Annotation of loncom/lonssl.pm, revision 1.16
1.2 foxr 1: #
1.16 ! raeburn 2: # $Id: lonssl.pm,v 1.15 2017/02/28 05:42:06 raeburn Exp $
1.2 foxr 3: #
4: # Copyright Michigan State University Board of Trustees
5: #
6: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
7: #
8: # LON-CAPA is free software; you can redistribute it and/or modify
9: # it under the terms of the GNU General Public License as published by
10: # the Free Software Foundation; either version 2 of the License, or
11: # (at your option) any later version.
12: #
13: # LON-CAPA is distributed in the hope that it will be useful,
14: # but WITHOUT ANY WARRANTY; without even the implied warranty of
15: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16: # GNU General Public License for more details.
17: #
18: # You should have received a copy of the GNU General Public License
19: # along with LON-CAPA; if not, write to the Free Software
20: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21: #
22: # /home/httpd/html/adm/gpl.txt
23: #
24: # http://www.lon-capa.org/
25: #
1.6 foxr 26: package lonssl;
1.2 foxr 27: # lonssl.pm
28: # This file contains common functions used by lond and lonc when
29: # negotiating the exchange of the session encryption key via an
30: # SSL tunnel.
31: # See the POD sections and function documentation for more information.
32: #
33:
34: use strict;
1.4 foxr 35:
1.6 foxr 36: # CPAN/Standard modules:
1.4 foxr 37:
1.2 foxr 38: use IO::Socket::INET;
39: use IO::Socket::SSL;
1.14 raeburn 40: use Net::SSLeay;
1.2 foxr 41:
1.8 foxr 42: use Fcntl;
43: use POSIX;
44:
1.4 foxr 45: # Loncapa modules:
46:
47: use LONCAPA::Configuration;
48:
49: # Global storage:
50:
1.5 foxr 51: my $perlvar; # this refers to the apache perlsetvar
52: # variable hash.
1.4 foxr 53:
54: my $pathsep = "/"; # We're on unix after all.
55:
1.9 foxr 56: my $DEBUG = 0; # Set to non zero to enable debug output.
57:
1.4 foxr 58:
59: # Initialization code:
60:
61: $perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');
62:
63:
1.8 foxr 64: my $lasterror="";
65:
66:
1.9 foxr 67:
1.8 foxr 68: sub LastError {
69: return $lasterror;
70: }
71:
1.9 foxr 72: sub Debug {
73: my $msg = shift;
74: if ($DEBUG) {
75: print STDERR $msg;
76: }
77: }
78:
1.8 foxr 79: #-------------------------------------------------------------------------
80: # Name SetFdBlocking -
81: # Turn blocking mode on on the file handle. This is required for
82: # SSL key negotiation.
83: #
84: # Parameters:
85: # Handle - Reference to the handle to modify.
86: # Returns:
87: # prior flag settings.
88: #
89: sub SetFdBlocking {
1.9 foxr 90: Debug("SetFdBlocking called \n");
1.8 foxr 91: my $Handle = shift;
92:
93:
94:
95: my $flags = fcntl($Handle, F_GETFL, 0);
96: if(!$flags) {
1.9 foxr 97: Debug("SetBLocking fcntl get faild $!\n");
1.8 foxr 98: }
99: my $newflags = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK...
100: if(!fcntl($Handle, F_SETFL, $newflags)) {
1.9 foxr 101: Debug("Can't set non block mode $!\n");
1.8 foxr 102: }
103: return $flags;
104: }
1.2 foxr 105:
106: #--------------------------------------------------------------------------
107: #
108: # Name PromoteClientSocket
109: # Description Given an ordinary IO::Socket::INET Creates an SSL socket
110: # for a client that is connected to the same server.
111: # Parameters Name Type Description
112: # Socket IO::Socket::INET Original ordinary socket.
113: # CACert string Full path name to the certificate
114: # authority certificate file.
115: # MyCert string Full path name to the certificate
116: # issued to this host.
117: # KeyFile string Full pathname to the host's private
118: # key file for the certificate.
1.16 ! raeburn 119: # peer string lonHostID of remote LON-CAPA server
1.2 foxr 120: # Returns
121: # - Reference to an SSL socket on success
122: # - undef on failure. Reason for failure can be interrogated from
123: # IO::Socket::SSL
1.8 foxr 124: # Side effects: socket is left in blocking mode!!
125: #
1.2 foxr 126:
127: sub PromoteClientSocket {
1.6 foxr 128: my ($PlaintextSocket,
129: $CACert,
130: $MyCert,
1.16 ! raeburn 131: $KeyFile,
! 132: $peer) = @_;
1.6 foxr 133:
134:
1.16 ! raeburn 135: Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, Remote Host: $peer\n");
1.8 foxr 136:
1.3 albertel 137: # To create the ssl socket we need to duplicate the existing
138: # socket. Otherwise closing the ssl socket will close the plaintext socket
1.8 foxr 139: # too. We also must flip into blocking mode for the duration of the
140: # ssl negotiation phase.. the caller will have to flip to non block if
141: # that's what they want
142:
143: my $oldflags = SetFdBlocking($PlaintextSocket);
144: my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
1.9 foxr 145: Debug("Client promotion got dup = $dupfno\n");
1.8 foxr 146:
1.14 raeburn 147: # Starting with IO::Socket::SSL rev. 1.79, carp warns that a verify
148: # mode of SSL_VERIFY_NONE should be explicitly set for client, if
149: # verification is not to be used, and SSL_verify_mode is not set.
150: # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which
1.16 ! raeburn 151: # prevents an SSL connection to lond unless SSL_verifycn_name is set
! 152: # to the lonHostID of the remote host, (and the remote certificate has
! 153: # the remote lonHostID as CN, and has been signed by the LON-CAPA CA.
! 154: # Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to
! 155: # SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01
1.14 raeburn 156: # used by CentOS/RHEL/Scientific Linux 5).
1.6 foxr 157:
1.8 foxr 158: my $client = IO::Socket::SSL->new_from_fd($dupfno,
1.12 raeburn 159: SSL_use_cert => 1,
1.3 albertel 160: SSL_key_file => $KeyFile,
161: SSL_cert_file => $MyCert,
1.14 raeburn 162: SSL_ca_file => $CACert,
1.16 ! raeburn 163: SSL_verifycn_name => $peer,
! 164: SSL_verify_mode => Net::SSLeay::VERIFY_PEER());
1.6 foxr 165:
1.8 foxr 166: if(!$client) {
167: $lasterror = IO::Socket::SSL::errstr();
168: return undef;
169: }
1.3 albertel 170: return $client; # Undef if the client negotiation fails.
1.2 foxr 171: }
172:
173: #----------------------------------------------------------------------
174: # Name PromoteServerSocket
175: # Description Given an ordinary IO::Socket::INET Creates an SSL socket
1.16 ! raeburn 176: # for a server that is connected to the same client.
1.2 foxr 177: # Parameters Name Type Description
178: # Socket IO::Socket::INET Original ordinary socket.
179: # CACert string Full path name to the certificate
180: # authority certificate file.
181: # MyCert string Full path name to the certificate
182: # issued to this host.
183: # KeyFile string Full pathname to the host's private
184: # key file for the certificate.
1.16 ! raeburn 185: # peer string lonHostID of remote LON-CAPA client
1.2 foxr 186: # Returns
187: # - Reference to an SSL socket on success
188: # - undef on failure. Reason for failure can be interrogated from
189: # IO::Socket::SSL
1.8 foxr 190: # Side Effects:
191: # Socket is left in blocking mode!!!
192: #
1.3 albertel 193: sub PromoteServerSocket {
1.6 foxr 194: my ($PlaintextSocket,
195: $CACert,
196: $MyCert,
1.16 ! raeburn 197: $KeyFile,
! 198: $peer) = @_;
1.6 foxr 199:
1.3 albertel 200:
201:
202: # To create the ssl socket we need to duplicate the existing
203: # socket. Otherwise closing the ssl socket will close the plaintext socket
204: # too:
205:
1.9 foxr 206: Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n");
1.8 foxr 207:
208: my $oldflags = SetFdBlocking($PlaintextSocket);
209: my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
210: if (!$dupfno) {
1.9 foxr 211: Debug("dup failed: $!\n");
1.8 foxr 212: }
1.9 foxr 213: Debug(" Fileno = $dupfno\n");
1.8 foxr 214: my $client = IO::Socket::SSL->new_from_fd($dupfno,
1.3 albertel 215: SSL_server => 1, # Server role.
1.13 raeburn 216: SSL_use_cert => 1,
1.3 albertel 217: SSL_key_file => $KeyFile,
218: SSL_cert_file => $MyCert,
1.16 ! raeburn 219: SSL_ca_file => $CACert,
! 220: SSL_verifycn_name => $peer,
! 221: SSL_verify_mode => Net::SSLeay::VERIFY_PEER());
1.8 foxr 222: if(!$client) {
223: $lasterror = IO::Socket::SSL::errstr();
224: return undef;
225: }
1.3 albertel 226: return $client;
1.2 foxr 227: }
228:
229: #-------------------------------------------------------------------------
230: #
231: # Name: Close
232: # Description: Properly closes an ssl client or ssl server socket in
233: # a way that keeps the parent socket open.
234: # Parameters: Name Type Description
235: # Socket IO::Socket::SSL SSL Socket gotten from either
236: # PromoteClientSocket or
237: # PromoteServerSocket
238: # Returns:
239: # NONE
240: #
241: sub Close {
1.3 albertel 242: my $Socket = shift;
1.4 foxr 243:
1.3 albertel 244: $Socket->close(SSL_no_shutdown =>1); # Otherwise the parent socket
245: # gets torn down.
1.2 foxr 246: }
1.4 foxr 247: #---------------------------------------------------------------------------
248: #
249: # Name GetPeerCertificate
250: # Description Inquires about the certificate of the peer of a connection.
251: # Parameters Name Type Description
252: # SSLSocket IO::Socket::SSL SSL tunnel socket open on
253: # the peer.
254: # Returns
255: # A two element list. The first element of the list is the name of
256: # the certificate authority. The second element of the list is the name
257: # of the owner of the certificate.
258: sub GetPeerCertificate {
1.6 foxr 259: my $SSLSocket = shift;
260:
261: my $CertOwner = $SSLSocket->peer_certificate("owner");
262: my $CertCA = $SSLSocket->peer_certificate("authority");
263:
1.8 foxr 264: return ($CertCA, $CertOwner);
1.4 foxr 265: }
266: #----------------------------------------------------------------------------
267: #
268: # Name CertificateFile
269: # Description Locate the certificate files for this host.
270: # Returns
271: # Returns a two element array. The first element contains the name of
272: # the certificate file for this host. The second element contains the name
273: # of the certificate file for the CA that granted the certificate. If
274: # either file cannot be located, returns undef.
275: #
276: sub CertificateFile {
277:
1.6 foxr 278: # I need some perl variables from the configuration file for this:
279:
280: my $CertificateDir = $perlvar->{lonCertificateDirectory};
281: my $CaFilename = $perlvar->{lonnetCertificateAuthority};
282: my $CertFilename = $perlvar->{lonnetCertificate};
283:
284: # Ensure the existence of these variables:
285:
286: if((!$CertificateDir) || (!$CaFilename) || (!$CertFilename)) {
1.8 foxr 287: $lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename "
288: ."Cert: $CertFilename";
1.6 foxr 289: return undef;
290: }
291:
292: # Build the actual filenames and check for their existence and
293: # readability.
294:
1.10 albertel 295: $CaFilename = $CertificateDir.$pathsep.$CaFilename;
296: $CertFilename = $CertificateDir.$pathsep.$CertFilename;
1.6 foxr 297:
298: if((! -r $CaFilename) || (! -r $CertFilename)) {
1.8 foxr 299: $lasterror = "CA file $CaFilename or Cert File: $CertFilename "
300: ."not readable";
1.6 foxr 301: return undef;
302: }
303:
304: # Everything works fine!!
305:
1.8 foxr 306: return ($CaFilename, $CertFilename);
1.4 foxr 307:
308: }
309: #------------------------------------------------------------------------
310: #
311: # Name KeyFile
312: # Description
313: # Returns the name of the private key file of the current host.
314: # Returns
315: # Returns the name of the key file or undef if the file cannot
316: # be found.
317: #
318: sub KeyFile {
319:
1.6 foxr 320: # I need some perl variables from the configuration file for this:
321:
322: my $CertificateDir = $perlvar->{lonCertificateDirectory};
323: my $KeyFilename = $perlvar->{lonnetPrivateKey};
324:
325: # Ensure the variables exist:
326:
327: if((!$CertificateDir) || (!$KeyFilename)) {
1.8 foxr 328: $lasterror = "Missing parameter dir: $CertificateDir "
329: ."key: $KeyFilename";
1.6 foxr 330: return undef;
331: }
332:
333: # Build the actual filename and ensure that it not only exists but
334: # is also readable:
335:
1.10 albertel 336: $KeyFilename = $CertificateDir.$pathsep.$KeyFilename;
1.6 foxr 337: if(! (-r $KeyFilename)) {
1.8 foxr 338: $lasterror = "Unreadable key file $KeyFilename";
1.6 foxr 339: return undef;
340: }
341:
342: return $KeyFilename;
1.4 foxr 343: }
1.2 foxr 344:
1.15 raeburn 345: sub Read_Connect_Config {
346: my ($secureconf,$perlvarref) = @_;
347: return unless (ref($secureconf) eq 'HASH');
348:
349: unless (ref($perlvarref) eq 'HASH') {
350: $perlvarref = $perlvar;
351: }
352:
353: # Clean out the old table first.
354: foreach my $key (keys(%{$secureconf})) {
355: delete($secureconf->{$key});
356: }
357:
358: my $result;
359: my $tablename = $perlvarref->{'lonTabDir'}."/connectionrules.tab";
360: if (open(my $fh,"<$tablename")) {
361: while (my $line = <$fh>) {
362: chomp($line);
363: my ($name,$value) = split(/=/,$line);
364: if ($value =~ /^(?:no|yes|req)$/) {
365: if ($name =~ /^conn(to|from)_(dom|intdom|other)$/) {
366: $secureconf->{'conn'.$1}{$2} = $value;
367: }
368: }
369: }
370: close($fh);
371: return 'ok';
372: }
373: return;
374: }
375:
376: sub Read_Host_Types {
377: my ($hosttypes,$perlvarref) = @_;
378: return unless (ref($hosttypes) eq 'HASH');
379:
380: unless (ref($perlvarref) eq 'HASH') {
381: $perlvarref = $perlvar;
382: }
383:
384: # Clean out the old table first.
385: foreach my $key (keys(%{$hosttypes})) {
386: delete($hosttypes->{$key});
387: }
388:
389: my $result;
390: my $tablename = $perlvarref->{'lonTabDir'}."/hosttypes.tab";
391: if (open(my $fh,"<$tablename")) {
392: while (my $line = <$fh>) {
393: chomp($line);
394: my ($name,$value) = split(/:/,$line);
395: if (($name ne '') && ($value =~ /^(dom|intdom|other)$/)) {
396: $hosttypes->{$name} = $value;
397: }
398: }
399: close($fh);
400: return 'ok';
401: }
402: return;
403: }
404:
1.4 foxr 405: 1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>