From db509dd5debcd72d7f1d024d289315274f9b788b Mon Sep 17 00:00:00 2001
From: Qijiang Fan <fqj1994@gmail.com>
Date: Thu, 16 Apr 2015 22:25:57 +0800
Subject: ssl: add option sni_fun

The newly added function sni_fun allows dynamic update of SSL options
like keys and certificates depending on different SNI hostname, rather
than a predefined rules of SSL options.
---
 lib/ssl/src/ssl.erl            | 19 ++++++++++++++++++-
 lib/ssl/src/ssl_internal.hrl   |  1 +
 lib/ssl/src/tls_connection.erl | 20 +++++++++++++-------
 3 files changed, 32 insertions(+), 8 deletions(-)

(limited to 'lib/ssl/src')

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 956c699c45..9f76612ee3 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -700,6 +700,7 @@ handle_options(Opts0) ->
 		    log_alert = handle_option(log_alert, Opts, true),
 		    server_name_indication = handle_option(server_name_indication, Opts, undefined),
 		    sni_hosts = handle_option(sni_hosts, Opts, []),
+		    sni_fun = handle_option(sni_fun, Opts, {}),
 		    honor_cipher_order = handle_option(honor_cipher_order, Opts, false),
 		    protocol = proplists:get_value(protocol, Opts, tls),
 		    padding_check =  proplists:get_value(padding_check, Opts, true),
@@ -716,7 +717,7 @@ handle_options(Opts0) ->
 		  user_lookup_fun, psk_identity, srp_identity, ciphers,
 		  reuse_session, reuse_sessions, ssl_imp,
 		  cb_info, renegotiate_at, secure_renegotiate, hibernate_after,
-		  erl_dist, alpn_advertised_protocols, sni_hosts,
+		  erl_dist, alpn_advertised_protocols, sni_hosts, sni_fun,
 		  alpn_preferred_protocols, next_protocols_advertised,
 		  client_preferred_next_protocols, log_alert,
 		  server_name_indication, honor_cipher_order, padding_check, crl_check, crl_cache,
@@ -733,6 +734,18 @@ handle_options(Opts0) ->
 		 inet_user = SockOpts, transport_info = CbInfo, connection_cb = ConnetionCb
 		}}.
 
+handle_option(sni_fun, Opts, Default) ->
+    OptFun = validate_option(sni_fun,
+                             proplists:get_value(sni_fun, Opts, Default)),
+    OptHosts = proplists:get_value(sni_hosts, Opts, undefined),
+    case {OptFun, OptHosts} of
+        {Default, _} ->
+            Default;
+        {_, undefined} ->
+            OptFun;
+        _ ->
+            throw({error, {conflict_options, [sni_fun, sni_hosts]}})
+    end;
 handle_option(OptionName, Opts, Default) ->
     validate_option(OptionName,
 		    proplists:get_value(OptionName, Opts, Default)).
@@ -920,6 +933,10 @@ validate_option(sni_hosts, [{Hostname, SSLOptions} | Tail]) when is_list(Hostnam
 		_ ->
 			throw({error, {options, {sni_hosts, RecursiveSNIOptions}}})
 	end;
+validate_option(sni_fun, {}) ->
+    {};
+validate_option(sni_fun, Fun) when is_function(Fun) ->
+    Fun;
 validate_option(honor_cipher_order, Value) when is_boolean(Value) ->
     Value;
 validate_option(padding_check, Value) when is_boolean(Value) ->
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index e285f48202..b6b4fc44df 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -123,6 +123,7 @@
 	  log_alert             :: boolean(),
 	  server_name_indication = undefined,
 	  sni_hosts  :: [{inet:hostname(), [tuple()]}],
+	  sni_fun :: function(),
 	  %% Should the server prefer its own cipher order over the one provided by
 	  %% the client?
 	  honor_cipher_order = false :: boolean(),
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index d804d7ad37..1ee47f28b1 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -400,12 +400,19 @@ initial_state(Role, Host, Port, Socket, {SSLOptions, SocketOptions, Tracker}, Us
 
 
 update_ssl_options_from_sni(OrigSSLOptions, SNIHostname) ->
-	case proplists:get_value(SNIHostname, OrigSSLOptions#ssl_options.sni_hosts) of
-		undefined ->
-			undefined;
-		SSLOption ->
-			ssl:handle_options(SSLOption, OrigSSLOptions)
-	end.
+    SSLOption = 
+    case OrigSSLOptions#ssl_options.sni_fun of
+        {} ->
+            proplists:get_value(SNIHostname, OrigSSLOptions#ssl_options.sni_hosts);
+        SNIFun ->
+            SNIFun(SNIHostname)
+    end,
+    case SSLOption of
+        undefined ->
+            undefined;
+        _ ->
+            ssl:handle_options(SSLOption, OrigSSLOptions)
+    end.
 
 next_state(Current,_, #alert{} = Alert, #state{negotiated_version = Version} = State) ->
     handle_own_alert(Alert, Version, Current, State);
@@ -454,7 +461,6 @@ next_state(Current, Next, #ssl_tls{type = ?HANDSHAKE, fragment = Data},
                          undefined ->
                              State0;
                          #sni{hostname = Hostname} ->
-                             OrigSSLOptions = State0#state.ssl_options,
                              NewOptions = update_ssl_options_from_sni(State0#state.ssl_options, Hostname),
                              case NewOptions of
                                  undefined ->
-- 
cgit v1.2.3