--- loncom/lonssl.pm 2004/05/28 09:37:03 1.6
+++ loncom/lonssl.pm 2004/06/17 10:15:46 1.9
@@ -1,5 +1,5 @@
#
-# $Id: lonssl.pm,v 1.6 2004/05/28 09:37:03 foxr Exp $
+# $Id: lonssl.pm,v 1.9 2004/06/17 10:15:46 foxr Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -35,10 +35,12 @@ use strict;
# CPAN/Standard modules:
-use English;
use IO::Socket::INET;
use IO::Socket::SSL;
+use Fcntl;
+use POSIX;
+
# Loncapa modules:
use LONCAPA::Configuration;
@@ -50,12 +52,55 @@ my $perlvar; # this refers to the apa
my $pathsep = "/"; # We're on unix after all.
+my $DEBUG = 0; # Set to non zero to enable debug output.
+
# Initialization code:
$perlvar = LONCAPA::Configuration::read_conf('loncapa.conf');
+my $lasterror="";
+
+
+
+sub LastError {
+ return $lasterror;
+}
+
+sub Debug {
+ my $msg = shift;
+ if ($DEBUG) {
+ print STDERR $msg;
+ }
+}
+
+#-------------------------------------------------------------------------
+# Name SetFdBlocking -
+# Turn blocking mode on on the file handle. This is required for
+# SSL key negotiation.
+#
+# Parameters:
+# Handle - Reference to the handle to modify.
+# Returns:
+# prior flag settings.
+#
+sub SetFdBlocking {
+ Debug("SetFdBlocking called \n");
+ my $Handle = shift;
+
+
+
+ my $flags = fcntl($Handle, F_GETFL, 0);
+ if(!$flags) {
+ Debug("SetBLocking fcntl get faild $!\n");
+ }
+ my $newflags = $flags & (~ O_NONBLOCK); # Turn off O_NONBLOCK...
+ if(!fcntl($Handle, F_SETFL, $newflags)) {
+ Debug("Can't set non block mode $!\n");
+ }
+ return $flags;
+}
#--------------------------------------------------------------------------
#
@@ -74,26 +119,39 @@ $perlvar = LONCAPA::Configuration::read_
# - Reference to an SSL socket on success
# - undef on failure. Reason for failure can be interrogated from
# IO::Socket::SSL
+# Side effects: socket is left in blocking mode!!
+#
sub PromoteClientSocket {
my ($PlaintextSocket,
$CACert,
$MyCert,
- $KeyFile) = @ARG;
+ $KeyFile) = @_;
+ Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert\n");
+
# To create the ssl socket we need to duplicate the existing
# socket. Otherwise closing the ssl socket will close the plaintext socket
- # too:
-
- open (DUPLICATE, "+>$PlaintextSocket");
+ # too. We also must flip into blocking mode for the duration of the
+ # ssl negotiation phase.. the caller will have to flip to non block if
+ # that's what they want
+
+ my $oldflags = SetFdBlocking($PlaintextSocket);
+ my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
+ Debug("Client promotion got dup = $dupfno\n");
+
- my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE),
+ my $client = IO::Socket::SSL->new_from_fd($dupfno,
SSL_user_cert => 1,
SSL_key_file => $KeyFile,
SSL_cert_file => $MyCert,
- SSL_ca_fie => $$CACert);
+ SSL_ca_fie => $CACert);
+ if(!$client) {
+ $lasterror = IO::Socket::SSL::errstr();
+ return undef;
+ }
return $client; # Undef if the client negotiation fails.
}
@@ -113,11 +171,14 @@ sub PromoteClientSocket {
# - Reference to an SSL socket on success
# - undef on failure. Reason for failure can be interrogated from
# IO::Socket::SSL
+# Side Effects:
+# Socket is left in blocking mode!!!
+#
sub PromoteServerSocket {
my ($PlaintextSocket,
$CACert,
$MyCert,
- $KeyFile) = @ARG;
+ $KeyFile) = @_;
@@ -125,14 +186,24 @@ sub PromoteServerSocket {
# socket. Otherwise closing the ssl socket will close the plaintext socket
# too:
- open (DUPLICATE, "+>$PlaintextSocket");
-
- my $client = IO::Socket::SSL->new_from_fd(fileno(DUPLICATE),
+ Debug("Server promotion: Key = $KeyFile, Cert $MyCert CA $CACert\n");
+
+ my $oldflags = SetFdBlocking($PlaintextSocket);
+ my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
+ if (!$dupfno) {
+ Debug("dup failed: $!\n");
+ }
+ Debug(" Fileno = $dupfno\n");
+ my $client = IO::Socket::SSL->new_from_fd($dupfno,
SSL_server => 1, # Server role.
SSL_user_cert => 1,
SSL_key_file => $KeyFile,
SSL_cert_file => $MyCert,
- SSL_ca_fie => $$CACert);
+ SSL_ca_fie => $CACert);
+ if(!$client) {
+ $lasterror = IO::Socket::SSL::errstr();
+ return undef;
+ }
return $client;
}
@@ -171,7 +242,7 @@ sub GetPeerCertificate {
my $CertOwner = $SSLSocket->peer_certificate("owner");
my $CertCA = $SSLSocket->peer_certificate("authority");
- return \($CertCA, $CertOwner);
+ return ($CertCA, $CertOwner);
}
#----------------------------------------------------------------------------
#
@@ -194,6 +265,8 @@ sub CertificateFile {
# Ensure the existence of these variables:
if((!$CertificateDir) || (!$CaFilename) || (!$CertFilename)) {
+ $lasterror = "Missing info: dir: $CertificateDir CA: $CaFilename "
+ ."Cert: $CertFilename";
return undef;
}
@@ -204,12 +277,14 @@ sub CertificateFile {
my $CertFilename = $CertificateDir.$pathsep.$CertFilename;
if((! -r $CaFilename) || (! -r $CertFilename)) {
+ $lasterror = "CA file $CaFilename or Cert File: $CertFilename "
+ ."not readable";
return undef;
}
# Everything works fine!!
- return \($CaFilename, $CertFilename);
+ return ($CaFilename, $CertFilename);
}
#------------------------------------------------------------------------
@@ -231,6 +306,8 @@ sub KeyFile {
# Ensure the variables exist:
if((!$CertificateDir) || (!$KeyFilename)) {
+ $lasterror = "Missing parameter dir: $CertificateDir "
+ ."key: $KeyFilename";
return undef;
}
@@ -239,6 +316,7 @@ sub KeyFile {
my $KeyFilename = $CertificateDir.$pathsep.$KeyFilename;
if(! (-r $KeyFilename)) {
+ $lasterror = "Unreadable key file $KeyFilename";
return undef;
}
500 Internal Server Error
Internal Server Error
The server encountered an internal error or
misconfiguration and was unable to complete
your request.
Please contact the server administrator at
root@localhost to inform them of the time this error occurred,
and the actions you performed just before this error.
More information about this error may be available
in the server error log.