loncom/lonssl.pm - diff

Return to lonssl.pm CVS log

Up to [LON-CAPA] / loncom

Diff for /loncom/lonssl.pm between versions 1.4 and 1.10

-version 1.4, 2004/05/27 10:03:58
+version 1.10, 2006/08/25 17:49:15
  Line 23
  #
  # http://www.lon-capa.org/
  #
+ package lonssl;
  #  lonssl.pm
  #    This file contains common functions used by lond and lonc when
  #    negotiating the exchange of the session encryption key via an
  Line 33
  use strict;
- # CPAN modules:
+ # CPAN/Standard  modules:
  use IO::Socket::INET;
  use IO::Socket::SSL;
+ use Fcntl;
+ use POSIX;
  #  Loncapa modules:
  use LONCAPA::Configuration;
  #  Global storage:
- my $perlvar;			# When configRead is true this refers to
+ my $perlvar;			#  this refers to the apache perlsetvar
-                                 # the apache perlsetvar variable hash.
+                                 # variable hash.
  my $pathsep = "/";		# We're on unix after all.
+ my $DEBUG = 0;			# Set to non zero to enable debug output.
  # Initialization code:
  $perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');
+ my $lasterror="";
+ sub LastError {
+     return $lasterror;
+ }
+ sub Debug {
+     my $msg  = shift;
+     if ($DEBUG) {
+ 	print STDERR $msg;
+     }
+ }
+ #-------------------------------------------------------------------------
+ # Name SetFdBlocking -
+ #      Turn blocking mode on on the file handle.  This is required for
+ #      SSL key negotiation.
+ #
+ # Parameters:
+ #      Handle   - Reference to the handle to modify.
+ # Returns:
+ #      prior flag settings.
+ #
+ sub SetFdBlocking {
+     Debug("SetFdBlocking called \n");
+     my $Handle = shift;
+     my $flags  = fcntl($Handle, F_GETFL, 0);
+     if(!$flags) {
+ 	Debug("SetBLocking fcntl get faild $!\n");
+     }
+     my $newflags  = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK...
+     if(!fcntl($Handle, F_SETFL, $newflags)) {
+ 	Debug("Can't set non block mode  $!\n");
+     }
+     return $flags;
+ }
  #--------------------------------------------------------------------------
  #
- Line 73  $perlvar = LONCAPA::Configuration::read_
+ Line 119  $perlvar = LONCAPA::Configuration::read_
  #	-	Reference to an SSL socket on success
  #       -	undef on failure.  Reason for failure can be interrogated from
  #               IO::Socket::SSL
+ # Side effects:  socket is left in blocking mode!!
+ #
  sub PromoteClientSocket {
-     my $PlaintextSocket    = shift;
+     my ($PlaintextSocket,
-     my $CACert             = shift;
+ 	$CACert,
-     my $MyCert             = shift;
+ 	$MyCert,
-     my $KeyFile            = shift;
+ 	$KeyFile)          = @_;
+     Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert\n");
      # To create the ssl socket we need to duplicate the existing
      # socket.  Otherwise closing the ssl socket will close the plaintext socket
-     # too:
+     # too.  We also must flip into blocking mode for the duration of the
+     # ssl negotiation phase.. the caller will have to flip to non block if
-     open (DUPLICATE, "+>$PlaintextSocket");
+     # that's what they want
+     my $oldflags = SetFdBlocking($PlaintextSocket);
+     my $dupfno   = fcntl($PlaintextSocket, F_DUPFD, 0);
+     Debug("Client promotion got dup = $dupfno\n");
-     my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE),
+     my $client = IO::Socket::SSL->new_from_fd($dupfno,
  					      SSL_user_cert => 1,
  					      SSL_key_file  => $KeyFile,
  					      SSL_cert_file => $MyCert,
- 					      SSL_ca_fie    => $$CACert);
+ 					      SSL_ca_fie    => $CACert);
+     if(!$client) {
+ 	$lasterror = IO::Socket::SSL::errstr();
+ 	return undef;
+     }
      return $client;		# Undef if the client negotiation fails.
  }
- Line 111  sub PromoteClientSocket {
+ Line 171  sub PromoteClientSocket {
  #	-	Reference to an SSL socket on success
  #       -	undef on failure.  Reason for failure can be interrogated from
  #               IO::Socket::SSL
+ # Side Effects:
+ #       Socket is left in blocking mode!!!
+ #
  sub PromoteServerSocket {
-     my $PlaintextSocket    = shift;
+     my ($PlaintextSocket,
-     my $CACert             = shift;
+ 	$CACert,
-     my $MyCert             = shift;
+ 	$MyCert,
-     my $KeyFile            = shift;
+ 	$KeyFile)          = @_;
      # To create the ssl socket we need to duplicate the existing
      # socket.  Otherwise closing the ssl socket will close the plaintext socket
      # too:
-     open (DUPLICATE, "+>$PlaintextSocket");
+     Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n");
-     my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE),
+     my $oldflags = SetFdBlocking($PlaintextSocket);
+     my $dupfno   = fcntl($PlaintextSocket, F_DUPFD, 0);
+     if (!$dupfno) {
+ 	Debug("dup failed: $!\n");
+     }
+     Debug(" Fileno = $dupfno\n");
+     my $client = IO::Socket::SSL->new_from_fd($dupfno,
  					      SSL_server    => 1, # Server role.
  					      SSL_user_cert => 1,
  					      SSL_key_file  => $KeyFile,
  					      SSL_cert_file => $MyCert,
- 					      SSL_ca_fie    => $$CACert);
+ 					      SSL_ca_fie    => $CACert);
+     if(!$client) {
+ 	$lasterror = IO::Socket::SSL::errstr();
+ 	return undef;
+     }
      return $client;
  }
- Line 163  sub Close {
+ Line 237  sub Close {
  #       the certificate authority.  The second element of the list is the name
  #       of the owner of the certificate.
  sub GetPeerCertificate {
-   my $SSLSocket = shift;
+     my $SSLSocket = shift;
-   my $CertOwner = $SSLSocket->peer_certificate("owner");
+     my $CertOwner = $SSLSocket->peer_certificate("owner");
-   my $CertCA    = $SSLSocket->peer_certificate("authority");
+     my $CertCA    = $SSLSocket->peer_certificate("authority");
-   return \($CertCA, $CertOwner);
+     return ($CertCA, $CertOwner);
  }
  #----------------------------------------------------------------------------
  #
- Line 182  sub GetPeerCertificate {
+ Line 256  sub GetPeerCertificate {
  #
  sub CertificateFile {
-   # I need some perl variables from the configuration file for this:
+     # I need some perl variables from the configuration file for this:
-   my $CertificateDir  = $perlvar->{lonCertificateDirectory};
+     my $CertificateDir  = $perlvar->{lonCertificateDirectory};
-   my $CaFilename      = $perlvar->{lonnetCertificateAuthority};
+     my $CaFilename      = $perlvar->{lonnetCertificateAuthority};
-   my $CertFilename    = $perlvar->{lonnetCertificate};
+     my $CertFilename    = $perlvar->{lonnetCertificate};
-   #  Ensure the existence of these variables:
+     #  Ensure the existence of these variables:
-   if((!$CertificateDir)  || (!$CaFilename) || (!$CertFilename)) {
+     if((!$CertificateDir)  || (!$CaFilename) || (!$CertFilename)) {
-     return undef;
+ 	$lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename "
-   }
+ 	            ."Cert: $CertFilename";
+ 	return undef;
-   #   Build the actual filenames and check for their existence and
+     }
-   #   readability.
+     #   Build the actual filenames and check for their existence and
-   my $CaFilename   = $CertificateDir.$pathsep.$CaFilename;
+     #   readability.
-   my $CertFilename = $CertificateDir.$pathsep.$CertFilename;
+     $CaFilename   = $CertificateDir.$pathsep.$CaFilename;
-   if((! -r $CaFilename) || (! -r $CertFilename)) {
+     $CertFilename = $CertificateDir.$pathsep.$CertFilename;
-     return undef;
-   }
+     if((! -r $CaFilename) || (! -r $CertFilename)) {
+ 	$lasterror = "CA file $CaFilename or Cert File: $CertFilename "
-   # Everything works fine!!
+ 	            ."not readable";
+ 	return undef;
-   return \($CaFilename, $CertFilename);
+     }
+     # Everything works fine!!
+     return ($CaFilename, $CertFilename);
  }
  #------------------------------------------------------------------------
- Line 220  sub CertificateFile {
+ Line 298  sub CertificateFile {
  #
  sub KeyFile {
-   # I need some perl variables from the configuration file for this:
+     # I need some perl variables from the configuration file for this:
-   my $CertificateDir   = $perlvar->{lonCertificateDirectory};
+     my $CertificateDir   = $perlvar->{lonCertificateDirectory};
-   my $KeyFilename      = $perlvar->{lonnetPrivateKey};
+     my $KeyFilename      = $perlvar->{lonnetPrivateKey};
-   # Ensure the variables exist:
+     # Ensure the variables exist:
-   if((!$CertificateDir) || (!$KeyFilename)) {
+     if((!$CertificateDir) || (!$KeyFilename)) {
-     return undef;
+ 	$lasterror = "Missing parameter dir: $CertificateDir "
-   }
+ 	            ."key: $KeyFilename";
+ 	return undef;
-   # Build the actual filename and ensure that it not only exists but
+     }
-   # is also readable:
+     # Build the actual filename and ensure that it not only exists but
-   my $KeyFilename    = $CertificateDir.$pathsep.$KeyFilename;
+     # is also readable:
-   if(! (-r $KeyFilename)) {
-     return undef;
+     $KeyFilename    = $CertificateDir.$pathsep.$KeyFilename;
-   }
+     if(! (-r $KeyFilename)) {
+ 	$lasterror = "Unreadable key file $KeyFilename";
-   return $KeyFilename;
+ 	return undef;
+     }
+     return $KeyFilename;
  }
 ;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.4
changed lines
	Added in v.1.10