--- loncom/LondConnection.pm 2011/01/24 11:02:32 1.52 +++ loncom/LondConnection.pm 2018/12/14 02:05:38 1.62 @@ -1,7 +1,7 @@ # This module defines and implements a class that represents # a connection to a lond daemon. # -# $Id: LondConnection.pm,v 1.52 2011/01/24 11:02:32 foxr Exp $ +# $Id: LondConnection.pm,v 1.62 2018/12/14 02:05:38 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -40,10 +40,12 @@ use LONCAPA::lonlocal; use LONCAPA::lonssl; - - my $DebugLevel=0; my %perlvar; +my %secureconf; +my %badcerts; +my %hosttypes; +my %crlchecked; my $InsecureOk; # @@ -70,8 +72,21 @@ sub ReadConfig { my $perlvarref = read_conf('loncapa.conf'); %perlvar = %{$perlvarref}; $ConfigRead = 1; - + $InsecureOk = $perlvar{loncAllowInsecure}; + + unless (lonssl::Read_Connect_Config(\%secureconf,\%perlvar) eq 'ok') { + Debug(1,"Failed to retrieve secureconf hash.\n"); + } + unless (lonssl::Read_Host_Types(\%hosttypes,\%perlvar) eq 'ok') { + Debug(1,"Failed to retrieve hosttypes hash.\n"); + } + %badcerts = (); + %crlchecked = (); +} + +sub ResetReadConfig { + $ConfigRead = 0; } sub Debug { @@ -150,16 +165,39 @@ host the remote lond is on. This host is port number the remote lond is listening on. +=item lonid + + lonid of the remote lond is listening on. + +=item deflonid + + default lonhostID of the remote lond is listening on. + =cut sub new { - my ($class, $DnsName, $Port, $lonid) = @_; + my ($class, $DnsName, $Port, $lonid, $deflonid, $loncaparev) = @_; if (!$ConfigRead) { ReadConfig(); $ConfigRead = 1; } - &Debug(4,$class."::new( ".$DnsName.",".$Port.",".$lonid.")\n"); + &Debug(4,$class."::new( ".$DnsName.",".$Port.",".$lonid.",".$deflonid.",".$loncaparev.")\n"); + + my ($conntype,$gotconninfo,$allowinsecure); + if ((ref($secureconf{'connto'}) eq 'HASH') && + (exists($hosttypes{$lonid}))) { + $conntype = $secureconf{'connto'}{$hosttypes{$lonid}}; + if ($conntype ne '') { + if ($conntype ne 'req') { + $allowinsecure = 1; + } + $gotconninfo = 1; + } + } + unless ($gotconninfo) { + $allowinsecure = $InsecureOk; + } # The host must map to an entry in the hosts table: # We connect to the dns host that corresponds to that @@ -173,9 +211,12 @@ sub new { # Now create the object... my $self = { Host => $DnsName, LoncapaHim => $lonid, + LoncapaDefid => $deflonid, + LoncapaRev => $loncaparev, Port => $Port, State => "Initialized", AuthenticationMode => "", + InsecureOK => $allowinsecure, TransactionRequest => "", TransactionReply => "", NextRequest => "", @@ -216,7 +257,15 @@ sub new { # allowed...else give up right away. if(!(defined $key) || !(defined $keyfile)) { - if($InsecureOk) { + my $canconnect = 0; + if (ref($secureconf{'connto'}) eq 'HASH') { + unless ($secureconf{'connto'}->{'dom'} eq 'req') { + $canconnect = 1; + } + } else { + $canconnect = $InsecureOk; + } + if ($canconnect) { $self->{AuthenticationMode} = "insecure"; $self->{TransactionRequest} = "init\n"; } @@ -239,20 +288,21 @@ sub new { my ($ca, $cert) = lonssl::CertificateFile; my $sslkeyfile = lonssl::KeyFile; + my $badcertfile = lonssl::has_badcert_file($self->{LoncapaHim}); + my ($loncaparev) = ($perlvar{'lonVersion'} =~ /^[\'\"]?([\w.\-]+)[\'\"]?$/); - if((defined $ca) && (defined $cert) && (defined $sslkeyfile)) { - + if (($conntype ne 'no') && (defined($ca)) && (defined($cert)) && (defined($sslkeyfile)) && + (!exists($badcerts{$self->{LoncapaHim}})) && !$badcertfile) { $self->{AuthenticationMode} = "ssl"; - $self->{TransactionRequest} = "init:ssl:$perlvar{'lonVersion'}\n"; + $self->{TransactionRequest} = "init:ssl:$loncaparev\n"; + } elsif ($self->{InsecureOK}) { + # Allowed to do insecure: + $self->{AuthenticationMode} = "insecure"; + $self->{TransactionRequest} = "init::$loncaparev\n"; } else { - if($InsecureOk) { # Allowed to do insecure: - $self->{AuthenticationMode} = "insecure"; - $self->{TransactionRequest} = "init::$perlvar{'lonVersion'}\n"; - } - else { # Not allowed to do insecure... - $socket->close; - return undef; - } + # Not allowed to do insecure... + $socket->close; + return undef; } } @@ -342,9 +392,12 @@ sub Readable { $self->Transition("Disconnected"); return -1; } - # Append the data to the buffer. And figure out if the read is done: + # If we actually got data, reset the timeout. - $self->{TimeoutRemaining} = $self->{TimeoutValue}; # getting data resets the timeout period. + if (length $data) { + $self->{TimeoutRemaining} = $self->{TimeoutValue}; # getting data resets the timeout period. + } + # Append the data to the buffer. And figure out if the read is done: &Debug(9,"Received from host: ".$data); $self->{TransactionReply} .= $data; @@ -396,20 +449,34 @@ sub Readable { } elsif ($ConnectionMode eq "ssl") { if($Response =~ /^ok:ssl/) { # Good ssl... - if($self->ExchangeKeysViaSSL()) { # Success skip to vsn stuff + my $sslresult = $self->ExchangeKeysViaSSL(); + if ($sslresult == 1) { # Success skip to vsn stuff # Need to reset to non blocking: my $flags = fcntl($socket, F_GETFL, 0); fcntl($socket, F_SETFL, $flags | O_NONBLOCK); $self->ToVersionRequest(); return 0; - } - else { # Failed in ssl exchange. + } + else { # Failed in ssl exchange. + if (($sslresult == -1) && (lonssl::LastError == -1) && ($self->{InsecureOK})) { + my $badcertdir = &lonssl::BadCertDir(); + if (($badcertdir) && $self->{LoncapaHim}) { + if (open(my $fh,'>',"$badcertdir/".$self->{LoncapaHim})) { + close($fh); + } + } + $badcerts{$self->{LoncapaHim}} = 1; + &Debug(3,"SSL verification failed: close socket and initiate insecure connection"); + $self->Transition("ReInitNoSSL"); + $socket->close; + return -1; + } &Debug(3,"init:ssl failed key negotiation!"); $self->Transition("Disconnected"); $socket->close; return -1; - } + } } elsif ($Response =~ /^[0-9]+/) { # Old style lond. return $self->CompleteInsecure(); @@ -474,6 +541,7 @@ sub Readable { } } elsif ($self->{State} eq "ReceivingKey") { my $buildkey = $self->{TransactionReply}; + chomp($buildkey); my $key = $self->{LoncapaHim}.$perlvar{'lonHostID'}; $key=~tr/a-z/A-Z/; $key=~tr/G-P/0-9/; @@ -999,6 +1067,9 @@ sub CreateCipher { sub ExchangeKeysViaSSL { my $self = shift; my $socket = $self->{Socket}; + my $peer = $self->{LoncapaHim}; + my $peerdef = $self->{LoncapaDefid}; + my $loncaparev = $self->{LoncapaRev}; # Get our signed certificate, the certificate authority's # certificate and our private key file. All of these @@ -1007,13 +1078,21 @@ sub ExchangeKeysViaSSL { my ($SSLCACertificate, $SSLCertificate) = lonssl::CertificateFile(); my $SSLKey = lonssl::KeyFile(); - + my $CRLFile; + unless ($crlchecked{$peerdef}) { + $CRLFile = lonssl::CRLFile(); + $crlchecked{$peerdef} = 1; + } # Promote our connection to ssl and read the key from lond. my $SSLSocket = lonssl::PromoteClientSocket($socket, $SSLCACertificate, $SSLCertificate, - $SSLKey); + $SSLKey, + $peer, + $peerdef, + $CRLFile, + $loncaparev); if(defined $SSLSocket) { my $key = <$SSLSocket>; lonssl::Close($SSLSocket); @@ -1029,7 +1108,7 @@ sub ExchangeKeysViaSSL { else { # Failed!! Debug(3, "Failed to negotiate SSL connection!"); - return 0; + return -1; } # should not get here return 0; @@ -1054,7 +1133,7 @@ sub ExchangeKeysViaSSL { # sub CompleteInsecure { my $self = shift; - if($InsecureOk) { + if ($self->{InsecureOK}) { $self->{AuthenticationMode} = "insecure"; &Debug(8," Transition out of Initialized:insecure"); $self->{TransactionRequest} = $self->{TransactionReply}; @@ -1157,6 +1236,24 @@ sub GetClientData { return $self->{ClientData}; } +# +# Get the HostID of our peer +# + +sub PeerLoncapaHim { + my $self = shift; + return $self->{LoncapaHim}; +} + +# +# Get the Authentication mode +# + +sub GetKeyMode { + my $self = shift; + return $self->{AuthenticationMode}; +} + 1; =pod