BUG#: 9743

TITLE: [SSL]pegasus will not be NIST 800-131a compliant

DESCRIPTION:

7 files changed, 266 insertions, 133 deletions

diff --git a/TestMakefile b/TestMakefile
index f42074e..97d33a9 100644
--- a/TestMakefile
+++ b/TestMakefile
@@ -313,6 +313,7 @@ endif
 	$(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_ExportClientSSL_TS1
 	$(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_Cimserver_Availability
 	$(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_sslCipherSuiteTests
+	$(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_TLSv1_2_tests
 ifeq ($(PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER),true)
 	$(MAKE) --directory=$(PEGASUS_ROOT) -f TestMakefile run_Cmpi_Sub
 endif
@@ -724,7 +725,7 @@ endif
 ##
 ############################################################################
 
-SSL_CIPHER_SUITE_TEST_CONFIG_OPTIONS= enableHttpsConnection=true sslCipherSuite=HIGH 
+SSL_CIPHER_SUITE_TEST_CONFIG_OPTIONS= enableHttpsConnection=true sslCipherSuite=HIGH
 SSL_CIPHER_SUITE_TEST_CMDS= \
 	$(MAKE)@@--directory \
             $(PEGASUS_ROOT)/src/Pegasus/Client/tests/SSLCipherVerification/ \
@@ -826,6 +827,28 @@ endif
 ###############################################################################
 
 
+###############################################################################
+##  TLS v 1.2 support test as per NIST 800-131a
+##
+##  Configuration Options: enableHttpsConnection=true sslCipherSuite = TLSv1.2
+##
+###############################################################################
+TLS_1_2_SUPPORT_CONFIG = enableHttpsConnection=true sslCipherSuite=TLSv1.2
+TLSv1_2_support_tests = \
+	$(MAKE)@@--directory=$(PEGASUS_ROOT)/src/Pegasus/Server/tests/TLSv_1_2_Support@@-f@@Makefile@@test_TLSv1_2
+
+ifdef PEGASUS_HAS_SSL
+run_TLSv1_2_tests:
+	$(MAKE) -f $(PEGASUS_ROOT)/TestMakefile runTestSuite \
+            CIMSERVER_CONFIG_OPTIONS="$(TLS_1_2_SUPPORT_CONFIG)" \
+            TESTSUITE_CMDS="$(TLSv1_2_support_tests)"
+else
+run_TLSv1_2_tests: FORCE
+	@ $(ECHO) "+++++ PEGASUS_HAS_SSL not defined: Skipping TLSv 1.2 support tests"
+endif
+
+###############################################################################
+
 
 ###############################################################################
 ##  idleConnectionTimeout Test Suite 1:  uses ChunkingStressProvider Tests
diff --git a/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp b/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp
index 981c8c1..80ee508 100644
--- a/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp
+++ b/src/Pegasus/Client/tests/SSLCipherVerification/SSLCipherVerification.cpp
@@ -50,7 +50,6 @@ const CIMNamespaceName NAMESPACE = CIMNamespaceName("root/cimv2");
  */
 
 #ifdef PEGASUS_HAS_SSL
-
 void _SslCipherTest(String &host , Uint32 &port, String &randPath)
 {
 
@@ -115,138 +114,10 @@ void _SslCipherTest(String &host , Uint32 &port, String &randPath)
 
 
 }
+#endif
 
 
-void _SslCipherAndPrtocolTest(String &host , Uint32 &port, String &randPath)
-{
-
-    String trustStorePath;
-    String certPath;
-    String keyPath;
-    String cipherSuite = "LOW";
-    Boolean sslCompatibility = false;
-    AutoPtr<CIMClient> cc(new CIMClient);
-
-    try
-    {
-        AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath, 
-            certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
-            sslCompatibility)); 
-
-        if (sslContext.get())
-        {
-            cc->connect (host, port, *sslContext, "", "");
-           //
-            //Unreachable when server is started with correct versions
-            //Otherwise it informs that server is not started properly
-            //
-            PEGASUS_TEST_ASSERT( 0 &&
-                (bool)"cimserver not started with sslCipherSuite=HIGH");
-        }
-    }
-    catch(Exception &e)
-    {
-        cout << "SSLCipherTest Expected exception:  "<< e.getMessage() << endl;
-        cout << "Test passed. Connecting with cipher list " << cipherSuite
-            << " and protocol TLS1.2 failed " << endl;
-    }
-
-    cipherSuite = "LOW";
-    sslCompatibility = true;
-    try
-    {
-        AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath,
-            certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
-            sslCompatibility));
-
-        if (sslContext.get())
-        {
-            cc->connect (host, port, *sslContext, "", "");
-            //
-            //Unreachable when server is started with correct versions
-            //Otherwise it informs that server is not started properly
-            //
-            PEGASUS_TEST_ASSERT( 0 &&
-               (bool)"cimserver not started with sslCipherSuite=HIGH");
-        }
-    }
-    catch(Exception &e)
-    {
-        cout << "SSLCipherTest Expected exception:  "<< e.getMessage() << endl;
-        cout << "Test passed. Connecting with cipher list " << cipherSuite
-            << " and protocol  SSLv3 and TLSv1 failed " << endl;
-    }
-
-
-
-
-    cipherSuite = "HIGH";
-    sslCompatibility = false;
-
-    try
-    {
-
-        AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath, 
-            certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
-            sslCompatibility));
-        if (sslContext.get())
-        {
-            cc->connect (host, port, *sslContext, "", "");
-            //
-            // Do a generic call. We have to do this call to test whether or
-            // not we get 401'ed.
-            //
-            CIMClass cimClass = cc->getClass(CIMNamespaceName("root/cimv2"),
-                CIMName ("CIM_ManagedElement"), true, false, false,
-                CIMPropertyList());
-            cc->disconnect();
-        }
-    }
-    catch(Exception &e)
-    {
-        cerr << "SSLCipherTest Error: "<< e.getMessage() << endl;
-        PEGASUS_TEST_ASSERT(0);
-    }
-
-    cout << "Test passed. Connecting with cipher list " << cipherSuite
-        << " and TLS1.2" << endl;
-
-    cipherSuite = "HIGH";
-    sslCompatibility = true;
-
-    try
-    {
-
-        AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath,
-            certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
-            sslCompatibility));
-        if (sslContext.get())
-        {
-            cc->connect (host, port, *sslContext, "", "");
-            //
-            // Do a generic call. We have to do this call to test whether or
-            // not we get 401'ed.
-            //
-            CIMClass cimClass = cc->getClass(CIMNamespaceName("root/cimv2"),
-                CIMName ("CIM_ManagedElement"), true, false, false,
-                CIMPropertyList());
-            cc->disconnect();
-        }
-    }
-    catch(Exception &e)
-    {
-        cerr << "SSLCipherTest Error: "<< e.getMessage() << endl;
-        PEGASUS_TEST_ASSERT(0);
-    }
-
-    cout << "Test passed. Connecting with cipher list " << cipherSuite 
-        << " and protocol SSLv3 and TLSv1" << endl;
-
-
-
-}
 
-#endif
 
 int main()
 {
@@ -265,7 +136,6 @@ int main()
 # endif
 
     _SslCipherTest(host , port,  randPath);
-    _SslCipherAndPrtocolTest( host ,  port,  randPath);
 
     cout << "+++++ passed all tests" << endl;
 
diff --git a/src/Pegasus/Common/SSLContext.cpp b/src/Pegasus/Common/SSLContext.cpp
index ff0397b..78e531e 100644
--- a/src/Pegasus/Common/SSLContext.cpp
+++ b/src/Pegasus/Common/SSLContext.cpp
@@ -540,7 +540,7 @@ SSLContextRep::SSLContextRep(
     // If a truststore and/or peer verification function is specified,
     // enable peer verification
     //
-    _verifyPeer = (trustStore != String::EMPTY || verifyCert != NULL);
+    _verifyPeer = (trustStore.size() != 0 || verifyCert != NULL);
 
     _randomInit(randomFile);
 
@@ -733,9 +733,18 @@ SSL_CTX* SSLContextRep::_makeSSLContext()
         // TLS v1.0, TLSv1.1)
 
         options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_SSLv3;
+#else
+        PEG_METHOD_EXIT();
+        MessageLoaderParms parms(
+            " Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED",
+            "TLSv1.2 protocol support is not detected on this system. "
+            " To run in less secured mode, set sslBackwardCompatibility=true"
+            " in planned config file and start cimserver.");
+        throw SSLException(parms);
 #endif
     }
 
+    // sslv2 is off permanently even if sslCompatibility is true
     options |= SSL_OP_NO_SSLv2;
     SSL_CTX_set_options(sslContext, options);
 
diff --git a/src/Pegasus/Makefile b/src/Pegasus/Makefile
index 26303b9..6072553 100644
--- a/src/Pegasus/Makefile
+++ b/src/Pegasus/Makefile
@@ -230,6 +230,7 @@ endif
 TEST_DIRS += \
     Server/tests \
     Server/tests/InterfaceRestriction \
+    Server/tests/TLSv_1_2_Support \
     Handler/CIMxmlIndicationHandler/tests/Destination \
     Handler/FileURIHandler/tests
 
diff --git a/src/Pegasus/Server/tests/TLSv_1_2_Support/Makefile b/src/Pegasus/Server/tests/TLSv_1_2_Support/Makefile
new file mode 100644
index 0000000..ed9dbc7
--- /dev/null
+++ b/src/Pegasus/Server/tests/TLSv_1_2_Support/Makefile
@@ -0,0 +1,52 @@
+#//%LICENSE////////////////////////////////////////////////////////////////
+#//
+#// Licensed to The Open Group (TOG) under one or more contributor license
+#// agreements.  Refer to the OpenPegasusNOTICE.txt file distributed with
+#// this work for additional information regarding copyright ownership.
+#// Each contributor licenses this file to you under the OpenPegasus Open
+#// Source License; you may not use this file except in compliance with the
+#// License.
+#//
+#// Permission is hereby granted, free of charge, to any person obtaining a
+#// copy of this software and associated documentation files (the "Software"),
+#// to deal in the Software without restriction, including without limitation
+#// the rights to use, copy, modify, merge, publish, distribute, sublicense,
+#// and/or sell copies of the Software, and to permit persons to whom the
+#// Software is furnished to do so, subject to the following conditions:
+#//
+#// The above copyright notice and this permission notice shall be included
+#// in all copies or substantial portions of the Software.
+#//
+#// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+#// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+#// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+#// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+#// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+#// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+#// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#//
+#//////////////////////////////////////////////////////////////////////////
+ROOT = ../../../../..
+
+DIR = Pegasus/Server/tests/TLSv_1_2_Support
+
+include $(ROOT)/mak/config.mak
+
+include ../libraries.mak
+
+LOCAL_DEFINES = -DPEGASUS_INTERNALONLY
+
+PROGRAM = TestTLSv1_2_Support
+
+SOURCES = TestTLSv1_2_Support.cpp
+
+include $(ROOT)/mak/program.mak
+
+
+tests:
+
+test_TLSv1_2:
+	$(PROGRAM)
+
+poststarttests: 
+
diff --git a/src/Pegasus/Server/tests/TLSv_1_2_Support/TestTLSv1_2_Support.cpp b/src/Pegasus/Server/tests/TLSv_1_2_Support/TestTLSv1_2_Support.cpp
new file mode 100644
index 0000000..990a7c7
--- /dev/null
+++ b/src/Pegasus/Server/tests/TLSv_1_2_Support/TestTLSv1_2_Support.cpp
@@ -0,0 +1,171 @@
+//%LICENSE////////////////////////////////////////////////////////////////
+//
+// Licensed to The Open Group (TOG) under one or more contributor license
+// agreements.  Refer to the OpenPegasusNOTICE.txt file distributed with
+// this work for additional information regarding copyright ownership.
+// Each contributor licenses this file to you under the OpenPegasus Open
+// Source License; you may not use this file except in compliance with the
+// License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the "Software"),
+// to deal in the Software without restriction, including without limitation
+// the rights to use, copy, modify, merge, publish, distribute, sublicense,
+// and/or sell copies of the Software, and to permit persons to whom the
+// Software is furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+//////////////////////////////////////////////////////////////////////////
+
+#include <Pegasus/Common/Config.h>
+#include <Pegasus/Common/PegasusAssert.h>
+#include <Pegasus/Client/CIMClient.h>
+#include <Pegasus/Common/Constants.h>
+#include <Pegasus/Common/System.h>
+#include <Pegasus/Common/FileSystem.h>
+#include <Pegasus/Common/AutoPtr.h>
+
+
+#include <openssl/tls1.h>
+
+PEGASUS_USING_PEGASUS;
+PEGASUS_USING_STD;
+
+const CIMNamespaceName NAMESPACE = CIMNamespaceName("root/cimv2");
+
+/*
+ * This tests the TLSv1.2 support in pegasus
+ *
+ * The cimserver must be configured as following to test this:
+ *
+ *  enableHttpsConnection=true and sslCipherSuite = TLSv1.2
+ *
+ */
+
+#ifdef PEGASUS_HAS_SSL
+
+void _testTLS1_2_support(String &host , Uint32 &port, String &randPath)
+{
+
+//A rudimentary way to detect TLS1_2 support on openSSL and hence on pegasus
+#ifdef TLS1_2_VERSION
+
+    String trustStorePath;
+    String certPath;
+    String keyPath;
+    String cipherSuite = "SSLv3";
+    Boolean sslCompatibility = false;
+    AutoPtr<CIMClient> cc(new CIMClient);
+
+    try
+    {
+        AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath, 
+            certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
+            sslCompatibility));
+
+        if (sslContext.get())
+        {
+            cc->connect (host, port, *sslContext, "", "");
+            //
+            //Unreachable when server is started with correct versions
+            //Otherwise it informs that server is not started properly
+            //
+            PEGASUS_TEST_ASSERT( 0 &&
+                (bool)"cimserver not started with sslCipherSuite=TLSv1.2");
+        }
+    }
+    catch(CannotConnectException &e)
+    {
+        cout << "SSLCipherTest Expected exception:  "<< e.getMessage() << endl;
+        cout << "Test passed: Connecting with cipher list: " << cipherSuite
+            << " and TLS1.2 as expected" << endl;
+    }
+    catch(Exception &e)
+    {
+        cerr << "SSLCipherTest Failed:  "<< e.getMessage() << endl;
+        PEGASUS_TEST_ASSERT(0 && (bool)"Got unexpected Exception, Aborting");
+    }
+
+
+    cipherSuite = "TLSv1.2";
+    try
+    {
+
+        AutoPtr<SSLContext> sslContext(new SSLContext (trustStorePath, 
+            certPath, keyPath, String::EMPTY, 0, randPath, cipherSuite,
+            sslCompatibility));
+        if (sslContext.get())
+        {
+            cc->connect (host, port, *sslContext, "", "");
+            //
+            // Do a generic call. We have to do this call to test whether or
+            // not we get 401'ed.
+            //
+            CIMClass cimClass = cc->getClass(CIMNamespaceName("root/cimv2"),
+                CIMName ("CIM_ManagedElement"), true, false, false,
+                CIMPropertyList());
+            cc->disconnect();
+        }
+    }
+    catch(Exception &e)
+    {
+        cerr << "SSLCipherTest Error: "<< e.getMessage() << endl;
+        PEGASUS_TEST_ASSERT(0);
+    }
+
+    cout << "Test passed: Connecting with cipher list: " << cipherSuite
+        << " and TLS1.2" << endl;
+#else
+    //Hacks to stop unused param warning while compiling
+    PEGASUS_TEST_ASSERT( host == host);
+    PEGASUS_TEST_ASSERT( port == port);
+    PEGASUS_TEST_ASSERT( randPath == randPath);
+
+    cout << "TLSv1.2 is not supported on this build of pegasus. Upgrade openssl"
+        << " skipping TLSv1.2 support tests" << endl;
+#endif
+}
+
+#endif
+
+int main()
+{
+
+#ifdef PEGASUS_HAS_SSL
+    String host = System::getHostName();
+    Uint32 port = System::lookupPort(
+        WBEM_HTTPS_SERVICE_NAME, WBEM_DEFAULT_HTTPS_PORT);
+
+    String randPath;
+# ifdef PEGASUS_SSL_RANDOMFILE
+    const char* pegasusHome = getenv("PEGASUS_HOME");
+    randPath = FileSystem::getAbsolutePath(
+            pegasusHome, PEGASUS_SSLCLIENT_RANDOMFILE);
+# endif
+
+    _testTLS1_2_support( host ,  port,  randPath);
+
+    cout << "+++++ passed all tests" << endl;
+
+    return 0;
+
+#endif
+
+    //
+    // This returns a false positive result.
+    // But we should never get here since this test is only run if
+    // PEGASUS_HAS_SSL is defined.
+    //
+
+    return 0;
+}
diff --git a/src/Pegasus/msg/Server/pegasusServer_en.txt b/src/Pegasus/msg/Server/pegasusServer_en.txt
index 09fba54..32a60c5 100644
--- a/src/Pegasus/msg/Server/pegasusServer_en.txt
+++ b/src/Pegasus/msg/Server/pegasusServer_en.txt
@@ -3564,6 +3564,13 @@ en:table {
         */
         Common.SSLContext.COULD_NOT_ACCESS_SERVER_CERTIFICATE:string {"PGS09212: Could not access server certificate in {0}."}
 
+       /**
+        * @note  PGS09213:
+        *    Do not translate 'sslBackwardCompatibility=true' since it is a configuration setting
+        */
+        Common.SSLContext.TLS_1_2_PROTO_NOT_SUPPORTED:string {"PGS09213: TLSv1.2 protocol support is not detected on this system. To run in less secured mode, set sslBackwardCompatibility=true in planned config file and start cimserver."}
+ 
+
         // ==========================================================
         // Messages for TraceFileHandler
         //  Please use message prefix "PGS09400"