1 thilo.boehm 1.9 //%2006////////////////////////////////////////////////////////////////////////
2 //
3 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
4 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
5 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
6 // IBM Corp.; EMC Corporation, The Open Group.
7 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
8 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
9 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
10 // EMC Corporation; VERITAS Software Corporation; The Open Group.
11 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
12 // EMC Corporation; Symantec Corporation; The Open Group.
13 //
14 // Permission is hereby granted, free of charge, to any person obtaining a copy
15 // of this software and associated documentation files (the "Software"), to
16 // deal in the Software without restriction, including without limitation the
17 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
18 // sell copies of the Software, and to permit persons to whom the Software is
19 // furnished to do so, subject to the following conditions:
20 //
21 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
22 thilo.boehm 1.9 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
23 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
24 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
25 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
26 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
27 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 //
30 kumpf 1.11 //==============================================================================
31 //
32 thilo.boehm 1.9 //%/////////////////////////////////////////////////////////////////////////////
34 thilo.boehm 1.9 #ifndef SocketzOS_inline_h
35 #define SocketzOS_inline_h
36
37 kumpf 1.11 #include <Pegasus/Common/Logger.h>
38 thilo.boehm 1.18 #include <Pegasus/Common/AuthenticationInfo.h>
39 thilo.boehm 1.9 #include <sys/ioctl.h>
40 #include <net/rtrouteh.h>
41 #include <net/if.h>
42 #include "//'SYS1.SEZANMAC(EZBZTLSC)'"
43
44
45 PEGASUS_NAMESPACE_BEGIN
46
47
/// Wrap an already-open, non-secure socket.
///
/// @param socket  the operating-system socket handle to wrap.
///
/// The object starts out unauthenticated (_userAuthenticated false,
/// _username empty) with the default write timeout; a later call to
/// ATTLS_zOS_query() or LocalSocket_zOS_query() may resolve a user ID.
MP_Socket::MP_Socket(SocketHandle socket)
    : _socket(socket),
      _isSecure(false),
      _userAuthenticated(false),
      _socketWriteTimeout(PEGASUS_DEFAULT_SOCKETWRITE_TIMEOUT_SECONDS)
{
    // No user name until one of the query functions resolves it.
    _username[0] = '\0';
}
55
/// Wrap a socket accepted on a listener that may be HTTPS.
///
/// @param socket                the operating-system socket handle to wrap.
/// @param sslcontext            non-NULL when the listener is an HTTPS one.
///                              Only its null-ness is inspected here; the
///                              context itself is not used on this platform.
/// @param sslContextObjectLock  unused on this platform.
/// @param ipAddress             unused on this platform.
///
/// _isSecure only records that an SSL context was configured for the port.
/// Whether the connection is actually protected is decided later by
/// ATTLS_zOS_query(), which asks the TCP/IP stack's AT-TLS for the
/// connection state.
MP_Socket::MP_Socket(
    SocketHandle socket,
    SSLContext * sslcontext,
    ReadWriteSem * sslContextObjectLock,
    const String& ipAddress)
    : _socket(socket),
      _userAuthenticated(false),
      _socketWriteTimeout(PEGASUS_DEFAULT_SOCKETWRITE_TIMEOUT_SECONDS)
{
    PEG_METHOD_ENTER(TRC_SSL, "MP_Socket::MP_Socket()");

    // No user name until one of the query functions resolves it.
    _username[0] = '\0';

    // An HTTPS port is recognised solely by the presence of a context.
    _isSecure = (sslcontext != NULL);

    PEG_METHOD_EXIT();
}
77
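/// Query AT-TLS (the z/OS TCP/IP stack's transparent TLS) for the state of
/// this server-side connection and decide whether it may be used.
///
/// Issues the SIOCTTLSCTL query-only ioctl and then checks, in order, the
/// AT-TLS policy status, the connection (handshake) status and the security
/// type the policy negotiated. Only a server-role policy on a connection that
/// AT-TLS reports as secure is accepted.
///
/// Side effects: when AT-TLS reports security type TTLS_SEC_SRV_CA_SAFCHK and
/// supplies a user ID, _userAuthenticated is set, _authType becomes
/// AUTH_TYPE_ZOS_ATTLS and the user ID is copied into _username (converted
/// from EBCDIC to ASCII).
///
/// @return  1  the connection is secured and usable;
///          0  the TLS handshake is still pending, the caller should retry;
///         -1  the connection must be closed (policy misconfiguration, wrong
///             handshake role, AT-TLS reset, unrecognized connection state,
///             or an unexpected ioctl error). The reason has already been
///             logged or traced.
int MP_Socket::ATTLS_zOS_query()
{
    // ioctl data structure
    struct TTLS_IOCTL ioc;
    int rcIoctl;
    int errnoIoctl;
    int errno2Ioctl;

    PEG_METHOD_ENTER(TRC_SSL, "ATTLS_zOS_query()");

    // clean the structure
    memset(&ioc,0,sizeof(ioc));
    // set used version of structure
    ioc.TTLSi_Ver = TTLS_VERSION1;
    // initialize for query only
    ioc.TTLSi_Req_Type = TTLS_QUERY_ONLY;
    // no buffer for the certificate
    ioc.TTLSi_BufferPtr = NULL;
    // will not use it
    ioc.TTLSi_BufferLen = 0;

    rcIoctl = ioctl(_socket,SIOCTTLSCTL,(char *)&ioc);
    // Capture errno and the z/OS reason code immediately, before any
    // tracing call can overwrite them.
    errnoIoctl = errno;
    errno2Ioctl =__errno2();

    if (rcIoctl < 0)
    {
        switch(errnoIoctl)
        {
            case(EINPROGRESS):
            case(EWOULDBLOCK):
            {
                PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
                    "Accept pending: %s (error code %d, reason code 0x%08X).",
                    strerror(errnoIoctl),
                    errnoIoctl,
                    errno2Ioctl));
                PEG_METHOD_EXIT();
                // accept pending
                return 0;
            }
            case(ECONNRESET):
            {
                Logger::put_l(
                    Logger::STANDARD_LOG, System::CIMSERVER,
                    Logger::INFORMATION,
                    MessageLoaderParms(
                        "Pegasus.Common.SocketzOS_inline.CONNECTION_RESET_ERROR",
                        "ATTLS reset the connection due to handshake "
                            "failure. Connection closed."));
                PEG_METHOD_EXIT();
                // close socket
                return -1;
            }
            case(ENOTCONN):
            {
                // Initialized so the trace below never reads an
                // indeterminate value if getsockopt() itself fails.
                int socket_errno = 0;
                SocketLength optlen = sizeof(int);
                if (getsockopt(_socket, SOL_SOCKET, SO_ERROR,
                        (char*)&socket_errno, &optlen) < 0)
                {
                    // Report the getsockopt() failure instead of a
                    // pending socket error we could not retrieve.
                    socket_errno = errno;
                }
                PEG_TRACE((TRC_DISCARDED_DATA, Tracer::LEVEL1,
                    "Client not connected to ATTLS. Closing socket %d : "
                    "%s (error code %d)",
                    _socket,strerror(socket_errno),socket_errno));
                PEG_METHOD_EXIT();
                // close socket
                return -1;
            }
            default:
            {
                // "%08X" of a 32-bit int is at most 8 characters plus the
                // terminator, so the 10-byte buffer is sufficient.
                char str_errno2[10];
                sprintf(str_errno2,"%08X",errno2Ioctl);
                Logger::put_l(
                    Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                    MessageLoaderParms(
                        "Pegasus.Common.SocketzOS_inline.UNEXPECTED_ERROR",
                        "An unexpected error occurs: $0 ( errno $1, reason code "
                            "0x$2 ). Connection closed.",
                        strerror(errnoIoctl),
                        errnoIoctl,
                        str_errno2));
                PEG_METHOD_EXIT();
                // close socket
                return -1;
            }
        } // end switch(errnoIoctl)
    } // -1 ioctl()

    // this should be a secured connection so
    // check the configuration of ATTLS policy.
    // Any policy state other than TTLS_POL_ENABLED means AT-TLS will not
    // protect this port; the socket is closed rather than used in the clear.
    // NOTE(review): a policy value not listed here falls through to the
    // connection-state check below, which still requires TTLS_CONN_SECURE.
    switch(ioc.TTLSi_Stat_Policy)
    {
        case(TTLS_POL_OFF):
        {
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                MessageLoaderParms(
                    "Pegasus.Common.SocketzOS_inline.POLICY_OFF",
                    "ATTLS is not active for TCP-IP stack the CIM server "
                        "is using for HTTPS connections. "
                        "Communication not secured. Connection closed."));
            PEG_METHOD_EXIT();
            // close socket
            return -1;
        }
        case(TTLS_POL_NO_POLICY):
        {
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                MessageLoaderParms(
                    "Pegasus.Common.SocketzOS_inline.NO_POLICY",
                    "There is no ATTLS policy found for the CIM server "
                        "HTTPS connections. "
                        "Communication not secured. Connection closed."));
            PEG_METHOD_EXIT();
            // close socket
            return -1;
        }
        case(TTLS_POL_NOT_ENABLED):
        {
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                MessageLoaderParms(
                    "Pegasus.Common.SocketzOS_inline.POLICY_NOT_ENABLED",
                    "ATTLS policy is not active for the CIM Server HTTPS port. "
                        "Communication not secured. Connection closed."));
            PEG_METHOD_EXIT();
            // close socket
            return -1;
        }
        case(TTLS_POL_ENABLED):
        {
            // a policy exists so it is ensured that a secured connection will
            // be established
            break;
        }
        case(TTLS_POL_APPLCNTRL):
        {
            // Application-controlled TLS would let the server decide when to
            // start TLS; this code does not implement that, so refuse.
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                MessageLoaderParms(
                    "Pegasus.Common.SocketzOS_inline.APPLCNTRL",
                    "ATTLS policy not valid for CIM Server. Set "
                        "ApplicationControlled to OFF. Connection closed."));
            PEG_METHOD_EXIT();
            // close socket
            return -1;
        }

    } // end switch(ioc.TTLSi_Stat_Policy)

    // check status of connection, configuration is ok for the CIM Server
    switch(ioc.TTLSi_Stat_Conn)
    {
        case(TTLS_CONN_NOTSECURE):
        case(TTLS_CONN_HS_INPROGRESS):
        {
            // the SSL handshake has not been finished yet, try late again.
            PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
                "ATTLS reports SSL handshake pending.");
            // Balance PEG_METHOD_ENTER like every other return path.
            PEG_METHOD_EXIT();
            // accept pending
            return 0;
        }
        case(TTLS_CONN_SECURE):
        {
            // the connection is secure
            break;
        }
        default:
        {
            // Fail closed: an unrecognized connection state must not be
            // reported as secure. Previously such a value fell through to
            // the security-type check, which could have returned 1.
            PEG_TRACE((TRC_SSL, Tracer::LEVEL1,
                "ATTLS reports unknown connection status %d. Closing socket.",
                (int)ioc.TTLSi_Stat_Conn));
            PEG_METHOD_EXIT();
            return -1;
        }
    } // end switch(ioc.TTLSi_Stat_Conn)

    // Connection is secure; now verify the negotiated security type matches
    // the server role and pick up a SAF-checked user ID if there is one.
    switch(ioc.TTLSi_Sec_Type)
    {
        case(TTLS_SEC_UNKNOWN):
        case(TTLS_SEC_CLIENT):
        {
            Logger::put_l(
                Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                MessageLoaderParms(
                    "Pegasus.Common.SocketzOS_inline.WRONG_ROLE",
                    "ATTLS policy specifies the wrong HandshakeRole for the "
                        "CIM Server HTTPS port. Communication not secured. "
                        "Connection closed."));
            PEG_METHOD_EXIT();
            // close connection
            return -1;

        }

        case(TTLS_SEC_SERVER):
        case(TTLS_SEC_SRV_CA_PASS):
        case(TTLS_SEC_SRV_CA_FULL):
        case(TTLS_SEC_SRV_CA_REQD):
        {
            // Secure, but no SAF user ID comes with the connection; the
            // caller must authenticate the client by other means.
            PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
                "ATTLS Security Type is valid but no SAFCHK.");
            PEG_METHOD_EXIT();
            // successful return
            return 1;
        }

        case(TTLS_SEC_SRV_CA_SAFCHK):
        {
            _userAuthenticated=true;
            _authType=AuthenticationInfoRep::AUTH_TYPE_ZOS_ATTLS;
            // NOTE(review): no explicit check that TTLSi_UserID_Len + 1 fits
            // _username; this relies on the EZBZTLSC field width being
            // smaller than the _username array declared in the class.
            // Confirm against that declaration.
            memcpy(_username,ioc.TTLSi_UserID,ioc.TTLSi_UserID_Len);
            _username[ioc.TTLSi_UserID_Len]=0; // null terminated string
            __e2a_s(_username); // the user name is in EBCDIC!
            PEG_TRACE((TRC_SSL, Tracer::LEVEL2,
                "ATTLS Security Type is SAFCHK. Resolved user ID \'%s\'",
                _username));
            PEG_METHOD_EXIT();
            // successful return
            return 1;

        }
    } // end switch(ioc.TTLSi_Sec_Type)
    // This should never be reached
    PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL1,
        "Received unexpected return value of ioctl(SIOCTTLSCTL).");
    PEG_METHOD_EXIT();
    return -1;
} // end ATTLS_zOS_Query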
303
|
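/// Query a local (UNIX-domain) socket for the peer's SAF identity.
///
/// Uses the SECIGET_T ioctl (z/OS 1.8 and later) to read the task-level or,
/// failing that, the process-level user ID of the peer. When one is found it
/// is copied into _username (converted from EBCDIC to ASCII),
/// _userAuthenticated is set and _authType becomes
/// AUTH_TYPE_ZOS_LOCAL_DOMIAN_SOCKET.
///
/// @return  1  normally, including when the ioctl fails: an ioctl error is
///             only traced and the connection then proceeds with the
///             authentication members left unchanged. Callers must rely on
///             _userAuthenticated, not on this return value, to decide
///             whether a user was resolved.
///         -1  the ioctl succeeded but reported neither a task- nor a
///             process-level user ID.
/// On targets older than z/OS 1.8 the function does nothing and returns 1.
int MP_Socket::LocalSocket_zOS_query()
{
    // This function is only available in z/OS 1.8 and greater
#if (__TARGET_LIB__ >= 0x41080000)

    struct __sect_s ioSec;
    int rcIoctl;
    int errnoIoctl;
    int errno2Ioctl;

    PEG_METHOD_ENTER(TRC_SSL, "LocalSocket_zOS_query()");

    // clean the structure
    memset(&ioSec,0,sizeof(ioSec));

    // Query the local socket for security information.
    rcIoctl = ioctl(_socket,SECIGET_T,(char *)&ioSec);
    // Capture errno and the z/OS reason code immediately, before any
    // tracing call can overwrite them.
    errnoIoctl = errno;
    errno2Ioctl =__errno2();

    // If an error occurs, the error is written to the trace
    // but the function will successfully return.
    if (rcIoctl < 0)
    {
        switch (errnoIoctl)
        {
            case(EBADF):
            {
                PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL1,
                    "Not a valid socket descriptor for "
                    "query local authentication.");
                break;
            }
            case(EINVAL):
            {
                PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL1,
                    "The local authentication request is not valid"
                    " or not supported on this socket.");
                break;
            }
            case(ENODEV):
            {
                PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL2,
                    "Not a local socket descriptor.");
                break;
            }
            default:
            {
                // Bug fix: the format used to read "errno $d", so the errno
                // value was consumed by the %08X conversion and the reason
                // code argument was never printed.
                PEG_TRACE((TRC_SSL, Tracer::LEVEL1,
                    "An unexpected error occurs: %s ( errno %d, reason code "
                    "0x%08X ). ",
                    strerror(errnoIoctl),
                    errnoIoctl,
                    errno2Ioctl));
                break;
            } // end default
        } // end switch errnoIoctl

        PEG_METHOD_EXIT();
        return 1;

    } // if rcIoctl < 0

    // Is client task level security information available ?
    if (ioSec.__sectt_useridlen != 0)
    {
        _userAuthenticated=true;
        _authType=AuthenticationInfoRep::AUTH_TYPE_ZOS_LOCAL_DOMIAN_SOCKET;
        // NOTE(review): no explicit check that __sectt_useridlen + 1 fits
        // _username; this relies on the system header's field width being
        // smaller than the _username array declared in the class. Confirm.
        memcpy(_username,ioSec.__sectt_userid,ioSec.__sectt_useridlen);
        // null terminated string
        _username[ioSec.__sectt_useridlen]=0;
        // the user name is in EBCDIC!
        __e2a_s(_username);
        PEG_TRACE((TRC_SSL, Tracer::LEVEL3,
            "Local Socket authentication. Resolved task level user ID \'%s\'",
            _username));
        PEG_METHOD_EXIT();
        return 1;

    }

    // Is client process level security information available ?
    if (ioSec.__sectp_useridlen != 0)
    {
        _userAuthenticated=true;
        _authType=AuthenticationInfoRep::AUTH_TYPE_ZOS_LOCAL_DOMIAN_SOCKET;
        // NOTE(review): same unchecked copy as above for __sectp_useridlen.
        memcpy(_username,ioSec.__sectp_userid,ioSec.__sectp_useridlen);
        // null terminated string
        _username[ioSec.__sectp_useridlen]=0;
        // the user name is in EBCDIC!
        __e2a_s(_username);
        PEG_TRACE((TRC_SSL, Tracer::LEVEL3,
            "Local Socket authentication. "
            "Resolved process level user ID \'%s\'",
            _username));
        PEG_METHOD_EXIT();
        return 1;

    }

    // This should never be reached
    PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL1,
        "Received unexpected return value of ioctl(SECIGET_T).");
    PEG_METHOD_EXIT();
    return -1;
#else
    return 1;
#endif // (__TARGET_LIB__ >= 0x41080000)
}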
415
417 PEGASUS_NAMESPACE_END
418 #endif
419