#!/usr/bin/perl #-------------------------------------------------------------- # cgi script that parses request argument to appropriate # open ssl or tstclntw options and starts ssl client. # use CGI qw/:standard/; use subs qw(debug); #-------------------------------------------------------------- # Prints out an error string and exits the script with an # exitStatus. # Param: # str : an error string # exitStat: an exit status of the program # sub svr_error { my ($str, $exitStat) = @_; if (!defined $str || $str eq "") { $str = $ERR; } print "SERVER ERROR: $str\n"; if ($exitStat) { print end_html if ($osDataArr{wservRun}); exit $exitStat; } } #-------------------------------------------------------------- # Prints out a debug message # Params: # str: debug message # inVal: additional value to print(optional) # sub debug { my ($str, $inVal) = @_; print "-- DEBUG: $str ($inVal)\n" if ($DEBUG == 1); } #-------------------------------------------------------------- # Initializes execution context depending on a webserver the # script is running under. # sub init { %osDataArr = ( loadSupportedCipthersFn => \&osSpecific, cipherIsSupportedFn => \&verifyCipherSupport, cipherListFn => \&convertCipher, buildCipherTableFn => \&buildCipherTable, execCmdFn => \&osSpecific, ); $scriptName = $ENV{'SCRIPT_NAME'}; if (!defined $scriptName) { $DEBUG=1; debug "Debug is ON"; } $DEBUG=1; $svrSoft = $ENV{'SERVER_SOFTWARE'}; if (defined $svrSoft) { $_ = $svrSoft; /.*Microsoft.*/ && ($osDataArr{wserv} = "IIS"); /.*Apache.*/ && ($osDataArr{wserv} = "Apache"); $osDataArr{wservRun} = 1; } else { $osDataArr{wserv} = "Apache"; $osDataArr{wservRun} = 0; } } #-------------------------------------------------------------- # Function-spigot to handle errors is OS specific functions are # not implemented for a particular OS. # Returns: # always returns 0(failure) # sub osSpecific { $ERR = "This function should be swapped to os specific function."; return 0; } #-------------------------------------------------------------- # Sets os specific execution context values. # Returns: # 1 upon success, or 0 upon failure(if OS was not recognized) # sub setFunctRefs { debug("Entering setFunctRefs function", $osDataArr{wserv}); if ($osDataArr{wserv} eq "Apache") { $osDataArr{osConfigFile} = "apache_unix.cfg"; $osDataArr{suppCiphersCmd} = '$opensslb ciphers ALL:NULL'; $osDataArr{clientRunCmd} = '$opensslb s_client -host $in_host -port $in_port -cert $certDir/$in_cert.crt -key $certDir/$in_cert.key -CAfile $caCertFile $proto $ciphers -ign_eof < $reqFile'; $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Unix; $osDataArr{execCmdFn} = \&execClientCmd_Unix; } elsif ($osDataArr{wserv} eq "IIS") { $osDataArr{osConfigFile} = "iis_windows.cfg"; $osDataArr{suppCiphersCmd} = '$tstclntwb'; $osDataArr{clientRunCmd} = '$tstclntwb -h $in_host -p $in_port -n $in_cert $proto $ciphers < $reqFile'; $osDataArr{loadSupportedCipthersFn} = \&getSupportedCipherList_Win; $osDataArr{execCmdFn} = \&execClientCmd_Win; } else { $ERR = "Unknown Web Server type."; return 0; } return 1; } #-------------------------------------------------------------- # Parses data from HTTP request. Will print a form if request # does not contain sufficient number of parameters. # Returns: # 1 if request has sufficient number of parameters # 0 if not. sub getReqData { my $debug = param('debug'); $in_host = param('host'); $in_port = param('port'); $in_cert = param('cert'); $in_cipher = param('cipher'); if (!$osDataArr{wservRun}) { $in_host="goa1"; $in_port="443"; $in_cert="TestUser511"; $in_cipher = "SSL3_RSA_WITH_NULL_SHA"; } debug("Entering getReqData function", "$in_port:$in_host:$in_cert:$in_cipher"); if (defined $debug && $debug == "debug on") { $DEBUG = 1; } if (!defined $in_host || $in_host eq "" || !defined $in_port || $in_port eq "" || !defined $in_cert || $in_cert eq "") { if ($osDataArr{wservRun}) { print h1('Command description form:'), start_form(-method=>"get"), "Host: ",textfield('host'),p, "Port: ",textfield('port'),p, "Cert: ",textfield('cert'),p, "Cipher: ",textfield('cipher'),p, checkbox_group(-name=>'debug', -values=>['debug on ']), submit, end_form, hr; } else { print "Printing html form to get client arguments\n"; } $ERR = "the following parameters are required: host, port, cert"; return 0; } else { print "
" if ($osDataArr{wservRun}); return 1; } } #-------------------------------------------------------------- # Building cipher conversion table from file based on the OS. # Params: # tfile: cipher conversion file. # sysName: system name # tblPrt: returned pointer to a table. sub buildCipherTable { my ($tfile, $sysName, $tblPrt) = @_; my @retArr = @$tblPrt; my %table, %rtable; my $strCount = 0; debug("Entering getReqData function", "$tfile:$sysName:$tblPrt"); ($ERR = "No system name supplied" && return 0) if ($sysName =~ /^$/); if (!open(TFILE, "$tfile")) { $ERR = "Missing cipher conversion table file."; return 0; } foreach ("; print end_html; }) { chop; /^#.*/ && next; /^\s*$/ && next; if ($strCount++ == 0) { my @sysArr = split /\s+/; $colCount = 0; for (;$colCount <= $#sysArr;$colCount++) { last if ($sysArr[$colCount] =~ /(.*:|^)$sysName.*/); } next; } my @ciphArr = split /\s+/, $_; $table{$ciphArr[0]} = $ciphArr[$colCount]; $rtable{$ciphArr[$colCount]} = $ciphArr[0]; } close(TFILE); $cipherTablePtr[0] = \%table; $cipherTablePtr[1] = \%rtable; return 1 } #-------------------------------------------------------------- # Client configuration function. Loads client configuration file. # Initiates cipher table. Loads cipher list supported by ssl client. # sub configClient { debug "Entering configClient function"; my $res = &setFunctRefs(); return $res if (!$res); open(CFILE, $osDataArr{'osConfigFile'}) || ($ERR = "Missing configuration file." && return 0); foreach ( ) { /^#.*/ && next; chop; eval $_; } close(CFILE); local @cipherTablePtr = (); $osDataArr{'buildCipherTableFn'}->($cipherTableFile, $clientSys) || return 0; $osDataArr{cipherTable} = $cipherTablePtr[0]; $osDataArr{rcipherTable} = $cipherTablePtr[1]; local $suppCiphersTablePrt; &{$osDataArr{'loadSupportedCipthersFn'}} || return 0; $osDataArr{suppCiphersTable} = $suppCiphersTablePrt; } #-------------------------------------------------------------- # Verifies that a particular cipher is supported. # Params: # checkCipher: cipher name # Returns: # 1 - cipher is supported(also echos the cipher). # 0 - not supported. # sub verifyCipherSupport { my ($checkCipher) = @_; my @suppCiphersTable = @{$osDataArr{suppCiphersTable}}; debug("Entering verifyCipherSupport", $checkCipher); foreach (@suppCiphersTable) { return 1 if ($checkCipher eq $_); } $ERR = "cipher is not supported."; return 0; } #-------------------------------------------------------------- # Converts long(?name of the type?) cipher name to # openssl/tstclntw cipher name. # Returns: # 0 if cipher was not listed. 1 upon success. # sub convertCipher { my ($cipher) = @_; my @retList; my $resStr; my %cipherTable = %{$osDataArr{cipherTable}}; debug("Entering convertCipher", $cipher); if (defined $cipher) { my $cphr = $cipherTable{$cipher}; if (!defined $cphr) { $ERR = "cipher is not listed."; return 0; } &{$osDataArr{'cipherIsSupportedFn'}}($cphr) || return 0; $ciphers = "$cphr"; return 1; } return 0; } ################################################################# # UNIX Apache Specific functions #---------------------------------------------------------------- #-------------------------------------------------------------- # Executes ssl client command to get a list of ciphers supported # by client. # sub getSupportedCipherList_Unix { my @arr, @suppCiphersTable; debug "Entering getSupportedCipherList_Unix function"; eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"'; if (!open (OUT, "$sLisrCmd|")) { $ERR="Can not run command to verify supported cipher list."; return 0; } @arr = ; chop $arr[0]; @suppCiphersTable = split /:/, $arr[0]; debug("Supported ciphers", $arr[0]); $suppCiphersTablePrt = \@suppCiphersTable; close(OUT); return 1; } #-------------------------------------------------------------- # Lunches ssl client command in response to a request. # # sub execClientCmd_Unix { my $proto; local $ciphers; debug "Entering execClientCmd_Unix"; if (defined $in_cipher && $in_cipher ne "") { my @arr = split /_/, $in_cipher, 2; $proto = "-".$arr[0]; $proto =~ tr /SLT/slt/; $proto = "-tls1" if ($proto eq "-tls"); return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher)); $ciphers = "-cipher $ciphers"; debug("Return from cipher conversion", "$ciphers"); } eval '$command = "'.$osDataArr{'clientRunCmd'}.'"'; debug("Executing command", $command); if (!open CMD_OUT, "$command 2>&1 |") { $ERR = "can not launch client"; return 0; } my @cmdOutArr = ; foreach (@cmdOutArr) { print $_; } my $haveVerify = 0; my $haveErrors = 0; foreach (@cmdOutArr) { chop; if (/unknown option/) { $haveErrors++; svr_error "unknown option\n"; next; } if (/:no ciphers available/) { $haveErrors++; svr_error "no cipthers available\n"; next; } if (/verify error:/) { $haveErrors++; svr_error "unable to do verification\n"; next; } if (/alert certificate revoked:/) { $haveErrors++; svr_error "attempt to connect with revoked sertificate\n"; next; } if (/(error|ERROR)/) { $haveErrors++; svr_error "found errors in server log\n"; next; } /verify return:1/ && ($haveVerify = 1); } if ($haveVerify == 0) { svr_error "no 'verify return:1' found in server log\n"; $haveErrors++; } if ($haveErrors > 0) { $ERR = "Have $haveErrors server errors"; debug "Exiting execClientCmd_Unix"; return 0; } debug "Exiting execClientCmd_Unix"; return 1; } ################################################################# # Windows IIS Specific functions #---------------------------------------------------------------- #-------------------------------------------------------------- # Executes ssl client command to get a list of ciphers supported # by client. # sub getSupportedCipherList_Win { my @arr, @suppCiphersTable; debug "Entering getSupportedCipherList_Win function"; eval '$sLisrCmd = "'.$osDataArr{'suppCiphersCmd'}.'"'; if (!open (OUT, "$sLisrCmd|")) { $ERR="Can not run command to verify supported cipher list."; return 0; } my $startCipherList = 0; foreach ( ) { chop; if ($startCipherList) { /^([a-zA-Z])\s+/ && push @suppCiphersTable, $1; next; } /.*from list below.*/ && ($startCipherList = 1); } debug("Supported ciphers", join ':', @suppCiphersTable); $suppCiphersTablePrt = \@suppCiphersTable; close(OUT); return 1; } #-------------------------------------------------------------- # Lunches ssl client command in response to a request. # # sub execClientCmd_Win { my $proto; local $ciphers; debug "Entering execClientCmd_Win"; if (defined $in_cipher && $in_cipher ne "") { my @arr = split /_/, $in_cipher, 2; $proto = "-2 -3 -T"; $proto =~ s/-T// if ($arr[0] eq "TLS"); $proto =~ s/-3// if ($arr[0] eq "SSL3"); $proto =~ s/-2// if ($arr[0] eq "SSL2"); return 0 if (!&{$osDataArr{'cipherListFn'}}($in_cipher)); $ciphers = "-c $ciphers"; debug("Return from cipher conversion", $ciphers); } eval '$command = "'.$osDataArr{'clientRunCmd'}.'"'; debug("Executing command", $command); if (!open CMD_OUT, "$command 2>&1 |") { $ERR = "can not launch client"; return 0; } my @cmdOutArr = ; foreach (@cmdOutArr) { print $_; } my $haveVerify = 0; my $haveErrors = 0; foreach (@cmdOutArr) { chop; if (/unknown option/) { $haveErrors++; svr_error "unknown option\n"; next; } if (/Error performing handshake/) { $haveErrors++; svr_error "Error performing handshake\n"; next; } if (/Error creating credentials/) { $haveErrors++; svr_error "Error creating credentials\n"; next; } if (/Error .* authenticating server credentials!/) { $haveErrors++; svr_error "Error authenticating server credentials\n"; next; } if (/(error|ERROR|Error)/) { $haveErrors++; svr_error "found errors in server log\n"; next; } } if ($haveErrors > 0) { $ERR = "Have $haveErrors server errors"; debug "Exiting execClientCmd_Win"; return 0; } debug "Exiting execClientCmd_Win"; return 1; } ################################################################# # Main line of execution #---------------------------------------------------------------- &init; if ($osDataArr{wservRun}) { print header('text/html'). start_html('iopr client'); } print "SCRIPT=OK\n"; if (!&getReqData) { svr_error($ERR, 1); } if (!&configClient) { svr_error($ERR, 1); } &{$osDataArr{'execCmdFn'}} || svr_error; if ($osDataArr{wservRun}) { print "