[BACK]Return to lonssl.pm CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom

Diff for /loncom/lonssl.pm between versions 1.6 and 1.15

version 1.6, 2004/05/28 09:37:03 version 1.15, 2017/02/28 05:42:06
Line 35  use strict; Line 35  use strict;
   
 # CPAN/Standard  modules:  # CPAN/Standard  modules:
   
 use English;  
 use IO::Socket::INET;  use IO::Socket::INET;
 use IO::Socket::SSL;  use IO::Socket::SSL;
   use Net::SSLeay;
   
   use Fcntl;
   use POSIX;
   
 #  Loncapa modules:  #  Loncapa modules:
   
Line 50  my $perlvar;   #  this refers to the apa Line 53  my $perlvar;   #  this refers to the apa
   
 my $pathsep = "/"; # We're on unix after all.  my $pathsep = "/"; # We're on unix after all.
   
   my $DEBUG = 0; # Set to non zero to enable debug output.
   
   
 # Initialization code:  # Initialization code:
   
 $perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');  $perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');
   
   
   my $lasterror="";
   
   
   
   sub LastError {
       return $lasterror;
   }
   
   sub Debug {
       my $msg  = shift;
       if ($DEBUG) {
    print STDERR $msg;
       }
   }
   
   #-------------------------------------------------------------------------
   # Name SetFdBlocking - 
   #      Turn blocking mode on on the file handle.  This is required for
   #      SSL key negotiation.
   #
   # Parameters:
   #      Handle   - Reference to the handle to modify.
   # Returns:
   #      prior flag settings.
   #
   sub SetFdBlocking {
       Debug("SetFdBlocking called \n");
       my $Handle = shift;
   
   
   
       my $flags  = fcntl($Handle, F_GETFL, 0);
       if(!$flags) {
    Debug("SetBLocking fcntl get faild $!\n");
       }
       my $newflags  = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK...
       if(!fcntl($Handle, F_SETFL, $newflags)) {
    Debug("Can't set non block mode  $!\n");
       }
       return $flags;
   }
   
 #--------------------------------------------------------------------------  #--------------------------------------------------------------------------
 #  #
Line 74  $perlvar = LONCAPA::Configuration::read_ Line 120  $perlvar = LONCAPA::Configuration::read_
 # - Reference to an SSL socket on success  # - Reference to an SSL socket on success
 #       - undef on failure.  Reason for failure can be interrogated from   #       - undef on failure.  Reason for failure can be interrogated from 
 #               IO::Socket::SSL  #               IO::Socket::SSL
   # Side effects:  socket is left in blocking mode!!
   #
   
 sub PromoteClientSocket {  sub PromoteClientSocket {
     my ($PlaintextSocket,      my ($PlaintextSocket,
  $CACert,   $CACert,
  $MyCert,   $MyCert,
  $KeyFile)          = @ARG;   $KeyFile)          = @_;
           
           
       Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert\n");
   
     # To create the ssl socket we need to duplicate the existing      # To create the ssl socket we need to duplicate the existing
     # socket.  Otherwise closing the ssl socket will close the plaintext socket      # socket.  Otherwise closing the ssl socket will close the plaintext socket
     # too:      # too.  We also must flip into blocking mode for the duration of the
       # ssl negotiation phase.. the caller will have to flip to non block if
       # that's what they want
   
       my $oldflags = SetFdBlocking($PlaintextSocket);
       my $dupfno   = fcntl($PlaintextSocket, F_DUPFD, 0);
       Debug("Client promotion got dup = $dupfno\n");
   
       # Starting with IO::Socket::SSL rev. 1.79, carp warns that a verify 
       # mode of SSL_VERIFY_NONE should be explicitly set for client, if 
       # verification is not to be used, and SSL_verify_mode is not set.
       # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which
       # prevents connections to lond.
       # Set SSL_verify_mode to Net::SSLeay::VERIFY_NONE() instead of to
       # SSL_VERIFY_NONE for compatibility with IO::Socket::SSL rev. 1.01
       # used by CentOS/RHEL/Scientific Linux 5).
           
     open (DUPLICATE, "+>$PlaintextSocket");      my $client = IO::Socket::SSL->new_from_fd($dupfno,
             SSL_use_cert => 1,
     my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE),  
       SSL_user_cert => 1,  
       SSL_key_file  => $KeyFile,        SSL_key_file  => $KeyFile,
       SSL_cert_file => $MyCert,        SSL_cert_file => $MyCert,
       SSL_ca_fie    => $$CACert);        SSL_ca_file   => $CACert,
         SSL_verify_mode => Net::SSLeay::VERIFY_NONE());
           
       if(!$client) {
    $lasterror = IO::Socket::SSL::errstr();
    return undef;
       }
     return $client; # Undef if the client negotiation fails.      return $client; # Undef if the client negotiation fails.
 }  }
   
Line 113  sub PromoteClientSocket { Line 181  sub PromoteClientSocket {
 # - Reference to an SSL socket on success  # - Reference to an SSL socket on success
 #       - undef on failure.  Reason for failure can be interrogated from   #       - undef on failure.  Reason for failure can be interrogated from 
 #               IO::Socket::SSL  #               IO::Socket::SSL
   # Side Effects:
   #       Socket is left in blocking mode!!!
   #
 sub PromoteServerSocket {  sub PromoteServerSocket {
     my ($PlaintextSocket,      my ($PlaintextSocket,
  $CACert,   $CACert,
  $MyCert,   $MyCert,
  $KeyFile)          = @ARG;   $KeyFile)          = @_;
   
   
   
Line 125  sub PromoteServerSocket { Line 196  sub PromoteServerSocket {
     # socket.  Otherwise closing the ssl socket will close the plaintext socket      # socket.  Otherwise closing the ssl socket will close the plaintext socket
     # too:      # too:
   
     open (DUPLICATE, "+>$PlaintextSocket");      Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n");
    
     my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE),      my $oldflags = SetFdBlocking($PlaintextSocket);
       my $dupfno   = fcntl($PlaintextSocket, F_DUPFD, 0);
       if (!$dupfno) {
    Debug("dup failed: $!\n");
       }
       Debug(" Fileno = $dupfno\n");
       my $client = IO::Socket::SSL->new_from_fd($dupfno,
       SSL_server    => 1, # Server role.        SSL_server    => 1, # Server role.
       SSL_user_cert => 1,        SSL_use_cert  => 1,
       SSL_key_file  => $KeyFile,        SSL_key_file  => $KeyFile,
       SSL_cert_file => $MyCert,        SSL_cert_file => $MyCert,
       SSL_ca_fie    => $$CACert);        SSL_ca_file   => $CACert);
       if(!$client) {
    $lasterror = IO::Socket::SSL::errstr();
    return undef;
       }
     return $client;      return $client;
 }  }
   
Line 171  sub GetPeerCertificate { Line 252  sub GetPeerCertificate {
     my $CertOwner = $SSLSocket->peer_certificate("owner");      my $CertOwner = $SSLSocket->peer_certificate("owner");
     my $CertCA    = $SSLSocket->peer_certificate("authority");      my $CertCA    = $SSLSocket->peer_certificate("authority");
           
     return \($CertCA, $CertOwner);      return ($CertCA, $CertOwner);
 }  }
 #----------------------------------------------------------------------------  #----------------------------------------------------------------------------
 #  #
Line 194  sub CertificateFile { Line 275  sub CertificateFile {
     #  Ensure the existence of these variables:      #  Ensure the existence of these variables:
           
     if((!$CertificateDir)  || (!$CaFilename) || (!$CertFilename)) {      if((!$CertificateDir)  || (!$CaFilename) || (!$CertFilename)) {
    $lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename "
               ."Cert: $CertFilename";
  return undef;   return undef;
     }      }
           
     #   Build the actual filenames and check for their existence and      #   Build the actual filenames and check for their existence and
     #   readability.      #   readability.
           
     my $CaFilename   = $CertificateDir.$pathsep.$CaFilename;      $CaFilename   = $CertificateDir.$pathsep.$CaFilename;
     my $CertFilename = $CertificateDir.$pathsep.$CertFilename;      $CertFilename = $CertificateDir.$pathsep.$CertFilename;
           
     if((! -r $CaFilename) || (! -r $CertFilename)) {      if((! -r $CaFilename) || (! -r $CertFilename)) {
    $lasterror = "CA file $CaFilename or Cert File: $CertFilename "
               ."not readable";
  return undef;   return undef;
     }      }
           
     # Everything works fine!!      # Everything works fine!!
           
     return \($CaFilename, $CertFilename);      return ($CaFilename, $CertFilename);
   
 }  }
 #------------------------------------------------------------------------  #------------------------------------------------------------------------
Line 231  sub KeyFile { Line 316  sub KeyFile {
     # Ensure the variables exist:      # Ensure the variables exist:
           
     if((!$CertificateDir) || (!$KeyFilename)) {      if((!$CertificateDir) || (!$KeyFilename)) {
    $lasterror = "Missing parameter dir: $CertificateDir "
               ."key: $KeyFilename";
  return undef;   return undef;
     }      }
           
     # Build the actual filename and ensure that it not only exists but      # Build the actual filename and ensure that it not only exists but
     # is also readable:      # is also readable:
           
     my $KeyFilename    = $CertificateDir.$pathsep.$KeyFilename;      $KeyFilename    = $CertificateDir.$pathsep.$KeyFilename;
     if(! (-r $KeyFilename)) {      if(! (-r $KeyFilename)) {
    $lasterror = "Unreadable key file $KeyFilename";
  return undef;   return undef;
     }      }
           
     return $KeyFilename;      return $KeyFilename;
 }  }
   
   sub Read_Connect_Config {
       my ($secureconf,$perlvarref) = @_;
       return unless (ref($secureconf) eq 'HASH');
   
       unless (ref($perlvarref) eq 'HASH') {
           $perlvarref = $perlvar;
       }
       
       # Clean out the old table first.
       foreach my $key (keys(%{$secureconf})) {
           delete($secureconf->{$key});
       }
   
       my $result;
       my $tablename = $perlvarref->{'lonTabDir'}."/connectionrules.tab";
       if (open(my $fh,"<$tablename")) {
           while (my $line = <$fh>) {
               chomp($line);
               my ($name,$value) = split(/=/,$line);
               if ($value =~ /^(?:no|yes|req)$/) {
                   if ($name =~ /^conn(to|from)_(dom|intdom|other)$/) {
                       $secureconf->{'conn'.$1}{$2} = $value;
                   }
               }
           }
           close($fh);
           return 'ok';
       }
       return;
   }
   
   sub Read_Host_Types {
       my ($hosttypes,$perlvarref) = @_;
       return unless (ref($hosttypes) eq 'HASH');
   
       unless (ref($perlvarref) eq 'HASH') {
           $perlvarref = $perlvar;
       }
      
       # Clean out the old table first.
       foreach my $key (keys(%{$hosttypes})) {
           delete($hosttypes->{$key});
       }
   
       my $result;
       my $tablename = $perlvarref->{'lonTabDir'}."/hosttypes.tab";
       if (open(my $fh,"<$tablename")) {
           while (my $line = <$fh>) {
               chomp($line);
               my ($name,$value) = split(/:/,$line);
               if (($name ne '') && ($value =~ /^(dom|intdom|other)$/)) { 
                   $hosttypes->{$name} = $value;
               }
           }
           close($fh);
           return 'ok';
       }
       return;
   }
   
 1;  1;
Removed from v.1.6  
changed lines
  Added in v.1.15

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>