File Coverage

blib/lib/Net/SSLeay/OO/SSL.pm

Criterion	Covered	Total	%
statement	1	3	33.3
branch			n/a
condition			n/a
subroutine	1	1	100.0
pod			n/a
total	2	4	50.0

line	stmt	sub	time	code
1
2				package Net::SSLeay::OO::SSL;
3
4	2	2	28130	use Moose;
	0
	0
5				use Net::SSLeay::OO::Context;
6
7				=head1 NAME
8
9				Net::SSLeay::OO::SSL - OO interface to Net::SSLeay methods
10
11				=head1 SYNOPSIS
12
13				use Net::SSLeay::OO::Constants qw(OP_ALL);
14				use Net::SSLeay::OO::SSL;
15
16				# basic (insecure!) use - see below
17				my $ssl = Net::SSLeay::OO::SSL->new;
18				$ssl->set_fd(fileno($socket));
19				$ssl->connect;
20
21				=head1 DESCRIPTION
22
23				This module adds some OO niceties to using the Net::SSLeay / OpenSSL
24				SSL objects.
25
26				This SSL object is a per-connection entity. In general you will
27				create one of these from a L<Net::SSLeay::OO::Context> object which you
28				set up for your process and perhaps configured more fully.
29
30				If you do not do that, then you are not certifying the authenticity of
31				the peer. This means that your program will be vulnerable to MITM
32				(man in the middle) attacks.
33
34				=cut
35
36				=head1 ATTRIBUTES
37
38				=over
39
40				=item ssl : Int
41
42				The raw *SSL pointer. Use at your own risk.
43
44				=cut
45
46				has 'ssl' => isa => "Int",
47				is => "ro",
48				required => 1,
49				lazy => 1,
50				default => sub {
51				my $self = shift;
52				Net::SSLeay::new( $self->ctx->ctx );
53				},
54				;
55
56				=item ctx : Context
57
58				A Net::SSLeay::OO::Context object. Automatically created if not assigned
59				on creation of the Net::SSLeay::OO::SSL.
60
61				=cut
62
63				has 'ctx' => isa => "Net::SSLeay::OO::Context",
64				is => "ro",
65				required => 1,
66				default => sub {
67				Net::SSLeay::OO::Context->new();
68				},
69				;
70
71				sub BUILD {
72				my $self = shift;
73				$self->ssl;
74				}
75
76				=back
77
78				=cut
79
80				sub DESTROY {
81				my $self = shift;
82				if ( $self->ssl ) {
83				$self->free;
84				delete $self->{ssl};
85				}
86				}
87
88				=head1 METHODS
89
90				All of the methods in Net::SSLeay which are not obviously a part of
91				some other class are converted to methods of the Net::SSLeay::OO::SSL
92				class.
93
94				The documentation that follows is a core set, sufficient for running
95				up a server and verifying client certificates. However most functions
96				from the OpenSSL library are actually imported.
97
98				=cut
99
100				=head2 Handshake configuration methods
101
102				These options are all intended to control the handshake phase of SSL
103				negotiations.
104
105				=over
106
107				=item B<set_options( OP_XXX & OP_XXX ... )>
108
109				=item B<get_options()>
110
111				=item B<set_verify( $mode, [$verify_callback] )>
112
113				=item B<use_certificate( Net::SSLeay::OO::X509 $cert )>
114
115				=item B<use_certificate_file( $filename, $type )>
116
117				=item B<use_PrivateKey_file( $filename, $type )>
118
119				These functions are all very much the same as in
120				C<Net::SSLeay::OO::Context> but apply only to this SSL object. Note that
121				some functions are not available, such as
122				C<use_certificate_chain_file()> and C<set_default_cb_passwd()>
123
124				=back
125
126				=cut
127
128				has 'verify_cb', is => "ro";
129
130				BEGIN {
131				no strict 'refs';
132				*$_ = \&{"Net::SSLeay::OO::Context::$_"}
133				for qw(set_verify use_certificate);
134				}
135
136				sub _set_verify {
137				my $self = shift;
138				my $mode = shift;
139				my $real_cb = shift;
140				my $ssl = $self->ssl;
141				$self->{verify_cb} = $real_cb;
142				Net::SSLeay::set_verify( $ssl, $mode, $real_cb );
143				}
144
145				=head2 Setup methods
146
147				These methods set up the SSL object within your process - connecting
148				it to filehandles and so on.
149
150				=over
151
152				=item B<set_fd( fileno($fh) )>
153
154				=item B<get_fd( fileno($fh) )>
155
156				Sets/Gets the file descriptor number for send and receive.
157
158				=item B<set_rfd( fileno($fh) )>
159
160				=item set_wfd( fileno($fh) )>
161
162				Specify the file descriptors for send and receive independently.
163				Useful when dealing with non-socket entities such as pipes.
164
165				=item B<set_read_ahead( $boolean )>
166
167				=item B<get_read_ahead()>
168
169				See L<SSL_set_read_ahead(3ssl)>
170
171				=item B<set_mode( $mode )>
172
173				=item B<get_mode()>
174
175				Sets/gets the mode of the SSL object. See L<SSL_set_mode(3ssl)>. If
176				you want non-blocking use, set:
177
178				$ssl->set_mode( MODE_ENABLE_PARTIAL_WRITE \|
179				MODE_ACCEPT_MOVING_WRITE_BUFFER );
180
181				See F<t/05-non-blocking.t> for a more complete example of using this
182				library in non-blocking mode. Note you still need to mark the
183				underlying filehandle as non-blocking.
184
185				=back
186
187				=head2 Handshake/SSL session methods
188
189				=over
190
191				=item B<accept()>
192
193				=item B<connect()>
194
195				Initiate the SSL session, from the perspective of a server or a
196				client, respectively.
197
198				=item B<clear()>
199
200				Forget the current SSL session. You probably don't want to use this.
201
202				=item B<shutdown()>
203
204				Sends a "close notify" shutdown alert to the peer. You should do this
205				before you shut down the underlying socket.
206
207				=back
208
209				=head2 IO functions
210
211				=over
212
213				=item B<ssl_read_all>
214
215				=item B<ssl_read_CRLF( $max_length? )>
216
217				=item B<ssl_read_until( $delimit?, $max_length? )>
218
219				These are L<Net::SSLeay> wrappers to the OpenSSL read methods; use
220				these if you are not sure how to use the other ones. These are
221				blocking calls. Note that C<ssl_read_all> will read from the socket
222				until the remote end shuts down. C<ssl_read_CRLF> and
223				C<ssl_read_until> use the undocumented OpenSSL function C<SSL_peek> to
224				read the entire pending buffer, figure out at what point the delimiter
225				appears and then C<SSL_read> just enough to clear that.
226
227				=item B<read($max?)>
228
229				Perform and return read of the rest of the next SSL record, or C<$max>
230				bytes, whichever is smaller. How large that record is depends on the
231				sender, but you need to receive an entire record before you can
232				extract any data from it anyway.
233
234				=item B<peek($max?)>
235
236				Like C<read()>, but doesn't clear the data from the session buffer.
237
238				=item B<ssl_write_all($message)>
239
240				=item B<ssl_write_CRLF($line)>
241
242				Convenience wrappers for writing a message or a single line to the
243				socket via SSL. Note that C<ssl_write_CRLF> sends the CRLF two-byte
244				sequence to OpenSSL in its own C<SSL_write> function call, with a
245				comment warning that this "uses less memory but might use more network
246				packets".
247
248				=item B<write($message)>
249
250				Pretty much a direct method for C<SSL_write>; writes the message and
251				returns the number of bytes written.
252
253				=item B<write_partial($from, $count, $message)>
254
255				Writes a substring of the message and returns the number of bytes
256				written.
257
258				This interface is probably unnecessary since about Perl 5.8.1, as on
259				those perls C<substr()> can refer to substrings of other strings.
260
261				=back
262
263				=head2 Informative methods
264
265				These methods return information about the current SSL object
266
267				=over
268
269				=item B<get_error>
270
271				Returns the error from the last IO operation, you can match this
272				against various constants as described on L<SSL_get_error(3ssl)>.
273
274				=item B<want>
275
276				A simpler version of C<get_error>, see C<SSL_want(3ssl)>.
277
278				=item B<get_cipher>
279
280				The cipher of the current session
281
282				=item B<get_peer_certificate>
283
284				Returns a L<Net::SSLeay::OO::X509> object corresponding to the peer
285				certificate; if you're a client, it's the server certificate. If
286				you're a server, it's the client certificate, if you requested it
287				during handshake with C<set_verify>.
288
289				=cut
290
291				sub get_peer_certificate {
292				my $self = shift;
293				my $x509 = Net::SSLeay::get_peer_certificate( $self->ssl );
294				&Net::SSLeay::OO::Error::die_if_ssl_error("get_peer_certificate");
295				if ($x509) {
296				Net::SSLeay::OO::X509->new( x509 => $x509 );
297				}
298				}
299
300				=item B<get_session>
301
302				Returns a Net::SSLeay::OO::Session object corresponding to the SSL
303				session. This actually calls C<SSL_get1_session> to try to help save
304				you from segfaults.
305
306				=item B<set_session($session)>
307
308				If for some reason you want to set the session, call this method,
309				passing a Net::SSLeay::OO::Session object.
310
311				=cut
312
313				sub get_session {
314				my $self = shift;
315				require Net::SSLeay::OO::Session;
316				my $sessid = Net::SSLeay::get1_session( $self->ssl );
317				&Net::SSLeay::OO::Error::die_if_ssl_error("get_session");
318				if ($sessid) {
319				Net::SSLeay::OO::Session->new( session => $sessid );
320				}
321				}
322
323				sub set_session {
324				my $self = shift;
325				my $session = shift;
326				Net::SSLeay::set_session( $self->ssl, $session->session );
327				&Net::SSLeay::OO::Error::die_if_ssl_error("set_session");
328				}
329
330				=item B<state_string>
331
332				=item B<state_string_long>
333
334				Return a codified or human-readable string 'indicating the current
335				state of the SSL object'.
336
337				L<SSL_state_string(3ssl)> sez ''Detailed description of possible
338				states to be included later''
339
340				=item B<rstate_string>
341
342				=item B<rstate_string_long>
343
344				Return information about the read state. In a blocking environment,
345				this should always return "RD" or "read done". Otherwise, you'll get
346				something else possibly informative.
347
348				=back
349
350				=head2 Un-triaged
351
352				The following methods I haven't looked at at all; if you use them in a
353				program, please submit a patch which moves them into one of the above
354				categories. The best information about them will be found on the
355				relevant SSL man page - use C<man -k> or C<apropros> to find a useful
356				man page.
357
358				My policy on these is that no function should take an unwrapped
359				pointer argument or return an unwrapped pointer. So long as the
360				function you use doesn't do that, you can reasonably expect its call
361				interface not to change; but of course I place no guarantees should
362				OpenSSL or Net::SSLeay ruin your day.
363
364				set_cipher_list($list)
365				add_client_CA(ssl,x)
366				alert_desc_string(value)
367				alert_desc_string_long(value)
368				alert_type_string(value)
369				alert_type_string_long(value)
370				callback_ctrl(ssl,i,fp)
371				check_private_key(ctx)
372				do_handshake(s)
373				dup(ssl)
374				get_current_cipher(s)
375				get_default_timeout(s)
376				get_ex_data(ssl,idx)
377				get_finished(s,buf,count)
378				get_peer_finished(s,buf,count)
379				get_quiet_shutdown(ssl)
380				get_shutdown(ssl)
381				get_verify_depth(s)
382				get_verify_mode(s)
383				get_verify_result(ssl)
384				renegotiate(s)
385				set_accept_state(s)
386				set_client_CA_list(s,list)
387				set_connect_state(s)
388				set_ex_data(ssl,idx,data)
389				set_info_callback(ssl,cb)
390				set_purpose(s,purpose)
391				set_quiet_shutdown(ssl,mode)
392				set_shutdown(ssl,mode)
393				set_trust(s,trust)
394				set_verify_depth(s,depth)
395				set_verify_result(ssl,v)
396				version(ssl)
397				load_client_CA_file(file)
398				add_file_cert_subjects_to_stack(stackCAs,file)
399				add_dir_cert_subjects_to_stack(stackCAs,dir)
400				set_session_id_context(ssl,sid_ctx,sid_ctx_len)
401				set_tmp_rsa_callback(ssl, cb)
402				set_tmp_dh_callback(ssl,dh)
403				get_ex_new_index(argl, argp, new_func, dup_func, free_func)
404				clear_num_renegotiations(ssl)
405				get_app_data(s)
406				get_cipher_bits(s,np)
407				get_mode(ssl)
408				get_state(ssl)
409				need_tmp_RSA(ssl)
410				num_renegotiations(ssl)
411				session_reused(ssl)
412				set_app_data(s,arg)
413				set_mode(ssl,op)
414				set_pref_cipher(s,n)
415				set_tmp_dh(ssl,dh)
416				set_tmp_rsa(ssl,rsa)
417				total_renegotiations(ssl)
418				get_client_random(s)
419				get_server_random(s)
420				get_keyblock_size(s)
421				set_hello_extension(s, type, data)
422				set_session_secret_cb(s,func,data=NULL)
423
424				=cut
425
426				# excluded because they were either named badly for their argument
427				# types, because I didn't want to implement versions which would have
428				# to take pointers directly as integers, because there was no OpenSSL
429				# man page for them, or because they were marked as not for general
430				# consumption.
431
432				use Net::SSLeay::OO::Functions 'ssl', -exclude => [
433				qw( get_time set_time get_timeout set_timeout
434				set_bio get_rbio get_wbio get0_session
435				get1_session ctrl callback_ctrl state
436				set_ssl_method get_ssl_method set_cert_and_key
437				)
438				];
439
440				1;
441
442				__END__
443
444				=head1 AUTHOR
445
446				Sam Vilain, L<samv@cpan.org>
447
448				=head1 COPYRIGHT
449
450				Copyright (C) 2009 NZ Registry Services
451
452				This program is free software: you can redistribute it and/or modify
453				it under the terms of the Artistic License 2.0 or later. You should
454				have received a copy of the Artistic License the file COPYING.txt. If
455				not, see <http://www.perlfoundation.org/artistic_license_2_0>
456
457				=head1 SEE ALSO
458
459				L<Net::SSLeay::OO>, L<Net::SSLeay::OO::Context>, L<Net::SSLeay::Session>
460
461				=cut
462
463				# Local Variables:
464				# mode:cperl
465				# indent-tabs-mode: t
466				# cperl-continued-statement-offset: 8
467				# cperl-brace-offset: 0
468				# cperl-close-paren-offset: 0
469				# cperl-continued-brace-offset: 0
470				# cperl-continued-statement-offset: 8
471				# cperl-extra-newline-before-brace: nil
472				# cperl-indent-level: 8
473				# cperl-indent-parens-as-block: t
474				# cperl-indent-wrt-brace: nil
475				# cperl-label-offset: -8
476				# cperl-merge-trailing-else: t
477				# End:
478				# vim: filetype=perl:noexpandtab:ts=3:sw=3