|
version 1.17, 2007/06/04 15:16:24
|
version 1.18, 2007/08/22 07:43:37
|
|
|
|
| #define SocketzOS_inline_h | #define SocketzOS_inline_h |
| | |
| #include <Pegasus/Common/Logger.h> | #include <Pegasus/Common/Logger.h> |
| #ifdef PEGASUS_ZOS_SECURITY |
#include <Pegasus/Common/AuthenticationInfo.h> |
| // This include file will not be provided in the OpenGroup CVS for now. |
|
| // Do NOT try to include it in your compile |
|
| #include <Pegasus/Common/safCheckzOS_inline.h> |
|
| #endif |
|
| #include <Pegasus/Common/AuditLogger.h> |
|
| #include <sys/ioctl.h> | #include <sys/ioctl.h> |
| #include <net/rtrouteh.h> | #include <net/rtrouteh.h> |
| #include <net/if.h> | #include <net/if.h> |
|
|
|
| const String& ipAddress) | const String& ipAddress) |
| : _socket(socket), | : _socket(socket), |
| _userAuthenticated(false), | _userAuthenticated(false), |
| _socketWriteTimeout(PEGASUS_DEFAULT_SOCKETWRITE_TIMEOUT_SECONDS), |
_socketWriteTimeout(PEGASUS_DEFAULT_SOCKETWRITE_TIMEOUT_SECONDS) |
| _clientIPAddress(ipAddress) |
|
| { | { |
| PEG_METHOD_ENTER(TRC_SSL, "MP_Socket::MP_Socket()"); | PEG_METHOD_ENTER(TRC_SSL, "MP_Socket::MP_Socket()"); |
| _username[0]=0; | _username[0]=0; |
|
|
|
| | |
| int MP_Socket::ATTLS_zOS_query() | int MP_Socket::ATTLS_zOS_query() |
| { | { |
| struct TTLS_IOCTL ioc; // ioctl data structure |
// ioctl data structure |
| |
struct TTLS_IOCTL ioc; |
| int rcIoctl; | int rcIoctl; |
| int errnoIoctl; | int errnoIoctl; |
| int errno2Ioctl; | int errno2Ioctl; |
| | |
| PEG_METHOD_ENTER(TRC_SSL, "ATTLS_zOS_query()"); | PEG_METHOD_ENTER(TRC_SSL, "ATTLS_zOS_query()"); |
| | |
| memset(&ioc,0,sizeof(ioc)); // clean the structure |
// clean the structure |
| ioc.TTLSi_Ver = TTLS_VERSION1; // set used version of structure |
memset(&ioc,0,sizeof(ioc)); |
| ioc.TTLSi_Req_Type = TTLS_QUERY_ONLY; // initialize for query only |
// set used version of structure |
| ioc.TTLSi_BufferPtr = NULL; // no buffer for the certificate |
ioc.TTLSi_Ver = TTLS_VERSION1; |
| ioc.TTLSi_BufferLen = 0; // will not use it |
// initialize for query only |
| |
ioc.TTLSi_Req_Type = TTLS_QUERY_ONLY; |
| |
// no buffer for the certificate |
| |
ioc.TTLSi_BufferPtr = NULL; |
| |
// will not use it |
| |
ioc.TTLSi_BufferLen = 0; |
| | |
| rcIoctl = ioctl(_socket,SIOCTTLSCTL,(char *)&ioc); | rcIoctl = ioctl(_socket,SIOCTTLSCTL,(char *)&ioc); |
| errnoIoctl = errno; | errnoIoctl = errno; |
|
|
|
| case(EWOULDBLOCK): | case(EWOULDBLOCK): |
| { | { |
| PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, | PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
| "---> Accept pending (EWB)."); |
"Accept pending (EWB)."); |
| return 0; // accept pending |
// accept pending |
| |
return 0; |
| } | } |
| case(ECONNRESET): | case(ECONNRESET): |
| { | { |
| Logger::put_l( | Logger::put_l( |
| Logger::STANDARD_LOG, System::CIMSERVER, Logger::INFORMATION, |
Logger::STANDARD_LOG, System::CIMSERVER, |
| |
Logger::INFORMATION, |
| "Pegasus.Common.SocketzOS_inline.CONNECTION_RESET_ERROR", | "Pegasus.Common.SocketzOS_inline.CONNECTION_RESET_ERROR", |
| "ATTLS reset the connection due to handshake failure. " | "ATTLS reset the connection due to handshake failure. " |
| "Connection closed."); | "Connection closed."); |
|
|
|
| Logger::put_l( | Logger::put_l( |
| Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE, | Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE, |
| "Pegasus.Common.SocketzOS_inline.UNEXPECTED_ERROR", | "Pegasus.Common.SocketzOS_inline.UNEXPECTED_ERROR", |
| "An unexpected error occurs: $0 ( errno $1, reason code " |
"An unexpected error occurs: $0 ( errno $1, reason " |
| "0x$2 ). Connection closed.", |
"code 0x$2 ). Connection closed.", |
| strerror(errnoIoctl), | strerror(errnoIoctl), |
| errnoIoctl, | errnoIoctl, |
| str_errno2); | str_errno2); |
|
|
|
| } | } |
| case(TTLS_CONN_SECURE): | case(TTLS_CONN_SECURE): |
| { | { |
| break; // the connection is secure |
// the connection is secure |
| |
break; |
| } | } |
| | |
| | |
|
|
|
| case(TTLS_SEC_SRV_CA_REQD): | case(TTLS_SEC_SRV_CA_REQD): |
| { | { |
| PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, | PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
| "---> ATTLS Security Type is valid but no SAFCHK."); |
"ATTLS Security Type is valid but no SAFCHK."); |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| return 1; | return 1; |
| } | } |
|
|
|
| case(TTLS_SEC_SRV_CA_SAFCHK): | case(TTLS_SEC_SRV_CA_SAFCHK): |
| { | { |
| _userAuthenticated=true; | _userAuthenticated=true; |
| |
_authType=AuthenticationInfoRep::AUTH_TYPE_ZOS_ATTLS; |
| memcpy(_username,ioc.TTLSi_UserID,ioc.TTLSi_UserID_Len); | memcpy(_username,ioc.TTLSi_UserID,ioc.TTLSi_UserID_Len); |
| _username[ioc.TTLSi_UserID_Len]=0; // null terminated string | _username[ioc.TTLSi_UserID_Len]=0; // null terminated string |
| __etoa(_username); // the user name is in EBCDIC ! |
__e2a_s(_username); // the user name is in EBCDIC! |
| PEG_TRACE((TRC_SSL, Tracer::LEVEL2, | PEG_TRACE((TRC_SSL, Tracer::LEVEL2, |
| "---> ATTLS Security Type is SAFCHK. Resolved user ID \'%s\'", |
"ATTLS Security Type is SAFCHK. Resolved user ID \'%s\'", |
| _username)); | _username)); |
| |
PEG_METHOD_EXIT(); |
| |
return 1; |
| | |
| // Check if the user is authorized to CIMSERV |
} |
| #ifdef PEGASUS_ZOS_SECURITY |
} // end switch(ioc.TTLSi_Sec_Type) |
| if ( !CheckProfileCIMSERVclassWBEM(_username, __READ_RESOURCE) ) |
// This should never be reached |
| { |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
| Logger::put_l(Logger::STANDARD_LOG, ZOS_SECURITY_NAME, |
"Received unexpected return value of ioctl(SIOCTTLSCTL)."); |
| Logger::WARNING, |
PEG_METHOD_EXIT(); |
| "Pegasus.Common.SocketzOS_inline.NOREAD_CIMSERV_ACCESS", |
|
| "Request UserID $0 doesn't have READ permission" |
|
| " to profile CIMSERV CL(WBEM).", |
|
| _username); |
|
| return -1; | return -1; |
| |
} // end ATTLS_zOS_Query |
| |
|
| |
int MP_Socket::LocalSocket_zOS_query() |
| |
{ |
| |
// This function is only available in z/OS 1.8 and greater |
| |
#if (__TARGET_LIB__ >= 0x41080000) |
| |
|
| |
struct __sect_s ioSec; |
| |
int rcIoctl; |
| |
int errnoIoctl; |
| |
int errno2Ioctl; |
| |
|
| |
PEG_METHOD_ENTER(TRC_SSL, "LocalSocket_zOS_query()"); |
| |
|
| |
|
| |
// clean the structure |
| |
memset(&ioSec,0,sizeof(ioSec)); |
| |
|
| |
// Query the local socket for security information. |
| |
rcIoctl = ioctl(_socket,SECIGET_T,(char *)&ioSec); |
| |
errnoIoctl = errno; |
| |
errno2Ioctl =__errno2(); |
| |
|
| |
// If an error occures, the error is written to the trace |
| |
// but the function will successfully return. |
| |
|
| |
if (rcIoctl < 0) |
| |
{ |
| |
switch (errnoIoctl) |
| |
{ |
| |
case(EBADF): |
| |
{ |
| |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
| |
"Not a valid socket descriptor for " |
| |
"query local authentication."); |
| |
break; |
| |
} |
| |
case(EINVAL): |
| |
{ |
| |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
| |
"The local authentication request is not valid" |
| |
" or not supported on this socket."); |
| |
break; |
| |
} |
| |
case(ENODEV): |
| |
{ |
| |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
| |
"Not a local socket descriptor."); |
| |
break; |
| |
} |
| |
default: |
| |
{ |
| |
PEG_TRACE((TRC_SSL, Tracer::LEVEL4, |
| |
"An unexpected error occurs: %s ( errno $d, reason code " |
| |
"0x%08X ). ", |
| |
strerror(errnoIoctl), |
| |
errnoIoctl, |
| |
errno2Ioctl)); |
| |
break; |
| |
} // end default |
| |
} // end switch errnoIoctl |
| |
|
| |
PEG_METHOD_EXIT(); |
| |
return 1; |
| |
|
| |
} // if rcIoctl < 0 |
| |
|
| |
// Is client task level security information available ? |
| |
if (ioSec.__sectt_useridlen != 0) |
| |
{ |
| |
_userAuthenticated=true; |
| |
_authType=AuthenticationInfoRep::AUTH_TYPE_ZOS_LOCAL_DOMIAN_SOCKET; |
| |
memcpy(_username,ioSec.__sectt_userid,ioSec.__sectt_useridlen); |
| |
// null terminated string |
| |
_username[ioSec.__sectt_useridlen]=0; |
| |
// the user name is in EBCDIC! |
| |
__e2a_s(_username); |
| |
PEG_TRACE((TRC_SSL, Tracer::LEVEL2, |
| |
"Local Socket authentication. Resolved task level user ID \'%s\'", |
| |
_username)); |
| |
PEG_METHOD_EXIT(); |
| |
return 1; |
| |
|
| } | } |
| #endif |
|
| // For audit loging, only the mapping of the client IP to the |
|
| // resolved user ID is from interest. |
|
| // The SAF facility logs the certificate validation and the |
|
| // mapping of certificate subject to a local userID. |
|
| PEG_AUDIT_LOG(logCertificateBasedUserValidation( |
|
| _username, |
|
| String::EMPTY, |
|
| String::EMPTY, |
|
| String::EMPTY, |
|
| _clientIPAddress, |
|
| true)); |
|
| | |
| |
// Is client process level security information available ? |
| |
if (ioSec.__sectp_useridlen != 0) |
| |
{ |
| |
_userAuthenticated=true; |
| |
_authType=AuthenticationInfoRep::AUTH_TYPE_ZOS_LOCAL_DOMIAN_SOCKET; |
| |
memcpy(_username,ioSec.__sectp_userid,ioSec.__sectp_useridlen); |
| |
// null terminated string |
| |
_username[ioSec.__sectp_useridlen]=0; |
| |
// the user name is in EBCDIC! |
| |
__e2a_s(_username); |
| |
PEG_TRACE((TRC_SSL, Tracer::LEVEL2, |
| |
"Local Socket authentication. " |
| |
"Resolved process level user ID \'%s\'", |
| |
_username)); |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| return 1; | return 1; |
| | |
| } | } |
| } // end switch(ioc.TTLSi_Sec_Type) |
|
| // This should never be reached | // This should never be reached |
| PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, | PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
| "---> Never reach this! New/wrong return value of ioctl()."); |
"Received unexpected return value of ioctl(SECIGET_T)."); |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| return -1; | return -1; |
| } // end ATTLS_zOS_Query |
#else |
| |
return 1; |
| |
#endif // (__TARGET_LIB__ >= 0x41080000) |
| |
} |
| | |
| | |
| PEGASUS_NAMESPACE_END | PEGASUS_NAMESPACE_END |
Return to
SocketzOS_inline.h
CVS log
Up to [Pegasus] / pegasus / src / Pegasus / Common