loncom/lonssl.pm - diff

Return to lonssl.pm CVS log

Up to [LON-CAPA] / loncom

Diff for /loncom/lonssl.pm between versions 1.6 and 1.12

version 1.6, 2004/05/28 09:37:03	version 1.12, 2015/10/15 13:40:27
Line 35 use strict;	Line 35 use strict;

# CPAN/Standard modules:	# CPAN/Standard modules:

use English;
use IO::Socket::INET;	use IO::Socket::INET;
use IO::Socket::SSL;	use IO::Socket::SSL;

	use Fcntl;
	use POSIX;

# Loncapa modules:	# Loncapa modules:

use LONCAPA::Configuration;	use LONCAPA::Configuration;
Line 50 my $perlvar; # this refers to the apa	Line 52 my $perlvar; # this refers to the apa

my $pathsep = "/"; # We're on unix after all.	my $pathsep = "/"; # We're on unix after all.

	my $DEBUG = 0; # Set to non zero to enable debug output.


# Initialization code:	# Initialization code:

$perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');	$perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');


	my $lasterror="";



	sub LastError {
	return $lasterror;
	}

	sub Debug {
	my $msg = shift;
	if ($DEBUG) {
	print STDERR $msg;
	}
	}

	#-------------------------------------------------------------------------
	# Name SetFdBlocking -
	# Turn blocking mode on on the file handle. This is required for
	# SSL key negotiation.
	#
	# Parameters:
	# Handle - Reference to the handle to modify.
	# Returns:
	# prior flag settings.
	#
	sub SetFdBlocking {
	Debug("SetFdBlocking called \n");
	my $Handle = shift;



	my $flags = fcntl($Handle, F_GETFL, 0);
	if(!$flags) {
	Debug("SetBLocking fcntl get faild $!\n");
	}
	my $newflags = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK...
	if(!fcntl($Handle, F_SETFL, $newflags)) {
	Debug("Can't set non block mode $!\n");
	}
	return $flags;
	}

#--------------------------------------------------------------------------	#--------------------------------------------------------------------------
#	#
Line 74 $perlvar = LONCAPA::Configuration::read_	Line 119 $perlvar = LONCAPA::Configuration::read_
# - Reference to an SSL socket on success	# - Reference to an SSL socket on success
# - undef on failure. Reason for failure can be interrogated from	# - undef on failure. Reason for failure can be interrogated from
# IO::Socket::SSL	# IO::Socket::SSL
	# Side effects: socket is left in blocking mode!!
	#

sub PromoteClientSocket {	sub PromoteClientSocket {
my ($PlaintextSocket,	my ($PlaintextSocket,
$CACert,	$CACert,
$MyCert,	$MyCert,
$KeyFile) = @ARG;	$KeyFile) = @_;


	Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert\n");

# To create the ssl socket we need to duplicate the existing	# To create the ssl socket we need to duplicate the existing
# socket. Otherwise closing the ssl socket will close the plaintext socket	# socket. Otherwise closing the ssl socket will close the plaintext socket
# too:	# too. We also must flip into blocking mode for the duration of the
	# ssl negotiation phase.. the caller will have to flip to non block if
open (DUPLICATE, "+>$PlaintextSocket");	# that's what they want

	my $oldflags = SetFdBlocking($PlaintextSocket);
	my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
	Debug("Client promotion got dup = $dupfno\n");


my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE),	my $client = IO::Socket::SSL->new_from_fd($dupfno,
SSL_user_cert => 1,	SSL_use_cert => 1,
SSL_key_file => $KeyFile,	SSL_key_file => $KeyFile,
SSL_cert_file => $MyCert,	SSL_cert_file => $MyCert,
SSL_ca_fie => $$CACert);	SSL_ca_file => $CACert);

	if(!$client) {
	$lasterror = IO::Socket::SSL::errstr();
	return undef;
	}
return $client; # Undef if the client negotiation fails.	return $client; # Undef if the client negotiation fails.
}	}

Line 113 sub PromoteClientSocket {	Line 171 sub PromoteClientSocket {
# - Reference to an SSL socket on success	# - Reference to an SSL socket on success
# - undef on failure. Reason for failure can be interrogated from	# - undef on failure. Reason for failure can be interrogated from
# IO::Socket::SSL	# IO::Socket::SSL
	# Side Effects:
	# Socket is left in blocking mode!!!
	#
sub PromoteServerSocket {	sub PromoteServerSocket {
my ($PlaintextSocket,	my ($PlaintextSocket,
$CACert,	$CACert,
$MyCert,	$MyCert,
$KeyFile) = @ARG;	$KeyFile) = @_;



Line 125 sub PromoteServerSocket {	Line 186 sub PromoteServerSocket {
# socket. Otherwise closing the ssl socket will close the plaintext socket	# socket. Otherwise closing the ssl socket will close the plaintext socket
# too:	# too:

open (DUPLICATE, "+>$PlaintextSocket");	Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n");

my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE),	my $oldflags = SetFdBlocking($PlaintextSocket);
	my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
	if (!$dupfno) {
	Debug("dup failed: $!\n");
	}
	Debug(" Fileno = $dupfno\n");
	my $client = IO::Socket::SSL->new_from_fd($dupfno,
SSL_server => 1, # Server role.	SSL_server => 1, # Server role.
SSL_user_cert => 1,	SSL_user_cert => 1,
SSL_key_file => $KeyFile,	SSL_key_file => $KeyFile,
SSL_cert_file => $MyCert,	SSL_cert_file => $MyCert,
SSL_ca_fie => $$CACert);	SSL_ca_file => $CACert);
	if(!$client) {
	$lasterror = IO::Socket::SSL::errstr();
	return undef;
	}
return $client;	return $client;
}	}

Line 171 sub GetPeerCertificate {	Line 242 sub GetPeerCertificate {
my $CertOwner = $SSLSocket->peer_certificate("owner");	my $CertOwner = $SSLSocket->peer_certificate("owner");
my $CertCA = $SSLSocket->peer_certificate("authority");	my $CertCA = $SSLSocket->peer_certificate("authority");

return \($CertCA, $CertOwner);	return ($CertCA, $CertOwner);
}	}
#----------------------------------------------------------------------------	#----------------------------------------------------------------------------
#	#
Line 194 sub CertificateFile {	Line 265 sub CertificateFile {
# Ensure the existence of these variables:	# Ensure the existence of these variables:

if((!$CertificateDir) \|\| (!$CaFilename) \|\| (!$CertFilename)) {	if((!$CertificateDir) \|\| (!$CaFilename) \|\| (!$CertFilename)) {
	$lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename "
	."Cert: $CertFilename";
return undef;	return undef;
}	}

# Build the actual filenames and check for their existence and	# Build the actual filenames and check for their existence and
# readability.	# readability.

my $CaFilename = $CertificateDir.$pathsep.$CaFilename;	$CaFilename = $CertificateDir.$pathsep.$CaFilename;
my $CertFilename = $CertificateDir.$pathsep.$CertFilename;	$CertFilename = $CertificateDir.$pathsep.$CertFilename;

if((! -r $CaFilename) \|\| (! -r $CertFilename)) {	if((! -r $CaFilename) \|\| (! -r $CertFilename)) {
	$lasterror = "CA file $CaFilename or Cert File: $CertFilename "
	."not readable";
return undef;	return undef;
}	}

# Everything works fine!!	# Everything works fine!!

return \($CaFilename, $CertFilename);	return ($CaFilename, $CertFilename);

}	}
#------------------------------------------------------------------------	#------------------------------------------------------------------------
Line 231 sub KeyFile {	Line 306 sub KeyFile {
# Ensure the variables exist:	# Ensure the variables exist:

if((!$CertificateDir) \|\| (!$KeyFilename)) {	if((!$CertificateDir) \|\| (!$KeyFilename)) {
	$lasterror = "Missing parameter dir: $CertificateDir "
	."key: $KeyFilename";
return undef;	return undef;
}	}

# Build the actual filename and ensure that it not only exists but	# Build the actual filename and ensure that it not only exists but
# is also readable:	# is also readable:

my $KeyFilename = $CertificateDir.$pathsep.$KeyFilename;	$KeyFilename = $CertificateDir.$pathsep.$KeyFilename;
if(! (-r $KeyFilename)) {	if(! (-r $KeyFilename)) {
	$lasterror = "Unreadable key file $KeyFilename";
return undef;	return undef;
}	}

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.6
changed lines
	Added in v.1.12