version 1.2, 2004/05/26 11:12:58
|
version 1.8, 2004/06/17 09:27:38
|
Line 23
|
Line 23
|
# |
# |
# http://www.lon-capa.org/ |
# http://www.lon-capa.org/ |
# |
# |
|
package lonssl; |
# lonssl.pm |
# lonssl.pm |
# This file contains common functions used by lond and lonc when |
# This file contains common functions used by lond and lonc when |
# negotiating the exchange of the session encryption key via an |
# negotiating the exchange of the session encryption key via an |
Line 32
|
Line 32
|
# |
# |
|
|
use strict; |
use strict; |
|
|
|
# CPAN/Standard modules: |
|
|
use IO::Socket::INET; |
use IO::Socket::INET; |
use IO::Socket::SSL; |
use IO::Socket::SSL; |
|
|
|
use Fcntl; |
|
use POSIX; |
|
|
|
# Loncapa modules: |
|
|
|
use LONCAPA::Configuration; |
|
|
|
# Global storage: |
|
|
|
my $perlvar; # this refers to the apache perlsetvar |
|
# variable hash. |
|
|
|
my $pathsep = "/"; # We're on unix after all. |
|
|
|
|
|
# Initialization code: |
|
|
|
$perlvar = LONCAPA::Configuration::read_conf('loncapa.conf'); |
|
|
|
|
|
my $lasterror=""; |
|
|
|
|
|
sub LastError { |
|
return $lasterror; |
|
} |
|
|
|
#------------------------------------------------------------------------- |
|
# Name SetFdBlocking - |
|
# Turn blocking mode on on the file handle. This is required for |
|
# SSL key negotiation. |
|
# |
|
# Parameters: |
|
# Handle - Reference to the handle to modify. |
|
# Returns: |
|
# prior flag settings. |
|
# |
|
sub SetFdBlocking { |
|
print STDERR "SetFdBlocking called \n"; |
|
my $Handle = shift; |
|
|
|
|
|
|
|
my $flags = fcntl($Handle, F_GETFL, 0); |
|
if(!$flags) { |
|
print STDERR "SetBLocking fcntl get faild $!\n"; |
|
} |
|
my $newflags = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK... |
|
if(!fcntl($Handle, F_SETFL, $newflags)) { |
|
print STDERR "Can't set non block mode $!\n"; |
|
} |
|
return $flags; |
|
} |
|
|
#-------------------------------------------------------------------------- |
#-------------------------------------------------------------------------- |
# |
# |
Line 53 use IO::Socket::SSL;
|
Line 109 use IO::Socket::SSL;
|
# - Reference to an SSL socket on success |
# - Reference to an SSL socket on success |
# - undef on failure. Reason for failure can be interrogated from |
# - undef on failure. Reason for failure can be interrogated from |
# IO::Socket::SSL |
# IO::Socket::SSL |
|
# Side effects: socket is left in blocking mode!! |
|
# |
|
|
sub PromoteClientSocket { |
sub PromoteClientSocket { |
my $PlaintextSocket = shift; |
my ($PlaintextSocket, |
my $CACert = shift; |
$CACert, |
my $MyCert = shift; |
$MyCert, |
my $KeyFile = shift; |
$KeyFile) = @_; |
|
|
# To create the ssl socket we need to duplicate the existing |
|
# socket. Otherwise closing the ssl socket will close the plaintext socket |
print STDERR "Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert\n"; |
# too: |
|
|
# To create the ssl socket we need to duplicate the existing |
open (DUPLICATE, "+>$PlaintextSocket"); |
# socket. Otherwise closing the ssl socket will close the plaintext socket |
|
# too. We also must flip into blocking mode for the duration of the |
my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE), |
# ssl negotiation phase.. the caller will have to flip to non block if |
SSL_user_cert => 1, |
# that's what they want |
SSL_key_file => $KeyFile, |
|
SSL_cert_file => $MyCert, |
my $oldflags = SetFdBlocking($PlaintextSocket); |
SSL_ca_fie => $$CACert); |
my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0); |
|
print STDERR "Client promotion got dup = $dupfno\n"; |
return $client; # Undef if the client negotiation fails. |
|
|
|
|
my $client = IO::Socket::SSL->new_from_fd($dupfno, |
|
SSL_user_cert => 1, |
|
SSL_key_file => $KeyFile, |
|
SSL_cert_file => $MyCert, |
|
SSL_ca_fie => $CACert); |
|
|
|
if(!$client) { |
|
$lasterror = IO::Socket::SSL::errstr(); |
|
return undef; |
|
} |
|
return $client; # Undef if the client negotiation fails. |
} |
} |
|
|
#---------------------------------------------------------------------- |
#---------------------------------------------------------------------- |
Line 91 sub PromoteClientSocket {
|
Line 161 sub PromoteClientSocket {
|
# - Reference to an SSL socket on success |
# - Reference to an SSL socket on success |
# - undef on failure. Reason for failure can be interrogated from |
# - undef on failure. Reason for failure can be interrogated from |
# IO::Socket::SSL |
# IO::Socket::SSL |
sub PromoteServerSocket |
# Side Effects: |
{ |
# Socket is left in blocking mode!!! |
my $PlaintextSocket = shift; |
# |
my $CACert = shift; |
sub PromoteServerSocket { |
my $MyCert = shift; |
my ($PlaintextSocket, |
my $KeyFile = shift; |
$CACert, |
|
$MyCert, |
|
$KeyFile) = @_; |
# To create the ssl socket we need to duplicate the existing |
|
# socket. Otherwise closing the ssl socket will close the plaintext socket |
|
# too: |
|
|
# To create the ssl socket we need to duplicate the existing |
open (DUPLICATE, "+>$PlaintextSocket"); |
# socket. Otherwise closing the ssl socket will close the plaintext socket |
|
# too: |
my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE), |
|
SSL_server => 1, # Server role. |
print STDERR "Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n"; |
SSL_user_cert => 1, |
|
SSL_key_file => $KeyFile, |
my $oldflags = SetFdBlocking($PlaintextSocket); |
SSL_cert_file => $MyCert, |
my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0); |
SSL_ca_fie => $$CACert); |
if (!$dupfno) { |
return $client; |
print STDERR "dup failed: $!\n"; |
|
} |
|
print STDERR " Fileno = $dupfno\n"; |
|
my $client = IO::Socket::SSL->new_from_fd($dupfno, |
|
SSL_server => 1, # Server role. |
|
SSL_user_cert => 1, |
|
SSL_key_file => $KeyFile, |
|
SSL_cert_file => $MyCert, |
|
SSL_ca_fie => $CACert); |
|
if(!$client) { |
|
$lasterror = IO::Socket::SSL::errstr(); |
|
return undef; |
|
} |
|
return $client; |
} |
} |
|
|
#------------------------------------------------------------------------- |
#------------------------------------------------------------------------- |
Line 127 sub PromoteServerSocket
|
Line 210 sub PromoteServerSocket
|
# NONE |
# NONE |
# |
# |
sub Close { |
sub Close { |
my $Socket = shift; |
my $Socket = shift; |
|
|
|
$Socket->close(SSL_no_shutdown =>1); # Otherwise the parent socket |
|
# gets torn down. |
|
} |
|
#--------------------------------------------------------------------------- |
|
# |
|
# Name GetPeerCertificate |
|
# Description Inquires about the certificate of the peer of a connection. |
|
# Parameters Name Type Description |
|
# SSLSocket IO::Socket::SSL SSL tunnel socket open on |
|
# the peer. |
|
# Returns |
|
# A two element list. The first element of the list is the name of |
|
# the certificate authority. The second element of the list is the name |
|
# of the owner of the certificate. |
|
sub GetPeerCertificate { |
|
my $SSLSocket = shift; |
|
|
|
my $CertOwner = $SSLSocket->peer_certificate("owner"); |
|
my $CertCA = $SSLSocket->peer_certificate("authority"); |
|
|
|
return ($CertCA, $CertOwner); |
|
} |
|
#---------------------------------------------------------------------------- |
|
# |
|
# Name CertificateFile |
|
# Description Locate the certificate files for this host. |
|
# Returns |
|
# Returns a two element array. The first element contains the name of |
|
# the certificate file for this host. The second element contains the name |
|
# of the certificate file for the CA that granted the certificate. If |
|
# either file cannot be located, returns undef. |
|
# |
|
sub CertificateFile { |
|
|
|
# I need some perl variables from the configuration file for this: |
|
|
|
my $CertificateDir = $perlvar->{lonCertificateDirectory}; |
|
my $CaFilename = $perlvar->{lonnetCertificateAuthority}; |
|
my $CertFilename = $perlvar->{lonnetCertificate}; |
|
|
|
# Ensure the existence of these variables: |
|
|
|
if((!$CertificateDir) || (!$CaFilename) || (!$CertFilename)) { |
|
$lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename " |
|
."Cert: $CertFilename"; |
|
return undef; |
|
} |
|
|
|
# Build the actual filenames and check for their existence and |
|
# readability. |
|
|
|
my $CaFilename = $CertificateDir.$pathsep.$CaFilename; |
|
my $CertFilename = $CertificateDir.$pathsep.$CertFilename; |
|
|
|
if((! -r $CaFilename) || (! -r $CertFilename)) { |
|
$lasterror = "CA file $CaFilename or Cert File: $CertFilename " |
|
."not readable"; |
|
return undef; |
|
} |
|
|
|
# Everything works fine!! |
|
|
|
return ($CaFilename, $CertFilename); |
|
|
|
} |
|
#------------------------------------------------------------------------ |
|
# |
|
# Name KeyFile |
|
# Description |
|
# Returns the name of the private key file of the current host. |
|
# Returns |
|
# Returns the name of the key file or undef if the file cannot |
|
# be found. |
|
# |
|
sub KeyFile { |
|
|
$Socket->close(SSL_no_shutdown =>1); # Otherwise the parent socket |
# I need some perl variables from the configuration file for this: |
# gets torn down. |
|
|
my $CertificateDir = $perlvar->{lonCertificateDirectory}; |
|
my $KeyFilename = $perlvar->{lonnetPrivateKey}; |
|
|
|
# Ensure the variables exist: |
|
|
|
if((!$CertificateDir) || (!$KeyFilename)) { |
|
$lasterror = "Missing parameter dir: $CertificateDir " |
|
."key: $KeyFilename"; |
|
return undef; |
|
} |
|
|
|
# Build the actual filename and ensure that it not only exists but |
|
# is also readable: |
|
|
|
my $KeyFilename = $CertificateDir.$pathsep.$KeyFilename; |
|
if(! (-r $KeyFilename)) { |
|
$lasterror = "Unreadable key file $KeyFilename"; |
|
return undef; |
|
} |
|
|
|
return $KeyFilename; |
} |
} |
|
|
|
1; |