Merge pull request #408 from zowe/v2.x/staging

Merge staging into RC

build/configmgr.proj.env

@@ -1,5 +1,5 @@
 PROJECT="configmgr"
-VERSION=2.11.0
+VERSION=2.12.0
 DEPS="QUICKJS LIBYAML"
 
 QUICKJS="quickjs"

c/tls.c

@@ -15,6 +15,7 @@
 #include "bpxnet.h"
 #include "fdpoll.h"
 #include "tls.h"
+#include "zos.h"
 
 int getClientCertificate(gsk_handle soc_handle, char *clientCertificate, unsigned int clientCertificateBufferSize, unsigned int *clientCertificateLength) {
 
@@ -54,6 +55,17 @@ int getClientCertificate(gsk_handle soc_handle, char *clientCertificate, unsigne
   return rc;
 }
 
+static int isTLSV13Enabled(TlsSettings *settings) {
+  ECVT *ecvt = getECVT();
+  if ((ecvt->ecvtpseq > 0x1020300) && (settings->maxTls == NULL || !strcmp(settings->maxTls, "TLSv1.3"))) {
+    return true;
+  }
+  /*
+    Default to false for versions lower than 2.3 and when set to anything other than TLSV1.3.
+  */
+  return false;
+}
+
 int tlsInit(TlsEnvironment **outEnv, TlsSettings *settings) {
   int rc = 0;
   TlsEnvironment *env = (TlsEnvironment *)safeMalloc(sizeof(*env), "Tls Environment");
@@ -67,6 +79,12 @@ int tlsInit(TlsEnvironment **outEnv, TlsSettings *settings) {
   rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1, GSK_PROTOCOL_TLSV1_OFF);
   rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_1, GSK_PROTOCOL_TLSV1_1_OFF);
   rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_2, GSK_PROTOCOL_TLSV1_2_ON);
+  /*
+    We will treat not set as allowing TLSv1.3.
+  */
+  if (isTLSV13Enabled(settings)) {
+    rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_3, GSK_PROTOCOL_TLSV1_3_ON);
+  }
   rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_SERVER_EPHEMERAL_DH_GROUP_SIZE, GSK_SERVER_EPHEMERAL_DH_GROUP_SIZE_2048);
 
 #ifdef DEV_DO_NOT_VALIDATE_CLIENT_CERTIFICATES
@@ -148,16 +166,32 @@ int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isSer
   }
   char *label = env->settings->label;
   char *ciphers = env->settings->ciphers;
+  char *keyshares = env->settings->keyshares;
   rc = rc || gsk_secure_socket_open(env->envHandle, &socket->socketHandle);
   rc = rc || gsk_attribute_set_numeric_value(socket->socketHandle, GSK_FD, fd);
   if (label) {
     rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_KEYRING_LABEL, label, 0);
   }
-  rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_SESSION_TYPE, isServer ? GSK_SERVER_SESSION_WITH_CL_AUTH : GSK_CLIENT_SESSION);
   if (ciphers) {
     rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers, 0);
     rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_V3_CIPHERS, GSK_V3_CIPHERS_CHAR4);
   }
+  rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_SESSION_TYPE, isServer ? GSK_SERVER_SESSION_WITH_CL_AUTH : GSK_CLIENT_SESSION);
+  /*
+    To be safe,
+  */
+  if (isTLSV13Enabled(env->settings)) {
+    if (keyshares) {
+     /*   
+       Only TLS 1.3 needs this.
+     */
+      if (isServer) {
+        rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_SERVER_TLS_KEY_SHARES, keyshares, 0);
+      } else {
+        rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_CLIENT_TLS_KEY_SHARES, keyshares, 0);
+      }
+    }
+  }
   rc = rc || gsk_attribute_set_callback(socket->socketHandle, GSK_IO_CALLBACK, &ioCallbacks);
   rc = rc || gsk_secure_socket_init(socket->socketHandle);
   if (rc == 0) {

c/zos.c

@@ -1500,9 +1500,8 @@ void wtoMessage(const char *message){
 }
 
 #define WTO_MAX_SIZE 126
-void wtoPrintf3(const char *formatString, ...) {
+void wtoPrintf3(const char *formatString, va_list arg) {
   char text[WTO_MAX_SIZE+1];       /* Allow for trailing null character */
-  va_list argPointer;
   int cnt;
 
   for (int pass=0; pass<2; pass++){
@@ -1515,9 +1514,7 @@ void wtoPrintf3(const char *formatString, ...) {
        to every successful request.
     */
 
-    va_start(argPointer,formatString);
-    cnt = vsnprintf(text,sizeof(text),formatString,argPointer);
-    va_end(argPointer);
+    cnt = vsnprintf(text,sizeof(text),formatString,arg);
 
     if (cnt<0){
       if (pass==0)

h/tls.h

@@ -121,7 +121,20 @@ typedef struct TlsSettings_tag {
 #define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 "C030" // 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and ephemeral ECDH key exchange signed with an RSA certificate
 #define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 "C031" // 128-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and fixed ECDH key exchange signed with an RSA certificate
 #define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 "C032" // 256-bit AES in Galois Counter Mode encryption with 128-bit AEAD message authentication and fixed ECDH key exchange signed with an RSA certificate
+#define TLS_AES_128_GCM_SHA256 "1301"
+#define TLS_AES_256_GCM_SHA384 "1302"
+#define TLS_CHACHA20_POLY1305_SHA256 "1303"
   char *ciphers;
+#define TLS_X25519 "0029"
+#define TLS_SECP256R1 "0023"
+#define TLS_SECP521R1 "0025"
+  char *keyshares;
+  /*
+     TLSv1.3 isn't supported on some zos versions. Having it
+     enabled causes issues.
+     TODO: Find out why it isn't negotiating 1.2.
+  */
+  char *maxTls;
 } TlsSettings;
 
 typedef struct TlsEnvironment_tag {
@@ -154,4 +167,4 @@ int getClientCertificate(gsk_handle soc_handle, char *clientCertificate, unsigne
   SPDX-License-Identifier: EPL-2.0
   
   Copyright Contributors to the Zowe Project.
-*/
+*/

h/zos.h

@@ -13,6 +13,12 @@
 #ifndef __ZOS__
 #define __ZOS__  1
 
+#ifdef METTLE
+#include <metal/stdarg.h>
+#else
+#include <stdarg.h>
+#endif
+
 #ifndef __LONGNAME__
 
 #define extractPSW EXTRPSW
@@ -1538,7 +1544,7 @@ int dsabIsOMVS(DSAB *dsab);
 
 void wtoMessage(const char *message);
 
-void wtoPrintf3(const char *formatString, ...);
+void wtoPrintf3(const char *formatString, va_list arg);
 
 int locate(char *dsn, int *volserCount, char *firstVolser);
 

manifest.template.yaml

@@ -1,7 +1,7 @@
 ---
 name: zowe-common-c
 
-version: 2.11.0
+version: 2.12.0
 
 homepage: https://zowe.org
 keywords: