Annotation of loncom/lonssl.pm, revision 1.17
1.2 foxr 1: #
1.16 raeburn 2: # $Id: lonssl.pm,v 1.15 2017/02/28 05:42:06 raeburn Exp $
1.2 foxr 3: #
4: # Copyright Michigan State University Board of Trustees
5: #
6: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
7: #
8: # LON-CAPA is free software; you can redistribute it and/or modify
9: # it under the terms of the GNU General Public License as published by
10: # the Free Software Foundation; either version 2 of the License, or
11: # (at your option) any later version.
12: #
13: # LON-CAPA is distributed in the hope that it will be useful,
14: # but WITHOUT ANY WARRANTY; without even the implied warranty of
15: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16: # GNU General Public License for more details.
17: #
18: # You should have received a copy of the GNU General Public License
19: # along with LON-CAPA; if not, write to the Free Software
20: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21: #
22: # /home/httpd/html/adm/gpl.txt
23: #
24: # http://www.lon-capa.org/
25: #
1.6 foxr 26: package lonssl;
1.2 foxr 27: # lonssl.pm
28: # This file contains common functions used by lond and lonc when
29: # negotiating the exchange of the session encryption key via an
30: # SSL tunnel.
31: # See the POD sections and function documentation for more information.
32: #
33:
34: use strict;
1.4 foxr 35:
1.6 foxr 36: # CPAN/Standard modules:
1.4 foxr 37:
1.2 foxr 38: use IO::Socket::INET;
39: use IO::Socket::SSL;
1.14 raeburn 40: use Net::SSLeay;
1.2 foxr 41:
1.8 foxr 42: use Fcntl;
43: use POSIX;
44:
1.4 foxr 45: # Loncapa modules:
46:
47: use LONCAPA::Configuration;
48:
49: # Global storage:
50:
1.5 foxr 51: my $perlvar; # this refers to the apache perlsetvar
52: # variable hash.
1.4 foxr 53:
54: my $pathsep = "/"; # We're on unix after all.
55:
1.9 foxr 56: my $DEBUG = 0; # Set to non zero to enable debug output.
57:
1.4 foxr 58:
59: # Initialization code:
60:
61: $perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');
62:
63:
1.8 foxr 64: my $lasterror="";
65:
66:
1.9 foxr 67:
1.8 foxr 68: sub LastError {
69: return $lasterror;
70: }
71:
1.9 foxr 72: sub Debug {
73: my $msg = shift;
74: if ($DEBUG) {
75: print STDERR $msg;
76: }
77: }
78:
1.8 foxr 79: #-------------------------------------------------------------------------
80: # Name SetFdBlocking -
81: # Turn blocking mode on on the file handle. This is required for
82: # SSL key negotiation.
83: #
84: # Parameters:
85: # Handle - Reference to the handle to modify.
86: # Returns:
87: # prior flag settings.
88: #
89: sub SetFdBlocking {
1.9 foxr 90: Debug("SetFdBlocking called \n");
1.8 foxr 91: my $Handle = shift;
92:
93:
94:
95: my $flags = fcntl($Handle, F_GETFL, 0);
96: if(!$flags) {
1.9 foxr 97: Debug("SetBLocking fcntl get faild $!\n");
1.8 foxr 98: }
99: my $newflags = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK...
100: if(!fcntl($Handle, F_SETFL, $newflags)) {
1.9 foxr 101: Debug("Can't set non block mode $!\n");
1.8 foxr 102: }
103: return $flags;
104: }
1.2 foxr 105:
106: #--------------------------------------------------------------------------
107: #
108: # Name PromoteClientSocket
109: # Description Given an ordinary IO::Socket::INET Creates an SSL socket
110: # for a client that is connected to the same server.
111: # Parameters Name Type Description
112: # Socket IO::Socket::INET Original ordinary socket.
113: # CACert string Full path name to the certificate
114: # authority certificate file.
115: # MyCert string Full path name to the certificate
116: # issued to this host.
117: # KeyFile string Full pathname to the host's private
118: # key file for the certificate.
1.17 ! raeburn 119: # peer string lonHostID of remote LON-CAPA server
! 120: # CRLFile Full path name to the certificate
! 121: # revocation list file for the cluster
! 122: # to which server belongs (optional)
! 123:
1.2 foxr 124: # Returns
125: # - Reference to an SSL socket on success
126: # - undef on failure. Reason for failure can be interrogated from
127: # IO::Socket::SSL
1.8 foxr 128: # Side effects: socket is left in blocking mode!!
129: #
1.2 foxr 130:
131: sub PromoteClientSocket {
1.6 foxr 132: my ($PlaintextSocket,
133: $CACert,
134: $MyCert,
1.16 raeburn 135: $KeyFile,
1.17 ! raeburn 136: $peer,
! 137: $CRLFile) = @_;
1.6 foxr 138:
139:
1.17 ! raeburn 140: Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer\n");
1.8 foxr 141:
1.3 albertel 142: # To create the ssl socket we need to duplicate the existing
143: # socket. Otherwise closing the ssl socket will close the plaintext socket
1.8 foxr 144: # too. We also must flip into blocking mode for the duration of the
145: # ssl negotiation phase.. the caller will have to flip to non block if
146: # that's what they want
147:
148: my $oldflags = SetFdBlocking($PlaintextSocket);
149: my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
1.9 foxr 150: Debug("Client promotion got dup = $dupfno\n");
1.8 foxr 151:
1.14 raeburn 152: # Starting with IO::Socket::SSL rev. 1.79, carp warns that a verify
153: # mode of SSL_VERIFY_NONE should be explicitly set for client, if
154: # verification is not to be used, and SSL_verify_mode is not set.
155: # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which
1.16 raeburn 156: # prevents an SSL connection to lond unless SSL_verifycn_name is set
157: # to the lonHostID of the remote host, (and the remote certificate has
1.17 ! raeburn 158: # the remote lonHostID as CN, and has been signed by the LON-CAPA CA.
1.16 raeburn 159: # Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to
160: # SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01
1.14 raeburn 161: # used by CentOS/RHEL/Scientific Linux 5).
1.6 foxr 162:
1.17 ! raeburn 163: my %sslargs = (SSL_use_cert => 1,
! 164: SSL_key_file => $KeyFile,
! 165: SSL_cert_file => $MyCert,
! 166: SSL_ca_file => $CACert,
! 167: SSL_verifycn_name => $peer,
! 168: SSL_verify_mode => Net::SSLeay::VERIFY_PEER());
! 169: if (($CRLFile ne '') && (-e $CRLFile)) {
! 170: $sslargs{SSL_check_crl} = 1;
! 171: $sslargs{SSL_crl_file} = $CRLFile;
! 172: }
! 173: my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
1.8 foxr 174: if(!$client) {
1.17 ! raeburn 175: if ($IO::Socket::SSL::SSL_ERROR == -1) {
! 176: $lasterror = -1;
! 177: }
1.8 foxr 178: return undef;
179: }
1.3 albertel 180: return $client; # Undef if the client negotiation fails.
1.2 foxr 181: }
182:
183: #----------------------------------------------------------------------
184: # Name PromoteServerSocket
185: # Description Given an ordinary IO::Socket::INET Creates an SSL socket
1.16 raeburn 186: # for a server that is connected to the same client.
1.2 foxr 187: # Parameters Name Type Description
188: # Socket IO::Socket::INET Original ordinary socket.
189: # CACert string Full path name to the certificate
190: # authority certificate file.
191: # MyCert string Full path name to the certificate
192: # issued to this host.
193: # KeyFile string Full pathname to the host's private
194: # key file for the certificate.
1.17 ! raeburn 195: # peer string lonHostID of remote LON-CAPA client
! 196: # CRLFile Full path name to the certificate
! 197: # revocation list file for the cluster
! 198: # to which server belongs (optional)
1.2 foxr 199: # Returns
200: # - Reference to an SSL socket on success
201: # - undef on failure. Reason for failure can be interrogated from
202: # IO::Socket::SSL
1.8 foxr 203: # Side Effects:
204: # Socket is left in blocking mode!!!
205: #
1.3 albertel 206: sub PromoteServerSocket {
1.6 foxr 207: my ($PlaintextSocket,
208: $CACert,
209: $MyCert,
1.16 raeburn 210: $KeyFile,
1.17 ! raeburn 211: $peer,
! 212: $CRLFile) = @_;
1.6 foxr 213:
1.3 albertel 214:
215:
216: # To create the ssl socket we need to duplicate the existing
217: # socket. Otherwise closing the ssl socket will close the plaintext socket
218: # too:
219:
1.9 foxr 220: Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n");
1.8 foxr 221:
222: my $oldflags = SetFdBlocking($PlaintextSocket);
223: my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
224: if (!$dupfno) {
1.9 foxr 225: Debug("dup failed: $!\n");
1.8 foxr 226: }
1.9 foxr 227: Debug(" Fileno = $dupfno\n");
1.17 ! raeburn 228: my %sslargs = (SSL_server => 1, # Server role.
! 229: SSL_use_cert => 1,
! 230: SSL_key_file => $KeyFile,
! 231: SSL_cert_file => $MyCert,
! 232: SSL_ca_file => $CACert,
! 233: SSL_verifycn_name => $peer,
! 234: SSL_verify_mode => Net::SSLeay::VERIFY_PEER());
! 235: if (($CRLFile ne '') && (-e $CRLFile)) {
! 236: $sslargs{SSL_check_crl} = 1;
! 237: $sslargs{SSL_crl_file} = $CRLFile;
! 238: }
! 239: my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
1.8 foxr 240: if(!$client) {
1.17 ! raeburn 241: if ($IO::Socket::SSL::SSL_ERROR == -1) {
! 242: $lasterror = -1;
! 243: }
1.8 foxr 244: return undef;
245: }
1.3 albertel 246: return $client;
1.2 foxr 247: }
248:
249: #-------------------------------------------------------------------------
250: #
251: # Name: Close
252: # Description: Properly closes an ssl client or ssl server socket in
253: # a way that keeps the parent socket open.
254: # Parameters: Name Type Description
255: # Socket IO::Socket::SSL SSL Socket gotten from either
256: # PromoteClientSocket or
257: # PromoteServerSocket
258: # Returns:
259: # NONE
260: #
261: sub Close {
1.3 albertel 262: my $Socket = shift;
1.4 foxr 263:
1.3 albertel 264: $Socket->close(SSL_no_shutdown =>1); # Otherwise the parent socket
265: # gets torn down.
1.2 foxr 266: }
1.4 foxr 267: #---------------------------------------------------------------------------
268: #
269: # Name GetPeerCertificate
270: # Description Inquires about the certificate of the peer of a connection.
271: # Parameters Name Type Description
272: # SSLSocket IO::Socket::SSL SSL tunnel socket open on
273: # the peer.
274: # Returns
275: # A two element list. The first element of the list is the name of
276: # the certificate authority. The second element of the list is the name
277: # of the owner of the certificate.
278: sub GetPeerCertificate {
1.6 foxr 279: my $SSLSocket = shift;
280:
281: my $CertOwner = $SSLSocket->peer_certificate("owner");
282: my $CertCA = $SSLSocket->peer_certificate("authority");
283:
1.8 foxr 284: return ($CertCA, $CertOwner);
1.4 foxr 285: }
286: #----------------------------------------------------------------------------
287: #
288: # Name CertificateFile
289: # Description Locate the certificate files for this host.
290: # Returns
291: # Returns a two element array. The first element contains the name of
292: # the certificate file for this host. The second element contains the name
293: # of the certificate file for the CA that granted the certificate. If
294: # either file cannot be located, returns undef.
295: #
296: sub CertificateFile {
297:
1.6 foxr 298: # I need some perl variables from the configuration file for this:
299:
300: my $CertificateDir = $perlvar->{lonCertificateDirectory};
301: my $CaFilename = $perlvar->{lonnetCertificateAuthority};
302: my $CertFilename = $perlvar->{lonnetCertificate};
303:
304: # Ensure the existence of these variables:
305:
306: if((!$CertificateDir) || (!$CaFilename) || (!$CertFilename)) {
1.8 foxr 307: $lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename "
308: ."Cert: $CertFilename";
1.6 foxr 309: return undef;
310: }
311:
312: # Build the actual filenames and check for their existence and
313: # readability.
314:
1.10 albertel 315: $CaFilename = $CertificateDir.$pathsep.$CaFilename;
316: $CertFilename = $CertificateDir.$pathsep.$CertFilename;
1.6 foxr 317:
318: if((! -r $CaFilename) || (! -r $CertFilename)) {
1.8 foxr 319: $lasterror = "CA file $CaFilename or Cert File: $CertFilename "
320: ."not readable";
1.6 foxr 321: return undef;
322: }
323:
324: # Everything works fine!!
325:
1.8 foxr 326: return ($CaFilename, $CertFilename);
1.4 foxr 327:
328: }
329: #------------------------------------------------------------------------
330: #
331: # Name KeyFile
332: # Description
333: # Returns the name of the private key file of the current host.
334: # Returns
335: # Returns the name of the key file or undef if the file cannot
336: # be found.
337: #
338: sub KeyFile {
339:
1.6 foxr 340: # I need some perl variables from the configuration file for this:
341:
342: my $CertificateDir = $perlvar->{lonCertificateDirectory};
343: my $KeyFilename = $perlvar->{lonnetPrivateKey};
344:
345: # Ensure the variables exist:
346:
347: if((!$CertificateDir) || (!$KeyFilename)) {
1.8 foxr 348: $lasterror = "Missing parameter dir: $CertificateDir "
349: ."key: $KeyFilename";
1.6 foxr 350: return undef;
351: }
352:
353: # Build the actual filename and ensure that it not only exists but
354: # is also readable:
355:
1.10 albertel 356: $KeyFilename = $CertificateDir.$pathsep.$KeyFilename;
1.6 foxr 357: if(! (-r $KeyFilename)) {
1.8 foxr 358: $lasterror = "Unreadable key file $KeyFilename";
1.6 foxr 359: return undef;
360: }
361:
362: return $KeyFilename;
1.4 foxr 363: }
1.2 foxr 364:
1.17 ! raeburn 365: sub CRLFile {
! 366:
! 367: # I need some perl variables from the configuration file for this:
! 368:
! 369: my $CertificateDir = $perlvar->{lonCertificateDirectory};
! 370: my $CRLFilename = $perlvar->{lonnetCertRevocationList};
! 371:
! 372: # Ensure the variables exist:
! 373:
! 374: if((!$CertificateDir) || (!$CRLFilename)) {
! 375: $lasterror = "Missing parameter dir: $CertificateDir "
! 376: ."CRL file: $CRLFilename";
! 377: return undef;
! 378: }
! 379:
! 380: # Build the actual filename and ensure that it not only exists but
! 381: # is also readable:
! 382:
! 383: $CRLFilename = $CertificateDir.$pathsep.$CRLFilename;
! 384: if(! (-r $CRLFilename)) {
! 385: $lasterror = "Unreadable key file $CRLFilename";
! 386: return undef;
! 387: }
! 388:
! 389: return $CRLFilename;
! 390: }
! 391:
! 392: sub BadCertDir {
! 393: my $SocketDir = $perlvar->{lonSockDir};
! 394: if (-d "$SocketDir/nosslverify/") {
! 395: return "$SocketDir/nosslverify"
! 396: }
! 397: }
! 398:
! 399: sub has_badcert_file {
! 400: my ($client) = @_;
! 401: my $SocketDir = $perlvar->{lonSockDir};
! 402: if (-e "$SocketDir/nosslverify/$client") {
! 403: return 1;
! 404: }
! 405: return;
! 406: }
! 407:
1.15 raeburn 408: sub Read_Connect_Config {
1.17 ! raeburn 409: my ($secureconf,$checkedcrl,$perlvarref) = @_;
! 410: return unless ((ref($secureconf) eq 'HASH') && (ref($checkedcrl) eq 'HASH'));
1.15 raeburn 411:
412: unless (ref($perlvarref) eq 'HASH') {
413: $perlvarref = $perlvar;
414: }
1.17 ! raeburn 415:
! 416: # Clear hash of clients for which Certificate Revocation List checked
! 417: foreach my $key (keys(%{$checkedcrl})) {
! 418: delete($checkedcrl->{$key});
! 419: }
1.15 raeburn 420: # Clean out the old table first.
421: foreach my $key (keys(%{$secureconf})) {
422: delete($secureconf->{$key});
423: }
424:
425: my $result;
426: my $tablename = $perlvarref->{'lonTabDir'}."/connectionrules.tab";
427: if (open(my $fh,"<$tablename")) {
428: while (my $line = <$fh>) {
429: chomp($line);
430: my ($name,$value) = split(/=/,$line);
431: if ($value =~ /^(?:no|yes|req)$/) {
432: if ($name =~ /^conn(to|from)_(dom|intdom|other)$/) {
433: $secureconf->{'conn'.$1}{$2} = $value;
434: }
435: }
436: }
437: close($fh);
438: return 'ok';
439: }
440: return;
441: }
442:
443: sub Read_Host_Types {
444: my ($hosttypes,$perlvarref) = @_;
445: return unless (ref($hosttypes) eq 'HASH');
446:
447: unless (ref($perlvarref) eq 'HASH') {
448: $perlvarref = $perlvar;
449: }
450:
451: # Clean out the old table first.
452: foreach my $key (keys(%{$hosttypes})) {
453: delete($hosttypes->{$key});
454: }
455:
456: my $result;
457: my $tablename = $perlvarref->{'lonTabDir'}."/hosttypes.tab";
458: if (open(my $fh,"<$tablename")) {
459: while (my $line = <$fh>) {
460: chomp($line);
461: my ($name,$value) = split(/:/,$line);
462: if (($name ne '') && ($value =~ /^(dom|intdom|other)$/)) {
463: $hosttypes->{$name} = $value;
464: }
465: }
466: close($fh);
467: return 'ok';
468: }
469: return;
470: }
471:
1.4 foxr 472: 1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lonssl.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom