Merge pull request #659 from zowe/feature/v2/check-min-max-tls

Use zowe standard network config
zowe · Nov 22, 2023 · 432448d · 432448d
2 parents 5ca217d + c14e376
commit 432448d
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,9 +3,12 @@
 All notable changes to the ZSS package will be documented in this file.
 
 ## `2.13.0`
+- Enhancement: Added support for using "zowe.network" and "components.zss.zowe.network" to set listener IP and TLS version properties. (#659)
+- Enhancement: Added support for using "zowe.network" and "components.zss.zowe.network" to set cipher suites.
 - Enhancement: Change pattern matching for keyrings to allow more types of keyrings in the future (#581)
-- Bugfix:  Corrected build environment file's use of IP address to github.com (#660)
 - Enhancement: Consolidate JWK warnings into improved ZWES1606W message (#663)
+- Bugfix:  Corrected build environment file's use of IP address to github.com (#660)
+
 
 ## `2.10.0`
 - This action making a CHANGELOG note via special syntax from the GitHub PR commit message, like it could automatically update CHANGELOG.md with the message. First job checks if PR body has changelog note or not if it's not there then it asked them to add it and second job is to check if changelog note has been added in changelog.md file or not. (#636)

diff --git a/c/zss.c b/c/zss.c
@@ -1147,6 +1147,8 @@ static char* generateCookieName(JsonObject *envConfig, int port) {
 #define AGENT_HTTPS_PREFIX       "ZWED_agent_https_"
 #define ENV_AGENT_HTTPS_KEY(key) AGENT_HTTPS_PREFIX key
 
+TLS_IANA_CIPHER_MAP(ianaCipherMap)
+
 static bool readAgentHttpsSettingsV2(ShortLivedHeap *slh,
                                      ConfigManager *configmgr,
                                      char **outAddress,
@@ -1161,13 +1163,46 @@ static bool readAgentHttpsSettingsV2(ShortLivedHeap *slh,
   JsonObject *httpsConfigObject = jsonAsObject(httpsConfig);
   TlsSettings *settings = (TlsSettings*)SLHAlloc(slh, sizeof(*settings));
   settings->maxTls = jsonObjectGetString(httpsConfigObject, "maxTls");
-  char *ciphers = jsonObjectGetString(httpsConfigObject, "ciphers");
+  settings->minTls = jsonObjectGetString(httpsConfigObject, "minTls");
+
+  Json *cipherJson = jsonObjectGetPropertyValue(httpsConfigObject, "ciphers");
+  char *ciphers = NULL;
+  if (jsonIsString(cipherJson)) {
   /* 
-   * Takes a string of ciphers. This isn't ideal, but any other methods are
-   * going to be fairly complicated.
-   *
+   * Takes a string of ciphers.
    * ciphers: 13021303003500380039002F00320033
    */
+    ciphers = jsonObjectGetString(httpsConfigObject, "ciphers");
+    zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_DEBUG, "Cipher string override to %s\n", ciphers);
+  } else {
+    JsonArray *cipherArray = jsonObjectGetArray(httpsConfigObject, "ciphers");
+    int count = jsonArrayGetCount(cipherArray);
+
+    int cipherCharLength = 4;
+    ciphers = (char *)safeMalloc((sizeof(char) * cipherCharLength * count)+1, "cipher list");
+
+    for (int i = 0; i < count; i++) {
+      char *ianaName = jsonArrayGetString(cipherArray, i);
+      zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_DEBUG, "Cipher request=%s\n", ianaName);
+      CipherMap *cipher = (CipherMap *)ianaCipherMap;
+      bool found = false;
+      while (cipher->suiteId != NULL) {
+        if (!strcmp(ianaName, cipher->name)) {
+          strcat(ciphers, cipher->suiteId);
+          zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_DEBUG, "Cipher match=%s\n", cipher->suiteId);
+          found = true;
+          break;
+        }
+        ++cipher;
+      }
+      if (!found) {
+        zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_WARNING, ZSS_LOG_CIPHER_INVALID_MSG, ianaName);
+      }
+    }
+    zowelog(NULL, LOG_COMP_ID_MVD_SERVER, ZOWE_LOG_DEBUG, "Cipher array override to %s\n", ciphers);    
+
+  }
+
   ECVT *ecvt = getECVT();
   /*
      2.3 (1020300) no tls 1.3

diff --git a/defaults.yaml b/defaults.yaml
@@ -18,10 +18,13 @@ components:
         password: ${{ ()=> { if (components.zss.tls) { if (zowe.certificate.keystore.type.match(/JCE.*KS/)) { return null } else { return zowe.certificate.keystore.password } } else { return null } }() }}
         label: ${{ ()=> { if (components.zss.tls) { return zowe.certificate.keystore.alias } else { return null } }() }}
         port: ${{ ()=> { if (components.zss.tls) { return  components.zss.port } else { return null } }() }}
-        ipAddresses: ${{ ()=> { if (components.zss.tls){ if (zowe.environments?.ZWED_agent_https_ipAddresses){ return zowe.environments.ZWED_agent_https_ipAddresses.split(',') } else { return [ '0.0.0.0' ] } } else { return null } }() }}
+        ipAddresses: "${{ ()=> { if (components.zss.tls){ if (zowe.environments?.ZWED_agent_https_ipAddresses){ return zowe.environments.ZWED_agent_https_ipAddresses.split(',') } else if (components.zss.zowe?.network?.server?.listenAddresses) { return components.zss.zowe.network.server.listenAddresses } else if (zowe.network?.server?.listenAddresses) { return zowe.network.server.listenAddresses } else { return [ '0.0.0.0' ] } } else { return null } }() }}"
+        maxTls: "${{ ()=> { let maxTls = components.zss.zowe?.network?.server?.tls?.maxTls || zowe.network?.server?.tls?.maxTls; return maxTls ? maxTls : 'TLSv1.3'; }() }}"
+        minTls: "${{ ()=> { let minTls = components.zss.zowe?.network?.server?.tls?.minTls || zowe.network?.server?.tls?.minTls; return minTls ? minTls : 'TLSv1.2'; }() }}"
+        ciphers: "${{ ()=> { let ciphers = components.zss.zowe?.network?.server?.tls?.ciphers || zowe.network?.server?.tls?.ciphers; if (typeof ciphers == 'string') { return ciphers; } else if (Array.isArray(ciphers)) { return ciphers.map(cipher => cipher.toUpperCase()); } else { return [ 'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' ]; } }() }}"  
       http:
         port: ${{ ()=> { if (components.zss.tls) { return null } else { return components.zss.port } }() }}
-        ipAddresses: ${{ () => { if (components.zss.tls) { return null } else { if (zowe.environments?.ZWED_agent_http_ipAddresses) {  return zowe.environments.ZWED_agent_http_ipAddresses.split(',') } else { return [ '127.0.0.1' ] } } }() }}
+        ipAddresses: "${{ () => { if (components.zss.tls) { return null } else { if (zowe.environments?.ZWED_agent_http_ipAddresses) {  return zowe.environments.ZWED_agent_http_ipAddresses.split(',') } else if (components.zss.zowe?.network?.server?.listenAddresses) { return components.zss.zowe.network.server.listenAddresses } else if (zowe.network?.server?.listenAddresses) { return zowe.network.server.listenAddresses } else { return [ '127.0.0.1' ] } } }() }}"
       mediationLayer:
         server:
           isHttps: true

diff --git a/deps/zowe-common-c b/deps/zowe-common-c
diff --git a/h/zssLogging.h b/h/zssLogging.h
@@ -297,6 +297,13 @@ bool isLogLevelValid(int level);
 #define ZSS_LOG_HTTPS_INVALID_MSG_TEXT        "Failed to configure https server, check agent https settings\n"
 #define ZSS_LOG_HTTPS_INVALID_MSG             ZSS_LOG_HTTPS_INVALID_MSG_ID" "ZSS_LOG_HTTPS_INVALID_MSG_TEXT
 
+#ifndef ZSS_LOG_CIPHER_INVALID_MSG_ID
+#define ZSS_LOG_CIPHER_INVALID_MSG_ID          ZSS_LOG_MSG_PRFX"1066W"
+#endif
+#define ZSS_LOG_CIPHER_INVALID_MSG_TEXT        "Requested cipher '%s' not available.\n"
+#define ZSS_LOG_CIPHER_INVALID_MSG             ZSS_LOG_CIPHER_INVALID_MSG_ID" "ZSS_LOG_CIPHER_INVALID_MSG_TEXT
+
+
 /* registerProduct */
 
 #ifndef ZSS_LOG_PROD_REG_ENABLED_MSG_ID

diff --git a/schemas/zss-config.json b/schemas/zss-config.json
@@ -124,19 +124,35 @@
               "description": "The password to the keyring"
             },
             "ciphers": {
-              "type": [ "string", "null" ],
-              "description": "The list of ciphers in order of priority"
+              "oneOf": [
+                { "type": "string",
+                  "description": "A set of cipher suite IDs as a number string without separators. The numbers are in order of priority."
+                },
+                { "type": "array",
+                  "description": "A set of IANA names for cipher suites, in order of priority",
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              ]
             },
             "keyshares": {
               "type": [ "string", "null" ],
               "description": "The list of key shares in order of priority"
             },
             "maxTls": {
               "type": [ "string", "null" ],
-              "enum": ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
+              "enum": ["TLSv1.2", "TLSv1.3"],
               "default": "TLSv1.3",
               "description": "Maximum tls version allowed."
+            },
+            "minTls": {
+              "type": [ "string", "null" ],
+              "enum": ["TLSv1.2", "TLSv1.3"],
+              "default": "TLSv1.2",
+              "description": "Minimum tls version allowed."
             }
+
           }
         },
         "http": {
+3 −0		CHANGELOG.md
+1 −1		build/configmgr.proj.env
+77 −10		c/tls.c
+98 −0		h/tls.h
+1 −1		manifest.template.yaml