Skip to content

Commit

Permalink
Merge pull request #398 from zowe/v2.x/staging
Browse files Browse the repository at this point in the history
Merge staging into rc
  • Loading branch information
1000TurquoisePogs authored Aug 29, 2023
2 parents 18bbf13 + 82f0d3c commit 12a2d8e
Show file tree
Hide file tree
Showing 15 changed files with 742 additions and 96 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
# Zowe Common C Changelog

## `2.11.0`

- WTO printing methods have been moved to zos.c to be more available as utilities (for ex: for the Launcher)

## `2.10.0`

- Feature: The configmgr can now use the 'zos' module in YAML config templates. The 'zos' module is only added when run on ZOS. For a list of available functions, see https://github.com/zowe/zowe-install-packaging/blob/v2.x/staging/build/zwe/types/%40qjstypes/zos.d.ts (#384)
Expand Down
2 changes: 1 addition & 1 deletion build/configmgr.proj.env
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
PROJECT="configmgr"
VERSION=2.10.0
VERSION=2.11.0
DEPS="QUICKJS LIBYAML"

QUICKJS="quickjs"
Expand Down
10 changes: 6 additions & 4 deletions c/dynalloc.c
Original file line number Diff line number Diff line change
Expand Up @@ -874,30 +874,32 @@ int setTextUnit(int type, int size, char* stringValue, int numValue, int key,
}
}

typedef TextUnit *__ptr32 *__ptr32 TextUnitPtrArray;

int dynallocNewDataset(TextUnit **inputTextUnit, int inputTextUnitCount, int *reasonCode) {
ALLOC_STRUCT31(
STRUCT31_NAME(below2G),
STRUCT31_FIELDS(
DynallocParms parms;
TextUnit ** __ptr32 textUnits;
TextUnitPtrArray textUnits;
)
);

below2G->textUnits = (TextUnit **)safeMalloc31(sizeof(TextUnit*) * inputTextUnitCount, "Text units array");
below2G->textUnits = (TextUnitPtrArray)safeMalloc31(sizeof(TextUnit*__ptr32) * inputTextUnitCount, "Text units array");
if(below2G->textUnits == NULL) {
return -1;
}
DynallocParms *parms = &below2G->parms;
dynallocParmsInit(parms);

dynallocParmsSetTextUnits(parms, (TextUnit * __ptr32 *)below2G->textUnits, inputTextUnitCount);
dynallocParmsSetTextUnits(parms, (TextUnitPtrArray)below2G->textUnits, inputTextUnitCount);

int rc;

do {
rc = 0;
for (int i = 0; i < inputTextUnitCount; i++) {
below2G->textUnits[i] = inputTextUnit[i];
below2G->textUnits[i] = (TextUnit *__ptr32)inputTextUnit[i];
if (below2G->textUnits[i] == NULL) {
rc = -1;
break;
Expand Down
84 changes: 70 additions & 14 deletions c/httpserver.c
Original file line number Diff line number Diff line change
Expand Up @@ -2653,19 +2653,23 @@ static int safAuthenticate(HttpService *service, HttpRequest *request, AuthRespo
} else if (authDataFound){
ACEE *acee = NULL;
strupcase(request->username); /* upfold username */
if (!(request->flags & HTTP_REQUEST_NO_PASSWORD)) {
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3, "Password is null. Calling safAuthenticate without a password.\n");
} else {
#ifdef ENABLE_DANGEROUS_AUTH_TRACING
#ifdef METTLE
printf("SAF auth for user: '%s'\n", request->username);
printf("SAF auth for user: '%s'\n", request->username);
#else
printf("u: '%s' p: '%s'\n",request->username,request->password);
printf("u: '%s' p: '%s'\n",request->username,request->password);
#endif
#endif
if (isLowerCasePasswordAllowed() || isPassPhrase(request->password)) {
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3, "mixed-case system or a pass phrase, not upfolding password\n");
/* don't upfold password */
} else {
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3, "non-mixed-case system, not a pass phrase, upfolding password\n");
strupcase(request->password); /* upfold password */
if (isLowerCasePasswordAllowed() || isPassPhrase(request->password)) {
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3, "mixed-case system or a pass phrase, not upfolding password\n");
/* don't upfold password */
} else {
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3, "non-mixed-case system, not a pass phrase, upfolding password\n");
strupcase(request->password); /* upfold password */
}
}

#if APF_AUTHORIZED
Expand All @@ -2675,10 +2679,17 @@ static int safAuthenticate(HttpService *service, HttpRequest *request, AuthRespo

CrossMemoryServerName *privilegedServerName = getConfiguredProperty(service->server, HTTP_SERVER_PRIVILEGED_SERVER_PROPERTY);
int pwdCheckRC = 0, pwdCheckRSN = 0;
pwdCheckRC = zisCheckUsernameAndPassword(privilegedServerName,
request->username, request->password, &status);
authResponse->type = AUTH_TYPE_RACF;
authResponse->responseDetails.safStatus = status.safStatus;
if (!(request->flags & HTTP_REQUEST_NO_PASSWORD)) {
pwdCheckRC = zisCheckUsernameAndPassword(privilegedServerName,
request->username, request->password, &status);
authResponse->type = AUTH_TYPE_RACF;
authResponse->responseDetails.safStatus = status.safStatus;
} else {
pwdCheckRC = zisCheckUsername(privilegedServerName,
request->username, &status);
authResponse->type = AUTH_TYPE_RACF;
authResponse->responseDetails.safStatus = status.safStatus;
}

if (pwdCheckRC != 0) {
#ifdef DEBUG_AUTH
Expand Down Expand Up @@ -3142,7 +3153,7 @@ static int serviceAuthNativeWithSessionToken(HttpService *service, HttpRequest *
int authDataFound = FALSE;
HttpHeader *authenticationHeader = getHeader(request,"Authorization");
char *tokenCookieText = getCookieValue(request,getSessionTokenCookieName(service));

zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG3,
"serviceAuthNativeWithSessionToken: authenticationHeader 0x%p\n",
"extractFunction 0x%p\n",
Expand All @@ -3162,9 +3173,54 @@ static int serviceAuthNativeWithSessionToken(HttpService *service, HttpRequest *
if (service->authExtractionFunction(service, request) == 0){
authDataFound = TRUE;
}
}
}

#define TLS_CLIENT_CERTIFICATE_MAX_LENGTH 65536

char *clientCertificate = safeMalloc(TLS_CLIENT_CERTIFICATE_MAX_LENGTH, "Client Certificate");
unsigned int clientCertificateLength = 0;

int rc = getClientCertificate(response->socket->tlsSocket->socketHandle, clientCertificate, TLS_CLIENT_CERTIFICATE_MAX_LENGTH, &clientCertificateLength);
if (rc != 0) {
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG, "getClientCertificate - %d.\n", rc);
}

#ifdef ENABLE_DANGEROUS_AUTH_TRACING
/* We probably don't want to dump their certificate, right? */
dumpbuffer(clientCertificate, clientCertificateLength);
#endif

if (rc == 0 && clientCertificateLength > 0) {
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG, "There is a client certificate attached to the request.\n");
/*
* We don't want to do this if we already found authentication data.
*/
if (authDataFound == FALSE) {
#define TLS_USERID_LENGTH 9
char userid[TLS_USERID_LENGTH] = {0};
int racfReturnCode = 0, racfReasonCode = 0;
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG, "There was no token or credentials found in the request. Server is attempting to map the client certificate.\n");
int safReturnCode = getUseridByCertificate(clientCertificate, clientCertificateLength, userid, &racfReturnCode, &racfReasonCode);
if (safReturnCode == 0) {
request->username = userid;
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_DEBUG, "Found user '%s' from client certificate.\n", request->username);
request->password = NULL;
request->flags = HTTP_REQUEST_NO_PASSWORD;
authDataFound = TRUE;
} else {
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_INFO, "No user was found for client certificate. (rc = 0x%x racfRC = 0x%x racfRSN = 0x%x\n", safReturnCode, racfReturnCode, racfReasonCode);
}
} else {
zowelog(NULL, LOG_COMP_HTTPSERVER, ZOWE_LOG_INFO, "Client certificate was attached to request, but credentials are also attached. Server won't attempt to map the client certificate.\n");
}
}


if (clientCertificate) {
safeFree(clientCertificate, TLS_CLIENT_CERTIFICATE_MAX_LENGTH);
clientCertificate = NULL;
}

response->sessionCookie = NULL;

AUTH_TRACE("AUTH: tokenCookieText: %s\n",(tokenCookieText ? tokenCookieText : "<noAuthToken>"));
Expand Down
14 changes: 10 additions & 4 deletions c/le.c
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ char *getCAA(void){
}

#ifndef LE_MAX_SUPPORTED_ZOS
#define LE_MAX_SUPPORTED_ZOS 0x01020500u
#define LE_MAX_SUPPORTED_ZOS 0x01030100u
#endif

void abortIfUnsupportedCAA() {
Expand All @@ -120,9 +120,15 @@ void abortIfUnsupportedCAA() {
unsigned int zosVersion = ecvt->ecvtpseq;
#ifndef METTLE
if (zosVersion > LE_MAX_SUPPORTED_ZOS) {
printf("error: z/OS version = 0x%08X, max supported version = 0x%08X - "
"CAA fields require verification\n", zosVersion, LE_MAX_SUPPORTED_ZOS);
abort();
const char *continueWithWarning = getenv("ZWE_zowe_launcher_unsafeDisableZosVersionCheck");
if (!strcmp(continueWithWarning, "true")) {
printf("warning: z/OS version = 0x%08X, max supported version = 0x%08X - "
"CAA fields require verification\n", zosVersion, LE_MAX_SUPPORTED_ZOS);
} else {
printf("error: z/OS version = 0x%08X, max supported version = 0x%08X - "
"CAA fields require verification\n", zosVersion, LE_MAX_SUPPORTED_ZOS);
abort();
}
}
#else
/* Metal uses its own copy of CAA, reserved fields will always be available */
Expand Down
69 changes: 8 additions & 61 deletions c/metalio.c
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@
#include "qsam.h"
#include "metalio.h"
#include "alloc.h"
#include "zos.h"

static int isopen(void * dcbptr) {

Expand Down Expand Up @@ -378,30 +379,7 @@ SYSOUT *getSYSOUTStruct(char *ddname, SYSOUT *existingSysout, char *buffer){
*/
void message(char *message){

ALLOC_STRUCT31(
STRUCT31_NAME(below2G),
STRUCT31_FIELDS(
WTOCommon31 common;
char text[126]; /* Maximum length of WTO text is 126 - ABEND D23-xxxx0005 if longer than 126 */
)
);

int len = strlen(message);
if (len>sizeof(below2G->text))
len=sizeof(below2G->text);

below2G->common.length = len+sizeof(below2G->common); /* +4 for header */
memcpy(below2G->text,message,len);

__asm(ASM_PREFIX
" WTO MF=(E,(%[wtobuf])) \n"
:
:[wtobuf]"NR:r1"(&below2G->common)
:"r0","r1","r15");

FREE_STRUCT31(
STRUCT31_NAME(below2G)
);
wtoMessage(message);
}

/* this can only be called from authorized callers */
Expand Down Expand Up @@ -485,44 +463,13 @@ void sendWTO(int descriptorCode, int routingCode, char *message, int length){
}

#define WTO_MAX_SIZE 126
void wtoPrintf(char *formatString, ...){
char text[WTO_MAX_SIZE+1]; /* Allow for trailing null character */
void wtoPrintf(char *formatString, ...) {
va_list argPointer;
int cnt;

for (int pass=0; pass<2; pass++){

/* The resulting text string from vsnprintf is unpredictable if
there is an error in the format string or arguments. In that
case we will set the output text area to null, repeat the
vsnprintf, and then find the length of the null terminated
string. This avoids initializing the output text area prior
to every successful request.
*/

va_start(argPointer,formatString);
cnt = vsnprintf(text,sizeof(text),formatString,argPointer);
va_end(argPointer);

if (cnt<0){
if (pass==0)
memset(text,0,sizeof(text)); /* Clear the text buffer before retrying the vsnprint request */
else {
text[WTO_MAX_SIZE] = 0; /* Ensure strlen stops at the end of the text buffer */
cnt = strlen(text); /* Find the end of the text string */
}
} else
break; /* vsnprintf did not return an error - cnt was set */
}
if (cnt>WTO_MAX_SIZE) /* If more data to format than the text buffer length */
cnt = WTO_MAX_SIZE; /* Truncate the formatted length to the text buffer length */

/* We never want to include a final \n character in the WTO text */

if (cnt>0 && text[cnt-1] == '\n') /* If text ends with \n */
text[cnt-1] = 0; /* Change it into a null character */

message(text);
va_start(argPointer, formatString);

wtoPrintf3(formatString, argPointer);

va_end(argPointer);
}

void authWTOPrintf(char *formatString, ...){
Expand Down
51 changes: 47 additions & 4 deletions c/tls.c
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,52 @@
Copyright Contributors to the Zowe Project.
*/
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <errno.h>
#include "alloc.h"
#include "bpxnet.h"
#include "fdpoll.h"
#include "tls.h"

int getClientCertificate(gsk_handle soc_handle, char *clientCertificate, unsigned int clientCertificateBufferSize, unsigned int *clientCertificateLength) {

int rc = 0;

if (clientCertificate == NULL || clientCertificateBufferSize <= 0) {
return -1;
}

memset(clientCertificate, 0, clientCertificateBufferSize);
*clientCertificateLength = 0;

gsk_cert_data_elem *gskCertificateArray = NULL;
int gskCertificateArrayElementCount = 0;

rc = gsk_attribute_get_cert_info(soc_handle, GSK_PARTNER_CERT_INFO, &gskCertificateArray, &gskCertificateArrayElementCount);

if (rc != 0) {
return rc;
}

for (int i = 0; i < gskCertificateArrayElementCount; i++) {
gsk_cert_data_elem *tmp = &gskCertificateArray[i];
if (tmp->cert_data_id == CERT_BODY_DER) {
if (clientCertificateBufferSize >= tmp->cert_data_l) {
memcpy(clientCertificate, tmp->cert_data_p, tmp->cert_data_l);
*clientCertificateLength = tmp->cert_data_l;
} else {
rc = -1; /* tls rc are all positive */
}
break;
}
}

gsk_free_cert_data(gskCertificateArray, gskCertificateArrayElementCount);

return rc;
}

int tlsInit(TlsEnvironment **outEnv, TlsSettings *settings) {
int rc = 0;
TlsEnvironment *env = (TlsEnvironment *)safeMalloc(sizeof(*env), "Tls Environment");
Expand All @@ -29,6 +68,11 @@ int tlsInit(TlsEnvironment **outEnv, TlsSettings *settings) {
rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_1, GSK_PROTOCOL_TLSV1_1_OFF);
rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_PROTOCOL_TLSV1_2, GSK_PROTOCOL_TLSV1_2_ON);
rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_SERVER_EPHEMERAL_DH_GROUP_SIZE, GSK_SERVER_EPHEMERAL_DH_GROUP_SIZE_2048);

#ifdef DEV_DO_NOT_VALIDATE_CLIENT_CERTIFICATES
rc = rc || gsk_attribute_set_enum(env->envHandle, GSK_CLIENT_AUTH_TYPE, GSK_CLIENT_AUTH_PASSTHRU_TYPE);
#endif

rc = rc || gsk_attribute_set_buffer(env->envHandle, GSK_KEYRING_FILE, settings->keyring, 0);
if (settings->stash) {
rc = rc || gsk_attribute_set_buffer(env->envHandle, GSK_KEYRING_STASH_FILE, settings->stash, 0);
Expand Down Expand Up @@ -94,9 +138,9 @@ static int secureSocketSend(int fd, void *data, int len, char *userData) {
}
return rc;
}

int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isServer) {
int rc = 0;
int rc = 0;
gsk_iocallback ioCallbacks = {secureSocketRecv, secureSocketSend, NULL, NULL, NULL, NULL};
TlsSocket *socket = (TlsSocket*)safeMalloc(sizeof(TlsSocket), "Tls Socket");
if (!socket) {
Expand All @@ -109,8 +153,7 @@ int tlsSocketInit(TlsEnvironment *env, TlsSocket **outSocket, int fd, bool isSer
if (label) {
rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_KEYRING_LABEL, label, 0);
}
rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_SESSION_TYPE,
isServer ? GSK_SERVER_SESSION : GSK_CLIENT_SESSION);
rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_SESSION_TYPE, isServer ? GSK_SERVER_SESSION_WITH_CL_AUTH : GSK_CLIENT_SESSION);
if (ciphers) {
rc = rc || gsk_attribute_set_buffer(socket->socketHandle, GSK_V3_CIPHER_SPECS_EXPANDED, ciphers, 0);
rc = rc || gsk_attribute_set_enum(socket->socketHandle, GSK_V3_CIPHERS, GSK_V3_CIPHERS_CHAR4);
Expand Down
Loading

0 comments on commit 12a2d8e

Please sign in to comment.