2004-07-25 23:27:56 +02:00
|
|
|
%%%----------------------------------------------------------------------
|
|
|
|
%%% File : tls.erl
|
2007-12-24 14:57:53 +01:00
|
|
|
%%% Author : Alexey Shchepin <alexey@process-one.net>
|
2004-07-25 23:27:56 +02:00
|
|
|
%%% Purpose : Interface to openssl
|
2007-12-24 14:57:53 +01:00
|
|
|
%%% Created : 24 Jul 2004 by Alexey Shchepin <alexey@process-one.net>
|
|
|
|
%%%
|
|
|
|
%%%
|
2010-01-12 17:11:32 +01:00
|
|
|
%%% ejabberd, Copyright (C) 2002-2010 ProcessOne
|
2007-12-24 14:57:53 +01:00
|
|
|
%%%
|
|
|
|
%%% This program is free software; you can redistribute it and/or
|
|
|
|
%%% modify it under the terms of the GNU General Public License as
|
|
|
|
%%% published by the Free Software Foundation; either version 2 of the
|
|
|
|
%%% License, or (at your option) any later version.
|
|
|
|
%%%
|
|
|
|
%%% This program is distributed in the hope that it will be useful,
|
|
|
|
%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
%%% General Public License for more details.
|
2009-01-12 15:44:42 +01:00
|
|
|
%%%
|
2007-12-24 14:57:53 +01:00
|
|
|
%%% You should have received a copy of the GNU General Public License
|
|
|
|
%%% along with this program; if not, write to the Free Software
|
|
|
|
%%% Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
|
|
|
|
%%% 02111-1307 USA
|
|
|
|
%%%
|
2004-07-25 23:27:56 +02:00
|
|
|
%%%----------------------------------------------------------------------
|
|
|
|
|
|
|
|
-module(tls).
|
2007-12-24 14:57:53 +01:00
|
|
|
-author('alexey@process-one.net').
|
2004-07-25 23:27:56 +02:00
|
|
|
|
|
|
|
-behaviour(gen_server).
|
|
|
|
|
2004-07-27 00:37:24 +02:00
|
|
|
-export([start/0, start_link/0,
|
|
|
|
tcp_to_tls/2, tls_to_tcp/1,
|
|
|
|
send/2,
|
2004-08-01 22:12:20 +02:00
|
|
|
recv/2, recv/3, recv_data/2,
|
2006-01-13 02:55:20 +01:00
|
|
|
setopts/2,
|
2006-10-19 06:46:24 +02:00
|
|
|
sockname/1, peername/1,
|
2006-01-13 02:55:20 +01:00
|
|
|
controlling_process/2,
|
2004-07-27 00:37:24 +02:00
|
|
|
close/1,
|
2005-11-03 06:04:54 +01:00
|
|
|
get_peer_certificate/1,
|
|
|
|
get_verify_result/1,
|
2004-07-27 00:37:24 +02:00
|
|
|
test/0]).
|
2004-07-25 23:27:56 +02:00
|
|
|
|
|
|
|
%% Internal exports, call-back functions.
|
|
|
|
-export([init/1,
|
|
|
|
handle_call/3,
|
|
|
|
handle_cast/2,
|
|
|
|
handle_info/2,
|
|
|
|
code_change/3,
|
|
|
|
terminate/2]).
|
|
|
|
|
2008-03-21 15:44:16 +01:00
|
|
|
-include("ejabberd.hrl").
|
|
|
|
|
2005-10-25 03:08:37 +02:00
|
|
|
-define(SET_CERTIFICATE_FILE_ACCEPT, 1).
|
|
|
|
-define(SET_CERTIFICATE_FILE_CONNECT, 2).
|
|
|
|
-define(SET_ENCRYPTED_INPUT, 3).
|
|
|
|
-define(SET_DECRYPTED_OUTPUT, 4).
|
|
|
|
-define(GET_ENCRYPTED_OUTPUT, 5).
|
|
|
|
-define(GET_DECRYPTED_INPUT, 6).
|
2005-11-03 06:04:54 +01:00
|
|
|
-define(GET_PEER_CERTIFICATE, 7).
|
|
|
|
-define(GET_VERIFY_RESULT, 8).
|
2009-01-05 18:21:10 +01:00
|
|
|
-define(VERIFY_NONE, 16#10000).
|
2004-07-25 23:27:56 +02:00
|
|
|
|
2010-07-09 20:02:29 +02:00
|
|
|
-ifdef(SSL40).
|
|
|
|
-define(CERT_DECODE, {public_key, pkix_decode_cert, plain}).
|
|
|
|
-else.
|
|
|
|
-define(CERT_DECODE, {ssl_pkix, decode_cert, [pkix]}).
|
|
|
|
-endif.
|
|
|
|
|
|
|
|
|
2004-07-26 18:45:38 +02:00
|
|
|
-record(tlssock, {tcpsock, tlsport}).
|
2004-07-25 23:27:56 +02:00
|
|
|
|
|
|
|
start() ->
|
|
|
|
gen_server:start({local, ?MODULE}, ?MODULE, [], []).
|
|
|
|
|
|
|
|
start_link() ->
|
|
|
|
gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).
|
|
|
|
|
|
|
|
init([]) ->
|
2005-10-25 04:19:01 +02:00
|
|
|
case erl_ddll:load_driver(ejabberd:get_so_path(), tls_drv) of
|
|
|
|
ok -> ok;
|
|
|
|
{error, already_loaded} -> ok
|
|
|
|
end,
|
2004-07-25 23:27:56 +02:00
|
|
|
Port = open_port({spawn, tls_drv}, [binary]),
|
2005-10-25 03:08:37 +02:00
|
|
|
Res = port_control(Port, ?SET_CERTIFICATE_FILE_ACCEPT, "./ssl.pem" ++ [0]),
|
2004-07-25 23:27:56 +02:00
|
|
|
case Res of
|
2004-07-28 22:08:53 +02:00
|
|
|
<<0>> ->
|
2004-07-25 23:27:56 +02:00
|
|
|
%ets:new(iconv_table, [set, public, named_table]),
|
|
|
|
%ets:insert(iconv_table, {port, Port}),
|
|
|
|
{ok, Port};
|
2004-07-28 22:08:53 +02:00
|
|
|
<<1, Error/binary>> ->
|
|
|
|
{error, binary_to_list(Error)}
|
2004-07-25 23:27:56 +02:00
|
|
|
end.
|
|
|
|
|
|
|
|
|
|
|
|
%%% --------------------------------------------------------
|
|
|
|
%%% The call-back functions.
|
|
|
|
%%% --------------------------------------------------------
|
|
|
|
|
|
|
|
handle_call(_, _, State) ->
|
|
|
|
{noreply, State}.
|
|
|
|
|
|
|
|
handle_cast(_, State) ->
|
|
|
|
{noreply, State}.
|
|
|
|
|
|
|
|
handle_info({'EXIT', Port, Reason}, Port) ->
|
|
|
|
{stop, {port_died, Reason}, Port};
|
2005-11-03 06:04:54 +01:00
|
|
|
|
|
|
|
handle_info({'EXIT', _Pid, _Reason}, Port) ->
|
|
|
|
{noreply, Port};
|
|
|
|
|
2004-07-25 23:27:56 +02:00
|
|
|
handle_info(_, State) ->
|
|
|
|
{noreply, State}.
|
|
|
|
|
2005-11-03 06:04:54 +01:00
|
|
|
code_change(_OldVsn, State, _Extra) ->
|
2004-07-25 23:27:56 +02:00
|
|
|
{ok, State}.
|
|
|
|
|
|
|
|
terminate(_Reason, Port) ->
|
|
|
|
Port ! {self, close},
|
|
|
|
ok.
|
|
|
|
|
|
|
|
|
2004-07-26 18:45:38 +02:00
|
|
|
tcp_to_tls(TCPSocket, Options) ->
|
|
|
|
case lists:keysearch(certfile, 1, Options) of
|
|
|
|
{value, {certfile, CertFile}} ->
|
2005-10-25 04:19:01 +02:00
|
|
|
case erl_ddll:load_driver(ejabberd:get_so_path(), tls_drv) of
|
|
|
|
ok -> ok;
|
|
|
|
{error, already_loaded} -> ok
|
|
|
|
end,
|
2004-07-26 18:45:38 +02:00
|
|
|
Port = open_port({spawn, tls_drv}, [binary]),
|
2009-01-05 18:21:10 +01:00
|
|
|
Flags =
|
|
|
|
case lists:member(verify_none, Options) of
|
|
|
|
true ->
|
|
|
|
?VERIFY_NONE;
|
|
|
|
false ->
|
|
|
|
0
|
|
|
|
end,
|
2005-10-25 03:08:37 +02:00
|
|
|
Command = case lists:member(connect, Options) of
|
|
|
|
true ->
|
|
|
|
?SET_CERTIFICATE_FILE_CONNECT;
|
|
|
|
false ->
|
|
|
|
?SET_CERTIFICATE_FILE_ACCEPT
|
|
|
|
end,
|
2009-01-05 18:21:10 +01:00
|
|
|
case port_control(Port, Command bor Flags, CertFile ++ [0]) of
|
2004-07-28 22:08:53 +02:00
|
|
|
<<0>> ->
|
2004-07-26 18:45:38 +02:00
|
|
|
{ok, #tlssock{tcpsock = TCPSocket, tlsport = Port}};
|
2004-07-28 22:08:53 +02:00
|
|
|
<<1, Error/binary>> ->
|
|
|
|
{error, binary_to_list(Error)}
|
2004-07-26 18:45:38 +02:00
|
|
|
end;
|
|
|
|
false ->
|
|
|
|
{error, no_certfile}
|
|
|
|
end.
|
|
|
|
|
|
|
|
tls_to_tcp(#tlssock{tcpsock = TCPSocket, tlsport = Port}) ->
|
|
|
|
port_close(Port),
|
|
|
|
TCPSocket.
|
|
|
|
|
|
|
|
recv(Socket, Length) ->
|
|
|
|
recv(Socket, Length, infinity).
|
2005-11-03 06:04:54 +01:00
|
|
|
recv(#tlssock{tcpsock = TCPSocket} = TLSSock,
|
2010-10-22 19:51:23 +02:00
|
|
|
_Length, Timeout) ->
|
|
|
|
%% The Length argument cannot be used for gen_tcp:recv/3, because the
|
|
|
|
%% compressed size does not equal the desired uncompressed one.
|
|
|
|
case gen_tcp:recv(TCPSocket, 0, Timeout) of
|
2004-07-26 18:45:38 +02:00
|
|
|
{ok, Packet} ->
|
2004-08-01 22:12:20 +02:00
|
|
|
recv_data(TLSSock, Packet);
|
|
|
|
{error, _Reason} = Error ->
|
|
|
|
Error
|
|
|
|
end.
|
|
|
|
|
2008-03-03 12:55:19 +01:00
|
|
|
recv_data(TLSSock, Packet) ->
|
|
|
|
case catch recv_data1(TLSSock, Packet) of
|
|
|
|
{'EXIT', Reason} ->
|
|
|
|
{error, Reason};
|
|
|
|
Res ->
|
|
|
|
Res
|
|
|
|
end.
|
|
|
|
|
|
|
|
recv_data1(#tlssock{tcpsock = TCPSocket, tlsport = Port}, Packet) ->
|
2004-08-01 22:12:20 +02:00
|
|
|
case port_control(Port, ?SET_ENCRYPTED_INPUT, Packet) of
|
|
|
|
<<0>> ->
|
|
|
|
case port_control(Port, ?GET_DECRYPTED_INPUT, []) of
|
|
|
|
<<0, In/binary>> ->
|
|
|
|
case port_control(Port, ?GET_ENCRYPTED_OUTPUT, []) of
|
|
|
|
<<0, Out/binary>> ->
|
|
|
|
case gen_tcp:send(TCPSocket, Out) of
|
|
|
|
ok ->
|
2008-03-21 15:44:16 +01:00
|
|
|
%?PRINT("IN: ~p~n", [{TCPSocket, binary_to_list(In)}]),
|
2004-08-01 22:12:20 +02:00
|
|
|
{ok, In};
|
|
|
|
Error ->
|
|
|
|
Error
|
2004-07-27 00:37:24 +02:00
|
|
|
end;
|
2004-07-28 22:08:53 +02:00
|
|
|
<<1, Error/binary>> ->
|
|
|
|
{error, binary_to_list(Error)}
|
2004-07-27 00:37:24 +02:00
|
|
|
end;
|
2004-07-28 22:08:53 +02:00
|
|
|
<<1, Error/binary>> ->
|
|
|
|
{error, binary_to_list(Error)}
|
2004-07-27 00:37:24 +02:00
|
|
|
end;
|
2004-08-01 22:12:20 +02:00
|
|
|
<<1, Error/binary>> ->
|
|
|
|
{error, binary_to_list(Error)}
|
2004-07-26 18:45:38 +02:00
|
|
|
end.
|
2004-07-28 22:08:53 +02:00
|
|
|
|
2010-10-22 19:35:25 +02:00
|
|
|
send(#tlssock{tcpsock = TCPSocket, tlsport = Port} = TLSSock, Packet) ->
|
2004-07-27 00:37:24 +02:00
|
|
|
case port_control(Port, ?SET_DECRYPTED_OUTPUT, Packet) of
|
2004-07-28 22:08:53 +02:00
|
|
|
<<0>> ->
|
2008-03-21 15:44:16 +01:00
|
|
|
%?PRINT("OUT: ~p~n", [{TCPSocket, lists:flatten(Packet)}]),
|
2004-07-27 00:37:24 +02:00
|
|
|
case port_control(Port, ?GET_ENCRYPTED_OUTPUT, []) of
|
2004-07-28 22:08:53 +02:00
|
|
|
<<0, Out/binary>> ->
|
2004-07-27 00:37:24 +02:00
|
|
|
gen_tcp:send(TCPSocket, Out);
|
2004-07-28 22:08:53 +02:00
|
|
|
<<1, Error/binary>> ->
|
|
|
|
{error, binary_to_list(Error)}
|
2004-07-27 00:37:24 +02:00
|
|
|
end;
|
2004-07-28 22:08:53 +02:00
|
|
|
<<1, Error/binary>> ->
|
2005-10-25 03:08:37 +02:00
|
|
|
{error, binary_to_list(Error)};
|
|
|
|
<<2>> -> % Dirty hack
|
2005-11-03 06:04:54 +01:00
|
|
|
receive
|
|
|
|
{timeout, _Timer, _} ->
|
|
|
|
{error, timeout}
|
|
|
|
after 100 ->
|
2010-10-22 19:35:25 +02:00
|
|
|
send(TLSSock, Packet)
|
2005-11-03 06:04:54 +01:00
|
|
|
end
|
2004-07-27 00:37:24 +02:00
|
|
|
end.
|
2004-07-25 23:27:56 +02:00
|
|
|
|
2004-07-27 00:37:24 +02:00
|
|
|
|
2006-01-13 02:55:20 +01:00
|
|
|
setopts(#tlssock{tcpsock = TCPSocket}, Opts) ->
|
|
|
|
inet:setopts(TCPSocket, Opts).
|
|
|
|
|
2006-10-19 06:46:24 +02:00
|
|
|
sockname(#tlssock{tcpsock = TCPSocket}) ->
|
|
|
|
inet:sockname(TCPSocket).
|
|
|
|
|
|
|
|
peername(#tlssock{tcpsock = TCPSocket}) ->
|
|
|
|
inet:peername(TCPSocket).
|
|
|
|
|
2006-01-13 02:55:20 +01:00
|
|
|
controlling_process(#tlssock{tcpsock = TCPSocket}, Pid) ->
|
|
|
|
gen_tcp:controlling_process(TCPSocket, Pid).
|
|
|
|
|
2004-07-27 00:37:24 +02:00
|
|
|
close(#tlssock{tcpsock = TCPSocket, tlsport = Port}) ->
|
|
|
|
gen_tcp:close(TCPSocket),
|
|
|
|
port_close(Port).
|
2004-07-25 23:27:56 +02:00
|
|
|
|
2005-11-03 06:04:54 +01:00
|
|
|
get_peer_certificate(#tlssock{tlsport = Port}) ->
|
|
|
|
case port_control(Port, ?GET_PEER_CERTIFICATE, []) of
|
|
|
|
<<0, BCert/binary>> ->
|
2010-07-09 20:02:29 +02:00
|
|
|
{CertMod, CertFun, CertSecondArg} = ?CERT_DECODE,
|
|
|
|
case catch apply(CertMod, CertFun, [BCert, CertSecondArg]) of
|
2005-11-03 06:04:54 +01:00
|
|
|
{ok, Cert} ->
|
|
|
|
{ok, Cert};
|
|
|
|
_ ->
|
|
|
|
error
|
|
|
|
end;
|
|
|
|
<<1>> ->
|
|
|
|
error
|
|
|
|
end.
|
|
|
|
|
|
|
|
get_verify_result(#tlssock{tlsport = Port}) ->
|
|
|
|
<<Res>> = port_control(Port, ?GET_VERIFY_RESULT, []),
|
|
|
|
Res.
|
|
|
|
|
2004-07-25 23:27:56 +02:00
|
|
|
|
|
|
|
test() ->
|
2005-10-25 04:19:01 +02:00
|
|
|
case erl_ddll:load_driver(ejabberd:get_so_path(), tls_drv) of
|
|
|
|
ok -> ok;
|
|
|
|
{error, already_loaded} -> ok
|
|
|
|
end,
|
2004-07-25 23:27:56 +02:00
|
|
|
Port = open_port({spawn, tls_drv}, [binary]),
|
2008-03-21 15:44:16 +01:00
|
|
|
?PRINT("open_port: ~p~n", [Port]),
|
2005-10-25 03:08:37 +02:00
|
|
|
PCRes = port_control(Port, ?SET_CERTIFICATE_FILE_ACCEPT,
|
|
|
|
"./ssl.pem" ++ [0]),
|
2008-03-21 15:44:16 +01:00
|
|
|
?PRINT("port_control: ~p~n", [PCRes]),
|
2004-07-25 23:27:56 +02:00
|
|
|
{ok, ListenSocket} = gen_tcp:listen(1234, [binary,
|
|
|
|
{packet, 0},
|
|
|
|
{active, true},
|
|
|
|
{reuseaddr, true},
|
|
|
|
{nodelay, true}]),
|
2008-03-21 15:44:16 +01:00
|
|
|
?PRINT("listen: ~p~n", [ListenSocket]),
|
2004-07-25 23:27:56 +02:00
|
|
|
{ok, Socket} = gen_tcp:accept(ListenSocket),
|
2008-03-21 15:44:16 +01:00
|
|
|
?PRINT("accept: ~p~n", [Socket]),
|
2004-07-25 23:27:56 +02:00
|
|
|
loop(Port, Socket).
|
|
|
|
|
|
|
|
|
|
|
|
loop(Port, Socket) ->
|
|
|
|
receive
|
|
|
|
{tcp, Socket, Data} ->
|
2008-03-21 15:44:16 +01:00
|
|
|
%?PRINT("read: ~p~n", [Data]),
|
2004-07-25 23:27:56 +02:00
|
|
|
Res = port_control(Port, ?SET_ENCRYPTED_INPUT, Data),
|
2008-03-21 15:44:16 +01:00
|
|
|
?PRINT("SET_ENCRYPTED_INPUT: ~p~n", [Res]),
|
2004-07-25 23:27:56 +02:00
|
|
|
|
|
|
|
DIRes = port_control(Port, ?GET_DECRYPTED_INPUT, Data),
|
2008-03-21 15:44:16 +01:00
|
|
|
?PRINT("GET_DECRYPTED_INPUT: ~p~n", [DIRes]),
|
2004-07-25 23:27:56 +02:00
|
|
|
case DIRes of
|
2004-07-28 22:08:53 +02:00
|
|
|
<<0, In/binary>> ->
|
2008-03-21 15:44:16 +01:00
|
|
|
?PRINT("input: ~s~n", [binary_to_list(In)]);
|
2004-07-28 22:08:53 +02:00
|
|
|
<<1, DIError/binary>> ->
|
2008-03-21 15:44:16 +01:00
|
|
|
?PRINT("GET_DECRYPTED_INPUT error: ~p~n", [binary_to_list(DIError)])
|
2004-07-25 23:27:56 +02:00
|
|
|
end,
|
|
|
|
|
|
|
|
EORes = port_control(Port, ?GET_ENCRYPTED_OUTPUT, Data),
|
2008-03-21 15:44:16 +01:00
|
|
|
?PRINT("GET_ENCRYPTED_OUTPUT: ~p~n", [EORes]),
|
2004-07-25 23:27:56 +02:00
|
|
|
case EORes of
|
2004-07-28 22:08:53 +02:00
|
|
|
<<0, Out/binary>> ->
|
2004-07-25 23:27:56 +02:00
|
|
|
gen_tcp:send(Socket, Out);
|
2004-07-28 22:08:53 +02:00
|
|
|
<<1, EOError/binary>> ->
|
2008-03-21 15:44:16 +01:00
|
|
|
?PRINT("GET_ENCRYPTED_OUTPUT error: ~p~n", [binary_to_list(EOError)])
|
2004-07-25 23:27:56 +02:00
|
|
|
end,
|
|
|
|
|
|
|
|
|
|
|
|
loop(Port, Socket);
|
|
|
|
Msg ->
|
2008-03-21 15:44:16 +01:00
|
|
|
?PRINT("receive: ~p~n", [Msg]),
|
2004-07-25 23:27:56 +02:00
|
|
|
loop(Port, Socket)
|
|
|
|
end.
|
|
|
|
|
|
|
|
|