diff options
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | ebin/ranch.app | 2 | ||||
-rw-r--r-- | src/ranch_proxy_header.erl | 561 |
3 files changed, 566 insertions, 1 deletions
@@ -33,6 +33,10 @@ AUTO_CI_WINDOWS ?= OTP-18+ include erlang.mk +# Compile options. + +TEST_ERLC_OPTS += +'{parse_transform, eunit_autoexport}' + # Dialyze the tests. DIALYZER_OPTS += --src -r test diff --git a/ebin/ranch.app b/ebin/ranch.app index aab5626..0c5bf36 100644 --- a/ebin/ranch.app +++ b/ebin/ranch.app @@ -1,7 +1,7 @@ {application, 'ranch', [ {description, "Socket acceptor pool for TCP protocols."}, {vsn, "1.6.2"}, - {modules, ['ranch','ranch_acceptor','ranch_acceptors_sup','ranch_app','ranch_conns_sup','ranch_listener_sup','ranch_protocol','ranch_server','ranch_ssl','ranch_sup','ranch_tcp','ranch_transport']}, + {modules, ['ranch','ranch_acceptor','ranch_acceptors_sup','ranch_app','ranch_conns_sup','ranch_listener_sup','ranch_protocol','ranch_proxy_header','ranch_server','ranch_ssl','ranch_sup','ranch_tcp','ranch_transport']}, {registered, [ranch_sup,ranch_server]}, {applications, [kernel,stdlib,ssl]}, {mod, {ranch_app, []}}, diff --git a/src/ranch_proxy_header.erl b/src/ranch_proxy_header.erl new file mode 100644 index 0000000..0397b70 --- /dev/null +++ b/src/ranch_proxy_header.erl @@ -0,0 +1,561 @@ +%% Copyright (c) 2018, Loïc Hoguin <[email protected]> +%% +%% Permission to use, copy, modify, and/or distribute this software for any +%% purpose with or without fee is hereby granted, provided that the above +%% copyright notice and this permission notice appear in all copies. +%% +%% THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +%% WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +%% MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +%% ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +%% WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +%% ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +%% OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +-module(ranch_proxy_header). + +-export([parse/1]). + +-type proxy_info() :: #{ + %% Mandatory part. + version := 1 | 2, + command := local | proxy, + transport_family => undefined | ipv4 | ipv6 | unix, + transport_protocol => undefined | stream | dgram, + %% Addresses. + src_address => inet:ip_address() | binary(), + src_port => inet:port_number(), + dest_address => inet:ip_address() | binary(), + dest_port => inet:port_number(), + %% Extra TLV-encoded data. + alpn => binary(), %% US-ASCII. + authority => binary(), %% UTF-8. + ssl => #{ + client := [ssl | cert_conn | cert_sess], + verified := boolean(), + version => binary(), %% US-ASCII. + cipher => binary(), %% US-ASCII. + sig_alg => binary(), %% US-ASCII. + key_alg => binary(), %% US-ASCII. + cn => binary() %% UTF-8. + }, + netns => binary(), %% US-ASCII. + %% Unknown TLVs can't be parsed so the raw data is given. + raw_tlvs => [{0..255, binary()}] +}. +-export_type([proxy_info/0]). + +-spec parse(Data) -> {ok, proxy_info(), Data} | {error, atom()} when Data::binary(). +parse(<<"\r\n\r\n\0\r\nQUIT\n", Rest/bits>>) -> + parse_v2(Rest); +parse(<<"PROXY ", Rest/bits>>) -> + parse_v1(Rest); +parse(_) -> + {error, 'The PROXY protocol header signature was not recognized. (PP 2.1, PP 2.2)'}. + +-ifdef(TEST). +parse_unrecognized_header_test() -> + {error, _} = parse(<<"GET / HTTP/1.1\r\n">>), + ok. +-endif. + +%% Human-readable header format (Version 1). +parse_v1(<<"TCP4 ", Rest/bits>>) -> + parse_v1(Rest, ipv4); +parse_v1(<<"TCP6 ", Rest/bits>>) -> + parse_v1(Rest, ipv6); +parse_v1(<<"UNKNOWN\r\n", Rest/bits>>) -> + {ok, #{ + version => 1, + command => proxy, + transport_family => undefined, + transport_protocol => undefined + }, Rest}; +parse_v1(<<"UNKNOWN ", Rest0/bits>>) -> + case binary:split(Rest0, <<"\r\n">>) of + [_, Rest] -> + {ok, #{ + version => 1, + command => proxy, + transport_family => undefined, + transport_protocol => undefined + }, Rest}; + [_] -> + {error, 'Malformed or incomplete PROXY protocol header line. (PP 2.1)'} + end; +parse_v1(_) -> + {error, 'The INET protocol and family string was not recognized. (PP 2.1)'}. + +parse_v1(Rest0, Family) -> + try + {ok, SrcAddr, Rest1} = parse_ip(Rest0, Family), + {ok, DestAddr, Rest2} = parse_ip(Rest1, Family), + {ok, SrcPort, Rest3} = parse_port(Rest2, $\s), + {ok, DestPort, Rest4} = parse_port(Rest3, $\r), + <<"\n", Rest/bits>> = Rest4, + {ok, #{ + version => 1, + command => proxy, + transport_family => Family, + transport_protocol => stream, + src_address => SrcAddr, + src_port => SrcPort, + dest_address => DestAddr, + dest_port => DestPort + }, Rest} + catch + throw:parse_ipv4_error -> + {error, 'Failed to parse an IPv4 address in the PROXY protocol header line. (PP 2.1)'}; + throw:parse_ipv6_error -> + {error, 'Failed to parse an IPv6 address in the PROXY protocol header line. (PP 2.1)'}; + throw:parse_port_error -> + {error, 'Failed to parse a port number in the PROXY protocol header line. (PP 2.1)'}; + _:_ -> + {error, 'Malformed or incomplete PROXY protocol header line. (PP 2.1)'} + end. + +parse_ip(<<Addr:7/binary, $\s, Rest/binary>>, ipv4) -> parse_ipv4(Addr, Rest); +parse_ip(<<Addr:8/binary, $\s, Rest/binary>>, ipv4) -> parse_ipv4(Addr, Rest); +parse_ip(<<Addr:9/binary, $\s, Rest/binary>>, ipv4) -> parse_ipv4(Addr, Rest); +parse_ip(<<Addr:10/binary, $\s, Rest/binary>>, ipv4) -> parse_ipv4(Addr, Rest); +parse_ip(<<Addr:11/binary, $\s, Rest/binary>>, ipv4) -> parse_ipv4(Addr, Rest); +parse_ip(<<Addr:12/binary, $\s, Rest/binary>>, ipv4) -> parse_ipv4(Addr, Rest); +parse_ip(<<Addr:13/binary, $\s, Rest/binary>>, ipv4) -> parse_ipv4(Addr, Rest); +parse_ip(<<Addr:14/binary, $\s, Rest/binary>>, ipv4) -> parse_ipv4(Addr, Rest); +parse_ip(<<Addr:15/binary, $\s, Rest/binary>>, ipv4) -> parse_ipv4(Addr, Rest); +parse_ip(<<Addr:39/binary, $\s, Rest/binary>>, ipv6) -> parse_ipv6(Addr, Rest). + +parse_ipv4(Addr0, Rest) -> + case inet:parse_ipv4strict_address(binary_to_list(Addr0)) of + {ok, Addr} -> {ok, Addr, Rest}; + {error, einval} -> throw(parse_ipv4_error) + end. + +parse_ipv6(Addr0, Rest) -> + case inet:parse_ipv6strict_address(binary_to_list(Addr0)) of + {ok, Addr} -> {ok, Addr, Rest}; + {error, einval} -> throw(parse_ipv6_error) + end. + +parse_port(<<Port:1/binary, C, Rest/bits>>, C) -> parse_port(Port, Rest); +parse_port(<<Port:2/binary, C, Rest/bits>>, C) -> parse_port(Port, Rest); +parse_port(<<Port:3/binary, C, Rest/bits>>, C) -> parse_port(Port, Rest); +parse_port(<<Port:4/binary, C, Rest/bits>>, C) -> parse_port(Port, Rest); +parse_port(<<Port:5/binary, C, Rest/bits>>, C) -> parse_port(Port, Rest); + +parse_port(Port0, Rest) -> + try binary_to_integer(Port0) of + Port when Port >= 0, Port =< 65535 -> + {ok, Port, Rest}; + _ -> + throw(parse_port_error) + catch _:_ -> + throw(parse_port_error) + end. + +-ifdef(TEST). +parse_v1_test() -> + %% Examples taken from the PROXY protocol header specification. + {ok, #{ + version := 1, + command := proxy, + transport_family := ipv4, + transport_protocol := stream, + src_address := {255, 255, 255, 255}, + src_port := 65535, + dest_address := {255, 255, 255, 255}, + dest_port := 65535 + }, <<>>} = parse(<<"PROXY TCP4 255.255.255.255 255.255.255.255 65535 65535\r\n">>), + {ok, #{ + version := 1, + command := proxy, + transport_family := ipv6, + transport_protocol := stream, + src_address := {65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535}, + src_port := 65535, + dest_address := {65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535}, + dest_port := 65535 + }, <<>>} = parse(<<"PROXY TCP6 " + "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff " + "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 65535 65535\r\n">>), + {ok, #{ + version := 1, + command := proxy, + transport_family := undefined, + transport_protocol := undefined + }, <<>>} = parse(<<"PROXY UNKNOWN\r\n">>), + {ok, #{ + version := 1, + command := proxy, + transport_family := undefined, + transport_protocol := undefined + }, <<>>} = parse(<<"PROXY UNKNOWN " + "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff " + "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 65535 65535\r\n">>), + {ok, #{ + version := 1, + command := proxy, + transport_family := ipv4, + transport_protocol := stream, + src_address := {192, 168, 0, 1}, + src_port := 56324, + dest_address := {192, 168, 0, 11}, + dest_port := 443 + }, <<"GET / HTTP/1.1\r\nHost: 192.168.0.11\r\n\r\n">>} = parse(<< + "PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n" + "GET / HTTP/1.1\r\n" + "Host: 192.168.0.11\r\n" + "\r\n">>), + %% Test cases taken from tomciopp/proxy_protocol. + {ok, #{ + version := 1, + command := proxy, + transport_family := ipv4, + transport_protocol := stream, + src_address := {192, 168, 0, 1}, + src_port := 56324, + dest_address := {192, 168, 0, 11}, + dest_port := 443 + }, <<"GET / HTTP/1.1\r">>} = parse(<< + "PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\nGET / HTTP/1.1\r">>), + {error, _} = parse(<<"PROXY TCP4 192.1638.0.1 192.168.0.11 56324 443\r\nGET / HTTP/1.1\r">>), + {error, _} = parse(<<"PROXY TCP4 192.168.0.1 192.168.0.11 1111111 443\r\nGET / HTTP/1.1\r">>), + {ok, #{ + version := 1, + command := proxy, + transport_family := ipv6, + transport_protocol := stream, + src_address := {8193, 3512, 0, 66, 0, 35374, 880, 29492}, + src_port := 4124, + dest_address := {8193, 3512, 0, 66, 0, 35374, 880, 29493}, + dest_port := 443 + }, <<"GET / HTTP/1.1\r">>} = parse(<<"PROXY TCP6 " + "2001:0db8:0000:0042:0000:8a2e:0370:7334 " + "2001:0db8:0000:0042:0000:8a2e:0370:7335 4124 443\r\nGET / HTTP/1.1\r">>), + {error, _} = parse(<<"PROXY TCP6 " + "2001:0db8:0000:0042:0000:8a2e:0370:7334 " + "2001:0db8:00;0:0042:0000:8a2e:0370:7335 4124 443\r\nGET / HTTP/1.1\r">>), + {error, _} = parse(<<"PROXY TCP6 " + "2001:0db8:0000:0042:0000:8a2e:0370:7334 " + "2001:0db8:0000:0042:0000:8a2e:0370:7335 4124 foo\r\nGET / HTTP/1.1\r">>), + {ok, #{ + version := 1, + command := proxy, + transport_family := undefined, + transport_protocol := undefined + }, <<"GET / HTTP/1.1\r">>} = parse(<<"PROXY UNKNOWN 4124 443\r\nGET / HTTP/1.1\r">>), + {ok, #{ + version := 1, + command := proxy, + transport_family := undefined, + transport_protocol := undefined + }, <<"GET / HTTP/1.1\r">>} = parse(<<"PROXY UNKNOWN\r\nGET / HTTP/1.1\r">>), + ok. +-endif. + +%% Binary header format (version 2). + +%% LOCAL. +parse_v2(<<2:4, 0:4, _:8, Len:16, Rest0/bits>>) -> + case Rest0 of + <<_:Len/binary, Rest/bits>> -> + {ok, #{ + version => 2, + command => local + }, Rest}; + _ -> + {error, 'Missing data in the PROXY protocol binary header. (PP 2.2)'} + end; +%% PROXY. +parse_v2(<<2:4, 1:4, Family:4, Protocol:4, Len:16, Rest/bits>>) + when Family =< 3, Protocol =< 2 -> + case Rest of + <<Header:Len/binary, _/bits>> -> + parse_v2(Rest, Len, family(Family), protocol(Protocol), + <<Family:4, Protocol:4, Len:16, Header:Len/binary>>); + _ -> + {error, 'Missing data in the PROXY protocol binary header. (PP 2.2)'} + end; +%% Errors. +parse_v2(<<Version:4, _/bits>>) when Version =/= 2 -> + {error, 'Invalid version in the PROXY protocol binary header. (PP 2.2)'}; +parse_v2(<<_:4, Command:4, _/bits>>) when Command > 1 -> + {error, 'Invalid command in the PROXY protocol binary header. (PP 2.2)'}; +parse_v2(<<_:8, Family:4, _/bits>>) when Family > 3 -> + {error, 'Invalid address family in the PROXY protocol binary header. (PP 2.2)'}; +parse_v2(<<_:12, Protocol:4, _/bits>>) when Protocol > 2 -> + {error, 'Invalid transport protocol in the PROXY protocol binary header. (PP 2.2)'}. + +family(0) -> undefined; +family(1) -> ipv4; +family(2) -> ipv6; +family(3) -> unix. + +protocol(0) -> undefined; +protocol(1) -> stream; +protocol(2) -> dgram. + +parse_v2(Data, Len, Family, Protocol, _) + when Family =:= undefined; Protocol =:= undefined -> + <<_:Len/binary, Rest/bits>> = Data, + {ok, #{ + version => 2, + command => proxy, + %% In case only one value was undefined, we set both explicitly. + %% It doesn't make sense to have only one known value. + transport_family => undefined, + transport_protocol => undefined + }, Rest}; +parse_v2(<< + S1, S2, S3, S4, + D1, D2, D3, D4, + SrcPort:16, DestPort:16, Rest/bits>>, Len, Family=ipv4, Protocol, Header) + when Len >= 12 -> + parse_tlv(Rest, Len - 12, #{ + version => 2, + command => proxy, + transport_family => Family, + transport_protocol => Protocol, + src_address => {S1, S2, S3, S4}, + src_port => SrcPort, + dest_address => {D1, D2, D3, D4}, + dest_port => DestPort + }, Header); +parse_v2(<< + S1:16, S2:16, S3:16, S4:16, S5:16, S6:16, S7:16, S8:16, + D1:16, D2:16, D3:16, D4:16, D5:16, D6:16, D7:16, D8:16, + SrcPort:16, DestPort:16, Rest/bits>>, Len, Family=ipv6, Protocol, Header) + when Len >= 36 -> + parse_tlv(Rest, Len - 36, #{ + version => 2, + command => proxy, + transport_family => Family, + transport_protocol => Protocol, + src_address => {S1, S2, S3, S4, S5, S6, S7, S8}, + src_port => SrcPort, + dest_address => {D1, D2, D3, D4, D5, D6, D7, D8}, + dest_port => DestPort + }, Header); +parse_v2(<<SrcAddr0:108/binary, DestAddr0:108/binary, Rest/bits>>, + Len, Family=unix, Protocol, Header) + when Len >= 216 -> + try + [SrcAddr, _] = binary:split(SrcAddr0, <<0>>), + true = byte_size(SrcAddr) > 0, + [DestAddr, _] = binary:split(DestAddr0, <<0>>), + true = byte_size(DestAddr) > 0, + parse_tlv(Rest, Len - 216, #{ + version => 2, + command => proxy, + transport_family => Family, + transport_protocol => Protocol, + src_address => SrcAddr, + dest_address => DestAddr + }, Header) + catch _:_ -> + {error, 'Invalid UNIX address in PROXY protocol binary header. (PP 2.2)'} + end; +parse_v2(_, _, _, _, _) -> + {error, 'Invalid length in the PROXY protocol binary header. (PP 2.2)'}. + +-ifdef(TEST). +parse_v2_test() -> + %% Test cases taken from tomciopp/proxy_protocol. + {ok, #{ + version := 2, + command := proxy, + transport_family := ipv4, + transport_protocol := stream, + src_address := {127, 0, 0, 1}, + src_port := 444, + dest_address := {192, 168, 0, 1}, + dest_port := 443 + }, <<"GET / HTTP/1.1\r\n">>} = parse(<< + 13, 10, 13, 10, 0, 13, 10, 81, 85, 73, 84, 10, %% Signature. + 33, %% Version and command. + 17, %% Family and protocol. + 0, 12, %% Length. + 127, 0, 0, 1, %% Source address. + 192, 168, 0, 1, %% Destination address. + 1, 188, %% Source port. + 1, 187, %% Destination port. + "GET / HTTP/1.1\r\n">>), + {ok, #{ + version := 2, + command := proxy, + transport_family := ipv4, + transport_protocol := dgram, + src_address := {127, 0, 0, 1}, + src_port := 444, + dest_address := {192, 168, 0, 1}, + dest_port := 443 + }, <<"GET / HTTP/1.1\r\n">>} = parse(<< + 13, 10, 13, 10, 0, 13, 10, 81, 85, 73, 84, 10, %% Signature. + 33, %% Version and command. + 18, %% Family and protocol. + 0, 12, %% Length. + 127, 0, 0, 1, %% Source address. + 192, 168, 0, 1, %% Destination address. + 1, 188, %% Source port. + 1, 187, %% Destination port. + "GET / HTTP/1.1\r\n">>), + {ok, #{ + version := 2, + command := proxy, + transport_family := ipv6, + transport_protocol := stream, + src_address := {5532, 4240, 1, 0, 0, 0, 0, 0}, + src_port := 444, + dest_address := {8193, 3512, 1, 0, 0, 0, 0, 0}, + dest_port := 443 + }, <<"GET / HTTP/1.1\r\n">>} = parse(<< + 13, 10, 13, 10, 0, 13, 10, 81, 85, 73, 84, 10, %% Signature. + 33, %% Version and command. + 33, %% Family and protocol. + 0, 36, %% Length. + 21, 156, 16, 144, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, %% Source address. + 32, 1, 13, 184, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, %% Destination address. + 1, 188, %% Source port. + 1, 187, %% Destination port. + "GET / HTTP/1.1\r\n">>), + {ok, #{ + version := 2, + command := proxy, + transport_family := ipv6, + transport_protocol := dgram, + src_address := {5532, 4240, 1, 0, 0, 0, 0, 0}, + src_port := 444, + dest_address := {8193, 3512, 1, 0, 0, 0, 0, 0}, + dest_port := 443 + }, <<"GET / HTTP/1.1\r\n">>} = parse(<< + 13, 10, 13, 10, 0, 13, 10, 81, 85, 73, 84, 10, %% Signature. + 33, %% Version and command. + 34, %% Family and protocol. + 0, 36, %% Length. + 21, 156, 16, 144, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, %% Source address. + 32, 1, 13, 184, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, %% Destination address. + 1, 188, %% Source port. + 1, 187, %% Destination port. + "GET / HTTP/1.1\r\n">>), + Path = <<"/var/pgsql_sock">>, + Len = byte_size(Path), + Padding = 8 * (108 - Len), + {ok, #{ + version := 2, + command := proxy, + transport_family := unix, + transport_protocol := stream, + src_address := Path, + dest_address := Path + }, <<"GET / HTTP/1.1\r\n">>} = parse(<< + 13, 10, 13, 10, 0, 13, 10, 81, 85, 73, 84, 10, + 33, + 49, + 0, 216, + Path/binary, 0:Padding, + Path/binary, 0:Padding, + "GET / HTTP/1.1\r\n">>), + {ok, #{ + version := 2, + command := proxy, + transport_family := unix, + transport_protocol := dgram, + src_address := Path, + dest_address := Path + }, <<"GET / HTTP/1.1\r\n">>} = parse(<< + 13, 10, 13, 10, 0, 13, 10, 81, 85, 73, 84, 10, + 33, + 50, + 0, 216, + Path/binary, 0:Padding, + Path/binary, 0:Padding, + "GET / HTTP/1.1\r\n">>), + ok. +-endif. + +parse_tlv(Rest, 0, Info, _) -> + {ok, Info, Rest}; +%% PP2_TYPE_ALPN. +parse_tlv(<<16#1, TLVLen:16, ALPN:TLVLen/binary, Rest/bits>>, Len, Info, Header) -> + parse_tlv(Rest, Len - TLVLen - 3, Info#{alpn => ALPN}, Header); +%% PP2_TYPE_AUTHORITY. +parse_tlv(<<16#2, TLVLen:16, Authority:TLVLen/binary, Rest/bits>>, Len, Info, Header) -> + parse_tlv(Rest, Len - TLVLen - 3, Info#{authority => Authority}, Header); +%% PP2_TYPE_CRC32C. +parse_tlv(<<16#3, TLVLen:16, CRC32C:32, Rest/bits>>, Len0, Info, Header) when TLVLen =:= 4 -> + Len = Len0 - TLVLen - 3, + BeforeLen = byte_size(Header) - Len - 7, %% 3 Family/Protocol/Len, 4 CRC32C + <<Before:BeforeLen/binary, _:32, After:Len/binary>> = Header, + %% The initial CRC is erlang:crc32(<<"\r\n\r\n\0\r\nQUIT\n", 2:4, 1:4>>). + case erlang:crc32(1302506282, [Before, <<0:32>>, After]) of + CRC32C -> + parse_tlv(Rest, Len - TLVLen - 3, Info, Header); + _ -> + {error, 'Failed CRC32C verification in PROXY protocol binary header. (PP 2.2)'} + end; +%% PP2_TYPE_NOOP. +parse_tlv(<<16#4, TLVLen:16, _:TLVLen/binary, Rest/bits>>, Len, Info, Header) -> + parse_tlv(Rest, Len - TLVLen - 3, Info, Header); +%% PP2_TYPE_SSL. +parse_tlv(<<16#20, TLVLen:16, Client, Verify:32, Rest0/bits>>, Len, Info, Header) -> + SubsLen = TLVLen - 5, + case Rest0 of + <<Subs:SubsLen/binary, Rest/bits>> -> + SSL0 = #{ + client => client(<<Client>>), + verified => Verify =:= 0 + }, + case parse_ssl_tlv(Subs, SubsLen, SSL0) of + {ok, SSL, <<>>} -> + parse_tlv(Rest, Len - TLVLen - 3, Info#{ssl => SSL}, Header); + Error={error, _} -> + Error + end; + _ -> + {error, 'Invalid TLV length in the PROXY protocol binary header. (PP 2.2)'} + end; +%% PP2_TYPE_NETNS. +parse_tlv(<<16#30, TLVLen:16, NetNS:TLVLen/binary, Rest/bits>>, Len, Info, Header) -> + parse_tlv(Rest, Len - TLVLen - 3, Info#{netns => NetNS}, Header); +%% Unknown TLV. +parse_tlv(<<TLVType, TLVLen:16, TLVValue:TLVLen/binary, Rest/bits>>, Len, Info, Header) -> + RawTLVs = maps:get(raw_tlvs, Info, []), + parse_tlv(Rest, Len - TLVLen - 3, Info#{raw_tlvs => [{TLVType, TLVValue}|RawTLVs]}, Header); +%% Invalid TLV length. +parse_tlv(_, _, _, _) -> + {error, 'Invalid TLV length in the PROXY protocol binary header. (PP 2.2)'}. + +client(<<_:5, ClientCertSess:1, ClientCertConn:1, ClientSSL:1>>) -> + Client0 = case ClientCertSess of + 0 -> []; + 1 -> [cert_sess] + end, + Client1 = case ClientCertConn of + 0 -> Client0; + 1 -> [cert_conn|Client0] + end, + case ClientSSL of + 0 -> Client1; + 1 -> [ssl|Client1] + end. + +parse_ssl_tlv(Rest, 0, Info) -> + {ok, Info, Rest}; +%% Valid TLVs. +parse_ssl_tlv(<<TLVType, TLVLen:16, TLVValue:TLVLen/binary, Rest/bits>>, Len, Info) -> + case ssl_subtype(TLVType) of + undefined -> + {error, 'Invalid TLV subtype for PP2_TYPE_SSL in PROXY protocol binary header. (PP 2.2)'}; + Type -> + parse_ssl_tlv(Rest, Len - TLVLen - 3, Info#{Type => TLVValue}) + end; +%% Invalid TLV length. +parse_ssl_tlv(_, _, _) -> + {error, 'Invalid TLV length in the PROXY protocol binary header. (PP 2.2)'}. + +ssl_subtype(16#21) -> version; +ssl_subtype(16#22) -> cn; +ssl_subtype(16#23) -> cipher; +ssl_subtype(16#24) -> sig_alg; +ssl_subtype(16#25) -> key_alg; +ssl_subtype(_) -> undefined. |