1 | package Mojo::IOLoop::TLS;
|
---|
2 | use Mojo::Base 'Mojo::EventEmitter';
|
---|
3 |
|
---|
4 | use Mojo::File 'path';
|
---|
5 | use Mojo::IOLoop;
|
---|
6 | use Scalar::Util 'weaken';
|
---|
7 |
|
---|
8 | # TLS support requires IO::Socket::SSL
|
---|
9 | use constant TLS => $ENV{MOJO_NO_TLS}
|
---|
10 | ? 0
|
---|
11 | : eval { require IO::Socket::SSL; IO::Socket::SSL->VERSION('2.009'); 1 };
|
---|
12 | use constant READ => TLS ? IO::Socket::SSL::SSL_WANT_READ() : 0;
|
---|
13 | use constant WRITE => TLS ? IO::Socket::SSL::SSL_WANT_WRITE() : 0;
|
---|
14 |
|
---|
15 | has reactor => sub { Mojo::IOLoop->singleton->reactor };
|
---|
16 |
|
---|
17 | # To regenerate the certificate run this command (18.04.2012)
|
---|
18 | # openssl req -new -x509 -keyout server.key -out server.crt -nodes -days 7300
|
---|
19 | my $CERT = path(__FILE__)->sibling('resources', 'server.crt')->to_string;
|
---|
20 | my $KEY = path(__FILE__)->sibling('resources', 'server.key')->to_string;
|
---|
21 |
|
---|
22 | sub DESTROY { shift->_cleanup }
|
---|
23 |
|
---|
24 | sub can_tls {TLS}
|
---|
25 |
|
---|
26 | sub negotiate {
|
---|
27 | my ($self, $args) = (shift, ref $_[0] ? $_[0] : {@_});
|
---|
28 |
|
---|
29 | return $self->emit(error => 'IO::Socket::SSL 2.009+ required for TLS support')
|
---|
30 | unless TLS;
|
---|
31 |
|
---|
32 | my $handle = $self->{handle};
|
---|
33 | return $self->emit(error => $IO::Socket::SSL::SSL_ERROR)
|
---|
34 | unless IO::Socket::SSL->start_SSL($handle, %{$self->_expand($args)});
|
---|
35 | $self->reactor->io($handle
|
---|
36 | = $handle => sub { $self->_tls($handle, $args->{server}) });
|
---|
37 | }
|
---|
38 |
|
---|
39 | sub new { shift->SUPER::new(handle => shift) }
|
---|
40 |
|
---|
41 | sub _cleanup {
|
---|
42 | my $self = shift;
|
---|
43 | return unless my $reactor = $self->reactor;
|
---|
44 | $reactor->remove($self->{handle}) if $self->{handle};
|
---|
45 | return $self;
|
---|
46 | }
|
---|
47 |
|
---|
48 | sub _expand {
|
---|
49 | my ($self, $args) = @_;
|
---|
50 |
|
---|
51 | weaken $self;
|
---|
52 | my $tls = {
|
---|
53 | SSL_error_trap => sub { $self->_cleanup->emit(error => $_[1]) },
|
---|
54 | SSL_startHandshake => 0
|
---|
55 | };
|
---|
56 | $tls->{SSL_alpn_protocols} = $args->{tls_protocols} if $args->{tls_protocols};
|
---|
57 | $tls->{SSL_ca_file} = $args->{tls_ca}
|
---|
58 | if $args->{tls_ca} && -T $args->{tls_ca};
|
---|
59 | $tls->{SSL_cert_file} = $args->{tls_cert} if $args->{tls_cert};
|
---|
60 | $tls->{SSL_cipher_list} = $args->{tls_ciphers} if $args->{tls_ciphers};
|
---|
61 | $tls->{SSL_key_file} = $args->{tls_key} if $args->{tls_key};
|
---|
62 | $tls->{SSL_server} = $args->{server} if $args->{server};
|
---|
63 | $tls->{SSL_verify_mode} = $args->{tls_verify} if defined $args->{tls_verify};
|
---|
64 | $tls->{SSL_version} = $args->{tls_version} if $args->{tls_version};
|
---|
65 |
|
---|
66 | if ($args->{server}) {
|
---|
67 | $tls->{SSL_cert_file} ||= $CERT;
|
---|
68 | $tls->{SSL_key_file} ||= $KEY;
|
---|
69 | }
|
---|
70 | else {
|
---|
71 | $tls->{SSL_hostname}
|
---|
72 | = IO::Socket::SSL->can_client_sni ? $args->{address} : '';
|
---|
73 | $tls->{SSL_verifycn_name} = $args->{address};
|
---|
74 | }
|
---|
75 |
|
---|
76 | return $tls;
|
---|
77 | }
|
---|
78 |
|
---|
79 | sub _tls {
|
---|
80 | my ($self, $handle, $server) = @_;
|
---|
81 |
|
---|
82 | return $self->_cleanup->emit(upgrade => delete $self->{handle})
|
---|
83 | if $server ? $handle->accept_SSL : $handle->connect_SSL;
|
---|
84 |
|
---|
85 | # Switch between reading and writing
|
---|
86 | my $err = $IO::Socket::SSL::SSL_ERROR;
|
---|
87 | if ($err == READ) { $self->reactor->watch($handle, 1, 0) }
|
---|
88 | elsif ($err == WRITE) { $self->reactor->watch($handle, 1, 1) }
|
---|
89 | }
|
---|
90 |
|
---|
91 | 1;
|
---|
92 |
|
---|
93 | =encoding utf8
|
---|
94 |
|
---|
95 | =head1 NAME
|
---|
96 |
|
---|
97 | Mojo::IOLoop::TLS - Non-blocking TLS handshake
|
---|
98 |
|
---|
99 | =head1 SYNOPSIS
|
---|
100 |
|
---|
101 | use Mojo::IOLoop::TLS;
|
---|
102 |
|
---|
103 | # Negotiate TLS
|
---|
104 | my $tls = Mojo::IOLoop::TLS->new($old_handle);
|
---|
105 | $tls->on(upgrade => sub {
|
---|
106 | my ($tls, $new_handle) = @_;
|
---|
107 | ...
|
---|
108 | });
|
---|
109 | $tls->on(error => sub {
|
---|
110 | my ($tls, $err) = @_;
|
---|
111 | ...
|
---|
112 | });
|
---|
113 | $tls->negotiate(server => 1, tls_version => 'TLSv1_2');
|
---|
114 |
|
---|
115 | # Start reactor if necessary
|
---|
116 | $tls->reactor->start unless $tls->reactor->is_running;
|
---|
117 |
|
---|
118 | =head1 DESCRIPTION
|
---|
119 |
|
---|
120 | L<Mojo::IOLoop::TLS> negotiates TLS for L<Mojo::IOLoop>.
|
---|
121 |
|
---|
122 | =head1 EVENTS
|
---|
123 |
|
---|
124 | L<Mojo::IOLoop::TLS> inherits all events from L<Mojo::EventEmitter> and can
|
---|
125 | emit the following new ones.
|
---|
126 |
|
---|
127 | =head2 upgrade
|
---|
128 |
|
---|
129 | $tls->on(upgrade => sub {
|
---|
130 | my ($tls, $handle) = @_;
|
---|
131 | ...
|
---|
132 | });
|
---|
133 |
|
---|
134 | Emitted once TLS has been negotiated.
|
---|
135 |
|
---|
136 | =head2 error
|
---|
137 |
|
---|
138 | $tls->on(error => sub {
|
---|
139 | my ($tls, $err) = @_;
|
---|
140 | ...
|
---|
141 | });
|
---|
142 |
|
---|
143 | Emitted if an error occurs during negotiation, fatal if unhandled.
|
---|
144 |
|
---|
145 | =head1 ATTRIBUTES
|
---|
146 |
|
---|
147 | L<Mojo::IOLoop::TLS> implements the following attributes.
|
---|
148 |
|
---|
149 | =head2 reactor
|
---|
150 |
|
---|
151 | my $reactor = $tls->reactor;
|
---|
152 | $tls = $tls->reactor(Mojo::Reactor::Poll->new);
|
---|
153 |
|
---|
154 | Low-level event reactor, defaults to the C<reactor> attribute value of the
|
---|
155 | global L<Mojo::IOLoop> singleton.
|
---|
156 |
|
---|
157 | =head1 METHODS
|
---|
158 |
|
---|
159 | L<Mojo::IOLoop::TLS> inherits all methods from L<Mojo::EventEmitter> and
|
---|
160 | implements the following new ones.
|
---|
161 |
|
---|
162 | =head2 can_tls
|
---|
163 |
|
---|
164 | my $bool = Mojo::IOLoop::TLS->can_tls;
|
---|
165 |
|
---|
166 | True if L<IO::Socket::SSL> 2.009+ is installed and TLS support enabled.
|
---|
167 |
|
---|
168 | =head2 negotiate
|
---|
169 |
|
---|
170 | $tls->negotiate(server => 1, tls_version => 'TLSv1_2');
|
---|
171 | $tls->negotiate({server => 1, tls_version => 'TLSv1_2'});
|
---|
172 |
|
---|
173 | Negotiate TLS.
|
---|
174 |
|
---|
175 | These options are currently available:
|
---|
176 |
|
---|
177 | =over 2
|
---|
178 |
|
---|
179 | =item server
|
---|
180 |
|
---|
181 | server => 1
|
---|
182 |
|
---|
183 | Negotiate TLS from the server-side, defaults to the client-side.
|
---|
184 |
|
---|
185 | =item tls_ca
|
---|
186 |
|
---|
187 | tls_ca => '/etc/tls/ca.crt'
|
---|
188 |
|
---|
189 | Path to TLS certificate authority file.
|
---|
190 |
|
---|
191 | =item tls_cert
|
---|
192 |
|
---|
193 | tls_cert => '/etc/tls/server.crt'
|
---|
194 | tls_cert => {'mojolicious.org' => '/etc/tls/mojo.crt'}
|
---|
195 |
|
---|
196 | Path to the TLS cert file, defaults to a built-in test certificate on the
|
---|
197 | server-side.
|
---|
198 |
|
---|
199 | =item tls_ciphers
|
---|
200 |
|
---|
201 | tls_ciphers => 'AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH'
|
---|
202 |
|
---|
203 | TLS cipher specification string. For more information about the format see
|
---|
204 | L<https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-STRINGS>.
|
---|
205 |
|
---|
206 | =item tls_key
|
---|
207 |
|
---|
208 | tls_key => '/etc/tls/server.key'
|
---|
209 | tls_key => {'mojolicious.org' => '/etc/tls/mojo.key'}
|
---|
210 |
|
---|
211 | Path to the TLS key file, defaults to a built-in test key on the server-side.
|
---|
212 |
|
---|
213 | =item tls_protocols
|
---|
214 |
|
---|
215 | tls_protocols => ['foo', 'bar']
|
---|
216 |
|
---|
217 | ALPN protocols to negotiate.
|
---|
218 |
|
---|
219 | =item tls_verify
|
---|
220 |
|
---|
221 | tls_verify => 0x00
|
---|
222 |
|
---|
223 | TLS verification mode.
|
---|
224 |
|
---|
225 | =item tls_version
|
---|
226 |
|
---|
227 | tls_version => 'TLSv1_2'
|
---|
228 |
|
---|
229 | TLS protocol version.
|
---|
230 |
|
---|
231 | =back
|
---|
232 |
|
---|
233 | =head2 new
|
---|
234 |
|
---|
235 | my $tls = Mojo::IOLoop::TLS->new($handle);
|
---|
236 |
|
---|
237 | Construct a new L<Mojo::IOLoop::Stream> object.
|
---|
238 |
|
---|
239 | =head1 SEE ALSO
|
---|
240 |
|
---|
241 | L<Mojolicious>, L<Mojolicious::Guides>, L<https://mojolicious.org>.
|
---|
242 |
|
---|
243 | =cut
|
---|