Annotation of loncom/lonssl.pm, revision 1.12
1.2 foxr 1: #
1.12 ! raeburn 2: # $Id: lonssl.pm,v 1.11 2014/11/06 02:22:11 raeburn Exp $
1.2 foxr 3: #
4: # Copyright Michigan State University Board of Trustees
5: #
6: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
7: #
8: # LON-CAPA is free software; you can redistribute it and/or modify
9: # it under the terms of the GNU General Public License as published by
10: # the Free Software Foundation; either version 2 of the License, or
11: # (at your option) any later version.
12: #
13: # LON-CAPA is distributed in the hope that it will be useful,
14: # but WITHOUT ANY WARRANTY; without even the implied warranty of
15: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16: # GNU General Public License for more details.
17: #
18: # You should have received a copy of the GNU General Public License
19: # along with LON-CAPA; if not, write to the Free Software
20: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21: #
22: # /home/httpd/html/adm/gpl.txt
23: #
24: # http://www.lon-capa.org/
25: #
1.6 foxr 26: package lonssl;
1.2 foxr 27: # lonssl.pm
28: # This file contains common functions used by lond and lonc when
29: # negotiating the exchange of the session encryption key via an
30: # SSL tunnel.
31: # See the POD sections and function documentation for more information.
32: #
33:
34: use strict;
1.4 foxr 35:
1.6 foxr 36: # CPAN/Standard modules:
1.4 foxr 37:
1.2 foxr 38: use IO::Socket::INET;
39: use IO::Socket::SSL;
40:
1.8 foxr 41: use Fcntl;
42: use POSIX;
43:
1.4 foxr 44: # Loncapa modules:
45:
46: use LONCAPA::Configuration;
47:
48: # Global storage:
49:
1.5 foxr 50: my $perlvar; # this refers to the apache perlsetvar
51: # variable hash.
1.4 foxr 52:
53: my $pathsep = "/"; # We're on unix after all.
54:
1.9 foxr 55: my $DEBUG = 0; # Set to non zero to enable debug output.
56:
1.4 foxr 57:
58: # Initialization code:
59:
60: $perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');
61:
62:
1.8 foxr 63: my $lasterror="";
64:
65:
1.9 foxr 66:
1.8 foxr 67: sub LastError {
68: return $lasterror;
69: }
70:
1.9 foxr 71: sub Debug {
72: my $msg = shift;
73: if ($DEBUG) {
74: print STDERR $msg;
75: }
76: }
77:
1.8 foxr 78: #-------------------------------------------------------------------------
79: # Name SetFdBlocking -
80: # Turn blocking mode on on the file handle. This is required for
81: # SSL key negotiation.
82: #
83: # Parameters:
84: # Handle - Reference to the handle to modify.
85: # Returns:
86: # prior flag settings.
87: #
88: sub SetFdBlocking {
1.9 foxr 89: Debug("SetFdBlocking called \n");
1.8 foxr 90: my $Handle = shift;
91:
92:
93:
94: my $flags = fcntl($Handle, F_GETFL, 0);
95: if(!$flags) {
1.9 foxr 96: Debug("SetBLocking fcntl get faild $!\n");
1.8 foxr 97: }
98: my $newflags = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK...
99: if(!fcntl($Handle, F_SETFL, $newflags)) {
1.9 foxr 100: Debug("Can't set non block mode $!\n");
1.8 foxr 101: }
102: return $flags;
103: }
1.2 foxr 104:
105: #--------------------------------------------------------------------------
106: #
107: # Name PromoteClientSocket
108: # Description Given an ordinary IO::Socket::INET Creates an SSL socket
109: # for a client that is connected to the same server.
110: # Parameters Name Type Description
111: # Socket IO::Socket::INET Original ordinary socket.
112: # CACert string Full path name to the certificate
113: # authority certificate file.
114: # MyCert string Full path name to the certificate
115: # issued to this host.
116: # KeyFile string Full pathname to the host's private
117: # key file for the certificate.
118: # Returns
119: # - Reference to an SSL socket on success
120: # - undef on failure. Reason for failure can be interrogated from
121: # IO::Socket::SSL
1.8 foxr 122: # Side effects: socket is left in blocking mode!!
123: #
1.2 foxr 124:
125: sub PromoteClientSocket {
1.6 foxr 126: my ($PlaintextSocket,
127: $CACert,
128: $MyCert,
1.7 foxr 129: $KeyFile) = @_;
1.6 foxr 130:
131:
1.9 foxr 132: Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert\n");
1.8 foxr 133:
1.3 albertel 134: # To create the ssl socket we need to duplicate the existing
135: # socket. Otherwise closing the ssl socket will close the plaintext socket
1.8 foxr 136: # too. We also must flip into blocking mode for the duration of the
137: # ssl negotiation phase.. the caller will have to flip to non block if
138: # that's what they want
139:
140: my $oldflags = SetFdBlocking($PlaintextSocket);
141: my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
1.9 foxr 142: Debug("Client promotion got dup = $dupfno\n");
1.8 foxr 143:
1.6 foxr 144:
1.8 foxr 145: my $client = IO::Socket::SSL->new_from_fd($dupfno,
1.12 ! raeburn 146: SSL_use_cert => 1,
1.3 albertel 147: SSL_key_file => $KeyFile,
148: SSL_cert_file => $MyCert,
1.11 raeburn 149: SSL_ca_file => $CACert);
1.6 foxr 150:
1.8 foxr 151: if(!$client) {
152: $lasterror = IO::Socket::SSL::errstr();
153: return undef;
154: }
1.3 albertel 155: return $client; # Undef if the client negotiation fails.
1.2 foxr 156: }
157:
158: #----------------------------------------------------------------------
159: # Name PromoteServerSocket
160: # Description Given an ordinary IO::Socket::INET Creates an SSL socket
161: # for a server that is connected to the same client.l
162: # Parameters Name Type Description
163: # Socket IO::Socket::INET Original ordinary socket.
164: # CACert string Full path name to the certificate
165: # authority certificate file.
166: # MyCert string Full path name to the certificate
167: # issued to this host.
168: # KeyFile string Full pathname to the host's private
169: # key file for the certificate.
170: # Returns
171: # - Reference to an SSL socket on success
172: # - undef on failure. Reason for failure can be interrogated from
173: # IO::Socket::SSL
1.8 foxr 174: # Side Effects:
175: # Socket is left in blocking mode!!!
176: #
1.3 albertel 177: sub PromoteServerSocket {
1.6 foxr 178: my ($PlaintextSocket,
179: $CACert,
180: $MyCert,
1.7 foxr 181: $KeyFile) = @_;
1.6 foxr 182:
1.3 albertel 183:
184:
185: # To create the ssl socket we need to duplicate the existing
186: # socket. Otherwise closing the ssl socket will close the plaintext socket
187: # too:
188:
1.9 foxr 189: Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n");
1.8 foxr 190:
191: my $oldflags = SetFdBlocking($PlaintextSocket);
192: my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
193: if (!$dupfno) {
1.9 foxr 194: Debug("dup failed: $!\n");
1.8 foxr 195: }
1.9 foxr 196: Debug(" Fileno = $dupfno\n");
1.8 foxr 197: my $client = IO::Socket::SSL->new_from_fd($dupfno,
1.3 albertel 198: SSL_server => 1, # Server role.
199: SSL_user_cert => 1,
200: SSL_key_file => $KeyFile,
201: SSL_cert_file => $MyCert,
1.11 raeburn 202: SSL_ca_file => $CACert);
1.8 foxr 203: if(!$client) {
204: $lasterror = IO::Socket::SSL::errstr();
205: return undef;
206: }
1.3 albertel 207: return $client;
1.2 foxr 208: }
209:
210: #-------------------------------------------------------------------------
211: #
212: # Name: Close
213: # Description: Properly closes an ssl client or ssl server socket in
214: # a way that keeps the parent socket open.
215: # Parameters: Name Type Description
216: # Socket IO::Socket::SSL SSL Socket gotten from either
217: # PromoteClientSocket or
218: # PromoteServerSocket
219: # Returns:
220: # NONE
221: #
222: sub Close {
1.3 albertel 223: my $Socket = shift;
1.4 foxr 224:
1.3 albertel 225: $Socket->close(SSL_no_shutdown =>1); # Otherwise the parent socket
226: # gets torn down.
1.2 foxr 227: }
1.4 foxr 228: #---------------------------------------------------------------------------
229: #
230: # Name GetPeerCertificate
231: # Description Inquires about the certificate of the peer of a connection.
232: # Parameters Name Type Description
233: # SSLSocket IO::Socket::SSL SSL tunnel socket open on
234: # the peer.
235: # Returns
236: # A two element list. The first element of the list is the name of
237: # the certificate authority. The second element of the list is the name
238: # of the owner of the certificate.
239: sub GetPeerCertificate {
1.6 foxr 240: my $SSLSocket = shift;
241:
242: my $CertOwner = $SSLSocket->peer_certificate("owner");
243: my $CertCA = $SSLSocket->peer_certificate("authority");
244:
1.8 foxr 245: return ($CertCA, $CertOwner);
1.4 foxr 246: }
247: #----------------------------------------------------------------------------
248: #
249: # Name CertificateFile
250: # Description Locate the certificate files for this host.
251: # Returns
252: # Returns a two element array. The first element contains the name of
253: # the certificate file for this host. The second element contains the name
254: # of the certificate file for the CA that granted the certificate. If
255: # either file cannot be located, returns undef.
256: #
257: sub CertificateFile {
258:
1.6 foxr 259: # I need some perl variables from the configuration file for this:
260:
261: my $CertificateDir = $perlvar->{lonCertificateDirectory};
262: my $CaFilename = $perlvar->{lonnetCertificateAuthority};
263: my $CertFilename = $perlvar->{lonnetCertificate};
264:
265: # Ensure the existence of these variables:
266:
267: if((!$CertificateDir) || (!$CaFilename) || (!$CertFilename)) {
1.8 foxr 268: $lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename "
269: ."Cert: $CertFilename";
1.6 foxr 270: return undef;
271: }
272:
273: # Build the actual filenames and check for their existence and
274: # readability.
275:
1.10 albertel 276: $CaFilename = $CertificateDir.$pathsep.$CaFilename;
277: $CertFilename = $CertificateDir.$pathsep.$CertFilename;
1.6 foxr 278:
279: if((! -r $CaFilename) || (! -r $CertFilename)) {
1.8 foxr 280: $lasterror = "CA file $CaFilename or Cert File: $CertFilename "
281: ."not readable";
1.6 foxr 282: return undef;
283: }
284:
285: # Everything works fine!!
286:
1.8 foxr 287: return ($CaFilename, $CertFilename);
1.4 foxr 288:
289: }
290: #------------------------------------------------------------------------
291: #
292: # Name KeyFile
293: # Description
294: # Returns the name of the private key file of the current host.
295: # Returns
296: # Returns the name of the key file or undef if the file cannot
297: # be found.
298: #
299: sub KeyFile {
300:
1.6 foxr 301: # I need some perl variables from the configuration file for this:
302:
303: my $CertificateDir = $perlvar->{lonCertificateDirectory};
304: my $KeyFilename = $perlvar->{lonnetPrivateKey};
305:
306: # Ensure the variables exist:
307:
308: if((!$CertificateDir) || (!$KeyFilename)) {
1.8 foxr 309: $lasterror = "Missing parameter dir: $CertificateDir "
310: ."key: $KeyFilename";
1.6 foxr 311: return undef;
312: }
313:
314: # Build the actual filename and ensure that it not only exists but
315: # is also readable:
316:
1.10 albertel 317: $KeyFilename = $CertificateDir.$pathsep.$KeyFilename;
1.6 foxr 318: if(! (-r $KeyFilename)) {
1.8 foxr 319: $lasterror = "Unreadable key file $KeyFilename";
1.6 foxr 320: return undef;
321: }
322:
323: return $KeyFilename;
1.4 foxr 324: }
1.2 foxr 325:
1.4 foxr 326: 1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>