From 101b4782e71d7d0d7964e4d333c7b765510ff838 Mon Sep 17 00:00:00 2001 From: Jordan Filteau Date: Thu, 12 Oct 2023 13:21:01 -0500 Subject: [PATCH 1/4] changes to allow disable of TLSv1.3 Signed-off-by: Jordan Filteau --- c/tls.c | 38 ++++++++++++++++++++++++++++++-------- h/tls.h | 8 +++++++- 2 files changed, 37 insertions(+), 9 deletions(-) diff --git a/c/tls.c b/c/tls.c index a790f0677..8e9a6ae72 100644 --- a/c/tls.c +++ b/c/tls.c @@ -15,6 +15,7 @@ #include "bpxnet.h" #include "fdpoll.h" #include "tls.h" +#include "zos.h" int getClientCertificate(gsk_handle soc_handle, char *clientCertificate, unsigned int clientCertificateBufferSize, unsigned int *clientCertificateLength) { @@ -54,6 +55,17 @@ int getClientCertificate(gsk_handle soc_handle, char *clientCertificate, unsigne return rc; } +static int isTLSV13Enabled(TlsSettings *settings) { + ECVT *ecvt = getECVT(); + if ((ecvt->ecvtpseq > 0x1020300) && (settings->maxTls == NULL || !strcmp(settings->maxTls, "TLSv1.3"))) { + return true; + } + /* + Default to false for versions lower than 2.3 and when set to anything other than TLSV1.3. + */ + return false; +} + int tlsInit(TlsEnvironment **outEnv, TlsSettings *settings) { int rc = 0; TlsEnvironment *env = (TlsEnvironment *)safeMalloc(sizeof(*env), "Tls Environment"); @@ -67,7 +79,12 @@ int tlsInit(TlsEnvironment **outEnv, TlsSettings *settings) { rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1, GSK_PROTOCOL_TLSV1_OFF); rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_1, GSK_PROTOCOL_TLSV1_1_OFF); rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_2, GSK_PROTOCOL_TLSV1_2_ON); - rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_3, GSK_PROTOCOL_TLSV1_3_ON); + /* + We will treat not set as allowing TLSv1.3. + */ + if (isTLSV13Enabled(settings)) { + rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_3, GSK_PROTOCOL_TLSV1_3_ON); + } rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_SERVER_EPHEMERAL_DH_GROUP_SIZE, GSK_SERVER_EPHEMERAL_DH_GROUP_SIZE_2048); #ifdef DEV_DO_NOT_VALIDATE_CLIENT_CERTIFICATES @@ -160,14 +177,19 @@ int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isSer rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers, 0); rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_V3_CIPHERS, GSK_V3_CIPHERS_CHAR4); } - if (keyshares) { - /* - * TLS 1.3 needs this. + /* + To be safe, + */ + if (isTLSV13Enabled(env->settings)) { + if (keyshares) { + /* + Only TLS 1.3 needs this. */ - if (isServer) { - rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_SERVER_TLS_KEY_SHARES, keyshares, 0); - } else { - rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_CLIENT_TLS_KEY_SHARES, keyshares, 0); + if (isServer) { + rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_SERVER_TLS_KEY_SHARES, keyshares, 0); + } else { + rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_CLIENT_TLS_KEY_SHARES, keyshares, 0); + } } } rc = rc || gsk_attribute_set_callback(socket->socketHandle, GSK_IO_CALLBACK, &ioCallbacks); diff --git a/h/tls.h b/h/tls.h index e6fa4110b..cf951cea4 100644 --- a/h/tls.h +++ b/h/tls.h @@ -129,6 +129,12 @@ typedef struct TlsSettings_tag { #define TLS_SECP256R1 "0023" #define TLS_SECP521R1 "0025" char *keyshares; + /* + TLSv1.3 isn't supported on some zos versions. Having it + enabled causes issues. + TODO: Find out why it isn't negotiating 1.2. + */ + char *maxTls; } TlsSettings; typedef struct TlsEnvironment_tag { @@ -161,4 +167,4 @@ int getClientCertificate(gsk_handle soc_handle, char *clientCertificate, unsigne SPDX-License-Identifier: EPL-2.0 Copyright Contributors to the Zowe Project. -*/ \ No newline at end of file +*/ From 415f6f29b929646c3a485057696df8061ec8b076 Mon Sep 17 00:00:00 2001 From: Jordan Filteau Date: Fri, 13 Oct 2023 14:58:25 -0500 Subject: [PATCH 2/4] separating default and configurable ciphers for 1.2 and 1.3 Signed-off-by: Jordan Filteau --- c/tls.c | 15 ++++++++++----- h/tls.h | 3 ++- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/c/tls.c b/c/tls.c index 8e9a6ae72..06cc4aec2 100644 --- a/c/tls.c +++ b/c/tls.c @@ -165,7 +165,8 @@ int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isSer return TLS_ALLOC_ERROR; } char *label = env->settings->label; - char *ciphers = env->settings->ciphers; + char *ciphers1_2 = env->settings->ciphers1_2; + char *ciphers1_3 = env->settings->ciphers1_3; char *keyshares = env->settings->keyshares; rc = rc || gsk_secure_socket_open(env->envHandle, &socket->socketHandle); rc = rc || gsk_attribute_set_numeric_value(socket->socketHandle, GSK_FD, fd); @@ -173,14 +174,13 @@ int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isSer rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_KEYRING_LABEL, label, 0); } rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_SESSION_TYPE, isServer ? GSK_SERVER_SESSION_WITH_CL_AUTH : GSK_CLIENT_SESSION); - if (ciphers) { - rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers, 0); - rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_V3_CIPHERS, GSK_V3_CIPHERS_CHAR4); - } /* To be safe, */ if (isTLSV13Enabled(env->settings)) { + if (ciphers1_3) { + rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers1_3, 0); + } if (keyshares) { /* Only TLS 1.3 needs this. @@ -191,7 +191,12 @@ int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isSer rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_CLIENT_TLS_KEY_SHARES, keyshares, 0); } } + } else { + if (ciphers1_2) { + rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers1_3, 0); + } } + rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_V3_CIPHERS, GSK_V3_CIPHERS_CHAR4); rc = rc || gsk_attribute_set_callback(socket->socketHandle, GSK_IO_CALLBACK, &ioCallbacks); rc = rc || gsk_secure_socket_init(socket->socketHandle); if (rc == 0) { diff --git a/h/tls.h b/h/tls.h index cf951cea4..7c5ada3fc 100644 --- a/h/tls.h +++ b/h/tls.h @@ -124,7 +124,7 @@ typedef struct TlsSettings_tag { #define TLS_AES_128_GCM_SHA256 "1301" #define TLS_AES_256_GCM_SHA384 "1302" #define TLS_CHACHA20_POLY1305_SHA256 "1303" - char *ciphers; + char *ciphers1_2; #define TLS_X25519 "0029" #define TLS_SECP256R1 "0023" #define TLS_SECP521R1 "0025" @@ -135,6 +135,7 @@ typedef struct TlsSettings_tag { TODO: Find out why it isn't negotiating 1.2. */ char *maxTls; + char *ciphers1_3; } TlsSettings; typedef struct TlsEnvironment_tag { From e71d1ce58520b70d627672170a48caa974736e3b Mon Sep 17 00:00:00 2001 From: Jordan Filteau Date: Fri, 13 Oct 2023 15:04:43 -0500 Subject: [PATCH 3/4] fixing typo with cipher name Signed-off-by: Jordan Filteau --- c/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/c/tls.c b/c/tls.c index 06cc4aec2..f3fc5f115 100644 --- a/c/tls.c +++ b/c/tls.c @@ -193,7 +193,7 @@ int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isSer } } else { if (ciphers1_2) { - rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers1_3, 0); + rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers1_2, 0); } } rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_V3_CIPHERS, GSK_V3_CIPHERS_CHAR4); From 0d55d47244d37b77bd156fc0376cc0c90e9592a2 Mon Sep 17 00:00:00 2001 From: Jordan Filteau Date: Fri, 13 Oct 2023 16:47:36 -0500 Subject: [PATCH 4/4] reverting changes Signed-off-by: Jordan Filteau --- c/tls.c | 15 +++++---------- h/tls.h | 3 +-- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/c/tls.c b/c/tls.c index f3fc5f115..557034675 100644 --- a/c/tls.c +++ b/c/tls.c @@ -165,22 +165,22 @@ int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isSer return TLS_ALLOC_ERROR; } char *label = env->settings->label; - char *ciphers1_2 = env->settings->ciphers1_2; - char *ciphers1_3 = env->settings->ciphers1_3; + char *ciphers = env->settings->ciphers; char *keyshares = env->settings->keyshares; rc = rc || gsk_secure_socket_open(env->envHandle, &socket->socketHandle); rc = rc || gsk_attribute_set_numeric_value(socket->socketHandle, GSK_FD, fd); if (label) { rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_KEYRING_LABEL, label, 0); } + if (ciphers) { + rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers, 0); + rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_V3_CIPHERS, GSK_V3_CIPHERS_CHAR4); + } rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_SESSION_TYPE, isServer ? GSK_SERVER_SESSION_WITH_CL_AUTH : GSK_CLIENT_SESSION); /* To be safe, */ if (isTLSV13Enabled(env->settings)) { - if (ciphers1_3) { - rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers1_3, 0); - } if (keyshares) { /* Only TLS 1.3 needs this. @@ -191,12 +191,7 @@ int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isSer rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_CLIENT_TLS_KEY_SHARES, keyshares, 0); } } - } else { - if (ciphers1_2) { - rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers1_2, 0); - } } - rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_V3_CIPHERS, GSK_V3_CIPHERS_CHAR4); rc = rc || gsk_attribute_set_callback(socket->socketHandle, GSK_IO_CALLBACK, &ioCallbacks); rc = rc || gsk_secure_socket_init(socket->socketHandle); if (rc == 0) { diff --git a/h/tls.h b/h/tls.h index 7c5ada3fc..cf951cea4 100644 --- a/h/tls.h +++ b/h/tls.h @@ -124,7 +124,7 @@ typedef struct TlsSettings_tag { #define TLS_AES_128_GCM_SHA256 "1301" #define TLS_AES_256_GCM_SHA384 "1302" #define TLS_CHACHA20_POLY1305_SHA256 "1303" - char *ciphers1_2; + char *ciphers; #define TLS_X25519 "0029" #define TLS_SECP256R1 "0023" #define TLS_SECP521R1 "0025" @@ -135,7 +135,6 @@ typedef struct TlsSettings_tag { TODO: Find out why it isn't negotiating 1.2. */ char *maxTls; - char *ciphers1_3; } TlsSettings; typedef struct TlsEnvironment_tag {