), non_neg_integer())
	-> {ok, non_neg_integer()} \| {error, atom()}.
	sendfile(Socket, File, Offset, Bytes) ->
	sendfile(Socket, File, Offset, Bytes, []).

	%% Unlike with TCP, no syscall can be used here, so sending files
	%% through SSL will be much slower in comparison. Note that unlike
	%% file:sendfile/5 this function accepts either a file or a file name.
	-spec sendfile(ssl_socket(), file:name_all() \| file:fd(),
	non_neg_integer(), non_neg_integer(), ranch_transport:sendfile_opts())
	-> {ok, non_neg_integer()} \| {error, atom()}.
	sendfile(Socket, File, Offset, Bytes, Opts) ->
	ranch_transport:sendfile(?MODULE, Socket, File, Offset, Bytes, Opts).

	%% @todo Probably filter Opts?
	-spec setopts(socket(), list()) -> ok \| {error, atom()}.
	setopts({tcp, Socket, _}, Opts) ->
	inet:setopts(Socket, Opts);
	setopts(Socket, Opts) ->
	ssl:setopts(Socket, Opts).

	-spec getopts(socket(), [atom()]) -> {ok, list()} \| {error, atom()}.
	getopts({tcp, Socket, _}, Opts) ->
	inet:getopts(Socket, Opts);
	getopts(Socket, Opts) ->
	ssl:getopts(Socket, Opts).

	-spec getstat(socket()) -> {ok, list()} \| {error, atom()}.
	getstat({tcp, Socket, _}) ->
	inet:getstat(Socket);
	getstat(Socket) ->
	ssl:getstat(Socket).

	-spec getstat(socket(), [atom()]) -> {ok, list()} \| {error, atom()}.
	getstat({tcp, Socket, _}, OptionNames) ->
	inet:getstat(Socket, OptionNames);
	getstat(Socket, OptionNames) ->
	ssl:getstat(Socket, OptionNames).

	-spec controlling_process(socket(), pid())
	-> ok \| {error, closed \| not_owner \| atom()}.
	controlling_process({tcp, Socket, _}, Pid) ->
	gen_tcp:controlling_process(Socket, Pid);
	controlling_process(Socket, Pid) ->
	ssl:controlling_process(Socket, Pid).

	-spec peername(socket())
	-> {ok, {inet:ip_address(), inet:port_number()}} \| {error, atom()}.
	peername({tcp, Socket, _}) ->
	inet:peername(Socket);
	peername(Socket) ->
	ssl:peername(Socket).

	-spec sockname(socket())
	-> {ok, {inet:ip_address(), inet:port_number()}} \| {error, atom()}.
	sockname({tcp, Socket, _}) ->
	inet:sockname(Socket);
	sockname(Socket) ->
	ssl:sockname(Socket).

	-spec shutdown(socket(), read \| write \| read_write)
	-> ok \| {error, atom()}.
	shutdown({tcp, Socket, _}, How) ->
	gen_tcp:shutdown(Socket, How);
	shutdown(Socket, How) ->
	ssl:shutdown(Socket, How).

	-spec close(socket()) -> ok.
	close({tcp, Socket, _}) ->
	gen_tcp:close(Socket);
	close(Socket) ->
	ssl:close(Socket).