1 thilo.boehm 1.9 //%2006////////////////////////////////////////////////////////////////////////
2 //
3 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
4 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
5 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
6 // IBM Corp.; EMC Corporation, The Open Group.
7 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
8 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
9 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
10 // EMC Corporation; VERITAS Software Corporation; The Open Group.
11 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
12 // EMC Corporation; Symantec Corporation; The Open Group.
13 //
14 // Permission is hereby granted, free of charge, to any person obtaining a copy
15 // of this software and associated documentation files (the "Software"), to
16 // deal in the Software without restriction, including without limitation the
17 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
18 // sell copies of the Software, and to permit persons to whom the Software is
19 // furnished to do so, subject to the following conditions:
20 //
21 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
22 thilo.boehm 1.9 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
23 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
24 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
25 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
26 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
27 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 //
30 kumpf 1.11 //==============================================================================
31 //
32 thilo.boehm 1.9 //%/////////////////////////////////////////////////////////////////////////////
33 kumpf 1.11
34 thilo.boehm 1.9 #ifndef SocketzOS_inline_h
35 #define SocketzOS_inline_h
36
37 kumpf 1.11 #include <Pegasus/Common/Logger.h>
38 sushma.fernandes 1.16 #include <Pegasus/Common/AuditLogger.h>
39 thilo.boehm 1.9 #include <sys/ioctl.h>
40 #include <net/rtrouteh.h>
41 #include <net/if.h>
42 #include "//'SYS1.SEZANMAC(EZBZTLSC)'"
43
44
45 PEGASUS_NAMESPACE_BEGIN
46
47
// Wrap a plain (non-TLS) socket handle.
//
// The wrapper starts out unauthenticated with an empty user ID, is marked
// not secure, and uses the default write timeout.
MP_Socket::MP_Socket(SocketHandle socket)
    : _socket(socket),
      _isSecure(false),
      _userAuthenticated(false),
      _socketWriteTimeout(PEGASUS_DEFAULT_SOCKETWRITE_TIMEOUT_SECONDS)
{
    // No identity has been established for this connection yet.
    _username[0] = '\0';
}
55
// Wrap a socket handle that may be TLS-protected.
//
// On z/OS the TLS work is done by AT-TLS in the TCP/IP stack, so this
// constructor only records whether a context was supplied: _isSecure is true
// exactly when sslcontext is non-NULL. sslContextObjectLock is accepted for
// interface compatibility and is not referenced here. ipAddress is kept in
// _clientIPAddress so the peer address can be reported in audit records.
// The connection starts out unauthenticated with an empty user ID.
MP_Socket::MP_Socket(
    SocketHandle socket,
    SSLContext * sslcontext,
    ReadWriteSem * sslContextObjectLock,
    const String& ipAddress)
    : _socket(socket),
      _isSecure(sslcontext != NULL),
      _userAuthenticated(false),
      _socketWriteTimeout(PEGASUS_DEFAULT_SOCKETWRITE_TIMEOUT_SECONDS),
      _clientIPAddress(ipAddress)
{
    PEG_METHOD_ENTER(TRC_SSL, "MP_Socket::MP_Socket()");

    // No identity has been established for this connection yet.
    _username[0] = '\0';

    PEG_METHOD_EXIT();
}
78
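// Query the z/OS Application Transparent TLS (AT-TLS) state of _socket via
// the SIOCTTLSCTL ioctl and decide whether the connection may be used.
//
// Returns:
//   1  the connection is TLS-secured under a policy acceptable to the CIM
//      Server. If the policy performed a SAF certificate-to-user-ID check
//      (TTLS_SEC_SRV_CA_SAFCHK), _userAuthenticated is set and _username
//      holds the resolved user ID (converted from EBCDIC to ASCII).
//   0  the TLS handshake has not completed yet; the caller should retry.
//  -1  the connection must be closed: ioctl failure, handshake failure,
//      missing/unsuitable policy, wrong handshake role, or a status value
//      this code does not recognise.
//
// The function fails closed: every status it cannot positively classify as
// "secure and acceptable" is reported as -1, never as 1 or 0.
int MP_Socket::ATTLS_zOS_query()
{
    struct TTLS_IOCTL ioc;          // ioctl request/response block
    int rcIoctl;
    int errnoIoctl;
    int errno2Ioctl;

    PEG_METHOD_ENTER(TRC_SSL, "ATTLS_zOS_query()");

    // Status query only: no certificate buffer is supplied, so the kernel
    // writes nothing beyond the fixed-size structure.
    memset(&ioc, 0, sizeof(ioc));
    ioc.TTLSi_Ver = TTLS_VERSION1;
    ioc.TTLSi_Req_Type = TTLS_QUERY_ONLY;
    ioc.TTLSi_BufferPtr = NULL;
    ioc.TTLSi_BufferLen = 0;

    rcIoctl = ioctl(_socket, SIOCTTLSCTL, (char *)&ioc);
    // Capture both error codes immediately; any later call may clobber them.
    errnoIoctl = errno;
    errno2Ioctl = __errno2();

    if (rcIoctl < 0)
    {
        switch (errnoIoctl)
        {
            case(EINPROGRESS):
            case(EWOULDBLOCK):
            {
                // Non-blocking socket, handshake still running.
                PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
                    "---> Accept pending (EWB).");
                PEG_METHOD_EXIT();
                return 0;
            }
            case(ECONNRESET):
            {
                Logger::put_l(
                    Logger::STANDARD_LOG, System::CIMSERVER, Logger::INFORMATION,
                    "Pegasus.Common.SocketzOS_inline.CONNECTION_RESET_ERROR",
                    "ATTLS reset the connection due to handshake failure. "
                    "Connection closed.");
                PEG_METHOD_EXIT();
                return -1;
            }
            default:
            {
                // "%08X" of a 32-bit value is at most 8 characters plus the
                // terminator, so the 10-byte buffer cannot overflow.
                char str_errno2[10];
                sprintf(str_errno2, "%08X", errno2Ioctl);
                Logger::put_l(
                    Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                    "Pegasus.Common.SocketzOS_inline.UNEXPECTED_ERROR",
                    "An unexpected error occurs: $0 ( errno $1, reason code "
                    "0x$2 ). Connection closed.",
                    strerror(errnoIoctl),
                    errnoIoctl,
                    str_errno2);
                PEG_METHOD_EXIT();
                return -1;
            }
        } // end switch(errnoIoctl)
    } // rcIoctl < 0

    // This is the HTTPS port, so an AT-TLS policy must be in force for it.
    switch (ioc.TTLSi_Stat_Policy)
    {
        case(TTLS_POL_OFF):
        case(TTLS_POL_NO_POLICY):
        case(TTLS_POL_NOT_ENABLED):
        {
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                "Pegasus.Common.SocketzOS_inline.POLICY_NOT_ENABLED",
                "ATTLS policy is not aktive for the CIM Server HTTPS port. "
                "Communication not secured. Connection closed.");
            PEG_METHOD_EXIT();
            return -1;
        }
        case(TTLS_POL_ENABLED):
        {
            // A policy applies, so the stack will establish TLS itself.
            break;
        }
        case(TTLS_POL_APPLCNTRL):
        {
            // Application-controlled TLS is not supported by this code path.
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                "Pegasus.Common.SocketzOS_inline.APPLCNTRL",
                "ATTLS policy not valid for CIM Server. "
                "Set ApplicationControlled to OFF. Connection closed.");
            PEG_METHOD_EXIT();
            return -1;
        }
        default:
        {
            // Fail closed: a policy status this code does not know about
            // must not be treated as "policy enabled".
            PEG_TRACE((TRC_SSL, Tracer::LEVEL1,
                "---> Unknown ATTLS policy status %d. Connection closed.",
                (int)ioc.TTLSi_Stat_Policy));
            PEG_METHOD_EXIT();
            return -1;
        }
    } // end switch(ioc.TTLSi_Stat_Policy)

    // Policy is acceptable; now check the state of this connection.
    switch (ioc.TTLSi_Stat_Conn)
    {
        case(TTLS_CONN_NOTSECURE):
        case(TTLS_CONN_HS_INPROGRESS):
        {
            // Handshake not finished yet; caller retries later.
            PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, "---> Accept pending.");
            PEG_METHOD_EXIT();
            return 0;
        }
        case(TTLS_CONN_SECURE):
        {
            break;
        }
        default:
        {
            // Fail closed: an unrecognised connection status is not "secure".
            PEG_TRACE((TRC_SSL, Tracer::LEVEL1,
                "---> Unknown ATTLS connection status %d. Connection closed.",
                (int)ioc.TTLSi_Stat_Conn));
            PEG_METHOD_EXIT();
            return -1;
        }
    } // end switch(ioc.TTLSi_Stat_Conn)

    // The connection is secure; verify the server-side handshake role and
    // pick up a SAF-resolved user ID if the policy produced one.
    switch (ioc.TTLSi_Sec_Type)
    {
        case(TTLS_SEC_UNKNOWN):
        case(TTLS_SEC_CLIENT):
        {
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                "Pegasus.Common.SocketzOS_inline.WRONG_ROLE",
                "ATTLS policy specifies the wrong HandshakeRole for the "
                "CIM Server HTTPS port. Communication not secured. "
                "Connection closed.");
            PEG_METHOD_EXIT();
            return -1;
        }

        case(TTLS_SEC_SERVER):
        case(TTLS_SEC_SRV_CA_PASS):
        case(TTLS_SEC_SRV_CA_FULL):
        case(TTLS_SEC_SRV_CA_REQD):
        {
            // Secure, but no SAF user mapping; authentication happens later
            // by other means. _userAuthenticated stays false.
            PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
                "---> ATTLS Security Type is valid but no SAFCHK.");
            PEG_METHOD_EXIT();
            return 1;
        }

        case(TTLS_SEC_SRV_CA_SAFCHK):
        {
            // AT-TLS validated the client certificate and SAF mapped it to a
            // local user ID. Copy it into the fixed-size member buffer only
            // when it fits together with the terminator: the length comes
            // from the kernel, but bounding it here keeps an unexpected value
            // from overrunning _username. An empty ID is not an identity and
            // is rejected rather than reported as authenticated.
            // NOTE(review): sizeof(_username) assumes the member is a char
            // array (it is indexed as one above); confirm in the class
            // declaration.
            const size_t userIdLen = ioc.TTLSi_UserID_Len;
            if (userIdLen == 0 || userIdLen >= sizeof(_username))
            {
                PEG_TRACE((TRC_SSL, Tracer::LEVEL1,
                    "---> ATTLS SAFCHK user ID length %u is invalid. "
                    "Connection closed.",
                    (unsigned)userIdLen));
                PEG_METHOD_EXIT();
                return -1;
            }
            memcpy(_username, ioc.TTLSi_UserID, userIdLen);
            _username[userIdLen] = 0;   // null terminated string
            __etoa(_username);          // the user name is in EBCDIC !
            _userAuthenticated = true;  // only after a valid ID is in place
            PEG_TRACE((TRC_SSL, Tracer::LEVEL2,
                "---> ATTLS Security Type is SAFCHK. Resolved user ID \'%s\'",
                _username));
            // For audit logging, only the mapping of the client IP to the
            // resolved user ID is of interest. SAF itself logs the
            // certificate validation and the subject-to-user-ID mapping,
            // so the certificate fields are left empty here.
            PEG_AUDIT_LOG(logCertificateBasedUserValidation(
                _username,
                String::EMPTY,
                String::EMPTY,
                String::EMPTY,
                _clientIPAddress,
                true));

            PEG_METHOD_EXIT();
            return 1;
        }
    } // end switch(ioc.TTLSi_Sec_Type)

    // Unknown security type: fail closed.
    PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
        "---> Never reach this! New/wrong return value of ioctl().");
    PEG_METHOD_EXIT();
    return -1;
} // end ATTLS_zOS_Query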
250
251
252 PEGASUS_NAMESPACE_END
253 #endif
254