-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Curve customization support: extract curve array from yaml and make a list of mapped number strings #721
base: v2.x/staging
Are you sure you want to change the base?
Conversation
6c1643f
to
35238be
Compare
…s number string if curve is supported Signed-off-by: Gautham Kuppuswamy <[email protected]>
2913004
to
d5af560
Compare
Signed-off-by: Gautham Kuppuswamy <[email protected]>
Json *tlsConfig = NULL; | ||
int tlsGetStatus = cfgGetAnyC(configmgr,ZSS_CFGNAME,&tlsConfig, 4,"zowe","network","server","tls"); | ||
if (tlsGetStatus) { | ||
zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_INFO, "TLS is NOT configured for this ZSS\n"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this have a message ID?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure on that because elsewhere is the code I can see its a similar message without any ID as such.
Thanks
c/zss.c
Outdated
JsonObject *tlsConfigObject = jsonAsObject(tlsConfig); | ||
Json *curveJson = jsonObjectGetPropertyValue(tlsConfigObject, "curves"); | ||
char *curves = NULL; | ||
if(jsonIsArray(curveJson)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if there is no curves
in that JSON? I think you'll dereference a NULL
pointer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes Irek that's true, thanks for pointing that one.
c/zss.c
Outdated
@@ -1226,6 +1227,42 @@ static bool readAgentHttpsSettingsV2(ShortLivedHeap *slh, | |||
|
|||
} | |||
|
|||
Json *tlsConfig = NULL; | |||
int tlsGetStatus = cfgGetAnyC(configmgr,ZSS_CFGNAME,&tlsConfig, 4,"zowe","network","server","tls"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do you in some cases use blanks between arguments and in some cases you don't?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for pointing that out Irek, I will make correct this.
c/zss.c
Outdated
JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves"); | ||
int count = jsonArrayGetCount(curveArray); | ||
int curveCharLength = 4; | ||
curves = (char *)safeMalloc((sizeof(char) * curveCharLength * count)+1, "curve list"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NULL
check missing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Irek, I will correct it.
c/zss.c
Outdated
JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves"); | ||
int count = jsonArrayGetCount(curveArray); | ||
int curveCharLength = 4; | ||
curves = (char *)safeMalloc((sizeof(char) * curveCharLength * count)+1, "curve list"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are you casting this to char *
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh I think this is redundant, I will remove the typecast. Thanks
c/zss.c
Outdated
int curveCharLength = 4; | ||
curves = (char *)safeMalloc((sizeof(char) * curveCharLength * count)+1, "curve list"); | ||
for (int i = 0; i < count; i++) { | ||
char *ianaName = jsonArrayGetString(curveArray, i); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this be NULL
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is defined as a string so it can be NULL, I will add a check for this.
Thanks
c/zss.c
Outdated
if(jsonIsArray(curveJson)) { | ||
JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves"); | ||
int count = jsonArrayGetCount(curveArray); | ||
int curveCharLength = 4; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Make this const
to indicate intention.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure Irek.
c/zss.c
Outdated
if(jsonIsArray(curveJson)) { | ||
JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves"); | ||
int count = jsonArrayGetCount(curveArray); | ||
int curveCharLength = 4; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is it 4? Can you tie it to some struct's field size?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We know that the length will always be 4. Its better not to put in the struct field because we are initializing the array of structs in zowe-common-c/h/tls.h
, but we can make it as a constant as you recommended earlier.
c/zss.c
Outdated
bool found = false; | ||
while (curve->groupId != NULL) { | ||
if (!strcmp(ianaName, curve->name)) { | ||
strcat(curves, curve->groupId); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do you know groupId
is exactly 4?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here: (https://www.ibm.com/docs/en/zos/3.1.0?topic=reference-gsk-attribute-set-buffer)
It says 1 or more 4-character decimal values.
Signed-off-by: Gautham Kuppuswamy <[email protected]>
Proposed changes
'zowe.network.server.tls.curves' is an array a user can set in zowe.yaml to customize crypto curves.
GSK handles curves as a string of 4 digit numbers(IANA numbers) back to back without any spaces or symbols in between.
Its very unfriendly to a human, so a mapping from names to numbers is needed, this is done in tls.h, for now only supported curves are in the array. Unsupported curves are commented and can be moved into this array as and when the supported curves are updated.
Curves are set during TLS settings initialization using gsk_attribute_set_buffer(), using 'GSK_CLIENT_ECURVE_LIST', see here
https://www.ibm.com/docs/en/zos/3.1.0?topic=reference-gsk-attribute-set-buffer for reference,
Currently, the supported curves are here, https://www.ibm.com/docs/en/zos/3.1.0?topic=programming-cipher-suite-definitions#csdcwh__tttcsd
Testing:
The curves that are not supported show an error in gsktrace as below, this was tested by adding some unsupported curves into the curve map array.
ERROR set_binary_ecurves(): Elliptical curve 0001 not supported
ERROR set_binary_ecurves(): Elliptical curve 0009 not supported
ERROR set_binary_ecurves(): Elliptical curve 0026 not supported
To show the error in normal logs, only valid curves are in the mapping array. So if any invalid curve is mentioned in zowe.yaml an invalid curve message is logged.
zowe.network.server.tls.curves: ["x25519", "x448", "secp192r1", "secp224r1","prime256v1","secp384r1", "secp521r1"]
,
is converted to number string 0029003000190021002300240025
This PR addresses Issue: #713
This PR depends on: zowe/zowe-common-c#466
Type of change
Please delete options that are not relevant.
PR Checklist
Please delete options that are not relevant.