| … | |
… | |
| 14 | |
14 | |
| 15 | AnyEvent::Handle - non-blocking I/O on file handles via AnyEvent |
15 | AnyEvent::Handle - non-blocking I/O on file handles via AnyEvent |
| 16 | |
16 | |
| 17 | =cut |
17 | =cut |
| 18 | |
18 | |
| 19 | our $VERSION = 4.341; |
19 | our $VERSION = 4.452; |
| 20 | |
20 | |
| 21 | =head1 SYNOPSIS |
21 | =head1 SYNOPSIS |
| 22 | |
22 | |
| 23 | use AnyEvent; |
23 | use AnyEvent; |
| 24 | use AnyEvent::Handle; |
24 | use AnyEvent::Handle; |
| … | |
… | |
| 63 | |
63 | |
| 64 | =head1 METHODS |
64 | =head1 METHODS |
| 65 | |
65 | |
| 66 | =over 4 |
66 | =over 4 |
| 67 | |
67 | |
| 68 | =item B<new (%args)> |
68 | =item $handle = B<new> AnyEvent::TLS fh => $filehandle, key => value... |
| 69 | |
69 | |
| 70 | The constructor supports these arguments (all as key => value pairs). |
70 | The constructor supports these arguments (all as C<< key => value >> pairs). |
| 71 | |
71 | |
| 72 | =over 4 |
72 | =over 4 |
| 73 | |
73 | |
| 74 | =item fh => $filehandle [MANDATORY] |
74 | =item fh => $filehandle [MANDATORY] |
| 75 | |
75 | |
| … | |
… | |
| 95 | waiting for data. |
95 | waiting for data. |
| 96 | |
96 | |
| 97 | If an EOF condition has been detected but no C<on_eof> callback has been |
97 | If an EOF condition has been detected but no C<on_eof> callback has been |
| 98 | set, then a fatal error will be raised with C<$!> set to <0>. |
98 | set, then a fatal error will be raised with C<$!> set to <0>. |
| 99 | |
99 | |
| 100 | =item on_error => $cb->($handle, $fatal) |
100 | =item on_error => $cb->($handle, $fatal, $message) |
| 101 | |
101 | |
| 102 | This is the error callback, which is called when, well, some error |
102 | This is the error callback, which is called when, well, some error |
| 103 | occured, such as not being able to resolve the hostname, failure to |
103 | occured, such as not being able to resolve the hostname, failure to |
| 104 | connect or a read error. |
104 | connect or a read error. |
| 105 | |
105 | |
| … | |
… | |
| 107 | fatal errors the handle object will be shut down and will not be usable |
107 | fatal errors the handle object will be shut down and will not be usable |
| 108 | (but you are free to look at the current C<< ->rbuf >>). Examples of fatal |
108 | (but you are free to look at the current C<< ->rbuf >>). Examples of fatal |
| 109 | errors are an EOF condition with active (but unsatisifable) read watchers |
109 | errors are an EOF condition with active (but unsatisifable) read watchers |
| 110 | (C<EPIPE>) or I/O errors. |
110 | (C<EPIPE>) or I/O errors. |
| 111 | |
111 | |
|
|
112 | AnyEvent::Handle tries to find an appropriate error code for you to check |
|
|
113 | against, but in some cases (TLS errors), this does not work well. It is |
|
|
114 | recommended to always output the C<$message> argument in human-readable |
|
|
115 | error messages (it's usually the same as C<"$!">). |
|
|
116 | |
| 112 | Non-fatal errors can be retried by simply returning, but it is recommended |
117 | Non-fatal errors can be retried by simply returning, but it is recommended |
| 113 | to simply ignore this parameter and instead abondon the handle object |
118 | to simply ignore this parameter and instead abondon the handle object |
| 114 | when this callback is invoked. Examples of non-fatal errors are timeouts |
119 | when this callback is invoked. Examples of non-fatal errors are timeouts |
| 115 | C<ETIMEDOUT>) or badly-formatted data (C<EBADMSG>). |
120 | C<ETIMEDOUT>) or badly-formatted data (C<EBADMSG>). |
| 116 | |
121 | |
| 117 | On callback entrance, the value of C<$!> contains the operating system |
122 | On callback entrance, the value of C<$!> contains the operating system |
| 118 | error (or C<ENOSPC>, C<EPIPE>, C<ETIMEDOUT> or C<EBADMSG>). |
123 | error code (or C<ENOSPC>, C<EPIPE>, C<ETIMEDOUT>, C<EBADMSG> or |
|
|
124 | C<EPROTO>). |
| 119 | |
125 | |
| 120 | While not mandatory, it is I<highly> recommended to set this callback, as |
126 | While not mandatory, it is I<highly> recommended to set this callback, as |
| 121 | you will not be notified of errors otherwise. The default simply calls |
127 | you will not be notified of errors otherwise. The default simply calls |
| 122 | C<croak>. |
128 | C<croak>. |
| 123 | |
129 | |
| … | |
… | |
| 127 | and no read request is in the queue (unlike read queue callbacks, this |
133 | and no read request is in the queue (unlike read queue callbacks, this |
| 128 | callback will only be called when at least one octet of data is in the |
134 | callback will only be called when at least one octet of data is in the |
| 129 | read buffer). |
135 | read buffer). |
| 130 | |
136 | |
| 131 | To access (and remove data from) the read buffer, use the C<< ->rbuf >> |
137 | To access (and remove data from) the read buffer, use the C<< ->rbuf >> |
| 132 | method or access the C<$handle->{rbuf}> member directly. Note that you |
138 | method or access the C<< $handle->{rbuf} >> member directly. Note that you |
| 133 | must not enlarge or modify the read buffer, you can only remove data at |
139 | must not enlarge or modify the read buffer, you can only remove data at |
| 134 | the beginning from it. |
140 | the beginning from it. |
| 135 | |
141 | |
| 136 | When an EOF condition is detected then AnyEvent::Handle will first try to |
142 | When an EOF condition is detected then AnyEvent::Handle will first try to |
| 137 | feed all the remaining data to the queued callbacks and C<on_read> before |
143 | feed all the remaining data to the queued callbacks and C<on_read> before |
| … | |
… | |
| 237 | |
243 | |
| 238 | This will not work for partial TLS data that could not be encoded |
244 | This will not work for partial TLS data that could not be encoded |
| 239 | yet. This data will be lost. Calling the C<stoptls> method in time might |
245 | yet. This data will be lost. Calling the C<stoptls> method in time might |
| 240 | help. |
246 | help. |
| 241 | |
247 | |
|
|
248 | =item peername => $string |
|
|
249 | |
|
|
250 | A string used to identify the remote site - usually the DNS hostname |
|
|
251 | (I<not> IDN!) used to create the connection, rarely the IP address. |
|
|
252 | |
|
|
253 | Apart from being useful in error messages, this string is also used in TLS |
|
|
254 | peername verification (see C<verify_peername> in L<AnyEvent::TLS>). This |
|
|
255 | verification will be skipped when C<peername> is not specified or |
|
|
256 | C<undef>. |
|
|
257 | |
| 242 | =item tls => "accept" | "connect" | Net::SSLeay::SSL object |
258 | =item tls => "accept" | "connect" | Net::SSLeay::SSL object |
| 243 | |
259 | |
| 244 | When this parameter is given, it enables TLS (SSL) mode, that means |
260 | When this parameter is given, it enables TLS (SSL) mode, that means |
| 245 | AnyEvent will start a TLS handshake as soon as the conenction has been |
261 | AnyEvent will start a TLS handshake as soon as the conenction has been |
| 246 | established and will transparently encrypt/decrypt data afterwards. |
262 | established and will transparently encrypt/decrypt data afterwards. |
|
|
263 | |
|
|
264 | All TLS protocol errors will be signalled as C<EPROTO>, with an |
|
|
265 | appropriate error message. |
| 247 | |
266 | |
| 248 | TLS mode requires Net::SSLeay to be installed (it will be loaded |
267 | TLS mode requires Net::SSLeay to be installed (it will be loaded |
| 249 | automatically when you try to create a TLS handle): this module doesn't |
268 | automatically when you try to create a TLS handle): this module doesn't |
| 250 | have a dependency on that module, so if your module requires it, you have |
269 | have a dependency on that module, so if your module requires it, you have |
| 251 | to add the dependency yourself. |
270 | to add the dependency yourself. |
| … | |
… | |
| 255 | mode. |
274 | mode. |
| 256 | |
275 | |
| 257 | You can also provide your own TLS connection object, but you have |
276 | You can also provide your own TLS connection object, but you have |
| 258 | to make sure that you call either C<Net::SSLeay::set_connect_state> |
277 | to make sure that you call either C<Net::SSLeay::set_connect_state> |
| 259 | or C<Net::SSLeay::set_accept_state> on it before you pass it to |
278 | or C<Net::SSLeay::set_accept_state> on it before you pass it to |
| 260 | AnyEvent::Handle. |
279 | AnyEvent::Handle. Also, this module will take ownership of this connection |
|
|
280 | object. |
|
|
281 | |
|
|
282 | At some future point, AnyEvent::Handle might switch to another TLS |
|
|
283 | implementation, then the option to use your own session object will go |
|
|
284 | away. |
| 261 | |
285 | |
| 262 | B<IMPORTANT:> since Net::SSLeay "objects" are really only integers, |
286 | B<IMPORTANT:> since Net::SSLeay "objects" are really only integers, |
| 263 | passing in the wrong integer will lead to certain crash. This most often |
287 | passing in the wrong integer will lead to certain crash. This most often |
| 264 | happens when one uses a stylish C<< tls => 1 >> and is surprised about the |
288 | happens when one uses a stylish C<< tls => 1 >> and is surprised about the |
| 265 | segmentation fault. |
289 | segmentation fault. |
| 266 | |
290 | |
| 267 | See the C<< ->starttls >> method for when need to start TLS negotiation later. |
291 | See the C<< ->starttls >> method for when need to start TLS negotiation later. |
| 268 | |
292 | |
| 269 | =item tls_ctx => $ssl_ctx |
293 | =item tls_ctx => $anyevent_tls |
| 270 | |
294 | |
| 271 | Use the given C<Net::SSLeay::CTX> object to create the new TLS connection |
295 | Use the given C<AnyEvent::TLS> object to create the new TLS connection |
| 272 | (unless a connection object was specified directly). If this parameter is |
296 | (unless a connection object was specified directly). If this parameter is |
| 273 | missing, then AnyEvent::Handle will use C<AnyEvent::Handle::TLS_CTX>. |
297 | missing, then AnyEvent::Handle will use C<AnyEvent::Handle::TLS_CTX>. |
|
|
298 | |
|
|
299 | Instead of an object, you can also specify a hash reference with C<< key |
|
|
300 | => value >> pairs. Those will be passed to L<AnyEvent::TLS> to create a |
|
|
301 | new TLS context object. |
|
|
302 | |
|
|
303 | =item on_starttls => $cb->($handle, $success[, $error_message]) |
|
|
304 | |
|
|
305 | This callback will be invoked when the TLS/SSL handshake has finished. If |
|
|
306 | C<$success> is true, then the TLS handshake succeeded, otherwise it failed |
|
|
307 | (C<on_stoptls> will not be called in this case). |
|
|
308 | |
|
|
309 | The session in C<< $handle->{tls} >> can still be examined in this |
|
|
310 | callback, even when the handshake was not successful. |
|
|
311 | |
|
|
312 | TLS handshake failures will not cause C<on_error> to be invoked when this |
|
|
313 | callback is in effect, instead, the error message will be passed to C<on_starttls>. |
|
|
314 | |
|
|
315 | Without this callback, handshake failures lead to C<on_error> being |
|
|
316 | called, as normal. |
|
|
317 | |
|
|
318 | Note that you cannot call C<starttls> right again in this callback. If you |
|
|
319 | need to do that, start an zero-second timer instead whose callback can |
|
|
320 | then call C<< ->starttls >> again. |
|
|
321 | |
|
|
322 | =item on_stoptls => $cb->($handle) |
|
|
323 | |
|
|
324 | When a SSLv3/TLS shutdown/close notify/EOF is detected and this callback is |
|
|
325 | set, then it will be invoked after freeing the TLS session. If it is not, |
|
|
326 | then a TLS shutdown condition will be treated like a normal EOF condition |
|
|
327 | on the handle. |
|
|
328 | |
|
|
329 | The session in C<< $handle->{tls} >> can still be examined in this |
|
|
330 | callback. |
|
|
331 | |
|
|
332 | This callback will only be called on TLS shutdowns, not when the |
|
|
333 | underlying handle signals EOF. |
| 274 | |
334 | |
| 275 | =item json => JSON or JSON::XS object |
335 | =item json => JSON or JSON::XS object |
| 276 | |
336 | |
| 277 | This is the json coder object used by the C<json> read and write types. |
337 | This is the json coder object used by the C<json> read and write types. |
| 278 | |
338 | |
| … | |
… | |
| 287 | |
347 | |
| 288 | =cut |
348 | =cut |
| 289 | |
349 | |
| 290 | sub new { |
350 | sub new { |
| 291 | my $class = shift; |
351 | my $class = shift; |
| 292 | |
|
|
| 293 | my $self = bless { @_ }, $class; |
352 | my $self = bless { @_ }, $class; |
| 294 | |
353 | |
| 295 | $self->{fh} or Carp::croak "mandatory argument fh is missing"; |
354 | $self->{fh} or Carp::croak "mandatory argument fh is missing"; |
| 296 | |
355 | |
| 297 | AnyEvent::Util::fh_nonblocking $self->{fh}, 1; |
356 | AnyEvent::Util::fh_nonblocking $self->{fh}, 1; |
|
|
357 | |
|
|
358 | $self->{_activity} = AnyEvent->now; |
|
|
359 | $self->_timeout; |
|
|
360 | |
|
|
361 | $self->no_delay (delete $self->{no_delay}) if exists $self->{no_delay}; |
| 298 | |
362 | |
| 299 | $self->starttls (delete $self->{tls}, delete $self->{tls_ctx}) |
363 | $self->starttls (delete $self->{tls}, delete $self->{tls_ctx}) |
| 300 | if $self->{tls}; |
364 | if $self->{tls}; |
| 301 | |
365 | |
| 302 | $self->{_activity} = AnyEvent->now; |
|
|
| 303 | $self->_timeout; |
|
|
| 304 | |
|
|
| 305 | $self->on_drain (delete $self->{on_drain}) if exists $self->{on_drain}; |
366 | $self->on_drain (delete $self->{on_drain}) if $self->{on_drain}; |
| 306 | $self->no_delay (delete $self->{no_delay}) if exists $self->{no_delay}; |
|
|
| 307 | |
367 | |
| 308 | $self->start_read |
368 | $self->start_read |
| 309 | if $self->{on_read}; |
369 | if $self->{on_read}; |
| 310 | |
370 | |
| 311 | $self |
371 | $self->{fh} && $self |
| 312 | } |
372 | } |
| 313 | |
373 | |
| 314 | sub _shutdown { |
374 | sub _shutdown { |
| 315 | my ($self) = @_; |
375 | my ($self) = @_; |
| 316 | |
376 | |
| 317 | delete $self->{_tw}; |
377 | delete @$self{qw(_tw _rw _ww fh wbuf on_read _queue)}; |
| 318 | delete $self->{_rw}; |
378 | $self->{_eof} = 1; # tell starttls et. al to stop trying |
| 319 | delete $self->{_ww}; |
|
|
| 320 | delete $self->{fh}; |
|
|
| 321 | |
379 | |
| 322 | &_freetls; |
380 | &_freetls; |
| 323 | |
|
|
| 324 | delete $self->{on_read}; |
|
|
| 325 | delete $self->{_queue}; |
|
|
| 326 | } |
381 | } |
| 327 | |
382 | |
| 328 | sub _error { |
383 | sub _error { |
| 329 | my ($self, $errno, $fatal) = @_; |
384 | my ($self, $errno, $fatal, $message) = @_; |
| 330 | |
385 | |
| 331 | $self->_shutdown |
386 | $self->_shutdown |
| 332 | if $fatal; |
387 | if $fatal; |
| 333 | |
388 | |
| 334 | $! = $errno; |
389 | $! = $errno; |
|
|
390 | $message ||= "$!"; |
| 335 | |
391 | |
| 336 | if ($self->{on_error}) { |
392 | if ($self->{on_error}) { |
| 337 | $self->{on_error}($self, $fatal); |
393 | $self->{on_error}($self, $fatal, $message); |
| 338 | } elsif ($self->{fh}) { |
394 | } elsif ($self->{fh}) { |
| 339 | Carp::croak "AnyEvent::Handle uncaught error: $!"; |
395 | Carp::croak "AnyEvent::Handle uncaught error: $message"; |
| 340 | } |
396 | } |
| 341 | } |
397 | } |
| 342 | |
398 | |
| 343 | =item $fh = $handle->fh |
399 | =item $fh = $handle->fh |
| 344 | |
400 | |
| … | |
… | |
| 403 | |
459 | |
| 404 | eval { |
460 | eval { |
| 405 | local $SIG{__DIE__}; |
461 | local $SIG{__DIE__}; |
| 406 | setsockopt $_[0]{fh}, &Socket::IPPROTO_TCP, &Socket::TCP_NODELAY, int $_[1]; |
462 | setsockopt $_[0]{fh}, &Socket::IPPROTO_TCP, &Socket::TCP_NODELAY, int $_[1]; |
| 407 | }; |
463 | }; |
|
|
464 | } |
|
|
465 | |
|
|
466 | =item $handle->on_starttls ($cb) |
|
|
467 | |
|
|
468 | Replace the current C<on_starttls> callback (see the C<on_starttls> constructor argument). |
|
|
469 | |
|
|
470 | =cut |
|
|
471 | |
|
|
472 | sub on_starttls { |
|
|
473 | $_[0]{on_starttls} = $_[1]; |
|
|
474 | } |
|
|
475 | |
|
|
476 | =item $handle->on_stoptls ($cb) |
|
|
477 | |
|
|
478 | Replace the current C<on_stoptls> callback (see the C<on_stoptls> constructor argument). |
|
|
479 | |
|
|
480 | =cut |
|
|
481 | |
|
|
482 | sub on_starttls { |
|
|
483 | $_[0]{on_stoptls} = $_[1]; |
| 408 | } |
484 | } |
| 409 | |
485 | |
| 410 | ############################################################################# |
486 | ############################################################################# |
| 411 | |
487 | |
| 412 | =item $handle->timeout ($seconds) |
488 | =item $handle->timeout ($seconds) |
| … | |
… | |
| 656 | |
732 | |
| 657 | pack "w/a*", Storable::nfreeze ($ref) |
733 | pack "w/a*", Storable::nfreeze ($ref) |
| 658 | }; |
734 | }; |
| 659 | |
735 | |
| 660 | =back |
736 | =back |
|
|
737 | |
|
|
738 | =item $handle->push_shutdown |
|
|
739 | |
|
|
740 | Sometimes you know you want to close the socket after writing your data |
|
|
741 | before it was actually written. One way to do that is to replace your |
|
|
742 | C<on_drain> handler by a callback that shuts down the socket (and set |
|
|
743 | C<low_water_mark> to C<0>). This method is a shorthand for just that, and |
|
|
744 | replaces the C<on_drain> callback with: |
|
|
745 | |
|
|
746 | sub { shutdown $_[0]{fh}, 1 } # for push_shutdown |
|
|
747 | |
|
|
748 | This simply shuts down the write side and signals an EOF condition to the |
|
|
749 | the peer. |
|
|
750 | |
|
|
751 | You can rely on the normal read queue and C<on_eof> handling |
|
|
752 | afterwards. This is the cleanest way to close a connection. |
|
|
753 | |
|
|
754 | =cut |
|
|
755 | |
|
|
756 | sub push_shutdown { |
|
|
757 | my ($self) = @_; |
|
|
758 | |
|
|
759 | delete $self->{low_water_mark}; |
|
|
760 | $self->on_drain (sub { shutdown $_[0]{fh}, 1 }); |
|
|
761 | } |
| 661 | |
762 | |
| 662 | =item AnyEvent::Handle::register_write_type type => $coderef->($handle, @args) |
763 | =item AnyEvent::Handle::register_write_type type => $coderef->($handle, @args) |
| 663 | |
764 | |
| 664 | This function (not method) lets you add your own types to C<push_write>. |
765 | This function (not method) lets you add your own types to C<push_write>. |
| 665 | Whenever the given C<type> is used, C<push_write> will invoke the code |
766 | Whenever the given C<type> is used, C<push_write> will invoke the code |
| … | |
… | |
| 813 | |
914 | |
| 814 | if ($self->{_eof}) { |
915 | if ($self->{_eof}) { |
| 815 | if ($self->{on_eof}) { |
916 | if ($self->{on_eof}) { |
| 816 | $self->{on_eof}($self) |
917 | $self->{on_eof}($self) |
| 817 | } else { |
918 | } else { |
| 818 | $self->_error (0, 1); |
919 | $self->_error (0, 1, "Unexpected end-of-file"); |
| 819 | } |
920 | } |
| 820 | } |
921 | } |
| 821 | |
922 | |
| 822 | # may need to restart read watcher |
923 | # may need to restart read watcher |
| 823 | unless ($self->{_rw}) { |
924 | unless ($self->{_rw}) { |
| … | |
… | |
| 1173 | =cut |
1274 | =cut |
| 1174 | |
1275 | |
| 1175 | register_read_type json => sub { |
1276 | register_read_type json => sub { |
| 1176 | my ($self, $cb) = @_; |
1277 | my ($self, $cb) = @_; |
| 1177 | |
1278 | |
| 1178 | require JSON; |
1279 | my $json = $self->{json} ||= |
|
|
1280 | eval { require JSON::XS; JSON::XS->new->utf8 } |
|
|
1281 | || do { require JSON; JSON->new->utf8 }; |
| 1179 | |
1282 | |
| 1180 | my $data; |
1283 | my $data; |
| 1181 | my $rbuf = \$self->{rbuf}; |
1284 | my $rbuf = \$self->{rbuf}; |
| 1182 | |
|
|
| 1183 | my $json = $self->{json} ||= JSON->new->utf8; |
|
|
| 1184 | |
1285 | |
| 1185 | sub { |
1286 | sub { |
| 1186 | my $ref = eval { $json->incr_parse ($self->{rbuf}) }; |
1287 | my $ref = eval { $json->incr_parse ($self->{rbuf}) }; |
| 1187 | |
1288 | |
| 1188 | if ($ref) { |
1289 | if ($ref) { |
| … | |
… | |
| 1332 | } |
1433 | } |
| 1333 | }); |
1434 | }); |
| 1334 | } |
1435 | } |
| 1335 | } |
1436 | } |
| 1336 | |
1437 | |
|
|
1438 | our $ERROR_SYSCALL; |
|
|
1439 | our $ERROR_WANT_READ; |
|
|
1440 | |
|
|
1441 | sub _tls_error { |
|
|
1442 | my ($self, $err) = @_; |
|
|
1443 | |
|
|
1444 | return $self->_error ($!, 1) |
|
|
1445 | if $err == Net::SSLeay::ERROR_SYSCALL (); |
|
|
1446 | |
|
|
1447 | my $err =Net::SSLeay::ERR_error_string (Net::SSLeay::ERR_get_error ()); |
|
|
1448 | |
|
|
1449 | # reduce error string to look less scary |
|
|
1450 | $err =~ s/^error:[0-9a-fA-F]{8}:[^:]+:([^:]+):/\L$1: /; |
|
|
1451 | |
|
|
1452 | if ($self->{_on_starttls}) { |
|
|
1453 | (delete $self->{_on_starttls})->($self, undef, $err); |
|
|
1454 | &_freetls; |
|
|
1455 | } else { |
|
|
1456 | &_freetls; |
|
|
1457 | $self->_error (&Errno::EPROTO, 1, $err); |
|
|
1458 | } |
|
|
1459 | } |
|
|
1460 | |
| 1337 | # poll the write BIO and send the data if applicable |
1461 | # poll the write BIO and send the data if applicable |
|
|
1462 | # also decode read data if possible |
|
|
1463 | # this is basiclaly our TLS state machine |
|
|
1464 | # more efficient implementations are possible with openssl, |
|
|
1465 | # but not with the buggy and incomplete Net::SSLeay. |
| 1338 | sub _dotls { |
1466 | sub _dotls { |
| 1339 | my ($self) = @_; |
1467 | my ($self) = @_; |
| 1340 | |
1468 | |
| 1341 | my $tmp; |
1469 | my $tmp; |
| 1342 | |
1470 | |
| 1343 | if (length $self->{_tls_wbuf}) { |
1471 | if (length $self->{_tls_wbuf}) { |
| 1344 | while (($tmp = Net::SSLeay::write ($self->{tls}, $self->{_tls_wbuf})) > 0) { |
1472 | while (($tmp = Net::SSLeay::write ($self->{tls}, $self->{_tls_wbuf})) > 0) { |
| 1345 | substr $self->{_tls_wbuf}, 0, $tmp, ""; |
1473 | substr $self->{_tls_wbuf}, 0, $tmp, ""; |
| 1346 | } |
1474 | } |
|
|
1475 | |
|
|
1476 | $tmp = Net::SSLeay::get_error ($self->{tls}, $tmp); |
|
|
1477 | return $self->_tls_error ($tmp) |
|
|
1478 | if $tmp != $ERROR_WANT_READ |
|
|
1479 | && ($tmp != $ERROR_SYSCALL || $!); |
| 1347 | } |
1480 | } |
| 1348 | |
1481 | |
| 1349 | while (defined ($tmp = Net::SSLeay::read ($self->{tls}))) { |
1482 | while (defined ($tmp = Net::SSLeay::read ($self->{tls}))) { |
| 1350 | unless (length $tmp) { |
1483 | unless (length $tmp) { |
| 1351 | # let's treat SSL-eof as we treat normal EOF |
1484 | $self->{_on_starttls} |
| 1352 | delete $self->{_rw}; |
1485 | and (delete $self->{_on_starttls})->($self, undef, "EOF during handshake"); # ??? |
| 1353 | $self->{_eof} = 1; |
|
|
| 1354 | &_freetls; |
1486 | &_freetls; |
|
|
1487 | |
|
|
1488 | if ($self->{on_stoptls}) { |
|
|
1489 | $self->{on_stoptls}($self); |
|
|
1490 | return; |
|
|
1491 | } else { |
|
|
1492 | # let's treat SSL-eof as we treat normal EOF |
|
|
1493 | delete $self->{_rw}; |
|
|
1494 | $self->{_eof} = 1; |
|
|
1495 | } |
| 1355 | } |
1496 | } |
| 1356 | |
1497 | |
| 1357 | $self->{_tls_rbuf} .= $tmp; |
1498 | $self->{_tls_rbuf} .= $tmp; |
| 1358 | $self->_drain_rbuf unless $self->{_in_drain}; |
1499 | $self->_drain_rbuf unless $self->{_in_drain}; |
| 1359 | $self->{tls} or return; # tls session might have gone away in callback |
1500 | $self->{tls} or return; # tls session might have gone away in callback |
| 1360 | } |
1501 | } |
| 1361 | |
1502 | |
| 1362 | $tmp = Net::SSLeay::get_error ($self->{tls}, -1); |
1503 | $tmp = Net::SSLeay::get_error ($self->{tls}, -1); |
| 1363 | |
|
|
| 1364 | if ($tmp != Net::SSLeay::ERROR_WANT_READ ()) { |
|
|
| 1365 | if ($tmp == Net::SSLeay::ERROR_SYSCALL ()) { |
|
|
| 1366 | return $self->_error ($!, 1); |
1504 | return $self->_tls_error ($tmp) |
| 1367 | } elsif ($tmp == Net::SSLeay::ERROR_SSL ()) { |
1505 | if $tmp != $ERROR_WANT_READ |
| 1368 | return $self->_error (&Errno::EIO, 1); |
1506 | && ($tmp != $ERROR_SYSCALL || $!); |
| 1369 | } |
|
|
| 1370 | |
|
|
| 1371 | # all other errors are fine for our purposes |
|
|
| 1372 | } |
|
|
| 1373 | |
1507 | |
| 1374 | while (length ($tmp = Net::SSLeay::BIO_read ($self->{_wbio}))) { |
1508 | while (length ($tmp = Net::SSLeay::BIO_read ($self->{_wbio}))) { |
| 1375 | $self->{wbuf} .= $tmp; |
1509 | $self->{wbuf} .= $tmp; |
| 1376 | $self->_drain_wbuf; |
1510 | $self->_drain_wbuf; |
| 1377 | } |
1511 | } |
|
|
1512 | |
|
|
1513 | $self->{_on_starttls} |
|
|
1514 | and Net::SSLeay::state ($self->{tls}) == Net::SSLeay::ST_OK () |
|
|
1515 | and (delete $self->{_on_starttls})->($self, 1, "TLS/SSL connection established"); |
| 1378 | } |
1516 | } |
| 1379 | |
1517 | |
| 1380 | =item $handle->starttls ($tls[, $tls_ctx]) |
1518 | =item $handle->starttls ($tls[, $tls_ctx]) |
| 1381 | |
1519 | |
| 1382 | Instead of starting TLS negotiation immediately when the AnyEvent::Handle |
1520 | Instead of starting TLS negotiation immediately when the AnyEvent::Handle |
| … | |
… | |
| 1384 | C<starttls>. |
1522 | C<starttls>. |
| 1385 | |
1523 | |
| 1386 | The first argument is the same as the C<tls> constructor argument (either |
1524 | The first argument is the same as the C<tls> constructor argument (either |
| 1387 | C<"connect">, C<"accept"> or an existing Net::SSLeay object). |
1525 | C<"connect">, C<"accept"> or an existing Net::SSLeay object). |
| 1388 | |
1526 | |
| 1389 | The second argument is the optional C<Net::SSLeay::CTX> object that is |
1527 | The second argument is the optional C<AnyEvent::TLS> object that is used |
| 1390 | used when AnyEvent::Handle has to create its own TLS connection object. |
1528 | when AnyEvent::Handle has to create its own TLS connection object, or |
|
|
1529 | a hash reference with C<< key => value >> pairs that will be used to |
|
|
1530 | construct a new context. |
| 1391 | |
1531 | |
| 1392 | The TLS connection object will end up in C<< $handle->{tls} >> after this |
1532 | The TLS connection object will end up in C<< $handle->{tls} >>, the TLS |
| 1393 | call and can be used or changed to your liking. Note that the handshake |
1533 | context in C<< $handle->{tls_ctx} >> after this call and can be used or |
| 1394 | might have already started when this function returns. |
1534 | changed to your liking. Note that the handshake might have already started |
|
|
1535 | when this function returns. |
| 1395 | |
1536 | |
| 1396 | If it an error to start a TLS handshake more than once per |
1537 | If it an error to start a TLS handshake more than once per |
| 1397 | AnyEvent::Handle object (this is due to bugs in OpenSSL). |
1538 | AnyEvent::Handle object (this is due to bugs in OpenSSL). |
| 1398 | |
1539 | |
| 1399 | =cut |
1540 | =cut |
| 1400 | |
1541 | |
|
|
1542 | our %TLS_CACHE; #TODO not yet documented, should we? |
|
|
1543 | |
| 1401 | sub starttls { |
1544 | sub starttls { |
| 1402 | my ($self, $ssl, $ctx) = @_; |
1545 | my ($self, $ssl, $ctx) = @_; |
| 1403 | |
1546 | |
| 1404 | require Net::SSLeay; |
1547 | require Net::SSLeay; |
| 1405 | |
1548 | |
| 1406 | Carp::croak "it is an error to call starttls more than once on an AnyEvent::Handle object" |
1549 | Carp::croak "it is an error to call starttls more than once on an AnyEvent::Handle object" |
| 1407 | if $self->{tls}; |
1550 | if $self->{tls}; |
|
|
1551 | |
|
|
1552 | $ERROR_SYSCALL = Net::SSLeay::ERROR_SYSCALL (); |
|
|
1553 | $ERROR_WANT_READ = Net::SSLeay::ERROR_WANT_READ (); |
|
|
1554 | |
|
|
1555 | $ctx ||= $self->{tls_ctx}; |
|
|
1556 | |
|
|
1557 | if ("HASH" eq ref $ctx) { |
|
|
1558 | require AnyEvent::TLS; |
|
|
1559 | |
|
|
1560 | local $Carp::CarpLevel = 1; # skip ourselves when creating a new context |
|
|
1561 | |
|
|
1562 | if ($ctx->{cache}) { |
|
|
1563 | my $key = $ctx+0; |
|
|
1564 | $ctx = $TLS_CACHE{$key} ||= new AnyEvent::TLS %$ctx; |
|
|
1565 | } else { |
|
|
1566 | $ctx = new AnyEvent::TLS %$ctx; |
|
|
1567 | } |
|
|
1568 | } |
| 1408 | |
1569 | |
| 1409 | if ($ssl eq "accept") { |
1570 | $self->{tls_ctx} = $ctx || TLS_CTX (); |
| 1410 | $ssl = Net::SSLeay::new ($ctx || TLS_CTX ()); |
1571 | $self->{tls} = $ssl = $self->{tls_ctx}->_get_session ($ssl, $self, $self->{peername}); |
| 1411 | Net::SSLeay::set_accept_state ($ssl); |
|
|
| 1412 | } elsif ($ssl eq "connect") { |
|
|
| 1413 | $ssl = Net::SSLeay::new ($ctx || TLS_CTX ()); |
|
|
| 1414 | Net::SSLeay::set_connect_state ($ssl); |
|
|
| 1415 | } |
|
|
| 1416 | |
|
|
| 1417 | $self->{tls} = $ssl; |
|
|
| 1418 | |
1572 | |
| 1419 | # basically, this is deep magic (because SSL_read should have the same issues) |
1573 | # basically, this is deep magic (because SSL_read should have the same issues) |
| 1420 | # but the openssl maintainers basically said: "trust us, it just works". |
1574 | # but the openssl maintainers basically said: "trust us, it just works". |
| 1421 | # (unfortunately, we have to hardcode constants because the abysmally misdesigned |
1575 | # (unfortunately, we have to hardcode constants because the abysmally misdesigned |
| 1422 | # and mismaintained ssleay-module doesn't even offer them). |
1576 | # and mismaintained ssleay-module doesn't even offer them). |
| … | |
… | |
| 1426 | # |
1580 | # |
| 1427 | # note that we do not try to keep the length constant between writes as we are required to do. |
1581 | # note that we do not try to keep the length constant between writes as we are required to do. |
| 1428 | # we assume that most (but not all) of this insanity only applies to non-blocking cases, |
1582 | # we assume that most (but not all) of this insanity only applies to non-blocking cases, |
| 1429 | # and we drive openssl fully in blocking mode here. Or maybe we don't - openssl seems to |
1583 | # and we drive openssl fully in blocking mode here. Or maybe we don't - openssl seems to |
| 1430 | # have identity issues in that area. |
1584 | # have identity issues in that area. |
| 1431 | Net::SSLeay::CTX_set_mode ($self->{tls}, |
1585 | # Net::SSLeay::CTX_set_mode ($ssl, |
| 1432 | (eval { local $SIG{__DIE__}; Net::SSLeay::MODE_ENABLE_PARTIAL_WRITE () } || 1) |
1586 | # (eval { local $SIG{__DIE__}; Net::SSLeay::MODE_ENABLE_PARTIAL_WRITE () } || 1) |
| 1433 | | (eval { local $SIG{__DIE__}; Net::SSLeay::MODE_ACCEPT_MOVING_WRITE_BUFFER () } || 2)); |
1587 | # | (eval { local $SIG{__DIE__}; Net::SSLeay::MODE_ACCEPT_MOVING_WRITE_BUFFER () } || 2)); |
|
|
1588 | Net::SSLeay::CTX_set_mode ($ssl, 1|2); |
| 1434 | |
1589 | |
| 1435 | $self->{_rbio} = Net::SSLeay::BIO_new (Net::SSLeay::BIO_s_mem ()); |
1590 | $self->{_rbio} = Net::SSLeay::BIO_new (Net::SSLeay::BIO_s_mem ()); |
| 1436 | $self->{_wbio} = Net::SSLeay::BIO_new (Net::SSLeay::BIO_s_mem ()); |
1591 | $self->{_wbio} = Net::SSLeay::BIO_new (Net::SSLeay::BIO_s_mem ()); |
| 1437 | |
1592 | |
| 1438 | Net::SSLeay::set_bio ($ssl, $self->{_rbio}, $self->{_wbio}); |
1593 | Net::SSLeay::set_bio ($ssl, $self->{_rbio}, $self->{_wbio}); |
|
|
1594 | |
|
|
1595 | $self->{_on_starttls} = sub { $_[0]{on_starttls}(@_) } |
|
|
1596 | if $self->{on_starttls}; |
| 1439 | |
1597 | |
| 1440 | &_dotls; # need to trigger the initial handshake |
1598 | &_dotls; # need to trigger the initial handshake |
| 1441 | $self->start_read; # make sure we actually do read |
1599 | $self->start_read; # make sure we actually do read |
| 1442 | } |
1600 | } |
| 1443 | |
1601 | |
| … | |
… | |
| 1456 | if ($self->{tls}) { |
1614 | if ($self->{tls}) { |
| 1457 | Net::SSLeay::shutdown ($self->{tls}); |
1615 | Net::SSLeay::shutdown ($self->{tls}); |
| 1458 | |
1616 | |
| 1459 | &_dotls; |
1617 | &_dotls; |
| 1460 | |
1618 | |
| 1461 | # we don't give a shit. no, we do, but we can't. no... |
1619 | # # we don't give a shit. no, we do, but we can't. no...#d# |
| 1462 | # we, we... have to use openssl :/ |
1620 | # # we, we... have to use openssl :/#d# |
| 1463 | &_freetls; |
1621 | # &_freetls;#d# |
| 1464 | } |
1622 | } |
| 1465 | } |
1623 | } |
| 1466 | |
1624 | |
| 1467 | sub _freetls { |
1625 | sub _freetls { |
| 1468 | my ($self) = @_; |
1626 | my ($self) = @_; |
| 1469 | |
1627 | |
| 1470 | return unless $self->{tls}; |
1628 | return unless $self->{tls}; |
| 1471 | |
1629 | |
| 1472 | Net::SSLeay::free (delete $self->{tls}); |
1630 | $self->{tls_ctx}->_put_session (delete $self->{tls}); |
| 1473 | |
1631 | |
| 1474 | delete @$self{qw(_rbio _wbio _tls_wbuf)}; |
1632 | delete @$self{qw(_rbio _wbio _tls_wbuf _on_starttls)}; |
| 1475 | } |
1633 | } |
| 1476 | |
1634 | |
| 1477 | sub DESTROY { |
1635 | sub DESTROY { |
| 1478 | my $self = shift; |
1636 | my ($self) = @_; |
| 1479 | |
1637 | |
| 1480 | &_freetls; |
1638 | &_freetls; |
| 1481 | |
1639 | |
| 1482 | my $linger = exists $self->{linger} ? $self->{linger} : 3600; |
1640 | my $linger = exists $self->{linger} ? $self->{linger} : 3600; |
| 1483 | |
1641 | |
| … | |
… | |
| 1503 | } |
1661 | } |
| 1504 | |
1662 | |
| 1505 | =item $handle->destroy |
1663 | =item $handle->destroy |
| 1506 | |
1664 | |
| 1507 | Shuts down the handle object as much as possible - this call ensures that |
1665 | Shuts down the handle object as much as possible - this call ensures that |
| 1508 | no further callbacks will be invoked and resources will be freed as much |
1666 | no further callbacks will be invoked and as many resources as possible |
| 1509 | as possible. You must not call any methods on the object afterwards. |
1667 | will be freed. You must not call any methods on the object afterwards. |
| 1510 | |
1668 | |
| 1511 | Normally, you can just "forget" any references to an AnyEvent::Handle |
1669 | Normally, you can just "forget" any references to an AnyEvent::Handle |
| 1512 | object and it will simply shut down. This works in fatal error and EOF |
1670 | object and it will simply shut down. This works in fatal error and EOF |
| 1513 | callbacks, as well as code outside. It does I<NOT> work in a read or write |
1671 | callbacks, as well as code outside. It does I<NOT> work in a read or write |
| 1514 | callback, so when you want to destroy the AnyEvent::Handle object from |
1672 | callback, so when you want to destroy the AnyEvent::Handle object from |
| … | |
… | |
| 1527 | %$self = (); |
1685 | %$self = (); |
| 1528 | } |
1686 | } |
| 1529 | |
1687 | |
| 1530 | =item AnyEvent::Handle::TLS_CTX |
1688 | =item AnyEvent::Handle::TLS_CTX |
| 1531 | |
1689 | |
| 1532 | This function creates and returns the Net::SSLeay::CTX object used by |
1690 | This function creates and returns the AnyEvent::TLS object used by default |
| 1533 | default for TLS mode. |
1691 | for TLS mode. |
| 1534 | |
1692 | |
| 1535 | The context is created like this: |
1693 | The context is created by calling L<AnyEvent::TLS> without any arguments. |
| 1536 | |
|
|
| 1537 | Net::SSLeay::load_error_strings; |
|
|
| 1538 | Net::SSLeay::SSLeay_add_ssl_algorithms; |
|
|
| 1539 | Net::SSLeay::randomize; |
|
|
| 1540 | |
|
|
| 1541 | my $CTX = Net::SSLeay::CTX_new; |
|
|
| 1542 | |
|
|
| 1543 | Net::SSLeay::CTX_set_options $CTX, Net::SSLeay::OP_ALL |
|
|
| 1544 | |
1694 | |
| 1545 | =cut |
1695 | =cut |
| 1546 | |
1696 | |
| 1547 | our $TLS_CTX; |
1697 | our $TLS_CTX; |
| 1548 | |
1698 | |
| 1549 | sub TLS_CTX() { |
1699 | sub TLS_CTX() { |
| 1550 | $TLS_CTX || do { |
1700 | $TLS_CTX ||= do { |
| 1551 | require Net::SSLeay; |
1701 | require AnyEvent::TLS; |
| 1552 | |
1702 | |
| 1553 | Net::SSLeay::load_error_strings (); |
1703 | new AnyEvent::TLS |
| 1554 | Net::SSLeay::SSLeay_add_ssl_algorithms (); |
|
|
| 1555 | Net::SSLeay::randomize (); |
|
|
| 1556 | |
|
|
| 1557 | $TLS_CTX = Net::SSLeay::CTX_new (); |
|
|
| 1558 | |
|
|
| 1559 | Net::SSLeay::CTX_set_options ($TLS_CTX, Net::SSLeay::OP_ALL ()); |
|
|
| 1560 | |
|
|
| 1561 | $TLS_CTX |
|
|
| 1562 | } |
1704 | } |
| 1563 | } |
1705 | } |
| 1564 | |
1706 | |
| 1565 | =back |
1707 | =back |
| 1566 | |
1708 | |
| … | |
… | |
| 1631 | $handle->on_drain (sub { |
1773 | $handle->on_drain (sub { |
| 1632 | warn "all data submitted to the kernel\n"; |
1774 | warn "all data submitted to the kernel\n"; |
| 1633 | undef $handle; |
1775 | undef $handle; |
| 1634 | }); |
1776 | }); |
| 1635 | |
1777 | |
|
|
1778 | If you just want to queue some data and then signal EOF to the other side, |
|
|
1779 | consider using C<< ->push_shutdown >> instead. |
|
|
1780 | |
|
|
1781 | =item I want to contact a TLS/SSL server, I don't care about security. |
|
|
1782 | |
|
|
1783 | If your TLS server is a pure TLS server (e.g. HTTPS) that only speaks TLS, |
|
|
1784 | simply connect to it and then create the AnyEvent::Handle with the C<tls> |
|
|
1785 | parameter: |
|
|
1786 | |
|
|
1787 | tcp_connect $host, $port, sub { |
|
|
1788 | my ($fh) = @_; |
|
|
1789 | |
|
|
1790 | my $handle = new AnyEvent::Handle |
|
|
1791 | fh => $fh, |
|
|
1792 | tls => "connect", |
|
|
1793 | on_error => sub { ... }; |
|
|
1794 | |
|
|
1795 | $handle->push_write (...); |
|
|
1796 | }; |
|
|
1797 | |
|
|
1798 | =item I want to contact a TLS/SSL server, I do care about security. |
|
|
1799 | |
|
|
1800 | Then you should additionally enable certificate verification, including |
|
|
1801 | peername verification, if the protocol you use supports it (see |
|
|
1802 | L<AnyEvent::TLS>, C<verify_peername>). |
|
|
1803 | |
|
|
1804 | E.g. for HTTPS: |
|
|
1805 | |
|
|
1806 | tcp_connect $host, $port, sub { |
|
|
1807 | my ($fh) = @_; |
|
|
1808 | |
|
|
1809 | my $handle = new AnyEvent::Handle |
|
|
1810 | fh => $fh, |
|
|
1811 | peername => $host, |
|
|
1812 | tls => "connect", |
|
|
1813 | tls_ctx => { verify => 1, verify_peername => "https" }, |
|
|
1814 | ... |
|
|
1815 | |
|
|
1816 | Note that you must specify the hostname you connected to (or whatever |
|
|
1817 | "peername" the protocol needs) as the C<peername> argument, otherwise no |
|
|
1818 | peername verification will be done. |
|
|
1819 | |
|
|
1820 | The above will use the system-dependent default set of trusted CA |
|
|
1821 | certificates. If you want to check against a specific CA, add the |
|
|
1822 | C<ca_file> (or C<ca_cert>) arguments to C<tls_ctx>: |
|
|
1823 | |
|
|
1824 | tls_ctx => { |
|
|
1825 | verify => 1, |
|
|
1826 | verify_peername => "https", |
|
|
1827 | ca_file => "my-ca-cert.pem", |
|
|
1828 | }, |
|
|
1829 | |
|
|
1830 | =item I want to create a TLS/SSL server, how do I do that? |
|
|
1831 | |
|
|
1832 | Well, you first need to get a server certificate and key. You have |
|
|
1833 | three options: a) ask a CA (buy one, use cacert.org etc.) b) create a |
|
|
1834 | self-signed certificate (cheap. check the search engine of your choice, |
|
|
1835 | there are many tutorials on the net) or c) make your own CA (tinyca2 is a |
|
|
1836 | nice program for that purpose). |
|
|
1837 | |
|
|
1838 | Then create a file with your private key (in PEM format, see |
|
|
1839 | L<AnyEvent::TLS>), followed by the certificate (also in PEM format). The |
|
|
1840 | file should then look like this: |
|
|
1841 | |
|
|
1842 | -----BEGIN RSA PRIVATE KEY----- |
|
|
1843 | ...header data |
|
|
1844 | ... lots of base64'y-stuff |
|
|
1845 | -----END RSA PRIVATE KEY----- |
|
|
1846 | |
|
|
1847 | -----BEGIN CERTIFICATE----- |
|
|
1848 | ... lots of base64'y-stuff |
|
|
1849 | -----END CERTIFICATE----- |
|
|
1850 | |
|
|
1851 | The important bits are the "PRIVATE KEY" and "CERTIFICATE" parts. Then |
|
|
1852 | specify this file as C<cert_file>: |
|
|
1853 | |
|
|
1854 | tcp_server undef, $port, sub { |
|
|
1855 | my ($fh) = @_; |
|
|
1856 | |
|
|
1857 | my $handle = new AnyEvent::Handle |
|
|
1858 | fh => $fh, |
|
|
1859 | tls => "accept", |
|
|
1860 | tls_ctx => { cert_file => "my-server-keycert.pem" }, |
|
|
1861 | ... |
|
|
1862 | |
|
|
1863 | When you have intermediate CA certificates that your clients might not |
|
|
1864 | know about, just append them to the C<cert_file>. |
|
|
1865 | |
| 1636 | =back |
1866 | =back |
| 1637 | |
1867 | |
| 1638 | |
1868 | |
| 1639 | =head1 SUBCLASSING AnyEvent::Handle |
1869 | =head1 SUBCLASSING AnyEvent::Handle |
| 1640 | |
1870 | |
