Attachment #80132 for bug #195644

Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.




#include "tptp/TPTPMessageHeader.h"
#include "tptp/hashtable.h"

#ifndef _WIN32
	#include <openssl/ssl.h>
#endif

#define SOCKET_LISTENER_OBJECT_ID  20001

/** instance-specific data block */

	transport_layer_data_t	agentControllerDataBlk ;
	processMessage_ptr_t    processMessage;
	tptp_object*            nexto;
	int						securityEnabled;

	/* hash table of connections for easy and fast search */
    HashTable               *  connectionTable ;


	BOOL                isForConsole ;
	
	BOOL                authenticated;
	BOOL                secured;

#ifndef _WIN32
  	SSL*    			ssl;
  	SSL_CTX* 			sslCtx;
#endif

	Lock_t				locker ; 

} request_block_t ;




  #include <unistd.h>
  #include <signal.h>
  #include <sys/wait.h>
  #include <openssl/ssl.h> 
  #include <tptp/TPTPConfig.h>
#endif


int handleCONNECT(request_block_ptr_t pBlk, char *pMsg) ;

int handleCONNECT_DATA(request_block_ptr_t pBlk, char *pMsg) ;
tptp_int32 writeData(request_block_ptr_t pBlock, char* buffer, int length); 
tptp_int32 closeConnection(request_block_ptr_t pBlock);
int closeSocket (int socket);
int handleAUTHENTICATE(request_block_ptr_t pBlk, char *pMsg) ;

BOOL vrfusrpwd(tptp_string *userid, tptp_string *password);

static int sslinit = 1;
static char* certFile = NULL;
static char* keyFile = NULL;

/**
 *********************************************************


	addBasicMsgHeader(cmd, cmdLength, &buffer, &bufferLength, flags) ;
	/* send the response */
	writeToSocket(pBlk->clientSock, buffer, bufferLength);

	if (cmd) tptp_free(cmd);
	if (buffer) tptp_free(buffer);

	return ( rc ) ;
}

#ifndef _WIN32
int setSSL(request_block_ptr_t pBlk) {
  	SSL_METHOD *meth;
  	SSL_CTX* ctx;
  	SSL*     ssl;
  	int err;
  	
	if (sslinit) {  	
  		SSL_load_error_strings();
  		SSL_library_init();
  		sslinit = 0;
	}
  	
  	meth = SSLv23_server_method();

  	ctx = SSL_CTX_new (meth);
  	if (!ctx) {
		TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "SSL: context error");
    	return -1;
    }

  	if (certFile == NULL) {
		TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "SSL: no certificate file found");
    	return -1;
  	}

  	if (SSL_CTX_use_certificate_file(ctx, certFile, SSL_FILETYPE_PEM) <= 0) {
		TPTP_LOG_DEBUG_MSG1(pBlk->pServerData, "SSL: illegal certificate file %s", certFile);
    	return -1;
  	}

  	if (keyFile == NULL) {
		TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "SSL: no key file found");
    	return -1;
  	}

  	if (SSL_CTX_use_PrivateKey_file(ctx, keyFile, SSL_FILETYPE_PEM) <= 0) {
		TPTP_LOG_DEBUG_MSG1(pBlk->pServerData, "SSL: illegal key file %s", keyFile);
    	return -1;
  	}

  	if (!SSL_CTX_check_private_key(ctx)) { 
		TPTP_LOG_DEBUG_MSG2(pBlk->pServerData, "SSL: Private key %s does not match the certificate public key %s",
			keyFile, certFile);
    	return -1;
  	}
    
  	ssl = SSL_new (ctx);
  	if (ssl < 0) {
		TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "SSL.new error");
  		return -1;
  	}
  	                          
  	SSL_set_fd (ssl, pBlk->clientSock);
  	err = SSL_accept (ssl);
	if (err < 0) {
		TPTP_LOG_DEBUG_MSG1(pBlk->pServerData, "SSL: ssl_accept error %d", SSL_get_error(ssl, err));
		return -1;
	}  	

	pBlk->sslCtx = ctx;
	pBlk->ssl = ssl;
	pBlk->secured = TRUE;

	return 0;
}
#endif

/**
 *********************************************************
 *

	TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "Socket: handle CONNECT request (Control channel).");
	pBlk->connectionType = CONTROL_CHANNEL ;

#ifndef _WIN32
	if (pBlk->pServerData->securityEnabled && !pBlk->secured) {
		processCONNECTCall(pBlk, pMsg, CONNECTION_REFUSED | SECURITY_REQUIRED);
										// no race condition here since incoming ssl request
		return setSSL(pBlk);			// will wait for processing in input buffer
	}
#endif	

	/* tell the agent controller about the new connection  */
	/*    and receive the assigned connection id           */
	pFunc = pBlk->pServerData->agentControllerDataBlk.addConnectionEntry ;

	pTab = pBlk->pServerData->connectionTable ;
	tablePut(pTab, connId, (Entry_value_ptr_t) pBlk) ;

#ifndef _WIN32
	/* CONNECT command. Go handle it. */
	if (pBlk->pServerData->securityEnabled) {
		processCONNECTCall(pBlk, pMsg, CONNECTION_COMPLETE | AUTHENTICATION_FAILED);
	}
	else {
		processCONNECTCall(pBlk, pMsg, CONNECTION_COMPLETE);
		pBlk->authenticated = TRUE;
	}
#else
	processCONNECTCall(pBlk, pMsg, CONNECTION_COMPLETE);
	pBlk->authenticated = TRUE;
#endif

	return 0 ;
}

/**
 *********************************************************
 *
 * @brief
 *    handle the AUTHENTICATE request
 *
 *********************************************************/
int handleAUTHENTICATE(request_block_ptr_t pBlk, char *pMsg) {
	char *name=NULL, *psw=NULL;
	BOOL success;

	pMsg = readStringFromBuffer(pMsg, &name);
	pMsg = readStringFromBuffer(pMsg, &psw);

	if (name != NULL && psw != NULL){
		success = vrfusrpwd(name, psw);
	}
	else{
		success = FALSE;
	}
			
	if (success) {			
		TPTP_LOG_DEBUG_MSG1(pBlk->pServerData, "User %s is authenticated", name);
	}
	else if (name != NULL) {
		TPTP_LOG_DEBUG_MSG1(pBlk->pServerData, "User %s is not authenticated", name);
	}
	else {
		TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "User <null> is not authenticated");
	}
	
	pBlk->authenticated = success;
	if (success) {
	 	processCONNECTCall(pBlk, pMsg, AUTHENTICATION_SUCCESSFUL);
	}
	else {
		processCONNECTCall(pBlk, pMsg, AUTHENTICATION_FAILED);
	}

	if (name != NULL) tptp_free(name);
	if (psw != NULL) tptp_free(psw);
	
	return 0 ;
}



	TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "Socket: handle CONNECT_DATA/CONNECT_CONSOLE request (Data channel).");

#ifndef _WIN32	
	if (pBlk->pServerData->securityEnabled && !pBlk->secured) {
		processCONNECTCall(pBlk, pMsg, CONNECTION_REFUSED | SECURITY_REQUIRED);
										// no race condition here since incoming ssl request
		return setSSL(pBlk);			// will wait for processing in input buffer 
	}
#endif

	pBlk->connectionType = DATA_CHANNEL ;

	/* tell the agent controller about the new connection  */

		/* prevent it from forwarding to the AC */
		pMsg = NULL ;
	}
#ifndef _WIN32	
	else if (pBlk->pServerData->securityEnabled && !pBlk->secured) { 
		pMsg = NULL ;
	}
	else if ((flags & AUTHENTICATE) != 0) {
		handleAUTHENTICATE(pBlk, pMsg) ;

		/* prevent it from forwarding to the AC */
		pMsg = NULL ;
	}
	else if (pBlk->pServerData->securityEnabled && !pBlk->authenticated) {
		processCONNECTCall(pBlk, pMsg, AUTHENTICATION_FAILED);
		pMsg = NULL ;
	}
#endif	
	else if ((flags & DISCONNECT) != 0)
	{
		handleDISCONNECT(pBlk, pMsg) ;

	return ( bytesToBeProcessed ) ;
}

#ifndef _WIN32

int recvData (request_block_ptr_t pRdb, char *buffer, int length, int *bytesRead) {
	int result;
	if (pRdb->secured) {
		 result = SSL_read (pRdb->ssl, buffer, length);
		 *bytesRead = result;
	}
	else {
		result = readFromSocket(pRdb->clientSock, buffer, length, bytesRead);
	}
		
	return result;
}

#else

int recvData (request_block_ptr_t pRdb, char *buffer, int length, int *bytesRead) {
	return readFromSocket(pRdb->clientSock, buffer, length, bytesRead);
}

#endif

/**
 *********************************************************
 *


		/* Another message might come in while we're processing
		 *    so we read until the pipe is empty                 */
		while ( (rc = readFromSocket(pRdb->clientSock, buffer, bufferLength, &bytesRead)) > 0)
		{
			TPTP_LOG_DEBUG_MSG1(pRdb->pServerData, "Socket processClientRequest: Read %d bytes.", bytesRead) ;



	pRequestDataBlock->isForConsole = FALSE ;
	
	pRequestDataBlock->authenticated = FALSE;
	pRequestDataBlock->secured = FALSE;

#ifndef _WIN32
	pRequestDataBlock->ssl = NULL;
	pRequestDataBlock->sslCtx = NULL;
#endif	

	pRequestDataBlock->pSendFunc = NULL ;

	tptp_initializeLock( & pRequestDataBlock->locker );

	return ( 0 );
}

int getACHome (char* buf, int len) {
	char* acHome;
	
	acHome = getenv(CONFIGURATION_HOME);
	if (acHome != NULL) {
		strncpy(buf, acHome, len);
		return 0;
	}
	
#ifdef _WIN32
	acHome = _getcwd(buf, 1024);
	if (acHome == NULL) return -1;

	strcat(buf, "\\..");
#else
	acHome = getcwd(buf, 1024);
	if (acHome == NULL) return -1;

	strcat(buf, "/..");
#endif
	
	return 0;
}

int initSSL() {
	char buf[1024];
	
	if (getACHome(buf, 1024) < 0) {
		certFile = (char*) malloc(strlen(CERTF) + 1);
		strcpy(certFile, CERTF);
		
		keyFile = (char*) malloc(strlen(KEYF) + 1);
		strcpy(keyFile, CERTF);
	}
	else {
#ifdef _WIN32
		strcat(buf, "\\security\\");
#else
		strcat(buf, "/security/");
#endif		

		certFile = (char*) malloc(strlen(buf) + strlen(CERTF) + 1);
		strcpy(certFile, buf);
		strcat(certFile, CERTF);

		keyFile = (char*) malloc(strlen(buf) + strlen(KEYF) + 1);
		strcpy(keyFile, buf);
		strcat(keyFile, KEYF);
	}
	
	return 0;	
}

/**
 *********************************************************
 *

{
	int       rc = 0 ;

	initSSL();
	
	rc = initForSocketCalls() ;

	if (rc == 0)

		if (rc != -1) 
		{
			pServerData->port = socketInfo.portNumber;
			pServerData->securityEnabled = socketInfo.securityEnabled; 
		} 
		else 
		{
			pServerData->port = DEFAULT_PORT_NUM;
			pServerData->securityEnabled = 0;
		}

		tlo->data = pServerData;

tptp_int32 closeConnection(request_block_ptr_t pBlock) {
	if (pBlock == NULL) return -1;

#ifndef _WIN32	
	if (pBlock->ssl != NULL) { 
		SSL_free(pBlock->ssl);  
		pBlock->ssl = NULL; 
	}
	
	if (pBlock->sslCtx != NULL) { 
		SSL_CTX_free(pBlock->sslCtx);  
		pBlock->sslCtx = NULL; 
	}
#endif
	
  	pBlock->secured = FALSE;
  	
  	return closeSocket(pBlock->clientSock);
}


	return ( sendThisMessage(pServerData, connectionID, cmdSize, pCmdBlock, TRUE ) ) ;
}

#ifndef _WIN32

tptp_int32 writeData(request_block_ptr_t pBlock, char* buffer, int length) { 
	if (pBlock->secured) {
		return SSL_write(pBlock->ssl, buffer, length);
	}
	else {
		return writeToSocket(pBlock->clientSock, buffer, length);
	}
}

#else

tptp_int32 writeData(request_block_ptr_t pBlock, char* buffer, int length) { 
	return writeToSocket(pBlock->clientSock, buffer, length);
}

#endif

/**
 *********************************************************
 *

	tptp_getWriteLock( & pBlock->locker );

	/* go send the message */
	bytesSent = writeToSocket(pBlock->clientSock, pSendBuffer, bufferLength);
	if (bytesSent < 0)
	{
		TPTP_LOG_ERROR_MSG1(pServerData, "Socket: Failed to send data on connection ID %d", connectionID);

	if (pBlock == NULL) return -1;

	/* go send the message */
	bytesSent = writeToSocket(pBlock->clientSock, pDataBlock, dataSize); 
	if (bytesSent < 0)
	{
		TPTP_LOG_ERROR_MSG1(pServerData,"Socket: Failed to send data on connection ID %d", connectionID);

	return (forwardDataToPartner(pBlk, dataLen, pBuffer)) ;
}

/*
 * --------------------------------------------------------------------------------
 * All the platform-dependent vrfusrpwd() functions below
 * --------------------------------------------------------------------------------
 */


#if defined(_WIN32)
/*
 *	Windows/IA32 section, in-process authentication
 */
BOOL vrfusrpwd(tptp_string *userid, tptp_string *password) {
	HANDLE handle;

	return LogonUser(userid, NULL, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &handle);
}
#elif defined(__MVS__)
/*
 *	OS/390 section, in-process authentication. BPX.DAEMON is needed.
 */
BOOL vrfusrpwd(tptp_string *userid, tptp_string *password) {
	return __passwd(userid, password, NULL) ? FALSE : TRUE;
}
#elif defined(__OS400__)
/*
 *	OS/400 section, in-process authentication
 */
BOOL vrfusrpwd(tptp_string *userid, tptp_string *password) {
	struct error_code_t errorCode;
	char profileHandle[12];  /* profile handle, required by QSYGETPH API */
	char useridBuf[10] = "          ";

	/* In descrypted case, the password is in code page of 437 */
	errorCode.bytesProvided = 64;
	errorCode.bytesAvailable = 0;

	if(userid[0] == '*') {
		return FALSE;
	}
	else if(strlen(userid) > 10) {
		return FALSE;
	}
	else {
		int i;
		for(i = 0; i < strlen(userid); i++) {
			useridBuf[i] = toupper(userid[i]); /* change it all to upper case */
		}
	}

	QSYGETPH(useridBuf, password, profileHandle, &errorCode, strlen(password), 37); /* CCSID of password is 37 (EBCDIC) */

	if(errorCode.bytesAvailable > 0) {
		char *exc = (char*)ra_malloc(sizeof(char) * 8);
		BZERO(exc, 8);
		strncpy(exc, errorCode.exceptionID, 7);
		ra_free(exc);

		return FALSE;
	}
	else {
		return TRUE;  /* authentication successful */
	}
}
#else /* non-Windows, non-OS/400 */
/*
 * Launch a separate process to authenticate user name and password
 */
BOOL vrfusrpwd(tptp_string *userid, tptp_string *password) {
	FILE *fp;
	BOOL success = FALSE;
	char *serverHome;
	char *authCmd;
	int authLen;
	int status;
	int rc = 0;

	struct sigaction ignoreHandler; /* Use this handler for bypassing pre-configured signal handler */
	struct sigaction oldHandler; /* Used to temporary storing the configured signal handler */

	serverHome = getCacheEnv("default", "RASERVER_HOME");
	/* Do not pass user ID and password since they will be shown by running 'ps' */
	authLen = strlen(serverHome) + 1 + strlen("bin") + 1 + strlen("ChkPass") + 1; /* Bug 168705 : need a null at the end for strcat() */
	authCmd = (char*)malloc(sizeof(char) * authLen);
	BZERO(authCmd, authLen);
	strcpy(authCmd, serverHome);
	strcat(authCmd, "/");
	strcat(authCmd, "bin");
	strcat(authCmd, "/");
	strcat(authCmd, "ChkPass");

	/* Disable default SIGCHLD handler since system() call doesn't work with user-supplied signal handlers */
	BZERO(&ignoreHandler, sizeof(struct sigaction));
	BZERO(&oldHandler, sizeof(struct sigaction));

	ignoreHandler.sa_handler = SIG_DFL; /* Reset to default SIGCHLD handler */
	sigaction(SIGCHLD, &ignoreHandler, &oldHandler); /* Store the previous signal handler */

	fp = popen(authCmd, "w");
	fprintf(fp, "%s\n", userid);
	fprintf(fp, "%s\n", password);
	status = pclose(fp);
	if(WIFEXITED(status)) {
		rc = WEXITSTATUS(status);
	}

	if(rc == 100) { /* 100 indicates success */
		success = TRUE;
	}
	else {
		success = FALSE;
	}

	/* Re-enable the user-specified SIGCHLD handler */
	sigaction(SIGCHLD, &oldHandler, NULL);

	free(authCmd);

	return success;
}

#endif

#ifdef __linux__
int closeSocket (int socket) {
	struct linger linger;

Lines 44-50 Link Here

(-)src-native-new/src/transport/socketTL/SocketTL.make (-1 / +1 lines)
44	# list of additional libraries to be linked with	44	# list of additional libraries to be linked with
45	# (separated by blanks)	45	# (separated by blanks)
46	#-----------------------------------	46	#-----------------------------------
47	LIBS := dl tptpUtils transportSupport ssl	47	LIBS := dl tptpUtils transportSupport
48		48
49	#-----------------------------------	49	#-----------------------------------
50	# list of additional library directories to search from	50	# list of additional library directories to search from




	
$KEYTOOL -genkey -alias sample -keyalg RSA -sigalg MD5withRSA -dname "CN=Sample, OU=Sample, O=Sample, C=US" -validity 3650 -keypass $PASSWORD -storetype jks -keystore $KEYSTORE -storepass $PASSWORD
$KEYTOOL -export -alias sample -file $CERT -keystore $KEYSTORE -storepass $PASSWORD

CERTF=cert.pem
KEYF=key.pem
REQF=req.pem
LOG=openssl.log

echo `date` > $LOG
openssl genrsa -out $KEYF 1024 >> $LOG 2>&1
openssl req -new -key $KEYF -out $REQF -batch >> $LOG 2>&1
openssl x509 -req -in $REQF -signkey $KEYF -out $CERTF >> $LOG 2>&1

Lines 29-35 Link Here

(-)src-native-new/src/agentController/AgentController.make (-1 / +1 lines)
29	# (separated by blanks)	29	# (separated by blanks)
30	#-----------------------------------	30	#-----------------------------------
31		31
32	LIBS := tptpUtils tptpLogUtils tptpConfig processControlUtil xerces-c pthread ssl	32	LIBS := tptpUtils tptpLogUtils tptpConfig processControlUtil xerces-c pthread
33		33
34	#-----------------------------------	34	#-----------------------------------
35	# list of additional library directories to search from	35	# list of additional library directories to search from

Return to bug 195644

Lines 22-31 Link Here

(-)src-native-new/src/transport/socketTL/SocketListener.h (-13 lines)
22	#include "tptp/TPTPMessageHeader.h"	22	#include "tptp/TPTPMessageHeader.h"
23	#include "tptp/hashtable.h"	23	#include "tptp/hashtable.h"
24		24
25	#ifndef _WIN32
26	#include <openssl/ssl.h>
27	#endif
28
29	#define SOCKET_LISTENER_OBJECT_ID 20001	25	#define SOCKET_LISTENER_OBJECT_ID 20001
30		26
31	/** instance-specific data block */	27	/** instance-specific data block */
Lines 37-43 Link Here
37	transport_layer_data_t agentControllerDataBlk ;	33	transport_layer_data_t agentControllerDataBlk ;
38	processMessage_ptr_t processMessage;	34	processMessage_ptr_t processMessage;
39	tptp_object* nexto;	35	tptp_object* nexto;
40	int securityEnabled;
41		36
42	/* hash table of connections for easy and fast search */	37	/* hash table of connections for easy and fast search */
43	HashTable * connectionTable ;	38	HashTable * connectionTable ;
Lines 205-218 Link Here
205		200
206	BOOL isForConsole ;	201	BOOL isForConsole ;
207		202
208	BOOL authenticated;
209	BOOL secured;
210
211	#ifndef _WIN32
212	SSL* ssl;
213	SSL_CTX* sslCtx;
214	#endif
215
216	Lock_t locker ;	203	Lock_t locker ;
217		204
218	} request_block_t ;	205	} request_block_t ;

Lines 67-73 Link Here

(-)src-native-new/src/transport/socketTL/SocketListener.c (-412 / +4 lines)
67	#include <unistd.h>	67	#include <unistd.h>
68	#include <signal.h>	68	#include <signal.h>
69	#include <sys/wait.h>	69	#include <sys/wait.h>
70	#include <openssl/ssl.h>
71	#include <tptp/TPTPConfig.h>	70	#include <tptp/TPTPConfig.h>
72	#endif	71	#endif
73		72
Lines 112-127 Link Here
112	int handleCONNECT(request_block_ptr_t pBlk, char *pMsg) ;	111	int handleCONNECT(request_block_ptr_t pBlk, char *pMsg) ;
113		112
114	int handleCONNECT_DATA(request_block_ptr_t pBlk, char *pMsg) ;	113	int handleCONNECT_DATA(request_block_ptr_t pBlk, char *pMsg) ;
115	tptp_int32 writeData(request_block_ptr_t pBlock, char* buffer, int length);
116	tptp_int32 closeConnection(request_block_ptr_t pBlock);	114	tptp_int32 closeConnection(request_block_ptr_t pBlock);
117	int closeSocket (int socket);	115	int closeSocket (int socket);
118	int handleAUTHENTICATE(request_block_ptr_t pBlk, char *pMsg) ;
119
120	BOOL vrfusrpwd(tptp_string userid, tptp_string password);
121
122	static int sslinit = 1;
123	static char* certFile = NULL;
124	static char* keyFile = NULL;
125		116
126	/**	117	/**
127	*********************************************************	118	*********************************************************
Lines 171-177 Link Here
171		162
172	addBasicMsgHeader(cmd, cmdLength, &buffer, &bufferLength, flags) ;	163	addBasicMsgHeader(cmd, cmdLength, &buffer, &bufferLength, flags) ;
173	/* send the response */	164	/* send the response */
174	writeData(pBlk, buffer, bufferLength);	165	writeToSocket(pBlk->clientSock, buffer, bufferLength);
175		166
176	if (cmd) tptp_free(cmd);	167	if (cmd) tptp_free(cmd);
177	if (buffer) tptp_free(buffer);	168	if (buffer) tptp_free(buffer);
Lines 179-252 Link Here
179	return ( rc ) ;	170	return ( rc ) ;
180	}	171	}
181		172
182	#ifndef _WIN32
183	int setSSL(request_block_ptr_t pBlk) {
184	SSL_METHOD *meth;
185	SSL_CTX* ctx;
186	SSL* ssl;
187	int err;
188
189	if (sslinit) {
190	SSL_load_error_strings();
191	SSL_library_init();
192	sslinit = 0;
193	}
194
195	meth = SSLv23_server_method();
196
197	ctx = SSL_CTX_new (meth);
198	if (!ctx) {
199	TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "SSL: context error");
200	return -1;
201	}
202
203	if (certFile == NULL) {
204	TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "SSL: no certificate file found");
205	return -1;
206	}
207
208	if (SSL_CTX_use_certificate_file(ctx, certFile, SSL_FILETYPE_PEM) <= 0) {
209	TPTP_LOG_DEBUG_MSG1(pBlk->pServerData, "SSL: illegal certificate file %s", certFile);
210	return -1;
211	}
212
213	if (keyFile == NULL) {
214	TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "SSL: no key file found");
215	return -1;
216	}
217
218	if (SSL_CTX_use_PrivateKey_file(ctx, keyFile, SSL_FILETYPE_PEM) <= 0) {
219	TPTP_LOG_DEBUG_MSG1(pBlk->pServerData, "SSL: illegal key file %s", keyFile);
220	return -1;
221	}
222
223	if (!SSL_CTX_check_private_key(ctx)) {
224	TPTP_LOG_DEBUG_MSG2(pBlk->pServerData, "SSL: Private key %s does not match the certificate public key %s",
225	keyFile, certFile);
226	return -1;
227	}
228
229	ssl = SSL_new (ctx);
230	if (ssl < 0) {
231	TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "SSL.new error");
232	return -1;
233	}
234
235	SSL_set_fd (ssl, pBlk->clientSock);
236	err = SSL_accept (ssl);
237	if (err < 0) {
238	TPTP_LOG_DEBUG_MSG1(pBlk->pServerData, "SSL: ssl_accept error %d", SSL_get_error(ssl, err));
239	return -1;
240	}
241
242	pBlk->sslCtx = ctx;
243	pBlk->ssl = ssl;
244	pBlk->secured = TRUE;
245
246	return 0;
247	}
248	#endif
249
250	/**	173	/**
251	*********************************************************	174	*********************************************************
252	*	175	*
Lines 264-277 Link Here
264	TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "Socket: handle CONNECT request (Control channel).");	187	TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "Socket: handle CONNECT request (Control channel).");
265	pBlk->connectionType = CONTROL_CHANNEL ;	188	pBlk->connectionType = CONTROL_CHANNEL ;
266		189
267	#ifndef _WIN32
268	if (pBlk->pServerData->securityEnabled && !pBlk->secured) {
269	processCONNECTCall(pBlk, pMsg, CONNECTION_REFUSED \| SECURITY_REQUIRED);
270	// no race condition here since incoming ssl request
271	return setSSL(pBlk); // will wait for processing in input buffer
272	}
273	#endif
274
275	/* tell the agent controller about the new connection */	190	/* tell the agent controller about the new connection */
276	/* and receive the assigned connection id */	191	/* and receive the assigned connection id */
277	pFunc = pBlk->pServerData->agentControllerDataBlk.addConnectionEntry ;	192	pFunc = pBlk->pServerData->agentControllerDataBlk.addConnectionEntry ;
Lines 288-352 Link Here
288	pTab = pBlk->pServerData->connectionTable ;	203	pTab = pBlk->pServerData->connectionTable ;
289	tablePut(pTab, connId, (Entry_value_ptr_t) pBlk) ;	204	tablePut(pTab, connId, (Entry_value_ptr_t) pBlk) ;
290		205
291	#ifndef _WIN32
292	/* CONNECT command. Go handle it. */
293	if (pBlk->pServerData->securityEnabled) {
294	processCONNECTCall(pBlk, pMsg, CONNECTION_COMPLETE \| AUTHENTICATION_FAILED);
295	}
296	else {
297	processCONNECTCall(pBlk, pMsg, CONNECTION_COMPLETE);
298	pBlk->authenticated = TRUE;
299	}
300	#else
301	processCONNECTCall(pBlk, pMsg, CONNECTION_COMPLETE);	206	processCONNECTCall(pBlk, pMsg, CONNECTION_COMPLETE);
302	pBlk->authenticated = TRUE;
303	#endif
304
305	return 0 ;
306	}
307
308	/**
309	*********************************************************
310	*
311	* @brief
312	* handle the AUTHENTICATE request
313	*
314	*********************************************************/
315	int handleAUTHENTICATE(request_block_ptr_t pBlk, char *pMsg) {
316	char name=NULL, psw=NULL;
317	BOOL success;
318
319	pMsg = readStringFromBuffer(pMsg, &name);
320	pMsg = readStringFromBuffer(pMsg, &psw);
321
322	if (name != NULL && psw != NULL){
323	success = vrfusrpwd(name, psw);
324	}
325	else{
326	success = FALSE;
327	}
328
329	if (success) {
330	TPTP_LOG_DEBUG_MSG1(pBlk->pServerData, "User %s is authenticated", name);
331	}
332	else if (name != NULL) {
333	TPTP_LOG_DEBUG_MSG1(pBlk->pServerData, "User %s is not authenticated", name);
334	}
335	else {
336	TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "User <null> is not authenticated");
337	}
338
339	pBlk->authenticated = success;
340	if (success) {
341	processCONNECTCall(pBlk, pMsg, AUTHENTICATION_SUCCESSFUL);
342	}
343	else {
344	processCONNECTCall(pBlk, pMsg, AUTHENTICATION_FAILED);
345	}
346		207
347	if (name != NULL) tptp_free(name);
348	if (psw != NULL) tptp_free(psw);
349
350	return 0 ;	208	return 0 ;
351	}	209	}
352		210
Lines 366-379 Link Here
366		224
367	TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "Socket: handle CONNECT_DATA/CONNECT_CONSOLE request (Data channel).");	225	TPTP_LOG_DEBUG_MSG(pBlk->pServerData, "Socket: handle CONNECT_DATA/CONNECT_CONSOLE request (Data channel).");
368		226
369	#ifndef _WIN32
370	if (pBlk->pServerData->securityEnabled && !pBlk->secured) {
371	processCONNECTCall(pBlk, pMsg, CONNECTION_REFUSED \| SECURITY_REQUIRED);
372	// no race condition here since incoming ssl request
373	return setSSL(pBlk); // will wait for processing in input buffer
374	}
375	#endif
376
377	pBlk->connectionType = DATA_CHANNEL ;	227	pBlk->connectionType = DATA_CHANNEL ;
378		228
379	/* tell the agent controller about the new connection */	229	/* tell the agent controller about the new connection */
Lines 477-497 Link Here
477	/* prevent it from forwarding to the AC */	327	/* prevent it from forwarding to the AC */
478	pMsg = NULL ;	328	pMsg = NULL ;
479	}	329	}
480	#ifndef _WIN32
481	else if (pBlk->pServerData->securityEnabled && !pBlk->secured) {
482	pMsg = NULL ;
483	}
484	else if ((flags & AUTHENTICATE) != 0) {
485	handleAUTHENTICATE(pBlk, pMsg) ;
486
487	/* prevent it from forwarding to the AC */
488	pMsg = NULL ;
489	}
490	else if (pBlk->pServerData->securityEnabled && !pBlk->authenticated) {
491	processCONNECTCall(pBlk, pMsg, AUTHENTICATION_FAILED);
492	pMsg = NULL ;
493	}
494	#endif
495	else if ((flags & DISCONNECT) != 0)	330	else if ((flags & DISCONNECT) != 0)
496	{	331	{
497	handleDISCONNECT(pBlk, pMsg) ;	332	handleDISCONNECT(pBlk, pMsg) ;
Lines 690-718 Link Here
690	return ( bytesToBeProcessed ) ;	525	return ( bytesToBeProcessed ) ;
691	}	526	}
692		527
693	#ifndef _WIN32
694
695	int recvData (request_block_ptr_t pRdb, char buffer, int length, int bytesRead) {
696	int result;
697	if (pRdb->secured) {
698	result = SSL_read (pRdb->ssl, buffer, length);
699	*bytesRead = result;
700	}
701	else {
702	result = readFromSocket(pRdb->clientSock, buffer, length, bytesRead);
703	}
704
705	return result;
706	}
707
708	#else
709
710	int recvData (request_block_ptr_t pRdb, char buffer, int length, int bytesRead) {
711	return readFromSocket(pRdb->clientSock, buffer, length, bytesRead);
712	}
713
714	#endif
715
716	/**	528	/**
717	*********************************************************	529	*********************************************************
718	*	530	*
Lines 748-754 Link Here
748		560
749	/* Another message might come in while we're processing	561	/* Another message might come in while we're processing
750	* so we read until the pipe is empty */	562	* so we read until the pipe is empty */
751	while ( (rc = recvData(pRdb, buffer, bufferLength, &bytesRead)) > 0)	563	while ( (rc = readFromSocket(pRdb->clientSock, buffer, bufferLength, &bytesRead)) > 0)
752	{	564	{
753	TPTP_LOG_DEBUG_MSG1(pRdb->pServerData, "Socket processClientRequest: Read %d bytes.", bytesRead) ;	565	TPTP_LOG_DEBUG_MSG1(pRdb->pServerData, "Socket processClientRequest: Read %d bytes.", bytesRead) ;
754		566
Lines 807-820 Link Here
807		619
808	pRequestDataBlock->isForConsole = FALSE ;	620	pRequestDataBlock->isForConsole = FALSE ;
809		621
810	pRequestDataBlock->authenticated = FALSE;
811	pRequestDataBlock->secured = FALSE;
812
813	#ifndef _WIN32
814	pRequestDataBlock->ssl = NULL;
815	pRequestDataBlock->sslCtx = NULL;
816	#endif
817
818	pRequestDataBlock->pSendFunc = NULL ;	622	pRequestDataBlock->pSendFunc = NULL ;
819		623
820	tptp_initializeLock( & pRequestDataBlock->locker );	624	tptp_initializeLock( & pRequestDataBlock->locker );
Lines 915-973 Link Here
915	return ( 0 );	719	return ( 0 );
916	}	720	}
917		721
918	int getACHome (char* buf, int len) {
919	char* acHome;
920
921	acHome = getenv(CONFIGURATION_HOME);
922	if (acHome != NULL) {
923	strncpy(buf, acHome, len);
924	return 0;
925	}
926
927	#ifdef _WIN32
928	acHome = _getcwd(buf, 1024);
929	if (acHome == NULL) return -1;
930
931	strcat(buf, "\\..");
932	#else
933	acHome = getcwd(buf, 1024);
934	if (acHome == NULL) return -1;
935
936	strcat(buf, "/..");
937	#endif
938
939	return 0;
940	}
941
942	int initSSL() {
943	char buf[1024];
944
945	if (getACHome(buf, 1024) < 0) {
946	certFile = (char*) malloc(strlen(CERTF) + 1);
947	strcpy(certFile, CERTF);
948
949	keyFile = (char*) malloc(strlen(KEYF) + 1);
950	strcpy(keyFile, CERTF);
951	}
952	else {
953	#ifdef _WIN32
954	strcat(buf, "\\security\\");
955	#else
956	strcat(buf, "/security/");
957	#endif
958
959	certFile = (char*) malloc(strlen(buf) + strlen(CERTF) + 1);
960	strcpy(certFile, buf);
961	strcat(certFile, CERTF);
962
963	keyFile = (char*) malloc(strlen(buf) + strlen(KEYF) + 1);
964	strcpy(keyFile, buf);
965	strcat(keyFile, KEYF);
966	}
967
968	return 0;
969	}
970
971	/**	722	/**
972	*********************************************************	723	*********************************************************
973	*	724	*
Lines 982-989 Link Here
982	{	733	{
983	int rc = 0 ;	734	int rc = 0 ;
984		735
985	initSSL();
986
987	rc = initForSocketCalls() ;	736	rc = initForSocketCalls() ;
988		737
989	if (rc == 0)	738	if (rc == 0)
Lines 1004-1015 Link Here
1004	if (rc != -1)	753	if (rc != -1)
1005	{	754	{
1006	pServerData->port = socketInfo.portNumber;	755	pServerData->port = socketInfo.portNumber;
1007	pServerData->securityEnabled = socketInfo.securityEnabled;
1008	}	756	}
1009	else	757	else
1010	{	758	{
1011	pServerData->port = DEFAULT_PORT_NUM;	759	pServerData->port = DEFAULT_PORT_NUM;
1012	pServerData->securityEnabled = 0;
1013	}	760	}
1014		761
1015	tlo->data = pServerData;	762	tlo->data = pServerData;
Lines 1111-1130 Link Here
1111	tptp_int32 closeConnection(request_block_ptr_t pBlock) {	858	tptp_int32 closeConnection(request_block_ptr_t pBlock) {
1112	if (pBlock == NULL) return -1;	859	if (pBlock == NULL) return -1;
1113		860
1114	#ifndef _WIN32
1115	if (pBlock->ssl != NULL) {
1116	SSL_free(pBlock->ssl);
1117	pBlock->ssl = NULL;
1118	}
1119
1120	if (pBlock->sslCtx != NULL) {
1121	SSL_CTX_free(pBlock->sslCtx);
1122	pBlock->sslCtx = NULL;
1123	}
1124	#endif
1125
1126	pBlock->secured = FALSE;
1127
1128	return closeSocket(pBlock->clientSock);	861	return closeSocket(pBlock->clientSock);
1129	}	862	}
1130		863
Lines 1172-1196 Link Here
1172	return ( sendThisMessage(pServerData, connectionID, cmdSize, pCmdBlock, TRUE ) ) ;	905	return ( sendThisMessage(pServerData, connectionID, cmdSize, pCmdBlock, TRUE ) ) ;
1173	}	906	}
1174		907
1175	#ifndef _WIN32
1176
1177	tptp_int32 writeData(request_block_ptr_t pBlock, char* buffer, int length) {
1178	if (pBlock->secured) {
1179	return SSL_write(pBlock->ssl, buffer, length);
1180	}
1181	else {
1182	return writeToSocket(pBlock->clientSock, buffer, length);
1183	}
1184	}
1185
1186	#else
1187
1188	tptp_int32 writeData(request_block_ptr_t pBlock, char* buffer, int length) {
1189	return writeToSocket(pBlock->clientSock, buffer, length);
1190	}
1191
1192	#endif
1193
1194	/**	908	/**
1195	*********************************************************	909	*********************************************************
1196	*	910	*
Lines 1237-1243 Link Here
1237	tptp_getWriteLock( & pBlock->locker );	951	tptp_getWriteLock( & pBlock->locker );
1238		952
1239	/* go send the message */	953	/* go send the message */
1240	bytesSent = writeData(pBlock, pSendBuffer, bufferLength);	954	bytesSent = writeToSocket(pBlock->clientSock, pSendBuffer, bufferLength);
1241	if (bytesSent < 0)	955	if (bytesSent < 0)
1242	{	956	{
1243	TPTP_LOG_ERROR_MSG1(pServerData, "Socket: Failed to send data on connection ID %d", connectionID);	957	TPTP_LOG_ERROR_MSG1(pServerData, "Socket: Failed to send data on connection ID %d", connectionID);
Lines 1481-1487 Link Here
1481	if (pBlock == NULL) return -1;	1195	if (pBlock == NULL) return -1;
1482		1196
1483	/* go send the message */	1197	/* go send the message */
1484	bytesSent = writeData(pBlock, pDataBlock, dataSize);	1198	bytesSent = writeToSocket(pBlock->clientSock, pDataBlock, dataSize);
1485	if (bytesSent < 0)	1199	if (bytesSent < 0)
1486	{	1200	{
1487	TPTP_LOG_ERROR_MSG1(pServerData,"Socket: Failed to send data on connection ID %d", connectionID);	1201	TPTP_LOG_ERROR_MSG1(pServerData,"Socket: Failed to send data on connection ID %d", connectionID);
Lines 1547-1674 Link Here
1547	return (forwardDataToPartner(pBlk, dataLen, pBuffer)) ;	1261	return (forwardDataToPartner(pBlk, dataLen, pBuffer)) ;
1548	}	1262	}
1549		1263
1550	/*
1551	* --------------------------------------------------------------------------------
1552	* All the platform-dependent vrfusrpwd() functions below
1553	* --------------------------------------------------------------------------------
1554	*/
1555
1556
1557	#if defined(_WIN32)
1558	/*
1559	* Windows/IA32 section, in-process authentication
1560	*/
1561	BOOL vrfusrpwd(tptp_string userid, tptp_string password) {
1562	HANDLE handle;
1563
1564	return LogonUser(userid, NULL, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &handle);
1565	}
1566	#elif defined(__MVS__)
1567	/*
1568	* OS/390 section, in-process authentication. BPX.DAEMON is needed.
1569	*/
1570	BOOL vrfusrpwd(tptp_string userid, tptp_string password) {
1571	return __passwd(userid, password, NULL) ? FALSE : TRUE;
1572	}
1573	#elif defined(__OS400__)
1574	/*
1575	* OS/400 section, in-process authentication
1576	*/
1577	BOOL vrfusrpwd(tptp_string userid, tptp_string password) {
1578	struct error_code_t errorCode;
1579	char profileHandle[12]; /* profile handle, required by QSYGETPH API */
1580	char useridBuf[10] = " ";
1581
1582	/* In descrypted case, the password is in code page of 437 */
1583	errorCode.bytesProvided = 64;
1584	errorCode.bytesAvailable = 0;
1585
1586	if(userid[0] == '*') {
1587	return FALSE;
1588	}
1589	else if(strlen(userid) > 10) {
1590	return FALSE;
1591	}
1592	else {
1593	int i;
1594	for(i = 0; i < strlen(userid); i++) {
1595	useridBuf[i] = toupper(userid[i]); /* change it all to upper case */
1596	}
1597	}
1598
1599	QSYGETPH(useridBuf, password, profileHandle, &errorCode, strlen(password), 37); /* CCSID of password is 37 (EBCDIC) */
1600
1601	if(errorCode.bytesAvailable > 0) {
1602	char exc = (char)ra_malloc(sizeof(char) * 8);
1603	BZERO(exc, 8);
1604	strncpy(exc, errorCode.exceptionID, 7);
1605	ra_free(exc);
1606
1607	return FALSE;
1608	}
1609	else {
1610	return TRUE; /* authentication successful */
1611	}
1612	}
1613	#else /* non-Windows, non-OS/400 */
1614	/*
1615	* Launch a separate process to authenticate user name and password
1616	*/
1617	BOOL vrfusrpwd(tptp_string userid, tptp_string password) {
1618	FILE *fp;
1619	BOOL success = FALSE;
1620	char *serverHome;
1621	char *authCmd;
1622	int authLen;
1623	int status;
1624	int rc = 0;
1625
1626	struct sigaction ignoreHandler; /* Use this handler for bypassing pre-configured signal handler */
1627	struct sigaction oldHandler; /* Used to temporary storing the configured signal handler */
1628
1629	serverHome = getCacheEnv("default", "RASERVER_HOME");
1630	/* Do not pass user ID and password since they will be shown by running 'ps' */
1631	authLen = strlen(serverHome) + 1 + strlen("bin") + 1 + strlen("ChkPass") + 1; /* Bug 168705 : need a null at the end for strcat() */
1632	authCmd = (char)malloc(sizeof(char) authLen);
1633	BZERO(authCmd, authLen);
1634	strcpy(authCmd, serverHome);
1635	strcat(authCmd, "/");
1636	strcat(authCmd, "bin");
1637	strcat(authCmd, "/");
1638	strcat(authCmd, "ChkPass");
1639
1640	/* Disable default SIGCHLD handler since system() call doesn't work with user-supplied signal handlers */
1641	BZERO(&ignoreHandler, sizeof(struct sigaction));
1642	BZERO(&oldHandler, sizeof(struct sigaction));
1643
1644	ignoreHandler.sa_handler = SIG_DFL; /* Reset to default SIGCHLD handler */
1645	sigaction(SIGCHLD, &ignoreHandler, &oldHandler); /* Store the previous signal handler */
1646
1647	fp = popen(authCmd, "w");
1648	fprintf(fp, "%s\n", userid);
1649	fprintf(fp, "%s\n", password);
1650	status = pclose(fp);
1651	if(WIFEXITED(status)) {
1652	rc = WEXITSTATUS(status);
1653	}
1654
1655	if(rc == 100) { /* 100 indicates success */
1656	success = TRUE;
1657	}
1658	else {
1659	success = FALSE;
1660	}
1661
1662	/* Re-enable the user-specified SIGCHLD handler */
1663	sigaction(SIGCHLD, &oldHandler, NULL);
1664
1665	free(authCmd);
1666
1667	return success;
1668	}
1669
1670	#endif
1671
1672	#ifdef __linux__	1264	#ifdef __linux__
1673	int closeSocket (int socket) {	1265	int closeSocket (int socket) {
1674	struct linger linger;	1266	struct linger linger;

Lines 9-21 Link Here

(-)src-native/collection/packaging/security/generateKey.sh (-10 lines)
9		9
10	$KEYTOOL -genkey -alias sample -keyalg RSA -sigalg MD5withRSA -dname "CN=Sample, OU=Sample, O=Sample, C=US" -validity 3650 -keypass $PASSWORD -storetype jks -keystore $KEYSTORE -storepass $PASSWORD	10	$KEYTOOL -genkey -alias sample -keyalg RSA -sigalg MD5withRSA -dname "CN=Sample, OU=Sample, O=Sample, C=US" -validity 3650 -keypass $PASSWORD -storetype jks -keystore $KEYSTORE -storepass $PASSWORD
11	$KEYTOOL -export -alias sample -file $CERT -keystore $KEYSTORE -storepass $PASSWORD	11	$KEYTOOL -export -alias sample -file $CERT -keystore $KEYSTORE -storepass $PASSWORD
12
13	CERTF=cert.pem
14	KEYF=key.pem
15	REQF=req.pem
16	LOG=openssl.log
17
18	echo `date` > $LOG
19	openssl genrsa -out $KEYF 1024 >> $LOG 2>&1
20	openssl req -new -key $KEYF -out $REQF -batch >> $LOG 2>&1
21	openssl x509 -req -in $REQF -signkey $KEYF -out $CERTF >> $LOG 2>&1