Curve customization support: extract curve array from yaml and make a list of mapped number strings #721
Conversation
Gautham-coder
force-pushed
the
curve-customizaion
branch
from
6c1643f
to
35238be
Compare
Gautham-coder
changed the title
Gautham-coder
changed the title
…s number string if curve is supported Signed-off-by: Gautham Kuppuswamy <gkuppuswamy@rocketsoftware.com>
Gautham-coder
force-pushed
the
curve-customizaion
branch
from
2913004
to
d5af560
Compare
Signed-off-by: Gautham Kuppuswamy <gkuppuswamy@rocketsoftware.com>
| Json *tlsConfig = NULL; | ||
| int tlsGetStatus = cfgGetAnyC(configmgr,ZSS_CFGNAME,&tlsConfig, 4,"zowe","network","server","tls"); | ||
| if (tlsGetStatus) { | ||
| zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_INFO, "TLS is NOT configured for this ZSS\n"); |
There was a problem hiding this comment.
Should this have a message ID?
There was a problem hiding this comment.
I'm not sure on that because elsewhere is the code I can see its a similar message without any ID as such.
Thanks
c/zss.c
Outdated
| JsonObject *tlsConfigObject = jsonAsObject(tlsConfig); | ||
| Json *curveJson = jsonObjectGetPropertyValue(tlsConfigObject, "curves"); | ||
| char *curves = NULL; | ||
| if(jsonIsArray(curveJson)) { |
There was a problem hiding this comment.
What if there is no curves in that JSON? I think you'll dereference a NULL pointer.
There was a problem hiding this comment.
Yes Irek that's true, thanks for pointing that one.
c/zss.c
Outdated
| @@ -1226,6 +1227,42 @@ static bool readAgentHttpsSettingsV2(ShortLivedHeap *slh, | |||
|
|
|||
| } | |||
|
|
|||
| Json *tlsConfig = NULL; | |||
| int tlsGetStatus = cfgGetAnyC(configmgr,ZSS_CFGNAME,&tlsConfig, 4,"zowe","network","server","tls"); | |||
There was a problem hiding this comment.
Why do you in some cases use blanks between arguments and in some cases you don't?
There was a problem hiding this comment.
Thanks for pointing that out Irek, I will make correct this.
c/zss.c
Outdated
| JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves"); | ||
| int count = jsonArrayGetCount(curveArray); | ||
| int curveCharLength = 4; | ||
| curves = (char *)safeMalloc((sizeof(char) * curveCharLength * count)+1, "curve list"); |
There was a problem hiding this comment.
Thanks Irek, I will correct it.
c/zss.c
Outdated
| JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves"); | ||
| int count = jsonArrayGetCount(curveArray); | ||
| int curveCharLength = 4; | ||
| curves = (char *)safeMalloc((sizeof(char) * curveCharLength * count)+1, "curve list"); |
There was a problem hiding this comment.
Why are you casting this to char *?
There was a problem hiding this comment.
Oh I think this is redundant, I will remove the typecast. Thanks
c/zss.c
Outdated
| int curveCharLength = 4; | ||
| curves = (char *)safeMalloc((sizeof(char) * curveCharLength * count)+1, "curve list"); | ||
| for (int i = 0; i < count; i++) { | ||
| char *ianaName = jsonArrayGetString(curveArray, i); |
There was a problem hiding this comment.
It is defined as a string so it can be NULL, I will add a check for this.
Thanks
c/zss.c
Outdated
| if(jsonIsArray(curveJson)) { | ||
| JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves"); | ||
| int count = jsonArrayGetCount(curveArray); | ||
| int curveCharLength = 4; |
There was a problem hiding this comment.
Make this const to indicate intention.
c/zss.c
Outdated
| if(jsonIsArray(curveJson)) { | ||
| JsonArray *curveArray = jsonObjectGetArray(tlsConfigObject, "curves"); | ||
| int count = jsonArrayGetCount(curveArray); | ||
| int curveCharLength = 4; |
There was a problem hiding this comment.
Why is it 4? Can you tie it to some struct's field size?
There was a problem hiding this comment.
We know that the length will always be 4. Its better not to put in the struct field because we are initializing the array of structs in zowe-common-c/h/tls.h , but we can make it as a constant as you recommended earlier.
c/zss.c
Outdated
| bool found = false; | ||
| while (curve->groupId != NULL) { | ||
| if (!strcmp(ianaName, curve->name)) { | ||
| strcat(curves, curve->groupId); |
There was a problem hiding this comment.
How do you know groupId is exactly 4?
There was a problem hiding this comment.
Here: (https://www.ibm.com/docs/en/zos/3.1.0?topic=reference-gsk-attribute-set-buffer)
It says 1 or more 4-character decimal values.
Signed-off-by: Gautham Kuppuswamy <gkuppuswamy@rocketsoftware.com>
Proposed changes
'zowe.network.server.tls.curves' is an array a user can set in zowe.yaml to customize crypto curves.
GSK handles curves as a string of 4 digit numbers(IANA numbers) back to back without any spaces or symbols in between.
Its very unfriendly to a human, so a mapping from names to numbers is needed, this is done in tls.h, for now only supported curves are in the array. Unsupported curves are commented and can be moved into this array as and when the supported curves are updated.
Curves are set during TLS settings initialization using gsk_attribute_set_buffer(), using 'GSK_CLIENT_ECURVE_LIST', see here
https://www.ibm.com/docs/en/zos/3.1.0?topic=reference-gsk-attribute-set-buffer for reference,
Currently, the supported curves are here, https://www.ibm.com/docs/en/zos/3.1.0?topic=programming-cipher-suite-definitions#csdcwh__tttcsd
Testing:
The curves that are not supported show an error in gsktrace as below, this was tested by adding some unsupported curves into the curve map array.
ERROR set_binary_ecurves(): Elliptical curve 0001 not supported
ERROR set_binary_ecurves(): Elliptical curve 0009 not supported
ERROR set_binary_ecurves(): Elliptical curve 0026 not supported
To show the error in normal logs, only valid curves are in the mapping array. So if any invalid curve is mentioned in zowe.yaml an invalid curve message is logged.
zowe.network.server.tls.curves: ["x25519", "x448", "secp192r1", "secp224r1","prime256v1","secp384r1", "secp521r1"]
,
is converted to number string 0029003000190021002300240025
This PR addresses Issue: #713
This PR depends on: zowe/zowe-common-c#466
Type of change
Please delete options that are not relevant.
PR Checklist
Please delete options that are not relevant.