File:  [LON-CAPA] / loncom / lonssl.pm
Revision 1.24: download - view: text, annotated - select for diffs
Fri Dec 14 02:05:38 2018 UTC (6 years, 1 month ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, HEAD
- Include verification of common name when creating SSL tunnel unless
  connecting to/from pre-2.12 node.
- $IO::Socket::SSL::DEBUG is set to current $DEBUG value so debugging
  from IO/Socket/SSL.pm is written to lond_errors or lonc_errors.

#
# $Id: lonssl.pm,v 1.24 2018/12/14 02:05:38 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
package lonssl;
#  lonssl.pm
#    This file contains common functions used by lond and lonc when 
#    negotiating the exchange of the session encryption key via an 
#    SSL tunnel.
#     See the POD sections and function documentation for more information.
#

use strict;

# CPAN/Standard  modules:

use IO::Socket::INET;
use IO::Socket::SSL;
use Net::SSLeay;

use Fcntl;
use POSIX;

#  Loncapa modules:

use LONCAPA::Configuration;

#  Global storage:

my $perlvar;			#  this refers to the apache perlsetvar 
                                # variable hash.

my $pathsep = "/";		# We're on unix after all.

my $DEBUG = 0;			# Set to non zero to enable debug output.


# Initialization code:

$perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');


my $lasterror="";



sub LastError {
    return $lasterror;
}

sub Debug {
    my $msg  = shift;
    if ($DEBUG) {
	print STDERR $msg;
    }
}

#-------------------------------------------------------------------------
# Name SetFdBlocking - 
#      Turn blocking mode on on the file handle.  This is required for
#      SSL key negotiation.
#
# Parameters:
#      Handle   - Reference to the handle to modify.
# Returns:
#      prior flag settings.
#
sub SetFdBlocking {
    Debug("SetFdBlocking called \n");
    my $Handle = shift;



    my $flags  = fcntl($Handle, F_GETFL, 0);
    if(!$flags) {
	Debug("SetBLocking fcntl get faild $!\n");
    }
    my $newflags  = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK...
    if(!fcntl($Handle, F_SETFL, $newflags)) {
	Debug("Can't set non block mode  $!\n");
    }
    return $flags;
}

#--------------------------------------------------------------------------
#
# Name	PromoteClientSocket
# Description	Given an ordinary IO::Socket::INET Creates an SSL socket 
#               for a client that is connected to the same server.
# Parameters	Name	Type	           Description
#               Socket	IO::Socket::INET   Original ordinary socket.
#               CACert	string	           Full path name to the certificate 
#                                          authority certificate file.
#               MyCert	string	           Full path name to the certificate 
#                                          issued to this host.
#               KeyFile string    	   Full pathname to the host's private 
#                                          key file for the certificate.
#               peer    string             lonid of remote LON-CAPA server
#               peerdef string             default lonHostID of remote server
#               CRLFile                    Full path name to the certificate
#                                          revocation list file for the cluster
#                                          to which server belongs (optional)
#               serverversion              LON-CAPA version running on remote
#                                          server.

# Returns
#	-	Reference to an SSL socket on success
#       -	undef on failure.  Reason for failure can be interrogated from 
#               IO::Socket::SSL
# Side effects:  socket is left in blocking mode!!
#

sub PromoteClientSocket {
    my ($PlaintextSocket,
	$CACert,
	$MyCert,
	$KeyFile,
        $peer,
        $peerdef,
        $CRLFile,
        $serverversion) = @_;

    Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer, RemoteDefHost: $peerdef, RemoteLCVersion: $serverversion\n");

    # To create the ssl socket we need to duplicate the existing
    # socket.  Otherwise closing the ssl socket will close the plaintext socket
    # too.  We also must flip into blocking mode for the duration of the
    # ssl negotiation phase.. the caller will have to flip to non block if
    # that's what they want

    my $oldflags = SetFdBlocking($PlaintextSocket);
    my $dupfno   = fcntl($PlaintextSocket, F_DUPFD, 0);
    Debug("Client promotion got dup = $dupfno\n");

    # Starting with IO::Socket::SSL rev. 1.79, carp warns that a verify 
    # mode of SSL_VERIFY_NONE should be explicitly set for client, if 
    # verification is not to be used, and SSL_verify_mode is not set.
    # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which
    # prevents an SSL connection to lond unless SSL_verifycn_name is set
    # to the lonHostID of the remote host, (and the remote certificate has
    # the remote lonHostID as CN, and has been signed by the LON-CAPA CA.
    # Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to
    # SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01
    # used by CentOS/RHEL/Scientific Linux 5).

    my $verify_cn = $peerdef;
    if ($verify_cn eq '') {
        $verify_cn = $peer;
    }

    my %sslargs = (SSL_use_cert      => 1,
                   SSL_key_file      => $KeyFile,
                   SSL_cert_file     => $MyCert,
                   SSL_ca_file       => $CACert);
    my ($major,$minor) = split(/\./,$serverversion);
    if (($major < 2) || ($major == 2 && $minor < 12)) {
        $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE();
    } else {
        $sslargs{SSL_verifycn_scheme} = 'http',
        $sslargs{SSL_verifycn_name} = $verify_cn,
        $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
        if (($CRLFile ne '') && (-e $CRLFile)) {
            $sslargs{SSL_check_crl} = 1;
            $sslargs{SSL_crl_file} = $CRLFile;
        }
    }
# Uncomment next two $IO::Socket::SSL::DEBUG lines, for debugging
#    $IO::Socket::SSL::DEBUG = 0; # Set to integer >0 and <4
#                                 # to write debugging to lonc_errors
    my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
#    $IO::Socket::SSL::DEBUG = 0; # Do not change
    if(!$client) {
        if ($IO::Socket::SSL::SSL_ERROR == -1) {
	    $lasterror = -1;
        }
	return undef;
    }
    return $client;		# Undef if the client negotiation fails.
}

#----------------------------------------------------------------------
# Name	PromoteServerSocket
# Description	Given an ordinary IO::Socket::INET Creates an SSL socket 
#               for a server that is connected to the same client.
# Parameters	Name	Type	           Description
#               Socket	IO::Socket::INET   Original ordinary socket.
#               CACert	string	           Full path name to the certificate 
#                                          authority certificate file.
#                MyCert	string	           Full path name to the certificate 
#                                          issued to this host.
#                KeyFile string    	   Full pathname to the host's private 
#                                          key file for the certificate.
#               peer   string              lonHostID of remote LON-CAPA client
#               CRLFile                    Full path name to the certificate
#                                          revocation list file for the cluster
#                                          to which server belongs (optional)
#               clientversion              LON-CAPA version running on remote
#                                          client
# Returns
#	-	Reference to an SSL socket on success
#       -	undef on failure.  Reason for failure can be interrogated from 
#               IO::Socket::SSL
# Side Effects:
#       Socket is left in blocking mode!!!
#
sub PromoteServerSocket {
    my ($PlaintextSocket,
	$CACert,
	$MyCert,
	$KeyFile,
        $peer,
        $CRLFile,
        $clientversion) = @_;

    # To create the ssl socket we need to duplicate the existing
    # socket.  Otherwise closing the ssl socket will close the plaintext socket
    # too:

    Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n");
 
    my $oldflags = SetFdBlocking($PlaintextSocket);
    my $dupfno   = fcntl($PlaintextSocket, F_DUPFD, 0);
    if (!$dupfno) {
	Debug("dup failed: $!\n");
    }
    Debug(" Fileno = $dupfno\n");
    my %sslargs = (SSL_server        => 1, # Server role.
                   SSL_use_cert      => 1,
                   SSL_key_file      => $KeyFile,
                   SSL_cert_file     => $MyCert,
                   SSL_ca_file       => $CACert);
    my ($major,$minor) = split(/\./,$clientversion);
    if (($major < 2) || ($major == 2 && $minor < 12)) {
        $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE();
    } else {
        $sslargs{SSL_verifycn_scheme} = 'http'; 
        $sslargs{SSL_verifycn_name} = $peer;
        $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
        if (($CRLFile ne '') && (-e $CRLFile)) {
            $sslargs{SSL_check_crl} = 1;
            $sslargs{SSL_crl_file} = $CRLFile;
        }
    }
# Uncomment next two $IO::Socket::SSL::DEBUG lines, for debugging
#    $IO::Socket::SSL::DEBUG = 0; # Set to integer >0 and <4
#                                 # to write debugging to lond_errors
    my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
#    $IO::Socket::SSL::DEBUG = 0; # Do not change
    if(!$client) {
        if ($IO::Socket::SSL::SSL_ERROR == -1) {
            $lasterror = -1;
        }
	return undef;
    }
    return $client;
}

#-------------------------------------------------------------------------
#
# Name: Close
# Description: Properly closes an ssl client or ssl server socket in
#              a way that keeps the parent socket open.
# Parameters:  Name      Type            Description
#              Socket   IO::Socket::SSL  SSL Socket gotten from either
#                                        PromoteClientSocket or 
#                                        PromoteServerSocket
# Returns:
#   NONE
#
sub Close {
    my $Socket = shift;
    
    $Socket->close(SSL_no_shutdown =>1); # Otherwise the parent socket 
                                         # gets torn down.
}
#---------------------------------------------------------------------------
#
# Name   	GetPeerCertificate
# Description	Inquires about the certificate of the peer of a connection.
# Parameters	Name	        Type	          Description
#               SSLSocket	IO::Socket::SSL	  SSL tunnel socket open on 
#                                                 the peer.
# Returns
#	A two element list.  The first element of the list is the name of 
#       the certificate authority.  The second element of the list is the name 
#       of the owner of the certificate.
sub GetPeerCertificate {
    my $SSLSocket = shift;
    
    my $CertOwner = $SSLSocket->peer_certificate("owner");
    my $CertCA    = $SSLSocket->peer_certificate("authority");
    
    return ($CertCA, $CertOwner);
}
#----------------------------------------------------------------------------
#
# Name  	CertificateFile
# Description	Locate the certificate files for this host.
# Returns
#	Returns a two element array.  The first element contains the name of
#  the certificate file for this host.  The second element contains the name
#  of the  certificate file for the CA that granted the certificate.  If 
#  either file cannot be located, returns undef.
#
sub CertificateFile {

    # I need some perl variables from the configuration file for this:
    
    my $CertificateDir  = $perlvar->{lonCertificateDirectory};
    my $CaFilename      = $perlvar->{lonnetCertificateAuthority};
    my $CertFilename    = $perlvar->{lonnetCertificate};
    
    #  Ensure the existence of these variables:
    
    if((!$CertificateDir)  || (!$CaFilename) || (!$CertFilename)) {
	$lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename "
	            ."Cert: $CertFilename";
	return undef;
    }
    
    #   Build the actual filenames and check for their existence and
    #   readability.
    
    $CaFilename   = $CertificateDir.$pathsep.$CaFilename;
    $CertFilename = $CertificateDir.$pathsep.$CertFilename;
    
    if((! -r $CaFilename) || (! -r $CertFilename)) {
	$lasterror = "CA file $CaFilename or Cert File: $CertFilename "
	            ."not readable";
	return undef;
    }
    
    # Everything works fine!!
    
    return ($CaFilename, $CertFilename);

}
#------------------------------------------------------------------------
#
# Name	        KeyFile
# Description
#      Returns the name of the private key file of the current host.
# Returns
#      Returns the name of the key file or undef if the file cannot 
#      be found.
#
sub KeyFile {

    # I need some perl variables from the configuration file for this:
    
    my $CertificateDir   = $perlvar->{lonCertificateDirectory};
    my $KeyFilename      = $perlvar->{lonnetPrivateKey};
    
    # Ensure the variables exist:
    
    if((!$CertificateDir) || (!$KeyFilename)) {
	$lasterror = "Missing parameter dir: $CertificateDir "
	            ."key: $KeyFilename";
	return undef;
    }
    
    # Build the actual filename and ensure that it not only exists but
    # is also readable:
    
    $KeyFilename    = $CertificateDir.$pathsep.$KeyFilename;
    if(! (-r $KeyFilename)) {
	$lasterror = "Unreadable key file $KeyFilename";
	return undef;
    }
    
    return $KeyFilename;
}

sub CRLFile {

    # I need some perl variables from the configuration file for this:

    my $CertificateDir   = $perlvar->{lonCertificateDirectory};
    my $CRLFilename      = $perlvar->{lonnetCertRevocationList};

    # Ensure the variables exist:

    if((!$CertificateDir) || (!$CRLFilename)) {
        $lasterror = "Missing parameter dir: $CertificateDir "
                    ."CRL file: $CRLFilename";
        return undef;
    }

    # Build the actual filename and ensure that it not only exists but
    # is also readable:

    $CRLFilename    = $CertificateDir.$pathsep.$CRLFilename;
    if(! (-r $CRLFilename)) {
        $lasterror = "Unreadable key file $CRLFilename";
        return undef;
    }

    return $CRLFilename;
}

sub BadCertDir {
    my $SocketDir = $perlvar->{lonSockDir};
    if (-d "$SocketDir/nosslverify/") {
        return "$SocketDir/nosslverify"
    }
}

sub has_badcert_file {
    my ($client) = @_;
    my $SocketDir = $perlvar->{lonSockDir};
    if (-e "$SocketDir/nosslverify/$client") {
        return 1;
    }
    return;
}

sub Read_Connect_Config {
    my ($secureconf,$perlvarref,$crlcheckedref) = @_;
    return unless (ref($secureconf) eq 'HASH');

    unless (ref($perlvarref) eq 'HASH') {
        $perlvarref = $perlvar;
    }

    # Clear hash of clients in lond for which Certificate Revocation List checked
    if (ref($crlcheckedref) eq 'HASH') {
        foreach my $key (keys(%{$crlcheckedref})) {
            delete($crlcheckedref->{$key});
        }
    }
    # Clean out the old table first.
    foreach my $key (keys(%{$secureconf})) {
        delete($secureconf->{$key});
    }

    my $result;
    my $tablename = $perlvarref->{'lonTabDir'}."/connectionrules.tab";
    if (open(my $fh,'<',$tablename)) {
        while (my $line = <$fh>) {
            chomp($line);
            my ($name,$value) = split(/=/,$line);
            if ($value =~ /^(?:no|yes|req)$/) {
                if ($name =~ /^conn(to|from)_(dom|intdom|other)$/) {
                    $secureconf->{'conn'.$1}{$2} = $value;
                }
            }
        }
        close($fh);
        return 'ok';
    }
    return;
}

sub Read_Host_Types {
    my ($hosttypes,$perlvarref) = @_;
    return unless (ref($hosttypes) eq 'HASH');

    unless (ref($perlvarref) eq 'HASH') {
        $perlvarref = $perlvar;
    }

    # Clean out the old table first.
    foreach my $key (keys(%{$hosttypes})) {
        delete($hosttypes->{$key});
    }

    my $result;
    my $tablename = $perlvarref->{'lonTabDir'}."/hosttypes.tab";
    if (open(my $fh,'<',$tablename)) {
        while (my $line = <$fh>) {
            chomp($line);
            my ($name,$value) = split(/:/,$line);
            if (($name ne '') && ($value =~ /^(dom|intdom|other)$/)) { 
                $hosttypes->{$name} = $value;
            }
        }
        close($fh);
        return 'ok';
    }
    return;
}

1;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>