loncom/LondConnection.pm - diff

Return to LondConnection.pm CVS log

Up to [LON-CAPA] / loncom

Diff for /loncom/LondConnection.pm between versions 1.53.2.1 and 1.57

version 1.53.2.1, 2018/09/02 18:30:54	version 1.57, 2018/08/07 17:12:09
Line 40 use LONCAPA::lonlocal;	Line 40 use LONCAPA::lonlocal;
use LONCAPA::lonssl;	use LONCAPA::lonssl;




my $DebugLevel=0;	my $DebugLevel=0;
my %perlvar;	my %perlvar;
	my %secureconf;
	my %badcerts;
	my %hosttypes;
	my %crlchecked;
my $InsecureOk;	my $InsecureOk;

#	#
Line 70 sub ReadConfig {	Line 72 sub ReadConfig {
my $perlvarref = read_conf('loncapa.conf');	my $perlvarref = read_conf('loncapa.conf');
%perlvar = %{$perlvarref};	%perlvar = %{$perlvarref};
$ConfigRead = 1;	$ConfigRead = 1;

$InsecureOk = $perlvar{loncAllowInsecure};	$InsecureOk = $perlvar{loncAllowInsecure};

	unless (lonssl::Read_Connect_Config(\%secureconf,\%perlvar) eq 'ok') {
	Debug(1,"Failed to retrieve secureconf hash.\n");
	}
	unless (lonssl::Read_Host_Types(\%hosttypes,\%perlvar) eq 'ok') {
	Debug(1,"Failed to retrieve hosttypes hash.\n");
	}
	%badcerts = ();
	%crlchecked = ();
	}

	sub ResetReadConfig {
	$ConfigRead = 0;
}	}

sub Debug {	sub Debug {
Line 161 sub new {	Line 176 sub new {
}	}
&Debug(4,$class."::new( ".$DnsName.",".$Port.",".$lonid.")\n");	&Debug(4,$class."::new( ".$DnsName.",".$Port.",".$lonid.")\n");

	my ($conntype,$gotconninfo,$allowinsecure);
	if ((ref($secureconf{'connto'}) eq 'HASH') &&
	(exists($hosttypes{$lonid}))) {
	$conntype = $secureconf{'connto'}{$hosttypes{$lonid}};
	if ($conntype ne '') {
	if ($conntype ne 'req') {
	$allowinsecure = 1;
	}
	$gotconninfo = 1;
	}
	}
	unless ($gotconninfo) {
	$allowinsecure = $InsecureOk;
	}

# The host must map to an entry in the hosts table:	# The host must map to an entry in the hosts table:
# We connect to the dns host that corresponds to that	# We connect to the dns host that corresponds to that
# system and use the hostname for the encryption key	# system and use the hostname for the encryption key
Line 176 sub new {	Line 206 sub new {
Port => $Port,	Port => $Port,
State => "Initialized",	State => "Initialized",
AuthenticationMode => "",	AuthenticationMode => "",
	InsecureOK => $allowinsecure,
TransactionRequest => "",	TransactionRequest => "",
TransactionReply => "",	TransactionReply => "",
NextRequest => "",	NextRequest => "",
Line 216 sub new {	Line 247 sub new {
# allowed...else give up right away.	# allowed...else give up right away.

if(!(defined $key) \|\| !(defined $keyfile)) {	if(!(defined $key) \|\| !(defined $keyfile)) {
if($InsecureOk) {	my $canconnect = 0;
	if (ref($secureconf{'connto'}) eq 'HASH') {
	unless ($secureconf{'connto'}->{'dom'} eq 'req') {
	$canconnect = 1;
	}
	} else {
	$canconnect = $InsecureOk;
	}
	if ($canconnect) {
$self->{AuthenticationMode} = "insecure";	$self->{AuthenticationMode} = "insecure";
$self->{TransactionRequest} = "init\n";	$self->{TransactionRequest} = "init\n";
}	}
Line 239 sub new {	Line 278 sub new {

my ($ca, $cert) = lonssl::CertificateFile;	my ($ca, $cert) = lonssl::CertificateFile;
my $sslkeyfile = lonssl::KeyFile;	my $sslkeyfile = lonssl::KeyFile;
	my $badcertfile = lonssl::has_badcert_file($self->{LoncapaHim});

if((defined $ca) && (defined $cert) && (defined $sslkeyfile)) {	if (($conntype ne 'no') && (defined($ca)) && (defined($cert)) && (defined($sslkeyfile)) &&
	(!exists($badcerts{$self->{LoncapaHim}})) && !$badcertfile) {
$self->{AuthenticationMode} = "ssl";	$self->{AuthenticationMode} = "ssl";
$self->{TransactionRequest} = "init:ssl:$perlvar{'lonVersion'}\n";	$self->{TransactionRequest} = "init:ssl:$perlvar{'lonVersion'}\n";
	} elsif ($self->{InsecureOK}) {
	# Allowed to do insecure:
	$self->{AuthenticationMode} = "insecure";
	$self->{TransactionRequest} = "init::$perlvar{'lonVersion'}\n";
} else {	} else {
if($InsecureOk) { # Allowed to do insecure:	# Not allowed to do insecure...
$self->{AuthenticationMode} = "insecure";	$socket->close;
$self->{TransactionRequest} = "init::$perlvar{'lonVersion'}\n";	return undef;
}
else { # Not allowed to do insecure...
$socket->close;
return undef;
}
}	}
}	}

Line 399 sub Readable {	Line 438 sub Readable {
}	}
elsif ($ConnectionMode eq "ssl") {	elsif ($ConnectionMode eq "ssl") {
if($Response =~ /^ok:ssl/) { # Good ssl...	if($Response =~ /^ok:ssl/) { # Good ssl...
if($self->ExchangeKeysViaSSL()) { # Success skip to vsn stuff	my $sslresult = $self->ExchangeKeysViaSSL();
	if ($sslresult == 1) { # Success skip to vsn stuff
# Need to reset to non blocking:	# Need to reset to non blocking:

my $flags = fcntl($socket, F_GETFL, 0);	my $flags = fcntl($socket, F_GETFL, 0);
fcntl($socket, F_SETFL, $flags \| O_NONBLOCK);	fcntl($socket, F_SETFL, $flags \| O_NONBLOCK);
$self->ToVersionRequest();	$self->ToVersionRequest();
return 0;	return 0;
}	}
else { # Failed in ssl exchange.	else { # Failed in ssl exchange.
	if (($sslresult == -1) && (lonssl::LastError == -1) && ($self->{InsecureOK})) {
	my $badcertdir = &lonssl::BadCertDir();
	if (($badcertdir) && $self->{LoncapaHim}) {
	if (open(my $fh,'>',"$badcertdir/".$self->{LoncapaHim})) {
	close($fh);
	}
	}
	$badcerts{$self->{LoncapaHim}} = 1;
	&Debug(3,"SSL verification failed: close socket and initiate insecure connection");
	$self->Transition("ReInitNoSSL");
	$socket->close;
	return -1;
	}
&Debug(3,"init:ssl failed key negotiation!");	&Debug(3,"init:ssl failed key negotiation!");
$self->Transition("Disconnected");	$self->Transition("Disconnected");
$socket->close;	$socket->close;
return -1;	return -1;
}	}
}	}
elsif ($Response =~ /^[0-9]+/) { # Old style lond.	elsif ($Response =~ /^[0-9]+/) { # Old style lond.
return $self->CompleteInsecure();	return $self->CompleteInsecure();
Line 1002 sub CreateCipher {	Line 1055 sub CreateCipher {
sub ExchangeKeysViaSSL {	sub ExchangeKeysViaSSL {
my $self = shift;	my $self = shift;
my $socket = $self->{Socket};	my $socket = $self->{Socket};
	my $peer = $self->{LoncapaHim};

# Get our signed certificate, the certificate authority's	# Get our signed certificate, the certificate authority's
# certificate and our private key file. All of these	# certificate and our private key file. All of these
Line 1010 sub ExchangeKeysViaSSL {	Line 1064 sub ExchangeKeysViaSSL {
my ($SSLCACertificate,	my ($SSLCACertificate,
$SSLCertificate) = lonssl::CertificateFile();	$SSLCertificate) = lonssl::CertificateFile();
my $SSLKey = lonssl::KeyFile();	my $SSLKey = lonssl::KeyFile();
	my $CRLFile;
	unless ($crlchecked{$peer}) {
	$CRLFile = lonssl::CRLFile();
	$crlchecked{$peer} = 1;
	}
# Promote our connection to ssl and read the key from lond.	# Promote our connection to ssl and read the key from lond.

my $SSLSocket = lonssl::PromoteClientSocket($socket,	my $SSLSocket = lonssl::PromoteClientSocket($socket,
$SSLCACertificate,	$SSLCACertificate,
$SSLCertificate,	$SSLCertificate,
$SSLKey);	$SSLKey,
	$peer,
	$CRLFile);
if(defined $SSLSocket) {	if(defined $SSLSocket) {
my $key = <$SSLSocket>;	my $key = <$SSLSocket>;
lonssl::Close($SSLSocket);	lonssl::Close($SSLSocket);
Line 1032 sub ExchangeKeysViaSSL {	Line 1092 sub ExchangeKeysViaSSL {
else {	else {
# Failed!!	# Failed!!
Debug(3, "Failed to negotiate SSL connection!");	Debug(3, "Failed to negotiate SSL connection!");
return 0;	return -1;
}	}
# should not get here	# should not get here
return 0;	return 0;
Line 1057 sub ExchangeKeysViaSSL {	Line 1117 sub ExchangeKeysViaSSL {
#	#
sub CompleteInsecure {	sub CompleteInsecure {
my $self = shift;	my $self = shift;
if($InsecureOk) {	if ($self->{InsecureOK}) {
$self->{AuthenticationMode} = "insecure";	$self->{AuthenticationMode} = "insecure";
&Debug(8," Transition out of Initialized:insecure");	&Debug(8," Transition out of Initialized:insecure");
$self->{TransactionRequest} = $self->{TransactionReply};	$self->{TransactionRequest} = $self->{TransactionReply};
Line 1169 sub PeerLoncapaHim {	Line 1229 sub PeerLoncapaHim {
return $self->{LoncapaHim};	return $self->{LoncapaHim};
}	}

	#
	# Get the Authentication mode
	#

	sub GetKeyMode {
	my $self = shift;
	return $self->{AuthenticationMode};
	}

1;	1;

=pod	=pod

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.53.2.1
changed lines
	Added in v.1.57