File:  [LON-CAPA] / loncom / lonssl.pm
Revision 1.14: download - view: text, annotated - select for diffs
Sun Nov 8 03:15:13 2015 UTC (8 years, 4 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_11_X, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, version_2_11_3_uiuc, version_2_11_3_msu, version_2_11_3, version_2_11_2_uiuc, version_2_11_2_msu, version_2_11_2_educog, version_2_11_2, HEAD
- Eliminate warnings in lonc_errors where SSL is in use for internal
  LON-CAPA communication and distro has IO::Socket::SSL rev. 1.79 or
  newer.

    1: #
    2: # $Id: lonssl.pm,v 1.14 2015/11/08 03:15:13 raeburn Exp $
    3: #
    4: # Copyright Michigan State University Board of Trustees
    5: #
    6: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
    7: #
    8: # LON-CAPA is free software; you can redistribute it and/or modify
    9: # it under the terms of the GNU General Public License as published by
   10: # the Free Software Foundation; either version 2 of the License, or
   11: # (at your option) any later version.
   12: #
   13: # LON-CAPA is distributed in the hope that it will be useful,
   14: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   15: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   16: # GNU General Public License for more details.
   17: #
   18: # You should have received a copy of the GNU General Public License
   19: # along with LON-CAPA; if not, write to the Free Software
   20: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   21: #
   22: # /home/httpd/html/adm/gpl.txt
   23: #
   24: # http://www.lon-capa.org/
   25: #
   26: package lonssl;
   27: #  lonssl.pm
   28: #    This file contains common functions used by lond and lonc when 
   29: #    negotiating the exchange of the session encryption key via an 
   30: #    SSL tunnel.
   31: #     See the POD sections and function documentation for more information.
   32: #
   33: 
   34: use strict;
   35: 
   36: # CPAN/Standard  modules:
   37: 
   38: use IO::Socket::INET;
   39: use IO::Socket::SSL;
   40: use Net::SSLeay;
   41: 
   42: use Fcntl;
   43: use POSIX;
   44: 
   45: #  Loncapa modules:
   46: 
   47: use LONCAPA::Configuration;
   48: 
   49: #  Global storage:
   50: 
   51: my $perlvar;			#  this refers to the apache perlsetvar 
   52:                                 # variable hash.
   53: 
   54: my $pathsep = "/";		# We're on unix after all.
   55: 
   56: my $DEBUG = 0;			# Set to non zero to enable debug output.
   57: 
   58: 
   59: # Initialization code:
   60: 
   61: $perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');
   62: 
   63: 
   64: my $lasterror="";
   65: 
   66: 
   67: 
   68: sub LastError {
   69:     return $lasterror;
   70: }
   71: 
   72: sub Debug {
   73:     my $msg  = shift;
   74:     if ($DEBUG) {
   75: 	print STDERR $msg;
   76:     }
   77: }
   78: 
   79: #-------------------------------------------------------------------------
   80: # Name SetFdBlocking - 
   81: #      Turn blocking mode on on the file handle.  This is required for
   82: #      SSL key negotiation.
   83: #
   84: # Parameters:
   85: #      Handle   - Reference to the handle to modify.
   86: # Returns:
   87: #      prior flag settings.
   88: #
   89: sub SetFdBlocking {
   90:     Debug("SetFdBlocking called \n");
   91:     my $Handle = shift;
   92: 
   93: 
   94: 
   95:     my $flags  = fcntl($Handle, F_GETFL, 0);
   96:     if(!$flags) {
   97: 	Debug("SetBLocking fcntl get faild $!\n");
   98:     }
   99:     my $newflags  = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK...
  100:     if(!fcntl($Handle, F_SETFL, $newflags)) {
  101: 	Debug("Can't set non block mode  $!\n");
  102:     }
  103:     return $flags;
  104: }
  105: 
  106: #--------------------------------------------------------------------------
  107: #
  108: # Name	PromoteClientSocket
  109: # Description	Given an ordinary IO::Socket::INET Creates an SSL socket 
  110: #               for a client that is connected to the same server.
  111: # Parameters	Name	Type	           Description
  112: #               Socket	IO::Socket::INET   Original ordinary socket.
  113: #               CACert	string	           Full path name to the certificate 
  114: #                                          authority certificate file.
  115: #                MyCert	string	           Full path name to the certificate 
  116: #                                          issued to this host.
  117: #                KeyFile string    	   Full pathname to the host's private 
  118: #                                          key file for the certificate.
  119: # Returns
  120: #	-	Reference to an SSL socket on success
  121: #       -	undef on failure.  Reason for failure can be interrogated from 
  122: #               IO::Socket::SSL
  123: # Side effects:  socket is left in blocking mode!!
  124: #
  125: 
  126: sub PromoteClientSocket {
  127:     my ($PlaintextSocket,
  128: 	$CACert,
  129: 	$MyCert,
  130: 	$KeyFile)          = @_;
  131:     
  132:     
  133:     Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert\n");
  134: 
  135:     # To create the ssl socket we need to duplicate the existing
  136:     # socket.  Otherwise closing the ssl socket will close the plaintext socket
  137:     # too.  We also must flip into blocking mode for the duration of the
  138:     # ssl negotiation phase.. the caller will have to flip to non block if
  139:     # that's what they want
  140: 
  141:     my $oldflags = SetFdBlocking($PlaintextSocket);
  142:     my $dupfno   = fcntl($PlaintextSocket, F_DUPFD, 0);
  143:     Debug("Client promotion got dup = $dupfno\n");
  144: 
  145:     # Starting with IO::Socket::SSL rev. 1.79, carp warns that a verify 
  146:     # mode of SSL_VERIFY_NONE should be explicitly set for client, if 
  147:     # verification is not to be used, and SSL_verify_mode is not set.
  148:     # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which
  149:     # prevents connections to lond.
  150:     # Set SSL_verify_mode to Net::SSLeay::VERIFY_NONE() instead of to
  151:     # SSL_VERIFY_NONE for compatibility with IO::Socket::SSL rev. 1.01
  152:     # used by CentOS/RHEL/Scientific Linux 5).
  153:     
  154:     my $client = IO::Socket::SSL->new_from_fd($dupfno,
  155: 					      SSL_use_cert => 1,
  156: 					      SSL_key_file  => $KeyFile,
  157: 					      SSL_cert_file => $MyCert,
  158: 					      SSL_ca_file   => $CACert,
  159: 					      SSL_verify_mode => Net::SSLeay::VERIFY_NONE());
  160:     
  161:     if(!$client) {
  162: 	$lasterror = IO::Socket::SSL::errstr();
  163: 	return undef;
  164:     }
  165:     return $client;		# Undef if the client negotiation fails.
  166: }
  167: 
  168: #----------------------------------------------------------------------
  169: # Name	PromoteServerSocket
  170: # Description	Given an ordinary IO::Socket::INET Creates an SSL socket 
  171: #               for a server that is connected to the same client.l
  172: # Parameters	Name	Type	           Description
  173: #               Socket	IO::Socket::INET   Original ordinary socket.
  174: #               CACert	string	           Full path name to the certificate 
  175: #                                          authority certificate file.
  176: #                MyCert	string	           Full path name to the certificate 
  177: #                                          issued to this host.
  178: #                KeyFile string    	   Full pathname to the host's private 
  179: #                                          key file for the certificate.
  180: # Returns
  181: #	-	Reference to an SSL socket on success
  182: #       -	undef on failure.  Reason for failure can be interrogated from 
  183: #               IO::Socket::SSL
  184: # Side Effects:
  185: #       Socket is left in blocking mode!!!
  186: #
  187: sub PromoteServerSocket {
  188:     my ($PlaintextSocket,
  189: 	$CACert,
  190: 	$MyCert,
  191: 	$KeyFile)          = @_;
  192: 
  193: 
  194: 
  195:     # To create the ssl socket we need to duplicate the existing
  196:     # socket.  Otherwise closing the ssl socket will close the plaintext socket
  197:     # too:
  198: 
  199:     Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n");
  200:  
  201:     my $oldflags = SetFdBlocking($PlaintextSocket);
  202:     my $dupfno   = fcntl($PlaintextSocket, F_DUPFD, 0);
  203:     if (!$dupfno) {
  204: 	Debug("dup failed: $!\n");
  205:     }
  206:     Debug(" Fileno = $dupfno\n");
  207:     my $client = IO::Socket::SSL->new_from_fd($dupfno,
  208: 					      SSL_server    => 1, # Server role.
  209: 					      SSL_use_cert  => 1,
  210: 					      SSL_key_file  => $KeyFile,
  211: 					      SSL_cert_file => $MyCert,
  212: 					      SSL_ca_file   => $CACert);
  213:     if(!$client) {
  214: 	$lasterror = IO::Socket::SSL::errstr();
  215: 	return undef;
  216:     }
  217:     return $client;
  218: }
  219: 
  220: #-------------------------------------------------------------------------
  221: #
  222: # Name: Close
  223: # Description: Properly closes an ssl client or ssl server socket in
  224: #              a way that keeps the parent socket open.
  225: # Parameters:  Name      Type            Description
  226: #              Socket   IO::Socket::SSL  SSL Socket gotten from either
  227: #                                        PromoteClientSocket or 
  228: #                                        PromoteServerSocket
  229: # Returns:
  230: #   NONE
  231: #
  232: sub Close {
  233:     my $Socket = shift;
  234:     
  235:     $Socket->close(SSL_no_shutdown =>1); # Otherwise the parent socket 
  236:                                          # gets torn down.
  237: }
  238: #---------------------------------------------------------------------------
  239: #
  240: # Name   	GetPeerCertificate
  241: # Description	Inquires about the certificate of the peer of a connection.
  242: # Parameters	Name	        Type	          Description
  243: #               SSLSocket	IO::Socket::SSL	  SSL tunnel socket open on 
  244: #                                                 the peer.
  245: # Returns
  246: #	A two element list.  The first element of the list is the name of 
  247: #       the certificate authority.  The second element of the list is the name 
  248: #       of the owner of the certificate.
  249: sub GetPeerCertificate {
  250:     my $SSLSocket = shift;
  251:     
  252:     my $CertOwner = $SSLSocket->peer_certificate("owner");
  253:     my $CertCA    = $SSLSocket->peer_certificate("authority");
  254:     
  255:     return ($CertCA, $CertOwner);
  256: }
  257: #----------------------------------------------------------------------------
  258: #
  259: # Name  	CertificateFile
  260: # Description	Locate the certificate files for this host.
  261: # Returns
  262: #	Returns a two element array.  The first element contains the name of
  263: #  the certificate file for this host.  The second element contains the name
  264: #  of the  certificate file for the CA that granted the certificate.  If 
  265: #  either file cannot be located, returns undef.
  266: #
  267: sub CertificateFile {
  268: 
  269:     # I need some perl variables from the configuration file for this:
  270:     
  271:     my $CertificateDir  = $perlvar->{lonCertificateDirectory};
  272:     my $CaFilename      = $perlvar->{lonnetCertificateAuthority};
  273:     my $CertFilename    = $perlvar->{lonnetCertificate};
  274:     
  275:     #  Ensure the existence of these variables:
  276:     
  277:     if((!$CertificateDir)  || (!$CaFilename) || (!$CertFilename)) {
  278: 	$lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename "
  279: 	            ."Cert: $CertFilename";
  280: 	return undef;
  281:     }
  282:     
  283:     #   Build the actual filenames and check for their existence and
  284:     #   readability.
  285:     
  286:     $CaFilename   = $CertificateDir.$pathsep.$CaFilename;
  287:     $CertFilename = $CertificateDir.$pathsep.$CertFilename;
  288:     
  289:     if((! -r $CaFilename) || (! -r $CertFilename)) {
  290: 	$lasterror = "CA file $CaFilename or Cert File: $CertFilename "
  291: 	            ."not readable";
  292: 	return undef;
  293:     }
  294:     
  295:     # Everything works fine!!
  296:     
  297:     return ($CaFilename, $CertFilename);
  298: 
  299: }
  300: #------------------------------------------------------------------------
  301: #
  302: # Name	        KeyFile
  303: # Description
  304: #      Returns the name of the private key file of the current host.
  305: # Returns
  306: #      Returns the name of the key file or undef if the file cannot 
  307: #      be found.
  308: #
  309: sub KeyFile {
  310: 
  311:     # I need some perl variables from the configuration file for this:
  312:     
  313:     my $CertificateDir   = $perlvar->{lonCertificateDirectory};
  314:     my $KeyFilename      = $perlvar->{lonnetPrivateKey};
  315:     
  316:     # Ensure the variables exist:
  317:     
  318:     if((!$CertificateDir) || (!$KeyFilename)) {
  319: 	$lasterror = "Missing parameter dir: $CertificateDir "
  320: 	            ."key: $KeyFilename";
  321: 	return undef;
  322:     }
  323:     
  324:     # Build the actual filename and ensure that it not only exists but
  325:     # is also readable:
  326:     
  327:     $KeyFilename    = $CertificateDir.$pathsep.$KeyFilename;
  328:     if(! (-r $KeyFilename)) {
  329: 	$lasterror = "Unreadable key file $KeyFilename";
  330: 	return undef;
  331:     }
  332:     
  333:     return $KeyFilename;
  334: }
  335: 
  336: 1;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>