File:
[LON-CAPA] /
loncom /
lonssl.pm
Revision
1.24:
download - view:
text,
annotated -
select for diffs
Fri Dec 14 02:05:38 2018 UTC (5 years, 4 months ago) by
raeburn
Branches:
MAIN
CVS tags:
version_2_12_X,
HEAD
- Include verification of common name when creating SSL tunnel unless
connecting to/from pre-2.12 node.
- $IO::Socket::SSL::DEBUG is set to current $DEBUG value so debugging
from IO/Socket/SSL.pm is written to lond_errors or lonc_errors.
1: #
2: # $Id: lonssl.pm,v 1.24 2018/12/14 02:05:38 raeburn Exp $
3: #
4: # Copyright Michigan State University Board of Trustees
5: #
6: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
7: #
8: # LON-CAPA is free software; you can redistribute it and/or modify
9: # it under the terms of the GNU General Public License as published by
10: # the Free Software Foundation; either version 2 of the License, or
11: # (at your option) any later version.
12: #
13: # LON-CAPA is distributed in the hope that it will be useful,
14: # but WITHOUT ANY WARRANTY; without even the implied warranty of
15: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16: # GNU General Public License for more details.
17: #
18: # You should have received a copy of the GNU General Public License
19: # along with LON-CAPA; if not, write to the Free Software
20: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21: #
22: # /home/httpd/html/adm/gpl.txt
23: #
24: # http://www.lon-capa.org/
25: #
26: package lonssl;
27: # lonssl.pm
28: # This file contains common functions used by lond and lonc when
29: # negotiating the exchange of the session encryption key via an
30: # SSL tunnel.
31: # See the POD sections and function documentation for more information.
32: #
33:
34: use strict;
35:
36: # CPAN/Standard modules:
37:
38: use IO::Socket::INET;
39: use IO::Socket::SSL;
40: use Net::SSLeay;
41:
42: use Fcntl;
43: use POSIX;
44:
45: # Loncapa modules:
46:
47: use LONCAPA::Configuration;
48:
49: # Global storage:
50:
51: my $perlvar; # this refers to the apache perlsetvar
52: # variable hash.
53:
54: my $pathsep = "/"; # We're on unix after all.
55:
56: my $DEBUG = 0; # Set to non zero to enable debug output.
57:
58:
59: # Initialization code:
60:
61: $perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');
62:
63:
64: my $lasterror="";
65:
66:
67:
68: sub LastError {
69: return $lasterror;
70: }
71:
72: sub Debug {
73: my $msg = shift;
74: if ($DEBUG) {
75: print STDERR $msg;
76: }
77: }
78:
79: #-------------------------------------------------------------------------
80: # Name SetFdBlocking -
81: # Turn blocking mode on on the file handle. This is required for
82: # SSL key negotiation.
83: #
84: # Parameters:
85: # Handle - Reference to the handle to modify.
86: # Returns:
87: # prior flag settings.
88: #
89: sub SetFdBlocking {
90: Debug("SetFdBlocking called \n");
91: my $Handle = shift;
92:
93:
94:
95: my $flags = fcntl($Handle, F_GETFL, 0);
96: if(!$flags) {
97: Debug("SetBLocking fcntl get faild $!\n");
98: }
99: my $newflags = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK...
100: if(!fcntl($Handle, F_SETFL, $newflags)) {
101: Debug("Can't set non block mode $!\n");
102: }
103: return $flags;
104: }
105:
106: #--------------------------------------------------------------------------
107: #
108: # Name PromoteClientSocket
109: # Description Given an ordinary IO::Socket::INET Creates an SSL socket
110: # for a client that is connected to the same server.
111: # Parameters Name Type Description
112: # Socket IO::Socket::INET Original ordinary socket.
113: # CACert string Full path name to the certificate
114: # authority certificate file.
115: # MyCert string Full path name to the certificate
116: # issued to this host.
117: # KeyFile string Full pathname to the host's private
118: # key file for the certificate.
119: # peer string lonid of remote LON-CAPA server
120: # peerdef string default lonHostID of remote server
121: # CRLFile Full path name to the certificate
122: # revocation list file for the cluster
123: # to which server belongs (optional)
124: # serverversion LON-CAPA version running on remote
125: # server.
126:
127: # Returns
128: # - Reference to an SSL socket on success
129: # - undef on failure. Reason for failure can be interrogated from
130: # IO::Socket::SSL
131: # Side effects: socket is left in blocking mode!!
132: #
133:
134: sub PromoteClientSocket {
135: my ($PlaintextSocket,
136: $CACert,
137: $MyCert,
138: $KeyFile,
139: $peer,
140: $peerdef,
141: $CRLFile,
142: $serverversion) = @_;
143:
144: Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, CRL: $CRLFile, Remote Host: $peer, RemoteDefHost: $peerdef, RemoteLCVersion: $serverversion\n");
145:
146: # To create the ssl socket we need to duplicate the existing
147: # socket. Otherwise closing the ssl socket will close the plaintext socket
148: # too. We also must flip into blocking mode for the duration of the
149: # ssl negotiation phase.. the caller will have to flip to non block if
150: # that's what they want
151:
152: my $oldflags = SetFdBlocking($PlaintextSocket);
153: my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
154: Debug("Client promotion got dup = $dupfno\n");
155:
156: # Starting with IO::Socket::SSL rev. 1.79, carp warns that a verify
157: # mode of SSL_VERIFY_NONE should be explicitly set for client, if
158: # verification is not to be used, and SSL_verify_mode is not set.
159: # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which
160: # prevents an SSL connection to lond unless SSL_verifycn_name is set
161: # to the lonHostID of the remote host, (and the remote certificate has
162: # the remote lonHostID as CN, and has been signed by the LON-CAPA CA.
163: # Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to
164: # SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01
165: # used by CentOS/RHEL/Scientific Linux 5).
166:
167: my $verify_cn = $peerdef;
168: if ($verify_cn eq '') {
169: $verify_cn = $peer;
170: }
171:
172: my %sslargs = (SSL_use_cert => 1,
173: SSL_key_file => $KeyFile,
174: SSL_cert_file => $MyCert,
175: SSL_ca_file => $CACert);
176: my ($major,$minor) = split(/\./,$serverversion);
177: if (($major < 2) || ($major == 2 && $minor < 12)) {
178: $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE();
179: } else {
180: $sslargs{SSL_verifycn_scheme} = 'http',
181: $sslargs{SSL_verifycn_name} = $verify_cn,
182: $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
183: if (($CRLFile ne '') && (-e $CRLFile)) {
184: $sslargs{SSL_check_crl} = 1;
185: $sslargs{SSL_crl_file} = $CRLFile;
186: }
187: }
188: # Uncomment next two $IO::Socket::SSL::DEBUG lines, for debugging
189: # $IO::Socket::SSL::DEBUG = 0; # Set to integer >0 and <4
190: # # to write debugging to lonc_errors
191: my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
192: # $IO::Socket::SSL::DEBUG = 0; # Do not change
193: if(!$client) {
194: if ($IO::Socket::SSL::SSL_ERROR == -1) {
195: $lasterror = -1;
196: }
197: return undef;
198: }
199: return $client; # Undef if the client negotiation fails.
200: }
201:
202: #----------------------------------------------------------------------
203: # Name PromoteServerSocket
204: # Description Given an ordinary IO::Socket::INET Creates an SSL socket
205: # for a server that is connected to the same client.
206: # Parameters Name Type Description
207: # Socket IO::Socket::INET Original ordinary socket.
208: # CACert string Full path name to the certificate
209: # authority certificate file.
210: # MyCert string Full path name to the certificate
211: # issued to this host.
212: # KeyFile string Full pathname to the host's private
213: # key file for the certificate.
214: # peer string lonHostID of remote LON-CAPA client
215: # CRLFile Full path name to the certificate
216: # revocation list file for the cluster
217: # to which server belongs (optional)
218: # clientversion LON-CAPA version running on remote
219: # client
220: # Returns
221: # - Reference to an SSL socket on success
222: # - undef on failure. Reason for failure can be interrogated from
223: # IO::Socket::SSL
224: # Side Effects:
225: # Socket is left in blocking mode!!!
226: #
227: sub PromoteServerSocket {
228: my ($PlaintextSocket,
229: $CACert,
230: $MyCert,
231: $KeyFile,
232: $peer,
233: $CRLFile,
234: $clientversion) = @_;
235:
236: # To create the ssl socket we need to duplicate the existing
237: # socket. Otherwise closing the ssl socket will close the plaintext socket
238: # too:
239:
240: Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n");
241:
242: my $oldflags = SetFdBlocking($PlaintextSocket);
243: my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
244: if (!$dupfno) {
245: Debug("dup failed: $!\n");
246: }
247: Debug(" Fileno = $dupfno\n");
248: my %sslargs = (SSL_server => 1, # Server role.
249: SSL_use_cert => 1,
250: SSL_key_file => $KeyFile,
251: SSL_cert_file => $MyCert,
252: SSL_ca_file => $CACert);
253: my ($major,$minor) = split(/\./,$clientversion);
254: if (($major < 2) || ($major == 2 && $minor < 12)) {
255: $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_NONE();
256: } else {
257: $sslargs{SSL_verifycn_scheme} = 'http';
258: $sslargs{SSL_verifycn_name} = $peer;
259: $sslargs{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
260: if (($CRLFile ne '') && (-e $CRLFile)) {
261: $sslargs{SSL_check_crl} = 1;
262: $sslargs{SSL_crl_file} = $CRLFile;
263: }
264: }
265: # Uncomment next two $IO::Socket::SSL::DEBUG lines, for debugging
266: # $IO::Socket::SSL::DEBUG = 0; # Set to integer >0 and <4
267: # # to write debugging to lond_errors
268: my $client = IO::Socket::SSL->new_from_fd($dupfno,%sslargs);
269: # $IO::Socket::SSL::DEBUG = 0; # Do not change
270: if(!$client) {
271: if ($IO::Socket::SSL::SSL_ERROR == -1) {
272: $lasterror = -1;
273: }
274: return undef;
275: }
276: return $client;
277: }
278:
279: #-------------------------------------------------------------------------
280: #
281: # Name: Close
282: # Description: Properly closes an ssl client or ssl server socket in
283: # a way that keeps the parent socket open.
284: # Parameters: Name Type Description
285: # Socket IO::Socket::SSL SSL Socket gotten from either
286: # PromoteClientSocket or
287: # PromoteServerSocket
288: # Returns:
289: # NONE
290: #
291: sub Close {
292: my $Socket = shift;
293:
294: $Socket->close(SSL_no_shutdown =>1); # Otherwise the parent socket
295: # gets torn down.
296: }
297: #---------------------------------------------------------------------------
298: #
299: # Name GetPeerCertificate
300: # Description Inquires about the certificate of the peer of a connection.
301: # Parameters Name Type Description
302: # SSLSocket IO::Socket::SSL SSL tunnel socket open on
303: # the peer.
304: # Returns
305: # A two element list. The first element of the list is the name of
306: # the certificate authority. The second element of the list is the name
307: # of the owner of the certificate.
308: sub GetPeerCertificate {
309: my $SSLSocket = shift;
310:
311: my $CertOwner = $SSLSocket->peer_certificate("owner");
312: my $CertCA = $SSLSocket->peer_certificate("authority");
313:
314: return ($CertCA, $CertOwner);
315: }
316: #----------------------------------------------------------------------------
317: #
318: # Name CertificateFile
319: # Description Locate the certificate files for this host.
320: # Returns
321: # Returns a two element array. The first element contains the name of
322: # the certificate file for this host. The second element contains the name
323: # of the certificate file for the CA that granted the certificate. If
324: # either file cannot be located, returns undef.
325: #
326: sub CertificateFile {
327:
328: # I need some perl variables from the configuration file for this:
329:
330: my $CertificateDir = $perlvar->{lonCertificateDirectory};
331: my $CaFilename = $perlvar->{lonnetCertificateAuthority};
332: my $CertFilename = $perlvar->{lonnetCertificate};
333:
334: # Ensure the existence of these variables:
335:
336: if((!$CertificateDir) || (!$CaFilename) || (!$CertFilename)) {
337: $lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename "
338: ."Cert: $CertFilename";
339: return undef;
340: }
341:
342: # Build the actual filenames and check for their existence and
343: # readability.
344:
345: $CaFilename = $CertificateDir.$pathsep.$CaFilename;
346: $CertFilename = $CertificateDir.$pathsep.$CertFilename;
347:
348: if((! -r $CaFilename) || (! -r $CertFilename)) {
349: $lasterror = "CA file $CaFilename or Cert File: $CertFilename "
350: ."not readable";
351: return undef;
352: }
353:
354: # Everything works fine!!
355:
356: return ($CaFilename, $CertFilename);
357:
358: }
359: #------------------------------------------------------------------------
360: #
361: # Name KeyFile
362: # Description
363: # Returns the name of the private key file of the current host.
364: # Returns
365: # Returns the name of the key file or undef if the file cannot
366: # be found.
367: #
368: sub KeyFile {
369:
370: # I need some perl variables from the configuration file for this:
371:
372: my $CertificateDir = $perlvar->{lonCertificateDirectory};
373: my $KeyFilename = $perlvar->{lonnetPrivateKey};
374:
375: # Ensure the variables exist:
376:
377: if((!$CertificateDir) || (!$KeyFilename)) {
378: $lasterror = "Missing parameter dir: $CertificateDir "
379: ."key: $KeyFilename";
380: return undef;
381: }
382:
383: # Build the actual filename and ensure that it not only exists but
384: # is also readable:
385:
386: $KeyFilename = $CertificateDir.$pathsep.$KeyFilename;
387: if(! (-r $KeyFilename)) {
388: $lasterror = "Unreadable key file $KeyFilename";
389: return undef;
390: }
391:
392: return $KeyFilename;
393: }
394:
395: sub CRLFile {
396:
397: # I need some perl variables from the configuration file for this:
398:
399: my $CertificateDir = $perlvar->{lonCertificateDirectory};
400: my $CRLFilename = $perlvar->{lonnetCertRevocationList};
401:
402: # Ensure the variables exist:
403:
404: if((!$CertificateDir) || (!$CRLFilename)) {
405: $lasterror = "Missing parameter dir: $CertificateDir "
406: ."CRL file: $CRLFilename";
407: return undef;
408: }
409:
410: # Build the actual filename and ensure that it not only exists but
411: # is also readable:
412:
413: $CRLFilename = $CertificateDir.$pathsep.$CRLFilename;
414: if(! (-r $CRLFilename)) {
415: $lasterror = "Unreadable key file $CRLFilename";
416: return undef;
417: }
418:
419: return $CRLFilename;
420: }
421:
422: sub BadCertDir {
423: my $SocketDir = $perlvar->{lonSockDir};
424: if (-d "$SocketDir/nosslverify/") {
425: return "$SocketDir/nosslverify"
426: }
427: }
428:
429: sub has_badcert_file {
430: my ($client) = @_;
431: my $SocketDir = $perlvar->{lonSockDir};
432: if (-e "$SocketDir/nosslverify/$client") {
433: return 1;
434: }
435: return;
436: }
437:
438: sub Read_Connect_Config {
439: my ($secureconf,$perlvarref,$crlcheckedref) = @_;
440: return unless (ref($secureconf) eq 'HASH');
441:
442: unless (ref($perlvarref) eq 'HASH') {
443: $perlvarref = $perlvar;
444: }
445:
446: # Clear hash of clients in lond for which Certificate Revocation List checked
447: if (ref($crlcheckedref) eq 'HASH') {
448: foreach my $key (keys(%{$crlcheckedref})) {
449: delete($crlcheckedref->{$key});
450: }
451: }
452: # Clean out the old table first.
453: foreach my $key (keys(%{$secureconf})) {
454: delete($secureconf->{$key});
455: }
456:
457: my $result;
458: my $tablename = $perlvarref->{'lonTabDir'}."/connectionrules.tab";
459: if (open(my $fh,'<',$tablename)) {
460: while (my $line = <$fh>) {
461: chomp($line);
462: my ($name,$value) = split(/=/,$line);
463: if ($value =~ /^(?:no|yes|req)$/) {
464: if ($name =~ /^conn(to|from)_(dom|intdom|other)$/) {
465: $secureconf->{'conn'.$1}{$2} = $value;
466: }
467: }
468: }
469: close($fh);
470: return 'ok';
471: }
472: return;
473: }
474:
475: sub Read_Host_Types {
476: my ($hosttypes,$perlvarref) = @_;
477: return unless (ref($hosttypes) eq 'HASH');
478:
479: unless (ref($perlvarref) eq 'HASH') {
480: $perlvarref = $perlvar;
481: }
482:
483: # Clean out the old table first.
484: foreach my $key (keys(%{$hosttypes})) {
485: delete($hosttypes->{$key});
486: }
487:
488: my $result;
489: my $tablename = $perlvarref->{'lonTabDir'}."/hosttypes.tab";
490: if (open(my $fh,'<',$tablename)) {
491: while (my $line = <$fh>) {
492: chomp($line);
493: my ($name,$value) = split(/:/,$line);
494: if (($name ne '') && ($value =~ /^(dom|intdom|other)$/)) {
495: $hosttypes->{$name} = $value;
496: }
497: }
498: close($fh);
499: return 'ok';
500: }
501: return;
502: }
503:
504: 1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lonssl.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom