File Coverage

blib/lib/Net/SSLeay/OO/Context.pm

Criterion	Covered	Total	%
statement	1	3	33.3
branch			n/a
condition			n/a
subroutine	1	1	100.0
pod			n/a
total	2	4	50.0

line	stmt	sub	time	code
1
2				package Net::SSLeay::OO::Context;
3
4	2	2	29228	use Moose;
	0
	0
5
6				use Net::SSLeay;
7				use Net::SSLeay::OO::Error;
8
9				=head1 NAME
10
11				Net::SSLeay::OO::Context - OO interface to Net::SSLeay CTX_ methods
12
13				=head1 SYNOPSIS
14
15				use Net::SSLeay::OO::Constants qw(OP_ALL FILETYPE_PEM OP_NO_SSLv2);
16				use Net::SSLeay::OO::Context;
17
18				# create an SSL object, disable SSLv2
19				my $ctx = Net::SSLeay::OO::Context->new;
20				$ctx->set_options(OP_ALL & OP_NO_SSLv2);
21
22				# specify path to your CA certificates for verifying peer
23				$ctx->load_verify_locations($ca_filename, $db_dir);
24
25				# optional for clients - load our own certificate/key
26				$ctx->use_certificate_chain_file($cert_filename);
27				$ctx->use_PrivateKey_file($key_filename, FILETYPE_PEM);
28
29				# optional for servers - require peer certificates
30				$ctx->set_verify(VERIFY_PEER & VERIFY_FAIL_IF_NO_PEER_CERT);
31
32				# now make SSL objects with these options!
33				use Net::SSLeay::OO::SSL;
34				my $ssl = Net::SSLeay::OO::SSL->new( ctx => $ctx );
35
36				# convenience method for the above, plus attach to a socket
37				my $ssl = $ctx->new_ssl($socket);
38
39				=head1 DESCRIPTION
40
41				Every SSL connection has a context, which specifies various options.
42				You can also specify these options on Net::SSLeay::OO::SSL objects, but
43				you would normally want to set up as much as possible early on, then
44				re-use the context to create new SSL handles.
45
46				The OpenSSL library initialization functions are called the first time
47				that a Net::SSLeay::OO::Context object is instantiated.
48
49				=cut
50
51				has 'ctx' => (
52				is => "ro",
53				isa => "Int",
54				);
55
56				=head1 ATTRIBUTES
57
58				=over
59
60				=item ctx : Int
61
62				The raw ctx object. Use at your own risk.
63
64				=item ssl_version: ( undef \| 2 \| 3 \| 10 )
65
66				Specify the SSL version to allow. 10 means TLSv1, 2 and 3 mean SSLv2
67				and SSLv3, respectively. No options means 'SSLv23'; if you want to
68				permit the secure protocols only (SSLv3 and TLSv1) you need to use:
69
70				use Net::SSLeay::OO::Constants qw(OP_NO_SSLv2);
71				my $ctx = Net::SSLeay::OO::Context->new();
72				$ctx->set_options( OP_NO_SSLv2 )
73
74				This option must be specified at object creation time.
75
76				=back
77
78				=cut
79
80				has 'ssl_version' => (
81				is => "ro",
82				isa => "Int",
83				);
84
85				our $INITIALIZED;
86
87				sub BUILD {
88				my $self = shift;
89				if ( !$INITIALIZED++ ) {
90				Net::SSLeay::load_error_strings();
91				Net::SSLeay::SSLeay_add_ssl_algorithms();
92				Net::SSLeay::randomize();
93				}
94				if ( !$self->ctx ) {
95				my $ctx = Net::SSLeay::new_x_ctx( $self->ssl_version );
96				$self->{ctx} = $ctx;
97				$self->set_default_verify_paths;
98				}
99				}
100
101				sub DESTROY {
102				my $self = shift;
103				if ( $self->ctx ) {
104				$self->free;
105				delete $self->{ctx};
106				}
107				}
108
109				=head1 METHODS
110
111				All of the CTX_ methods in Net::SSLeay are converted to methods of
112				the Net::SSLeay::OO::Context class.
113
114				The documentation that follows is a core set, sufficient for running
115				up a server and verifying client certificates. However most functions
116				from the OpenSSL library are actually imported.
117
118				=head2 Handshake configuration methods
119
120				=over
121
122				=item B<set_options(OP_XXX \| OP_XXX ...)>
123
124				Set options that apply to this Context. The valid values and
125				descriptions can be found on L<SSL_CTX_set_options(3ssl)>; for this
126				module they must be imported from L<Net::SSLeay::OO::Constants>.
127
128				=item B<get_options()>
129
130				Returns the current options bitmask; mask with the option you're
131				interested in to see if it is set:
132
133				unless ($ctx->get_options & OP_NO_SSLv2) {
134				die "SSL v2 was not disabled!";
135				}
136
137				=item B<load_verify_locations($filename, $path)>
138
139				Specify where CA certificates in PEM format are to be found.
140				C<$filename> is a single file containing one or more certificates.
141				C<$path> refers to a directory with C<9d66eef0.1> etc files as would
142				be made by L<c_rehash>. See L<SSL_CTX_load_verify_locations(3ssl)>.
143
144				=item B<set_default_verify_paths()>
145
146				Sets up system-dependent certificate store location. This is probably
147				quite a good default.
148
149				=item B<set_verify($mode, [$verify_callback])>
150
151				Mode should be either VERIFY_NONE, or a combination of VERIFY_PEER,
152				VERIFY_CLIENT_ONCE and/or VERIFY_FAIL_IF_NO_PEER_CERT. If you don't
153				set this as a server, you cannot later call
154				C<-E<gt>get_peer_certificate> to find out if the client configured a
155				certificate (though there are references to repeating SSL negotiation,
156				eg in L<SSL_read(3ssl)>, not sure how this is performed though).
157
158				During the handshake phase, the $verify_callback is called once for
159				every certificate in the chain of the peer, starting with the root
160				certificate. Each time, it is passed two arguments: the first a
161				boolean (1 or 0) which indicates whether the in-built certificate
162				verification passed, and the second argument is the actual
163				B<certficate> which is being verified (a L<Net::SSLeay::OO::X509> object).
164				Note this is different to the calling convention of OpenSSL and
165				Net::SSLeay, which instead (logically, anyway) pass a
166				L<Net::SSLeay::OO::X509::Context> object. However there is little of
167				interest in this other object, so for convenience the current
168				certificate is passed instead as the second object. The
169				L<Net::SSLeay::OO::X509::Context> is passed as a third argument should you
170				need it.
171
172				The passed L<Net::SSLeay::OO::X509> object will not work outside of the
173				callback; get everything out of it that you need inside it, or use the
174				C<get_peer_certificate> method of L<Net::SSLeay::OO::SSL> later.
175
176				Example:
177
178				my @names;
179				$ctx->set_verify(VERIFY_PEER, sub {
180				my ($ok, $x509) = @_;
181				push @names, $x509->subject_name->cn;
182				return $ok;
183				});
184
185				$ssl = $ctx->new_ssl($fd);
186				$ssl->accept();
187
188				print "Client identity chain: @names\n";
189
190				=cut
191
192				use Net::SSLeay::OO::Constants qw(VERIFY_NONE);
193
194				has 'verify_cb', is => "ro";
195
196				sub set_verify {
197				my $self = shift;
198				my $mode = shift;
199				my $callback = shift;
200				require Net::SSLeay::OO::X509::Context;
201
202				# always set a callback, unless VERIFY_NONE "is set"
203				my $real_cb = $mode == VERIFY_NONE ? undef : sub {
204				my ( $preverify_ok, $x509_store_ctx ) = @_;
205				my $x509_ctx =
206				Net::SSLeay::OO::X509::Context->new(
207				x509_store_ctx => $x509_store_ctx,);
208				my $cert = $x509_ctx->get_current_cert;
209				my $ok;
210				if ($callback) {
211				$ok = $callback->( $preverify_ok, $cert, $x509_ctx );
212				}
213				else {
214				$ok = $preverify_ok;
215				}
216				$cert->free;
217				$ok;
218				};
219				$self->_set_verify( $mode, $real_cb );
220				&Net::SSLeay::OO::Error::die_if_ssl_error("set_verify");
221				}
222
223				sub _set_verify {
224				my $self = shift;
225				my $mode = shift;
226				my $real_cb = shift;
227				my $ctx = $self->ctx;
228				$self->{verify_cb} = $real_cb;
229				Net::SSLeay::CTX_set_verify( $ctx, $mode, $real_cb );
230				}
231
232				=item use_certificate_file($filename, $type)
233
234				C<$filename> is the name of a local file. This becomes your local
235				cert - client or server.
236
237				C<$type> may be FILETYPE_PEM or FILETYPE_ASN1.
238
239				=item use_certificate_chain_file($filename)
240
241				C<$filename> is the name of a local PEM file, containing a chain of
242				certificates which lead back to a valid root certificate. In general,
243				this is the more useful method of loading a certificate.
244
245				=item use_PrivateKey_file($filename, $type);
246
247				If using a certificate, you need to specify the private key of the end
248				of the chain. Specify it here; set C<$type> as with
249				C<use_certificate_file>
250
251				=back
252
253				=head2 Setup methods
254
255				=over
256
257				=item B<set_mode($mode)>
258
259				=item B<get_mode>
260
261				Sets/gets the mode of SSL objects created from this context. See
262				L<SSL_set_mode(3ssl)>. This is documented more fully at
263				L<Net::SSLeay::OO::SSL/set_mode>
264
265				=back
266
267				=head2 Handshake/SSL session methods
268
269				=over
270
271				=item B<new_ssl($socket)>
272
273				Makes a new L<Net::SSLeay::OO::SSL> object using this Context, and attach
274				it to the given socket (if passed).
275
276				=cut
277
278				sub new_ssl {
279				my $self = shift;
280				my $socket = shift;
281				my $ssl = Net::SSLeay::OO::SSL->new( ctx => $self );
282				if ($socket) {
283				$ssl->set_fd( fileno($socket) );
284				}
285				$ssl;
286				}
287
288				=item B<connect($socket)>
289
290				=item B<accept($socket)>
291
292				Further convenience methods, which create a new L<Net::SSLeay::OO::SSL>
293				object, wire it up to the passed socket, then call either C<connect>
294				or C<accept>. Returns the L<Net::SSLeay::OO::SSL> object.
295
296				=cut
297
298				sub connect {
299				my $self = shift;
300				my $ssl = $self->new_ssl(@_);
301				$ssl->connect();
302				$ssl;
303				}
304
305				sub accept {
306				my $self = shift;
307				my $ssl = $self->new_ssl(@_);
308				$ssl->accept();
309				$ssl;
310				}
311
312				=back
313
314				=head1 Informative methods
315
316				=over
317
318				=item B<get_cert_store()>
319
320				Returns the L<Net::SSLeay::OO::X509::Store> associated with this context.
321
322				=cut
323
324				sub get_cert_store {
325				my $self = shift;
326				require Net::SSLeay::OO::X509::Store;
327				my $store = Net::SSLeay::CTX_get_cert_store( $self->ctx ),
328				&Net::SSLeay::OO::Error::die_if_ssl_error("get_cert_store");
329				Net::SSLeay::OO::X509::Store->new( x509_store => $store );
330				}
331
332				=back
333
334				=cut
335
336				use Net::SSLeay::OO::Functions "ctx",
337				-include => { set_cert_and_key => "set_cert_and_key" };
338
339				1;
340
341				__END__
342
343				=head2 un-triaged
344
345				The following methods were defined in Net::SSLeay 1.35, and may work
346				via this interface.
347
348				v2_new()
349				v3_new()
350				v23_new()
351				tlsv1_new()
352				new_with_method(meth)
353				add_session(ctx,ses)
354				remove_session(ctx,ses)
355				flush_sessions(ctx,tm)
356				use_RSAPrivateKey_file(ctx,file,type)
357				set_cipher_list(s,str)
358				ctrl(ctx,cmd,larg,parg)
359				get_options(ctx)
360				set_options(ctx,op)
361				sessions(ctx)
362				sess_number(ctx)
363				sess_connect(ctx)
364				sess_connect_good(ctx)
365				sess_connect_renegotiate(ctx)
366				sess_accept(ctx)
367				sess_accept_renegotiate(ctx)
368				sess_accept_good(ctx)
369				sess_hits(ctx)
370				sess_cb_hits(ctx)
371				sess_misses(ctx)
372				sess_timeouts(ctx)
373				sess_cache_full(ctx)
374				sess_get_cache_size(ctx)
375				sess_set_cache_size(ctx,size)
376				add_client_CA(ctx,x)
377				callback_ctrl(ctx,i,fp)
378				check_private_key(ctx)
379				get_ex_data(ssl,idx)
380				get_quiet_shutdown(ctx)
381				get_timeout(ctx)
382				get_verify_depth(ctx)
383				get_verify_mode(ctx)
384				set_cert_store(ctx,store)
385				get_cert_store(ctx)
386				set_cert_verify_callback(ctx,func,data=NULL)
387				set_client_CA_list(ctx,list)
388				set_default_passwd_cb(ctx,func=NULL)
389				set_default_passwd_cb_userdata(ctx,u=NULL)
390				set_ex_data(ssl,idx,data)
391				set_purpose(s,purpose)
392				set_quiet_shutdown(ctx,mode)
393				set_ssl_version(ctx,meth)
394				set_timeout(ctx,t)
395				set_trust(s,trust)
396				set_verify_depth(ctx,depth)
397				use_RSAPrivateKey(ctx,rsa)
398				get_ex_new_index(argl,argp,new_func,dup_func,free_func)
399				set_session_id_context(ctx,sid_ctx,sid_ctx_len)
400				set_tmp_rsa_callback(ctx, cb)
401				set_tmp_dh_callback(ctx, dh)
402				add_extra_chain_cert(ctx,x509)
403				get_app_data(ctx)
404				get_mode(ctx)
405				get_read_ahead(ctx)
406				get_session_cache_mode(ctx)
407				need_tmp_RSA(ctx)
408				set_app_data(ctx,arg)
409				set_mode(ctx,op)
410				set_read_ahead(ctx,m)
411				set_session_cache_mode(ctx,m)
412				set_tmp_dh(ctx,dh)
413				set_tmp_rsa(ctx,rsa)
414
415				=head1 AUTHOR
416
417				Sam Vilain, L<samv@cpan.org>
418
419				=head1 COPYRIGHT
420
421				Copyright (C) 2009 NZ Registry Services
422
423				This program is free software: you can redistribute it and/or modify
424				it under the terms of the Artistic License 2.0 or later. You should
425				have received a copy of the Artistic License the file COPYING.txt. If
426				not, see <http://www.perlfoundation.org/artistic_license_2_0>
427
428				=head1 SEE ALSO
429
430				L<Net::SSLeay::OO>, L<Net::SSLeay::OO::Constants>, L<Net::SSLeay::SSL>,
431				L<Net::SSLeay::OO::X509>, L<Net::SSLeay::Error>
432
433				=cut
434
435				# Local Variables:
436				# mode:cperl
437				# indent-tabs-mode: t
438				# cperl-continued-statement-offset: 8
439				# cperl-brace-offset: 0
440				# cperl-close-paren-offset: 0
441				# cperl-continued-brace-offset: 0
442				# cperl-continued-statement-offset: 8
443				# cperl-extra-newline-before-brace: nil
444				# cperl-indent-level: 8
445				# cperl-indent-parens-as-block: t
446				# cperl-indent-wrt-brace: nil
447				# cperl-label-offset: -8
448				# cperl-merge-trailing-else: t
449				# End:
450				# vim: filetype=perl:noexpandtab:ts=3:sw=3