Merge pull request #398 from zowe/v2.x/staging

Merge staging into rc

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Zowe Common C Changelog
 
+## `2.11.0`
+
+- WTO printing methods have been moved to zos.c to be more available as utilities (for ex: for the Launcher)
+
 ## `2.10.0`
 
 - Feature: The configmgr can now use the 'zos' module in YAML config templates. The 'zos' module is only added when run on ZOS. For a list of available functions, see https://github.com/zowe/zowe-install-packaging/blob/v2.x/staging/build/zwe/types/%40qjstypes/zos.d.ts (#384)

build/configmgr.proj.env

@@ -1,5 +1,5 @@
 PROJECT="configmgr"
-VERSION=2.10.0
+VERSION=2.11.0
 DEPS="QUICKJS LIBYAML"
 
 QUICKJS="quickjs"

c/dynalloc.c

@@ -874,30 +874,32 @@ int setTextUnit(int type, int size, char* stringValue, int numValue, int key,
   }
 }
 
+typedef TextUnit *__ptr32 *__ptr32 TextUnitPtrArray;
+
 int dynallocNewDataset(TextUnit **inputTextUnit, int inputTextUnitCount, int *reasonCode) {
   ALLOC_STRUCT31(
     STRUCT31_NAME(below2G),
     STRUCT31_FIELDS(
       DynallocParms parms;
-      TextUnit ** __ptr32 textUnits;
+      TextUnitPtrArray textUnits;
     )
   );
 
-  below2G->textUnits = (TextUnit **)safeMalloc31(sizeof(TextUnit*) * inputTextUnitCount, "Text units array");
+  below2G->textUnits = (TextUnitPtrArray)safeMalloc31(sizeof(TextUnit*__ptr32) * inputTextUnitCount, "Text units array");
   if(below2G->textUnits == NULL) {
     return -1;
   }
   DynallocParms *parms = &below2G->parms;
   dynallocParmsInit(parms);
 
-  dynallocParmsSetTextUnits(parms, (TextUnit * __ptr32 *)below2G->textUnits, inputTextUnitCount);
+  dynallocParmsSetTextUnits(parms, (TextUnitPtrArray)below2G->textUnits, inputTextUnitCount);
 
   int rc;
 
   do {
     rc = 0;
     for (int i = 0; i < inputTextUnitCount; i++) { 
-      below2G->textUnits[i] = inputTextUnit[i];
+      below2G->textUnits[i] = (TextUnit *__ptr32)inputTextUnit[i];
       if (below2G->textUnits[i] == NULL) {
         rc = -1;
         break;

c/httpserver.c

@@ -2653,19 +2653,23 @@ static int safAuthenticate(HttpService *service, HttpRequest *request, AuthRespo
   } else if (authDataFound){
     ACEE *acee = NULL;
     strupcase(request->username); /* upfold username */
+    if (!(request->flags & HTTP_REQUEST_NO_PASSWORD)) {
+      zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3, "Password is null. Calling safAuthenticate without a password.\n");
+    } else {
 #ifdef ENABLE_DANGEROUS_AUTH_TRACING
  #ifdef METTLE
-    printf("SAF auth for user: '%s'\n", request->username);
+      printf("SAF auth for user: '%s'\n", request->username);
  #else
-    printf("u: '%s' p: '%s'\n",request->username,request->password);
+      printf("u: '%s' p: '%s'\n",request->username,request->password);
  #endif
 #endif
-    if (isLowerCasePasswordAllowed() || isPassPhrase(request->password)) {
-      zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3, "mixed-case system or a pass phrase, not upfolding password\n");
-      /* don't upfold password */
-    } else {
-      zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3, "non-mixed-case system, not a pass phrase, upfolding password\n");
-      strupcase(request->password); /* upfold password */
+      if (isLowerCasePasswordAllowed() || isPassPhrase(request->password)) {
+        zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3, "mixed-case system or a pass phrase, not upfolding password\n");
+        /* don't upfold password */
+      } else {
+        zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3, "non-mixed-case system, not a pass phrase, upfolding password\n");
+        strupcase(request->password); /* upfold password */
+      }
     }
 
 #if APF_AUTHORIZED
@@ -2675,10 +2679,17 @@ static int safAuthenticate(HttpService *service, HttpRequest *request, AuthRespo
 
     CrossMemoryServerName *privilegedServerName = getConfiguredProperty(service->server, HTTP_SERVER_PRIVILEGED_SERVER_PROPERTY);
     int pwdCheckRC = 0, pwdCheckRSN = 0;
-    pwdCheckRC = zisCheckUsernameAndPassword(privilegedServerName,
-        request->username, request->password, &status);
-    authResponse->type = AUTH_TYPE_RACF;
-    authResponse->responseDetails.safStatus = status.safStatus;
+    if (!(request->flags & HTTP_REQUEST_NO_PASSWORD)) {
+      pwdCheckRC = zisCheckUsernameAndPassword(privilegedServerName,
+          request->username, request->password, &status);
+      authResponse->type = AUTH_TYPE_RACF;
+      authResponse->responseDetails.safStatus = status.safStatus;
+    } else {
+      pwdCheckRC = zisCheckUsername(privilegedServerName,
+          request->username, &status);
+      authResponse->type = AUTH_TYPE_RACF;
+      authResponse->responseDetails.safStatus = status.safStatus;
+    }
 
     if (pwdCheckRC != 0) {
 #ifdef DEBUG_AUTH
@@ -3142,7 +3153,7 @@ static int serviceAuthNativeWithSessionToken(HttpService *service, HttpRequest *
   int authDataFound = FALSE; 
   HttpHeader *authenticationHeader = getHeader(request,"Authorization");
   char *tokenCookieText = getCookieValue(request,getSessionTokenCookieName(service));
-  
+
   zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3,
           "serviceAuthNativeWithSessionToken: authenticationHeader 0x%p\n",
           "extractFunction 0x%p\n",
@@ -3162,9 +3173,54 @@ static int serviceAuthNativeWithSessionToken(HttpService *service, HttpRequest *
       if (service->authExtractionFunction(service, request) == 0){
         authDataFound = TRUE;
       }
+    } 
+  }
+
+#define TLS_CLIENT_CERTIFICATE_MAX_LENGTH 65536
+
+  char *clientCertificate = safeMalloc(TLS_CLIENT_CERTIFICATE_MAX_LENGTH, "Client Certificate");
+  unsigned int clientCertificateLength = 0;
+
+  int rc = getClientCertificate(response->socket->tlsSocket->socketHandle, clientCertificate, TLS_CLIENT_CERTIFICATE_MAX_LENGTH, &clientCertificateLength);
+  if (rc != 0) {
+    zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG, "getClientCertificate - %d.\n", rc);    
+  }
+
+#ifdef ENABLE_DANGEROUS_AUTH_TRACING
+  /* We probably don't want to dump their certificate, right? */
+  dumpbuffer(clientCertificate, clientCertificateLength);
+#endif
+
+  if (rc == 0 && clientCertificateLength > 0) {
+    zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG, "There is a client certificate attached to the request.\n");
+    /*
+     * We don't want to do this if we already found authentication data.
+     */
+    if (authDataFound == FALSE) {
+#define TLS_USERID_LENGTH 9
+      char userid[TLS_USERID_LENGTH] = {0};
+      int racfReturnCode = 0, racfReasonCode = 0;
+      zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG, "There was no token or credentials found in the request. Server is attempting to map the client certificate.\n");
+      int safReturnCode = getUseridByCertificate(clientCertificate, clientCertificateLength, userid, &racfReturnCode, &racfReasonCode);
+      if (safReturnCode == 0) {
+        request->username = userid;
+        zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG, "Found user '%s' from client certificate.\n", request->username);
+        request->password = NULL;
+        request->flags = HTTP_REQUEST_NO_PASSWORD;
+        authDataFound = TRUE;
+      } else {
+        zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_INFO, "No user was found for client certificate. (rc = 0x%x racfRC = 0x%x racfRSN = 0x%x\n", safReturnCode, racfReturnCode, racfReasonCode);
+      }
+    } else {
+      zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_INFO, "Client certificate was attached to request, but credentials are also attached. Server won't attempt to map the client certificate.\n");
     }
   }
-
+
+  if (clientCertificate) {
+    safeFree(clientCertificate, TLS_CLIENT_CERTIFICATE_MAX_LENGTH);
+    clientCertificate = NULL;
+  }
+
   response->sessionCookie = NULL;
 
   AUTH_TRACE("AUTH: tokenCookieText: %s\n",(tokenCookieText ? tokenCookieText : "<noAuthToken>"));

c/le.c

@@ -111,7 +111,7 @@ char *getCAA(void){
 }
 
 #ifndef LE_MAX_SUPPORTED_ZOS
-#define LE_MAX_SUPPORTED_ZOS 0x01020500u
+#define LE_MAX_SUPPORTED_ZOS 0x01030100u
 #endif
 
 void abortIfUnsupportedCAA() {
@@ -120,9 +120,15 @@ void abortIfUnsupportedCAA() {
   unsigned int zosVersion = ecvt->ecvtpseq;
 #ifndef METTLE
   if (zosVersion > LE_MAX_SUPPORTED_ZOS) {
-    printf("error: z/OS version = 0x%08X, max supported version = 0x%08X - "
-           "CAA fields require verification\n", zosVersion, LE_MAX_SUPPORTED_ZOS);
-    abort();
+    const char *continueWithWarning = getenv("ZWE_zowe_launcher_unsafeDisableZosVersionCheck");
+    if (!strcmp(continueWithWarning, "true")) {
+      printf("warning: z/OS version = 0x%08X, max supported version = 0x%08X - "
+             "CAA fields require verification\n", zosVersion, LE_MAX_SUPPORTED_ZOS);
+    } else {
+      printf("error: z/OS version = 0x%08X, max supported version = 0x%08X - "
+             "CAA fields require verification\n", zosVersion, LE_MAX_SUPPORTED_ZOS);
+      abort();
+    }
   }
 #else
   /* Metal uses its own copy of CAA, reserved fields will always be available */

c/metalio.c

@@ -55,6 +55,7 @@
 #include "qsam.h"
 #include "metalio.h"
 #include "alloc.h"
+#include "zos.h"
 
 static int isopen(void * dcbptr) {
 
@@ -378,30 +379,7 @@ SYSOUT *getSYSOUTStruct(char *ddname, SYSOUT *existingSysout, char *buffer){
 */
 void message(char *message){
 
-  ALLOC_STRUCT31(
-    STRUCT31_NAME(below2G),
-    STRUCT31_FIELDS(
-      WTOCommon31 common;
-      char text[126];          /* Maximum length of WTO text is 126 - ABEND D23-xxxx0005 if longer than 126 */
-    )
-  );
-
-  int len = strlen(message);
-  if (len>sizeof(below2G->text))
-    len=sizeof(below2G->text);
-
-  below2G->common.length = len+sizeof(below2G->common); /* +4 for header */
-  memcpy(below2G->text,message,len);
-
-  __asm(ASM_PREFIX
-        " WTO MF=(E,(%[wtobuf])) \n"
-        :
-        :[wtobuf]"NR:r1"(&below2G->common)
-        :"r0","r1","r15");
-
-  FREE_STRUCT31(
-    STRUCT31_NAME(below2G)
-  );
+  wtoMessage(message);
 }
 
 /* this can only be called from authorized callers */
@@ -485,44 +463,13 @@ void sendWTO(int descriptorCode, int routingCode, char *message, int length){
 }
 
 #define WTO_MAX_SIZE 126
-void wtoPrintf(char *formatString, ...){
-  char text[WTO_MAX_SIZE+1];       /* Allow for trailing null character */
+void wtoPrintf(char *formatString, ...) {
   va_list argPointer;
-  int cnt;
-
-  for (int pass=0; pass<2; pass++){
-
-    /* The resulting text string from vsnprintf is unpredictable if
-       there is an error in the format string or arguments.  In that
-       case we will set the output text area to null, repeat the
-       vsnprintf, and then find the length of the null terminated
-       string.  This avoids initializing the output text area prior
-       to every successful request.
-    */
-
-    va_start(argPointer,formatString);
-    cnt = vsnprintf(text,sizeof(text),formatString,argPointer);
-    va_end(argPointer);
-
-    if (cnt<0){
-      if (pass==0)
-        memset(text,0,sizeof(text));  /* Clear the text buffer before retrying the vsnprint request */
-      else {
-        text[WTO_MAX_SIZE] = 0;       /* Ensure strlen stops at the end of the text buffer */
-        cnt = strlen(text);           /* Find the end of the text string */
-      }
-    } else
-      break;                          /* vsnprintf did not return an error - cnt was set */
-  }
-  if (cnt>WTO_MAX_SIZE)               /* If more data to format than the text buffer length */
-    cnt = WTO_MAX_SIZE;               /* Truncate the formatted length to the text buffer length */
-
-  /* We never want to include a final \n character in the WTO text */
-
-  if (cnt>0 && text[cnt-1] == '\n')   /* If text ends with \n */
-    text[cnt-1] = 0;                  /* Change it into a null character */
-
-  message(text);
+  va_start(argPointer, formatString);
+
+  wtoPrintf3(formatString, argPointer);
+
+  va_end(argPointer);
 }
 
 void authWTOPrintf(char *formatString, ...){

c/tls.c

@@ -8,13 +8,52 @@
   Copyright Contributors to the Zowe Project.
 */
 #include <stdlib.h>
+#include <string.h>
 #include <sys/socket.h>
 #include <errno.h>
 #include "alloc.h"
 #include "bpxnet.h"
 #include "fdpoll.h"
 #include "tls.h"
 
+int getClientCertificate(gsk_handle soc_handle, char *clientCertificate, unsigned int clientCertificateBufferSize, unsigned int *clientCertificateLength) {
+
+  int rc = 0;
+
+  if (clientCertificate == NULL || clientCertificateBufferSize <= 0) {
+    return -1;
+  }
+
+  memset(clientCertificate, 0, clientCertificateBufferSize);
+  *clientCertificateLength = 0;
+
+  gsk_cert_data_elem *gskCertificateArray = NULL;
+  int gskCertificateArrayElementCount = 0; 
+
+  rc = gsk_attribute_get_cert_info(soc_handle, GSK_PARTNER_CERT_INFO, &gskCertificateArray, &gskCertificateArrayElementCount);
+
+  if (rc != 0) {
+    return rc;
+  }
+
+  for (int i = 0; i < gskCertificateArrayElementCount; i++) {
+    gsk_cert_data_elem *tmp = &gskCertificateArray[i];
+    if (tmp->cert_data_id == CERT_BODY_DER) {
+      if (clientCertificateBufferSize >= tmp->cert_data_l) {
+        memcpy(clientCertificate, tmp->cert_data_p, tmp->cert_data_l);
+        *clientCertificateLength = tmp->cert_data_l;
+      } else {
+        rc = -1; /* tls rc are all positive */
+      }
+      break;
+    }
+  }
+
+  gsk_free_cert_data(gskCertificateArray, gskCertificateArrayElementCount);
+
+  return rc;
+}
+
 int tlsInit(TlsEnvironment **outEnv, TlsSettings *settings) {
   int rc = 0;
   TlsEnvironment *env = (TlsEnvironment *)safeMalloc(sizeof(*env), "Tls Environment");
@@ -29,6 +68,11 @@ int tlsInit(TlsEnvironment **outEnv, TlsSettings *settings) {
   rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_1, GSK_PROTOCOL_TLSV1_1_OFF);
   rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_2, GSK_PROTOCOL_TLSV1_2_ON);
   rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_SERVER_EPHEMERAL_DH_GROUP_SIZE, GSK_SERVER_EPHEMERAL_DH_GROUP_SIZE_2048);
+
+#ifdef DEV_DO_NOT_VALIDATE_CLIENT_CERTIFICATES
+  rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_CLIENT_AUTH_TYPE, GSK_CLIENT_AUTH_PASSTHRU_TYPE);
+#endif
+
   rc = rc || gsk_attribute_set_buffer(env->envHandle, GSK_KEYRING_FILE, settings->keyring, 0);
   if (settings->stash) {
     rc = rc || gsk_attribute_set_buffer(env->envHandle, GSK_KEYRING_STASH_FILE, settings->stash, 0);
@@ -94,9 +138,9 @@ static int secureSocketSend(int fd, void *data, int len, char *userData) {
   }
   return rc;
 }
-
+ 
 int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isServer) {
-  int   rc = 0;
+  int rc = 0;
   gsk_iocallback ioCallbacks = {secureSocketRecv, secureSocketSend, NULL, NULL, NULL, NULL};
   TlsSocket *socket = (TlsSocket*)safeMalloc(sizeof(TlsSocket), "Tls Socket");
   if (!socket) {
@@ -109,8 +153,7 @@ int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isSer
   if (label) {
     rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_KEYRING_LABEL, label, 0);
   }
-  rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_SESSION_TYPE,
-                                    isServer ? GSK_SERVER_SESSION : GSK_CLIENT_SESSION);
+  rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_SESSION_TYPE, isServer ? GSK_SERVER_SESSION_WITH_CL_AUTH : GSK_CLIENT_SESSION);
   if (ciphers) {
     rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers, 0);
     rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_V3_CIPHERS, GSK_V3_CIPHERS_CHAR4);