loncom/lonssl.pm - view

File: [LON-CAPA] / loncom / lonssl.pm
Revision 1.24: download - view: text, annotated - select for diffs
Fri Dec 14 02:05:38 2018 UTC (6 years ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, HEAD

- Include verification of common name when creating SSL tunnel unless
  connecting to/from pre-2.12 node.
- $IO::Socket::SSL::DEBUG is set to current $DEBUG value so debugging
  from IO/Socket/SSL.pm is written to lond_errors or lonc_errors.

# # $Id: lonssl.pm,v 1.24 2018/12/14 02:05:38 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # # This file is part of the LearningOnline Network with CAPA (LON-CAPA). # # LON-CAPA is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # LON-CAPA is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with LON-CAPA; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # /home/httpd/html/adm/gpl.txt # # http://www.lon-capa.org/ # package lonssl; # lonssl.pm # This file contains common functions used by lond and lonc when # negotiating the exchange of the session encryption key via an # SSL tunnel. # See the POD sections and function documentation for more information. # use strict; # CPAN/Standard modules: use IO::Socket::INET; use IO::Socket::SSL; use Net::SSLeay; use Fcntl; use POSIX; # Loncapa modules: use LONCAPA::Configuration; # Global storage: my $perlvar; # this refers to the apache perlsetvar # variable hash. my $pathsep = "/"; # We're on unix after all. my $DEBUG = 0; # Set to non zero to enable debug output. # Initialization code: $perlvar = LONCAPA::Configuration::read_conf('loncapa.conf'); my $lasterror=""; sub LastError { return $lasterror; } sub Debug { my $msg = shift; if ($DEBUG) { print STDERR $msg; } } #------------------------------------------------------------------------- # Name SetFdBlocking - # Turn blocking mode on on the file handle. This is required for # SSL key negotiation. # # Parameters: # Handle - Reference to the handle to modify. # Returns: # prior flag settings. # sub SetFdBlocking { Debug("SetFdBlocking called \n"); my $Handle = shift; my $flags = fcntl($Handle, F_GETFL, 0); if(!$flags) { Debug("SetBLocking fcntl get faild $!\n"); } my $newflags = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK... if(!fcntl($Handle, F_SETFL, $newflags)) { Debug("Can't set non block mode $!\n"); } return $flags; } #-------------------------------------------------------------------------- # # Name PromoteClientSocket # Description Given an ordinary IO::Socket::INET Creates an SSL socket # for a client that is connected to the same server. # Parameters Name Type Description # Socket IO::Socket::INET Original ordinary socket. # CACert string Full path name to the certificate # authority certificate file. # MyCert string Full path name to the certificate # issued to this host. # KeyFile string Full pathname to the host's private # key file for the certificate. # peer string lonid of remote LON-CAPA server # peerdef string default lonHostID of remote server # CRLFile Full path name to the certificate # revocation list file for the cluster # to which server belongs (optional) # serverversion LON-CAPA version running on remote # server. # Returns # - Reference to an SSL socket on success # - undef on failure. Reason for failure can be interrogated from # IO::Socket::SSL # Side effects: socket is left in blocking mode!! # sub PromoteClientSocket { my ($PlaintextSocket, $CACert, $MyCert, $KeyFile, $peer, $peerdef, $CRLFile, $serverversion) = @_; Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer, RemoteDefHost: $peerdef, RemoteLCVersion: $serverversion\n"); # To create the ssl socket we need to duplicate the existing # socket. Otherwise closing the ssl socket will close the plaintext socket # too. We also must flip into blocking mode for the duration of the # ssl negotiation phase.. the caller will have to flip to non block if # that's what they want my $oldflags = SetFdBlocking($PlaintextSocket); my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0); Debug("Client promotion got dup = $dupfno\n"); # Starting with IO::Socket::SSL rev. 1.79, carp warns that a verify # mode of SSL_VERIFY_NONE should be explicitly set for client, if # verification is not to be used, and SSL_verify_mode is not set. # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which # prevents an SSL connection to lond unless SSL_verifycn_name is set # to the lonHostID of the remote host, (and the remote certificate has # the remote lonHostID as CN, and has been signed by the LON-CAPA CA. # Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to # SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01 # used by CentOS/RHEL/Scientific Linux 5). my $verify_cn = $peerdef; if ($verify_cn eq '') { $verify_cn = $peer; } my %sslargs = (SSL_use_cert => 1, SSL_key_file => $KeyFile, SSL_cert_file => $MyCert, SSL_ca_file => $CACert); my ($major,$minor) = split(/\./,$serverversion); if (($major < 2) || ($major == 2 && $minor < 12)) { $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE(); } else { $sslargs{SSL_verifycn_scheme} = 'http', $sslargs{SSL_verifycn_name} = $verify_cn, $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER(); if (($CRLFile ne '') && (-e $CRLFile)) { $sslargs{SSL_check_crl} = 1; $sslargs{SSL_crl_file} = $CRLFile; } } # Uncomment next two $IO::Socket::SSL::DEBUG lines, for debugging # $IO::Socket::SSL::DEBUG = 0; # Set to integer >0 and <4 # # to write debugging to lonc_errors my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs); # $IO::Socket::SSL::DEBUG = 0; # Do not change if(!$client) { if ($IO::Socket::SSL::SSL_ERROR == -1) { $lasterror = -1; } return undef; } return $client; # Undef if the client negotiation fails. } #---------------------------------------------------------------------- # Name PromoteServerSocket # Description Given an ordinary IO::Socket::INET Creates an SSL socket # for a server that is connected to the same client. # Parameters Name Type Description # Socket IO::Socket::INET Original ordinary socket. # CACert string Full path name to the certificate # authority certificate file. # MyCert string Full path name to the certificate # issued to this host. # KeyFile string Full pathname to the host's private # key file for the certificate. # peer string lonHostID of remote LON-CAPA client # CRLFile Full path name to the certificate # revocation list file for the cluster # to which server belongs (optional) # clientversion LON-CAPA version running on remote # client # Returns # - Reference to an SSL socket on success # - undef on failure. Reason for failure can be interrogated from # IO::Socket::SSL # Side Effects: # Socket is left in blocking mode!!! # sub PromoteServerSocket { my ($PlaintextSocket, $CACert, $MyCert, $KeyFile, $peer, $CRLFile, $clientversion) = @_; # To create the ssl socket we need to duplicate the existing # socket. Otherwise closing the ssl socket will close the plaintext socket # too: Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n"); my $oldflags = SetFdBlocking($PlaintextSocket); my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0); if (!$dupfno) { Debug("dup failed: $!\n"); } Debug(" Fileno = $dupfno\n"); my %sslargs = (SSL_server => 1, # Server role. SSL_use_cert => 1, SSL_key_file => $KeyFile, SSL_cert_file => $MyCert, SSL_ca_file => $CACert); my ($major,$minor) = split(/\./,$clientversion); if (($major < 2) || ($major == 2 && $minor < 12)) { $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE(); } else { $sslargs{SSL_verifycn_scheme} = 'http'; $sslargs{SSL_verifycn_name} = $peer; $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER(); if (($CRLFile ne '') && (-e $CRLFile)) { $sslargs{SSL_check_crl} = 1; $sslargs{SSL_crl_file} = $CRLFile; } } # Uncomment next two $IO::Socket::SSL::DEBUG lines, for debugging # $IO::Socket::SSL::DEBUG = 0; # Set to integer >0 and <4 # # to write debugging to lond_errors my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs); # $IO::Socket::SSL::DEBUG = 0; # Do not change if(!$client) { if ($IO::Socket::SSL::SSL_ERROR == -1) { $lasterror = -1; } return undef; } return $client; } #------------------------------------------------------------------------- # # Name: Close # Description: Properly closes an ssl client or ssl server socket in # a way that keeps the parent socket open. # Parameters: Name Type Description # Socket IO::Socket::SSL SSL Socket gotten from either # PromoteClientSocket or # PromoteServerSocket # Returns: # NONE # sub Close { my $Socket = shift; $Socket->close(SSL_no_shutdown =>1); # Otherwise the parent socket # gets torn down. } #--------------------------------------------------------------------------- # # Name GetPeerCertificate # Description Inquires about the certificate of the peer of a connection. # Parameters Name Type Description # SSLSocket IO::Socket::SSL SSL tunnel socket open on # the peer. # Returns # A two element list. The first element of the list is the name of # the certificate authority. The second element of the list is the name # of the owner of the certificate. sub GetPeerCertificate { my $SSLSocket = shift; my $CertOwner = $SSLSocket->peer_certificate("owner"); my $CertCA = $SSLSocket->peer_certificate("authority"); return ($CertCA, $CertOwner); } #---------------------------------------------------------------------------- # # Name CertificateFile # Description Locate the certificate files for this host. # Returns # Returns a two element array. The first element contains the name of # the certificate file for this host. The second element contains the name # of the certificate file for the CA that granted the certificate. If # either file cannot be located, returns undef. # sub CertificateFile { # I need some perl variables from the configuration file for this: my $CertificateDir = $perlvar->{lonCertificateDirectory}; my $CaFilename = $perlvar->{lonnetCertificateAuthority}; my $CertFilename = $perlvar->{lonnetCertificate}; # Ensure the existence of these variables: if((!$CertificateDir) || (!$CaFilename) || (!$CertFilename)) { $lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename " ."Cert: $CertFilename"; return undef; } # Build the actual filenames and check for their existence and # readability. $CaFilename = $CertificateDir.$pathsep.$CaFilename; $CertFilename = $CertificateDir.$pathsep.$CertFilename; if((! -r $CaFilename) || (! -r $CertFilename)) { $lasterror = "CA file $CaFilename or Cert File: $CertFilename " ."not readable"; return undef; } # Everything works fine!! return ($CaFilename, $CertFilename); } #------------------------------------------------------------------------ # # Name KeyFile # Description # Returns the name of the private key file of the current host. # Returns # Returns the name of the key file or undef if the file cannot # be found. # sub KeyFile { # I need some perl variables from the configuration file for this: my $CertificateDir = $perlvar->{lonCertificateDirectory}; my $KeyFilename = $perlvar->{lonnetPrivateKey}; # Ensure the variables exist: if((!$CertificateDir) || (!$KeyFilename)) { $lasterror = "Missing parameter dir: $CertificateDir " ."key: $KeyFilename"; return undef; } # Build the actual filename and ensure that it not only exists but # is also readable: $KeyFilename = $CertificateDir.$pathsep.$KeyFilename; if(! (-r $KeyFilename)) { $lasterror = "Unreadable key file $KeyFilename"; return undef; } return $KeyFilename; } sub CRLFile { # I need some perl variables from the configuration file for this: my $CertificateDir = $perlvar->{lonCertificateDirectory}; my $CRLFilename = $perlvar->{lonnetCertRevocationList}; # Ensure the variables exist: if((!$CertificateDir) || (!$CRLFilename)) { $lasterror = "Missing parameter dir: $CertificateDir " ."CRL file: $CRLFilename"; return undef; } # Build the actual filename and ensure that it not only exists but # is also readable: $CRLFilename = $CertificateDir.$pathsep.$CRLFilename; if(! (-r $CRLFilename)) { $lasterror = "Unreadable key file $CRLFilename"; return undef; } return $CRLFilename; } sub BadCertDir { my $SocketDir = $perlvar->{lonSockDir}; if (-d "$SocketDir/nosslverify/") { return "$SocketDir/nosslverify" } } sub has_badcert_file { my ($client) = @_; my $SocketDir = $perlvar->{lonSockDir}; if (-e "$SocketDir/nosslverify/$client") { return 1; } return; } sub Read_Connect_Config { my ($secureconf,$perlvarref,$crlcheckedref) = @_; return unless (ref($secureconf) eq 'HASH'); unless (ref($perlvarref) eq 'HASH') { $perlvarref = $perlvar; } # Clear hash of clients in lond for which Certificate Revocation List checked if (ref($crlcheckedref) eq 'HASH') { foreach my $key (keys(%{$crlcheckedref})) { delete($crlcheckedref->{$key}); } } # Clean out the old table first. foreach my $key (keys(%{$secureconf})) { delete($secureconf->{$key}); } my $result; my $tablename = $perlvarref->{'lonTabDir'}."/connectionrules.tab"; if (open(my $fh,'<',$tablename)) { while (my $line = <$fh>) { chomp($line); my ($name,$value) = split(/=/,$line); if ($value =~ /^(?:no|yes|req)$/) { if ($name =~ /^conn(to|from)_(dom|intdom|other)$/) { $secureconf->{'conn'.$1}{$2} = $value; } } } close($fh); return 'ok'; } return; } sub Read_Host_Types { my ($hosttypes,$perlvarref) = @_; return unless (ref($hosttypes) eq 'HASH'); unless (ref($perlvarref) eq 'HASH') { $perlvarref = $perlvar; } # Clean out the old table first. foreach my $key (keys(%{$hosttypes})) { delete($hosttypes->{$key}); } my $result; my $tablename = $perlvarref->{'lonTabDir'}."/hosttypes.tab"; if (open(my $fh,'<',$tablename)) { while (my $line = <$fh>) { chomp($line); my ($name,$value) = split(/:/,$line); if (($name ne '') && ($value =~ /^(dom|intdom|other)$/)) { $hosttypes->{$name} = $value; } } close($fh); return 'ok'; } return; } 1;