Diff for /loncom/lonssl.pm between versions 1.7 and 1.12

version 1.7, 2004/06/01 09:53:44 version 1.12, 2015/10/15 13:40:27
Line 38  use strict; Line 38  use strict;
 use IO::Socket::INET;  use IO::Socket::INET;
 use IO::Socket::SSL;  use IO::Socket::SSL;
   
   use Fcntl;
   use POSIX;
   
 #  Loncapa modules:  #  Loncapa modules:
   
 use LONCAPA::Configuration;  use LONCAPA::Configuration;
Line 49  my $perlvar;   #  this refers to the apa Line 52  my $perlvar;   #  this refers to the apa
   
 my $pathsep = "/"; # We're on unix after all.  my $pathsep = "/"; # We're on unix after all.
   
   my $DEBUG = 0; # Set to non zero to enable debug output.
   
   
 # Initialization code:  # Initialization code:
   
 $perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');  $perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');
   
   
   my $lasterror="";
   
   
   
   sub LastError {
       return $lasterror;
   }
   
   sub Debug {
       my $msg  = shift;
       if ($DEBUG) {
    print STDERR $msg;
       }
   }
   
   #-------------------------------------------------------------------------
   # Name SetFdBlocking - 
   #      Turn blocking mode on on the file handle.  This is required for
   #      SSL key negotiation.
   #
   # Parameters:
   #      Handle   - Reference to the handle to modify.
   # Returns:
   #      prior flag settings.
   #
   sub SetFdBlocking {
       Debug("SetFdBlocking called \n");
       my $Handle = shift;
   
   
   
       my $flags  = fcntl($Handle, F_GETFL, 0);
       if(!$flags) {
    Debug("SetBLocking fcntl get faild $!\n");
       }
       my $newflags  = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK...
       if(!fcntl($Handle, F_SETFL, $newflags)) {
    Debug("Can't set non block mode  $!\n");
       }
       return $flags;
   }
   
 #--------------------------------------------------------------------------  #--------------------------------------------------------------------------
 #  #
Line 73  $perlvar = LONCAPA::Configuration::read_ Line 119  $perlvar = LONCAPA::Configuration::read_
 # - Reference to an SSL socket on success  # - Reference to an SSL socket on success
 #       - undef on failure.  Reason for failure can be interrogated from   #       - undef on failure.  Reason for failure can be interrogated from 
 #               IO::Socket::SSL  #               IO::Socket::SSL
   # Side effects:  socket is left in blocking mode!!
   #
   
 sub PromoteClientSocket {  sub PromoteClientSocket {
     my ($PlaintextSocket,      my ($PlaintextSocket,
Line 81  sub PromoteClientSocket { Line 129  sub PromoteClientSocket {
  $KeyFile)          = @_;   $KeyFile)          = @_;
           
           
       Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert\n");
   
     # To create the ssl socket we need to duplicate the existing      # To create the ssl socket we need to duplicate the existing
     # socket.  Otherwise closing the ssl socket will close the plaintext socket      # socket.  Otherwise closing the ssl socket will close the plaintext socket
     # too:      # too.  We also must flip into blocking mode for the duration of the
           # ssl negotiation phase.. the caller will have to flip to non block if
     open (DUPLICATE, "+>$PlaintextSocket");      # that's what they want
   
       my $oldflags = SetFdBlocking($PlaintextSocket);
       my $dupfno   = fcntl($PlaintextSocket, F_DUPFD, 0);
       Debug("Client promotion got dup = $dupfno\n");
   
           
     my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE),      my $client = IO::Socket::SSL->new_from_fd($dupfno,
       SSL_user_cert => 1,        SSL_use_cert => 1,
       SSL_key_file  => $KeyFile,        SSL_key_file  => $KeyFile,
       SSL_cert_file => $MyCert,        SSL_cert_file => $MyCert,
       SSL_ca_fie    => $$CACert);        SSL_ca_file   => $CACert);
           
       if(!$client) {
    $lasterror = IO::Socket::SSL::errstr();
    return undef;
       }
     return $client; # Undef if the client negotiation fails.      return $client; # Undef if the client negotiation fails.
 }  }
   
Line 112  sub PromoteClientSocket { Line 171  sub PromoteClientSocket {
 # - Reference to an SSL socket on success  # - Reference to an SSL socket on success
 #       - undef on failure.  Reason for failure can be interrogated from   #       - undef on failure.  Reason for failure can be interrogated from 
 #               IO::Socket::SSL  #               IO::Socket::SSL
   # Side Effects:
   #       Socket is left in blocking mode!!!
   #
 sub PromoteServerSocket {  sub PromoteServerSocket {
     my ($PlaintextSocket,      my ($PlaintextSocket,
  $CACert,   $CACert,
Line 124  sub PromoteServerSocket { Line 186  sub PromoteServerSocket {
     # socket.  Otherwise closing the ssl socket will close the plaintext socket      # socket.  Otherwise closing the ssl socket will close the plaintext socket
     # too:      # too:
   
     open (DUPLICATE, "+>$PlaintextSocket");      Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n");
    
     my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE),      my $oldflags = SetFdBlocking($PlaintextSocket);
       my $dupfno   = fcntl($PlaintextSocket, F_DUPFD, 0);
       if (!$dupfno) {
    Debug("dup failed: $!\n");
       }
       Debug(" Fileno = $dupfno\n");
       my $client = IO::Socket::SSL->new_from_fd($dupfno,
       SSL_server    => 1, # Server role.        SSL_server    => 1, # Server role.
       SSL_user_cert => 1,        SSL_user_cert => 1,
       SSL_key_file  => $KeyFile,        SSL_key_file  => $KeyFile,
       SSL_cert_file => $MyCert,        SSL_cert_file => $MyCert,
       SSL_ca_fie    => $$CACert);        SSL_ca_file   => $CACert);
       if(!$client) {
    $lasterror = IO::Socket::SSL::errstr();
    return undef;
       }
     return $client;      return $client;
 }  }
   
Line 170  sub GetPeerCertificate { Line 242  sub GetPeerCertificate {
     my $CertOwner = $SSLSocket->peer_certificate("owner");      my $CertOwner = $SSLSocket->peer_certificate("owner");
     my $CertCA    = $SSLSocket->peer_certificate("authority");      my $CertCA    = $SSLSocket->peer_certificate("authority");
           
     return \($CertCA, $CertOwner);      return ($CertCA, $CertOwner);
 }  }
 #----------------------------------------------------------------------------  #----------------------------------------------------------------------------
 #  #
Line 193  sub CertificateFile { Line 265  sub CertificateFile {
     #  Ensure the existence of these variables:      #  Ensure the existence of these variables:
           
     if((!$CertificateDir)  || (!$CaFilename) || (!$CertFilename)) {      if((!$CertificateDir)  || (!$CaFilename) || (!$CertFilename)) {
    $lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename "
               ."Cert: $CertFilename";
  return undef;   return undef;
     }      }
           
     #   Build the actual filenames and check for their existence and      #   Build the actual filenames and check for their existence and
     #   readability.      #   readability.
           
     my $CaFilename   = $CertificateDir.$pathsep.$CaFilename;      $CaFilename   = $CertificateDir.$pathsep.$CaFilename;
     my $CertFilename = $CertificateDir.$pathsep.$CertFilename;      $CertFilename = $CertificateDir.$pathsep.$CertFilename;
           
     if((! -r $CaFilename) || (! -r $CertFilename)) {      if((! -r $CaFilename) || (! -r $CertFilename)) {
    $lasterror = "CA file $CaFilename or Cert File: $CertFilename "
               ."not readable";
  return undef;   return undef;
     }      }
           
     # Everything works fine!!      # Everything works fine!!
           
     return \($CaFilename, $CertFilename);      return ($CaFilename, $CertFilename);
   
 }  }
 #------------------------------------------------------------------------  #------------------------------------------------------------------------
Line 230  sub KeyFile { Line 306  sub KeyFile {
     # Ensure the variables exist:      # Ensure the variables exist:
           
     if((!$CertificateDir) || (!$KeyFilename)) {      if((!$CertificateDir) || (!$KeyFilename)) {
    $lasterror = "Missing parameter dir: $CertificateDir "
               ."key: $KeyFilename";
  return undef;   return undef;
     }      }
           
     # Build the actual filename and ensure that it not only exists but      # Build the actual filename and ensure that it not only exists but
     # is also readable:      # is also readable:
           
     my $KeyFilename    = $CertificateDir.$pathsep.$KeyFilename;      $KeyFilename    = $CertificateDir.$pathsep.$KeyFilename;
     if(! (-r $KeyFilename)) {      if(! (-r $KeyFilename)) {
    $lasterror = "Unreadable key file $KeyFilename";
  return undef;   return undef;
     }      }
           

Removed from v.1.7  
changed lines
  Added in v.1.12


FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>