1 thilo.boehm 1.9 //%2006////////////////////////////////////////////////////////////////////////
2 //
3 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
4 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
5 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
6 // IBM Corp.; EMC Corporation, The Open Group.
7 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
8 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
9 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
10 // EMC Corporation; VERITAS Software Corporation; The Open Group.
11 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
12 // EMC Corporation; Symantec Corporation; The Open Group.
13 //
14 // Permission is hereby granted, free of charge, to any person obtaining a copy
15 // of this software and associated documentation files (the "Software"), to
16 // deal in the Software without restriction, including without limitation the
17 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
18 // sell copies of the Software, and to permit persons to whom the Software is
19 // furnished to do so, subject to the following conditions:
20 //
21 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
22 thilo.boehm 1.9 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
23 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
24 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
25 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
26 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
27 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 //
30 kumpf 1.11 //==============================================================================
31 //
32 thilo.boehm 1.9 //%/////////////////////////////////////////////////////////////////////////////
33 kumpf 1.11
34 thilo.boehm 1.9 #ifndef SocketzOS_inline_h
35 #define SocketzOS_inline_h
36
37 kumpf 1.11 #include <Pegasus/Common/Logger.h>
38 thilo.boehm 1.18 #include <Pegasus/Common/AuthenticationInfo.h>
39 thilo.boehm 1.9 #include <sys/ioctl.h>
40 #include <net/rtrouteh.h>
41 #include <net/if.h>
42 #include "//'SYS1.SEZANMAC(EZBZTLSC)'"
43
44
45 PEGASUS_NAMESPACE_BEGIN
46
47
// Wraps an already-open, non-secure socket handle.
// The socket starts out without an authenticated user: _userAuthenticated is
// cleared and _username is made an empty C string. The write timeout takes
// the build-time default.
MP_Socket::MP_Socket(SocketHandle socket)
    : _socket(socket),
      _isSecure(false),
      _userAuthenticated(false),
      _socketWriteTimeout(PEGASUS_DEFAULT_SOCKETWRITE_TIMEOUT_SECONDS)
{
    // empty user name until a query (ATTLS / local socket) resolves one
    _username[0] = '\0';
}
55
// Wraps an already-open socket handle that may be used for HTTPS.
//
// sslcontext: only its presence matters here — a non-NULL context marks the
//             socket as secure (_isSecure); the object itself is not touched.
//             Presumably the TLS work is done by ATTLS on z/OS rather than by
//             this class (see ATTLS_zOS_query).
// sslContextObjectLock, ipAddress: accepted for signature compatibility with
//             the other platforms; not used in this implementation.
// The user starts out unauthenticated with an empty _username, and the write
// timeout takes the build-time default.
MP_Socket::MP_Socket(
    SocketHandle socket,
    SSLContext * sslcontext,
    ReadWriteSem * sslContextObjectLock,
    const String& ipAddress)
    : _socket(socket),
      _userAuthenticated(false),
      _socketWriteTimeout(PEGASUS_DEFAULT_SOCKETWRITE_TIMEOUT_SECONDS)
{
    PEG_METHOD_ENTER(TRC_SSL, "MP_Socket::MP_Socket()");

    // no user resolved yet
    _username[0] = '\0';

    // a context was handed in => treat the socket as secure
    _isSecure = (sslcontext != NULL);

    PEG_METHOD_EXIT();
}
77
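// Queries the z/OS Application Transparent TLS (ATTLS) status of _socket
// through ioctl(SIOCTTLSCTL) and decides whether the connection may be used.
//
// Returns:
//    1  - the connection is secured by ATTLS with a server-side handshake
//         role. If the policy requested SAFCHK, the SAF user ID reported by
//         ATTLS is copied into _username (converted from EBCDIC) and
//         _userAuthenticated / _authType are set accordingly.
//    0  - the TLS handshake is still pending; the caller should retry later.
//   -1  - the connection must be closed: the ioctl failed, ATTLS is off or
//         mis-configured for this port, the handshake role is wrong, or the
//         ioctl returned a status this code does not know (fail closed).
//
// Every -1 path logs the reason; the pending path only traces it.
int MP_Socket::ATTLS_zOS_query()
{
    // ioctl data structure
    struct TTLS_IOCTL ioc;
    int rcIoctl;
    int errnoIoctl;
    int errno2Ioctl;

    PEG_METHOD_ENTER(TRC_SSL, "ATTLS_zOS_query()");

    // clean the structure
    memset(&ioc,0,sizeof(ioc));
    // set used version of structure
    ioc.TTLSi_Ver = TTLS_VERSION1;
    // initialize for query only
    ioc.TTLSi_Req_Type = TTLS_QUERY_ONLY;
    // no buffer for the certificate
    ioc.TTLSi_BufferPtr = NULL;
    // will not use it
    ioc.TTLSi_BufferLen = 0;

    rcIoctl = ioctl(_socket,SIOCTTLSCTL,(char *)&ioc);
    // capture both error codes right away, before any tracing call can
    // overwrite them
    errnoIoctl = errno;
    errno2Ioctl =__errno2();

    if (rcIoctl < 0)
    {
        switch(errnoIoctl)
        {
            case(EINPROGRESS):
            case(EWOULDBLOCK):
            {
                PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
                    "Accept pending: %s (error code %d, reason code 0x%08X).",
                    strerror(errnoIoctl),
                    errnoIoctl,
                    errno2Ioctl));
                PEG_METHOD_EXIT();
                // accept pending
                return 0;
            }
            case(ECONNRESET):
            {
                Logger::put_l(
                    Logger::STANDARD_LOG, System::CIMSERVER,
                    Logger::INFORMATION,
                    "Pegasus.Common.SocketzOS_inline.CONNECTION_RESET_ERROR",
                    "ATTLS reset the connection due to handshake failure. "
                        "Connection closed.");
                PEG_METHOD_EXIT();
                // close socket
                return -1;
            }
            case(ENOTCONN):
            {
                // initialized so that a failing getsockopt() does not hand
                // an indeterminate value to strerror()
                int socket_errno = 0;
                SocketLength optlen = sizeof(int);
                getsockopt(_socket, SOL_SOCKET, SO_ERROR,
                    (char*)&socket_errno, &optlen);
                PEG_TRACE((TRC_DISCARDED_DATA, Tracer::LEVEL2,
                    "Client not connected to ATTLS. Closing socket %d : "
                        "%s (error code %d)",
                    _socket,strerror(socket_errno),socket_errno));
                PEG_METHOD_EXIT();
                // close socket
                return -1;
            }
            default:
            {
                // "%08X" of an int yields at most 8 hex digits plus the
                // terminator, so 10 bytes is sufficient
                char str_errno2[10];
                sprintf(str_errno2,"%08X",errno2Ioctl);
                Logger::put_l(
                    Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                    "Pegasus.Common.SocketzOS_inline.UNEXPECTED_ERROR",
                    "An unexpected error occurs: $0 ( errno $1, reason code "
                        "0x$2 ). Connection closed.",
                    strerror(errnoIoctl),
                    errnoIoctl,
                    str_errno2);
                PEG_METHOD_EXIT();
                // close socket
                return -1;
            }
        } // end switch(errnoIoctl)
    } // -1 ioctl()

    // this should be a secured connection so
    // check the configuration of ATTLS policy.
    switch(ioc.TTLSi_Stat_Policy)
    {
        case(TTLS_POL_OFF):
        {
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                "Pegasus.Common.SocketzOS_inline.POLICY_OFF",
                "ATTLS is not active for TCP-IP stack the CIM server "
                    "is using for HTTPS connections. "
                    "Communication not secured. Connection closed.");
            PEG_METHOD_EXIT();
            // close socket
            return -1;
        }
        case(TTLS_POL_NO_POLICY):
        {
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                "Pegasus.Common.SocketzOS_inline.NO_POLICY",
                "There is no ATTLS policy found for the CIM server "
                    "HTTPS connections. "
                    "Communication not secured. Connection closed.");
            PEG_METHOD_EXIT();
            // close socket
            return -1;
        }
        case(TTLS_POL_NOT_ENABLED):
        {
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                "Pegasus.Common.SocketzOS_inline.POLICY_NOT_ENABLED",
                "ATTLS policy is not active for the CIM Server HTTPS port. "
                    "Communication not secured. Connection closed.");
            PEG_METHOD_EXIT();
            // close socket
            return -1;
        }
        case(TTLS_POL_ENABLED):
        {
            // a policy exists so it is ensured that a secured connection will
            // be established
            break;
        }
        case(TTLS_POL_APPLCNTRL):
        {
            // application-controlled TLS would let the peer talk plaintext
            // until the application starts TLS; this server never does, so
            // such a policy is rejected
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                "Pegasus.Common.SocketzOS_inline.APPLCNTRL",
                "ATTLS policy not valid for CIM Server. "
                    "Set ApplicationControlled to OFF. Connection closed.");
            PEG_METHOD_EXIT();
            // close socket
            return -1;
        }
        // NOTE(review): no default case — an unlisted policy status falls
        // through to the connection-status check below; confirm that is
        // intended rather than a fail-closed "return -1".
    } // end switch(ioc.TTLSi_Stat_Policy)

    // check status of connection, configuration is ok for the CIM Server
    switch(ioc.TTLSi_Stat_Conn)
    {
        case(TTLS_CONN_NOTSECURE):
        case(TTLS_CONN_HS_INPROGRESS):
        {
            // the SSL handshake has not been finished yet, try late again.
            PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
                "ATTLS reports SSL handshake pending.");
            // every other return path pairs PEG_METHOD_ENTER with an EXIT
            PEG_METHOD_EXIT();
            // accept pending
            return 0;
        }
        case(TTLS_CONN_SECURE):
        {
            // the connection is secure
            break;
        }
        // NOTE(review): no default case — an unlisted connection status
        // falls through to the security-type check; confirm this is intended.
    } // end switch(ioc.TTLSi_Stat_Conn)

    // check the handshake role / client authentication mode of the policy
    switch(ioc.TTLSi_Sec_Type)
    {
        case(TTLS_SEC_UNKNOWN):
        case(TTLS_SEC_CLIENT):
        {
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                "Pegasus.Common.SocketzOS_inline.WRONG_ROLE",
                "ATTLS policy specifies the wrong HandshakeRole for the "
                    "CIM Server HTTPS port. Communication not secured. "
                    "Connection closed.");
            PEG_METHOD_EXIT();
            // close connection
            return -1;
        }

        case(TTLS_SEC_SERVER):
        case(TTLS_SEC_SRV_CA_PASS):
        case(TTLS_SEC_SRV_CA_FULL):
        case(TTLS_SEC_SRV_CA_REQD):
        {
            // secure, but no SAF user mapping: the caller must authenticate
            // the user by other means (_userAuthenticated stays false)
            PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
                "ATTLS Security Type is valid but no SAFCHK.");
            PEG_METHOD_EXIT();
            // successful return
            return 1;
        }

        case(TTLS_SEC_SRV_CA_SAFCHK):
        {
            // ATTLS has mapped the client certificate to a SAF user ID;
            // that identity is trusted here without further checks
            _userAuthenticated=true;
            _authType=AuthenticationInfoRep::AUTH_TYPE_ZOS_ATTLS;
            // NOTE(review): no check that TTLSi_UserID_Len + 1 fits into
            // _username — confirm against the declared size of _username
            // and of the TTLSi_UserID field.
            memcpy(_username,ioc.TTLSi_UserID,ioc.TTLSi_UserID_Len);
            _username[ioc.TTLSi_UserID_Len]=0; // null terminated string
            __e2a_s(_username); // the user name is in EBCDIC!
            PEG_TRACE((TRC_SSL, Tracer::LEVEL2,
                "ATTLS Security Type is SAFCHK. Resolved user ID \'%s\'",
                _username));
            PEG_METHOD_EXIT();
            // successful return
            return 1;
        }
    } // end switch(ioc.TTLSi_Sec_Type)

    // This should never be reached; an unknown security type closes the
    // connection rather than letting it through
    PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
        "Received unexpected return value of ioctl(SIOCTTLSCTL).");
    PEG_METHOD_EXIT();
    return -1;
} // end ATTLS_zOS_Query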
296
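// Asks the z/OS kernel (ioctl SECIGET_T) for the security credentials of
// the peer on a local (UNIX domain) socket and, if present, adopts them.
//
// Returns:
//    1  - in every case except the one below. If the peer's task-level
//         user ID (preferred) or process-level user ID is available it is
//         copied into _username (converted from EBCDIC) and
//         _userAuthenticated / _authType are set; if the ioctl fails the
//         error is only traced and the caller proceeds unauthenticated.
//   -1  - the ioctl succeeded but reported neither a task- nor a
//         process-level user ID; the caller is expected to close the socket.
//
// On z/OS releases before 1.8 the query is not available and the function
// returns 1 without touching any member.
int MP_Socket::LocalSocket_zOS_query()
{
    // This function is only available in z/OS 1.8 and greater
#if (__TARGET_LIB__ >= 0x41080000)

    struct __sect_s ioSec;
    int rcIoctl;
    int errnoIoctl;
    int errno2Ioctl;

    PEG_METHOD_ENTER(TRC_SSL, "LocalSocket_zOS_query()");


    // clean the structure
    memset(&ioSec,0,sizeof(ioSec));

    // Query the local socket for security information.
    rcIoctl = ioctl(_socket,SECIGET_T,(char *)&ioSec);
    // capture both error codes before any tracing call can overwrite them
    errnoIoctl = errno;
    errno2Ioctl =__errno2();

    // If an error occurs, the error is written to the trace
    // but the function will successfully return.

    if (rcIoctl < 0)
    {
        switch (errnoIoctl)
        {
            case(EBADF):
            {
                PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
                    "Not a valid socket descriptor for "
                        "query local authentication.");
                break;
            }
            case(EINVAL):
            {
                PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
                    "The local authentication request is not valid"
                        " or not supported on this socket.");
                break;
            }
            case(ENODEV):
            {
                PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
                    "Not a local socket descriptor.");
                break;
            }
            default:
            {
                // "%d" (was "$d"): with the literal "$d" the errno argument
                // was skipped and "%08X" printed errnoIoctl as the reason
                // code, leaving errno2Ioctl unused
                PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
                    "An unexpected error occurs: %s ( errno %d, reason code "
                        "0x%08X ). ",
                    strerror(errnoIoctl),
                    errnoIoctl,
                    errno2Ioctl));
                break;
            } // end default
        } // end switch errnoIoctl

        // a failed query is not fatal; the peer simply stays unauthenticated
        PEG_METHOD_EXIT();
        return 1;

    } // if rcIoctl < 0

    // Is client task level security information available ?
    if (ioSec.__sectt_useridlen != 0)
    {
        _userAuthenticated=true;
        _authType=AuthenticationInfoRep::AUTH_TYPE_ZOS_LOCAL_DOMIAN_SOCKET;
        // NOTE(review): no check that __sectt_useridlen + 1 fits into
        // _username — confirm against the declared size of _username.
        memcpy(_username,ioSec.__sectt_userid,ioSec.__sectt_useridlen);
        // null terminated string
        _username[ioSec.__sectt_useridlen]=0;
        // the user name is in EBCDIC!
        __e2a_s(_username);
        PEG_TRACE((TRC_SSL, Tracer::LEVEL2,
            "Local Socket authentication. Resolved task level user ID \'%s\'",
            _username));
        PEG_METHOD_EXIT();
        return 1;

    }

    // Is client process level security information available ?
    if (ioSec.__sectp_useridlen != 0)
    {
        _userAuthenticated=true;
        _authType=AuthenticationInfoRep::AUTH_TYPE_ZOS_LOCAL_DOMIAN_SOCKET;
        // NOTE(review): same missing length check as for the task-level
        // user ID above.
        memcpy(_username,ioSec.__sectp_userid,ioSec.__sectp_useridlen);
        // null terminated string
        _username[ioSec.__sectp_useridlen]=0;
        // the user name is in EBCDIC!
        __e2a_s(_username);
        PEG_TRACE((TRC_SSL, Tracer::LEVEL2,
            "Local Socket authentication. "
                "Resolved process level user ID \'%s\'",
            _username));
        PEG_METHOD_EXIT();
        return 1;

    }

    // This should never be reached: the query succeeded but carried no
    // user ID at all
    PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
        "Received unexpected return value of ioctl(SECIGET_T).");
    PEG_METHOD_EXIT();
    return -1;
#else
    // no local-socket security query on this z/OS level; nothing is resolved
    return 1;
#endif // (__TARGET_LIB__ >= 0x41080000)
}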
408
409 thilo.boehm 1.9
410 PEGASUS_NAMESPACE_END
411 #endif
412