Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Curve customization support: extract curve array from yaml and make a list of mapped number strings #721

Open
wants to merge 3 commits into
base: v2.x/staging
Choose a base branch
from

Conversation

Gautham-coder
Copy link
Contributor

@Gautham-coder Gautham-coder commented Jul 30, 2024

Proposed changes
'zowe.network.server.tls.curves' is an array a user can set in zowe.yaml to customize crypto curves.
GSK handles curves as a string of 4 digit numbers(IANA numbers) back to back without any spaces or symbols in between.
Its very unfriendly to a human, so a mapping from names to numbers is needed, this is done in tls.h, for now only supported curves are in the array. Unsupported curves are commented and can be moved into this array as and when the supported curves are updated.

Curves are set during TLS settings initialization using gsk_attribute_set_buffer(), using 'GSK_CLIENT_ECURVE_LIST', see here
https://www.ibm.com/docs/en/zos/3.1.0?topic=reference-gsk-attribute-set-buffer for reference,

Currently, the supported curves are here, https://www.ibm.com/docs/en/zos/3.1.0?topic=programming-cipher-suite-definitions#csdcwh__tttcsd

Testing:
The curves that are not supported show an error in gsktrace as below, this was tested by adding some unsupported curves into the curve map array.
ERROR set_binary_ecurves(): Elliptical curve 0001 not supported
ERROR set_binary_ecurves(): Elliptical curve 0009 not supported
ERROR set_binary_ecurves(): Elliptical curve 0026 not supported

To show the error in normal logs, only valid curves are in the mapping array. So if any invalid curve is mentioned in zowe.yaml an invalid curve message is logged.

zowe.network.server.tls.curves: ["x25519", "x448", "secp192r1", "secp224r1","prime256v1","secp384r1", "secp521r1"]
,
is converted to number string 0029003000190021002300240025

This PR addresses Issue: #713

This PR depends on: zowe/zowe-common-c#466

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Change in a documentation
  • Refactor the code
  • Chore, repository cleanup, updates the dependencies.
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

PR Checklist

Please delete options that are not relevant.

  • If the changes in this PR are meant for the next release / mainline, this PR targets the "staging" branch.
  • My code follows the style guidelines of this project (see: Contributing guideline)
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • New and existing unit tests pass locally with my changes
  • video or image is included if visual changes are made
  • Relevant update to CHANGELOG.md
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works, or describe a test method below

@ifakhrutdinov ifakhrutdinov self-requested a review July 31, 2024 15:25
@Gautham-coder Gautham-coder changed the title DO NOT MERGE: Extract curve array from yaml and make a list of mapped number strings Curve customization support, extract curve array from yaml and make a list of mapped number strings Aug 7, 2024
@Gautham-coder Gautham-coder changed the title Curve customization support, extract curve array from yaml and make a list of mapped number strings Curve customization support: extract curve array from yaml and make a list of mapped number strings Aug 7, 2024
…s number string if curve is supported

Signed-off-by: Gautham Kuppuswamy <[email protected]>
Json *tlsConfig = NULL;
int tlsGetStatus = cfgGetAnyC(configmgr,ZSS_CFGNAME,&tlsConfig, 4,"zowe","network","server","tls");
if (tlsGetStatus) {
zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_INFO, "TLS is NOT configured for this ZSS\n");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this have a message ID?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure on that because elsewhere is the code I can see its a similar message without any ID as such.
Thanks

c/zss.c Outdated
JsonObject *tlsConfigObject = jsonAsObject(tlsConfig);
Json *curveJson = jsonObjectGetPropertyValue(tlsConfigObject, "curves");
char *curves = NULL;
if(jsonIsArray(curveJson)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if there is no curves in that JSON? I think you'll dereference a NULL pointer.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes Irek that's true, thanks for pointing that one.

c/zss.c Show resolved Hide resolved
c/zss.c Outdated
@@ -1226,6 +1227,42 @@ static bool readAgentHttpsSettingsV2(ShortLivedHeap *slh,

}

Json *tlsConfig = NULL;
int tlsGetStatus = cfgGetAnyC(configmgr,ZSS_CFGNAME,&tlsConfig, 4,"zowe","network","server","tls");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you in some cases use blanks between arguments and in some cases you don't?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for pointing that out Irek, I will make correct this.

c/zss.c Outdated
JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves");
int count = jsonArrayGetCount(curveArray);
int curveCharLength = 4;
curves = (char *)safeMalloc((sizeof(char) * curveCharLength * count)+1, "curve list");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NULL check missing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Irek, I will correct it.

c/zss.c Outdated
JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves");
int count = jsonArrayGetCount(curveArray);
int curveCharLength = 4;
curves = (char *)safeMalloc((sizeof(char) * curveCharLength * count)+1, "curve list");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you casting this to char *?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I think this is redundant, I will remove the typecast. Thanks

c/zss.c Outdated
int curveCharLength = 4;
curves = (char *)safeMalloc((sizeof(char) * curveCharLength * count)+1, "curve list");
for (int i = 0; i < count; i++) {
char *ianaName = jsonArrayGetString(curveArray, i);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be NULL?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is defined as a string so it can be NULL, I will add a check for this.
Thanks

c/zss.c Outdated
if(jsonIsArray(curveJson)) {
JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves");
int count = jsonArrayGetCount(curveArray);
int curveCharLength = 4;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make this const to indicate intention.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure Irek.

c/zss.c Outdated
if(jsonIsArray(curveJson)) {
JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves");
int count = jsonArrayGetCount(curveArray);
int curveCharLength = 4;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is it 4? Can you tie it to some struct's field size?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We know that the length will always be 4. Its better not to put in the struct field because we are initializing the array of structs in zowe-common-c/h/tls.h , but we can make it as a constant as you recommended earlier.

c/zss.c Outdated
bool found = false;
while (curve->groupId != NULL) {
if (!strcmp(ianaName, curve->name)) {
strcat(curves, curve->groupId);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do you know groupId is exactly 4?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here: (https://www.ibm.com/docs/en/zos/3.1.0?topic=reference-gsk-attribute-set-buffer)
image

It says 1 or more 4-character decimal values.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants