1 |
|
%%%============================================================================= |
2 |
|
%%% @copyright (C) 1999-2018, Erlang Solutions Ltd |
3 |
|
%%% @author Denys Gonchar <denys.gonchar@erlang-solutions.com> |
4 |
|
%%% @doc this module provides general TLS interface for MongooseIM. |
5 |
|
%%% |
6 |
|
%%% by default tls_module is set to fast_tls, alternatively it can be any |
7 |
|
%%% module that implements mongoose_tls behaviour |
8 |
|
%%% @end |
9 |
|
%%%============================================================================= |
10 |
|
-module(mongoose_tls). |
11 |
|
-copyright("2018, Erlang Solutions Ltd."). |
12 |
|
-author('denys.gonchar@erlang-solutions.com'). |
13 |
|
|
14 |
|
%% tls interfaces required by mongoose_transport module. |
15 |
|
-export([prepare_options/2, |
16 |
|
tcp_to_tls/2, |
17 |
|
default_ciphers/0, |
18 |
|
send/2, |
19 |
|
recv_data/2, |
20 |
|
controlling_process/2, |
21 |
|
sockname/1, |
22 |
|
peername/1, |
23 |
|
setopts/2, |
24 |
|
get_peer_certificate/1, |
25 |
|
close/1]). |
26 |
|
|
27 |
|
-export([get_sockmod/1]). |
28 |
|
|
29 |
|
-ignore_xref([behaviour_info/1, close/1, controlling_process/2, peername/1, |
30 |
|
send/2, setopts/2, sockname/1]). |
31 |
|
|
32 |
|
-ignore_xref([get_sockmod/1]). |
33 |
|
|
34 |
|
-type tls_socket() :: fast_tls:tls_socket() | just_tls:tls_socket(). |
35 |
|
-type cert() :: {ok, Cert::any()} | {bad_cert, bitstring()} | no_peer_cert. |
36 |
|
|
37 |
|
%% Options used for client-side and server-side TLS connections. |
38 |
|
%% All modules implementing this behaviour have to support the mandatory 'verify_mode' option. |
39 |
|
%% Other options should be supported if the implementing module supports it. |
40 |
|
-type options() :: #{module => module(), % fast_tls by default |
41 |
|
connect => boolean(), % set to 'true' for a client-side call to tcp_to_tls/2 |
42 |
|
verify_mode := peer | selfsigned_peer | none, |
43 |
|
certfile => string(), |
44 |
|
cacertfile => string(), |
45 |
|
ciphers => string(), |
46 |
|
dhfile => string(), % server-only |
47 |
|
|
48 |
|
%% only for just_tls |
49 |
|
disconnect_on_failure => boolean(), |
50 |
|
keyfile => string(), |
51 |
|
password => string(), |
52 |
|
versions => [atom()], |
53 |
|
server_name_indication => sni_options(), % client-only |
54 |
|
|
55 |
|
% only for fast_tls |
56 |
|
protocol_options => [string()]}. |
57 |
|
|
58 |
|
-type sni_options() :: #{enabled := boolean, |
59 |
|
protocol := default | https, |
60 |
|
host => string()}. |
61 |
|
|
62 |
|
-export_type([options/0, |
63 |
|
tls_socket/0, |
64 |
|
cert/0]). |
65 |
|
|
66 |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
67 |
|
%% behaviour definition |
68 |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
69 |
|
-callback tcp_to_tls(inet:socket(), options()) -> {ok, tls_socket()} | {error, any()}. |
70 |
|
|
71 |
|
-callback send(tls_socket(), binary()) -> ok | {error , any()}. |
72 |
|
|
73 |
|
-callback recv_data(tls_socket(), binary()) -> {ok, binary()} | {error, any()}. |
74 |
|
|
75 |
|
-callback controlling_process(tls_socket(), pid()) -> ok | {error, any()}. |
76 |
|
|
77 |
|
-callback sockname(tls_socket()) -> {ok, mongoose_transport:peer()} | |
78 |
|
{error, any()}. |
79 |
|
|
80 |
|
-callback peername(tls_socket()) -> {ok, mongoose_transport:peer()} | |
81 |
|
{error, any()}. |
82 |
|
|
83 |
|
-callback setopts(tls_socket(), Opts::list()) -> ok | {error, any()}. |
84 |
|
|
85 |
|
-callback get_peer_certificate(tls_socket()) -> cert(). |
86 |
|
|
87 |
|
-callback close(tls_socket()) -> ok. |
88 |
|
|
89 |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
90 |
|
%% socket type definition |
91 |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
92 |
|
|
93 |
|
-record(mongoose_tls_socket, {tls_module :: module(), |
94 |
|
tcp_socket :: inet:socket(), |
95 |
|
tls_socket :: tls_socket(), |
96 |
|
tls_opts :: options(), |
97 |
|
has_cert :: boolean() |
98 |
|
}). |
99 |
|
|
100 |
|
-type socket() :: #mongoose_tls_socket{}. |
101 |
|
|
102 |
|
-export_type([socket/0]). |
103 |
|
|
104 |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
105 |
|
%% APIs |
106 |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
107 |
|
|
108 |
|
-spec tcp_to_tls(inet:socket(), options()) -> {ok, socket()} | {error, any()}. |
109 |
|
tcp_to_tls(TCPSocket, Opts) -> |
110 |
39 |
Module = maps:get(module, Opts, fast_tls), |
111 |
39 |
PreparedOpts = prepare_options(Module, maps:remove(module, Opts)), |
112 |
39 |
case Module:tcp_to_tls(TCPSocket, PreparedOpts) of |
113 |
|
{ok, TLSSocket} -> |
114 |
39 |
HasCert = has_peer_cert(Opts), |
115 |
39 |
{ok, #mongoose_tls_socket{tls_module = Module, |
116 |
|
tcp_socket = TCPSocket, |
117 |
|
tls_socket = TLSSocket, |
118 |
|
tls_opts = Opts, |
119 |
|
has_cert = HasCert}}; |
120 |
:-( |
Error -> Error |
121 |
|
end. |
122 |
|
|
123 |
|
-spec prepare_options(module(), options()) -> any(). |
124 |
|
prepare_options(fast_tls, Opts) -> |
125 |
|
%% fast_tls is an external library and its API cannot use Opts directly |
126 |
1739 |
lists:flatmap(fun({K, V}) -> fast_tls_opt(K, V) end, maps:to_list(Opts)); |
127 |
|
prepare_options(_Module, Opts) -> |
128 |
:-( |
Opts. |
129 |
|
|
130 |
593 |
fast_tls_opt(connect, true) -> [connect]; |
131 |
22 |
fast_tls_opt(connect, false) -> []; |
132 |
527 |
fast_tls_opt(mode, _) -> []; |
133 |
1739 |
fast_tls_opt(verify_mode, peer) -> []; |
134 |
:-( |
fast_tls_opt(verify_mode, none) -> [verify_none]; |
135 |
1681 |
fast_tls_opt(cacertfile, File) -> [{cafile, File}]; |
136 |
368 |
fast_tls_opt(dhfile, File) -> [{dhfile, File}]; |
137 |
1739 |
fast_tls_opt(certfile, File) -> [{certfile, File}]; |
138 |
1739 |
fast_tls_opt(ciphers, Ciphers) -> [{ciphers, Ciphers}]; |
139 |
1722 |
fast_tls_opt(protocol_options, ProtoOpts) -> [{protocol_options, string:join(ProtoOpts, "|")}]. |
140 |
|
|
141 |
|
default_ciphers() -> |
142 |
491 |
"TLSv1.2:TLSv1.3". |
143 |
|
|
144 |
|
-spec send(socket(), binary()) -> ok | {error, any()}. |
145 |
129 |
send(#mongoose_tls_socket{tls_module = M, tls_socket = S}, B) -> M:send(S, B). |
146 |
|
|
147 |
|
-spec recv_data(socket(), binary()) -> {ok, binary()} | {error, any()}. |
148 |
258 |
recv_data(#mongoose_tls_socket{tls_module = M, tls_socket = S}, B) -> M:recv_data(S, B). |
149 |
|
|
150 |
|
-spec controlling_process(socket(), pid()) -> ok | {error, any()}. |
151 |
|
controlling_process(#mongoose_tls_socket{tls_module = M, tls_socket = S}, Pid) -> |
152 |
:-( |
M:controlling_process(S, Pid). |
153 |
|
|
154 |
|
-spec sockname(socket()) -> {ok, mongoose_transport:peer()} | {error, any()}. |
155 |
:-( |
sockname(#mongoose_tls_socket{tls_module = M, tls_socket = S}) -> M:sockname(S). |
156 |
|
|
157 |
|
-spec peername(socket()) -> {ok, mongoose_transport:peer()} | {error, any()}. |
158 |
258 |
peername(#mongoose_tls_socket{tls_module = M, tls_socket = S}) -> M:peername(S). |
159 |
|
|
160 |
|
-spec setopts(socket(), Opts::list()) -> ok | {error, any()}. |
161 |
258 |
setopts(#mongoose_tls_socket{tls_module = M, tls_socket = S}, Opts) -> M:setopts(S, Opts). |
162 |
|
|
163 |
|
-spec get_peer_certificate(socket()) -> cert(). |
164 |
|
get_peer_certificate(#mongoose_tls_socket{has_cert = false}) -> |
165 |
:-( |
no_peer_cert; |
166 |
|
get_peer_certificate(#mongoose_tls_socket{tls_module = just_tls, tls_socket = S}) -> |
167 |
:-( |
just_tls:get_peer_certificate(S); |
168 |
|
get_peer_certificate(#mongoose_tls_socket{tls_module = fast_tls, tls_socket = S, |
169 |
|
tls_opts = TLSOpts}) -> |
170 |
25 |
case {fast_tls:get_verify_result(S), fast_tls:get_peer_certificate(S)} of |
171 |
10 |
{0, {ok, Cert}} -> {ok, Cert}; |
172 |
|
{Error, {ok, Cert}} -> |
173 |
15 |
maybe_allow_selfsigned(Error, Cert, TLSOpts); |
174 |
:-( |
{_, error} -> no_peer_cert |
175 |
|
end. |
176 |
|
|
177 |
|
-spec close(socket()) -> ok. |
178 |
39 |
close(#mongoose_tls_socket{tls_module = M, tls_socket = S}) -> M:close(S). |
179 |
|
|
180 |
|
-spec get_sockmod(socket()) -> module(). |
181 |
:-( |
get_sockmod(#mongoose_tls_socket{tls_module = Module}) -> Module. |
182 |
|
|
183 |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
184 |
|
%% local functions |
185 |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
186 |
|
-spec has_peer_cert(options()) -> boolean(). |
187 |
|
has_peer_cert(#{connect := true}) -> |
188 |
17 |
true; % server always provides cert |
189 |
|
has_peer_cert(#{verify_mode := VerifyMode}) -> |
190 |
22 |
VerifyMode =/= none. % client provides cert only when requested |
191 |
|
|
192 |
|
%% 18 is OpenSSL's and fast_tls's error code for self-signed certs |
193 |
|
maybe_allow_selfsigned(18, Cert, #{verify_mode := selfsigned_peer}) -> |
194 |
:-( |
{ok, Cert}; |
195 |
|
maybe_allow_selfsigned(Error, Cert, _SSLOpts) -> |
196 |
15 |
cert_verification_error(Error, Cert). |
197 |
|
|
198 |
|
cert_verification_error(Error, Cert) -> |
199 |
15 |
{bad_cert, fast_tls:get_cert_verify_string(Error, Cert)}. |