1             # -*- perl -*-
2             #
3             # Net::Server::Proto::SSL - Net::Server Protocol module
4             #
5             # Copyright (C) 2001-2017
6             #
7             # Paul Seamons
8             #
9             # This package may be distributed under the terms of either the
10             # GNU General Public License
11             # or the
12             # Perl Artistic License
13             #
14             # All rights reserved.
15             #
16             ################################################################
17              
package Net::Server::Proto::SSL;

# Socket class for Net::Server's "ssl" protocol, layered on IO::Socket::SSL
# (see @ISA below). Listening sockets are built in object()/connect(); the
# TLS handshake is deliberately deferred until after accept() has returned
# (see accept() and _accept_ssl()).
use strict;
use warnings;
22              
BEGIN {
    # IO::Socket::SSL will automatically become IO::Socket::INET6 if it is available.
    # This is different from Net::Server::Proto::SSLEAY that only does it if IPv6 is requested.
    my $loaded = eval { require IO::Socket::SSL; 1 };
    die "Module IO::Socket::SSL is required for SSL - you may alternately try SSLEAY. $@"
        unless $loaded;
}
30              
our @ISA = ('IO::Socket::SSL');    # the socket implementation comes from IO::Socket::SSL
our $AUTOLOAD;                      # fully qualified name of the method being autoloaded
33              
# SSL_* options that object() always probes for a value -- from the port
# hashref, the server configuration or a same-named server method -- when a
# listening socket is created. Any further SSL_* key found in the port
# hashref is picked up dynamically in object().
my @ssl_args = (
    'SSL_use_cert',
    'SSL_verify_mode',
    'SSL_key_file',
    'SSL_cert_file',
    'SSL_ca_path',
    'SSL_ca_file',
    'SSL_cipher_list',
    'SSL_passwd_cb',
    'SSL_max_getline_length',
    'SSL_error_callback',
    'SSL_verify_callback',
);
47              
48 8     8 0 41 sub NS_proto { 'SSL' }
# Port accessor; the value lives in the socket's glob hash. With an argument
# it stores the new value first; it always returns the current value.
sub NS_port {
    my $sock = shift;
    if (@_) {
        ${*$sock}{'NS_port'} = shift;
    }
    return ${*$sock}{'NS_port'};
}
# Host accessor, stored in the socket's glob hash. A value of '*' means
# "all interfaces" (see connect()). Sets when called with an argument,
# returns the current value either way.
sub NS_host {
    my $sock = shift;
    ${*$sock}{'NS_host'} = $_[0] if @_;
    return ${*$sock}{'NS_host'};
}
# IP version accessor ('4', '6' or '*'), stored in the socket's glob hash.
# Sets when called with an argument, returns the current value either way.
sub NS_ipv {
    my $sock = shift;
    ${*$sock}{'NS_ipv'} = $_[0] if @_;
    return ${*$sock}{'NS_ipv'};
}
# Listen backlog accessor, stored in the socket's glob hash. Sets when called
# with an argument, returns the current value either way.
sub NS_listen {
    my $sock = shift;
    if (@_) {
        ${*$sock}{'NS_listen'} = shift;
    }
    return ${*$sock}{'NS_listen'};
}
53              
# Create the listening socket object(s) for one port entry.
#   $info   - parsed port hashref: host, port, ipv, listen, orig_port and
#             optionally any SSL_* key (see the SYNOPSIS)
#   $server - the Net::Server instance; its configuration supplies defaults
# SSL_* values are resolved, in order of precedence, from the port hashref,
# the server configuration, then a same-named method on the server.
# Returns all sockets in list context, the first one in scalar context.
sub object {
    my ($class, $info, $server) = @_;

    # The server-wide SSL_* settings are read through configure() once and
    # cached under $server->{'server'}{'ssl_args'}.
    my $ssl_defaults = $server->{'server'}->{'ssl_args'};
    if (!$ssl_defaults) {
        my %config = map { ($_ => undef) } @ssl_args;
        $server->configure({ map { ($_ => \$config{$_}) } @ssl_args });
        $ssl_defaults = $server->{'server'}->{'ssl_args'} = \%config;
    }

    my @socks = $class->SUPER::new();
    for my $sock (@socks) {
        $sock->NS_host($info->{'host'});
        $sock->NS_port($info->{'port'});
        $sock->NS_ipv($info->{'ipv'});

        my $backlog = $info->{'listen'};
        $backlog = $server->{'server'}->{'listen'} if !defined $backlog;
        $backlog = Socket::SOMAXCONN()              if !defined $backlog;
        $sock->NS_listen($backlog);

        ${*$sock}{'NS_orig_port'} = $info->{'orig_port'} if defined $info->{'orig_port'};

        # Known SSL_* args first, then any extra SSL_* key from the port
        # hashref, each only once, in first-seen order.
        my %seen;
        my @keys = grep { !$seen{$_}++ } (@ssl_args, sort grep { /^SSL_/ } keys %$info);
        for my $key (@keys) {
            my $val;
            if (defined $info->{$key}) {
                $val = $info->{$key};
            }
            elsif (defined $ssl_defaults->{$key}) {
                $val = $ssl_defaults->{$key};
            }
            elsif ($server->can($key)) {
                $val = $server->$key($info->{'host'}, $info->{'port'}, 'SSL');
            }
            next if !defined $val;
            $sock->$key($val);
        }
    }

    return wantarray ? @socks : $socks[0];
}
85              
# Emit the level-2 "Binding to ..." line for this listener via $server->log.
sub log_connect {
    my ($sock, $server) = @_;
    my $msg = sprintf 'Binding to %s port %s on host %s with IPv%s',
        $sock->NS_proto, $sock->NS_port, $sock->NS_host, $sock->NS_ipv;
    return $server->log(2, $msg);
}
90              
# Bind the listening SSL socket described by the NS_* properties. Every
# SSL_* property stored on the socket (see object()) is forwarded to
# IO::Socket::SSL's configure() together with SSL_server => 1. On failure
# the server is aborted through $server->fatal. When the configured port
# was 0 or a service name, NS_port is replaced by the port actually bound
# and the original value is kept in NS_orig_port.
sub connect {
    my ($sock, $server) = @_;
    my $host    = $sock->NS_host;
    my $port    = $sock->NS_port;
    my $ipv     = $sock->NS_ipv;
    my $backlog = $sock->NS_listen;

    my @ssl_opts = map { ($_ => $sock->$_()) } grep { /^SSL_/ } keys %{*$sock};

    my @domain;
    if ($sock->isa('IO::Socket::INET6')) {
        my $af = ($ipv eq '6') ? Socket6::AF_INET6()
               : ($ipv eq '4') ? Socket::AF_INET()
               :                 Socket::AF_UNSPEC();
        @domain = (Domain => $af);
    }

    $sock->SUPER::configure({
        LocalPort => $port,
        Proto     => 'tcp',
        Listen    => $backlog,
        ReuseAddr => 1,
        Reuse     => 1,
        (($host ne '*') ? (LocalAddr => $host) : ()), # '*' means every interface
        @domain,
        @ssl_opts,
        SSL_server => 1,
    }) or $server->fatal("Cannot connect to SSL port $port on $host [$!]");

    if ($port eq '0' and $port = $sock->sockport) {
        $server->log(2, " Bound to auto-assigned port $port");
        ${*$sock}{'NS_orig_port'} = $sock->NS_port;
        $sock->NS_port($port);
    }
    elsif ($port =~ /\D/ and $port = $sock->sockport) {
        $server->log(2, " Bound to service port ".$sock->NS_port()."($port)");
        ${*$sock}{'NS_orig_port'} = $sock->NS_port;
        $sock->NS_port($port);
    }
}
120              
# Re-attach this socket object to an inherited file descriptor after a HUP
# restart: the SSL_* properties are re-applied via configure_SSL, the
# descriptor is re-opened through IO::Socket::INET::fdopen, and the address
# family is restored for INET6 sockets. $port is the port recorded in the
# hup string; when it differs from NS_port the socket is updated to it.
sub reconnect { # after a sig HUP
    my ($sock, $fd, $server, $port) = @_;
    $server->log(3, sprintf 'Reassociating file descriptor %s with %s on [%s]:%s, using IPv%s',
        $fd, $sock->NS_proto, $sock->NS_host, $sock->NS_port, $sock->NS_ipv);

    my %ssl_opts = map { ($_ => $sock->$_()) } grep { /^SSL_/ } keys %{*$sock};
    $ssl_opts{'SSL_server'} = 1;
    $sock->configure_SSL(\%ssl_opts);

    $sock->IO::Socket::INET::fdopen($fd, 'w')
        or $server->fatal("Error opening to file descriptor ($fd) [$!]");

    if ($sock->isa("IO::Socket::INET6")) {
        my $ipv = $sock->NS_ipv;
        ${*$sock}{'io_socket_domain'} = ($ipv eq '6') ? Socket6::AF_INET6()
                                      : ($ipv eq '4') ? Socket::AF_INET()
                                      :                 Socket::AF_UNSPEC();
    }

    if ($port ne $sock->NS_port) {
        $server->log(2, " Re-bound to previously assigned port $port");
        ${*$sock}{'NS_orig_port'} = $sock->NS_port;
        $sock->NS_port($port);
    }
}
142              
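# Accept a pending TCP connection WITHOUT performing the TLS handshake: the
# plain IO::Socket::INET(6) accept is used so the listening parent can go
# straight back to listening, and the handshake is deferred to
# post_accept()/_accept_ssl() (see BUGS in the POD). The listener is kept on
# the client as _parent_sock for that later step and the NS_* properties are
# copied over. Returns ($client, $peername) in list context and $client in
# scalar context; $client is undef when the underlying accept fails.
sub accept {
    my ($sock, $class) = @_;
    my $into = $class || ref($sock);
    my $code = $sock->isa('IO::Socket::INET6')
        ? 'IO::Socket::INET6'->can('accept')
        : 'IO::Socket::INET'->can('accept'); # TODO - cache this lookup

    my ($client, $peername);
    if (wantarray) {
        ($client, $peername) = $code->($sock, $into);
    } else {
        $client = $code->($sock, $into);
    }

    # A failed accept (EAGAIN, EMFILE, ...) yields undef; dereferencing
    # ${*$client} in that case would die instead of reporting the failure
    # to the caller, so everything below is guarded.
    if (defined $client) {
        ${*$client}{'_parent_sock'} = $sock;
        $client->NS_proto($sock->NS_proto);
        $client->NS_ipv($sock->NS_ipv);
        $client->NS_host($sock->NS_host);
        $client->NS_port($sock->NS_port);
    }

    return wantarray ? ($client, $peername) : $client;
}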
163              
# Serialise the listener's identity for a HUP restart: host, port, proto and
# ipv joined by '|', followed by NS_orig_port when one was recorded.
sub hup_string {
    my $sock = shift;
    my @parts = ($sock->NS_host, $sock->NS_port, $sock->NS_proto, 'ipv' . $sock->NS_ipv);
    my $orig_port = ${*$sock}{'NS_orig_port'};
    push @parts, $orig_port if defined $orig_port;
    return join '|', @parts;
}
168              
# Human-readable dump of the socket: its class, hup string and two SSLeay_*
# properties, one per line.
# NOTE(review): SSLeay_context and SSLeay_is_client are not SSL_-prefixed,
# so this module's AUTOLOAD rejects them, and nothing in this file defines
# them; unless IO::Socket::SSL provides methods of that name this looks
# carried over from Net::Server::Proto::SSLEAY -- confirm before relying on
# show() (it is not exercised by the test suite).
sub show {
    my $sock = shift;
    my $out = sprintf "Ref = \"%s\" (%s)\n", ref($sock), $sock->hup_string;
    for my $prop (qw(SSLeay_context SSLeay_is_client)) {
        $out .= sprintf " %s = \"%s\"\n", $prop, $sock->$prop();
    }
    return $out;
}
177              
# Generate an accessor for any SSL_* property the first time it is called
# (e.g. $sock->SSL_cert_file($path)). Values are kept in the socket's glob
# hash; storing undef deletes the entry. Any name that does not match
# /^SSL_\w+$/ dies, so misspelled or unknown methods are not silently
# turned into accessors.
sub AUTOLOAD {
    my $sock = shift;
    my $prop = $AUTOLOAD =~ /::([^:]+)$/ ? $1 : die "Missing property in AUTOLOAD.";
    die "Unknown method or property [$prop]" if $prop !~ /^(SSL_\w+)$/;

    no strict 'refs';
    # Install the accessor into this package so later calls bypass AUTOLOAD.
    *{__PACKAGE__."::${prop}"} = sub {
        my $sock = shift;
        if (@_) {
            ${*$sock}{$prop} = shift;
            # undef means "unset": drop the key rather than keep an undef value
            return delete ${*$sock}{$prop} if ! defined ${*$sock}{$prop};
        } else {
            return ${*$sock}{$prop};
        }
    };
    return $sock->$prop(@_);
}
195              
196 1     1 0 9 sub tie_stdout { 1 }
197              
# Net::Server hook run on the accepted client: complete the deferred TLS
# handshake unless _accept_ssl has already done so.
sub post_accept {
    my ($client) = @_;
    if (!${*$client}{'_accept_ssl'}) {
        $client->_accept_ssl;
    }
}
202              
# Finish the TLS handshake on a client previously returned by accept().
# The listener stored as _parent_sock does the work via accept_SSL and is
# dropped from the client afterwards. Running the handshake here, after
# accept() has returned, keeps the listening parent from being blocked by a
# slow client (see BUGS in the POD); no handshake timeout is applied in
# this block. Dies if the parent reference is missing or the handshake fails.
sub _accept_ssl {
    my ($client) = @_;
    ${*$client}{'_accept_ssl'} = 1;
    my $listener = delete ${*$client}{'_parent_sock'};
    die "Could not get handshake from accept\n" if !$listener;
    $listener->accept_SSL($client)
        || die "Could not finalize SSL connection with client handle ($@)\n";
}
209              
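# Read from the client one byte at a time until $bytes bytes have been
# collected or the accumulated buffer matches $end_qr, completing the
# deferred TLS handshake first if needed. Returns ($status, $content) in
# list context and $content in scalar context; $status is 2 when the byte
# count was reached, 1 when the terminator matched, and 0 when the peer
# closed the connection or the read failed before either condition held.
# Dies if neither $bytes nor $end_qr is given.
sub read_until { # allow for an interface that can be tied to STDOUT
    my ($client, $bytes, $end_qr) = @_;
    die "One of bytes or end_qr should be defined for TCP read_until\n" if !defined($bytes) && !defined($end_qr);

    $client->_accept_ssl if !${*$client}{'_accept_ssl'};

    # NOTE: with only $end_qr given nothing bounds $content; a peer that never
    # sends the terminator can grow the buffer without limit.
    my $content = '';
    my $ok = 0;
    while (1) {
        my $got = $client->read($content, 1, length($content));
        # 0 (EOF) or undef (error): stop rather than spin forever on a peer
        # that went away before the condition could be met.
        last if !$got;
        if (defined($bytes) && length($content) >= $bytes) {
            $ok = 2;
            last;
        } elsif (defined($end_qr) && $content =~ $end_qr) {
            $ok = 1;
            last;
        }
    }
    return wantarray ? ($ok, $content) : $content;
}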
230              
231             1;
232              
233             =head1 NAME
234              
235             Net::Server::Proto::SSL - Net::Server SSL protocol.
236              
237             =head1 SYNOPSIS
238              
Until this release, it was preferable to use the Net::Server::Proto::SSLEAY
240             module. Recent versions include code that overcomes original limitations.
241              
242             See L.
243             See L.
244              
245             use base qw(Net::Server::HTTP);
246             main->run(
247             proto => 'ssl',
248             SSL_key_file => "/path/to/my/file.key",
249             SSL_cert_file => "/path/to/my/file.crt",
250             );
251              
252              
253             # OR
254              
255             sub SSL_key_file { "/path/to/my/file.key" }
256             sub SSL_cert_file { "/path/to/my/file.crt" }
main->run(proto => 'ssl');
258              
259              
260             # OR
261              
262             main->run(
263             port => [443, 8443, "80/tcp"], # bind to two ssl ports and one tcp
264             proto => "ssl", # use ssl as the default
265             ipv => "*", # bind both IPv4 and IPv6 interfaces
266             SSL_key_file => "/path/to/my/file.key",
267             SSL_cert_file => "/path/to/my/file.crt",
268             );
269              
270              
271             # OR
272              
273             main->run(port => [{
274             port => "443",
275             proto => "ssl",
276             # ipv => 4, # default - only do IPv4
277             SSL_key_file => "/path/to/my/file.key",
278             SSL_cert_file => "/path/to/my/file.crt",
279             }, {
280             port => "8443",
281             proto => "ssl",
282             ipv => "*", # IPv4 and IPv6
283             SSL_key_file => "/path/to/my/file2.key", # separate key
284             SSL_cert_file => "/path/to/my/file2.crt", # separate cert
285              
286             SSL_foo => 1, # Any key prefixed with SSL_ passed as a port hashref
287             # key/value will automatically be passed to IO::Socket::SSL
288             }]);
289              
290              
291             =head1 DESCRIPTION
292              
293             Protocol module for Net::Server based on IO::Socket::SSL. This module
294             implements a secure socket layer over tcp (also known as SSL) via the
295             IO::Socket::SSL module. If this module does not work in your
296             situation, please also consider using the SSLEAY protocol
297             (Net::Server::Proto::SSLEAY) which interfaces directly with
298             Net::SSLeay. See L.
299              
300             If you know that your server will only need IPv4 (which is the default
301             for Net::Server), you can load IO::Socket::SSL in inet4 mode which
302             will prevent it from using Socket6 and IO::Socket::INET6 since they
would represent additional and unused overhead.
304              
305             use IO::Socket::SSL qw(inet4);
306             use base qw(Net::Server::Fork);
307              
308             __PACKAGE__->run(proto => "ssl");
309              
310             =head1 PARAMETERS
311              
312             In addition to the normal Net::Server parameters, any of the SSL
313             parameters from IO::Socket::SSL may also be specified. See
314             L for information on setting this up. All arguments
315             prefixed with SSL_ will be passed to the IO::Socket::SSL->configure
316             method.
317              
318             =head1 BUGS
319              
Until Net::Server version 2, Net::Server::Proto::SSL used the
321             default IO::Socket::SSL::accept method. This old approach introduces a
322             DDOS vulnerability into the server, where the socket is accepted, but
323             the parent server then has to block until the client negotiates the
324             SSL connection. This has now been overcome by overriding the accept
325             method and accepting the SSL negotiation after the parent socket has
326             had the chance to go back to listening.
327              
328             =head1 LICENCE
329              
330             Distributed under the same terms as Net::Server
331              
332             =head1 THANKS
333              
334             Thanks to Vadim for pointing out the IO::Socket::SSL accept
335             was returning objects blessed into the wrong class.
336              
337             =cut