Open 1000TurquoisePogs opened 5 months ago
This sounds like a straightforward parameter addition to the schema, and feeding that info through zss.c and zowe-common-c/c/tls.c.
However, the enumeration of valid values needs to be researched starting from https://datatracker.ietf.org/doc/rfc4492/ and its related and superseding RFCs.
I believe the full list of curve strings is here https://neuromancer.sk/std/x962/ Node wants the strings. GSK wants the IANA numbers. The IANA numbers are here https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml Search within for "EC Named Curve Registry"
Short story: much like our TLS cipher implementation, we should utilize the name strings, and then create the string-to-number map.
You can even query what node supports, to see their syntax: 'Oakley-EC2N-3', 'Oakley-EC2N-4', 'SM2', 'brainpoolP160r1', 'brainpoolP160t1', 'brainpoolP192r1', 'brainpoolP192t1', 'brainpoolP224r1', 'brainpoolP224t1', 'brainpoolP256r1', 'brainpoolP256t1', 'brainpoolP320r1', 'brainpoolP320t1', 'brainpoolP384r1', 'brainpoolP384t1', 'brainpoolP512r1', 'brainpoolP512t1', 'c2pnb163v1', 'c2pnb163v2', 'c2pnb163v3', 'c2pnb176v1', 'c2pnb208w1', 'c2pnb272w1', 'c2pnb304w1', 'c2pnb368w1', 'c2tnb191v1', 'c2tnb191v2', 'c2tnb191v3', 'c2tnb239v1', 'c2tnb239v2', 'c2tnb239v3', 'c2tnb359v1', 'c2tnb431r1', 'prime192v1', 'prime192v2', 'prime192v3', 'prime239v1', 'prime239v2', 'prime239v3', 'prime256v1', 'secp112r1', 'secp112r2', 'secp128r1', 'secp128r2', 'secp160k1', 'secp160r1', 'secp160r2', 'secp192k1', 'secp224k1', 'secp224r1', 'secp256k1', 'secp384r1', 'secp521r1', 'sect113r1', 'sect113r2', 'sect131r1', 'sect131r2', 'sect163k1', 'sect163r1', 'sect163r2', 'sect193r1', 'sect193r2', 'sect233k1', 'sect233r1', 'sect239k1', 'sect283k1', 'sect283r1', 'sect409k1', 'sect409r1', 'sect571k1', 'sect571r1', 'wap-wsg-idm-ecid-wtls1', 'wap-wsg-idm-ecid-wtls10', 'wap-wsg-idm-ecid-wtls11', 'wap-wsg-idm-ecid-wtls12', 'wap-wsg-idm-ecid-wtls3', 'wap-wsg-idm-ecid-wtls4', 'wap-wsg-idm-ecid-wtls5', 'wap-wsg-idm-ecid-wtls6', 'wap-wsg-idm-ecid-wtls7', 'wap-wsg-idm-ecid-wtls8', 'wap-wsg-idm-ecid-wtls9'
zowe.network.server.tls.curves is an array a user can set in zowe.yaml to customize crypto curves. But, zss doesn't do anything with that array currently.
GSK handles curve customization much like cipher customization, which we already do here https://github.com/zowe/zss/blob/f44ce8a3c1998f69f86ae52a0dec23b977186e81/c/zss.c#L1192
That is, curves are specified as a string of 4-digit numbers back to back without any spaces or symbols in between. It's very unfriendly to a human, so a convention of mapping from names to numbers is needed. However, all of zowe needs to conform to the names. I don't know which name strings are available.
Node claims to use ASN.1 strings like "prime256v1"
So,
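The string-to-number map proposed above (names in zowe.yaml, IANA numbers for GSK) and the concatenated 4-digit GSK format described in the later comment, as an added example in C. This is not ZSS or zowe-common-c code; it is a sketch of what such a mapping could look like. The table is a hand-picked subset using Node/OpenSSL-style names and the IANA "TLS Supported Groups" values from RFC 4492/8422; the zero-padded decimal encoding of each number is an assumption taken from the "4 digit numbers back to back" description and should be checked against the GSK documentation before use. The function names and the sample curve array are illustrative, not anything from the project. The one design point worth noting: an unknown name makes the whole build fail rather than being silently dropped, so a typo in zowe.yaml cannot quietly produce a different curve list than the operator intended.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Illustrative name -> IANA named-group number table (subset).
 * Names follow the Node/OpenSSL spelling; numbers are from the IANA
 * "TLS Supported Groups" registry (RFC 4492 / RFC 8422).
 * Aliases such as prime256v1/secp256r1 map to the same number. */
typedef struct {
  const char *name;
  int ianaId;
} CurveEntry;

static const CurveEntry CURVE_TABLE[] = {
  {"prime256v1", 23}, {"secp256r1", 23},
  {"secp384r1",  24}, {"secp521r1", 25},
  {"secp256k1",  22}, {"secp224r1", 21},
  {"prime192v1", 19}, {"secp192r1", 19},
  {"brainpoolP256r1", 26}, {"brainpoolP384r1", 27}, {"brainpoolP512r1", 28},
  {"sect283k1", 9},  {"sect283r1", 10},
  {"sect409k1", 11}, {"sect409r1", 12},
  {"sect571k1", 13}, {"sect571r1", 14},
  {"x25519", 29},    {"x448", 30},
};

/* Look up a curve name; returns the IANA number or -1 if unknown.
 * Comparison is case-insensitive so "BrainpoolP256r1" still resolves. */
int curveNameToIanaId(const char *name) {
  size_t n = sizeof(CURVE_TABLE) / sizeof(CURVE_TABLE[0]);
  for (size_t i = 0; i < n; i++) {
    if (strcasecmp(CURVE_TABLE[i].name, name) == 0) {
      return CURVE_TABLE[i].ianaId;
    }
  }
  return -1;
}

/* Build a GSK-style curve list: every IANA number rendered as 4 zero-padded
 * decimal digits, concatenated with no separators (assumed encoding).
 * Returns the count of unknown names (0 = success) or -1 if out is too small.
 * On any unknown name the output is cleared: fail closed rather than emit
 * a partial list the operator did not ask for. */
int buildGskCurveList(const char *const *names, int count,
                      char *out, size_t outSize, const char **firstUnknown) {
  int unknown = 0;
  size_t pos = 0;
  if (firstUnknown) *firstUnknown = NULL;
  if (count < 0 || outSize < (size_t)count * 4 + 1) return -1;
  out[0] = '\0';
  for (int i = 0; i < count; i++) {
    int id = curveNameToIanaId(names[i]);
    if (id < 0) {
      if (unknown == 0 && firstUnknown) *firstUnknown = names[i];
      unknown++;
      continue;
    }
    snprintf(out + pos, outSize - pos, "%04d", id);
    pos += 4;
  }
  if (unknown) out[0] = '\0';
  return unknown;
}

int main(void) {
  /* Constructed stand-in for zowe.network.server.tls.curves from zowe.yaml. */
  const char *curves[] = {"prime256v1", "secp384r1", "secp521r1"};
  const char *badCurves[] = {"prime256v1", "secp255r1"};  /* typo on purpose */
  char gskList[64];
  const char *bad = NULL;

  if (buildGskCurveList(curves, 3, gskList, sizeof gskList, &bad) == 0) {
    printf("GSK curve list: %s\n", gskList);
  }
  if (buildGskCurveList(badCurves, 2, gskList, sizeof gskList, &bad) != 0) {
    printf("rejected configuration: unknown curve '%s'\n", bad);
  }
  return 0;
}
```

Extending the table to the full IANA registry is mechanical; the part to keep is the validation step, and the encoding of each number should be confirmed against what GSK actually parses before wiring this into tls.c.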