libnetconf UPDATE YANG data configuration
Configuration based on YANG data. Open 2 ssh channels on one
session. Pubkey, interactive, password and none SSH authentication methods working. SSH
message callback not a callback anymore, handle SSH messages manually.
ietf-netconf-server and all models it imports added and a libnetconf2 own model
with augments. And finally only local-definition of keys supported. 2 tests.
NBC API changes.
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 2a29e96..4740567 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -111,7 +111,8 @@
src/messages_server.c
src/session.c
src/session_client.c
- src/session_server.c)
+ src/session_server.c
+ src/config_server.c)
if(ENABLE_SSH)
list(APPEND libsrc
@@ -136,7 +137,8 @@
src/session_client.h
src/session_client_ch.h
src/session_server.h
- src/session_server_ch.h)
+ src/session_server_ch.h
+ src/config_server.h)
# files to generate doxygen from
set(doxy_files
diff --git a/examples/client.c b/examples/client.c
index 38512b6..1ebf11c 100644
--- a/examples/client.c
+++ b/examples/client.c
@@ -150,6 +150,7 @@
}
nc_client_init();
+
/* set the path to search for schemas */
nc_client_set_schema_searchpath(MODULES_DIR);
@@ -176,6 +177,7 @@
case 'd':
nc_verbosity(NC_VERB_DEBUG);
+ nc_libssh_thread_verbosity(2);
break;
default:
diff --git a/examples/example.h.in b/examples/example.h.in
index c003565..5aa11f3 100644
--- a/examples/example.h.in
+++ b/examples/example.h.in
@@ -21,6 +21,9 @@
/* directory with library YANG modules */
#define MODULES_DIR "@CMAKE_SOURCE_DIR@/modules"
+/* directory with examples source code and this header */
+#define EXAMPLES_DIR "@CMAKE_SOURCE_DIR@/examples"
+
/* SSH listening IP address */
#define SSH_ADDRESS "127.0.0.1"
diff --git a/examples/server.c b/examples/server.c
index 2a55c77..c0e7cc5 100644
--- a/examples/server.c
+++ b/examples/server.c
@@ -27,6 +27,7 @@
#include <libyang/libyang.h>
+#include "config_server.h"
#include "log.h"
#include "messages_server.h"
#include "netconf.h"
@@ -34,6 +35,7 @@
#include "session_server_ch.h"
volatile int exit_application = 0;
+struct lyd_node *tree;
static void
sigint_handler(int signum)
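Review bot: `tree` is added as a non-static file-scope pointer that no hunk of this commit assigns; its only use is `lyd_free_all(tree)` in the final cleanup hunk, where, as far as the visible hunks show, it is still NULL, so the global is dead weight. If the example is meant to keep the parsed configuration tree (presumably produced inside nc_server_config_setup_path()), have init() store it; otherwise drop both the declaration and the free. In either case it should be `static struct lyd_node *tree;` so the symbol does not leak out of the example's translation unit.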
@@ -52,6 +54,7 @@
struct lyd_node *filter, *err;
struct lyd_meta *m, *type = NULL, *select = NULL;
struct ly_set *set = NULL;
+ LY_ERR ret;
ctx = nc_session_get_ctx(session);
@@ -62,7 +65,8 @@
}
/* search for the optional filter in the RPC */
- if (lyd_find_path(rpc, "filter", 0, &filter)) {
+ ret = lyd_find_path(rpc, "filter", 0, &filter);
+ if (ret && (ret != LY_ENOTFOUND)) {
err = nc_err(ctx, NC_ERR_OP_FAILED, NC_ERR_TYPE_APP);
goto error;
}
@@ -199,108 +203,49 @@
}
static int
-hostkey_callback(const char *name, void *user_data, char **privkey_path, char **privkey_data, NC_SSH_KEY_TYPE *privkey_type)
-{
- /* return only known hostkey */
- if (strcmp(name, "server_hostkey")) {
- return 1;
- }
-
- /* the hostkey is in a file */
- *privkey_path = strdup(user_data);
- *privkey_data = NULL;
- *privkey_type = NC_SSH_KEY_UNKNOWN;
-
- return 0;
-}
-
-static int
-password_callback(const struct nc_session *session, const char *password, void *user_data)
-{
- (void) user_data;
- const char *username;
-
- /* get username from the NETCONF session */
- username = nc_session_get_username(session);
-
- /* compare it with the defined username and password */
- if (strcmp(username, SSH_USERNAME) || strcmp(password, SSH_PASSWORD)) {
- return 1;
- }
-
- return 0;
-}
-
-static int
init(struct ly_ctx **context, struct nc_pollsession **ps, const char *path, NC_TRANSPORT_IMPL server_type)
{
- struct lys_module *module;
int rc = 0;
- const char *features[] = {"*", NULL};
+ const char *config_file_path = EXAMPLES_DIR "/config.xml";
+
+ if (path) {
+ /* if a path is supplied, then use it */
+ config_file_path = path;
+ }
+
+ if (server_type == NC_TI_UNIX) {
+ ERR_MSG_CLEANUP("Only support SSH for now.\n");
+ }
+
+ /* create a libyang context that will determine which YANG modules will be supported by the server */
+ rc = ly_ctx_new(MODULES_DIR, 0, context);
+ if (rc) {
+ ERR_MSG_CLEANUP("Error while creating a new context.\n");
+ }
+
+ /* implement the base NETCONF modules */
+ rc = nc_server_init_ctx(context);
+ if (rc) {
+ ERR_MSG_CLEANUP("Error while initializing context.\n");
+ }
+
+ /* load all required modules for configuration, so the configuration of the server can be done */
+ rc = nc_server_config_load_modules(context);
+ if (rc) {
+ ERR_MSG_CLEANUP("Error loading modules required for configuration of the server.\n");
+ }
+
+ /* parse YANG data from a file, configure the server based on the parsed YANG configuration data */
+ rc = nc_server_config_setup_path(*context, config_file_path);
+ if (rc) {
+ ERR_MSG_CLEANUP("Error setting the path to the configuration data.\n");
+ }
/* initialize the server */
if (nc_server_init()) {
ERR_MSG_CLEANUP("Error occurred while initializing the server.\n");
}
- if (server_type == NC_TI_UNIX) {
- /* add a new UNIX socket endpoint with an arbitrary name main_unix */
- if (nc_server_add_endpt("main_unix", NC_TI_UNIX)) {
- ERR_MSG_CLEANUP("Couldn't add end point.\n");
- }
-
- /* set endpoint listening address to the path from the parameter */
- if (nc_server_endpt_set_address("main_unix", path)) {
- ERR_MSG_CLEANUP("Couldn't set address of end point.\n");
- }
- } else {
- /* add a new SSH endpoint with an arbitrary name main_ssh */
- if (nc_server_add_endpt("main_ssh", NC_TI_LIBSSH)) {
- ERR_MSG_CLEANUP("Couldn't add end point.\n");
- }
-
- /* set generic hostkey callback which will be used for retrieving all the hostkeys */
- nc_server_ssh_set_hostkey_clb(hostkey_callback, (void *)path, NULL);
-
- /* set 'password' SSH authentication callback */
- nc_server_ssh_set_passwd_auth_clb(password_callback, NULL, NULL);
-
- /* add a new hostkey called server_hostkey, whose data will be retrieved by the hostkey callback */
- nc_server_ssh_endpt_add_hostkey("main_ssh", "server_hostkey", -1);
-
- /* set endpoint listening address to the defined IP address */
- if (nc_server_endpt_set_address("main_ssh", SSH_ADDRESS)) {
- ERR_MSG_CLEANUP("Couldn't set address of end point.\n");
- }
-
- /* set endpoint listening port to the defined one */
- if (nc_server_endpt_set_port("main_ssh", SSH_PORT)) {
- ERR_MSG_CLEANUP("Couldn't set port of end point.\n");
- }
-
- /* allow only 'password' SSH authentication method for the endpoint */
- if (nc_server_ssh_endpt_set_auth_methods("main_ssh", NC_SSH_AUTH_PASSWORD)) {
- ERR_MSG_CLEANUP("Couldn't set authentication methods of end point.\n");
- }
- }
-
- /* create a libyang context that will determine which YANG modules will be supported by the server */
- if (ly_ctx_new(MODULES_DIR, 0, context)) {
- ERR_MSG_CLEANUP("Couldn't create new libyang context.\n");
- }
-
- /* support and load the base NETCONF ietf-netconf module with all its features enabled */
- module = ly_ctx_load_module(*context, "ietf-netconf", NULL, features);
- if (!module) {
- ERR_MSG_CLEANUP("Couldn't load ietf-netconf module.\n");
- }
-
- /* support get-schema RPC for the server to be able to send YANG modules */
- module = ly_ctx_load_module(*context, "ietf-netconf-monitoring", NULL, features);
- if (!module) {
- ERR_MSG_CLEANUP("Couldn't load ietf-netconf-monitoring module.\n");
- }
-
/* create a new poll session structure, which is used for polling RPCs sent by clients */
*ps = nc_ps_new();
if (!*ps) {
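Review bot: init() keeps its old signature while `path` changed meaning from the UNIX socket / hostkey path to the configuration-file path, and `server_type` now only serves to reject NC_TI_UNIX with "Only support SSH for now."; since main() still keeps `unix_socket_path` (visible in the next hunk), the `-u` option presumably still reaches this error at runtime and the help text should say so. The function deserves a header comment stating what it now takes, e.g. `/* Configure and start an SSH server from the YANG configuration data in path (default: EXAMPLES_DIR/config.xml); that file now supplies the hostkey and the client authentication policy that the removed hostkey/password callbacks used to provide. */`. The error message after nc_server_config_setup_path() says "setting the path" while the call, per its own comment, parses and applies the configuration; `ERR_MSG_CLEANUP("Error parsing or applying the server configuration file.\n");` names what actually failed.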
@@ -324,7 +269,7 @@
struct ly_ctx *context = NULL;
struct nc_session *session, *new_session;
struct nc_pollsession *ps = NULL;
- const char *unix_socket_path = NULL, *ssh_public_key_path = NULL;
+ const char *unix_socket_path = NULL, *config_file_path = NULL;
struct option options[] = {
{"help", no_argument, NULL, 'h'},
@@ -341,7 +286,7 @@
opterr = 0;
- while ((opt = getopt_long(argc, argv, "hu:s:d", options, NULL)) != -1) {
+ while ((opt = getopt_long(argc, argv, ":s:hu:d", options, NULL)) != -1) {
switch (opt) {
case 'h':
help_print();
@@ -356,9 +301,10 @@
break;
case 's':
- ssh_public_key_path = optarg;
- if (init(&context, &ps, ssh_public_key_path, NC_TI_LIBSSH)) {
+ config_file_path = optarg;
+ if (init(&context, &ps, config_file_path, NC_TI_LIBSSH)) {
ERR_MSG_CLEANUP("Failed to initialize a SSH server\n");
+ goto cleanup;
}
printf("Using SSH!\n");
break;
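Review bot: The `goto cleanup;` added after ERR_MSG_CLEANUP is inconsistent with init() in the previous hunk, where the same macro is used bare on every error path. If the macro already jumps to cleanup (its name and the bare uses suggest so), the added goto is unreachable; if it does not, init() continues past a failed ly_ctx_new() into nc_server_init_ctx() with an unset context. Either the goto should go, or init() needs the same explicit jumps; the ':' case in the next hunk repeats this pattern.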
@@ -367,6 +313,18 @@
nc_verbosity(NC_VERB_DEBUG);
break;
+ case ':':
+ if (optopt == 's') {
+ if (init(&context, &ps, NULL, NC_TI_LIBSSH)) {
+ ERR_MSG_CLEANUP("Failed to initialize a SSH server\n");
+ goto cleanup;
+ }
+ printf("Using SSH!\n");
+ break;
+ } else {
+ ERR_MSG_CLEANUP("Invalid option or missing argument\n");
+ }
+
default:
ERR_MSG_CLEANUP("Invalid option or missing argument\n");
}
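Review bot: The ':' case relies on getopt's leading-':' mode to emulate an optional argument for -s, but `s:` still declares the argument mandatory, so `-s -d` consumes `-d` as the config-file path and only a trailing `-s` reaches this case; if the help text (outside the hunk) presents the file as optional, either document that `-s` must come last or use GNU `s::`, whose argument must be attached (`-sFILE`). Separately, the `else` branch calls ERR_MSG_CLEANUP and then falls into `default`, which calls it again with the same message; drop the else branch and mark the fall-through explicitly: `} /* fallthrough */`.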
@@ -440,6 +398,7 @@
}
nc_ps_free(ps);
nc_server_destroy();
+ lyd_free_all(tree);
ly_ctx_destroy(context);
return rc;
}
diff --git a/modules/iana-crypt-hash.yang b/modules/iana-crypt-hash.yang
new file mode 100644
index 0000000..eaf6258
--- /dev/null
+++ b/modules/iana-crypt-hash.yang
@@ -0,0 +1,124 @@
+module iana-crypt-hash {
+ namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash";
+ prefix ianach;
+
+ organization "IANA";
+ contact
+ " Internet Assigned Numbers Authority
+
+ Postal: ICANN
+ 4676 Admiralty Way, Suite 330
+ Marina del Rey, CA 90292
+
+ Tel: +1 310 823 9358
+ E-Mail: iana&iana.org";
+ description
+ "This YANG module defines a typedef for storing passwords
+ using a hash function, and features to indicate which hash
+ functions are supported by an implementation.
+
+ The latest revision of this YANG module can be obtained from
+ the IANA web site.
+
+ Requests for new values should be made to IANA via
+ email (iana&iana.org).
+
+ Copyright (c) 2014 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD License
+ set forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ The initial version of this YANG module is part of RFC XXXX;
+ see the RFC itself for full legal notices.";
+ // RFC Ed.: replace XXXX with actual RFC number and remove this
+ // note.
+
+ // RFC Ed.: update the date below with the date of RFC publication
+ // and remove this note.
+ revision 2014-04-04 {
+ description
+ "Initial revision.";
+ reference
+ "RFC XXXX: A YANG Data Model for System Management";
+ }
+
+ typedef crypt-hash {
+ type string {
+ pattern
+ '$0$.*'
+ + '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}'
+ + '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}'
+ + '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}';
+ }
+ description
+ "The crypt-hash type is used to store passwords using
+ a hash function. The algorithms for applying the hash
+ function and encoding the result are implemented in
+ various UNIX systems as the function crypt(3).
+
+ A value of this type matches one of the forms:
+
+ $0$<clear text password>
+ $<id>$<salt>$<password hash>
+ $<id>$<parameter>$<salt>$<password hash>
+
+ The '$0$' prefix signals that the value is clear text. When
+ such a value is received by the server, a hash value is
+ calculated, and the string '$<id>$<salt>$' or
+ $<id>$<parameter>$<salt>$ is prepended to the result. This
+ value is stored in the configuration data store.
+
+ If a value starting with '$<id>$', where <id> is not '0', is
+ received, the server knows that the value already represents a
+ hashed value, and stores it as is in the data store.
+
+ When a server needs to verify a password given by a user, it
+ finds the stored password hash string for that user, extracts
+ the salt, and calculates the hash with the salt and given
+ password as input. If the calculated hash value is the same
+ as the stored value, the password given by the client is
+ accepted.
+
+ This type defines the following hash functions:
+
+ id | hash function | feature
+ ---+---------------+-------------------
+ 1 | MD5 | crypt-hash-md5
+ 5 | SHA-256 | crypt-hash-sha-256
+ 6 | SHA-512 | crypt-hash-sha-512
+
+ The server indicates support for the different hash functions
+ by advertising the corresponding feature.";
+ reference
+ "IEEE Std 1003.1-2008 - crypt() function
+ RFC 1321: The MD5 Message-Digest Algorithm
+ FIPS.180-3.2008: Secure Hash Standard";
+ }
+
+ feature crypt-hash-md5 {
+ description
+ "Indicates that the device supports the MD5
+ hash function in 'crypt-hash' values";
+ reference "RFC 1321: The MD5 Message-Digest Algorithm";
+ }
+
+ feature crypt-hash-sha-256 {
+ description
+ "Indicates that the device supports the SHA-256
+ hash function in 'crypt-hash' values";
+ reference "FIPS.180-3.2008: Secure Hash Standard";
+ }
+
+ feature crypt-hash-sha-512 {
+ description
+ "Indicates that the device supports the SHA-512
+ hash function in 'crypt-hash' values";
+ reference "FIPS.180-3.2008: Secure Hash Standard";
+ }
+
+}
diff --git a/modules/iana-ssh-encryption-algs@2022-06-16.yang b/modules/iana-ssh-encryption-algs@2022-06-16.yang
new file mode 100644
index 0000000..fabfd96
--- /dev/null
+++ b/modules/iana-ssh-encryption-algs@2022-06-16.yang
@@ -0,0 +1,392 @@
+module iana-ssh-encryption-algs {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs";
+ prefix sshea;
+
+ organization
+ "Internet Assigned Numbers Authority (IANA)";
+
+ contact
+ "Postal: ICANN
+ 12025 Waterfront Drive, Suite 300
+ Los Angeles, CA 90094-2536
+ United States of America
+ Tel: +1 310 301 5800
+ Email: iana@iana.org";
+
+ description
+ "This module defines identities for the encryption algorithms
+ defined in the 'Encryption Algorithm Names' sub-registry of the
+ 'Secure Shell (SSH) Protocol Parameters' registry maintained
+ by IANA.
+
+ Copyright (c) 2022 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ The initial version of this YANG module is part of RFC EEEE
+ (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
+ itself for full legal notices.";
+
+ revision 2022-06-16 {
+ description
+ "Updated to reflect contents of the encryption algorithms
+ registry on June 16, 2022.";
+ }
+
+ revision 2021-06-01 {
+ description
+ "Initial version";
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ // Typedefs
+
+ typedef encryption-algorithm-ref {
+ type identityref {
+ base "encryption-alg-base";
+ }
+ description
+ "A reference to a SSH encryption algorithm identifier.";
+ }
+
+ // Identities
+
+ identity encryption-alg-base {
+ description
+ "Base identity used to identify encryption algorithms.";
+ }
+
+ identity triple-des-cbc { // YANG IDs cannot begin with a number
+ base encryption-alg-base;
+ description
+ "3DES-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity blowfish-cbc {
+ base encryption-alg-base;
+ description
+ "BLOWFISH-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity twofish256-cbc {
+ base encryption-alg-base;
+ description
+ "TWOFISH256-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity twofish-cbc {
+ base encryption-alg-base;
+ description
+ "TWOFISH-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity twofish192-cbc {
+ base encryption-alg-base;
+ description
+ "TWOFISH192-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity twofish128-cbc {
+ base encryption-alg-base;
+ description
+ "TWOFISH128-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity aes256-cbc {
+ base encryption-alg-base;
+ description
+ "AES256-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity aes192-cbc {
+ base encryption-alg-base;
+ description
+ "AES192-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity aes128-cbc {
+ base encryption-alg-base;
+ description
+ "AES128-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity serpent256-cbc {
+ base encryption-alg-base;
+ description
+ "SERPENT256-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity serpent192-cbc {
+ base encryption-alg-base;
+ description
+ "SERPENT192-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity serpent128-cbc {
+ base encryption-alg-base;
+ description
+ "SERPENT128-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity arcfour {
+ base encryption-alg-base;
+ status obsolete;
+ description
+ "ARCFOUR";
+ reference
+ "RFC 8758:
+ Deprecating RC4 in Secure Shell (SSH)";
+ }
+
+ identity idea-cbc {
+ base encryption-alg-base;
+ description
+ "IDEA-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity cast128-cbc {
+ base encryption-alg-base;
+ description
+ "CAST128-CBC";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity none {
+ base encryption-alg-base;
+ description
+ "NONE";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+ identity des-cbc {
+ base encryption-alg-base;
+ status obsolete;
+ description
+ "DES-CBC";
+ reference
+ "FIPS 46-3:
+ Data Encryption Standard (DES)";
+ }
+
+ identity arcfour128 {
+ base encryption-alg-base;
+ status obsolete;
+ description
+ "ARCFOUR128";
+ reference
+ "RFC 8758:
+ Deprecating RC4 in Secure Shell (SSH)";
+ }
+
+ identity arcfour256 {
+ base encryption-alg-base;
+ status obsolete;
+ description
+ "ARCFOUR256";
+ reference
+ "RFC 8758:
+ Deprecating RC4 in Secure Shell (SSH)";
+ }
+
+ identity aes128-ctr {
+ base encryption-alg-base;
+ description
+ "AES128-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity aes192-ctr {
+ base encryption-alg-base;
+ description
+ "AES192-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity aes256-ctr {
+ base encryption-alg-base;
+ description
+ "AES256-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity triple-des-ctr { // YANG IDs cannot begin with a number
+ base encryption-alg-base;
+ description
+ "3DES-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity blowfish-ctr {
+ base encryption-alg-base;
+ description
+ "BLOWFISH-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity twofish128-ctr {
+ base encryption-alg-base;
+ description
+ "TWOFISH128-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity twofish192-ctr {
+ base encryption-alg-base;
+ description
+ "TWOFISH192-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity twofish256-ctr {
+ base encryption-alg-base;
+ description
+ "TWOFISH256-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity serpent128-ctr {
+ base encryption-alg-base;
+ description
+ "SERPENT128-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity serpent192-ctr {
+ base encryption-alg-base;
+ description
+ "SERPENT192-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity serpent256-ctr {
+ base encryption-alg-base;
+ description
+ "SERPENT256-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity idea-ctr {
+ base encryption-alg-base;
+ description
+ "IDEA-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity cast128-ctr {
+ base encryption-alg-base;
+ description
+ "CAST128-CTR";
+ reference
+ "RFC 4344:
+ The Secure Shell (SSH) Transport Layer Encryption Modes";
+ }
+
+ identity aead-aes-128-gcm {
+ base encryption-alg-base;
+ description
+ "AEAD_AES_128_GCM";
+ reference
+ "RFC 5647:
+ AES Galois Counter Mode for the
+ Secure Shell Transport Layer Protocol";
+ }
+
+ identity aead-aes-256-gcm {
+ base encryption-alg-base;
+ description
+ "AEAD_AES_256_GCM";
+ reference
+ "RFC 5647:
+ AES Galois Counter Mode for the
+ Secure Shell Transport Layer Protocol";
+ }
+
+ // Protocol-accessible Nodes
+
+ container supported-algorithms {
+ config false;
+ description
+ "A container for a list of encryption algorithms
+ supported by the server.";
+ leaf-list supported-algorithm {
+ type encryption-algorithm-ref;
+ description
+ "A encryption algorithm supported by the server.";
+ }
+ }
+
+}
diff --git a/modules/iana-ssh-key-exchange-algs@2022-06-16.yang b/modules/iana-ssh-key-exchange-algs@2022-06-16.yang
new file mode 100644
index 0000000..c4bab5b
--- /dev/null
+++ b/modules/iana-ssh-key-exchange-algs@2022-06-16.yang
@@ -0,0 +1,2219 @@
+module iana-ssh-key-exchange-algs {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs";
+ prefix sshkea;
+
+ organization
+ "Internet Assigned Numbers Authority (IANA)";
+
+ contact
+ "Postal: ICANN
+ 12025 Waterfront Drive, Suite 300
+ Los Angeles, CA 90094-2536
+ United States of America
+ Tel: +1 310 301 5800
+ Email: iana@iana.org";
+
+ description
+ "This module defines identities for the key exchange algorithms
+ defined in the 'Key Exchange Method Names' sub-registry of the
+ 'Secure Shell (SSH) Protocol Parameters' registry maintained
+ by IANA.
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ The initial version of this YANG module is part of RFC EEEE
+ (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
+ itself for full legal notices.";
+
+ revision 2022-06-16 {
+ description
+ "Updated to reflect contents of the key exchange algorithms
+ registry on June 16, 2022.";
+ }
+
+ revision 2021-06-01 {
+ description
+ "Initial version";
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ // Typedefs
+
+ typedef key-exchange-algorithm-ref {
+ type identityref {
+ base "key-exchange-alg-base";
+ }
+ description
+ "A reference to a SSH key exchange algorithm identifier.";
+ }
+
+ // Identities
+
+ identity key-exchange-alg-base {
+ description
+ "Base identity used to identify key exchange algorithms.";
+ }
+
+ identity diffie-hellman-group-exchange-sha1 {
+ base key-exchange-alg-base;
+ description
+ "DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA1";
+ reference
+ "RFC 4419:
+ Diffie-Hellman Group Exchange for the
+ Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity diffie-hellman-group-exchange-sha256 {
+ base key-exchange-alg-base;
+ description
+ "DIFFIE-HELLMAN-GROUP-EXCHANGE-SHA256";
+ reference
+ "RFC 4419:
+ Diffie-Hellman Group Exchange for the
+ Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity diffie-hellman-group1-sha1 {
+ base key-exchange-alg-base;
+ description
+ "DIFFIE-HELLMAN-GROUP1-SHA1";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity diffie-hellman-group14-sha1 {
+ base key-exchange-alg-base;
+ description
+ "DIFFIE-HELLMAN-GROUP14-SHA1";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity diffie-hellman-group14-sha256 {
+ base key-exchange-alg-base;
+ description
+ "DIFFIE-HELLMAN-GROUP14-SHA256";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+
+ identity diffie-hellman-group15-sha512 {
+ base key-exchange-alg-base;
+ description
+ "DIFFIE-HELLMAN-GROUP15-SHA512";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+
+ identity diffie-hellman-group16-sha512 {
+ base key-exchange-alg-base;
+ description
+ "DIFFIE-HELLMAN-GROUP16-SHA512";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+
+ identity diffie-hellman-group17-sha512 {
+ base key-exchange-alg-base;
+ description
+ "DIFFIE-HELLMAN-GROUP17-SHA512";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+
+ identity diffie-hellman-group18-sha512 {
+ base key-exchange-alg-base;
+ description
+ "DIFFIE-HELLMAN-GROUP18-SHA512";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+
+ identity ecdh-sha2-nistp256 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-NISTP256 (secp256r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-nistp384 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-NISTP384 (secp384r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-nistp521 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-NISTP521 (secp521r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ description
+ "ECDH-SHA2-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecmqv-sha2 {
+ base key-exchange-alg-base;
+ description
+ "ECMQV-SHA2";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity gss-group1-sha1-nistp256 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-nistp384 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-nistp521 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-curve25519-sha256 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group1-sha1-curve448-sha512 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP1-SHA1-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-nistp256 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-nistp384 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-nistp521 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+ identity gss-group14-sha1-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-curve25519-sha256 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha1-curve448-sha512 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GROUP14-SHA1-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-nistp256 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-nistp384 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-nistp521 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-curve25519-sha256 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-gex-sha1-curve448-sha512 {
+ base key-exchange-alg-base;
+ status deprecated;
+ description
+ "GSS-GEX-SHA1-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity rsa1024-sha1 {
+ base key-exchange-alg-base;
+ status obsolete;
+ description
+ "RSA1024-SHA1";
+ reference
+ "RFC 4432:
+ RSA Key Exchange for the Secure Shell (SSH)
+ Transport Layer Protocol";
+ }
+
+ identity rsa2048-sha256 {
+ base key-exchange-alg-base;
+ description
+ "RSA2048-SHA256";
+ reference
+ "RFC 4432:
+ RSA Key Exchange for the Secure Shell (SSH)
+ Transport Layer Protocol";
+ }
+
+ identity ext-info-s {
+ base key-exchange-alg-base;
+ description
+ "EXT-INFO-S";
+ reference
+ "RFC 8308:
+ Extension Negotiation in the Secure Shell (SSH) Protocol";
+ }
+
+ identity ext-info-c {
+ base key-exchange-alg-base;
+ description
+ "EXT-INFO-C";
+ reference
+ "RFC 8308:
+ Extension Negotiation in the Secure Shell (SSH) Protocol";
+ }
+
+ identity gss-group14-sha256-nistp256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-nistp384 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-nistp521 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-curve25519-sha256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group14-sha256-curve448-sha512 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP14-SHA256-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-nistp256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-nistp384 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-nistp521 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-curve25519-sha256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group15-sha512-curve448-sha512 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP15-SHA512-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-nistp256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-nistp384 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-nistp521 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-curve25519-sha256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group16-sha512-curve448-sha512 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP16-SHA512-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-nistp256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-nistp384 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-nistp521 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-curve25519-sha256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group17-sha512-curve448-sha512 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP17-SHA512-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-nistp256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-nistp384 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-nistp521 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-curve25519-sha256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-group18-sha512-curve448-sha512 {
+ base key-exchange-alg-base;
+ description
+ "GSS-GROUP18-SHA512-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-nistp256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-nistp384 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-nistp521 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-curve25519-sha256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp256-sha256-curve448-sha512 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP256-SHA256-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-nistp256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-nistp384 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-nistp521 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-curve25519-sha256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp384-sha384-curve448-sha512 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP384-SHA384-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-nistp256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-nistp384 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-nistp521 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-curve25519-sha256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-nistp521-sha512-curve448-sha512 {
+ base key-exchange-alg-base;
+ description
+ "GSS-NISTP521-SHA512-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-nistp256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-nistp384 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-nistp521 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-1.2.840.10045.3.1.1 (nistp192,
+ secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+ identity gss-curve25519-sha256-curve25519-sha256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve25519-sha256-curve448-sha512 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE25519-SHA256-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-nistp256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-NISTP256 (secp256r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-nistp384 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-NISTP384 (secp384r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-nistp521 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-NISTP521 (secp521r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-1.3.132.0.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-1.2.840.10045.3.1.1 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-1.3.132.0.33 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-1.3.132.0.26 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-1.3.132.0.27 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-1.3.132.0.16 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-1.3.132.0.36 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-1.3.132.0.37 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-1.3.132.0.38 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-curve25519-sha256 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-CURVE25519-SHA256";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity gss-curve448-sha512-curve448-sha512 {
+ base key-exchange-alg-base;
+ description
+ "GSS-CURVE448-SHA512-CURVE448-SHA512";
+ reference
+ "RFC 8732:
+ Generic Security Service Application Program Interface
+ (GSS-API) Key Exchange with SHA-2";
+ }
+
+ identity curve25519-sha256 {
+ base key-exchange-alg-base;
+ description
+ "CURVE25519-SHA256";
+ reference
+ "RFC 8731:
+ Secure Shell (SSH) Key Exchange Method
+ Using Curve25519 and Curve448";
+ }
+
+ identity curve448-sha512 {
+ base key-exchange-alg-base;
+ description
+ "CURVE448-SHA512";
+ reference
+ "RFC 8731:
+ Secure Shell (SSH) Key Exchange Method
+ Using Curve25519 and Curve448";
+ }
+
+ // Protocol-accessible Nodes
+
+ container supported-algorithms {
+ config false;
+ description
+ "A container for a list of key exchange algorithms
+ supported by the server.";
+ leaf-list supported-algorithm {
+ type key-exchange-algorithm-ref;
+ description
+ "A key exchange algorithm supported by the server.";
+ }
+ }
+
+}
diff --git a/modules/iana-ssh-mac-algs@2022-06-16.yang b/modules/iana-ssh-mac-algs@2022-06-16.yang
new file mode 100644
index 0000000..c257400
--- /dev/null
+++ b/modules/iana-ssh-mac-algs@2022-06-16.yang
@@ -0,0 +1,167 @@
+module iana-ssh-mac-algs {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs";
+ prefix sshma;
+
+ organization
+ "Internet Assigned Numbers Authority (IANA)";
+
+ contact
+ "Postal: ICANN
+ 12025 Waterfront Drive, Suite 300
+ Los Angeles, CA 90094-2536
+ United States of America
+ Tel: +1 310 301 5800
+ Email: iana@iana.org";
+
+ description
+ "This module defines identities for the MAC algorithms
+ defined in the 'MAC Algorithm Names' sub-registry of the
+ 'Secure Shell (SSH) Protocol Parameters' registry maintained
+ by IANA.
+
+ Copyright (c) 2022 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ The initial version of this YANG module is part of RFC EEEE
+ (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
+ itself for full legal notices.";
+
+ revision 2022-06-16 {
+ description
+ "Updated to reflect contents of the MAC algorithms
+ registry on June 16, 2022.";
+ }
+
+ revision 2021-06-01 {
+ description
+ "Initial version";
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ // Typedefs
+
+ typedef mac-algorithm-ref {
+ type identityref {
+ base "mac-alg-base";
+ }
+ description
+ "A reference to a SSH mac algorithm identifier.";
+ }
+
+ // Identities
+
+ identity mac-alg-base {
+ description
+ "Base identity used to identify message authentication
+ code (MAC) algorithms.";
+ }
+
+ identity hmac-sha1 {
+ base mac-alg-base;
+ description
+ "HMAC-SHA1";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity hmac-sha1-96 {
+ base mac-alg-base;
+ description
+ "HMAC-SHA1-96";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity hmac-md5 {
+ base mac-alg-base;
+ description
+ "HMAC-MD5";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity hmac-md5-96 {
+ base mac-alg-base;
+ description
+ "HMAC-MD5-96";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity none {
+ base mac-alg-base;
+ description
+ "NONE";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity aead-aes-128-gcm {
+ base mac-alg-base;
+ description
+ "AEAD_AES_128_GCM";
+ reference
+ "RFC 5647:
+ AES Galois Counter Mode for the
+ Secure Shell Transport Layer Protocol";
+ }
+
+ identity aead-aes-256-gcm {
+ base mac-alg-base;
+ description
+ "AEAD_AES_256_GCM";
+ reference
+ "RFC 5647:
+ AES Galois Counter Mode for the
+ Secure Shell Transport Layer Protocol";
+ }
+
+ identity hmac-sha2-256 {
+ base mac-alg-base;
+ description
+ "HMAC-SHA2-256";
+ reference
+ "RFC 6668:
+ SHA-2 Data Integrity Verification for the
+ Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity hmac-sha2-512 {
+ base mac-alg-base;
+ description
+ "HMAC-SHA2-512";
+ reference
+ "RFC 6668:
+ SHA-2 Data Integrity Verification for the
+ Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ // Protocol-accessible Nodes
+
+ container supported-algorithms {
+ config false;
+ description
+ "A container for a list of MAC algorithms
+ supported by the server.";
+ leaf-list supported-algorithm {
+ type mac-algorithm-ref;
+ description
+ "A MAC algorithm supported by the server.";
+ }
+ }
+
+}
diff --git a/modules/iana-ssh-public-key-algs@2022-06-16.yang b/modules/iana-ssh-public-key-algs@2022-06-16.yang
new file mode 100644
index 0000000..647a7ed
--- /dev/null
+++ b/modules/iana-ssh-public-key-algs@2022-06-16.yang
@@ -0,0 +1,441 @@
+module iana-ssh-public-key-algs {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs";
+ prefix sshpka;
+
+ organization
+ "Internet Assigned Numbers Authority (IANA)";
+
+ contact
+ "Postal: ICANN
+ 12025 Waterfront Drive, Suite 300
+ Los Angeles, CA 90094-2536
+ United States of America
+ Tel: +1 310 301 5800
+ Email: iana@iana.org";
+
+ description
+ "This module defines identities for the public key algorithms
+ defined in the 'Public Key Algorithm Names' sub-registry of the
+ 'Secure Shell (SSH) Protocol Parameters' registry maintained
+ by IANA.
+
+ Copyright (c) 2022 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ The initial version of this YANG module is part of RFC EEEE
+ (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
+ itself for full legal notices.";
+
+ revision 2022-06-16 {
+ description
+ "Updated to reflect contents of the public key algorithms
+ registry on June 16, 2022.";
+ }
+
+ revision 2021-06-01 {
+ description
+ "Initial version";
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ // Typedefs
+
+ typedef public-key-algorithm-ref {
+ type identityref {
+ base "public-key-alg-base";
+ }
+ description
+ "A reference to a SSH public key algorithm identifier.";
+ }
+
+ // Identities
+
+ identity public-key-alg-base {
+ description
+ "Base identity used to identify public key algorithms.";
+ }
+
+ identity ssh-dss {
+ base public-key-alg-base;
+ description
+ "SSH-DSS";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity ssh-rsa {
+ base public-key-alg-base;
+ description
+ "SSH-RSA";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity rsa-sha2-256 {
+ base public-key-alg-base;
+ description
+ "RSA-SHA2-256";
+ reference
+ "RFC 8332:
+ Use of RSA Keys with SHA-256 and SHA-512
+ in the Secure Shell (SSH) Protocol";
+ }
+
+ identity rsa-sha2-512 {
+ base public-key-alg-base;
+ description
+ "RSA-SHA2-512";
+ reference
+ "RFC 8332:
+ Use of RSA Keys with SHA-256 and SHA-512
+ in the Secure Shell (SSH) Protocol";
+ }
+
+ identity spki-sign-rsa {
+ base public-key-alg-base;
+ description
+ "SPKI-SIGN-RSA";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity spki-sign-dss {
+ base public-key-alg-base;
+ description
+ "SPKI-SIGN-DSS";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity pgp-sign-rsa {
+ base public-key-alg-base;
+ description
+ "PGP-SIGN-RSA";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity pgp-sign-dss {
+ base public-key-alg-base;
+ description
+ "PGP-SIGN-DSS";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity null {
+ base public-key-alg-base;
+ description
+ "NULL";
+ reference
+ "RFC 4462:
+ Generic Security Service Application Program Interface
+ (GSS-API) Authentication and Key Exchange for the
+ Secure Shell (SSH) Protocol";
+ }
+
+ identity ecdsa-sha2-nistp256 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-NISTP256 (secp256r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-nistp384 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-NISTP384 (secp384r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-nistp521 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-NISTP521 (secp521r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-1.3.132.0.1 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-1.2.840.10045.3.1.1 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-1.3.132.0.33 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-1.3.132.0.26 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-1.3.132.0.27 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-1.3.132.0.16 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-1.3.132.0.36 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-1.3.132.0.37 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-1.3.132.0.38 {
+ base public-key-alg-base;
+ description
+ "ECDSA-SHA2-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity x509v3-ssh-dss {
+ base public-key-alg-base;
+ description
+ "X509V3-SSH-DSS";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ssh-rsa {
+ base public-key-alg-base;
+ description
+ "X509V3-SSH-RSA";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-rsa2048-sha256 {
+ base public-key-alg-base;
+ description
+ "X509V3-RSA2048-SHA256";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-nistp256 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-NISTP256 (secp256r1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-nistp384 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-NISTP384 (secp384r1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-nistp521 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-NISTP521 (secp521r1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-1.3.132.0.1 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-1.3.132.0.1 (nistk163, sect163k1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-1.2.840.10045.3.1.1 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-1.3.132.0.33 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-1.3.132.0.33 (nistp224, secp224r1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-1.3.132.0.26 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-1.3.132.0.26 (nistk233, sect233k1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-1.3.132.0.27 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-1.3.132.0.27 (nistb233, sect233r1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-1.3.132.0.16 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-1.3.132.0.16 (nistk283, sect283k1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-1.3.132.0.36 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-1.3.132.0.36 (nistk409, sect409k1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-1.3.132.0.37 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-1.3.132.0.37 (nistb409, sect409r1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-1.3.132.0.38 {
+ base public-key-alg-base;
+ description
+ "X509V3-ECDSA-SHA2-1.3.132.0.38 (nistt571, sect571k1)";
+ reference
+ "RFC 6187:
+ X.509v3 Certificates for Secure Shell Authentication";
+ }
+
+ identity ssh-ed25519 {
+ base public-key-alg-base;
+ description
+ "SSH-ED25519";
+ reference
+ "RFC 8709:
+ Ed25519 and Ed448 Public Key Algorithms for the
+ Secure Shell (SSH) Protocol";
+ }
+
+ identity ssh-ed448 {
+ base public-key-alg-base;
+ description
+ "SSH-ED448";
+ reference
+ "RFC 8709:
+ Ed25519 and Ed448 Public Key Algorithms for the
+ Secure Shell (SSH) Protocol";
+ }
+
+ // Protocol-accessible Nodes
+
+ container supported-algorithms {
+ config false;
+ description
+ "A container for a list of public key algorithms
+ supported by the server.";
+ leaf-list supported-algorithm {
+ type public-key-algorithm-ref;
+ description
+ "A public key algorithm supported by the server.";
+ }
+ }
+
+}
diff --git a/modules/iana-tls-cipher-suite-algs@2022-06-16.yang b/modules/iana-tls-cipher-suite-algs@2022-06-16.yang
new file mode 100644
index 0000000..78d310d
--- /dev/null
+++ b/modules/iana-tls-cipher-suite-algs@2022-06-16.yang
@@ -0,0 +1,3778 @@
+module iana-tls-cipher-suite-algs {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:iana-tls-cipher-suite-algs";
+ prefix tlscsa;
+
+ organization
+ "Internet Assigned Numbers Authority (IANA)";
+
+ contact
+ "Postal: ICANN
+ 12025 Waterfront Drive, Suite 300
+ Los Angeles, CA 90094-2536
+ United States of America
+ Tel: +1 310 301 5800
+ Email: iana@iana.org";
+
+ description
+ "This module defines identities for the Cipher Suite
+ algorithms defined in the 'TLS Cipher Suites' sub-registry
+ of the 'Transport Layer Security (TLS) Parameters' registry
+ maintained by IANA.
+
+ Copyright (c) 2022 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ The initial version of this YANG module is part of RFC FFFF
+ (https://www.rfc-editor.org/info/rfcFFFF); see the RFC
+ itself for full legal notices.";
+
+ revision 2022-06-16 {
+ description
+ "Updated to reflect contents of the public key algorithms
+ registry on June 16, 2022.";
+ }
+
+ revision 2021-06-02 {
+ description
+ "Initial version";
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ // Typedefs
+
+ typedef cipher-suite-algorithm-ref {
+ type identityref {
+ base "cipher-suite-alg-base";
+ }
+ description
+ "A reference to a TLS cipher suite algorithm identifier.";
+ }
+ // Identities
+
+ identity cipher-suite-alg-base {
+ description
+ "Base identity used to identify TLS cipher suites.";
+ }
+
+ identity tls-null-with-null-null {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-NULL-WITH-NULL-NULL";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-rsa-with-null-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-NULL-MD5";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-rsa-with-null-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-NULL-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-rsa-export-with-rc4-40-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-EXPORT-WITH-RC4-40-MD5";
+ reference
+ "RFC 4346:
+ The TLS Protocol Version 1.1
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+ identity tls-rsa-with-rc4-128-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-RC4-128-MD5";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-rsa-with-rc4-128-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-RC4-128-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-rsa-export-with-rc2-cbc-40-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5";
+ reference
+ "RFC 4346:
+ The TLS Protocol Version 1.1";
+ }
+
+ identity tls-rsa-with-idea-cbc-sha {
+ base cipher-suite-alg-base;
+ status obsolete;
+ description
+ "TLS-RSA-WITH-IDEA-CBC-SHA";
+ reference
+ "RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)
+ RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-export-with-des40-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA";
+ reference
+ "RFC 4346:
+ The TLS Protocol Version 1.1";
+ }
+
+ identity tls-rsa-with-des-cbc-sha {
+ base cipher-suite-alg-base;
+ status obsolete;
+ description
+ "TLS-RSA-WITH-DES-CBC-SHA";
+ reference
+ "RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)
+ RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-dss-export-with-des40-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA";
+ reference
+ "RFC 4346:
+ The TLS Protocol Version 1.1";
+ }
+
+ identity tls-dh-dss-with-des-cbc-sha {
+ base cipher-suite-alg-base;
+ status obsolete;
+ description
+ "TLS-DH-DSS-WITH-DES-CBC-SHA";
+ reference
+ "RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)
+ RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-dss-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-rsa-export-with-des40-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA";
+ reference
+ "RFC 4346:
+ The TLS Protocol Version 1.1";
+ }
+
+ identity tls-dh-rsa-with-des-cbc-sha {
+ base cipher-suite-alg-base;
+ status obsolete;
+ description
+ "TLS-DH-RSA-WITH-DES-CBC-SHA";
+ reference
+ "RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)
+ RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-rsa-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dhe-dss-export-with-des40-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-EXPORT-WITH-DES40-CBC-SHA";
+ reference
+ "RFC 4346:
+ The TLS Protocol Version 1.1";
+ }
+
+ identity tls-dhe-dss-with-des-cbc-sha {
+ base cipher-suite-alg-base;
+ status obsolete;
+ description
+ "TLS-DHE-DSS-WITH-DES-CBC-SHA";
+ reference
+ "RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)
+ RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-dss-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dhe-rsa-export-with-des40-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-EXPORT-WITH-DES40-CBC-SHA";
+ reference
+ "RFC 4346:
+ The TLS Protocol Version 1.1";
+ }
+
+ identity tls-dhe-rsa-with-des-cbc-sha {
+ base cipher-suite-alg-base;
+ status obsolete;
+ description
+ "TLS-DHE-RSA-WITH-DES-CBC-SHA";
+ reference
+ "RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)
+ RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-rsa-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-anon-export-with-rc4-40-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-EXPORT-WITH-RC4-40-MD5";
+ reference
+ "RFC 4346:
+ The TLS Protocol Version 1.1
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-dh-anon-with-rc4-128-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-RC4-128-MD5";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-dh-anon-export-with-des40-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-EXPORT-WITH-DES40-CBC-SHA";
+ reference
+ "RFC 4346:
+ The TLS Protocol Version 1.1";
+ }
+
+ identity tls-dh-anon-with-des-cbc-sha {
+ base cipher-suite-alg-base;
+ status obsolete;
+ description
+ "TLS-DH-ANON-WITH-DES-CBC-SHA";
+ reference
+ "RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)
+ RFC 5469:
+ DES and IDEA Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-anon-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-krb5-with-des-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-WITH-DES-CBC-SHA";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-krb5-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-krb5-with-rc4-128-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-WITH-RC4-128-SHA";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-krb5-with-idea-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-WITH-IDEA-CBC-SHA";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-krb5-with-des-cbc-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-WITH-DES-CBC-MD5";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-krb5-with-3des-ede-cbc-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-WITH-3DES-EDE-CBC-MD5";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-krb5-with-rc4-128-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-WITH-RC4-128-MD5";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-krb5-with-idea-cbc-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-WITH-IDEA-CBC-MD5";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-krb5-export-with-des-cbc-40-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-EXPORT-WITH-DES-CBC-40-SHA";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-krb5-export-with-rc2-cbc-40-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-EXPORT-WITH-RC2-CBC-40-SHA";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-krb5-export-with-rc4-40-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-EXPORT-WITH-RC4-40-SHA";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-krb5-export-with-des-cbc-40-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-EXPORT-WITH-DES-CBC-40-MD5";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-krb5-export-with-rc2-cbc-40-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-EXPORT-WITH-RC2-CBC-40-MD5";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-krb5-export-with-rc4-40-md5 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-KRB5-EXPORT-WITH-RC4-40-MD5";
+ reference
+ "RFC 2712:
+ Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS)
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-psk-with-null-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-NULL-SHA";
+ reference
+ "RFC 4785:
+ Pre-Shared Key Cipher Suites with NULL Encryption for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-null-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-NULL-SHA";
+ reference
+ "RFC 4785:
+ Pre-Shared Key Cipher Suites with NULL Encryption for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-null-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-NULL-SHA";
+ reference
+ "RFC 4785:
+ Pre-Shared Key Cipher Suites with NULL Encryption for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+ identity tls-dh-dss-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-rsa-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dhe-dss-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dhe-rsa-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-anon-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-rsa-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-dss-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-rsa-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dhe-dss-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dhe-rsa-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-anon-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-rsa-with-null-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-NULL-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-rsa-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-rsa-with-aes-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-AES-256-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-dss-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-rsa-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dhe-dss-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-rsa-with-camellia-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-dss-with-camellia-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-CAMELLIA-128-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-rsa-with-camellia-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-CAMELLIA-128-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-dss-with-camellia-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-rsa-with-camellia-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-anon-with-camellia-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-CAMELLIA-128-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-rsa-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-dss-with-aes-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-AES-256-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-rsa-with-aes-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-AES-256-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dhe-dss-with-aes-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dhe-rsa-with-aes-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-anon-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-dh-anon-with-aes-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-AES-256-CBC-SHA256";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2";
+ }
+
+ identity tls-rsa-with-camellia-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-dss-with-camellia-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-CAMELLIA-256-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-rsa-with-camellia-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-CAMELLIA-256-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-dss-with-camellia-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-rsa-with-camellia-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-anon-with-camellia-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-CAMELLIA-256-CBC-SHA";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-psk-with-rc4-128-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-RC4-128-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-psk-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-psk-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-psk-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-rc4-128-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-RC4-128-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-dhe-psk-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-rc4-128-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-RC4-128-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-rsa-psk-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-with-seed-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-SEED-CBC-SHA";
+ reference
+ "RFC 4162:
+ Addition of SEED Ciphersuites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-dss-with-seed-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-SEED-CBC-SHA";
+ reference
+ "RFC 4162:
+ Addition of SEED Ciphersuites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-rsa-with-seed-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-SEED-CBC-SHA";
+ reference
+ "RFC 4162:
+ Addition of SEED Ciphersuites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-dss-with-seed-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-SEED-CBC-SHA";
+ reference
+ "RFC 4162:
+ Addition of SEED Ciphersuites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-rsa-with-seed-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-SEED-CBC-SHA";
+ reference
+ "RFC 4162:
+ Addition of SEED Ciphersuites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-anon-with-seed-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-SEED-CBC-SHA";
+ reference
+ "RFC 4162:
+ Addition of SEED Ciphersuites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-rsa-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-rsa-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-rsa-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-dh-rsa-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-dh-rsa-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-dss-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-dss-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-dh-dss-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-dh-dss-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-dh-anon-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-dh-anon-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5288:
+ AES-GCM Cipher Suites for TLS";
+ }
+
+ identity tls-psk-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-psk-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-dhe-psk-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-dhe-psk-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-rsa-psk-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-rsa-psk-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-psk-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-psk-with-aes-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-AES-256-CBC-SHA384";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-psk-with-null-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-NULL-SHA256";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-psk-with-null-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-NULL-SHA384";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-dhe-psk-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-dhe-psk-with-aes-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-dhe-psk-with-null-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-NULL-SHA256";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-dhe-psk-with-null-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-NULL-SHA384";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-rsa-psk-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-rsa-psk-with-aes-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-rsa-psk-with-null-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-NULL-SHA256";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-rsa-psk-with-null-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-NULL-SHA384";
+ reference
+ "RFC 5487:
+ Pre-Shared Key Cipher Suites for Transport Layer Security
+ (TLS) with SHA-256/384 and AES Galois Counter Mode";
+ }
+
+ identity tls-rsa-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-dss-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-rsa-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-dss-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-rsa-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-anon-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-rsa-with-camellia-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-dss-with-camellia-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-CAMELLIA-256-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-rsa-with-camellia-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-CAMELLIA-256-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-dss-with-camellia-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-rsa-with-camellia-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-dh-anon-with-camellia-256-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-CAMELLIA-256-CBC-SHA256";
+ reference
+ "RFC 5932:
+ Camellia Cipher Suites for TLS";
+ }
+
+ identity tls-sm4-gcm-sm3 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SM4-GCM-SM3";
+ reference
+ "RFC 8998:
+ ShangMi (SM) Cipher Suites for Transport Layer Security
+ (TLS) Protocol Version 1.3";
+ }
+ identity tls-sm4-ccm-sm3 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SM4-CCM-SM3";
+ reference
+ "RFC 8998:
+ ShangMi (SM) Cipher Suites for Transport Layer Security
+ (TLS) Protocol Version 1.3";
+ }
+
+ identity tls-empty-renegotiation-info-scsv {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-EMPTY-RENEGOTIATION-INFO-SCSV";
+ reference
+ "RFC 5746:
+ Transport Layer Security (TLS)
+ Renegotiation Indication Extension";
+ }
+
+ identity tls-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-AES-128-GCM-SHA256";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity tls-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-AES-256-GCM-SHA384";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity tls-chacha20-poly1305-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-CHACHA20-POLY1305-SHA256";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+ identity tls-aes-128-ccm-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-AES-128-CCM-SHA256";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity tls-aes-128-ccm-8-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-AES-128-CCM-8-SHA256";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity tls-fallback-scsv {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-FALLBACK-SCSV";
+ reference
+ "RFC 7507:
+ TLS Fallback Signaling Cipher Suite Value (SCSV)
+ for Preventing Protocol Downgrade Attacks";
+ }
+
+ identity tls-ecdh-ecdsa-with-null-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-NULL-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdh-ecdsa-with-rc4-128-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-RC4-128-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-ecdh-ecdsa-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdh-ecdsa-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdh-ecdsa-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdhe-ecdsa-with-null-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-NULL-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdhe-ecdsa-with-rc4-128-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-ecdhe-ecdsa-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdh-rsa-with-null-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-NULL-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdh-rsa-with-rc4-128-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-RC4-128-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-ecdh-rsa-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdh-rsa-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdh-rsa-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdhe-rsa-with-null-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-NULL-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdhe-rsa-with-rc4-128-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-RC4-128-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-ecdhe-rsa-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdhe-rsa-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdhe-rsa-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdh-anon-with-null-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ANON-WITH-NULL-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdh-anon-with-rc4-128-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ANON-WITH-RC4-128-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-ecdh-anon-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ANON-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdh-anon-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ANON-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-ecdh-anon-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ANON-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity tls-srp-sha-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SRP-SHA-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 5054:
+ Using SRP for TLS Authentication";
+ }
+
+ identity tls-srp-sha-rsa-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 5054:
+ Using SRP for TLS Authentication";
+ }
+
+ identity tls-srp-sha-dss-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 5054:
+ Using SRP for TLS Authentication";
+ }
+
+ identity tls-srp-sha-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SRP-SHA-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 5054:
+ Using SRP for TLS Authentication";
+ }
+
+ identity tls-srp-sha-rsa-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 5054:
+ Using SRP for TLS Authentication";
+ }
+
+ identity tls-srp-sha-dss-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 5054:
+ Using SRP for TLS Authentication";
+ }
+
+ identity tls-srp-sha-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SRP-SHA-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 5054:
+ Using SRP for TLS Authentication";
+ }
+ identity tls-srp-sha-rsa-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 5054:
+ Using SRP for TLS Authentication";
+ }
+
+ identity tls-srp-sha-dss-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 5054:
+ Using SRP for TLS Authentication";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aes-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdh-ecdsa-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdh-ecdsa-with-aes-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdhe-rsa-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdhe-rsa-with-aes-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdh-rsa-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+ identity tls-ecdh-rsa-with-aes-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdh-ecdsa-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdh-ecdsa-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdhe-rsa-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdhe-rsa-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdh-rsa-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdh-rsa-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 5289:
+ TLS Elliptic Curve Cipher Suites with SHA-256/384
+ and AES Galois Counter Mode";
+ }
+
+ identity tls-ecdhe-psk-with-rc4-128-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-RC4-128-SHA";
+ reference
+ "RFC 5489:
+ ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)
+ RFC 6347:
+ Datagram Transport Layer Security version 1.2";
+ }
+
+ identity tls-ecdhe-psk-with-3des-ede-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA";
+ reference
+ "RFC 5489:
+ ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-aes-128-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA";
+ reference
+ "RFC 5489:
+ ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-aes-256-cbc-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA";
+ reference
+ "RFC 5489:
+ ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-aes-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256";
+ reference
+ "RFC 5489:
+ ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-aes-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384";
+ reference
+ "RFC 5489:
+ ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-null-sha {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-NULL-SHA";
+ reference
+ "RFC 5489:
+ ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-null-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-NULL-SHA256";
+ reference
+ "RFC 5489:
+ ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-null-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-NULL-SHA384";
+ reference
+ "RFC 5489:
+ ECDHE_PSK Ciphersuites for Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-dss-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-dss-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-rsa-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-rsa-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-dss-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-dss-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-rsa-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-rsa-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-anon-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-anon-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-ecdsa-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-ecdsa-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-rsa-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-rsa-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+ identity tls-ecdh-rsa-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-rsa-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-rsa-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-rsa-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-rsa-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-rsa-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-dss-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-dss-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-dss-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-dss-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-anon-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-anon-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-ecdsa-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-ecdsa-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-rsa-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-rsa-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-rsa-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-rsa-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-psk-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-psk-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-psk-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-psk-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-aria-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-aria-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-aria-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+ identity tls-ecdhe-psk-with-aria-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384";
+ reference
+ "RFC 6209:
+ Addition of the ARIA Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-ecdsa-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-ecdsa-with-camellia-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-ecdsa-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-ecdsa-with-camellia-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-rsa-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-rsa-with-camellia-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-rsa-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-rsa-with-camellia-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-rsa-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-rsa-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-rsa-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-rsa-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-RSA-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-dss-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-dss-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-DSS-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-dss-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-dss-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-DSS-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-anon-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dh-anon-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DH-ANON-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-ecdsa-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-ecdsa-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-ecdsa-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-ecdsa-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-rsa-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-rsa-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-rsa-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdh-rsa-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-psk-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-psk-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-camellia-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-camellia-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+ identity tls-psk-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-psk-with-camellia-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-camellia-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-camellia-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-camellia-128-cbc-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-camellia-256-cbc-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384";
+ reference
+ "RFC 6367:
+ Addition of the Camellia Cipher Suites to
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-with-aes-128-ccm {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-AES-128-CCM";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-rsa-with-aes-256-ccm {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-AES-256-CCM";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-rsa-with-aes-128-ccm {
+ base cipher-suite-alg-base;
+ description
+ "TLS-DHE-RSA-WITH-AES-128-CCM";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-rsa-with-aes-256-ccm {
+ base cipher-suite-alg-base;
+ description
+ "TLS-DHE-RSA-WITH-AES-256-CCM";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-rsa-with-aes-128-ccm-8 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-AES-128-CCM-8";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-rsa-with-aes-256-ccm-8 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-WITH-AES-256-CCM-8";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-rsa-with-aes-128-ccm-8 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-AES-128-CCM-8";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-rsa-with-aes-256-ccm-8 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-DHE-RSA-WITH-AES-256-CCM-8";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-psk-with-aes-128-ccm {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-AES-128-CCM";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-psk-with-aes-256-ccm {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-AES-256-CCM";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-psk-with-aes-128-ccm {
+ base cipher-suite-alg-base;
+ description
+ "TLS-DHE-PSK-WITH-AES-128-CCM";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-dhe-psk-with-aes-256-ccm {
+ base cipher-suite-alg-base;
+ description
+ "TLS-DHE-PSK-WITH-AES-256-CCM";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-psk-with-aes-128-ccm-8 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-AES-128-CCM-8";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-psk-with-aes-256-ccm-8 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-AES-256-CCM-8";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-psk-dhe-with-aes-128-ccm-8 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-DHE-WITH-AES-128-CCM-8";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-psk-dhe-with-aes-256-ccm-8 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-DHE-WITH-AES-256-CCM-8";
+ reference
+ "RFC 6655:
+ AES-CCM Cipher Suites for TLS";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aes-128-ccm {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-AES-128-CCM";
+ reference
+ "RFC 7251:
+ AES-CCM ECC Cipher Suites for TLS";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aes-256-ccm {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-AES-256-CCM";
+ reference
+ "RFC 7251:
+ AES-CCM ECC Cipher Suites for TLS";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aes-128-ccm-8 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8";
+ reference
+ "RFC 7251:
+ AES-CCM ECC Cipher Suites for TLS";
+ }
+
+ identity tls-ecdhe-ecdsa-with-aes-256-ccm-8 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8";
+ reference
+ "RFC 7251:
+ AES-CCM ECC Cipher Suites for TLS";
+ }
+
+ identity tls-eccpwd-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECCPWD-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 8492:
+ Secure Password Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-eccpwd-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECCPWD-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 8492:
+ Secure Password Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-eccpwd-with-aes-128-ccm-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECCPWD-WITH-AES-128-CCM-SHA256";
+ reference
+ "RFC 8492:
+ Secure Password Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-eccpwd-with-aes-256-ccm-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECCPWD-WITH-AES-256-CCM-SHA384";
+ reference
+ "RFC 8492:
+ Secure Password Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-sha256-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SHA256-SHA256";
+ reference
+ "RFC 9150:
+ TLS 1.3 Authentication and Integrity-Only Cipher Suites";
+ }
+
+ identity tls-sha384-sha384 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-SHA384-SHA384";
+ reference
+ "RFC 9150:
+ TLS 1.3 Authentication and Integrity-Only Cipher Suites";
+ }
+
+ identity tls-gostr341112-256-with-kuznyechik-ctr-omac {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-GOSTR341112-256-WITH-KUZNYECHIK-CTR-OMAC";
+ reference
+ "RFC 9189:
+ GOST Cipher Suites for Transport Layer Security (TLS)
+ Protocol Version 1.2";
+ }
+
+ identity tls-gostr341112-256-with-magma-ctr-omac {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-GOSTR341112-256-WITH-MAGMA-CTR-OMAC";
+ reference
+ "RFC 9189:
+ GOST Cipher Suites for Transport Layer Security (TLS)
+ Protocol Version 1.2";
+ }
+
+ identity tls-gostr341112-256-with-28147-cnt-imit {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-GOSTR341112-256-WITH-28147-CNT-IMIT";
+ reference
+ "RFC 9189:
+ GOST Cipher Suites for Transport Layer Security (TLS)
+ Protocol Version 1.2";
+ }
+
+ identity tls-ecdhe-rsa-with-chacha20-poly1305-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256";
+ reference
+ "RFC 7905:
+ ChaCha20-Poly1305 Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-ecdsa-with-chacha20-poly1305-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256";
+ reference
+ "RFC 7905:
+ ChaCha20-Poly1305 Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-rsa-with-chacha20-poly1305-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256";
+ reference
+ "RFC 7905:
+ ChaCha20-Poly1305 Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-psk-with-chacha20-poly1305-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-PSK-WITH-CHACHA20-POLY1305-SHA256";
+ reference
+ "RFC 7905:
+ ChaCha20-Poly1305 Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-chacha20-poly1305-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256";
+ reference
+ "RFC 7905:
+ ChaCha20-Poly1305 Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-dhe-psk-with-chacha20-poly1305-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256";
+ reference
+ "RFC 7905:
+ ChaCha20-Poly1305 Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-rsa-psk-with-chacha20-poly1305-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256";
+ reference
+ "RFC 7905:
+ ChaCha20-Poly1305 Cipher Suites for
+ Transport Layer Security (TLS)";
+ }
+
+ identity tls-ecdhe-psk-with-aes-128-gcm-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-ECDHE-PSK-WITH-AES-128-GCM-SHA256";
+ reference
+ "RFC 8442:
+ ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites";
+ }
+
+ identity tls-ecdhe-psk-with-aes-256-gcm-sha384 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-ECDHE-PSK-WITH-AES-256-GCM-SHA384";
+ reference
+ "RFC 8442:
+ ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites";
+ }
+
+ identity tls-ecdhe-psk-with-aes-128-ccm-8-sha256 {
+ base cipher-suite-alg-base;
+ status deprecated;
+ description
+ "TLS-ECDHE-PSK-WITH-AES-128-CCM-8-SHA256";
+ reference
+ "RFC 8442:
+ ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites";
+ }
+ identity tls-ecdhe-psk-with-aes-128-ccm-sha256 {
+ base cipher-suite-alg-base;
+ description
+ "TLS-ECDHE-PSK-WITH-AES-128-CCM-SHA256";
+ reference
+ "RFC 8442:
+ ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites";
+ }
+
+ // Protocol-accessible Nodes
+
+ container supported-algorithms {
+ config false;
+ description
+ "A container for a list of cipher suite algorithms supported
+ by the server.";
+ leaf-list supported-algorithm {
+ type cipher-suite-algorithm-ref;
+ description
+ "A cipher suite algorithm supported by the server.";
+ }
+ }
+
+}
diff --git a/modules/ietf-crypto-types@2022-07-07.yang b/modules/ietf-crypto-types@2022-07-07.yang
new file mode 100644
index 0000000..19b658d
--- /dev/null
+++ b/modules/ietf-crypto-types@2022-07-07.yang
@@ -0,0 +1,1021 @@
+module ietf-crypto-types {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
+ prefix ct;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
+
+ description
+ "This module defines common YANG types for cryptographic
+ applications.
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC AAAA
+ (https://www.rfc-editor.org/info/rfcAAAA); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-07-07 {
+ description
+ "Initial version";
+ reference
+ "RFC AAAA: YANG Data Types and Groupings for Cryptography";
+ }
+
+ /****************/
+ /* Features */
+ /****************/
+
+ feature one-symmetric-key-format {
+ description
+ "Indicates that the server supports the
+ 'one-symmetric-key-format' identity.";
+ }
+
+ feature one-asymmetric-key-format {
+ description
+ "Indicates that the server supports the
+ 'one-asymmetric-key-format' identity.";
+ }
+
+ feature symmetrically-encrypted-value-format {
+ description
+ "Indicates that the server supports the
+ 'symmetrically-encrypted-value-format' identity.";
+ }
+
+ feature asymmetrically-encrypted-value-format {
+ description
+ "Indicates that the server supports the
+ 'asymmetrically-encrypted-value-format' identity.";
+ }
+
+ feature cms-enveloped-data-format {
+ description
+ "Indicates that the server supports the
+ 'cms-enveloped-data-format' identity.";
+ }
+
+ feature cms-encrypted-data-format {
+ description
+ "Indicates that the server supports the
+ 'cms-encrypted-data-format' identity.";
+ }
+ feature csr-generation {
+ description
+ "Indicates that the server implements the
+ 'generate-csr' action.";
+ }
+
+ feature p10-based-csrs {
+ description
+ "Indicates that the erver implements support
+ for generating P10-based CSRs, as defined
+ in RFC 2986.";
+ reference
+ "RFC 2986: PKCS #10: Certification Request Syntax
+ Specification Version 1.7";
+ }
+
+ feature certificate-expiration-notification {
+ description
+ "Indicates that the server implements the
+ 'certificate-expiration' notification.";
+ }
+
+ feature hidden-keys {
+ description
+ "Indicates that the server supports hidden keys.";
+ }
+
+ feature password-encryption {
+ description
+ "Indicates that the server supports password
+ encryption.";
+ }
+
+ feature symmetric-key-encryption {
+ description
+ "Indicates that the server supports encryption
+ of symmetric keys.";
+ }
+
+ feature private-key-encryption {
+ description
+ "Indicates that the server supports encryption
+ of private keys.";
+ }
+
+ /*************************************************/
+ /* Base Identities for Key Format Structures */
+ /*************************************************/
+ identity symmetric-key-format {
+ description
+ "Base key-format identity for symmetric keys.";
+ }
+
+ identity public-key-format {
+ description
+ "Base key-format identity for public keys.";
+ }
+
+ identity private-key-format {
+ description
+ "Base key-format identity for private keys.";
+ }
+
+ /****************************************************/
+ /* Identities for Private Key Format Structures */
+ /****************************************************/
+
+ identity rsa-private-key-format {
+ base private-key-format;
+ description
+ "Indicates that the private key value is encoded
+ as an RSAPrivateKey (from RFC 3447).";
+ reference
+ "RFC 3447: PKCS #1: RSA Cryptography
+ Specifications Version 2.2";
+ }
+
+ identity ec-private-key-format {
+ base private-key-format;
+ description
+ "Indicates that the private key value is encoded
+ as an ECPrivateKey (from RFC 5915)";
+ reference
+ "RFC 5915: Elliptic Curve Private Key Structure";
+ }
+
+ identity one-asymmetric-key-format {
+ if-feature "one-asymmetric-key-format";
+ base private-key-format;
+ description
+ "Indicates that the private key value is a CMS
+ OneAsymmetricKey structure, as defined in RFC 5958,
+ encoded using ASN.1 distinguished encoding rules
+ (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 5958: Asymmetric Key Packages
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /***************************************************/
+ /* Identities for Public Key Format Structures */
+ /***************************************************/
+
+ identity ssh-public-key-format {
+ base public-key-format;
+ description
+ "Indicates that the public key value is an SSH public key,
+ as specified by RFC 4253, Section 6.6, i.e.:
+
+ string certificate or public key format
+ identifier
+ byte[n] key/certificate data.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity subject-public-key-info-format {
+ base public-key-format;
+ description
+ "Indicates that the public key value is a SubjectPublicKeyInfo
+ structure, as described in RFC 5280 encoded using ASN.1
+ distinguished encoding rules (DER), as specified in
+ ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /******************************************************/
+ /* Identities for Symmetric Key Format Structures */
+ /******************************************************/
+
+ identity octet-string-key-format {
+ base symmetric-key-format;
+ description
+ "Indicates that the key is encoded as a raw octet string.
+ The length of the octet string MUST be appropriate for
+ the associated algorithm's block size.
+
+ How the associated algorithm is known is outside the
+ scope of this module. This statement also applies when
+ the octet string has been encrypted.";
+ }
+
+ identity one-symmetric-key-format {
+ if-feature "one-symmetric-key-format";
+ base symmetric-key-format;
+ description
+ "Indicates that the private key value is a CMS
+ OneSymmetricKey structure, as defined in RFC 6031,
+ encoded using ASN.1 distinguished encoding rules
+ (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 6031: Cryptographic Message Syntax (CMS)
+ Symmetric Key Package Content Type
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /*************************************************/
+ /* Identities for Encrypted Value Structures */
+ /*************************************************/
+
+ identity encrypted-value-format {
+ description
+ "Base format identity for encrypted values.";
+ }
+
+ identity symmetrically-encrypted-value-format {
+ if-feature "symmetrically-encrypted-value-format";
+ base encrypted-value-format;
+ description
+ "Base format identity for symmetrically encrypted
+ values.";
+ }
+
+ identity asymmetrically-encrypted-value-format {
+ if-feature "asymmetrically-encrypted-value-format";
+ base encrypted-value-format;
+ description
+ "Base format identity for asymmetrically encrypted
+ values.";
+ }
+
+ identity cms-encrypted-data-format {
+ if-feature "cms-encrypted-data-format";
+ base symmetrically-encrypted-value-format;
+ description
+ "Indicates that the encrypted value conforms to
+ the 'encrypted-data-cms' type with the constraint
+ that the 'unprotectedAttrs' value is not set.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ identity cms-enveloped-data-format {
+ if-feature "cms-enveloped-data-format";
+ base asymmetrically-encrypted-value-format;
+ description
+ "Indicates that the encrypted value conforms to the
+ 'enveloped-data-cms' type with the following constraints:
+
+ The EnvelopedData structure MUST have exactly one
+ 'RecipientInfo'.
+
+ If the asymmetric key supports public key cryptography
+ (e.g., RSA), then the 'RecipientInfo' must be a
+ 'KeyTransRecipientInfo' with the 'RecipientIdentifier'
+ using a 'subjectKeyIdentifier' with the value set using
+ 'method 1' in RFC 7093 over the recipient's public key.
+
+ Otherwise, if the asymmetric key supports key agreement
+ (e.g., ECC), then the 'RecipientInfo' must be a
+ 'KeyAgreeRecipientInfo'. The 'OriginatorIdentifierOrKey'
+ value must use the 'OriginatorPublicKey' alternative.
+ The 'UserKeyingMaterial' value must not be present.
+ There must be exactly one 'RecipientEncryptedKeys' value
+ having the 'KeyAgreeRecipientIdentifier' set to 'rKeyId'
+ with the value set using 'method 1' in RFC 7093 over the
+ recipient's public key.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)
+ RFC 7093:
+ Additional Methods for Generating Key
+ Identifiers Values
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /*********************************************************/
+ /* Identities for Certificate Signing Request Formats */
+ /*********************************************************/
+
+ identity csr-format {
+ description
+ "A base identity for the certificate signing request
+ formats. Additional derived identities MAY be defined
+ by future efforts.";
+ }
+
+ identity p10-csr {
+ if-feature "p10-based-csrs";
+ base csr-format;
+ description
+ "Indicates the 'CertificationRequest' structure
+ defined in RFC 2986.";
+ reference
+ "RFC 2986: PKCS #10: Certification Request Syntax
+ Specification Version 1.7";
+ }
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 2986 */
+ /***************************************************/
+
+ typedef csr-info {
+ type binary;
+ description
+ "A CertificationRequestInfo structure, as defined in
+ RFC 2986, encoded using ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986: PKCS #10: Certification Request Syntax
+ Specification Version 1.7
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef p10-csr {
+ type binary;
+ description
+ "A CertificationRequest structure, as specified in
+ RFC 2986, encoded using ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ Version 1.7
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 5280 */
+ /***************************************************/
+
+ typedef x509 {
+ type binary;
+ description
+ "A Certificate structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef crl {
+ type binary;
+ description
+ "A CertificateList structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 6960 */
+ /***************************************************/
+
+ typedef oscp-request {
+ type binary;
+ description
+ "A OCSPRequest structure, as specified in RFC 6960,
+ encoded using ASN.1 distinguished encoding rules
+ (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 6960:
+ X.509 Internet Public Key Infrastructure Online
+ Certificate Status Protocol - OCSP
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef oscp-response {
+ type binary;
+ description
+ "A OCSPResponse structure, as specified in RFC 6960,
+ encoded using ASN.1 distinguished encoding rules
+ (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 6960:
+ X.509 Internet Public Key Infrastructure Online
+ Certificate Status Protocol - OCSP
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /***********************************************/
+ /* Typedefs for ASN.1 structures from 5652 */
+ /***********************************************/
+
+ typedef cms {
+ type binary;
+ description
+ "A ContentInfo structure, as specified in RFC 5652,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5652:
+ Cryptographic Message Syntax (CMS)
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef data-content-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ data content type, as described by Section 4 in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef signed-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ signed-data content type, as described by Section 5 in
+ RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef enveloped-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ enveloped-data content type, as described by Section 6
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef digested-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ digested-data content type, as described by Section 7
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef encrypted-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ encrypted-data content type, as described by Section 8
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef authenticated-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ authenticated-data content type, as described by Section 9
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5280 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a self-signed
+ root certificate.";
+ }
+
+ typedef end-entity-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a certificate
+ that is neither self-signed nor having Basic constraint
+ CA true.";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5652 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the chain of
+ X.509 certificates needed to authenticate the certificate
+ presented by a client or end-entity.
+
+ The CMS MUST contain only a single chain of certificates.
+ The client or end-entity certificate MUST only authenticate
+ to last intermediate CA certificate listed in the chain.
+
+ In all cases, the chain MUST include a self-signed root
+ certificate. In the case where the root certificate is
+ itself the issuer of the client or end-entity certificate,
+ only one certificate is present.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure that is commonly used to disseminate X.509
+ certificates and revocation objects (RFC 5280).";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.";
+ }
+
+ typedef end-entity-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the end
+ entity certificate itself, and MAY contain any number
+ of intermediate certificates leading up to a trust
+ anchor certificate. The trust anchor certificate
+ MAY be included as well.
+
+ The CMS MUST contain a single end entity certificate.
+ The CMS MUST NOT contain any spurious certificates.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure that is commonly used to disseminate X.509
+ certificates and revocation objects (RFC 5280).";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.";
+ }
+
+ /*****************/
+ /* Groupings */
+ /*****************/
+
+ grouping encrypted-value-grouping {
+ description
+ "A reusable grouping for a value that has been encrypted by
+ a referenced symmetric or asymmetric key.";
+ container encrypted-by {
+ nacm:default-deny-write;
+ description
+ "An empty container enabling a reference to the key that
+ encrypted the value to be augmented in. The referenced
+ key MUST be a symmetric key or an asymmetric key.
+
+ A symmetric key MUST be referenced via a leaf node called
+ 'symmetric-key-ref'. An asymmetric key MUST be referenced
+ via a leaf node called 'asymmetric-key-ref'.
+
+ The leaf nodes MUST be direct descendants in the data tree,
+ and MAY be direct descendants in the schema tree.";
+ }
+ leaf encrypted-value-format {
+ type identityref {
+ base encrypted-value-format;
+ }
+ mandatory true;
+ description
+ "Identifies the format of the 'encrypted-value' leaf.
+
+ If 'encrypted-by' points to a symmetric key, then a
+ 'symmetrically-encrypted-value-format' based identity
+ MUST by set (e.g., cms-encrypted-data-format).
+
+ If 'encrypted-by' points to an asymmetric key, then an
+ 'asymmetrically-encrypted-value-format' based identity
+ MUST by set (e.g., cms-enveloped-data-format).";
+ }
+ leaf encrypted-value {
+ nacm:default-deny-write;
+ type binary;
+ must '../encrypted-by';
+ mandatory true;
+ description
+ "The value, encrypted using the referenced symmetric
+ or asymmetric key. The value MUST be encoded using
+ the format associated with the 'encrypted-value-format'
+ leaf.";
+ }
+ }
+
+ grouping password-grouping {
+ description
+ "A password that MAY be encrypted.";
+ choice password-type {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "Choice between password types.";
+ case cleartext-password {
+ leaf cleartext-password {
+ nacm:default-deny-all;
+ type string;
+ description
+ "The cleartext value of the password.";
+ }
+ }
+ case encrypted-password {
+ if-feature "password-encryption";
+ container encrypted-password {
+ description
+ "A container for the encrypted password value.";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping symmetric-key-grouping {
+ description
+ "A symmetric key.";
+ leaf key-format {
+ nacm:default-deny-write;
+ type identityref {
+ base symmetric-key-format;
+ }
+ description
+ "Identifies the symmetric key's format. Implementations
+ SHOULD ensure that the incoming symmetric key value is
+ encoded in the specified format.
+
+ For encrypted keys, the value is the same as it would
+ have been if the key were not encrypted.";
+ }
+ choice key-type {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "Choice between key types.";
+ case cleartext-key {
+ leaf cleartext-key {
+ nacm:default-deny-all;
+ type binary;
+ must '../key-format';
+ description
+ "The binary value of the key. The interpretation of
+ the value is defined by the 'key-format' field.";
+ }
+ }
+ case hidden-key {
+ if-feature "hidden-keys";
+ leaf hidden-key {
+ type empty;
+ must 'not(../key-format)';
+ description
+ "A hidden key. How such keys are created is outside
+ the scope of this module.";
+ }
+ }
+ case encrypted-key {
+ if-feature "symmetric-key-encryption";
+ container encrypted-key {
+ must '../key-format';
+ description
+ "A container for the encrypted symmetric key value.
+ The interpretation of the 'encrypted-value' node
+ is via the 'key-format' node";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping public-key-grouping {
+ description
+ "A public key.";
+ leaf public-key-format {
+ nacm:default-deny-write;
+ type identityref {
+ base public-key-format;
+ }
+ mandatory true;
+ description
+ "Identifies the public key's format. Implementations SHOULD
+ ensure that the incoming public key value is encoded in the
+ specified format.";
+ }
+ leaf public-key {
+ nacm:default-deny-write;
+ type binary;
+ mandatory true;
+ description
+ "The binary value of the public key. The interpretation
+ of the value is defined by 'public-key-format' field.";
+ }
+ }
+
+ grouping asymmetric-key-pair-grouping {
+ description
+ "A private key and its associated public key. Implementations
+ SHOULD ensure that the two keys are a matching pair.";
+ uses public-key-grouping;
+ leaf private-key-format {
+ nacm:default-deny-write;
+ type identityref {
+ base private-key-format;
+ }
+ description
+ "Identifies the private key's format. Implementations SHOULD
+ ensure that the incoming private key value is encoded in the
+ specified format.
+
+ For encrypted keys, the value is the same as it would have
+ been if the key were not encrypted.";
+ }
+ choice private-key-type {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "Choice between key types.";
+ case cleartext-private-key {
+ leaf cleartext-private-key {
+ nacm:default-deny-all;
+ type binary;
+ must '../private-key-format';
+ description
+ "The value of the binary key The key's value is
+ interpreted by the 'private-key-format' field.";
+ }
+ }
+ case hidden-private-key {
+ if-feature "hidden-keys";
+ leaf hidden-private-key {
+ type empty;
+ must 'not(../private-key-format)';
+ description
+ "A hidden key. How such keys are created is
+ outside the scope of this module.";
+ }
+ }
+ case encrypted-private-key {
+ if-feature "private-key-encryption";
+ container encrypted-private-key {
+ must '../private-key-format';
+ description
+ "A container for the encrypted asymmetric private key
+ value. The interpretation of the 'encrypted-value'
+ node is via the 'private-key-format' node";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping certificate-expiration-grouping {
+ description
+ "A notification for when a certificate is about to, or
+ already has, expired.";
+ notification certificate-expiration {
+ if-feature "certificate-expiration-notification";
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping trust-anchor-cert-grouping {
+ description
+ "A trust anchor certificate, and a notification for when
+ it is about to (or already has) expire.";
+ leaf cert-data {
+ nacm:default-deny-write;
+ type trust-anchor-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ }
+ uses certificate-expiration-grouping;
+ }
+
+ grouping end-entity-cert-grouping {
+ description
+ "An end entity certificate, and a notification for when
+ it is about to (or already has) expire. Implementations
+ SHOULD assert that, where used, the end entity certificate
+ contains the expected public key.";
+ leaf cert-data {
+ nacm:default-deny-write;
+ type end-entity-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ }
+ uses certificate-expiration-grouping;
+ }
+
+ grouping generate-csr-grouping {
+ description
+ "Defines the 'generate-csr' action.";
+ action generate-csr {
+ if-feature "csr-generation";
+ nacm:default-deny-all;
+ description
+ "Generates a certificate signing request structure for
+ the associated asymmetric key using the passed subject
+ and attribute values.
+
+ This action statement is only available when the
+ associated 'public-key-format' node's value is
+ 'subject-public-key-info-format'.";
+ reference
+ "RFC 6125:
+ Representation and Verification of Domain-Based
+ Application Service Identity within Internet Public Key
+ Infrastructure Using X.509 (PKIX) Certificates in the
+ Context of Transport Layer Security (TLS)";
+ input {
+ leaf csr-format {
+ type identityref {
+ base csr-format;
+ }
+ mandatory true;
+ description
+ "Specifies the format for the returned certifiacte.";
+ }
+ leaf csr-info {
+ type csr-info;
+ mandatory true;
+ description
+ "A CertificationRequestInfo structure, as defined in
+ RFC 2986.
+
+ Enables the client to provide a fully-populated
+ CertificationRequestInfo structure that the server
+ only needs to sign in order to generate the complete
+ 'CertificationRequest' structure to return in the
+ 'output'.
+
+ The 'AlgorithmIdentifier' field contained inside
+ the 'SubjectPublicKeyInfo' field MUST be one known
+ to be supported by the device.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ RFC AAAA:
+ YANG Data Types and Groupings for Cryptography";
+ }
+ }
+ output {
+ choice csr-type {
+ mandatory true;
+ description
+ "A choice amongst certificate signing request formats.
+ Additional formats MAY be augmented into this 'choice'
+ statement by future efforts.";
+ case p10-csr {
+ leaf p10-csr {
+ type p10-csr;
+ description
+ "A CertificationRequest, as defined in RFC 2986.";
+ }
+ description
+ "A CertificationRequest, as defined in RFC 2986.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ RFC AAAA:
+ YANG Data Types and Groupings for Cryptography";
+ }
+ }
+ }
+ }
+ } // generate-csr-grouping
+
+ grouping asymmetric-key-pair-with-cert-grouping {
+ description
+ "A private/public key pair and an associated certificate.
+ Implementations SHOULD assert that certificates contain
+ the matching public key.";
+ uses asymmetric-key-pair-grouping;
+ uses end-entity-cert-grouping;
+ uses generate-csr-grouping;
+ } // asymmetric-key-pair-with-cert-grouping
+
+ grouping asymmetric-key-pair-with-certs-grouping {
+ description
+ "A private/public key pair and associated certificates.
+ Implementations SHOULD assert that certificates contain
+ the matching public key.";
+ uses asymmetric-key-pair-grouping;
+ container certificates {
+ nacm:default-deny-write;
+ description
+ "Certificates associated with this asymmetric key.";
+ list certificate {
+ key "name";
+ description
+ "A certificate for this asymmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the certificate.";
+ }
+ uses end-entity-cert-grouping {
+ refine "cert-data" {
+ mandatory true;
+ }
+ }
+ }
+ }
+ uses generate-csr-grouping;
+ } // asymmetric-key-pair-with-certs-grouping
+
+}
diff --git a/modules/ietf-keystore@2022-05-24.yang b/modules/ietf-keystore@2022-05-24.yang
new file mode 100644
index 0000000..345e0aa
--- /dev/null
+++ b/modules/ietf-keystore@2022-05-24.yang
@@ -0,0 +1,412 @@
+module ietf-keystore {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-keystore";
+ prefix ks;
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: YANG Data Types and Groupings for Cryptography";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
+
+ description
+ "This module defines a 'keystore' to centralize management
+ of security credentials.
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC CCCC
+ (https://www.rfc-editor.org/info/rfcCCCC); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-05-24 {
+ description
+ "Initial version";
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ }
+
+ /****************/
+ /* Features */
+ /****************/
+
+ feature central-keystore-supported {
+ description
+ "The 'central-keystore-supported' feature indicates that
+ the server supports the keystore (i.e., implements the
+ 'ietf-keystore' module).";
+ }
+
+ feature local-definitions-supported {
+ description
+ "The 'local-definitions-supported' feature indicates that
+ the server supports locally-defined keys.";
+ }
+
+ feature asymmetric-keys {
+ description
+ "The 'asymmetric-keys' feature indicates that the server
+ supports asymmetric keys in keystores.";
+ }
+
+ feature symmetric-keys {
+ description
+ "The 'symmetric-keys' feature indicates that the server
+ supports symmetric keys in keystores.";
+ }
+
+ /****************/
+ /* Typedefs */
+ /****************/
+
+ typedef symmetric-key-ref {
+ type leafref {
+ path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key"
+ + "/ks:name";
+ }
+ description
+ "This typedef enables modules to easily define a reference
+ to a symmetric key stored in the keystore, when this
+ module is implemented.";
+ }
+
+ typedef asymmetric-key-ref {
+ type leafref {
+ path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
+ + "/ks:name";
+ }
+ description
+ "This typedef enables modules to easily define a reference
+ to an asymmetric key stored in the keystore, when this
+ module is implemented.";
+ }
+
+ /*****************/
+ /* Groupings */
+ /*****************/
+
+ grouping encrypted-by-choice-grouping {
+ description
+ "A grouping that defines a 'choice' statement that can be
+ augmented into the 'encrypted-by' node, present in the
+ 'symmetric-key-grouping' and 'asymmetric-key-pair-grouping'
+ groupings defined in RFC AAAA, enabling references to keys
+ in the keystore, when this module is implemented.";
+ choice encrypted-by-choice {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice amongst other symmetric or asymmetric keys.";
+ case symmetric-key-ref {
+ if-feature "central-keystore-supported";
+ if-feature "symmetric-keys";
+ leaf symmetric-key-ref {
+ type ks:symmetric-key-ref;
+ description
+ "Identifies the symmetric key used to encrypt the
+ associated key.";
+ }
+ }
+ case asymmetric-key-ref {
+ if-feature "central-keystore-supported";
+ if-feature "asymmetric-keys";
+ leaf asymmetric-key-ref {
+ type ks:asymmetric-key-ref;
+ description
+ "Identifies the asymmetric key whose public key
+ encrypted the associated key.";
+ }
+ }
+ }
+ }
+
+ grouping asymmetric-key-certificate-ref-grouping {
+ description
+ "This grouping defines a reference to a specific certificate
+ associated with an asymmetric key stored in the keystore,
+ when this module is implemented.";
+ leaf asymmetric-key {
+ nacm:default-deny-write;
+ if-feature "central-keystore-supported";
+ if-feature "asymmetric-keys";
+ type ks:asymmetric-key-ref;
+ must '../certificate';
+ description
+ "A reference to an asymmetric key in the keystore.";
+ }
+ leaf certificate {
+ nacm:default-deny-write;
+ type leafref {
+ path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
+ + "[ks:name = current()/../asymmetric-key]/"
+ + "ks:certificates/ks:certificate/ks:name";
+ }
+ must '../asymmetric-key';
+ description
+ "A reference to a specific certificate of the
+ asymmetric key in the keystore.";
+ }
+ }
+
+ // local-or-keystore-* groupings
+
+ grouping local-or-keystore-symmetric-key-grouping {
+ description
+ "A grouping that expands to allow the symmetric key to be
+ either stored locally, i.e., within the using data model,
+ or a reference to a symmetric key stored in the keystore.
+
+ Servers that do not 'implement' this module, and hence
+ 'central-keystore-supported' is not defined, SHOULD
+ augment in custom 'case' statements enabling references
+ to the alternate keystore locations.";
+ choice local-or-keystore {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ case local {
+ if-feature "local-definitions-supported";
+ if-feature "symmetric-keys";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses ct:symmetric-key-grouping;
+ }
+ }
+ case keystore {
+ if-feature "central-keystore-supported";
+ if-feature "symmetric-keys";
+ leaf keystore-reference {
+ type ks:symmetric-key-ref;
+ description
+ "A reference to an symmetric key that exists in
+ the keystore, when this module is implemented.";
+ }
+ }
+ }
+ }
+ grouping local-or-keystore-asymmetric-key-grouping {
+ description
+ "A grouping that expands to allow the asymmetric key to be
+ either stored locally, i.e., within the using data model,
+ or a reference to an asymmetric key stored in the keystore.
+
+ Servers that do not 'implement' this module, and hence
+ 'central-keystore-supported' is not defined, SHOULD
+ augment in custom 'case' statements enabling references
+ to the alternate keystore locations.";
+ choice local-or-keystore {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ case local {
+ if-feature "local-definitions-supported";
+ if-feature "asymmetric-keys";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses ct:asymmetric-key-pair-grouping;
+ }
+ }
+ case keystore {
+ if-feature "central-keystore-supported";
+ if-feature "asymmetric-keys";
+ leaf keystore-reference {
+ type ks:asymmetric-key-ref;
+ description
+ "A reference to an asymmetric key that exists in
+ the keystore, when this module is implemented. The
+ intent is to reference just the asymmetric key
+ without any regard for any certificates that may
+ be associated with it.";
+ }
+ }
+ }
+ }
+
+ grouping local-or-keystore-asymmetric-key-with-certs-grouping {
+ description
+ "A grouping that expands to allow an asymmetric key and
+ its associated certificates to be either stored locally,
+ i.e., within the using data model, or a reference to an
+ asymmetric key (and its associated certificates) stored
+ in the keystore.
+ Servers that do not 'implement' this module, and hence
+ 'central-keystore-supported' is not defined, SHOULD
+ augment in custom 'case' statements enabling references
+ to the alternate keystore locations.";
+ choice local-or-keystore {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ case local {
+ if-feature "local-definitions-supported";
+ if-feature "asymmetric-keys";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses ct:asymmetric-key-pair-with-certs-grouping;
+ }
+ }
+ case keystore {
+ if-feature "central-keystore-supported";
+ if-feature "asymmetric-keys";
+ leaf keystore-reference {
+ type ks:asymmetric-key-ref;
+ description
+ "A reference to an asymmetric-key (and all of its
+ associated certificates) in the keystore, when
+ this module is implemented.";
+ }
+ }
+ }
+ }
+
+ grouping local-or-keystore-end-entity-cert-with-key-grouping {
+ description
+ "A grouping that expands to allow an end-entity certificate
+ (and its associated asymmetric key pair) to be either stored
+ locally, i.e., within the using data model, or a reference
+ to a specific certificate in the keystore.
+
+ Servers that do not 'implement' this module, and hence
+ 'central-keystore-supported' is not defined, SHOULD
+ augment in custom 'case' statements enabling references
+ to the alternate keystore locations.";
+ choice local-or-keystore {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ case local {
+ if-feature "local-definitions-supported";
+ if-feature "asymmetric-keys";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses ct:asymmetric-key-pair-with-cert-grouping;
+ }
+ }
+ case keystore {
+ if-feature "central-keystore-supported";
+ if-feature "asymmetric-keys";
+ container keystore-reference {
+ uses asymmetric-key-certificate-ref-grouping;
+ description
+ "A reference to a specific certificate associated with
+ an asymmetric key stored in the keystore, when this
+ module is implemented.";
+ }
+ }
+ }
+ }
+
+ grouping keystore-grouping {
+ description
+ "Grouping definition enables use in other contexts. If ever
+ done, implementations MUST augment new 'case' statements
+ into the various local-or-keystore 'choice' statements to
+ supply leafrefs to the model-specific location(s).";
+ container asymmetric-keys {
+ nacm:default-deny-write;
+ if-feature "asymmetric-keys";
+ description
+ "A list of asymmetric keys.";
+ list asymmetric-key {
+ key "name";
+ description
+ "An asymmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the asymmetric key.";
+ }
+ uses ct:asymmetric-key-pair-with-certs-grouping;
+ }
+ }
+ container symmetric-keys {
+ nacm:default-deny-write;
+ if-feature "symmetric-keys";
+ description
+ "A list of symmetric keys.";
+ list symmetric-key {
+ key "name";
+ description
+ "A symmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the symmetric key.";
+ }
+ uses ct:symmetric-key-grouping;
+ }
+ }
+ }
+
+ /*********************************/
+ /* Protocol accessible nodes */
+ /*********************************/
+
+ container keystore {
+ if-feature central-keystore-supported;
+ description
+ "A central keystore containing a list of symmetric keys and
+ a list of asymmetric keys.";
+ nacm:default-deny-write;
+ uses keystore-grouping {
+ augment "symmetric-keys/symmetric-key/key-type/encrypted-key/"
+ + "encrypted-key/encrypted-by" {
+ description
+ "Augments in a choice statement enabling the encrypting
+ key to be any other symmetric or asymmetric key in the
+ central keystore.";
+ uses encrypted-by-choice-grouping;
+ }
+ augment "asymmetric-keys/asymmetric-key/private-key-type/"
+ + "encrypted-private-key/encrypted-private-key/"
+ + "encrypted-by" {
+ description
+ "Augments in a choice statement enabling the encrypting
+ key to be any other symmetric or asymmetric key in the
+ central keystore.";
+ uses encrypted-by-choice-grouping;
+ }
+ }
+ }
+}
diff --git a/modules/ietf-netconf-server@2022-05-24.yang b/modules/ietf-netconf-server@2022-05-24.yang
new file mode 100644
index 0000000..c48d584
--- /dev/null
+++ b/modules/ietf-netconf-server@2022-05-24.yang
@@ -0,0 +1,677 @@
+module ietf-netconf-server {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
+ prefix ncs;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-x509-cert-to-name {
+ prefix x509c2n;
+ reference
+ "RFC 7407: A YANG Data Model for SNMP Configuration";
+ }
+
+ import ietf-tcp-client {
+ prefix tcpc;
+ reference
+ "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ import ietf-tcp-server {
+ prefix tcps;
+ reference
+ "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ import ietf-ssh-common {
+ prefix sshcmn;
+ revision-date 2022-07-18; // stable grouping definitions
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ import ietf-ssh-server {
+ prefix sshs;
+ revision-date 2022-07-18; // stable grouping definitions
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ import ietf-tls-server {
+ prefix tlss;
+ revision-date 2022-07-18; // stable grouping definitions
+ reference
+ "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>
+ Author: Juergen Schoenwaelder
+ <mailto:j.schoenwaelder@jacobs-university.de>";
+
+ description
+ "This module contains a collection of YANG definitions
+ for configuring NETCONF servers.
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC HHHH
+ (https://www.rfc-editor.org/info/rfcHHHH); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-05-24 {
+ description
+ "Initial version";
+ reference
+ "RFC HHHH: NETCONF Client and Server Models";
+ }
+
+ // Features
+
+ feature ssh-listen {
+ description
+ "The 'ssh-listen' feature indicates that the NETCONF server
+ supports opening a port to accept NETCONF over SSH
+ client connections.";
+ reference
+ "RFC 6242:
+ Using the NETCONF Protocol over Secure Shell (SSH)";
+ }
+
+ feature tls-listen {
+ description
+ "The 'tls-listen' feature indicates that the NETCONF server
+ supports opening a port to accept NETCONF over TLS
+ client connections.";
+ reference
+ "RFC 7589: Using the NETCONF Protocol over Transport
+ Layer Security (TLS) with Mutual X.509
+ Authentication";
+ }
+
+ feature ssh-call-home {
+ description
+ "The 'ssh-call-home' feature indicates that the NETCONF
+ server supports initiating a NETCONF over SSH call
+ home connection to NETCONF clients.";
+ reference
+ "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
+ }
+
+ feature tls-call-home {
+ description
+ "The 'tls-call-home' feature indicates that the NETCONF
+ server supports initiating a NETCONF over TLS call
+ home connection to NETCONF clients.";
+ reference
+ "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
+ }
+
+ feature central-netconf-server-supported {
+ description
+ "The 'central-netconf-server-supported' feature indicates
+ that the server supports the top-level 'netconf-server'
+ node.
+
+ This feature is needed as some servers may want to use
+ features defined in this module, which requires this
+ module to be implemented, without having to support
+ the top-level 'netconf-server' node.";
+ }
+
+ // Groupings
+
+ grouping netconf-server-grouping {
+ description
+ "A reusable grouping for configuring a NETCONF server
+ without any consideration for how underlying transport
+ sessions are established.
+
+ Note that this grouping uses a fairly typical descendant
+ node name such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue by wrapping the 'uses'
+ statement in a container called, e.g.,
+ 'netconf-server-parameters'. This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+
+ container client-identity-mappings {
+ description
+ "Specifies mappings through which NETCONF client X.509
+ certificates are used to determine a NETCONF username,
+ per RFC 7407.
+
+ For TLS-based transports, if no matching and valid
+ cert-to-name list entry can be found, then the NETCONF
+ server MUST close the connection, and MUST NOT accept
+ NETCONF messages over it, per Section 7 in RFC 7589.
+
+ For SSH-based transports, a matching cert-to-name
+ entry overrides the username provided by the SSH
+ implementation, consistent with the second paragraph
+ of Section 3 in RFC 6242.";
+ reference
+ "RFC 6242:
+ Using the NETCONF Protocol over Secure Shell (SSH)
+ RFC 7589:
+ Using the NETCONF Protocol over Transport Layer
+ Security (TLS) with Mutual X.509 Authentication";
+ uses x509c2n:cert-to-name {
+ refine "cert-to-name/fingerprint" {
+ mandatory false;
+ description
+ "A 'fingerprint' value does not need to be specified
+ when the 'cert-to-name' mapping is independent of
+ fingerprint matching. A 'cert-to-name' having no
+ fingerprint value will match any client certificate
+ and therefore should only be present at the end of
+ the user-ordered 'cert-to-name' list.";
+ }
+ }
+ }
+ }
+
+ grouping netconf-server-listen-stack-grouping {
+ description
+ "A reusable grouping for configuring a NETCONF server
+ 'listen' protocol stack for a single connection.";
+ choice transport {
+ mandatory true;
+ description
+ "Selects between available transports.";
+ case ssh {
+ if-feature "ssh-listen";
+ container ssh {
+ description
+ "SSH-specific listening configuration for inbound
+ connections.";
+ container tcp-server-parameters {
+ description
+ "A wrapper around the TCP client parameters
+ to avoid name collisions.";
+ uses tcps:tcp-server-grouping {
+ refine "local-port" {
+ default "830";
+ description
+ "The NETCONF server will listen on the
+ IANA-assigned well-known port value
+ for 'netconf-ssh' (830) if no value
+ is specified.";
+ }
+ }
+ }
+ container ssh-server-parameters {
+ description
+ "A wrapper around the SSH server parameters
+ to avoid name collisions.";
+ uses sshs:ssh-server-grouping;
+ }
+ container netconf-server-parameters {
+ description
+ "A wrapper around the NETCONF server parameters
+ to avoid name collisions.";
+ uses ncs:netconf-server-grouping {
+ refine "client-identity-mappings" {
+ if-feature "sshcmn:ssh-x509-certs";
+ description
+ "Augments in an 'if-feature' statement
+ ensuring the 'client-identity-mappings'
+ descendant is enabled only when SSH
+ supports X.509 certificates.";
+ }
+ augment "client-identity-mappings" {
+ description
+ "Adds a flag indicating if a cert-to-name
+ is required.";
+ leaf mapping-required {
+ type boolean;
+ description
+ "Indicates that the cert-to-name mapping
+ is required (i.e., the SSH-level username
+ is ignored).";
+ }
+ }
+ }
+ }
+ }
+ }
+ case tls {
+ if-feature "tls-listen";
+ container tls {
+ description
+ "TLS-specific listening configuration for inbound
+ connections.";
+ container tcp-server-parameters {
+ description
+ "A wrapper around the TCP client parameters
+ to avoid name collisions.";
+ uses tcps:tcp-server-grouping {
+ refine "local-port" {
+ default "6513";
+ description
+ "The NETCONF server will listen on the
+ IANA-assigned well-known port value
+ for 'netconf-tls' (6513) if no value
+ is specified.";
+ }
+ }
+ }
+ container tls-server-parameters {
+ description
+ "A wrapper around the TLS server parameters to
+ avoid name collisions.";
+ uses tlss:tls-server-grouping {
+ refine "client-authentication" {
+ must 'ca-certs or ee-certs';
+ description
+ "NETCONF/TLS servers MUST validate client
+ certificates. This configures certificates
+ at the socket-level (i.e. bags), more
+ discriminating client-certificate checks
+ SHOULD be implemented by the application.";
+ reference
+ "RFC 7589:
+ Using the NETCONF Protocol over Transport Layer
+ Security (TLS) with Mutual X.509 Authentication";
+ }
+ }
+ }
+ container netconf-server-parameters {
+ description
+ "A wrapper around the NETCONF server parameters
+ to avoid name collisions.";
+ uses ncs:netconf-server-grouping {
+ refine "client-identity-mappings/cert-to-name" {
+ min-elements 1;
+ description
+ "The TLS transport requires a mapping.";
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ grouping netconf-server-callhome-stack-grouping {
+ description
+ "A reusable grouping for configuring a NETCONF server
+ 'call-home' protocol stack, for a single connection.";
+ choice transport {
+ mandatory true;
+ description
+ "Selects between available transports.";
+ case ssh {
+ if-feature "ssh-call-home";
+ container ssh {
+ description
+ "Specifies SSH-specific call-home transport
+ configuration.";
+ container tcp-client-parameters {
+ description
+ "A wrapper around the TCP client parameters
+ to avoid name collisions.";
+ uses tcpc:tcp-client-grouping {
+ refine "remote-port" {
+ default "4334";
+ description
+ "The NETCONF server will attempt to connect
+ to the IANA-assigned well-known port for
+ 'netconf-ch-tls' (4334) if no value is
+ specified.";
+ }
+ }
+ }
+ container ssh-server-parameters {
+ description
+ "A wrapper around the SSH server parameters
+ to avoid name collisions.";
+ uses sshs:ssh-server-grouping;
+ }
+ container netconf-server-parameters {
+ description
+ "A wrapper around the NETCONF server parameters
+ to avoid name collisions.";
+ uses ncs:netconf-server-grouping {
+ refine "client-identity-mappings" {
+ if-feature "sshcmn:ssh-x509-certs";
+ description
+ "Augments in an 'if-feature' statement
+ ensuring the 'client-identity-mappings'
+ descendant is enabled only when SSH
+ supports X.509 certificates.";
+ }
+ augment "client-identity-mappings" {
+ description
+ "Adds a flag indicating if a cert-to-name
+ is required.";
+ leaf mapping-required {
+ type boolean;
+ description
+ "Indicates that the cert-to-name mapping
+ is required (i.e., the SSH-level username
+ is ignored).";
+ }
+ }
+ }
+ }
+ }
+ }
+ case tls {
+ if-feature "tls-call-home";
+ container tls {
+ description
+ "Specifies TLS-specific call-home transport
+ configuration.";
+ container tcp-client-parameters {
+ description
+ "A wrapper around the TCP client parameters
+ to avoid name collisions.";
+ uses tcpc:tcp-client-grouping {
+ refine "remote-port" {
+ default "4335";
+ description
+ "The NETCONF server will attempt to connect
+ to the IANA-assigned well-known port for
+ 'netconf-ch-tls' (4335) if no value is
+ specified.";
+ }
+ }
+ }
+ container tls-server-parameters {
+ description
+ "A wrapper around the TLS server parameters to
+ avoid name collisions.";
+ uses tlss:tls-server-grouping {
+ refine "client-authentication" {
+ must 'ca-certs or ee-certs';
+ description
+ "NETCONF/TLS servers MUST validate client
+ certificates. This configures certificates
+ at the socket-level (i.e. bags), more
+ discriminating client-certificate checks
+ SHOULD be implemented by the application.";
+ reference
+ "RFC 7589:
+ Using the NETCONF Protocol over Transport Layer
+ Security (TLS) with Mutual X.509 Authentication";
+ }
+ }
+ }
+ container netconf-server-parameters {
+ description
+ "A wrapper around the NETCONF server parameters
+ to avoid name collisions.";
+ uses ncs:netconf-server-grouping {
+ refine "client-identity-mappings/cert-to-name" {
+ min-elements 1;
+ description
+ "The TLS transport requires a mapping.";
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ grouping netconf-server-app-grouping {
+ description
+ "A reusable grouping for configuring a NETCONF server
+ application that supports both 'listen' and 'call-home'
+ protocol stacks for a multiplicity of connections.";
+ container listen {
+ if-feature "ssh-listen or tls-listen";
+ presence
+ "Indicates that server-listening ports have been configured.
+ This statement is present so the mandatory descendant
+ nodes do not imply that this node must be configured.";
+ description
+ "Configures listen behavior";
+ leaf idle-timeout {
+ type uint16;
+ units "seconds";
+ default "3600"; // one hour
+ description
+ "Specifies the maximum number of seconds that a NETCONF
+ session may remain idle. A NETCONF session will be
+ dropped if it is idle for an interval longer than this
+ number of seconds. If set to zero, then the server
+ will never drop a session because it is idle. Sessions
+ that have a notification subscription active are never
+ dropped.";
+ }
+ list endpoint {
+ key "name";
+ min-elements 1;
+ description
+ "List of endpoints to listen for NETCONF connections.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the NETCONF listen endpoint.";
+ }
+ uses netconf-server-listen-stack-grouping;
+ }
+ }
+ container call-home {
+ if-feature "ssh-call-home or tls-call-home";
+ presence
+ "Indicates that server-initiated call home connections have
+ been configured. This statement is present so the mandatory
+ descendant nodes do not imply that this node must be
+ configured.";
+ description
+ "Configures the NETCONF server to initiate the underlying
+ transport connection to NETCONF clients.";
+ list netconf-client {
+ key "name";
+ min-elements 1;
+ description
+ "List of NETCONF clients the NETCONF server is to
+ maintain simultaneous call-home connections with.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the remote NETCONF client.";
+ }
+ container endpoints {
+ description
+ "Container for the list of endpoints.";
+ list endpoint {
+ key "name";
+ min-elements 1;
+ ordered-by user;
+ description
+ "A non-empty user-ordered list of endpoints for this
+ NETCONF server to try to connect to in sequence.
+ Defining more than one enables high-availability.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this endpoint.";
+ }
+ uses netconf-server-callhome-stack-grouping;
+ }
+ }
+ container connection-type {
+ description
+ "Indicates the NETCONF server's preference for how the
+ NETCONF connection is maintained.";
+ choice connection-type {
+ mandatory true;
+ description
+ "Selects between available connection types.";
+ case persistent-connection {
+ container persistent {
+ presence
+ "Indicates that a persistent connection is to be
+ maintained.";
+ description
+ "Maintain a persistent connection to the NETCONF
+ client. If the connection goes down, immediately
+ start trying to reconnect to the NETCONF client,
+ using the reconnection strategy.
+
+ This connection type minimizes any NETCONF client
+ to NETCONF server data-transfer delay, albeit at
+ the expense of holding resources longer.";
+ }
+ }
+ case periodic-connection {
+ container periodic {
+ presence "Indicates that a periodic connection is
+ to be maintained.";
+ description
+ "Periodically connect to the NETCONF client.
+
+ This connection type increases resource
+ utilization, albeit with increased delay in
+ NETCONF client to NETCONF client interactions.
+
+ The NETCONF client SHOULD gracefully close the
+ connection using <close-session> upon completing
+ planned activities. If the NETCONF session is
+ not closed gracefully, the NETCONF server MUST
+ immediately attempt to reestablish the connection.
+
+ In the case that the previous connection is still
+ active (i.e., the NETCONF client has not closed
+ it yet), establishing a new connection is NOT
+ RECOMMENDED.";
+ leaf period {
+ type uint16;
+ units "minutes";
+ default "60";
+ description
+ "Duration of time between periodic connections.";
+ }
+ leaf anchor-time {
+ type yang:date-and-time {
+ // constrained to minute-level granularity
+ pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
+ + '(Z|[\+\-]\d{2}:\d{2})';
+ }
+ description
+ "Designates a timestamp before or after which a
+ series of periodic connections are determined.
+ The periodic connections occur at a whole
+ multiple interval from the anchor time. For
+ example, for an anchor time is 15 minutes past
+ midnight and a period interval of 24 hours, then
+ a periodic connection will occur 15 minutes past
+ midnight everyday.";
+ }
+ leaf idle-timeout {
+ type uint16;
+ units "seconds";
+ default "120"; // two minutes
+ description
+ "Specifies the maximum number of seconds that
+ a NETCONF session may remain idle. A NETCONF
+ session will be dropped if it is idle for an
+ interval longer than this number of seconds.
+ If set to zero, then the server will never
+ drop a session because it is idle.";
+ }
+ }
+ } // case periodic-connection
+ } // choice connection-type
+ } // container connection-type
+ container reconnect-strategy {
+ description
+ "The reconnection strategy directs how a NETCONF server
+ reconnects to a NETCONF client, after discovering its
+ connection to the client has dropped, even if due to a
+ reboot. The NETCONF server starts with the specified
+ endpoint and tries to connect to it max-attempts times
+ before trying the next endpoint in the list (round
+ robin).";
+ leaf start-with {
+ type enumeration {
+ enum first-listed {
+ description
+ "Indicates that reconnections should start with
+ the first endpoint listed.";
+ }
+ enum last-connected {
+ description
+ "Indicates that reconnections should start with
+ the endpoint last connected to. If no previous
+ connection has ever been established, then the
+ first endpoint configured is used. NETCONF
+ servers SHOULD be able to remember the last
+ endpoint connected to across reboots.";
+ }
+ enum random-selection {
+ description
+ "Indicates that reconnections should start with
+ a random endpoint.";
+ }
+ }
+ default "first-listed";
+ description
+ "Specifies which of the NETCONF client's endpoints
+ the NETCONF server should start with when trying
+ to connect to the NETCONF client.";
+ }
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ default "5";
+ description
+ "Specifies the amount of time in seconds after which,
+ if the connection is not established, an endpoint
+ connection attempt is considered unsuccessful.";
+ }
+ leaf max-attempts {
+ type uint8 {
+ range "1..max";
+ }
+ default "3";
+ description
+ "Specifies the number times the NETCONF server tries
+ to connect to a specific endpoint before moving on
+ to the next endpoint in the list (round robin).";
+ }
+ } // container reconnect-strategy
+ } // list netconf-client
+ } // container call-home
+ } // grouping netconf-server-app-grouping
+
+ // Protocol accessible node for servers that implement this module.
+ container netconf-server {
+ if-feature central-netconf-server-supported;
+ uses netconf-server-app-grouping;
+ description
+ "Top-level container for NETCONF server configuration.";
+ }
+}
diff --git a/modules/ietf-ssh-common@2022-07-18.yang b/modules/ietf-ssh-common@2022-07-18.yang
new file mode 100644
index 0000000..00f32f4
--- /dev/null
+++ b/modules/ietf-ssh-common@2022-07-18.yang
@@ -0,0 +1,257 @@
+module ietf-ssh-common {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
+ prefix sshcmn;
+
+ import iana-ssh-encryption-algs {
+ prefix sshea;
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ import iana-ssh-key-exchange-algs {
+ prefix sshkea;
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ import iana-ssh-mac-algs {
+ prefix sshma;
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ import iana-ssh-public-key-algs {
+ prefix sshpka;
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: YANG Data Types and Groupings for Cryptography";
+ }
+
+ import ietf-keystore {
+ prefix ks;
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+
+ description
+ "This module defines a common features and groupings for
+ Secure Shell (SSH).
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC EEEE
+ (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-07-18 {
+ description
+ "Initial version";
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ // Features
+
+ feature ssh-x509-certs {
+ description
+ "X.509v3 certificates are supported for SSH.";
+ reference
+ "RFC 6187: X.509v3 Certificates for Secure Shell
+ Authentication";
+ }
+
+ feature transport-params {
+ description
+ "SSH transport layer parameters are configurable.";
+ }
+
+ feature public-key-generation {
+ description
+ "Indicates that the server implements the
+ 'generate-public-key' RPC.";
+ }
+
+ // Groupings
+
+ grouping transport-params-grouping {
+ description
+ "A reusable grouping for SSH transport parameters.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ container host-key {
+ description
+ "Parameters regarding host key.";
+ leaf-list host-key-alg {
+ type identityref {
+ base sshpka:public-key-alg-base;
+ }
+ ordered-by user;
+ description
+ "Acceptable host key algorithms in order of descending
+ preference. The configured host key algorithms should
+ be compatible with the algorithm used by the configured
+ private key. Please see Section 5 of RFC EEEE for
+ valid combinations.
+
+ If this leaf-list is not configured (has zero elements)
+ the acceptable host key algorithms are implementation-
+ defined.";
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+ }
+ container key-exchange {
+ description
+ "Parameters regarding key exchange.";
+ leaf-list key-exchange-alg {
+ type identityref {
+ base sshkea:key-exchange-alg-base;
+ }
+ ordered-by user;
+ description
+ "Acceptable key exchange algorithms in order of descending
+ preference.
+
+ If this leaf-list is not configured (has zero elements)
+ the acceptable key exchange algorithms are implementation
+ defined.";
+ }
+ }
+ container encryption {
+ description
+ "Parameters regarding encryption.";
+ leaf-list encryption-alg {
+ type identityref {
+ base sshea:encryption-alg-base;
+ }
+ ordered-by user;
+ description
+ "Acceptable encryption algorithms in order of descending
+ preference.
+
+ If this leaf-list is not configured (has zero elements)
+ the acceptable encryption algorithms are implementation
+ defined.";
+ }
+ }
+ container mac {
+ description
+ "Parameters regarding message authentication code (MAC).";
+ leaf-list mac-alg {
+ type identityref {
+ base sshma:mac-alg-base;
+ }
+ ordered-by user;
+ description
+ "Acceptable MAC algorithms in order of descending
+ preference.
+
+ If this leaf-list is not configured (has zero elements)
+ the acceptable MAC algorithms are implementation-
+ defined.";
+ }
+ }
+ }
+
+ // Protocol-accessible Nodes
+
+ rpc generate-public-key {
+ if-feature "public-key-generation";
+ description
+ "Requests the device to generate an public key using
+ the specified key algorithm.";
+ input {
+ leaf algorithm {
+ type sshpka:public-key-algorithm-ref;
+ mandatory true;
+ description
+ "The algorithm to be used when generating the key.";
+ }
+ leaf bits {
+ type uint16;
+ description
+ "Specifies the number of bits in the key to create.
+ For RSA keys, the minimum size is 1024 bits and
+ the default is 3072 bits. Generally, 3072 bits is
+ considered sufficient. DSA keys must be exactly 1024
+ bits as specified by FIPS 186-2. For ECDSA keys, the
+ 'bits' value determines the key length by selecting
+ from one of three elliptic curve sizes: 256, 384 or
+ 521 bits. Attempting to use bit lengths other than
+ these three values for ECDSA keys will fail. ECDSA-SK,
+ Ed25519 and Ed25519-SK keys have a fixed length and
+ the 'bits' value, if specified, will be ignored.";
+ }
+ choice private-key-encoding {
+ default cleartext;
+ description
+ "A choice amongst optional private key handling.";
+ case cleartext {
+ leaf cleartext {
+ type empty;
+ description
+ "Indicates that the private key is to be returned
+ as a cleartext value.";
+ }
+ }
+ case encrypt {
+ if-feature "ct:private-key-encryption";
+ container encrypt-with {
+ description
+ "Indicates that the key is to be encrypted using
+ the specified symmetric or asymmetric key.";
+ uses ks:encrypted-by-choice-grouping;
+ }
+ }
+ case hide {
+ if-feature "ct:hidden-keys";
+ leaf hide {
+ type empty;
+ description
+ "Indicates that the private key is to be hidden.
+
+ Unlike the 'cleartext' and 'encrypt' options, the
+ key returned is a placeholder for an internally
+ stored key. See the 'Support for Built-in Keys'
+ section in RFC CCCC for information about hidden
+ keys.";
+ }
+ }
+ }
+ }
+ output {
+ uses ct:asymmetric-key-pair-grouping;
+ }
+ } // end generate-public-key
+
+}
diff --git a/modules/ietf-ssh-server@2022-07-18.yang b/modules/ietf-ssh-server@2022-07-18.yang
new file mode 100644
index 0000000..2dd04bd
--- /dev/null
+++ b/modules/ietf-ssh-server@2022-07-18.yang
@@ -0,0 +1,414 @@
+module ietf-ssh-server {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server";
+ prefix sshs;
+
+ import iana-crypt-hash {
+ prefix ianach;
+ reference
+ "RFC 7317: A YANG Data Model for System Management";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: YANG Data Types and Groupings for Cryptography";
+ }
+
+ import ietf-truststore {
+ prefix ts;
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ }
+
+ import ietf-keystore {
+ prefix ks;
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ }
+
+ import ietf-ssh-common {
+ prefix sshcmn;
+ revision-date 2022-07-18; // stable grouping definitions
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+
+ description
+ "This module defines reusable groupings for SSH servers that
+ can be used as a basis for specific SSH server instances.
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC EEEE
+ (https://www.rfc-editor.org/info/rfcEEEE); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-07-18 {
+ description
+ "Initial version";
+ reference
+ "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ // Features
+
+ feature ssh-server-keepalives {
+ description
+ "Per socket SSH keepalive parameters are configurable for
+ SSH servers on the server implementing this feature.";
+ }
+
+ feature local-users-supported {
+ description
+ "Indicates that the configuration for users can be
+ configured herein, as opposed to in an application
+ specific location.";
+ }
+
+ feature local-user-auth-publickey {
+ if-feature "local-users-supported";
+ description
+ "Indicates that the 'publickey' authentication type,
+ per RFC 4252, is supported for locally-defined users.
+
+ The 'publickey' authentication type is required by
+ RFC 4252, but common implementations enable it to
+ be disabled.";
+ reference
+ "RFC 4252:
+ The Secure Shell (SSH) Authentication Protocol";
+ }
+
+ feature local-user-auth-password {
+ if-feature "local-users-supported";
+ description
+ "Indicates that the 'password' authentication type,
+ per RFC 4252, is supported for locally-defined users.";
+ reference
+ "RFC 4252:
+ The Secure Shell (SSH) Authentication Protocol";
+ }
+
+ feature local-user-auth-hostbased {
+ if-feature "local-users-supported";
+ description
+ "Indicates that the 'hostbased' authentication type,
+ per RFC 4252, is supported for locally-defined users.";
+ reference
+ "RFC 4252:
+ The Secure Shell (SSH) Authentication Protocol";
+ }
+
+ feature local-user-auth-none {
+ if-feature "local-users-supported";
+ description
+ "Indicates that the 'none' authentication type, per
+ RFC 4252, is supported. It is NOT RECOMMENDED to
+ enable this feature.";
+ reference
+ "RFC 4252:
+ The Secure Shell (SSH) Authentication Protocol";
+ }
+
+ // Groupings
+
+ grouping ssh-server-grouping {
+ description
+ "A reusable grouping for configuring a SSH server without
+ any consideration for how underlying TCP sessions are
+ established.
+
+ Note that this grouping uses fairly typical descendant
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'ssh-server-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+
+ container server-identity {
+ nacm:default-deny-write;
+ description
+ "The list of host keys the SSH server will present when
+ establishing a SSH connection.";
+ list host-key {
+ key "name";
+ min-elements 1;
+ ordered-by user;
+ description
+ "An ordered list of host keys the SSH server will use to
+ construct its ordered list of algorithms, when sending
+ its SSH_MSG_KEXINIT message, as defined in Section 7.1
+ of RFC 4253.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this host key";
+ }
+ choice host-key-type {
+ mandatory true;
+ description
+ "The type of host key being specified";
+ container public-key {
+ description
+ "A locally-defined or referenced asymmetric key pair
+ to be used for the SSH server's host key.";
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ uses ks:local-or-keystore-asymmetric-key-grouping {
+ refine "local-or-keystore/local/local-definition" {
+ must
+ 'public-key-format = "ct:ssh-public-key-format"';
+ }
+ refine "local-or-keystore/keystore/"
+ + "keystore-reference" {
+ must 'deref(.)/../ks:public-key-format'
+ + ' = "ct:ssh-public-key-format"';
+ }
+ }
+ }
+ container certificate {
+ if-feature "sshcmn:ssh-x509-certs";
+ description
+ "A locally-defined or referenced end-entity
+ certificate to be used for the SSH server's
+ host key.";
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ uses
+ ks:local-or-keystore-end-entity-cert-with-key-grouping {
+ refine "local-or-keystore/local/local-definition" {
+ must 'public-key-format'
+ + ' = "ct:subject-public-key-info-format"';
+ }
+ refine "local-or-keystore/keystore/keystore-reference"
+ + "/asymmetric-key" {
+ must 'deref(.)/../ks:public-key-format'
+ + ' = "ct:subject-public-key-info-format"';
+ }
+ }
+ }
+ }
+ }
+ } // container server-identity
+
+ container client-authentication {
+ nacm:default-deny-write;
+ description
+ "Specifies how the SSH server can authenticate SSH clients.";
+ container users {
+ if-feature "local-users-supported";
+ description
+ "A list of locally configured users.";
+ list user {
+ key "name";
+ description
+ "A locally configured user.
+
+ The server SHOULD derive the list of authentication
+ 'method names' returned to the SSH client from the
+ descendant nodes configured herein, per Sections
+ 5.1 and 5.2 in RFC 4252.
+
+ The authentication methods are unordered. Clients
+ must authenticate to all configured methods.
+ Whenever a choice amongst methods arises,
+ implementations SHOULD use a default ordering
+ that prioritizes automation over human-interaction.";
+ leaf name {
+ type string;
+ description
+ "The 'user name' for the SSH client, as defined in
+ the SSH_MSG_USERAUTH_REQUEST message in RFC 4253.";
+ }
+ container public-keys {
+ if-feature "local-user-auth-publickey";
+ presence
+ "Indicates that public keys have been configured.
+ This statement is present so the mandatory descendant
+ nodes do not imply that this node must be
+ configured.";
+ description
+ "A set of SSH public keys may be used by the SSH
+ server to authenticate this user. A user is
+ authenticated if its public key is an exact
+ match to a configured public key.";
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-public-keys-grouping {
+ refine "local-or-truststore/local/local-definition"
+ + "/public-key" {
+ must 'public-key-format'
+ + ' = "ct:ssh-public-key-format"';
+ }
+ refine "local-or-truststore/truststore/"
+ + "truststore-reference" {
+ must 'deref(.)/../*/ts:public-key-format'
+ + ' = "ct:ssh-public-key-format"';
+ }
+ }
+ }
+ leaf password {
+ if-feature "local-user-auth-password";
+ type ianach:crypt-hash;
+ description
+ "The password for this user.";
+ }
+ container hostbased {
+ if-feature "local-user-auth-hostbased";
+ presence
+ "Indicates that hostbased keys have been configured.
+ This statement is present so the mandatory descendant
+ nodes do not imply that this node must be
+ configured.";
+ description
+ "A set of SSH host keys used by the SSH server to
+ authenticate this user's host. A user's host is
+ authenticated if its host key is an exact match
+ to a configured host key.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ RFC BBBB: A YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-public-keys-grouping {
+ refine "local-or-truststore/local/local-definition"
+ + "/public-key" {
+ must 'public-key-format'
+ + ' = "ct:ssh-public-key-format"';
+ }
+ refine "local-or-truststore/truststore"
+ + "/truststore-reference" {
+ must 'deref(.)/../*/ts:public-key-format'
+ + ' = "ct:ssh-public-key-format"';
+ }
+ }
+ }
+ leaf none {
+ if-feature "local-user-auth-none";
+ type empty;
+ description
+ "Indicates that the 'none' method is configured
+ for this user.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.";
+ }
+ }
+ }
+ container ca-certs {
+ if-feature "sshcmn:ssh-x509-certs";
+ presence
+ "Indicates that CA certificates have been configured.
+ This statement is present so the mandatory descendant
+ nodes do not imply this node must be configured.";
+ description
+ "A set of certificate authority (CA) certificates used by
+ the SSH server to authenticate SSH client certificates.
+ A client certificate is authenticated if it has a valid
+ chain of trust to a configured CA certificate.";
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ container ee-certs {
+ if-feature "sshcmn:ssh-x509-certs";
+ presence
+ "Indicates that EE certificates have been configured.
+ This statement is present so the mandatory descendant
+ nodes do not imply this node must be configured.";
+ description
+ "A set of client certificates (i.e., end entity
+ certificates) used by the SSH server to authenticate
+ the certificates presented by SSH clients. A client
+ certificate is authenticated if it is an exact match
+ to a configured end-entity certificate.";
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ } // container client-authentication
+
+ container transport-params {
+ nacm:default-deny-write;
+ if-feature "sshcmn:transport-params";
+ description
+ "Configurable parameters of the SSH transport layer.";
+ uses sshcmn:transport-params-grouping;
+ } // container transport-params
+
+ container keepalives {
+ nacm:default-deny-write;
+ if-feature "ssh-server-keepalives";
+ presence
+ "Indicates that the SSH server proactively tests the
+ aliveness of the remote SSH client.";
+ description
+ "Configures the keep-alive policy, to proactively test
+ the aliveness of the SSL client. An unresponsive SSL
+ client is dropped after approximately max-wait *
+ max-attempts seconds. Per Section 4 of RFC 4254,
+ the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST
+ message with a purposely nonexistent 'request name'
+ value (e.g., keepalive@ietf.org) and the 'want reply'
+ value set to '1'.";
+ reference
+ "RFC 4254: The Secure Shell (SSH) Connection Protocol";
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ default "30";
+ description
+ "Sets the amount of time in seconds after which
+ if no data has been received from the SSL client,
+ a SSL-level message will be sent to test the
+ aliveness of the SSL client.";
+ }
+ leaf max-attempts {
+ type uint8;
+ default "3";
+ description
+ "Sets the maximum number of sequential keep-alive
+ messages that can fail to obtain a response from
+ the SSL client before assuming the SSL client is
+ no longer alive.";
+ }
+ }
+ } // grouping ssh-server-grouping
+
+}
diff --git a/modules/ietf-tcp-client@2022-05-24.yang b/modules/ietf-tcp-client@2022-05-24.yang
new file mode 100644
index 0000000..4426353
--- /dev/null
+++ b/modules/ietf-tcp-client@2022-05-24.yang
@@ -0,0 +1,316 @@
+module ietf-tcp-client {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-client";
+ prefix tcpc;
+
+ import ietf-inet-types {
+ prefix inet;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: YANG Data Types and Groupings for Cryptography";
+ }
+
+ import ietf-tcp-common {
+ prefix tcpcmn;
+ reference
+ "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group and the
+ IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ https://datatracker.ietf.org/wg/tcpm
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ TCPM WG list <mailto:tcpm@ietf.org>
+ Authors: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Michael Scharf
+ <mailto:michael.scharf@hs-esslingen.de>";
+
+ description
+ "This module defines reusable groupings for TCP clients that
+ can be used as a basis for specific TCP client instances.
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC DDDD
+ (https://www.rfc-editor.org/info/rfcDDDD); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-05-24 {
+ description
+ "Initial version";
+ reference
+ "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ // Features
+
+ feature local-binding-supported {
+ description
+ "Indicates that the server supports configuring local
+ bindings (i.e., the local address and local port) for
+ TCP clients.";
+ }
+
+ feature tcp-client-keepalives {
+ description
+ "Per socket TCP keepalive parameters are configurable for
+ TCP clients on the server implementing this feature.";
+ }
+
+ feature proxy-connect {
+ description
+ "Proxy connection configuration is configurable for
+ TCP clients on the server implementing this feature.";
+ }
+
+ feature socks5-gss-api {
+ description
+ "Indicates that the server supports authenticating
+ using GSSAPI when initiating TCP connections via
+ and SOCKS Version 5 proxy server.";
+ reference
+ "RFC 1928: SOCKS Protocol Version 5";
+ }
+
+ feature socks5-username-password {
+ description
+ "Indicates that the server supports authenticating using
+ username/password when initiating TCP connections via
+ and SOCKS Version 5 proxy server.";
+ reference
+ "RFC 1928: SOCKS Protocol Version 5";
+ }
+
+ // Groupings
+
+ grouping tcp-client-grouping {
+ description
+ "A reusable grouping for configuring a TCP client.
+
+ Note that this grouping uses fairly typical descendant
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'tcp-client-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+
+ leaf remote-address {
+ type inet:host;
+ mandatory true;
+ description
+ "The IP address or hostname of the remote peer to
+ establish a connection with. If a domain name is
+ configured, then the DNS resolution should happen on
+ each connection attempt. If the DNS resolution
+ results in multiple IP addresses, the IP addresses
+ are tried according to local preference order until
+ a connection has been established or until all IP
+ addresses have failed.";
+ }
+ leaf remote-port {
+ type inet:port-number;
+ default "0";
+ description
+ "The IP port number for the remote peer to establish a
+ connection with. An invalid default value (0) is used
+ (instead of 'mandatory true') so that as application
+ level data model may 'refine' it with an application
+ specific default port number value.";
+ }
+ leaf local-address {
+ if-feature "local-binding-supported";
+ type inet:ip-address;
+ description
+ "The local IP address/interface (VRF?) to bind to for when
+ connecting to the remote peer. INADDR_ANY ('0.0.0.0') or
+ INADDR6_ANY ('0:0:0:0:0:0:0:0' a.k.a. '::') MAY be used to
+ explicitly indicate the implicit default, that the server
+ can bind to any IPv4 or IPv6 addresses, respectively.";
+ }
+ leaf local-port {
+ if-feature "local-binding-supported";
+ type inet:port-number;
+ default "0";
+ description
+ "The local IP port number to bind to for when connecting
+ to the remote peer. The port number '0', which is the
+ default value, indicates that any available local port
+ number may be used.";
+ }
+ container proxy-server {
+ if-feature "proxy-connect";
+ presence
+ "Indicates that a proxy connection has been configured.
+ Present so that the mandatory descendant nodes do not
+ imply that this node must be configured.";
+ choice proxy-type {
+ mandatory true;
+ description
+ "Selects a proxy connection protocol.";
+ case socks4 {
+ container socks4-parameters {
+ leaf remote-address {
+ type inet:ip-address;
+ mandatory true;
+ description
+ "The IP address of the proxy server.";
+ }
+ leaf remote-port {
+ type inet:port-number;
+ default "1080";
+ description
+ "The IP port number for the proxy server.";
+ }
+ description
+ "Parameters for connecting to a TCP-based proxy
+ server using the SOCKS4 protocol.";
+ reference
+ "SOCKS, Proceedings: 1992 Usenix Security Symposium.";
+ }
+ }
+ case socks4a {
+ container socks4a-parameters {
+ leaf remote-address {
+ type inet:host;
+ mandatory true;
+ description
+ "The IP address or hostname of the proxy server.";
+ }
+ leaf remote-port {
+ type inet:port-number;
+ default "1080";
+ description
+ "The IP port number for the proxy server.";
+ }
+ description
+ "Parameters for connecting to a TCP-based proxy
+ server using the SOCKS4a protocol.";
+ reference
+ "SOCKS Proceedings:
+ 1992 Usenix Security Symposium.
+ OpenSSH message:
+ SOCKS 4A: A Simple Extension to SOCKS 4 Protocol
+ https://www.openssh.com/txt/socks4a.protocol";
+ }
+ }
+ case socks5 {
+ container socks5-parameters {
+ leaf remote-address {
+ type inet:host;
+ mandatory true;
+ description
+ "The IP address or hostname of the proxy server.";
+ }
+ leaf remote-port {
+ type inet:port-number;
+ default "1080";
+ description
+ "The IP port number for the proxy server.";
+ }
+ container authentication-parameters {
+ presence
+ "Indicates that an authentication mechanism
+ has been configured. Present so that the
+ mandatory descendant nodes do not imply that
+ this node must be configured.";
+ description
+ "A container for SOCKS Version 5 authentication
+ mechanisms.
+
+ A complete list of methods is defined at:
+ https://www.iana.org/assignments/socks-methods
+ /socks-methods.xhtml.";
+ reference
+ "RFC 1928: SOCKS Protocol Version 5";
+ choice auth-type {
+ mandatory true;
+ description
+ "A choice amongst supported SOCKS Version 5
+ authentication mechanisms.";
+ case gss-api {
+ if-feature "socks5-gss-api";
+ container gss-api {
+ description
+ "Contains GSS-API configuration. Defines
+ as an empty container to enable specific
+ GSS-API configuration to be augmented in
+ by future modules.";
+ reference
+ "RFC 1928: SOCKS Protocol Version 5
+ RFC 2743: Generic Security Service
+ Application Program Interface
+ Version 2, Update 1";
+ }
+ }
+ case username-password {
+ if-feature "socks5-username-password";
+ container username-password {
+ leaf username {
+ type string;
+ mandatory true;
+ description
+ "The 'username' value to use for client
+ identification.";
+ }
+ uses ct:password-grouping {
+ description
+ "The password to be used for client
+ authentication.";
+ }
+ description
+ "Contains Username/Password configuration.";
+ reference
+ "RFC 1929: Username/Password Authentication
+ for SOCKS V5";
+ }
+ }
+ }
+ }
+ description
+ "Parameters for connecting to a TCP-based proxy server
+ using the SOCKS5 protocol.";
+ reference
+ "RFC 1928: SOCKS Protocol Version 5";
+ }
+ }
+ }
+ description
+ "Proxy server settings.";
+ }
+
+ uses tcpcmn:tcp-common-grouping {
+ augment "keepalives" {
+ if-feature "tcp-client-keepalives";
+ description
+ "Add an if-feature statement so that implementations
+ can choose to support TCP client keepalives.";
+ }
+ }
+ }
+}
diff --git a/modules/ietf-tcp-common@2022-05-24.yang b/modules/ietf-tcp-common@2022-05-24.yang
new file mode 100644
index 0000000..e9a927d
--- /dev/null
+++ b/modules/ietf-tcp-common@2022-05-24.yang
@@ -0,0 +1,115 @@
+module ietf-tcp-common {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-common";
+ prefix tcpcmn;
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group and the
+ IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ https://datatracker.ietf.org/wg/tcpm
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ TCPM WG list <mailto:tcpm@ietf.org>
+ Authors: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Michael Scharf
+ <mailto:michael.scharf@hs-esslingen.de>";
+
+ description
+ "This module defines reusable groupings for TCP commons that
+ can be used as a basis for specific TCP common instances.
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC DDDD
+ (https://www.rfc-editor.org/info/rfcDDDD); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-05-24 {
+ description
+ "Initial version";
+ reference
+ "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ // Features
+
+ feature keepalives-supported {
+ description
+ "Indicates that keepalives are supported.";
+ }
+
+ // Groupings
+
+ grouping tcp-common-grouping {
+ description
+ "A reusable grouping for configuring TCP parameters common
+ to TCP connections as well as the operating system as a
+ whole.";
+ container keepalives {
+ if-feature "keepalives-supported";
+ presence
+ "Indicates that keepalives are enabled. This statement is
+ present so the mandatory descendant nodes do not imply that
+ this node must be configured.";
+ description
+ "Configures the keep-alive policy, to proactively test the
+ aliveness of the TCP peer. An unresponsive TCP peer is
+ dropped after approximately (idle-time + max-probes
+ * probe-interval) seconds.";
+ leaf idle-time {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ mandatory true;
+ description
+ "Sets the amount of time after which if no data has been
+ received from the TCP peer, a TCP-level probe message
+ will be sent to test the aliveness of the TCP peer.
+ Two hours (7200 seconds) is safe value, per RFC 1122.";
+ reference
+ "RFC 1122:
+ Requirements for Internet Hosts -- Communication Layers";
+ }
+ leaf max-probes {
+ type uint16 {
+ range "1..max";
+ }
+ mandatory true;
+ description
+ "Sets the maximum number of sequential keep-alive probes
+ that can fail to obtain a response from the TCP peer
+ before assuming the TCP peer is no longer alive.";
+ }
+ leaf probe-interval {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ mandatory true;
+ description
+ "Sets the time interval between failed probes. The interval
+ SHOULD be significantly longer than one second in order to
+ avoid harm on a congested link.";
+ }
+ } // container keepalives
+ } // grouping tcp-common-grouping
+
+}
diff --git a/modules/ietf-tcp-server@2022-05-24.yang b/modules/ietf-tcp-server@2022-05-24.yang
new file mode 100644
index 0000000..b465dfe
--- /dev/null
+++ b/modules/ietf-tcp-server@2022-05-24.yang
@@ -0,0 +1,114 @@
+module ietf-tcp-server {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-server";
+ prefix tcps;
+
+ import ietf-inet-types {
+ prefix inet;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-tcp-common {
+ prefix tcpcmn;
+ reference
+ "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group and the
+ IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ https://datatracker.ietf.org/wg/tcpm
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ TCPM WG list <mailto:tcpm@ietf.org>
+ Authors: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Michael Scharf
+ <mailto:michael.scharf@hs-esslingen.de>";
+
+ description
+ "This module defines reusable groupings for TCP servers that
+ can be used as a basis for specific TCP server instances.
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC DDDD
+ (https://www.rfc-editor.org/info/rfcDDDD); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-05-24 {
+ description
+ "Initial version";
+ reference
+ "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ // Features
+
+ feature tcp-server-keepalives {
+ description
+ "Per socket TCP keepalive parameters are configurable for
+ TCP servers on the server implementing this feature.";
+ }
+
+ // Groupings
+
+ grouping tcp-server-grouping {
+ description
+ "A reusable grouping for configuring a TCP server.
+
+ Note that this grouping uses fairly typical descendant
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'tcp-server-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+ leaf local-address {
+ type inet:ip-address;
+ mandatory true;
+ description
+ "The local IP address to listen on for incoming
+ TCP client connections. INADDR_ANY (0.0.0.0) or
+ INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be
+ used when the server is to listen on all IPv4 or
+ IPv6 addresses, respectively.";
+ }
+ leaf local-port {
+ type inet:port-number;
+ default "0";
+ description
+ "The local port number to listen on for incoming TCP
+ client connections. An invalid default value (0)
+ is used (instead of 'mandatory true') so that an
+ application level data model may 'refine' it with
+ an application specific default port number value.";
+ }
+ uses tcpcmn:tcp-common-grouping {
+ augment "keepalives" {
+ if-feature "tcp-server-keepalives";
+ description
+ "Add an if-feature statement so that implementations
+ can choose to support TCP server keepalives.";
+ }
+ }
+ }
+}
diff --git a/modules/ietf-tls-common@2022-07-18.yang b/modules/ietf-tls-common@2022-07-18.yang
new file mode 100644
index 0000000..fb48c4c
--- /dev/null
+++ b/modules/ietf-tls-common@2022-07-18.yang
@@ -0,0 +1,311 @@
+module ietf-tls-common {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
+ prefix tlscmn;
+
+ import iana-tls-cipher-suite-algs {
+ prefix tlscsa;
+ reference
+ "RFC FFFF: YANG Groupings for TLS Clients and SSH Servers";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: YANG Data Types and Groupings for Cryptography";
+ }
+
+ import ietf-keystore {
+ prefix ks;
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ WG Web: https://datatracker.ietf.org/wg/netconf
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Jeff Hartley <mailto:jeff.hartley@commscope.com>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+
+ description
+ "This module defines a common features and groupings for
+ Transport Layer Security (TLS).
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC FFFF
+ (https://www.rfc-editor.org/info/rfcFFFF); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-07-18 {
+ description
+ "Initial version";
+ reference
+ "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ // Features
+
+ feature tls10 {
+ status "obsolete";
+ description
+ "TLS Protocol Version 1.0 is supported. TLS 1.0 is obsolete
+ and thus it is NOT RECOMMENDED to enable this feature.";
+ reference
+ "RFC 2246: The TLS Protocol Version 1.0";
+ }
+
+ feature tls11 {
+ status "obsolete";
+ description
+ "TLS Protocol Version 1.1 is supported. TLS 1.1 is obsolete
+ and thus it is NOT RECOMMENDED to enable this feature.";
+ reference
+ "RFC 4346: The Transport Layer Security (TLS) Protocol
+ Version 1.1";
+ }
+
+ feature tls12 {
+ status "deprecated";
+ description
+ "TLS Protocol Version 1.2 is supported TLS 1.2 is obsolete
+ and thus it is NOT RECOMMENDED to enable this feature.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ feature tls13 {
+ description
+ "TLS Protocol Version 1.3 is supported.";
+ reference
+ "RFC 8446: The Transport Layer Security (TLS)
+ Protocol Version 1.3";
+ }
+
+ feature hello-params {
+ description
+ "TLS hello message parameters are configurable.";
+ }
+
+ feature public-key-generation {
+ description
+ "Indicates that the server implements the
+ 'generate-public-key' RPC.";
+ }
+
+ // Identities
+
+ identity tls-version-base {
+ description
+ "Base identity used to identify TLS protocol versions.";
+ }
+
+ identity tls10 {
+ if-feature "tls10";
+ base tls-version-base;
+ status "obsolete";
+ description
+ "TLS Protocol Version 1.0.";
+ reference
+ "RFC 2246: The TLS Protocol Version 1.0";
+ }
+
+ identity tls11 {
+ if-feature "tls11";
+ base tls-version-base;
+ status "obsolete";
+ description
+ "TLS Protocol Version 1.1.";
+ reference
+ "RFC 4346: The Transport Layer Security (TLS) Protocol
+ Version 1.1";
+ }
+
+ identity tls12 {
+ if-feature "tls12";
+ base tls-version-base;
+ status "deprecated";
+ description
+ "TLS Protocol Version 1.2.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ identity tls13 {
+ if-feature "tls13";
+ base tls-version-base;
+ description
+ "TLS Protocol Version 1.3.";
+ reference
+ "RFC 8446: The Transport Layer Security (TLS)
+ Protocol Version 1.3";
+ }
+
+ typedef epsk-supported-hash {
+ type enumeration {
+ enum sha-256 {
+ description
+ "The SHA-256 Hash.";
+ }
+ enum sha-384 {
+ description
+ "The SHA-384 Hash.";
+ }
+ }
+ description
+ "As per Section 4.2.11 of RFC 8446, the hash algorithm
+ supported by an instance of an External Pre-Shared
+ Key (EPSK).";
+ reference
+ "RFC 8446: The Transport Layer Security (TLS)
+ Protocol Version 1.3
+ I-D.ietf-tls-external-psk-importer: Importing
+ External PSKs for TLS
+ I-D.ietf-tls-external-psk-guidance: Guidance
+ for External PSK Usage in TLS";
+ }
+
+ // Groupings
+
+ grouping hello-params-grouping {
+ description
+ "A reusable grouping for TLS hello message parameters.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2
+ RFC 8446: The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ container tls-versions {
+ description
+ "Parameters regarding TLS versions.";
+ leaf-list tls-version {
+ type identityref {
+ base tls-version-base;
+ }
+ description
+ "Acceptable TLS protocol versions.
+
+ If this leaf-list is not configured (has zero elements)
+ the acceptable TLS protocol versions are implementation-
+ defined.";
+ }
+ }
+ container cipher-suites {
+ description
+ "Parameters regarding cipher suites.";
+ leaf-list cipher-suite {
+ type identityref {
+ base tlscsa:cipher-suite-alg-base;
+ }
+ ordered-by user;
+ description
+ "Acceptable cipher suites in order of descending
+ preference. The configured host key algorithms should
+ be compatible with the algorithm used by the configured
+ private key. Please see Section 5 of RFC FFFF for
+ valid combinations.
+
+ If this leaf-list is not configured (has zero elements)
+ the acceptable cipher suites are implementation-
+ defined.";
+ reference
+ "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
+ }
+ }
+ } // hello-params-grouping
+
+ rpc generate-public-key {
+ if-feature "public-key-generation";
+ description
+ "Requests the device to generate an public key using
+ the specified key algorithm.";
+ input {
+ leaf algorithm {
+ type tlscsa:cipher-suite-algorithm-ref;
+ mandatory true;
+ description
+ "The cipher suite algorithm that the generated key is
+ to work with. Implementations derive the public key
+ algorithm from the cipher suite algorithm. Example:
+ cipher suite 'tls-rsa-with-aes-256-cbc-sha256' maps
+ to the RSA public key.";
+ }
+ leaf bits {
+ type uint16;
+ description
+ "Specifies the number of bits in the key to create.
+ For RSA keys, the minimum size is 1024 bits and
+ the default is 3072 bits. Generally, 3072 bits is
+ considered sufficient. DSA keys must be exactly 1024
+ bits as specified by FIPS 186-2. For elliptical
+ keys, the 'bits' value determines the key length
+ of the curve (e.g., 256, 384 or 521), where valid
+ values supported by the server are conveyed via an
+ unspecified mechanism. For some public algorithms,
+ the keys have a fixed length and the 'bits' value,
+ if specified, will be ignored.";
+ }
+ choice private-key-encoding {
+ default cleartext;
+ description
+ "A choice amongst optional private key handling.";
+ case cleartext {
+ leaf cleartext {
+ type empty;
+ description
+ "Indicates that the private key is to be returned
+ as a cleartext value.";
+ }
+ }
+ case encrypt {
+ if-feature "ct:private-key-encryption";
+ container encrypt-with {
+ description
+ "Indicates that the key is to be encrypted using
+ the specified symmetric or asymmetric key.";
+ uses ks:encrypted-by-choice-grouping;
+ }
+ }
+ case hide {
+ if-feature "ct:hidden-keys";
+ leaf hide {
+ type empty;
+ description
+ "Indicates that the private key is to be hidden.
+
+ Unlike the 'cleartext' and 'encrypt' options, the
+ key returned is a placeholder for an internally
+ stored key. See the 'Support for Built-in Keys'
+ section in RFC CCCC for information about hidden
+ keys.";
+ }
+ }
+ }
+ }
+ output {
+ uses ct:asymmetric-key-pair-grouping;
+ }
+ } // end generate-public-key
+
+}
diff --git a/modules/ietf-tls-server@2022-07-18.yang b/modules/ietf-tls-server@2022-07-18.yang
new file mode 100644
index 0000000..971bd18
--- /dev/null
+++ b/modules/ietf-tls-server@2022-07-18.yang
@@ -0,0 +1,525 @@
+module ietf-tls-server {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
+ prefix tlss;
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: YANG Data Types and Groupings for Cryptography";
+ }
+
+ import ietf-truststore {
+ prefix ts;
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ }
+
+ import ietf-keystore {
+ prefix ks;
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ }
+
+ import ietf-tls-common {
+ prefix tlscmn;
+ revision-date 2022-07-18; // stable grouping definitions
+ reference
+ "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ WG Web: https://datatracker.ietf.org/wg/netconf
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Jeff Hartley <mailto:jeff.hartley@commscope.com>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+
+ description
+ "This module defines reusable groupings for TLS servers that
+ can be used as a basis for specific TLS server instances.
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC FFFF
+ (https://www.rfc-editor.org/info/rfcFFFF); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-07-18 {
+ description
+ "Initial version";
+ reference
+ "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ // Features
+
+ feature tls-server-keepalives {
+ description
+ "Per socket TLS keepalive parameters are configurable for
+ TLS servers on the server implementing this feature.";
+ }
+
+ feature server-ident-x509-cert {
+ description
+ "Indicates that the server supports identifying itself
+ using X.509 certificates.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile";
+ }
+
+ feature server-ident-raw-public-key {
+ description
+ "Indicates that the server supports identifying itself
+ using raw public keys.";
+ reference
+ "RFC 7250:
+ Using Raw Public Keys in Transport Layer Security (TLS)
+ and Datagram Transport Layer Security (DTLS)";
+ }
+
+ feature server-ident-tls12-psk {
+ description
+ "Indicates that the server supports identifying itself
+ using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys).";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for Transport Layer Security
+ (TLS)";
+ }
+
+ feature server-ident-tls13-epsk {
+ description
+ "Indicates that the server supports identifying itself
+ using TLS-1.3 External PSKs (pre-shared keys).";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ feature client-auth-supported {
+ description
+ "Indicates that the configuration for how to authenticate
+ clients can be configured herein. TLS-level client
+ authentication may not be needed when client authentication
+ is expected to occur only at another protocol layer.";
+ }
+
+ feature client-auth-x509-cert {
+ description
+ "Indicates that the server supports authenticating clients
+ using X.509 certificates.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile";
+ }
+
+ feature client-auth-raw-public-key {
+ description
+ "Indicates that the server supports authenticating clients
+ using raw public keys.";
+ reference
+ "RFC 7250:
+ Using Raw Public Keys in Transport Layer Security (TLS)
+ and Datagram Transport Layer Security (DTLS)";
+ }
+
+ feature client-auth-tls12-psk {
+ description
+ "Indicates that the server supports authenticating clients
+ using PSKs (pre-shared or pairwise-symmetric keys).";
+ reference
+ "RFC 4279:
+ Pre-Shared Key Ciphersuites for Transport Layer Security
+ (TLS)";
+ }
+
+ feature client-auth-tls13-epsk {
+ description
+ "Indicates that the server supports authenticating clients
+ using TLS-1.3 External PSKs (pre-shared keys).";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ // Groupings
+
+ grouping tls-server-grouping {
+ description
+ "A reusable grouping for configuring a TLS server without
+ any consideration for how underlying TCP sessions are
+ established.
+
+ Note that this grouping uses fairly typical descendant
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'tls-server-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+
+ container server-identity {
+ nacm:default-deny-write;
+ description
+ "A locally-defined or referenced end-entity certificate,
+ including any configured intermediate certificates, the
+ TLS server will present when establishing a TLS connection
+ in its Certificate message, as defined in Section 7.4.2
+ in RFC 5246 and Section 4.4.2 in RFC 8446.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2
+ RFC 8446: The Transport Layer Security (TLS) Protocol
+ Version 1.3
+ RFC CCCC: A YANG Data Model for a Keystore";
+ choice auth-type {
+ mandatory true;
+ description
+ "A choice amongst authentication types, of which one must
+ be enabled (via its associated 'feature') and selected.";
+ case certificate {
+ if-feature "server-ident-x509-cert";
+ container certificate {
+ description
+ "Specifies the server identity using a certificate.";
+ uses
+ ks:local-or-keystore-end-entity-cert-with-key-grouping{
+ refine "local-or-keystore/local/local-definition" {
+ must 'public-key-format'
+ + ' = "ct:subject-public-key-info-format"';
+ }
+ refine "local-or-keystore/keystore/keystore-reference"
+ + "/asymmetric-key" {
+ must 'deref(.)/../ks:public-key-format'
+ + ' = "ct:subject-public-key-info-format"';
+ }
+ }
+ }
+ }
+ case raw-private-key {
+ if-feature "server-ident-raw-public-key";
+ container raw-private-key {
+ description
+ "Specifies the server identity using a raw
+ private key.";
+ uses ks:local-or-keystore-asymmetric-key-grouping {
+ refine "local-or-keystore/local/local-definition" {
+ must 'public-key-format'
+ + ' = "ct:subject-public-key-info-format"';
+ }
+ refine "local-or-keystore/keystore/keystore-reference"{
+ must 'deref(.)/../ks:public-key-format'
+ + ' = "ct:subject-public-key-info-format"';
+ }
+ }
+ }
+ }
+ case tls12-psk {
+ if-feature "server-ident-tls12-psk";
+ container tls12-psk {
+ description
+ "Specifies the server identity using a PSK (pre-shared
+ or pairwise-symmetric key).";
+ uses ks:local-or-keystore-symmetric-key-grouping;
+ leaf id_hint {
+ type string;
+ description
+ "The key 'psk_identity_hint' value used in the TLS
+ 'ServerKeyExchange' message.";
+ reference
+ "RFC 4279: Pre-Shared Key Ciphersuites for
+ Transport Layer Security (TLS)";
+ }
+ }
+ }
+ case tls13-epsk {
+ if-feature "server-ident-tls13-epsk";
+ container tls13-epsk {
+ description
+ "An External Pre-Shared Key (EPSK) is established
+ or provisioned out-of-band, i.e., not from a TLS
+ connection. An EPSK is a tuple of (Base Key,
+ External Identity, Hash). External PSKs MUST
+ NOT be imported for (D)TLS 1.2 or prior versions.
+ When PSKs are provisioned out of band, the PSK
+ identity and the KDF hash algorithm to be used
+ with the PSK MUST also be provisioned.
+
+ The structure of this container is designed
+ to satisfy the requirements of RFC 8446
+ Section 4.2.11, the recommendations from
+ I-D ietf-tls-external-psk-guidance Section 6,
+ and the EPSK input fields detailed in
+ I-D draft-ietf-tls-external-psk-importer
+ Section 3.1. The base-key is based upon
+ ks:local-or-keystore-symmetric-key-grouping
+ in order to provide users with flexible and
+ secure storage options.";
+ reference
+ "RFC 8446: The Transport Layer Security (TLS)
+ Protocol Version 1.3
+ I-D.ietf-tls-external-psk-importer: Importing
+ External PSKs for TLS
+ I-D.ietf-tls-external-psk-guidance: Guidance
+ for External PSK Usage in TLS";
+ uses ks:local-or-keystore-symmetric-key-grouping;
+ leaf external-identity {
+ type string;
+ mandatory true;
+ description
+ "As per Section 4.2.11 of RFC 8446, and Section 4.1
+ of I-D. ietf-tls-external-psk-guidance: A sequence
+ of bytes used to identify an EPSK. A label for a
+ pre-shared key established externally.";
+ reference
+ "RFC 8446: The Transport Layer Security (TLS)
+ Protocol Version 1.3
+ I-D.ietf-tls-external-psk-guidance:
+ Guidance for External PSK Usage in TLS";
+ }
+ leaf hash {
+ type tlscmn:epsk-supported-hash;
+ mandatory true;
+ description
+ "As per Section 4.2.11 of RFC 8446, for externally
+ established PSKs, the Hash algorithm MUST be set
+ when the PSK is established or default to SHA-256
+ if no such algorithm is defined. The server MUST
+ ensure that it selects a compatible PSK (if any)
+ and cipher suite. Each PSK MUST only be used
+ with a single hash function.";
+ reference
+ "RFC 8446: The Transport Layer Security (TLS)
+ Protocol Version 1.3";
+ }
+ leaf context {
+ type string;
+ description
+ "As per Section 4.1 of I-D.
+ ietf-tls-external-psk-guidance: Context
+ may include information about peer roles or
+ identities to mitigate Selfie-style reflection
+ attacks [Selfie]. If the EPSK is a key derived
+ from some other protocol or sequence of protocols,
+ context MUST include a channel binding for the
+ deriving protocols [RFC5056]. The details of
+ this binding are protocol specific.";
+ reference
+ "I-D.ietf-tls-external-psk-importer:
+ Importing External PSKs for TLS
+ I-D.ietf-tls-external-psk-guidance:
+ Guidance for External PSK Usage in TLS";
+ }
+ leaf target-protocol {
+ type uint16;
+ description
+ "As per Section 3.1 of I-D.
+ ietf-tls-external-psk-guidance: The protocol
+ for which a PSK is imported for use.";
+ reference
+ "I-D.ietf-tls-external-psk-importer:
+ Importing External PSKs for TLS";
+ }
+ leaf target-kdf {
+ type uint16;
+ description
+ "As per Section 3.1 of I-D.
+ ietf-tls-external-psk-guidance: The specific Key
+ Derivation Function (KDF) for which a PSK is
+ imported for use.";
+ reference
+ "I-D.ietf-tls-external-psk-importer:
+ Importing External PSKs for TLS";
+ }
+ }
+ }
+ }
+ } // container server-identity
+
+ container client-authentication {
+ if-feature "client-auth-supported";
+ nacm:default-deny-write;
+ must 'ca-certs or ee-certs or raw-public-keys or tls12-psks
+ or tls13-epsks';
+ presence
+ "Indicates that client authentication is supported (i.e.,
+ that the server will request clients send certificates).
+ If not configured, the TLS server SHOULD NOT request the
+ TLS clients provide authentication credentials.";
+ description
+ "Specifies how the TLS server can authenticate TLS clients.
+ Any combination of credentials is additive and unordered.
+
+ Note that no configuration is required for PSK (pre-shared
+ or pairwise-symmetric key) based authentication as the key
+ is necessarily the same as configured in the '../server-
+ identity' node.";
+ container ca-certs {
+ if-feature "client-auth-x509-cert";
+ presence
+ "Indicates that CA certificates have been configured.
+ This statement is present so the mandatory descendant
+ nodes do not imply that this node must be configured.";
+ description
+ "A set of certificate authority (CA) certificates used by
+ the TLS server to authenticate TLS client certificates.
+ A client certificate is authenticated if it has a valid
+ chain of trust to a configured CA certificate.";
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ container ee-certs {
+ if-feature "client-auth-x509-cert";
+ presence
+ "Indicates that EE certificates have been configured.
+ This statement is present so the mandatory descendant
+ nodes do not imply that this node must be configured.";
+ description
+ "A set of client certificates (i.e., end entity
+ certificates) used by the TLS server to authenticate
+ certificates presented by TLS clients. A client
+ certificate is authenticated if it is an exact
+ match to a configured client certificate.";
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ container raw-public-keys {
+ if-feature "client-auth-raw-public-key";
+ presence
+ "Indicates that raw public keys have been configured.
+ This statement is present so the mandatory descendant
+ nodes do not imply that this node must be configured.";
+ description
+ "A set of raw public keys used by the TLS server to
+ authenticate raw public keys presented by the TLS
+ client. A raw public key is authenticated if it
+ is an exact match to a configured raw public key.";
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-public-keys-grouping {
+ refine "local-or-truststore/local/local-definition"
+ + "/public-key" {
+ must 'public-key-format'
+ + ' = "ct:subject-public-key-info-format"';
+ }
+ refine "local-or-truststore/truststore"
+ + "/truststore-reference" {
+ must 'deref(.)/../*/ts:public-key-format'
+ + ' = "ct:subject-public-key-info-format"';
+ }
+ }
+ }
+ leaf tls12-psks {
+ if-feature "client-auth-tls12-psk";
+ type empty;
+ description
+ "Indicates that the TLS server can authenticate TLS clients
+ using configured PSKs (pre-shared or pairwise-symmetric
+ keys).
+
+ No configuration is required since the PSK value is the
+ same as PSK value configured in the 'server-identity'
+ node.";
+ }
+ leaf tls13-epsks {
+ if-feature "client-auth-tls13-epsk";
+ type empty;
+ description
+ "Indicates that the TLS 1.3 server can authenticate TLS
+ clients using configured external PSKs (pre-shared keys).
+
+ No configuration is required since the PSK value is the
+ same as PSK value configured in the 'server-identity'
+ node.";
+ }
+ } // container client-authentication
+
+ container hello-params {
+ nacm:default-deny-write;
+ if-feature "tlscmn:hello-params";
+ uses tlscmn:hello-params-grouping;
+ description
+ "Configurable parameters for the TLS hello message.";
+ } // container hello-params
+
+ container keepalives {
+ nacm:default-deny-write;
+ if-feature "tls-server-keepalives";
+ description
+ "Configures the keepalive policy for the TLS server.";
+ leaf peer-allowed-to-send {
+ type empty;
+ description
+ "Indicates that the remote TLS client is allowed to send
+ HeartbeatRequest messages, as defined by RFC 6520
+ to this TLS server.";
+ reference
+ "RFC 6520: Transport Layer Security (TLS) and Datagram
+ Transport Layer Security (DTLS) Heartbeat Extension";
+ }
+ container test-peer-aliveness {
+ presence
+ "Indicates that the TLS server proactively tests the
+ aliveness of the remote TLS client.";
+ description
+ "Configures the keep-alive policy to proactively test
+ the aliveness of the TLS client. An unresponsive
+ TLS client is dropped after approximately max-wait
+ * max-attempts seconds.";
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ default "30";
+ description
+ "Sets the amount of time in seconds after which if
+ no data has been received from the TLS client, a
+ TLS-level message will be sent to test the
+ aliveness of the TLS client.";
+ }
+ leaf max-attempts {
+ type uint8;
+ default "3";
+ description
+ "Sets the maximum number of sequential keep-alive
+ messages that can fail to obtain a response from
+ the TLS client before assuming the TLS client is
+ no longer alive.";
+ }
+ }
+ } // container keepalives
+ } // grouping tls-server-grouping
+
+}
diff --git a/modules/ietf-truststore@2022-05-24.yang b/modules/ietf-truststore@2022-05-24.yang
new file mode 100644
index 0000000..7aaf7a2
--- /dev/null
+++ b/modules/ietf-truststore@2022-05-24.yang
@@ -0,0 +1,339 @@
+module ietf-truststore {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-truststore";
+ prefix ts;
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: YANG Data Types and Groupings for Cryptography";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web : https://datatracker.ietf.org/wg/netconf
+ WG List : NETCONF WG list <mailto:netconf@ietf.org>
+ Author : Kent Watsen <kent+ietf@watsen.net>";
+ description
+ "This module defines a 'truststore' to centralize management
+ of trust anchors including certificates and public keys.
+
+ Copyright (c) 2021 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC BBBB
+ (https://www.rfc-editor.org/info/rfcBBBB); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-05-24 {
+ description
+ "Initial version";
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ }
+
+ /****************/
+ /* Features */
+ /****************/
+
+ feature central-truststore-supported {
+ description
+ "The 'central-truststore-supported' feature indicates that
+ the server supports the truststore (i.e., implements the
+ 'ietf-truststore' module).";
+ }
+
+ feature local-definitions-supported {
+ description
+ "The 'local-definitions-supported' feature indicates that
+ the server supports locally-defined trust anchors.";
+ }
+ feature certificates {
+ description
+ "The 'certificates' feature indicates that the server
+ implements the /truststore/certificate-bags subtree.";
+ }
+
+ feature public-keys {
+ description
+ "The 'public-keys' feature indicates that the server
+ implements the /truststore/public-key-bags subtree.";
+ }
+
+ /****************/
+ /* Typedefs */
+ /****************/
+
+ typedef certificate-bag-ref {
+ type leafref {
+ path "/ts:truststore/ts:certificate-bags/"
+ + "ts:certificate-bag/ts:name";
+ }
+ description
+ "This typedef defines a reference to a certificate bag
+ in the truststore, when this module is implemented.";
+ }
+
+ typedef certificate-ref {
+ type leafref {
+ path "/ts:truststore/ts:certificate-bags/ts:certificate-bag"
+ + "[ts:name = current()/../ts:certificate-bag]/"
+ + "ts:certificate/ts:name";
+ }
+ description
+ "This typedef defines a reference to a specific certificate
+ in a certificate bag in the truststore, when this module
+ is implemented. This typedef requires that there exist a
+ sibling 'leaf' node called 'certificate-bag' that SHOULD
+ have the typedef 'certificate-bag-ref'.";
+ }
+
+ typedef public-key-bag-ref {
+ type leafref {
+ path "/ts:truststore/ts:public-key-bags/"
+ + "ts:public-key-bag/ts:name";
+ }
+ description
+ "This typedef defines a reference to a public key bag
+ in the truststore, when this module is implemented.";
+ }
+
+ typedef public-key-ref {
+ type leafref {
+ path "/ts:truststore/ts:public-key-bags/ts:public-key-bag"
+ + "[ts:name = current()/../ts:public-key-bag]/"
+ + "ts:public-key/ts:name";
+ }
+ description
+ "This typedef defines a reference to a specific public key
+ in a public key bag in the truststore, when this module is
+ implemented. This typedef requires that there exist a
+ sibling 'leaf' node called 'public-key-bag' that SHOULD
+ have the typedef 'public-key-bag-ref'.";
+ }
+
+ /*****************/
+ /* Groupings */
+ /*****************/
+
+ grouping local-or-truststore-certs-grouping {
+ description
+ "A grouping that allows the certificates to be either
+ configured locally, within the using data model, or be a
+ reference to a certificate bag stored in the truststore.
+
+ Servers that do not 'implement' this module, and hence
+ 'central-truststore-supported' is not defined, SHOULD
+ augment in custom 'case' statements enabling references
+ to the alternate truststore locations.";
+ choice local-or-truststore {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the truststore.";
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "A container for locally configured trust anchor
+ certificates.";
+ list certificate {
+ key "name";
+ min-elements 1;
+ description
+ "A trust anchor certificate.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this certificate.";
+ }
+ uses ct:trust-anchor-cert-grouping {
+ refine "cert-data" {
+ mandatory true;
+ }
+ }
+ }
+ }
+ }
+ case truststore {
+ if-feature "central-truststore-supported";
+ if-feature "certificates";
+ leaf truststore-reference {
+ type ts:certificate-bag-ref;
+ description
+ "A reference to a certificate bag that exists in the
+ truststore, when this module is implemented.";
+ }
+ }
+ }
+ }
+
+ grouping local-or-truststore-public-keys-grouping {
+ description
+ "A grouping that allows the public keys to be either
+ configured locally, within the using data model, or be a
+ reference to a public key bag stored in the truststore.
+
+ Servers that do not 'implement' this module, and hence
+ 'central-truststore-supported' is not defined, SHOULD
+ augment in custom 'case' statements enabling references
+ to the alternate truststore locations.";
+ choice local-or-truststore {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the truststore.";
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "A container to hold local public key definitions.";
+ list public-key {
+ key "name";
+ description
+ "A public key definition.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this public key.";
+ }
+ uses ct:public-key-grouping;
+ }
+ }
+ }
+ case truststore {
+ if-feature "central-truststore-supported";
+ if-feature "public-keys";
+ leaf truststore-reference {
+ type ts:public-key-bag-ref;
+ description
+ "A reference to a bag of public keys that exists
+ in the truststore, when this module is implemented.";
+ }
+ }
+ }
+ }
+
+ grouping truststore-grouping {
+ description
+ "A grouping definition that enables use in other contexts.
+ Where used, implementations MUST augment new 'case'
+ statements into the various local-or-truststore 'choice'
+ statements to supply leafrefs to the model-specific
+ location(s).";
+ container certificate-bags {
+ nacm:default-deny-write;
+ if-feature "certificates";
+ description
+ "A collection of certificate bags.";
+ list certificate-bag {
+ key "name";
+ description
+ "A bag of certificates. Each bag of certificates SHOULD
+ be for a specific purpose. For instance, one bag could
+ be used to authenticate a specific set of servers, while
+ another could be used to authenticate a specific set of
+ clients.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this bag of certificates.";
+ }
+ leaf description {
+ type string;
+ description
+ "A description for this bag of certificates. The
+ intended purpose for the bag SHOULD be described.";
+ }
+ list certificate {
+ key "name";
+ description
+ "A trust anchor certificate.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this certificate.";
+ }
+ uses ct:trust-anchor-cert-grouping {
+ refine "cert-data" {
+ mandatory true;
+ }
+ }
+ }
+ }
+ }
+ container public-key-bags {
+ nacm:default-deny-write;
+ if-feature "public-keys";
+ description
+ "A collection of public key bags.";
+ list public-key-bag {
+ key "name";
+ description
+ "A bag of public keys. Each bag of keys SHOULD be for
+ a specific purpose. For instance, one bag could be used
+ authenticate a specific set of servers, while another
+ could be used to authenticate a specific set of clients.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this bag of public keys.";
+ }
+ leaf description {
+ type string;
+ description
+ "A description for this bag public keys. The
+ intended purpose for the bag SHOULD be described.";
+ }
+ list public-key {
+ key "name";
+ description
+ "A public key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this public key.";
+ }
+ uses ct:public-key-grouping;
+ }
+ }
+ }
+ }
+
+ /*********************************/
+ /* Protocol accessible nodes */
+ /*********************************/
+
+ container truststore {
+ if-feature central-truststore-supported;
+ nacm:default-deny-write;
+ description
+ "The truststore contains bags of certificates and
+ public keys.";
+ uses truststore-grouping;
+ }
+}
diff --git a/modules/ietf-x509-cert-to-name.yang b/modules/ietf-x509-cert-to-name.yang
new file mode 100644
index 0000000..53b5484
--- /dev/null
+++ b/modules/ietf-x509-cert-to-name.yang
@@ -0,0 +1,314 @@
+ module ietf-x509-cert-to-name {
+
+ yang-version 1;
+
+ namespace
+ "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
+
+ prefix x509c2n;
+
+ import ietf-yang-types {
+ prefix yang;
+ }
+
+ organization
+ "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
+
+ contact
+ "WG Web: <http://tools.ietf.org/wg/netmod/>
+WG List: <mailto:netmod@ietf.org>
+
+WG Chair: Thomas Nadeau
+ <mailto:tnadeau@lucidvision.com>
+
+WG Chair: Juergen Schoenwaelder
+ <mailto:j.schoenwaelder@jacobs-university.de>
+
+Editor: Martin Bjorklund
+ <mailto:mbj@tail-f.com>
+
+Editor: Juergen Schoenwaelder
+ <mailto:j.schoenwaelder@jacobs-university.de>";
+
+ description
+ "This module contains a collection of YANG definitions for
+extracting a name from an X.509 certificate.
+The algorithm used to extract a name from an X.509 certificate
+was first defined in RFC 6353.
+
+Copyright (c) 2014 IETF Trust and the persons identified as
+authors of the code. All rights reserved.
+
+Redistribution and use in source and binary forms, with or
+without modification, is permitted pursuant to, and subject
+to the license terms contained in, the Simplified BSD License
+set forth in Section 4.c of the IETF Trust's Legal Provisions
+Relating to IETF Documents
+(http://trustee.ietf.org/license-info).
+
+This version of this YANG module is part of RFC 7407; see
+the RFC itself for full legal notices.";
+
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model for
+ the Simple Network Management Protocol (SNMP)";
+
+
+ revision "2014-12-10" {
+ description "Initial revision.";
+ reference
+ "RFC 7407: A YANG Data Model for SNMP Configuration";
+
+ }
+
+
+ typedef tls-fingerprint {
+ type yang:hex-string {
+ pattern
+ '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
+ }
+ description
+ "A fingerprint value that can be used to uniquely reference
+other data of potentially arbitrary length.
+
+A tls-fingerprint value is composed of a 1-octet hashing
+algorithm identifier followed by the fingerprint value. The
+first octet value identifying the hashing algorithm is taken
+from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The
+remaining octets are filled using the results of the hashing
+algorithm.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
+
+ }
+
+ identity cert-to-name {
+ description
+ "Base identity for algorithms to derive a name from a
+certificate.";
+ }
+
+ identity specified {
+ base cert-to-name;
+ description
+ "Directly specifies the name to be used for the certificate.
+The value of the leaf 'name' in the cert-to-name list is
+used.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
+
+ }
+
+ identity san-rfc822-name {
+ base cert-to-name;
+ description
+ "Maps a subjectAltName's rfc822Name to a name. The local part
+of the rfc822Name is passed unaltered, but the host-part of
+the name must be passed in lowercase. For example, the
+rfc822Name field FooBar@Example.COM is mapped to name
+FooBar@example.com.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
+
+ }
+
+ identity san-dns-name {
+ base cert-to-name;
+ description
+ "Maps a subjectAltName's dNSName to a name after first
+converting it to all lowercase (RFC 5280 does not specify
+converting to lowercase, so this involves an extra step).
+This mapping results in a 1:1 correspondence between
+subjectAltName dNSName values and the name values.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
+
+ }
+
+ identity san-ip-address {
+ base cert-to-name;
+ description
+ "Maps a subjectAltName's iPAddress to a name by
+transforming the binary-encoded address as follows:
+
+ 1) for IPv4, the value is converted into a
+ decimal-dotted quad address (e.g., '192.0.2.1').
+
+ 2) for IPv6 addresses, the value is converted into a
+ 32-character, all-lowercase hexadecimal string
+ without any colon separators.
+
+This mapping results in a 1:1 correspondence between
+subjectAltName iPAddress values and the name values.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
+
+ }
+
+ identity san-any {
+ base cert-to-name;
+ description
+ "Maps any of the following fields using the corresponding
+mapping algorithms:
+
+ +------------+-----------------+
+ | Type | Algorithm |
+ |------------+-----------------|
+ | rfc822Name | san-rfc822-name |
+ | dNSName | san-dns-name |
+ | iPAddress | san-ip-address |
+ +------------+-----------------+
+
+The first matching subjectAltName value found in the
+certificate of the above types MUST be used when deriving
+the name. The mapping algorithm specified in the
+'Algorithm' column MUST be used to derive the name.
+
+This mapping results in a 1:1 correspondence between
+subjectAltName values and name values. The three sub-mapping
+algorithms produced by this combined algorithm cannot produce
+conflicting results between themselves.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
+
+ }
+
+ identity common-name {
+ base cert-to-name;
+ description
+ "Maps a certificate's CommonName to a name after converting
+it to a UTF-8 encoding. The usage of CommonNames is
+deprecated, and users are encouraged to use subjectAltName
+mapping methods instead. This mapping results in a 1:1
+correspondence between certificate CommonName values and name
+values.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
+
+ }
+
+ grouping cert-to-name {
+ description
+ "Defines nodes for mapping certificates to names. Modules
+that use this grouping should describe how the resulting
+name is used.";
+ list cert-to-name {
+ key "id";
+ description
+ "This list defines how certificates are mapped to names.
+The name is derived by considering each cert-to-name
+list entry in order. The cert-to-name entry's fingerprint
+determines whether the list entry is a match:
+
+1) If the cert-to-name list entry's fingerprint value
+ matches that of the presented certificate, then consider
+ the list entry a successful match.
+
+2) If the cert-to-name list entry's fingerprint value
+ matches that of a locally held copy of a trusted CA
+ certificate, and that CA certificate was part of the CA
+ certificate chain to the presented certificate, then
+ consider the list entry a successful match.
+
+Once a matching cert-to-name list entry has been found, the
+map-type is used to determine how the name associated with
+the certificate should be determined. See the map-type
+leaf's description for details on determining the name value.
+If it is impossible to determine a name from the cert-to-name
+list entry's data combined with the data presented in the
+certificate, then additional cert-to-name list entries MUST
+be searched to look for another potential match.
+
+Security administrators are encouraged to make use of
+certificates with subjectAltName fields that can be mapped to
+names so that a single root CA certificate can allow all
+child certificates' subjectAltName fields to map directly to
+a name via a 1:1 transformation.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";
+
+ leaf id {
+ type uint32;
+ description
+ "The id specifies the order in which the entries in the
+cert-to-name list are searched. Entries with lower
+numbers are searched first.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
+
+ }
+
+ leaf fingerprint {
+ type tls-fingerprint;
+ mandatory true;
+ description
+ "Specifies a value with which the fingerprint of the
+full certificate presented by the peer is compared. If
+the fingerprint of the full certificate presented by the
+peer does not match the fingerprint configured, then the
+entry is skipped, and the search for a match continues.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
+
+ }
+
+ leaf map-type {
+ type identityref {
+ base cert-to-name;
+ }
+ mandatory true;
+ description
+ "Specifies the algorithm used to map the certificate
+presented by the peer to a name.
+
+Mappings that need additional configuration objects should
+use the 'when' statement to make them conditional based on
+the map-type.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
+
+ }
+
+ leaf name {
+ when
+ "../map-type = 'x509c2n:specified'";
+ type string;
+ mandatory true;
+ description
+ "Directly specifies the NETCONF username when the
+map-type is 'specified'.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
+
+ }
+ } // list cert-to-name
+ } // grouping cert-to-name
+ } // module ietf-x509-cert-to-name
\ No newline at end of file
diff --git a/modules/libnetconf2-netconf-server.yang b/modules/libnetconf2-netconf-server.yang
new file mode 100644
index 0000000..f9b7625
--- /dev/null
+++ b/modules/libnetconf2-netconf-server.yang
@@ -0,0 +1,35 @@
+module libnetconf2-netconf-server {
+ yang-version 1.1;
+ namespace "urn:cesnet:libnetconf2-netconf-server";
+ prefix np2;
+
+ import ietf-netconf-server {
+ prefix ncs;
+ }
+
+ augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
+ leaf auth-attempts {
+ type uint16;
+ default 3;
+ }
+
+ leaf auth-timeout {
+ type uint16;
+ default 10;
+ units "seconds";
+ }
+ }
+
+ augment "/ncs:netconf-server/ncs:listen/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
+ container keyboard-interactive {
+ presence "";
+ leaf pam-config-file-name {
+ type string;
+ mandatory true;
+ }
+ leaf pam-config-file-dir {
+ type string;
+ }
+ }
+ }
+}
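Review bot: None of the four leaves added by the two augments (`auth-attempts`, `auth-timeout`, `pam-config-file-name`, `pam-config-file-dir`) carries a `description` statement, and the `keyboard-interactive` container's `presence ""` is an empty string, so a reader of the model cannot tell what the values mean, what unit of "attempt" is counted, or how `pam-config-file-name` is resolved against `pam-config-file-dir` when the latter is absent. `auth-attempts` and `auth-timeout` are also unrestricted `uint16`, so `0` is a valid configured value; if the implementation treats zero as "no attempts allowed" or "no timeout", a `range "1..max";` on each leaf (or a description stating what zero means) would make that explicit rather than leaving it to the code. Since these leaves feed PAM configuration and authentication limits, I would add a one-line description to each, e.g. `description "Maximum number of client authentication attempts before the session is terminated.";` on `auth-attempts` (wording to be confirmed against the server implementation), and a non-empty `presence` text such as `presence "Enables PAM-backed keyboard-interactive authentication for this user.";`.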
diff --git a/src/config.h.in b/src/config.h.in
index 736eaee..7f36b81 100644
--- a/src/config.h.in
+++ b/src/config.h.in
@@ -52,6 +52,11 @@
/*
* Location of installed YANG modules on the system
*/
+#define NC_SERVER_SEARCH_DIR "@YANG_MODULE_DIR@"
+
+/*
+ * Location of installed YANG modules on the system
+ */
#define NC_CLIENT_SEARCH_DIR "@CLIENT_SEARCH_DIR@"
/*
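Review bot: The comment block left above the new `NC_SERVER_SEARCH_DIR` and the copy inserted above `NC_CLIENT_SEARCH_DIR` are word-for-word identical ("Location of installed YANG modules on the system"), so the header no longer says which search directory is used by the server and which by the client, even though they expand to different CMake variables (`@YANG_MODULE_DIR@` vs `@CLIENT_SEARCH_DIR@`). I would reword the two comments to distinguish them, e.g. ` * Location of installed YANG modules used by the server (YANG_MODULE_DIR)` for the first block and ` * Location of installed YANG modules used by the client (CLIENT_SEARCH_DIR)` for the added one.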
diff --git a/src/config_server.c b/src/config_server.c
new file mode 100644
index 0000000..d0aaeda
--- /dev/null
+++ b/src/config_server.c
@@ -0,0 +1,2389 @@
+/**
+ * @file config_server.c
+ * @author Roman Janota <janota@cesnet.cz>
+ * @brief libnetconf2 server configuration functions
+ *
+ * @copyright
+ * Copyright (c) 2015 - 2021 CESNET, z.s.p.o.
+ *
+ * This source code is licensed under BSD 3-Clause License (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ */
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "compat.h"
+#include "config_server.h"
+#include "libnetconf.h"
+#include "session_server.h"
+#include "session_server_ch.h"
+
+/* All libssh supported host-key, key-exchange, encryption and mac algorithms as of version 0.10.90 */
+
+static const char *supported_hostkey_algs[] = {
+ "ssh-ed25519-cert-v01@openssh.com", "ecdsa-sha2-nistp521-cert-v01@openssh.com",
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ecdsa-sha2-nistp256-cert-v01@openssh.com",
+ "rsa-sha2-512-cert-v01@openssh.com", "rsa-sha2-256-cert-v01@openssh.com",
+ "ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
+ "ssh-ed25519", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp256",
+ "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss", NULL
+};
+
+static const char *supported_kex_algs[] = {
+ "diffie-hellman-group-exchange-sha1", "curve25519-sha256", "curve25519-sha256@libssh.org",
+ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group18-sha512",
+ "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256", NULL
+};
+
+static const char *supported_encryption_algs[] = {
+ "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
+ "aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc", "aes128-cbc",
+ "blowfish-cbc", "3des-cbc", "none", NULL
+};
+
+static const char *supported_mac_algs[] = {
+ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com",
+ "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", NULL
+};
+
+extern struct nc_server_opts server_opts;
+
+/**
+ * @brief Get the pointer to an endpoint structure based on node's location in the YANG data.
+ *
+ * @param[in] node Node from which the endpoint containing this node is derived.
+ * @param[out] endpt Endpoint containing the node.
+ * @param[out] bind Bind corresponding to the endpoint. Optional.
+ * @return 0 on success, 1 on error.
+ */
+static int
+nc_server_get_endpt(const struct lyd_node *node, struct nc_endpt **endpt, struct nc_bind **bind)
+{
+ uint16_t i;
+ const char *endpt_name;
+
+ assert(node);
+
+ while (node) {
+ if (!strcmp(LYD_NAME(node), "endpoint")) {
+ break;
+ }
+ node = lyd_parent(node);
+ }
+
+ if (!node) {
+ ERR(NULL, "Node \"%s\" is not contained in an endpoint subtree.", LYD_NAME(node));
+ return 1;
+ }
+
+ node = lyd_child(node);
+ assert(!strcmp(LYD_NAME(node), "name"));
+ endpt_name = lyd_get_value(node);
+
+ for (i = 0; i < server_opts.endpt_count; i++) {
+ if (!strcmp(server_opts.endpts[i].name, endpt_name)) {
+ *endpt = &server_opts.endpts[i];
+ if (bind) {
+ *bind = &server_opts.binds[i];
+ }
+ return 0;
+ }
+ }
+
+ ERR(NULL, "Endpoint \"%s\" was not found.", endpt_name);
+ return 1;
+}
+
+/**
+ * @brief Get the pointer to a hostkey structure based on node's location in the YANG data.
+ *
+ * @param[in] node Node from which the hotkey containing this node is derived.
+ * @param[in] opts Server SSH opts storing the array of the hostkey structures.
+ * @param[out] hostkey Hostkey containing the node.
+ * @return 0 on success, 1 on error.
+ */
+static int
+nc_server_get_hostkey(const struct lyd_node *node, const struct nc_server_ssh_opts *opts, struct nc_hostkey **hostkey)
+{
+ uint16_t i;
+ const char *hostkey_name;
+
+ assert(node && opts);
+
+ while (node) {
+ if (!strcmp(LYD_NAME(node), "host-key")) {
+ break;
+ }
+ node = lyd_parent(node);
+ }
+
+ if (!node) {
+ ERR(NULL, "Node \"%s\" is not contained in a host-key subtree.", LYD_NAME(node));
+ return 1;
+ }
+
+ node = lyd_child(node);
+ assert(!strcmp(LYD_NAME(node), "name"));
+ hostkey_name = lyd_get_value(node);
+
+ for (i = 0; i < opts->hostkey_count; i++) {
+ if (!strcmp(opts->hostkeys[i].name, hostkey_name)) {
+ *hostkey = &opts->hostkeys[i];
+ return 0;
+ }
+ }
+
+ ERR(NULL, "Host-key \"%s\" was not found.", hostkey_name);
+ return 1;
+}
+
+/**
+ * @brief Get the pointer to a client authentication structure based on node's location in the YANG data.
+ *
+ * @param[in] node Node from which the client-authentication structure containing this node is derived.
+ * @param[in] opts Server SSH opts storing the array of the client authentication structures.
+ * @param[out] auth_client Client authentication structure containing the node.
+ * @return 0 on success, 1 on error.
+ */
+static int
+nc_server_get_auth_client(const struct lyd_node *node, const struct nc_server_ssh_opts *opts, struct nc_client_auth **auth_client)
+{
+ uint16_t i;
+ const char *authkey_name;
+
+ assert(node && opts);
+
+ while (node) {
+ if (!strcmp(LYD_NAME(node), "user")) {
+ break;
+ }
+ node = lyd_parent(node);
+ }
+
+ if (!node) {
+ ERR(NULL, "Node \"%s\" is not contained in a client-authentication subtree.", LYD_NAME(node));
+ return 1;
+ }
+
+ node = lyd_child(node);
+ assert(!strcmp(LYD_NAME(node), "name"));
+ authkey_name = lyd_get_value(node);
+
+ for (i = 0; i < opts->client_count; i++) {
+ if (!strcmp(opts->auth_clients[i].username, authkey_name)) {
+ *auth_client = &opts->auth_clients[i];
+ return 0;
+ }
+ }
+
+ ERR(NULL, "Authorized key \"%s\" was not found.", authkey_name);
+ return 1;
+}
+
+/**
+ * @brief Get the pointer to a client authentication public key structure based on node's location in the YANG data.
+ *
+ * @param[in] node Node from which the ca-public key structure containing this node is derived.
+ * @param[in] auth_client Client authentication structure storing the array of the public key structures.
+ * @param[out] pubkey Public key structure containing the node.
+ * @return 0 on success, 1 on error.
+ */
+static int
+nc_server_get_pubkey(const struct lyd_node *node, const struct nc_client_auth *auth_client, struct nc_client_auth_pubkey **pubkey)
+{
+ uint16_t i;
+ const char *pubkey_name;
+
+ assert(node && auth_client);
+
+ node = lyd_parent(node);
+ while (node) {
+ if (!strcmp(LYD_NAME(node), "public-key")) {
+ break;
+ }
+ node = lyd_parent(node);
+ }
+
+ if (!node) {
+ ERR(NULL, "Node \"%s\" is not contained in a public-key subtree.", LYD_NAME(node));
+ return 1;
+ }
+
+ node = lyd_child(node);
+ assert(!strcmp(LYD_NAME(node), "name"));
+ pubkey_name = lyd_get_value(node);
+
+ for (i = 0; i < auth_client->pubkey_count; i++) {
+ if (!strcmp(auth_client->pubkeys[i].name, pubkey_name)) {
+ *pubkey = &auth_client->pubkeys[i];
+ return 0;
+ }
+ }
+
+ ERR(NULL, "Public key \"%s\" was not found.", pubkey_name);
+ return 1;
+}
+
+/**
+ * @brief Compares the nth-parent name.
+ *
+ * @param[in] node Node of which nth-parent to compare.
+ * @param[in] parent_count Count of parents.
+ * @param[in] parent_name Expected name of the parent.
+ * @return 1 if the name matches, 0 otherwise.
+ */
+static int
+equal_parent_name(const struct lyd_node *node, uint16_t parent_count, const char *parent_name)
+{
+ uint16_t i;
+
+ assert(node && parent_count > 0 && parent_name);
+
+ node = lyd_parent(node);
+ for (i = 1; i < parent_count; i++) {
+ node = lyd_parent(node);
+ }
+
+ if (!strcmp(LYD_NAME(node), parent_name)) {
+ return 1;
+ }
+
+ return 0;
+}
+
+static void
+nc_server_del_auth_client_pam_name(struct nc_client_auth *auth_client)
+{
+ free(auth_client->pam_config_name);
+ auth_client->pam_config_name = NULL;
+}
+
+static void
+nc_server_del_auth_client_pam_dir(struct nc_client_auth *auth_client)
+{
+ free(auth_client->pam_config_dir);
+ auth_client->pam_config_dir = NULL;
+}
+
+static void
+nc_server_del_endpt_name(struct nc_endpt *endpt)
+{
+ free(endpt->name);
+ endpt->name = NULL;
+}
+
+static void
+nc_server_del_local_address(struct nc_bind *bind)
+{
+ free(bind->address);
+ bind->address = NULL;
+}
+
+static void
+nc_server_del_hostkey_name(struct nc_hostkey *hostkey)
+{
+ free(hostkey->name);
+ hostkey->name = NULL;
+}
+
+static void
+nc_server_del_public_key(struct nc_hostkey *hostkey)
+{
+ free(hostkey->pub_base64);
+ hostkey->pub_base64 = NULL;
+}
+
+static void
+nc_server_del_truststore_reference(struct nc_client_auth *client_auth)
+{
+ free(client_auth->ts_reference);
+ client_auth->ts_reference = NULL;
+}
+
+static void
+nc_server_del_private_key(struct nc_hostkey *hostkey)
+{
+ free(hostkey->priv_base64);
+ hostkey->priv_base64 = NULL;
+}
+
+static void
+nc_server_del_keystore_reference(struct nc_hostkey *hostkey)
+{
+ hostkey->keystore = NULL;
+}
+
+static void
+nc_server_del_auth_client_username(struct nc_client_auth *auth_client)
+{
+ free(auth_client->username);
+ auth_client->username = NULL;
+}
+
+static void
+nc_server_del_auth_client_pubkey_name(struct nc_client_auth_pubkey *pubkey)
+{
+ free(pubkey->name);
+ pubkey->name = NULL;
+}
+
+static void
+nc_server_del_auth_client_pubkey_pub_base64(struct nc_client_auth_pubkey *pubkey)
+{
+ free(pubkey->pub_base64);
+ pubkey->pub_base64 = NULL;
+}
+
+static void
+nc_server_del_auth_client_ts_reference(struct nc_client_auth *auth_client)
+{
+ free(auth_client->ts_reference);
+ auth_client->ts_reference = NULL;
+}
+
+static void
+nc_server_del_auth_client_password(struct nc_client_auth *auth_client)
+{
+ free(auth_client->password);
+ auth_client->password = NULL;
+}
+
+static void
+nc_server_del_hostkey_algs(struct nc_server_ssh_opts *opts)
+{
+ free(opts->hostkey_algs);
+ opts->hostkey_algs = NULL;
+}
+
+static void
+nc_server_del_kex_algs(struct nc_server_ssh_opts *opts)
+{
+ free(opts->kex_algs);
+ opts->kex_algs = NULL;
+}
+
+static void
+nc_server_del_encryption_algs(struct nc_server_ssh_opts *opts)
+{
+ free(opts->encryption_algs);
+ opts->encryption_algs = NULL;
+}
+
+static void
+nc_server_del_mac_algs(struct nc_server_ssh_opts *opts)
+{
+ free(opts->mac_algs);
+ opts->mac_algs = NULL;
+}
+
+static void
+nc_server_del_hostkey(struct nc_server_ssh_opts *opts, struct nc_hostkey *hostkey)
+{
+ assert(hostkey->ks_type == NC_STORE_LOCAL || hostkey->ks_type == NC_STORE_KEYSTORE);
+
+ if (hostkey->ks_type == NC_STORE_LOCAL) {
+ nc_server_del_public_key(hostkey);
+ nc_server_del_private_key(hostkey);
+ } else if (hostkey->ks_type == NC_STORE_KEYSTORE) {
+ nc_server_del_keystore_reference(hostkey);
+ }
+
+ nc_server_del_hostkey_name(hostkey);
+ opts->hostkey_count--;
+ if (!opts->hostkey_count) {
+ free(opts->hostkeys);
+ opts->hostkeys = NULL;
+ }
+}
+
+static void
+nc_server_del_auth_client_pubkey(struct nc_client_auth *auth_client, struct nc_client_auth_pubkey *pubkey)
+{
+ nc_server_del_auth_client_pubkey_name(pubkey);
+ nc_server_del_auth_client_pubkey_pub_base64(pubkey);
+
+ auth_client->pubkey_count--;
+ if (!auth_client->pubkey_count) {
+ free(auth_client->pubkeys);
+ auth_client->pubkeys = NULL;
+ }
+}
+
+static void
+nc_server_del_auth_client(struct nc_server_ssh_opts *opts, struct nc_client_auth *auth_client)
+{
+ uint16_t i, pubkey_count;
+
+ if (auth_client->ks_type == NC_STORE_LOCAL) {
+ pubkey_count = auth_client->pubkey_count;
+ for (i = 0; i < pubkey_count; i++) {
+ nc_server_del_auth_client_pubkey(auth_client, &auth_client->pubkeys[i]);
+ }
+ } else if (auth_client->ks_type == NC_STORE_TRUSTSTORE) {
+ nc_server_del_auth_client_ts_reference(auth_client);
+ } else {
+ return;
+ }
+
+ nc_server_del_auth_client_password(auth_client);
+ nc_server_del_auth_client_pam_name(auth_client);
+ nc_server_del_auth_client_pam_dir(auth_client);
+ nc_server_del_auth_client_username(auth_client);
+
+ opts->client_count--;
+ if (!opts->client_count) {
+ free(opts->auth_clients);
+ opts->auth_clients = NULL;
+ }
+}
+
+static void
+nc_server_del_ssh(struct nc_bind *bind, struct nc_server_ssh_opts *opts)
+{
+ uint16_t i, hostkey_count, client_count;
+
+ nc_server_del_local_address(bind);
+ if (bind->sock > -1) {
+ close(bind->sock);
+ }
+
+ /* store in variable because it gets decremented in the function call */
+ hostkey_count = opts->hostkey_count;
+ for (i = 0; i < hostkey_count; i++) {
+ nc_server_del_hostkey(opts, &opts->hostkeys[i]);
+ }
+
+ client_count = opts->client_count;
+ for (i = 0; i < client_count; i++) {
+ nc_server_del_auth_client(opts, &opts->auth_clients[i]);
+ }
+
+ nc_server_del_hostkey_algs(opts);
+ nc_server_del_kex_algs(opts);
+ nc_server_del_encryption_algs(opts);
+ nc_server_del_mac_algs(opts);
+
+ free(opts);
+ opts = NULL;
+}
+
+void
+nc_server_del_endpt_ssh(struct nc_endpt *endpt, struct nc_bind *bind)
+{
+ nc_server_del_endpt_name(endpt);
+ nc_server_del_ssh(bind, endpt->opts.ssh);
+
+ server_opts.endpt_count--;
+ if (!server_opts.endpt_count) {
+ free(server_opts.endpts);
+ free(server_opts.binds);
+ server_opts.endpts = NULL;
+ server_opts.binds = NULL;
+ }
+}
+
+/* presence container */
+int
+nc_server_configure_listen(NC_OPERATION op)
+{
+ uint16_t i;
+
+ assert(op == NC_OP_CREATE || op == NC_OP_DELETE);
+
+ if (op == NC_OP_DELETE) {
+ for (i = 0; i < server_opts.endpt_count; i++) {
+ nc_server_del_endpt_ssh(&server_opts.endpts[i], &server_opts.binds[i]);
+ }
+ }
+
+ return 0;
+}
+
+/* default leaf */
+static int
+nc_server_configure_idle_timeout(const struct lyd_node *node, NC_OPERATION op)
+{
+ assert(!strcmp(LYD_NAME(node), "idle-timeout"));
+
+ if (equal_parent_name(node, 1, "listen")) {
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ server_opts.idle_timeout = strtoul(lyd_get_value(node), NULL, 10);
+ } else {
+ /* default value */
+ server_opts.idle_timeout = 3600;
+ }
+ }
+
+ return 0;
+}
+
+static int
+nc_server_create_bind(void)
+{
+ int ret = 0;
+ void *tmp;
+
+ tmp = realloc(server_opts.binds, (server_opts.endpt_count + 1) * sizeof *server_opts.binds);
+ if (!tmp) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+ server_opts.binds = tmp;
+ memset(&server_opts.binds[server_opts.endpt_count], 0, sizeof *server_opts.binds);
+
+ server_opts.binds[server_opts.endpt_count].sock = -1;
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_create_endpoint(const struct lyd_node *node)
+{
+ int ret = 0;
+ void *tmp;
+
+ tmp = realloc(server_opts.endpts, (server_opts.endpt_count + 1) * sizeof *server_opts.endpts);
+ if (!tmp) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+ server_opts.endpts = tmp;
+ memset(&server_opts.endpts[server_opts.endpt_count], 0, sizeof *server_opts.endpts);
+
+ node = lyd_child(node);
+ assert(!strcmp(LYD_NAME(node), "name"));
+
+ server_opts.endpts[server_opts.endpt_count].name = strdup(lyd_get_value(node));
+ if (!server_opts.endpts[server_opts.endpt_count].name) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_create_bind()) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ server_opts.endpt_count++;
+
+cleanup:
+ return ret;
+}
+
+/* list */
+static int
+nc_server_configure_endpoint(const struct lyd_node *node, NC_OPERATION op)
+{
+ int ret = 0;
+ struct nc_endpt *endpt;
+ struct nc_bind *bind;
+
+ assert(!strcmp(LYD_NAME(node), "endpoint"));
+
+ if (op == NC_OP_CREATE) {
+ ret = nc_server_create_endpoint(node);
+ if (ret) {
+ goto cleanup;
+ }
+ } else if (op == NC_OP_DELETE) {
+ /* free all children */
+ if (nc_server_get_endpt(node, &endpt, &bind)) {
+ ret = 1;
+ goto cleanup;
+ }
+ nc_server_del_endpt_ssh(endpt, bind);
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_create_ssh(struct nc_endpt *endpt)
+{
+ endpt->ti = NC_TI_LIBSSH;
+ endpt->opts.ssh = calloc(1, sizeof(struct nc_server_ssh_opts));
+ if (!endpt->opts.ssh) {
+ ERRMEM;
+ return 1;
+ }
+
+ return 0;
+}
+
+/* NP container */
+static int
+nc_server_configure_ssh(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_bind *bind;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "ssh"));
+
+ if (nc_server_get_endpt(node, &endpt, &bind)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (op == NC_OP_CREATE) {
+ ret = nc_server_create_ssh(endpt);
+ if (ret) {
+ goto cleanup;
+ }
+ } else if (op == NC_OP_DELETE) {
+ nc_server_del_ssh(bind, endpt->opts.ssh);
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_config_set_address_port(struct nc_endpt *endpt, struct nc_bind *bind, const char *address, uint16_t port)
+{
+ int sock = -1, set_addr, ret = 0;
+
+ assert((address && !port) || (!address && port));
+
+ if (address) {
+ set_addr = 1;
+ } else {
+ set_addr = 0;
+ }
+
+ if (set_addr) {
+ port = bind->port;
+ } else {
+ address = bind->address;
+ }
+
+ if (!set_addr && (endpt->ti == NC_TI_UNIX)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ /* we have all the information we need to create a listening socket */
+ if (address && port) {
+ /* create new socket, close the old one */
+ sock = nc_sock_listen_inet(address, port, &endpt->ka);
+ if (sock == -1) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (bind->sock > -1) {
+ close(bind->sock);
+ }
+ bind->sock = sock;
+ }
+
+ if (sock > -1) {
+ switch (endpt->ti) {
+#ifdef NC_ENABLED_SSH
+ case NC_TI_LIBSSH:
+ VRB(NULL, "Listening on %s:%u for SSH connections.", address, port);
+ break;
+#endif
+#ifdef NC_ENABLED_TLS
+ case NC_TI_OPENSSL:
+ VRB(NULL, "Listening on %s:%u for TLS connections.", address, port);
+ break;
+#endif
+ default:
+ ERRINT;
+ ret = 1;
+ break;
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/* mandatory leaf */
+static int
+nc_server_configure_local_address(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_bind *bind;
+ int ret = 0;
+
+ (void) op;
+
+ assert(!strcmp(LYD_NAME(node), "local-address"));
+
+ if (equal_parent_name(node, 4, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, &bind)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ nc_server_del_local_address(bind);
+ bind->address = strdup(lyd_get_value(node));
+ if (!bind->address) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+
+ ret = nc_server_config_set_address_port(endpt, bind, lyd_get_value(node), 0);
+ if (ret) {
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/* leaf with default value */
+static int
+nc_server_configure_local_port(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_bind *bind;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "local-port"));
+
+ if (equal_parent_name(node, 4, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, &bind)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ bind->port = strtoul(lyd_get_value(node), NULL, 10);
+ } else {
+ /* delete -> set to default */
+ bind->port = 0;
+ }
+
+ ret = nc_server_config_set_address_port(endpt, bind, NULL, bind->port);
+ if (ret) {
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/* P container */
+static int
+nc_server_configure_keepalives(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_bind *bind;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "keepalives"));
+
+ if (equal_parent_name(node, 4, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, &bind)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (op == NC_OP_CREATE) {
+ endpt->ka.enabled = 1;
+ } else {
+ endpt->ka.enabled = 0;
+ }
+ ret = nc_sock_configure_keepalive(bind->sock, &endpt->ka);
+ if (ret) {
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/* mandatory leaf */
+static int
+nc_server_configure_idle_time(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_bind *bind;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "idle-time"));
+
+ if (equal_parent_name(node, 4, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, &bind)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ endpt->ka.idle_time = strtoul(lyd_get_value(node), NULL, 10);
+ } else {
+ endpt->ka.idle_time = 0;
+ }
+ ret = nc_sock_configure_keepalive(bind->sock, &endpt->ka);
+ if (ret) {
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/* mandatory leaf */
+static int
+nc_server_configure_max_probes(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_bind *bind;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "max-probes"));
+
+ if (equal_parent_name(node, 4, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, &bind)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ endpt->ka.max_probes = strtoul(lyd_get_value(node), NULL, 10);
+ } else {
+ endpt->ka.max_probes = 0;
+ }
+ ret = nc_sock_configure_keepalive(bind->sock, &endpt->ka);
+ if (ret) {
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/* mandatory leaf */
+static int
+nc_server_configure_probe_interval(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_bind *bind;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "probe-interval"));
+
+ if (equal_parent_name(node, 4, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, &bind)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ endpt->ka.probe_interval = strtoul(lyd_get_value(node), NULL, 10);
+ } else {
+ endpt->ka.probe_interval = 0;
+ }
+ ret = nc_sock_configure_keepalive(bind->sock, &endpt->ka);
+ if (ret) {
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_create_host_key(const struct lyd_node *node, struct nc_server_ssh_opts *opts)
+{
+ int ret = 0;
+ void *tmp;
+
+ tmp = realloc(opts->hostkeys,
+ (opts->hostkey_count + 1) * sizeof *opts->hostkeys);
+ if (!tmp) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+ opts->hostkeys = tmp;
+
+ memset(&opts->hostkeys[opts->hostkey_count], 0, sizeof *opts->hostkeys);
+
+ opts->hostkeys[opts->hostkey_count].name = strdup(lyd_get_value(lyd_child(node)));
+ if (!opts->hostkeys[opts->hostkey_count].name) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+
+ /* set union selector */
+ lyd_find_path(node, "public-key", 0, (struct lyd_node **)&node);
+ assert(node);
+
+ if (!lyd_find_path(node, "local-definition", 0, NULL)) {
+ opts->hostkeys[opts->hostkey_count].ks_type = NC_STORE_LOCAL;
+ } else {
+ opts->hostkeys[opts->hostkey_count].ks_type = NC_STORE_KEYSTORE;
+ }
+
+ opts->hostkey_count++;
+
+cleanup:
+ return ret;
+}
+
+/* list */
+static int
+nc_server_configure_host_key(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_hostkey *hostkey;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "host-key"));
+
+ if ((equal_parent_name(node, 1, "server-identity")) && (equal_parent_name(node, 5, "listen"))) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (op == NC_OP_CREATE) {
+ ret = nc_server_create_host_key(node, endpt->opts.ssh);
+ if (ret) {
+ goto cleanup;
+ }
+ } else if (op == NC_OP_DELETE) {
+ if (nc_server_get_hostkey(node, endpt->opts.ssh, &hostkey)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ nc_server_del_hostkey(endpt->opts.ssh, hostkey);
+ }
+ } else if (equal_parent_name(node, 1, "transport-params")) {
+ /* just a container with the name host-key, nothing to be done */
+ goto cleanup;
+ } else {
+ ERRINT;
+ ret = 1;
+ goto cleanup;
+ }
+
+cleanup:
+ return ret;
+}
+
+/* mandatory leaf */
+int
+nc_server_configure_public_key_format(const struct lyd_node *node, NC_OPERATION op)
+{
+ const char *format;
+ struct nc_endpt *endpt;
+ struct nc_client_auth *auth_client;
+ struct nc_client_auth_pubkey *pubkey;
+ struct nc_hostkey *hostkey;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "public-key-format"));
+
+ format = ((struct lyd_node_term *)node)->value.ident->name;
+
+ if ((equal_parent_name(node, 6, "client-authentication")) && (equal_parent_name(node, 10, "listen"))) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_auth_client(node, endpt->opts.ssh, &auth_client)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_pubkey(node, auth_client, &pubkey)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ if (!strcmp(format, "ssh-public-key-format")) {
+ pubkey->pubkey_type = NC_SSH_PUBKEY_X509;
+ } else if (!strcmp(format, "subject-public-key-info-format")) {
+ pubkey->pubkey_type = NC_SSH_PUBKEY_SSH2;
+ } else {
+ ERR(NULL, "Public key format (%s) not supported.", format);
+ }
+ }
+ } else if ((equal_parent_name(node, 5, "server-identity")) && (equal_parent_name(node, 11, "listen"))) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_hostkey(node, endpt->opts.ssh, &hostkey)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ if (!strcmp(format, "ssh-public-key-format")) {
+ hostkey->pubkey_type = NC_SSH_PUBKEY_X509;
+ } else if (!strcmp(format, "subject-public-key-info-format")) {
+ hostkey->pubkey_type = NC_SSH_PUBKEY_SSH2;
+ } else {
+ ERR(NULL, "Public key format (%s) not supported.", format);
+ }
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/* leaf */
+int
+nc_server_configure_private_key_format(const struct lyd_node *node, NC_OPERATION op)
+{
+ const char *format;
+ struct nc_endpt *endpt;
+ struct nc_hostkey *hostkey;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "private-key-format"));
+
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_hostkey(node, endpt->opts.ssh, &hostkey)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ format = ((struct lyd_node_term *)node)->value.ident->name;
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ if (!strcmp(format, "rsa-private-key-format")) {
+ hostkey->privkey_type = NC_SSH_KEY_RSA;
+ } else if (!strcmp(format, "ec-private-key-format")) {
+ hostkey->privkey_type = NC_SSH_KEY_ECDSA;
+ } else {
+ ERR(NULL, "Private key format (%s) not supported.", format);
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_replace_cleartext_private_key(const struct lyd_node *node, struct nc_hostkey *hostkey)
+{
+ nc_server_del_private_key(hostkey);
+ hostkey->priv_base64 = strdup(lyd_get_value(node));
+ if (!hostkey->priv_base64) {
+ ERRMEM;
+ return 1;
+ }
+
+ return 0;
+}
+
+static int
+nc_server_configure_cleartext_private_key(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_hostkey *hostkey;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "cleartext-private-key"));
+
+ if ((equal_parent_name(node, 6, "ssh")) && (equal_parent_name(node, 8, "listen"))) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+ if (nc_server_get_hostkey(node, endpt->opts.ssh, &hostkey)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ ret = nc_server_replace_cleartext_private_key(node, hostkey);
+ if (ret) {
+ goto cleanup;
+ }
+ } else {
+ nc_server_del_private_key(hostkey);
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_create_keystore_reference(const struct lyd_node *node, struct nc_hostkey *hostkey)
+{
+ uint16_t i;
+ struct nc_keystore *ks = NULL;
+
+ /* lookup name */
+ for (i = 0; i < server_opts.keystore_count; i++) {
+ if (!strcmp(lyd_get_value(node), server_opts.keystore[i].name)) {
+ ks = &server_opts.keystore[i];
+ break;
+ }
+ }
+
+ if (!ks) {
+ ERR(NULL, "Keystore (%s) not found.", lyd_get_value(node));
+ return 1;
+ }
+
+ hostkey->keystore = ks;
+
+ return 0;
+}
+
+/* leaf */
+static int
+nc_server_configure_keystore_reference(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_hostkey *hostkey;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "keystore-reference"));
+
+ if ((equal_parent_name(node, 4, "server-identity")) && (equal_parent_name(node, 7, "listen"))) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+ if (nc_server_get_hostkey(node, endpt->opts.ssh, &hostkey)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ ret = nc_server_create_keystore_reference(node, hostkey);
+ if (ret) {
+ goto cleanup;
+ }
+ } else {
+ hostkey->keystore = NULL;
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_create_auth_key_public_key_list(const struct lyd_node *node, struct nc_client_auth *auth_client)
+{
+ int ret = 0;
+ void *tmp;
+
+ assert(!strcmp(LYD_NAME(node), "public-key"));
+
+ tmp = realloc(auth_client->pubkeys, (auth_client->pubkey_count + 1) * sizeof *auth_client->pubkeys);
+ if (!tmp) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+ auth_client->pubkeys = tmp;
+
+ memset(&auth_client->pubkeys[auth_client->pubkey_count], 0, sizeof *auth_client->pubkeys);
+
+ node = lyd_child(node);
+ assert(!strcmp(LYD_NAME(node), "name"));
+
+ auth_client->pubkeys[auth_client->pubkey_count].name = strdup(lyd_get_value(node));
+ if (!auth_client->pubkeys[auth_client->pubkey_count].name) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+
+ ++auth_client->pubkey_count;
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_replace_auth_key_public_key_leaf(const struct lyd_node *node, struct nc_client_auth_pubkey *pubkey)
+{
+ nc_server_del_auth_client_pubkey_pub_base64(pubkey);
+
+ pubkey->pub_base64 = strdup(lyd_get_value(node));
+ if (!pubkey->pub_base64) {
+ ERRMEM;
+ return 1;
+ }
+
+ return 0;
+}
+
+static int
+nc_server_replace_host_key_public_key(const struct lyd_node *node, struct nc_hostkey *hostkey)
+{
+ nc_server_del_public_key(hostkey);
+
+ hostkey->pub_base64 = strdup(lyd_get_value(node));
+ if (!hostkey->pub_base64) {
+ ERRMEM;
+ return 1;
+ }
+
+ return 0;
+}
+
+static int
+nc_server_configure_public_key(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_hostkey *hostkey;
+ struct nc_client_auth *auth_client;
+ struct nc_client_auth_pubkey *pubkey;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "public-key"));
+
+ if ((equal_parent_name(node, 3, "host-key")) && (equal_parent_name(node, 8, "listen"))) {
+ /* server's public-key, mandatory leaf */
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_hostkey(node, endpt->opts.ssh, &hostkey)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ ret = nc_server_replace_host_key_public_key(node, hostkey);
+ if (ret) {
+ goto cleanup;
+ }
+ }
+ } else if ((equal_parent_name(node, 5, "client-authentication")) && (equal_parent_name(node, 9, "listen"))) {
+ /* client auth pubkeys, list */
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_auth_client(node, endpt->opts.ssh, &auth_client)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (op == NC_OP_CREATE) {
+ ret = nc_server_create_auth_key_public_key_list(node, auth_client);
+ if (ret) {
+ goto cleanup;
+ }
+ } else if (op == NC_OP_DELETE) {
+ if (nc_server_get_pubkey(node, auth_client, &pubkey)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ nc_server_del_auth_client_pubkey(auth_client, pubkey);
+ }
+ } else if ((equal_parent_name(node, 6, "client-authentication")) && (equal_parent_name(node, 10, "listen"))) {
+ /* client auth pubkey, leaf */
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_auth_client(node, endpt->opts.ssh, &auth_client)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_pubkey(node, auth_client, &pubkey)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ ret = nc_server_replace_auth_key_public_key_leaf(node, pubkey);
+ if (ret) {
+ goto cleanup;
+ }
+ } else {
+ nc_server_del_auth_client_pubkey_pub_base64(pubkey);
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_create_user(const struct lyd_node *node, struct nc_server_ssh_opts *opts)
+{
+ int ret = 0;
+ void *tmp;
+
+ tmp = realloc(opts->auth_clients, (opts->client_count + 1) * sizeof *opts->auth_clients);
+ if (!tmp) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+ opts->auth_clients = tmp;
+
+ memset(&opts->auth_clients[opts->client_count], 0, sizeof *opts->auth_clients);
+
+ opts->auth_clients[opts->client_count].username = strdup(lyd_get_value(lyd_child(node)));
+ if (!opts->auth_clients[opts->client_count].username) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+
+ lyd_find_path(node, "public-keys", 0, (struct lyd_node **)&node);
+
+ if (node) {
+ /* set union selector */
+ if (!lyd_find_path(node, "local-definition", 0, NULL)) {
+ opts->auth_clients[opts->client_count].ks_type = NC_STORE_LOCAL;
+ } else {
+ opts->auth_clients[opts->client_count].ks_type = NC_STORE_TRUSTSTORE;
+ }
+ }
+
+ ++opts->client_count;
+
+cleanup:
+ return ret;
+}
+
+/* list */
+static int
+nc_server_configure_user(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_client_auth *auth_client;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "user"));
+
+ if (equal_parent_name(node, 6, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (op == NC_OP_CREATE) {
+ ret = nc_server_create_user(node, endpt->opts.ssh);
+ if (ret) {
+ goto cleanup;
+ }
+ } else if (op == NC_OP_DELETE) {
+ if (nc_server_get_auth_client(node, endpt->opts.ssh, &auth_client)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ nc_server_del_auth_client(endpt->opts.ssh, auth_client);
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_configure_auth_attempts(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "auth-attempts"));
+
+ if (equal_parent_name(node, 5, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ endpt->opts.ssh->auth_attempts = strtoul(lyd_get_value(node), NULL, 10);
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_configure_auth_timeout(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "auth-timeout"));
+
+ if (equal_parent_name(node, 5, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ endpt->opts.ssh->auth_timeout = strtoul(lyd_get_value(node), NULL, 10);
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_replace_truststore_reference(const struct lyd_node *node, struct nc_client_auth *client_auth)
+{
+ /*todo*/
+ nc_server_del_truststore_reference(client_auth);
+
+ client_auth->ts_reference = strdup(lyd_get_value(node));
+ if (!client_auth->ts_reference) {
+ ERRMEM;
+ return 1;
+ }
+
+ return 0;
+}
+
+/* leaf */
+static int
+nc_server_configure_truststore_reference(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_client_auth *auth_client;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "truststore-reference"));
+
+ if ((equal_parent_name(node, 1, "public-keys")) && (equal_parent_name(node, 8, "listen"))) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_auth_client(node, endpt->opts.ssh, &auth_client)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ ret = nc_server_replace_truststore_reference(node, auth_client);
+ if (ret) {
+ goto cleanup;
+ }
+ } else {
+ nc_server_del_truststore_reference(auth_client);
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_replace_password(const struct lyd_node *node, struct nc_client_auth *auth_client)
+{
+ nc_server_del_auth_client_password(auth_client);
+
+ auth_client->password = strdup(lyd_get_value(node));
+ if (!auth_client->password) {
+ ERRMEM;
+ return 1;
+ }
+
+ return 0;
+}
+
+/* leaf */
+static int
+nc_server_configure_password(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_client_auth *auth_client;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "password"));
+
+ if (equal_parent_name(node, 7, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_auth_client(node, endpt->opts.ssh, &auth_client)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ ret = nc_server_replace_password(node, auth_client);
+ if (ret) {
+ goto cleanup;
+ }
+ } else {
+ nc_server_del_auth_client_password(auth_client);
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_configure_pam_name(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_client_auth *auth_client;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "pam-config-file-name"));
+
+ if (equal_parent_name(node, 8, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_auth_client(node, endpt->opts.ssh, &auth_client)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ nc_server_del_auth_client_pam_name(auth_client);
+
+ auth_client->pam_config_name = strdup(lyd_get_value(node));
+ if (!auth_client->pam_config_name) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_configure_pam_dir(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_client_auth *auth_client;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "pam-config-file-dir"));
+
+ if (equal_parent_name(node, 8, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_auth_client(node, endpt->opts.ssh, &auth_client)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ nc_server_del_auth_client_pam_dir(auth_client);
+ auth_client->pam_config_dir = strdup(lyd_get_value(node));
+ if (!auth_client->pam_config_dir) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/* leaf */
+static int
+nc_server_configure_none(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ struct nc_client_auth *auth_client;
+ int ret = 0;
+
+ assert(!strcmp(LYD_NAME(node), "none"));
+
+ if (equal_parent_name(node, 7, "listen")) {
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (nc_server_get_auth_client(node, endpt->opts.ssh, &auth_client)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+ if (op == NC_OP_CREATE) {
+ auth_client->supports_none = 1;
+ } else {
+ auth_client->supports_none = 0;
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_configure_transport_params(const char *alg, char **alg_store, NC_OPERATION op)
+{
+ int ret = 0, alg_found = 0;
+ char *substr, *haystack;
+ size_t alg_len = strlen(alg);
+
+ if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
+ if (!*alg_store) {
+ /* first call */
+ *alg_store = strdup(alg);
+ if (!*alg_store) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+ } else {
+ /* +1 because of ',' between algorithms */
+ *alg_store = nc_realloc(*alg_store, strlen(*alg_store) + alg_len + 1 + 1);
+ if (!*alg_store) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+ sprintf(*alg_store, "%s,%s", *alg_store, alg);
+ }
+ } else {
+ /* delete */
+ haystack = *alg_store;
+ while ((substr = strstr(haystack, alg))) {
+ /* iterate over all the substrings */
+ if (((substr == haystack) && (*(substr + alg_len) == ',')) ||
+ ((substr != haystack) && (*(substr - 1) == ',') && (*(substr + alg_len) == ','))) {
+ /* either the first element of the string or somewhere in the middle */
+ memmove(substr, substr + alg_len + 1, strlen(substr + alg_len + 1));
+ alg_found = 1;
+ break;
+ } else if ((*(substr - 1) == ',') && (*(substr + alg_len) == '\0')) {
+ /* the last element of the string */
+ *(substr - 1) = '\0';
+ alg_found = 1;
+ break;
+ }
+ haystack++;
+ }
+ if (!alg_found) {
+ ERR(NULL, "Unable to delete an algorithm (%s), which was not previously added.", alg);
+ ret = 1;
+ }
+ }
+
+cleanup:
+ return ret;
+}
+
+/* leaf-list */
+static int
+nc_server_configure_host_key_alg(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ int ret = 0, listen = 0;
+ const char *alg;
+ uint8_t i;
+
+ /* get the algorithm name and compare it with algs supported by libssh */
+ alg = ((struct lyd_node_term *)node)->value.ident->name;
+
+ if (equal_parent_name(node, 6, "listen")) {
+ listen = 1;
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+ }
+
+ i = 0;
+ while (supported_hostkey_algs[i]) {
+ if (!strcmp(supported_hostkey_algs[i], alg)) {
+ if (listen) {
+ if (nc_server_configure_transport_params(alg, &endpt->opts.ssh->hostkey_algs, op)) {
+ ret = 1;
+ goto cleanup;
+ }
+ }
+ break;
+ }
+ i++;
+ }
+ if (!supported_hostkey_algs[i]) {
+ /* algorithm not supported */
+ ERR(NULL, "Public key algorithm (%s) not supported by libssh.", alg);
+ ret = 1;
+ }
+
+cleanup:
+ return ret;
+}
+
+/* leaf-list */
+static int
+nc_server_configure_kex_alg(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ int ret = 0, listen = 0;
+ const char *alg;
+ uint8_t i;
+
+ /* get the algorithm name and compare it with algs supported by libssh */
+ alg = ((struct lyd_node_term *)node)->value.ident->name;
+
+ if (equal_parent_name(node, 6, "listen")) {
+ listen = 1;
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+ }
+
+ i = 0;
+ while (supported_kex_algs[i]) {
+ if (!strcmp(supported_kex_algs[i], alg)) {
+ if (listen) {
+ if (nc_server_configure_transport_params(alg, &endpt->opts.ssh->kex_algs, op)) {
+ ret = 1;
+ goto cleanup;
+ }
+ }
+ break;
+ }
+ i++;
+ }
+ if (!supported_kex_algs[i]) {
+ /* algorithm not supported */
+ ERR(NULL, "Key exchange algorithm (%s) not supported by libssh.", alg);
+ ret = 1;
+ }
+
+cleanup:
+ return ret;
+}
+
+/* leaf-list */
+static int
+nc_server_configure_encryption_alg(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ int ret = 0, listen = 0;
+ const char *alg;
+ uint8_t i;
+
+ /* get the algorithm name and compare it with algs supported by libssh */
+ alg = ((struct lyd_node_term *)node)->value.ident->name;
+
+ if (equal_parent_name(node, 6, "listen")) {
+ listen = 1;
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+ }
+
+ i = 0;
+ while (supported_encryption_algs[i]) {
+ if (!strcmp(supported_encryption_algs[i], alg)) {
+ if (listen) {
+ if (nc_server_configure_transport_params(alg, &endpt->opts.ssh->encryption_algs, op)) {
+ ret = 1;
+ goto cleanup;
+ }
+ }
+ break;
+ }
+ i++;
+ }
+ if (!supported_encryption_algs[i]) {
+ /* algorithm not supported */
+ ERR(NULL, "Encryption algorithm (%s) not supported by libssh.", alg);
+ ret = 1;
+ }
+
+cleanup:
+ return ret;
+}
+
+/* leaf-list */
+static int
+nc_server_configure_mac_alg(const struct lyd_node *node, NC_OPERATION op)
+{
+ struct nc_endpt *endpt;
+ int ret = 0, listen = 0;
+ const char *alg;
+ uint8_t i;
+
+ /* get the algorithm name and compare it with algs supported by libssh */
+ alg = ((struct lyd_node_term *)node)->value.ident->name;
+
+ if (equal_parent_name(node, 6, "listen")) {
+ listen = 1;
+ if (nc_server_get_endpt(node, &endpt, NULL)) {
+ ret = 1;
+ goto cleanup;
+ }
+ }
+
+ i = 0;
+ while (supported_mac_algs[i]) {
+ if (!strcmp(supported_mac_algs[i], alg)) {
+ if (listen) {
+ if (nc_server_configure_transport_params(alg, &endpt->opts.ssh->mac_algs, op)) {
+ ret = 1;
+ goto cleanup;
+ }
+ }
+ break;
+ }
+ i++;
+ }
+ if (!supported_mac_algs[i]) {
+ /* algorithm not supported */
+ ERR(NULL, "MAC algorithm (%s) not supported by libssh.", alg);
+ ret = 1;
+ }
+
+cleanup:
+ return ret;
+}
+
+static int
+nc_server_configure(const struct lyd_node *node, NC_OPERATION op)
+{
+ const char *name = LYD_NAME(node);
+
+ if (!strcmp(name, "listen")) {
+ if (nc_server_configure_listen(op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "idle-timeout")) {
+ if (nc_server_configure_idle_timeout(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "endpoint")) {
+ if (nc_server_configure_endpoint(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "ssh")) {
+ if (nc_server_configure_ssh(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "local-address")) {
+ if (nc_server_configure_local_address(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "local-port")) {
+ if (nc_server_configure_local_port(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "keepalives")) {
+ if (nc_server_configure_keepalives(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "idle-time")) {
+ if (nc_server_configure_idle_time(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "max-probes")) {
+ if (nc_server_configure_max_probes(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "probe-interval")) {
+ if (nc_server_configure_probe_interval(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "host-key")) {
+ if (nc_server_configure_host_key(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "public-key-format")) {
+ if (nc_server_configure_public_key_format(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "public-key")) {
+ if (nc_server_configure_public_key(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "private-key-format")) {
+ if (nc_server_configure_private_key_format(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "cleartext-private-key")) {
+ if (nc_server_configure_cleartext_private_key(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "keystore-reference")) {
+ if (nc_server_configure_keystore_reference(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "user")) {
+ if (nc_server_configure_user(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "auth-attempts")) {
+ if (nc_server_configure_auth_attempts(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "auth-timeout")) {
+ if (nc_server_configure_auth_timeout(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "truststore-reference")) {
+ if (nc_server_configure_truststore_reference(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "password")) {
+ if (nc_server_configure_password(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "pam-config-file-name")) {
+ if (nc_server_configure_pam_name(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "pam-config-file-dir")) {
+ if (nc_server_configure_pam_dir(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "none")) {
+ if (nc_server_configure_none(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "host-key-alg")) {
+ if (nc_server_configure_host_key_alg(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "key-exchange-alg")) {
+ if (nc_server_configure_kex_alg(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "encryption-alg")) {
+ if (nc_server_configure_encryption_alg(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "mac-alg")) {
+ if (nc_server_configure_mac_alg(node, op)) {
+ goto error;
+ }
+ } else if (!strcmp(name, "cert-data")) {} else if (!strcmp(name, "expiration-date")) {} else if (!strcmp(name, "asymmetric-key")) {} else if (!strcmp(name, "certificate")) {} else if (!strcmp(name, "key-format")) {} else if (!strcmp(name,
+ "cleartext-key")) {} else if (!strcmp(name, "hidden-key")) {} else if (!strcmp(name, "id_hint")) {} else if (!strcmp(name, "external-identity")) {} else if (!strcmp(name, "hash")) {} else if (!strcmp(name, "context")) {} else if (!strcmp(name,
+ "target-protocol")) {} else if (!strcmp(name, "target-kdf")) {} else if (!strcmp(name, "client-authentication")) {} else if (!strcmp(name, "ca-certs")) {} else if (!strcmp(name, "ee-certs")) {} else if (!strcmp(name,
+ "raw-public-keys")) {} else if (!strcmp(name, "tls12-psks")) {} else if (!strcmp(name, "tls13-epsks")) {} else if (!strcmp(name, "tls-version")) {} else if (!strcmp(name, "cipher-suite")) {} else if (!strcmp(name,
+ "peer-allowed-to-send")) {} else if (!strcmp(name, "test-peer-aliveness")) {} else if (!strcmp(name, "max-wait")) {} else if (!strcmp(name, "max-attempts")) {} else if (!strcmp(name, "cert-to-name")) {} else if (!strcmp(name,
+ "id")) {} else if (!strcmp(name, "fingerprint")) {} else if (!strcmp(name, "map-type")) {}
+
+ return 0;
+
+error:
+ ERR(NULL, "Configuring (%s) failed.", LYD_NAME(node));
+ return 1;
+}
+
+int
+nc_session_server_parse_tree(const struct lyd_node *node, NC_OPERATION parent_op)
+{
+ struct lyd_node *child;
+ struct lyd_meta *m;
+ NC_OPERATION current_op;
+
+ assert(node);
+
+ /* get current op */
+ LY_LIST_FOR(node->meta, m) {
+ if (!strcmp(m->name, "operation")) {
+ if (!strcmp(lyd_get_meta_value(m), "create")) {
+ current_op = NC_OP_CREATE;
+ } else if (!strcmp(lyd_get_meta_value(m), "delete")) {
+ current_op = NC_OP_DELETE;
+ } else if (!strcmp(lyd_get_meta_value(m), "replace")) {
+ current_op = NC_OP_REPLACE;
+ } else if (!strcmp(lyd_get_meta_value(m), "none")) {
+ current_op = NC_OP_NONE;
+ }
+ break;
+ }
+ }
+
+ /* node has no op, inherit from the parent */
+ if (!m) {
+ current_op = parent_op;
+ }
+
+ switch (current_op) {
+ case NC_OP_NONE:
+ break;
+ case NC_OP_CREATE:
+ case NC_OP_DELETE:
+ case NC_OP_REPLACE:
+ if (nc_server_configure(node, current_op)) {
+ return 1;
+ }
+ break;
+ default:
+ break;
+ }
+
+ if (current_op != NC_OP_DELETE) {
+ LY_LIST_FOR(lyd_child(node), child) {
+ if (nc_session_server_parse_tree(child, current_op)) {
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+
+static int
+nc_server_configure_certificates(const struct lyd_node *node, struct nc_keystore *ks)
+{
+ int ret = 0;
+ uint16_t cert_count;
+ void *tmp;
+
+ node = node->next;
+ if ((!node) || (strcmp(LYD_NAME(node), "certificate"))) {
+ WRN(NULL, "Certificates container is empty");
+ goto cleanup;
+ }
+
+ /* certificate list */
+ while (node) {
+ cert_count = ks->cert_count;
+ tmp = realloc(ks->certs, cert_count + 1);
+ if (!tmp) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+ ks->certs = tmp;
+
+ ks->certs[cert_count].name = strdup(lyd_get_value(lyd_child(node)));
+ if (!ks->certs[cert_count].name) {
+ ERRMEM;
+ ret = 1;
+ goto cleanup;
+ }
+
+ ks->certs[cert_count].cert_data = strdup(lyd_get_value(lyd_child(node)->next));
+ if (!ks->certs[cert_count].cert_data) {
+ ERRMEM;
+ free(ks->certs[cert_count].name);
+ ret = 1;
+ goto cleanup;
+ }
+
+ ks->cert_count++;
+ }
+
+cleanup:
+ if (ret) {
+ for (cert_count = 0; cert_count < ks->cert_count; cert_count++) {
+ free(ks->certs[cert_count].name);
+ free(ks->certs[cert_count].cert_data);
+ }
+ free(ks->certs);
+ }
+ return ret;
+}
+
+static int
+nc_fill_keystore(const struct lyd_node *data)
+{
+ int ret = 0;
+ uint32_t prev_lo;
+ struct lyd_node *tree, *node, *iter, *iter_tmp;
+ void *tmp;
+ struct nc_keystore *ks;
+
+ /* silently search for keystore node */
+ prev_lo = ly_log_options(0);
+ ret = lyd_find_path(data, "/ks:keystore", 0, &tree);
+ ly_log_options(prev_lo);
+ if (ret) {
+ WRN(NULL, "Keystore container not found in the YANG data.");
+ return 0;
+ }
+
+ /* asymmetric keys container */
+ lyd_find_path(tree, "asymmetric-keys", 0, (struct lyd_node **)&node);
+ if (!node) {
+ WRN(NULL, "Asymmetric keys container not found in the YANG data.");
+ return 0;
+ }
+
+ /* asymmetric key list */
+ lyd_find_path(node, "asymmetric-key", 0, (struct lyd_node **)&node);
+ if (!node) {
+ WRN(NULL, "Asymmetric keys container is empty.");
+ return 0;
+ }
+
+ LY_LIST_FOR(node, iter) {
+ tmp = realloc(server_opts.keystore, server_opts.keystore_count + 1);
+ if (!tmp) {
+ ERRMEM;
+ goto fail;
+ }
+ server_opts.keystore = tmp;
+ ks = &server_opts.keystore[server_opts.keystore_count];
+
+ iter_tmp = iter;
+ /* name */
+ iter_tmp = lyd_child(iter_tmp);
+ ks->name = strdup(lyd_get_value(iter_tmp));
+ if (!ks->name) {
+ ERRMEM;
+ goto fail;
+ }
+
+ /* mandatory public-key-format */
+ iter_tmp = iter_tmp->next;
+ if (nc_server_configure_public_key_format(iter_tmp, 0)) {
+ free(ks->name);
+ goto fail;
+ }
+
+ /* mandatory public-key */
+ iter_tmp = iter_tmp->next;
+ ks->pub_base64 = strdup(lyd_get_value(iter_tmp));
+ if (!ks->pub_base64) {
+ free(ks->name);
+ ERRMEM;
+ goto fail;
+ }
+
+ iter_tmp = iter_tmp->next;
+ while (iter_tmp) {
+ if (!strcmp(LYD_NAME(iter_tmp), "private-key-format")) {
+ if (nc_server_configure_private_key_format(iter_tmp, 0)) {
+ goto fail;
+ }
+ } else if (!strcmp(LYD_NAME(iter_tmp), "private-key-type")) {
+ if ((!strcmp(LYD_NAME(lyd_child(iter_tmp)), "cleartext-private-key")) &&
+ (!strcmp(LYD_NAME(lyd_child(lyd_child(iter_tmp))), "cleartext-private-key"))) {
+ ks->priv_base64 = strdup(lyd_get_value(lyd_child(lyd_child(iter_tmp))));
+ if (!ks->priv_base64) {
+ ERRMEM;
+ goto fail;
+ }
+ }
+ } else if (!strcmp(LYD_NAME(iter_tmp), "certificates")) {
+ if (nc_server_configure_certificates(iter_tmp, ks)) {
+ goto fail;
+ }
+ }
+ /* todo CSR? */
+ iter_tmp = iter_tmp->next;
+ }
+
+ server_opts.keystore_count++;
+ }
+
+ return 0;
+
+fail:
+ free(server_opts.keystore);
+ return 1;
+}
+
+API int
+nc_server_config_load_modules(struct ly_ctx **ctx)
+{
+ int i, new_ctx = 0;
+
+ if (!*ctx) {
+ if (ly_ctx_new(NC_SERVER_SEARCH_DIR, 0, ctx)) {
+ ERR(NULL, "Couldn't create new libyang context.\n");
+ goto error;
+ }
+ new_ctx = 1;
+ }
+
+ /* all features */
+ const char *ietf_nectonf_server[] = {"ssh-listen", "tls-listen", "ssh-call-home", "tls-call-home", "central-netconf-server-supported", NULL};
+ /* all features */
+ const char *ietf_x509_cert_to_name[] = {NULL};
+ /* no private-key-encryption and csr-generation */
+ const char *ietf_crypto_types[] = {
+ "one-symmetric-key-format", "one-asymmetric-key-format", "symmetrically-encrypted-value-format",
+ "asymmetrically-encrypted-value-format", "cms-enveloped-data-format", "cms-encrypted-data-format",
+ "p10-based-csrs", "certificate-expiration-notification", "hidden-keys", "password-encryption",
+ "symmetric-key-encryption", NULL
+ };
+ /* all features */
+ const char *ietf_tcp_common[] = {"keepalives-supported", NULL};
+ /* no ssh-x509-certs */
+ const char *ietf_ssh_common[] = {"transport-params", "public-key-generation", NULL};
+ /* all features */
+ const char *iana_ssh_encryption_algs[] = {NULL};
+ /* all features */
+ const char *iana_ssh_key_exchange_algs[] = {NULL};
+ /* all features */
+ const char *iana_ssh_mac_algs[] = {NULL};
+ /* all features */
+ const char *iana_ssh_public_key_algs[] = {NULL};
+ /* all features */
+ const char *ietf_keystore[] = {"central-keystore-supported", "local-definitions-supported", "asymmetric-keys", "symmetric-keys", NULL};
+ /* no ssh-server-keepalives and local-user-auth-hostbased */
+ const char *ietf_ssh_server[] = {"local-users-supported", "local-user-auth-publickey", "local-user-auth-password", "local-user-auth-none", NULL};
+ /* all features */
+ const char *ietf_truststore[] = {"central-truststore-supported", "local-definitions-supported", "certificates", "public-keys", NULL};
+ /* all features */
+ const char *ietf_tls_server[] = {
+ "tls-server-keepalives", "server-ident-x509-cert", "server-ident-raw-public-key", "server-ident-tls12-psk",
+ "server-ident-tls13-epsk", "client-auth-supported", "client-auth-x509-cert", "client-auth-raw-public-key",
+ "client-auth-tls12-psk", "client-auth-tls13-epsk", NULL
+ };
+ /* all features */
+ const char *libnetconf2_netconf_server[] = {NULL};
+
+ const char *module_names[] = {
+ "ietf-netconf-server", "ietf-x509-cert-to-name", "ietf-crypto-types",
+ "ietf-tcp-common", "ietf-ssh-common", "iana-ssh-encryption-algs",
+ "iana-ssh-key-exchange-algs", "iana-ssh-mac-algs", "iana-ssh-public-key-algs",
+ "ietf-keystore", "ietf-ssh-server", "ietf-truststore",
+ "ietf-tls-server", "libnetconf2-netconf-server", NULL
+ };
+
+ const char **module_features[] = {
+ ietf_nectonf_server, ietf_x509_cert_to_name, ietf_crypto_types,
+ ietf_tcp_common, ietf_ssh_common, iana_ssh_encryption_algs,
+ iana_ssh_key_exchange_algs, iana_ssh_mac_algs, iana_ssh_public_key_algs,
+ ietf_keystore, ietf_ssh_server, ietf_truststore,
+ ietf_tls_server, libnetconf2_netconf_server, NULL
+ };
+
+ for (i = 0; module_names[i] != NULL; i++) {
+ if (!ly_ctx_load_module(*ctx, module_names[i], NULL, module_features[i])) {
+ ERR(NULL, "Loading module \"%s\" failed.\n", module_names[i]);
+ goto error;
+ }
+ }
+
+ return 0;
+
+error:
+ if (new_ctx) {
+ ly_ctx_destroy(*ctx);
+ *ctx = NULL;
+ }
+ return 1;
+}
+
+API int
+nc_server_config_setup_path(const struct ly_ctx *ctx, const char *path)
+{
+ struct lyd_node *tree = NULL;
+ int ret = 0;
+
+ if (!path) {
+ ERRARG("Missing path parameter.");
+ ret = 1;
+ goto cleanup;
+ }
+
+ ret = lyd_parse_data_path(ctx, path, LYD_XML, LYD_PARSE_NO_STATE | LYD_PARSE_STRICT, LYD_VALIDATE_NO_STATE, &tree);
+ if (ret) {
+ goto cleanup;
+ }
+
+ ret = nc_server_config_setup(tree);
+ if (ret) {
+ goto cleanup;
+ }
+
+cleanup:
+ lyd_free_all(tree);
+ return ret;
+}
+
+API int
+nc_server_config_setup(const struct lyd_node *data)
+{
+ int ret = 0;
+ struct lyd_node *tree;
+ struct lyd_meta *m;
+ NC_OPERATION op;
+
+ /* LOCK */
+ pthread_rwlock_wrlock(&server_opts.config_lock);
+
+ ret = nc_fill_keystore(data);
+ if (ret) {
+ ERR(NULL, "Filling keystore failed.");
+ goto cleanup;
+ }
+
+ ret = lyd_find_path(data, "/ietf-netconf-server:netconf-server", 0, &tree);
+ if (ret) {
+ ERR(NULL, "Unable to find the netconf-server container in the YANG data.");
+ goto cleanup;
+ }
+
+ LY_LIST_FOR(tree->meta, m) {
+ if (!strcmp(m->name, "operation")) {
+ if (!strcmp(lyd_get_meta_value(m), "create")) {
+ op = NC_OP_CREATE;
+ } else if (!strcmp(lyd_get_meta_value(m), "delete")) {
+ op = NC_OP_DELETE;
+ } else if (!strcmp(lyd_get_meta_value(m), "replace")) {
+ op = NC_OP_REPLACE;
+ } else if (!strcmp(lyd_get_meta_value(m), "none")) {
+ op = NC_OP_NONE;
+ } else {
+ ERR(NULL, "Unexpected operation (%s).", lyd_get_meta_value(m));
+ ret = 1;
+ goto cleanup;
+ }
+ }
+ }
+
+ if (nc_session_server_parse_tree(tree, op)) {
+ ret = 1;
+ goto cleanup;
+ }
+
+cleanup:
+ /* UNLOCK */
+ pthread_rwlock_unlock(&server_opts.config_lock);
+ return ret;
+}
diff --git a/src/config_server.h b/src/config_server.h
new file mode 100644
index 0000000..9adfede
--- /dev/null
+++ b/src/config_server.h
@@ -0,0 +1,83 @@
+/**
+ * @file config_server.h
+ * @author Roman Janota <janota@cesnet.cz>
+ * @brief libnetconf2 server configuration
+ *
+ * @copyright
+ * Copyright (c) 2015 - 2021 CESNET, z.s.p.o.
+ *
+ * This source code is licensed under BSD 3-Clause License (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ */
+
+#ifndef NC_CONFIG_SERVER_H_
+#define NC_CONFIG_SERVER_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <libyang/libyang.h>
+#include <stdint.h>
+
+#include "netconf.h"
+#include "session.h"
+#include "session_p.h"
+
+/**
+ * @brief Configure server based on the given data.
+ *
+ * Expected data is a validated instance of a ietf-netconf-server YANG data.
+ * The data must be in the diff format and supported operations are: create, replace,
+ * delete and none. Context must already have implemented the required modules, see
+ * ::nc_config_load_modules().
+ *
+ * @param[in] data ietf-netconf-server YANG data.
+ * @return 0 on success, 1 on error.
+ */
+int nc_server_config_setup(const struct lyd_node *data);
+
+/**
+ * @brief Configure server based on the given ietf-netconf-server YANG data.
+ * Wrapper around ::nc_config_setup_server() hiding work with parsing the data.
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] path Path to the file with YANG data in XML format.
+ * @return 0 on success, 1 on error.
+ */
+int nc_server_config_setup_path(const struct ly_ctx *ctx, const char *path);
+
+/**
+ * @brief Implements all the required modules and their features in the context.
+ * Needs to be called before any other configuration functions.
+ *
+ * If ctx is :
+ * - NULL: a new context will be created and if the call is successful you have to free it,
+ * - non NULL: modules will simply be implemented.
+ *
+ * Implemented modules: ietf-netconf-server, ietf-x509-cert-to-name, ietf-crypto-types,
+ * ietf-tcp-common, ietf-ssh-common, iana-ssh-encryption-algs, iana-ssh-key-exchange-algs,
+ * iana-ssh-mac-algs, iana-ssh-public-key-algs, ietf-keystore, ietf-ssh-server, ietf-truststore,
+ * ietf-tls-server and libnetconf2-netconf-server.
+ *
+ * @param[in, out] ctx Optional context in which the modules will be implemented. Created if ctx is null.
+ * @return 0 on success, 1 on error.
+ */
+int nc_server_config_load_modules(struct ly_ctx **ctx);
+
+/**
+ * @brief Configures the listen subtree in the ietf-netconf-server module.
+ *
+ * @param[in] op Operation to be done on the subtree. Only does something if the operation is NC_OP_DELETE.
+ * @return 0 on success, 1 on error.
+ */
+int nc_server_configure_listen(NC_OPERATION op);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NC_SESSION_SERVER_H_ */
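Review bot: The Doxygen references in this header point at names that do not exist: the `nc_server_config_setup` comment says `::nc_config_load_modules()` where the function is `::nc_server_config_load_modules()`, the `nc_server_config_setup_path` comment says `::nc_config_setup_server()` where it is `::nc_server_config_setup()`, and the closing guard comment should read `#endif /* NC_CONFIG_SERVER_H_ */` to match the `#define` at the top. Including the private `session_p.h` from a header that the build lists among the public ones leaks internal types such as `NC_OPERATION` and the server option structs into the installed API; only `nc_server_configure_listen(NC_OPERATION)` needs it, so that declaration belongs in a private header. The `nc_server_config_setup` contract should also mention that the call holds the server configuration write lock for its whole duration and that a `ks:keystore` subtree in `data`, if present, is processed before the `netconf-server` container, since both facts matter to callers that configure from several threads or split their data.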
diff --git a/src/log_p.h b/src/log_p.h
index 5f772d4..0feb8cc 100644
--- a/src/log_p.h
+++ b/src/log_p.h
@@ -52,5 +52,11 @@
#define ERRARG(arg) ERR(NULL, "%s: invalid argument (%s).", __func__, arg)
#define ERRINIT ERR(NULL, "%s: libnetconf2 not initialized.", __func__)
#define ERRINT ERR(NULL, "%s: internal error (%s:%d).", __func__, __FILE__, __LINE__)
+#define ERRNODE(name) ERR(NULL, "%s: missing node (%s) in the YANG data.", __func__, name)
+#define UNEXNODE(name) VRB(NULL, "%s: unexpected node (%s) in the YANG data.", __func__, name)
+#define CHECKNODE(node, name) if (strcmp(LYD_NAME(node), name)) { \
+ ERR(NULL, "%s: missing node (%s) in the YANG data.", __func__, name); \
+ return 1; \
+ }
#endif /* NC_LOG_PRIVATE_H_ */
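Review bot: `CHECKNODE` expands to a bare `if` statement, so `CHECKNODE(n, "x"); else ...` misparses and the trailing semicolon at every use leaves an empty statement; wrap it as `#define CHECKNODE(node, name) do { if (strcmp(LYD_NAME(node), name)) { ERR(NULL, "%s: missing node (%s) in the YANG data.", __func__, name); return 1; } } while (0)`. The hidden `return 1` deserves a comment above the macro, e.g. `/* returns 1 from the calling function when the node is not named 'name' */`, because callers cannot see that control flow at the use site. `UNEXNODE` logs at VRB level while `ERRNODE` logs at ERR level; if an unexpected node is deliberately not an error, a one-line comment saying so avoids the asymmetry being read as a mistake.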
diff --git a/src/session.c b/src/session.c
index d148fcf..1a7f1e5 100644
--- a/src/session.c
+++ b/src/session.c
@@ -125,7 +125,7 @@
}
int
-nc_sock_enable_keepalive(int sock, struct nc_keepalives *ka)
+nc_sock_configure_keepalive(int sock, struct nc_keepalives *ka)
{
int opt;
@@ -754,24 +754,6 @@
/* there are still multiple sessions, keep the ring list */
siter->ti.libssh.next = session->ti.libssh.next;
}
-
- /* change nc_sshcb_msg() argument, we need a RUNNING session and this one will be freed */
- if (session->flags & NC_SESSION_SSH_MSG_CB) {
- siter = session->ti.libssh.next;
- while (siter && (siter->status != NC_STATUS_RUNNING)) {
- if (siter->ti.libssh.next == session) {
- ERRINT;
- break;
- }
- siter = siter->ti.libssh.next;
- }
- /* siter may be NULL in case all the sessions terminated at the same time (socket was disconnected),
- * we set session to NULL because we do not expect any new message to arrive */
- ssh_set_message_callback(session->ti.libssh.session, nc_sshcb_msg, siter);
- if (siter) {
- siter->flags |= NC_SESSION_SSH_MSG_CB;
- }
- }
}
/* SESSION IO UNLOCK */
@@ -1032,6 +1014,8 @@
uint32_t i, u;
LY_ARRAY_COUNT_TYPE v;
char *yl_content_id;
+ uint32_t wd_also_supported;
+ uint32_t wd_basic_mode;
#define NC_CPBLT_BUF_LEN 4096
char str[NC_CPBLT_BUF_LEN];
@@ -1088,11 +1072,12 @@
mod = ly_ctx_get_module_implemented(ctx, "ietf-netconf-with-defaults");
if (mod) {
- if (!server_opts.wd_basic_mode) {
+ wd_basic_mode = ATOMIC_LOAD_RELAXED(server_opts.wd_basic_mode);
+ if (!wd_basic_mode) {
VRB(NULL, "with-defaults capability will not be advertised even though \"ietf-netconf-with-defaults\" model is present, unknown basic-mode.");
} else {
strcpy(str, "urn:ietf:params:netconf:capability:with-defaults:1.0");
- switch (server_opts.wd_basic_mode) {
+ switch (wd_basic_mode) {
case NC_WD_ALL:
strcat(str, "?basic-mode=report-all");
break;
@@ -1107,18 +1092,19 @@
break;
}
- if (server_opts.wd_also_supported) {
+ wd_also_supported = ATOMIC_LOAD_RELAXED(server_opts.wd_also_supported);
+ if (wd_also_supported) {
strcat(str, "&also-supported=");
- if (server_opts.wd_also_supported & NC_WD_ALL) {
+ if (wd_also_supported & NC_WD_ALL) {
strcat(str, "report-all,");
}
- if (server_opts.wd_also_supported & NC_WD_ALL_TAG) {
+ if (wd_also_supported & NC_WD_ALL_TAG) {
strcat(str, "report-all-tagged,");
}
- if (server_opts.wd_also_supported & NC_WD_TRIM) {
+ if (wd_also_supported & NC_WD_TRIM) {
strcat(str, "trim,");
}
- if (server_opts.wd_also_supported & NC_WD_EXPLICIT) {
+ if (wd_also_supported & NC_WD_EXPLICIT) {
strcat(str, "explicit,");
}
str[strlen(str) - 1] = '\0';
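Review bot: `wd_basic_mode` and `wd_also_supported` are snapshotted by two separate relaxed loads, one before the `switch` in the previous hunk and one after it here, so a concurrent configuration change between them can advertise a with-defaults capability whose basic-mode comes from one configuration and also-supported from another. Loading both at the top of the block, i.e. moving `wd_also_supported = ATOMIC_LOAD_RELAXED(server_opts.wd_also_supported);` directly after the `wd_basic_mode` load, keeps the advertised string self-consistent. A short `/* snapshot both values once so the capability string is built from one consistent configuration */` would record why the locals exist. The enclosing function starts outside these hunks.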
diff --git a/src/session_client.c b/src/session_client.c
index 00d78db..e086fa2 100644
--- a/src/session_client.c
+++ b/src/session_client.c
@@ -1650,7 +1650,7 @@
}
/* enable keep-alive */
- if (nc_sock_enable_keepalive(sock, ka)) {
+ if (nc_sock_configure_keepalive(sock, ka)) {
goto cleanup;
}
diff --git a/src/session_client_ssh.c b/src/session_client_ssh.c
index 647a526..bacfc13 100644
--- a/src/session_client_ssh.c
+++ b/src/session_client_ssh.c
@@ -167,6 +167,7 @@
}
free(opts->keys);
free(opts->username);
+ opts->key_count = 0;
opts->keys = NULL;
opts->username = NULL;
}
@@ -1213,7 +1214,6 @@
ERR(session, "Authentication failed (%s).", ssh_get_error(ssh_sess));
return -1;
} else if (ret_auth == SSH_AUTH_SUCCESS) {
- WRN(session, "Server accepts \"none\" authentication method.")
return 1;
}
diff --git a/src/session_p.h b/src/session_p.h
index b352cc4..3db1457 100644
--- a/src/session_p.h
+++ b/src/session_p.h
@@ -43,6 +43,33 @@
/* number of all supported authentication methods */
# define NC_SSH_AUTH_COUNT 3
+/**
+ * Enumeration of diff operation types.
+ */
+typedef enum {
+ NC_OP_NONE,
+ NC_OP_CREATE,
+ NC_OP_DELETE,
+ NC_OP_REPLACE
+} NC_OPERATION;
+
+/**
+ * Enumeration of key or certificate store type.
+ */
+typedef enum {
+ NC_STORE_LOCAL, /**< key/certificate is stored locally in the ietf-netconf-server YANG data */
+ NC_STORE_KEYSTORE, /**< key/certificate is stored externally in a keystore module YANG data */
+ NC_STORE_TRUSTSTORE /**< key/certificate is stored externally in a truststore module YANG data */
+} NC_STORE_TYPE;
+
+/**
+ * Enumeration of SSH public key representation types.
+ */
+typedef enum {
+ NC_SSH_PUBKEY_SSH2, /**< begins with BEGIN SSH2 PUBLICKEY, see RFC 4716 */
+ NC_SSH_PUBKEY_X509 /**< begins with BEGIN PUBLICKEY, see RFC 5280 sec. 4.1.2.7 */
+} NC_SSH_PUBKEY_TYPE;
+
/* ACCESS unlocked */
struct nc_client_ssh_opts {
/* SSH authentication method preferences */
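Review bot: The `NC_SSH_PUBKEY_TYPE` comments give the key-file labels without their spaces: RFC 4716 uses `---- BEGIN SSH2 PUBLIC KEY ----`, and a SubjectPublicKeyInfo (RFC 5280 sec. 4.1.2.7) is carried under the RFC 7468 PEM label `-----BEGIN PUBLIC KEY-----`. Code that classifies a key by its header will presumably match on these exact strings, so the comments should quote them verbatim, e.g. `NC_SSH_PUBKEY_SSH2, /**< begins with "---- BEGIN SSH2 PUBLIC KEY ----", see RFC 4716 */` and `NC_SSH_PUBKEY_X509 /**< begins with "-----BEGIN PUBLIC KEY-----" (SubjectPublicKeyInfo), see RFC 5280 sec. 4.1.2.7 and RFC 7468 */`.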
@@ -74,13 +101,71 @@
char *username;
};
+struct nc_certificate {
+ char *name;
+ char *cert_data;
+};
+
+struct nc_keystore {
+ char *name;
+ char *pub_base64;
+ char *priv_base64;
+ NC_SSH_KEY_TYPE privkey_type;
+
+ struct nc_certificate *certs;
+ uint16_t cert_count;
+};
+
+struct nc_client_auth {
+ char *username;
+
+ NC_STORE_TYPE ks_type;
+ union {
+ struct {
+ struct nc_client_auth_pubkey {
+ char *name;
+ char *pub_base64;
+ NC_SSH_PUBKEY_TYPE pubkey_type;
+ } *pubkeys;
+ uint16_t pubkey_count;
+ };
+ char *ts_reference;
+ };
+
+ char *password;
+ char *pam_config_name;
+ char *pam_config_dir;
+ int supports_none;
+};
+
+struct nc_hostkey {
+ char *name;
+
+ NC_STORE_TYPE ks_type;
+ union {
+ struct {
+ NC_SSH_PUBKEY_TYPE pubkey_type;
+ char *pub_base64;
+ NC_SSH_KEY_TYPE privkey_type;
+ char *priv_base64;
+ };
+ struct nc_keystore *keystore;
+ };
+};
+
/* ACCESS locked, separate locks */
struct nc_server_ssh_opts {
- /* SSH bind options */
- char **hostkeys;
- uint8_t hostkey_count;
+ struct nc_hostkey *hostkeys; /* everything in ks */
+ uint16_t hostkey_count;
- int auth_methods;
+ struct nc_client_auth *auth_clients;
+ uint16_t client_count;
+
+ char *hostkey_algs;
+ char *encryption_algs;
+ char *kex_algs;
+ char *mac_algs;
+
uint16_t auth_attempts;
uint16_t auth_timeout;
};
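Review bot: The `ks_type`/union pairs in `nc_client_auth` and `nc_hostkey` do not say which member is valid for which `NC_STORE_TYPE`, and `nc_hostkey` has no member at all for `NC_STORE_TRUSTSTORE`; a comment per union member such as `/* valid when ks_type == NC_STORE_LOCAL */` on the anonymous struct and `/* valid when ks_type == NC_STORE_KEYSTORE */` on `keystore` (respectively `ts_reference`) makes the invariant checkable at the use sites. `nc_hostkey.keystore` is a raw pointer, presumably into the `server_opts.keystore` array, and that array is grown with `realloc` in `nc_fill_keystore`; any pointer taken before a later reallocation becomes dangling, so storing an index or the key name and resolving it under the lock would be safer. `nc_keystore.priv_base64` and `nc_hostkey.priv_base64` hold cleartext private key material, so the field comment should state who owns and frees them and that they are wiped (e.g. `explicit_bzero`) before `free`; the cleanup code is not in this diff, so that is a point to confirm rather than a defect seen here.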
@@ -142,6 +227,13 @@
gid_t gid;
};
+struct nc_bind {
+ char *address;
+ uint16_t port;
+ int sock;
+ int pollin;
+};
+
/* ACCESS unlocked */
struct nc_client_opts {
char *schema_searchpath;
@@ -150,12 +242,7 @@
void *schema_clb_data;
struct nc_keepalives ka;
- struct nc_bind {
- char *address;
- uint16_t port;
- int sock;
- int pollin;
- } *ch_binds;
+ struct nc_bind *ch_binds;
struct {
NC_TRANSPORT_IMPL ti;
@@ -181,8 +268,8 @@
struct nc_server_opts {
/* ACCESS unlocked */
- NC_WD_MODE wd_basic_mode;
- int wd_also_supported;
+ ATOMIC_T wd_basic_mode;
+ ATOMIC_T wd_also_supported;
uint32_t capabilities_count;
char **capabilities;
@@ -192,8 +279,8 @@
void (*content_id_data_free)(void *data);
/* ACCESS unlocked */
- uint16_t hello_timeout;
- uint16_t idle_timeout;
+ ATOMIC_T hello_timeout;
+ ATOMIC_T idle_timeout;
#ifdef NC_ENABLED_SSH
int (*passwd_auth_clb)(const struct nc_session *session, const char *password, void *user_data);
@@ -211,8 +298,6 @@
int (*interactive_auth_clb)(const struct nc_session *session, ssh_message msg, void *user_data);
void *interactive_auth_data;
void (*interactive_auth_data_free)(void *data);
- char *conf_name;
- char *conf_dir;
#endif
#ifdef NC_ENABLED_TLS
int (*user_verify_clb)(const struct nc_session *session);
@@ -233,31 +318,14 @@
void (*trusted_cert_list_data_free)(void *data);
#endif
-#ifdef NC_ENABLED_SSH
- /* ACCESS locked with authkey_lock */
- struct {
- char *path;
- char *base64;
- NC_SSH_KEY_TYPE type;
- char *username;
- } *authkeys;
- uint16_t authkey_count;
- pthread_mutex_t authkey_lock;
+ pthread_rwlock_t config_lock;
+ struct nc_keystore *keystore; /**< store for keys/certificates */
+ uint16_t keystore_count;
- int (*hostkey_clb)(const char *name, void *user_data, char **privkey_path, char **privkey_data,
- NC_SSH_KEY_TYPE *privkey_type);
- void *hostkey_data;
- void (*hostkey_data_free)(void *data);
-#endif
-
- /* ACCESS locked, add/remove endpts/binds - bind_lock + WRITE endpt_lock (strict order!)
- * modify endpts - WRITE endpt_lock
- * access endpts - READ endpt_lock
- * modify/poll binds - bind_lock */
struct nc_bind *binds;
- pthread_mutex_t bind_lock;
struct nc_endpt {
char *name;
+ int changed;
NC_TRANSPORT_IMPL ti;
struct nc_keepalives ka;
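Review bot: The removed `/* ACCESS locked ... */` block was the only description of the locking discipline for `binds` and `endpts`, and nothing documents the replacement `config_lock`: which fields it guards, which operations need the WRITE versus READ side, and how it orders against `ch_client_lock` below. From the visible callers, `nc_server_config_setup` takes it for writing around keystore and endpoint changes and the TLS setters release it after endpoint access, so a comment along the lines of `/* ACCESS locked, config_lock: WRITE for configuration changes (keystore, binds, endpts), READ for lookups during accept */` captures what this diff shows, with the ordering relative to `ch_client_lock` to be filled in by whoever knows it. `nc_endpt.changed` is also new and undocumented; a one-line `/**< ... */` saying what sets and consumes it would help, since an `int` flag next to a socket-bearing struct is easy to misread.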
@@ -272,7 +340,6 @@
} opts;
} *endpts;
uint16_t endpt_count;
- pthread_rwlock_t endpt_lock;
/* ACCESS locked, add/remove CH clients - WRITE lock ch_client_lock
* modify CH clients - READ lock ch_client_lock + ch_client_lock */
@@ -477,11 +544,6 @@
# define NC_SESSION_SSH_AUTHENTICATED 0x10
/* netconf subsystem requested */
# define NC_SESSION_SSH_SUBSYS_NETCONF 0x20
- /* new SSH message arrived */
-# define NC_SESSION_SSH_NEW_MSG 0x40
- /* this session is passed to nc_sshcb_msg() */
-# define NC_SESSION_SSH_MSG_CB 0x80
-
uint16_t ssh_auth_attempts; /**< number of failed SSH authentication attempts */
#endif
#ifdef NC_ENABLED_TLS
@@ -531,6 +593,7 @@
struct nc_pam_thread_arg {
ssh_message msg; /**< libssh message */
struct nc_session *session; /**< NETCONF session */
+ struct nc_server_ssh_opts *opts; /**< SSH server opts */
};
#endif
@@ -566,7 +629,7 @@
const char *nc_keytype2str(NC_SSH_KEY_TYPE type);
-int nc_sock_enable_keepalive(int sock, struct nc_keepalives *ka);
+int nc_sock_configure_keepalive(int sock, struct nc_keepalives *ka);
struct nc_session *nc_new_session(NC_SIDE side, int shared_ti);
@@ -789,17 +852,17 @@
* @param[in] timeout Transport operations timeout in msec (not SSH authentication one).
* @return 1 on success, 0 on timeout, -1 on error.
*/
-int nc_accept_ssh_session(struct nc_session *session, int sock, int timeout);
+int nc_accept_ssh_session(struct nc_session *session, struct nc_server_ssh_opts *opts, int sock, int timeout);
/**
- * @brief Callback called when a new SSH message is received.
+ * @brief Process a SSH message.
*
- * @param[in] sshsession SSH session the message arrived on.
+ * @param[in] session Session structure of the connection.
+ * @param[in] opts Endpoint SSH options on which the session was created.
* @param[in] msg SSH message itself.
- * @param[in] data NETCONF session running on @p sshsession.
* @return 0 if the message was handled, 1 if it is left up to libssh.
*/
-int nc_sshcb_msg(ssh_session sshsession, ssh_message msg, void *data);
+int nc_session_ssh_msg(struct nc_session *session, struct nc_server_ssh_opts *opts, ssh_message msg);
void nc_server_ssh_clear_opts(struct nc_server_ssh_opts *opts);
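Review bot: `nc_accept_ssh_session` gains an `opts` parameter but its doc block, which starts outside the hunk, still documents only `session`, `sock` and `timeout`; add `@param[in] opts Endpoint SSH options used to accept the session.` next to the existing `@param` lines. The `nc_session_ssh_msg` comment should also state whether the caller must hold `config_lock` while `opts` is dereferenced, because `opts` presumably points at an endpoint's options inside `server_opts` rather than at a private copy, and the endpoint array can be changed under it by a configuration update.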
diff --git a/src/session_server_tls.c b/src/session_server_tls.c
index 9b9b3f1..76b3c8c 100644
--- a/src/session_server_tls.c
+++ b/src/session_server_tls.c
@@ -932,7 +932,7 @@
}
ret = nc_server_tls_set_server_cert(name, endpt->opts.tls);
/* UNLOCK */
- pthread_rwlock_unlock(&server_opts.endpt_lock);
+ pthread_rwlock_unlock(&server_opts.config_lock);
return ret;
}
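Review bot: Only the `pthread_rwlock_unlock` side changes from `endpt_lock` to `config_lock` in this hunk and in the eight that follow (the hunks around `nc_server_tls_add_trusted_cert_list` through `nc_server_tls_get_ctn`); the matching lock acquisition lies outside every hunk, so please confirm it was switched to `config_lock` in the same commit, since unlocking a rwlock that this thread did not lock is undefined behaviour and a mismatch would not be caught at compile time. Writing the unlock comment as `/* UNLOCK config_lock */` at each site makes such mismatches visible in a plain diff. The enclosing functions start outside the hunks.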
@@ -1025,7 +1025,7 @@
}
ret = nc_server_tls_add_trusted_cert_list(name, endpt->opts.tls);
/* UNLOCK */
- pthread_rwlock_unlock(&server_opts.endpt_lock);
+ pthread_rwlock_unlock(&server_opts.config_lock);
return ret;
}
@@ -1116,7 +1116,7 @@
}
ret = nc_server_tls_del_trusted_cert_list(name, endpt->opts.tls);
/* UNLOCK */
- pthread_rwlock_unlock(&server_opts.endpt_lock);
+ pthread_rwlock_unlock(&server_opts.config_lock);
return ret;
}
@@ -1181,7 +1181,7 @@
}
ret = nc_server_tls_set_trusted_ca_paths(ca_file, ca_dir, endpt->opts.tls);
/* UNLOCK */
- pthread_rwlock_unlock(&server_opts.endpt_lock);
+ pthread_rwlock_unlock(&server_opts.config_lock);
return ret;
}
@@ -1272,7 +1272,7 @@
}
ret = nc_server_tls_set_crl_paths(crl_file, crl_dir, endpt->opts.tls);
/* UNLOCK */
- pthread_rwlock_unlock(&server_opts.endpt_lock);
+ pthread_rwlock_unlock(&server_opts.config_lock);
return ret;
}
@@ -1327,7 +1327,7 @@
}
nc_server_tls_clear_crls(endpt->opts.tls);
/* UNLOCK */
- pthread_rwlock_unlock(&server_opts.endpt_lock);
+ pthread_rwlock_unlock(&server_opts.config_lock);
}
API void
@@ -1422,7 +1422,7 @@
}
ret = nc_server_tls_add_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
/* UNLOCK */
- pthread_rwlock_unlock(&server_opts.endpt_lock);
+ pthread_rwlock_unlock(&server_opts.config_lock);
return ret;
}
@@ -1520,7 +1520,7 @@
}
ret = nc_server_tls_del_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
/* UNLOCK */
- pthread_rwlock_unlock(&server_opts.endpt_lock);
+ pthread_rwlock_unlock(&server_opts.config_lock);
return ret;
}
@@ -1608,7 +1608,7 @@
}
ret = nc_server_tls_get_ctn(id, fingerprint, map_type, name, endpt->opts.tls);
/* UNLOCK */
- pthread_rwlock_unlock(&server_opts.endpt_lock);
+ pthread_rwlock_unlock(&server_opts.config_lock);
return ret;
}
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 663c0c4..8796d89 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -8,11 +8,11 @@
endif()
# list of all the tests in each directory
-set(tests test_io test_fd_comm test_init_destroy_client test_init_destroy_server test_client_thread test_thread_messages)
+set(tests test_nc3)
# only enable PAM tests if the version of PAM is greater than 1.4
if(LIBPAM_HAVE_CONFDIR)
- list(APPEND tests test_pam)
+ list(APPEND tests test_auth test_two_channels)
endif()
set(client_tests test_client test_client_messages)
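Review bot: The `tests` list is reduced to `test_nc3`, silently dropping test_io, test_fd_comm, test_init_destroy_client, test_init_destroy_server, test_client_thread and test_thread_messages, and the next hunk comments out `test_server_thread` rather than removing it; if these are temporarily disabled while the API settles, a `# TODO: re-enable the disabled tests once ported to the YANG-based configuration` next to the list says so, otherwise the commented line should go. `test_auth` and `test_two_channels` are now built only when `LIBPAM_HAVE_CONFDIR` is set, so a build without that PAM version runs no authentication test at all; if only some of their cases need PAM, keeping the PAM-independent part unconditional preserves coverage.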
@@ -37,7 +37,7 @@
#append tests depending on SSH/TLS
if(ENABLE_SSH OR ENABLE_TLS)
- list(APPEND tests test_server_thread)
+ #list(APPEND tests test_server_thread)
if(ENABLE_SSH)
list(APPEND client_tests test_client_ssh)
endif()
diff --git a/tests/client/test_client_ssh.c b/tests/client/test_client_ssh.c
index 8d50145..175577b 100644
--- a/tests/client/test_client_ssh.c
+++ b/tests/client/test_client_ssh.c
@@ -23,6 +23,7 @@
#include <cmocka.h>
#include <config.h>
+#include <config_server.h>
#include <libyang/libyang.h>
#include <log.h>
#include <session_client.h>
@@ -34,6 +35,67 @@
#include <libssh/libssh.h>
#include <libssh/server.h>
+const char *data =
+ "<netconf-server xmlns=\"urn:ietf:params:xml:ns:yang:ietf-netconf-server\" xmlns:yang=\"urn:ietf:params:xml:ns:yang:1\" yang:operation=\"none\">\n"
+ " <listen yang:operation=\"create\">\n"
+ " <idle-timeout>10</idle-timeout>\n"
+ " <endpoint>\n"
+ " <name>default-ssh</name>\n"
+ " <ssh>\n"
+ " <tcp-server-parameters>\n"
+ " <local-address>127.0.0.1</local-address>\n"
+ " <local-port>10005</local-port>\n"
+ " </tcp-server-parameters>\n"
+ " <ssh-server-parameters>\n"
+ " <server-identity>\n"
+ " <host-key>\n"
+ " <name>key</name>\n"
+ " <public-key>\n"
+ " <local-definition>\n"
+ " <public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>\n"
+ " <public-key>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</public-key>\n"
+ " <private-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:rsa-private-key-format</private-key-format>\n"
+ " <cleartext-private-key>MIIJKAIBAAKCAgEA6ojtjfDmvyQP1ZkIwBpr97eKDuebvpoglRHRdvVuTpf/gU1VArAQmwGh05i6lm8TkVl1noMlIxLJDcWslaeVn6KyvsX0HhsQtXwqPqwka5UCv6alwf/ivAvcNpcX1j0t/uIGCI4dSiKnzQCyf0FTirzQkjrDZUd3meDhNQTruCalGV4gfNWIq3e1oGuwAn1tLlu9oTrE4HzMpgbNEU6wNmsSqpwGxUhYLoSaM7b0dLmqP+ZczSS0Uac0PFNkehGQ2CYIT80f580o4XGtoLCUUGkp6YCTL4Z2CeBEaJABWjDIDH+dKYIUBqUpz4Th12gXAP+h+3qI6+9eppeHrfrzARDsfLjwUNxQJse1QSArjAytf0FKtGHrORc7W0TiCFvR0zaoUNLTKk7enTiRQ9rfWZOAu44fUvPCaXDE6zXXeaVgoKCo4VHlho36erUcjlEBM+jk28IykbZGtBb6igKvYa1tPSgeYm/zJoFVjQcnr14uci/ft1+Na+hOIEoEEiKxcAPk2b2vBKNlRIW7WLJ3u7ZiuQEJTNm6+3cE4+lfwaBCBqBToE+dpzvoUXoMyFFReUFd1O5axu4fXgt00jMaOQxmE0v9OmR/pL/PWIflVF4Zz5yVONYaDVc7l+veY0oEZruEPJ0hlEgxuCzLrcMhjufl2qE2Q7fQIaav/1NqBVkCAwEAAQKCAgAeRZw75Oszoqj0jfMmMILdD3Cfad+dY3FvLESYESeyt0XAX8XoOed6ymQj1qPGxQGGkkBvPEgv1b3jrC8Rhfb3Ct39Z7mRpTar5iHhwwBUboBTUmQ0vR173iAHX8sw2Oa17mCO/CDlr8Fu4Xcom7r3vlVBepo72VSjpPYMjN0MANjwhEi3NCyWzTXBRgUK3TuZbzfzto0w2Irlpx0S7dAqxfk70jXBgwv2vSDWKfg1lL1X0BkMVX98xpMkcjMW2muSqp4KBtTma4GqT6z0f7Y1Bs3lGLZmvPlBXxQVVvkFtiQsENCtSd/h17Gk2mb4EbReaaBzwCYqJdRWtlpJ54kzy8U00co+Yn//ZS7sbbIDkqHPnXkpdIr+0rEDMlOw2Y3vRZCxqZFqfWCW0uzhwKqk2VoYqtDL+ORKG/aG/KTBQ4Y71Uh+7aabPwj5R+NaVMjbqmrVeH70eKjoNVgcNYY1C9rGVF1d+LQEm7UsqS0DPp4wN9QKLAqIfuarAhQBhZy1R7Sj1r5macD9DsGxsurM4mHZV0LNmYLZiFHjTUb6iRSPD5RBFW80vcNtxZ0cxmkLtxrj/DVyExV11Cl0SbZLLa9mScYvxdl/qZutXt3PQyab0NiYxGzCD2RnLkCyxkh1vuHHjhvIWYfbd2VgZB/qGr+o9T07FGfMCu23//fugQKCAQEA9UH38glH/rAjZ431sv6ryUEFY8I2FyLTijtvoj9CNGcQn8vJQAHvUPfMdyqDoum6wgcTmG+UXA6mZzpGQCiY8JW5CoItgXRoYgNzpvVVe2aLf51QGtNLLEFpNDMpCtI+I+COpAmGvWAukku0pZfRjm9eb1ydvTpHlFC9+VhVUsLzw3VtSC5PVW6r65mZcYcB6SFVPap+31ENP/9jOMFoymh57lSMZJMxTEA5b0l2miFb9Rp906Zqiud5zv2jIqF6gL70giW3ovVxR7LGKKTKIa9pxawHwB6Ithygs7YoJkjF2dm8pZTMZKsQN92K70XGj07SmYRLZpkVD7i+cqbbKQKCAQEA9M6580Rcw6W0twfcy0/iB4U5ZS52EcCjW8vHlL+MpUo7YvXadSgV1ZaM28zW/ZGk3wE0zy1YT5s30SQkm0NiWN3t/J0l19ccAOxlPWfjhF7vIQZr7XMo5HeaK0Ak5+68J6bx6KgcXmlJOup7INaE8DyGXB6vd4K6957IXyqs3/bfJAUmz49hnveCfLFdTVVT/Uq4IoPKfQSbSZc0BvPBsnBCF164l4jll
GBaWS302dhgW4cgxzG0SZGgNwow4AhB+ygiiS8yvOa7UcHfUObVrzWeeq9mYSQ1PkvUTjkWR2/Y8xy7WP0TRBdJOVSs90H51lerEDGNQWvQvI97S9ZOsQKCAQB59u9lpuXtqwxAQCFyfSFSuQoEHR2nDcOjF4GhbtHum15yCPaw5QVs/33nuPWze4ZLXReKk9p0mTh5V0p+N3IvGlXl+uzEVu5d55eI7LIw5sLymHmwjWjxvimiMtrzLbCHSPHGc5JU9NLUH9/bBY/JxGpy+NzcsHHOOQTwTdRIjviIOAo7fgQn2RyX0k+zXE8/7zqjqvji9zyemdNu8we4uJICSntyvJwkbj/hrufTKEnBrwXpzfVn1EsH+6w32ZPBGLUhT75txJ8r56SRq7l1XPU9vxovmT+lSMFF/Y0j1MbHWnds5H1shoFPNtYTvWBL/gfPHjIc+H23zsiu3XlZAoIBAC2xB/Pnpoi9vOUMiqFH36AXtYa1DURy+AqCFlYlClMvb7YgvQ1w1eJvnwrHSLk7HdKhnwGsLPduuRRH8q0n/osnoOutSQroE0n41UyIv2ZNccRwNmSzQcairBu2dSz02hlsh2otNl5IuGpOqXyPjXBpW4qGD6n2tH7THALnLC0BHtTSQVQsJsRM3gX39LoiWvLDp2qJvplm6rTpi8Rgap6rZSqHe1yNKIxxD2vlr/WY9SMgLXYASO4SSBz9wfGOmQIPk6KXNJkdV4kC7nNjIi75iwLLCgjHgUiHTrDq5sWekpeNnUoWsinbTsdsjnv3zHG9GyiClyLGxMbs4M5eyYECggEBAKuC8ZMpdIrjk6tERYB6g0LnQ7mW8XYbDFAmLYMLs9yfG2jcjVbsW9Kugsr+3poUUv/q+hNO3jfY4HazhZDa0MalgNPoSwr/VNRnkck40x2ovFb989J7yl++zTrnIrax9XRH1V0cNu+Kj7OMwZ2RRfbNv5JBdOZPvkfqyIKFmbQgYbtD66rHuzNOfJpzqr/WVLO57/zzW8245NKG2B6B0oXkei/KqDY0DAbHR3i3EOj1NPtVI1FC/xX8R9BREaid458bqoHJKuInrGcBjaUI9Cvymv8TbstUgD6NPbJR4Sm6vrLeUqzjWZP3t1+Z6DjXmnpR2vvhMU/FWb//21p/88o=</cleartext-private-key>\n"
+ " </local-definition>\n"
+ " </public-key>\n"
+ " </host-key>\n"
+ " </server-identity>\n"
+ " <client-authentication>\n"
+ " <users>\n"
+ " <user>\n"
+ " <name>test</name>\n"
+ " <public-keys>\n"
+ " <local-definition>\n"
+ " <public-key>\n"
+ " <name>client</name>\n"
+ " <public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>\n"
+ " <public-key>AAAAB3NzaC1yc2EAAAADAQABAAABAQDPavVALiM7QwTIUAndO8E9GOkSDQWjuEwkzbJ3kOBPa7kkq71UOZFeecDjFb9eipkljfFys/JYHGQaYVF8/svT0KV5h7HlutRdF6yvqSEbjpbTORb27pdHX3iFEyDCwCIoq9vMeX+wyXnteyn01GpIL0ig0WAnvkqX/SPjuplX5ZItUSr0MhXM7fNSX50BD6G8IO0/djUcdMUcjTjGv73SxB9ZzLvxnhXuUJbzEJJJLj6qajyEIVaJSa73vA33JCD8qzarrsuITojVLPDFmeHwSAoB5dP86yop6e6ypuXzKxxef6yNXcE8oTj8UFYBIXsgIP2nBvWk41EaK0Vk3YFl</public-key>\n"
+ " </public-key>\n"
+ " </local-definition>\n"
+ " </public-keys>\n"
+ " </user>\n"
+ " </users>\n"
+ " </client-authentication>\n"
+ " <transport-params>\n"
+ " <host-key>\n"
+ " <host-key-alg xmlns:sshpka=\"urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs\">sshpka:rsa-sha2-512</host-key-alg>\n"
+ " </host-key>\n"
+ " <key-exchange>\n"
+ " <key-exchange-alg xmlns:sshkea=\"urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs\">sshkea:curve25519-sha256</key-exchange-alg>\n"
+ " </key-exchange>\n"
+ " <encryption>\n"
+ " <encryption-alg xmlns:sshea=\"urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs\">sshea:aes256-ctr</encryption-alg>\n"
+ " </encryption>\n"
+ " <mac>\n"
+ " <mac-alg xmlns:sshma=\"urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs\">sshma:hmac-sha2-512</mac-alg>\n"
+ " </mac>\n"
+ " </transport-params>\n"
+ " </ssh-server-parameters>\n"
+ " </ssh>\n"
+ " </endpoint>\n"
+ " </listen>\n"
+ "</netconf-server>\n";
+
static int
ssh_hostkey_check_clb(const char *hostname, ssh_session session, void *priv)
{
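Review bot: `const char *data` at the top of the added block is an exported global with a very generic name in a test translation unit; `static const char data[] = ...` keeps it file-local and lets the compiler place the literal in read-only storage. The same fixture, including the cleartext RSA host key, is pasted verbatim into tests/test_auth.c and tests/test_nc3.c later in this diff; if the client public key under user `test` is the one in tests/data/key_rsa.pub (the path used by the keypair call in the next hunk), keeping a single copy under tests/data and reading it in would make it obvious that this is throwaway test material and stop the three copies drifting apart.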
@@ -596,7 +658,7 @@
}
static void
-test_nc_connect_ssh_pubkey_succesfull(void **state)
+test_nc_connect_ssh_pubkey_ecdsa_succesfull(void **state)
{
(void)state;
struct nc_session *session;
@@ -633,6 +695,65 @@
/* disconnect */
will_return(__wrap_ssh_channel_poll_timeout, 0);
nc_session_free(session, NULL);
+
+ /* delete the keypair */
+ ret = nc_client_ssh_del_keypair(0);
+ assert_int_equal(ret, 0);
+}
+
+static void
+test_nc_connect_ssh_pubkey_succesfull(void **state)
+{
+ (void)state;
+ struct nc_session *session;
+ struct ly_ctx *ctx;
+ struct lyd_node *tree;
+ int ret = 0;
+
+ /* set authentication method to use password authentication */
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_PASSWORD, -1);
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_PUBLICKEY, 1);
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_INTERACTIVE, -1);
+
+ /* add keypair for authentication */
+ ret = nc_client_ssh_add_keypair(TESTS_DIR "/data/key_rsa.pub", TESTS_DIR "/data/key_rsa");
+ assert_int_equal(ret, 0);
+
+ /* fake succesfull connection */
+ will_return(__wrap_connect, 0);
+ will_return(__wrap_ssh_connect, 0);
+ /* do not authenticate using no authentication method */
+ will_return(__wrap_ssh_userauth_none, 1);
+ will_return(__wrap_ssh_userauth_try_publickey, 0);
+ will_return(__wrap_ssh_userauth_publickey, 0);
+ will_return(__wrap_ssh_is_connected, 1);
+ will_return(__wrap_ssh_channel_open_session, 0);
+ will_return(__wrap_ssh_channel_request_subsystem, 0);
+
+ /* fake ssh function for recieving hello message */
+ will_return(__wrap_ssh_is_connected, 1);
+
+ will_return(__wrap_nc_handshake_io, 3);
+ will_return(__wrap_nc_ctx_check_and_fill, 0);
+
+ ret = ly_ctx_new(MODULES_DIR, 0, &ctx);
+ assert_int_equal(ret, 0);
+
+ ret = nc_server_config_load_modules(&ctx);
+ assert_int_equal(ret, 0);
+
+ ret = lyd_parse_data_mem(ctx, data, LYD_XML, LYD_PARSE_NO_STATE | LYD_PARSE_STRICT, LYD_VALIDATE_NO_STATE, &tree);
+ assert_int_equal(ret, 0);
+
+ ret = nc_server_config_setup(tree);
+ assert_int_equal(ret, 0);
+
+ session = nc_connect_ssh("127.0.0.1", 8080, NULL);
+ assert_non_null(session);
+
+ /* disconnect */
+ will_return(__wrap_ssh_channel_poll_timeout, 0);
+ nc_session_free(session, NULL);
}
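Review bot: In test_nc_connect_ssh_pubkey_succesfull the `ctx` and `tree` created for nc_server_config_setup are never released, and the keypair added with nc_client_ssh_add_keypair is not removed, unlike the ecdsa variant just above which ends with nc_client_ssh_del_keypair(0); the leftover keypair leaks into later tests that share the client state, and the context and tree show up as leaks under sanitizers. test_auth.c's setup_f in this same diff frees the tree after nc_server_config_setup, so the call apparently does not take ownership; after nc_session_free add `lyd_free_all(tree); ly_ctx_destroy(ctx);` and `ret = nc_client_ssh_del_keypair(0); assert_int_equal(ret, 0);`. The fixture lists port 10005 while the call connects to 8080; that is harmless here because __wrap_connect is mocked, but a short comment saying so would save the next reader a detour.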
static void
@@ -816,6 +937,7 @@
cmocka_unit_test_setup_teardown(test_nc_client_ssh_setting_username, setup_f, teardown_f),
cmocka_unit_test_setup_teardown(test_nc_connect_ssh_interactive_succesfull, setup_f, teardown_f),
cmocka_unit_test_setup_teardown(test_nc_connect_ssh_password_succesfull, setup_f, teardown_f),
+ cmocka_unit_test_setup_teardown(test_nc_connect_ssh_pubkey_ecdsa_succesfull, setup_f, teardown_f),
cmocka_unit_test_setup_teardown(test_nc_connect_ssh_pubkey_succesfull, setup_f, teardown_f),
cmocka_unit_test_setup_teardown(test_nc_connect_connection_failed, setup_f, teardown_f),
cmocka_unit_test_setup_teardown(test_nc_connect_ssh_bad_hello, setup_f, teardown_f),
diff --git a/tests/config.h.in b/tests/config.h.in
index 42a8078..cf58c40 100644
--- a/tests/config.h.in
+++ b/tests/config.h.in
@@ -19,6 +19,7 @@
#endif
#define TESTS_DIR "@CMAKE_SOURCE_DIR@/tests"
+#define MODULES_DIR "@CMAKE_SOURCE_DIR@/modules"
#define BUILD_DIR "@CMAKE_BINARY_DIR@"
@SSH_MACRO@
diff --git a/tests/pam/pam_netconf.c b/tests/pam/pam_netconf.c
index dd30fe0..835f483 100644
--- a/tests/pam/pam_netconf.c
+++ b/tests/pam/pam_netconf.c
@@ -259,7 +259,7 @@
if (r != PAM_SUCCESS) {
return r;
}
- if (!strcmp((const char *)username, "test")) {
+ if (!strcmp((const char *)username, "test_int")) {
return PAM_NEW_AUTHTOK_REQD;
}
return PAM_SYSTEM_ERR;
@@ -291,7 +291,7 @@
if (r != PAM_SUCCESS) {
return r;
}
- if (!strcmp((const char *)username, "test")) {
+ if (!strcmp((const char *)username, "test_int")) {
return PAM_SUCCESS;
} else {
return PAM_SYSTEM_ERR;
@@ -299,7 +299,7 @@
/* change the authentication token in the second call */
} else if (flags & PAM_UPDATE_AUTHTOK) {
- r = pam_set_item(pam_h, PAM_AUTHTOK, "test");
+ r = pam_set_item(pam_h, PAM_AUTHTOK, "test_int");
if (r == PAM_SUCCESS) {
printf("[TEST #6] Passed.\n\n");
} else {
diff --git a/tests/test_auth.c b/tests/test_auth.c
new file mode 100644
index 0000000..29b22b1
--- /dev/null
+++ b/tests/test_auth.c
@@ -0,0 +1,457 @@
+/**
+ * @file test_auth.c
+ * @author Roman Janota <xjanot04@fit.vutbr.cz>
+ * @brief libnetconf2 Linux PAM keyboard-interactive authentication test
+ *
+ * @copyright
+ * Copyright (c) 2022 CESNET, z.s.p.o.
+ *
+ * This source code is licensed under BSD 3-Clause License (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ */
+
+#include <errno.h>
+#include <pthread.h>
+#include <setjmp.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <cmocka.h>
+
+#include <config_server.h>
+#include <libnetconf.h>
+#include <libyang/libyang.h>
+#include <log.h>
+#include <session_client.h>
+#include <session_server.h>
+
+#include "tests/config.h"
+
+#define NC_ACCEPT_TIMEOUT 100
+#define NC_PS_POLL_TIMEOUT 100
+
+struct ly_ctx *ctx;
+
+struct test_state {
+ // bariera
+ pthread_barrier_t barrier;
+};
+
+const char *data =
+ "<netconf-server xmlns=\"urn:ietf:params:xml:ns:yang:ietf-netconf-server\" xmlns:yang=\"urn:ietf:params:xml:ns:yang:1\" yang:operation=\"none\">\n"
+ " <listen yang:operation=\"create\">\n"
+ " <idle-timeout>10</idle-timeout>\n"
+ " <endpoint>\n"
+ " <name>default-ssh</name>\n"
+ " <ssh>\n"
+ " <tcp-server-parameters>\n"
+ " <local-address>127.0.0.1</local-address>\n"
+ " <local-port>10005</local-port>\n"
+ " </tcp-server-parameters>\n"
+ " <ssh-server-parameters>\n"
+ " <server-identity>\n"
+ " <host-key>\n"
+ " <name>key</name>\n"
+ " <public-key>\n"
+ " <local-definition>\n"
+ " <public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>\n"
+ " <public-key>MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6ojtjfDmvyQP1ZkIwBpr97eKDuebvpoglRHRdvVuTpf/gU1VArAQmwGh05i6lm8TkVl1noMlIxLJDcWslaeVn6KyvsX0HhsQtXwqPqwka5UCv6alwf/ivAvcNpcX1j0t/uIGCI4dSiKnzQCyf0FTirzQkjrDZUd3meDhNQTruCalGV4gfNWIq3e1oGuwAn1tLlu9oTrE4HzMpgbNEU6wNmsSqpwGxUhYLoSaM7b0dLmqP+ZczSS0Uac0PFNkehGQ2CYIT80f580o4XGtoLCUUGkp6YCTL4Z2CeBEaJABWjDIDH+dKYIUBqUpz4Th12gXAP+h+3qI6+9eppeHrfrzARDsfLjwUNxQJse1QSArjAytf0FKtGHrORc7W0TiCFvR0zaoUNLTKk7enTiRQ9rfWZOAu44fUvPCaXDE6zXXeaVgoKCo4VHlho36erUcjlEBM+jk28IykbZGtBb6igKvYa1tPSgeYm/zJoFVjQcnr14uci/ft1+Na+hOIEoEEiKxcAPk2b2vBKNlRIW7WLJ3u7ZiuQEJTNm6+3cE4+lfwaBCBqBToE+dpzvoUXoMyFFReUFd1O5axu4fXgt00jMaOQxmE0v9OmR/pL/PWIflVF4Zz5yVONYaDVc7l+veY0oEZruEPJ0hlEgxuCzLrcMhjufl2qE2Q7fQIaav/1NqBVkCAwEAAQ==</public-key>\n"
+ " <private-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:rsa-private-key-format</private-key-format>\n"
+ " <cleartext-private-key>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</cleartext-private-key>\n"
+ " </local-definition>\n"
+ " </public-key>\n"
+ " </host-key>\n"
+ " </server-identity>\n"
+ " <client-authentication>\n"
+ " <users>\n"
+ " <user>\n"
+ " <name>test_pk</name>\n"
+ " <public-keys>\n"
+ " <local-definition>\n"
+ " <public-key>\n"
+ " <name>test</name>\n"
+ " <public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>\n"
+ " <public-key>AAAAB3NzaC1yc2EAAAADAQABAAABAQDPavVALiM7QwTIUAndO8E9GOkSDQWjuEwkzbJ3kOBPa7kkq71UOZFeecDjFb9eipkljfFys/JYHGQaYVF8/svT0KV5h7HlutRdF6yvqSEbjpbTORb27pdHX3iFEyDCwCIoq9vMeX+wyXnteyn01GpIL0ig0WAnvkqX/SPjuplX5ZItUSr0MhXM7fNSX50BD6G8IO0/djUcdMUcjTjGv73SxB9ZzLvxnhXuUJbzEJJJLj6qajyEIVaJSa73vA33JCD8qzarrsuITojVLPDFmeHwSAoB5dP86yop6e6ypuXzKxxef6yNXcE8oTj8UFYBIXsgIP2nBvWk41EaK0Vk3YFl</public-key>\n"
+ " </public-key>\n"
+ " </local-definition>\n"
+ " </public-keys>\n"
+ " </user>\n"
+ " <user>\n"
+ " <name>test_int</name>\n"
+ " <keyboard-interactive xmlns=\"urn:cesnet:libnetconf2-netconf-server\">\n"
+ " <pam-config-file-name>netconf.conf</pam-config-file-name>\n"
+ " <pam-config-file-dir>" BUILD_DIR "/tests</pam-config-file-dir>\n"
+ " </keyboard-interactive>\n"
+ " </user>\n"
+ " <user>\n"
+ " <name>test_pw</name>\n"
+ " <password>$6$xyz$lomVe5tZ2Gz9uSKKywzXuPcHhqjIByhBbqdUTx/jAwUnw7JRp7QHd4ORiEVqxeZg1NEJkHux.mETo9BFPSh1x.</password>\n"
+ " </user>\n"
+ " <user>\n"
+ " <name>test_none</name>\n"
+ " <none/>\n"
+ " </user>\n"
+ " </users>\n"
+ " </client-authentication>\n"
+ " <transport-params>\n"
+ " <host-key>\n"
+ " <host-key-alg xmlns:sshpka=\"urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs\">sshpka:rsa-sha2-512</host-key-alg>\n"
+ " </host-key>\n"
+ " <key-exchange>\n"
+ " <key-exchange-alg xmlns:sshkea=\"urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs\">sshkea:curve25519-sha256</key-exchange-alg>\n"
+ " </key-exchange>\n"
+ " <encryption>\n"
+ " <encryption-alg xmlns:sshea=\"urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs\">sshea:aes256-ctr</encryption-alg>\n"
+ " </encryption>\n"
+ " <mac>\n"
+ " <mac-alg xmlns:sshma=\"urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs\">sshma:hmac-sha2-512</mac-alg>\n"
+ " </mac>\n"
+ " </transport-params>\n"
+ " </ssh-server-parameters>\n"
+ " </ssh>\n"
+ " </endpoint>\n"
+ " </listen>\n"
+ "</netconf-server>\n";
+
+static void *
+server_thread(void *arg)
+{
+ int ret;
+ NC_MSG_TYPE msgtype;
+ struct nc_session *session;
+ struct nc_pollsession *ps;
+ struct test_state *state = arg;
+
+ (void) arg;
+
+ ps = nc_ps_new();
+ assert_non_null(ps);
+
+ /* accept a session and add it to the poll session structure */
+ pthread_barrier_wait(&state->barrier);
+ msgtype = nc_accept(NC_ACCEPT_TIMEOUT, ctx, &session);
+ assert_int_equal(msgtype, NC_MSG_HELLO);
+
+ ret = nc_ps_add_session(ps, session);
+ assert_int_equal(ret, 0);
+
+ do {
+ ret = nc_ps_poll(ps, NC_PS_POLL_TIMEOUT, NULL);
+ assert_int_equal(ret & NC_PSPOLL_RPC, NC_PSPOLL_RPC);
+ } while (!(ret & NC_PSPOLL_SESSION_TERM));
+
+ nc_ps_clear(ps, 1, NULL);
+ nc_ps_free(ps);
+ nc_thread_destroy();
+ return NULL;
+}
+
+static int
+ssh_hostkey_check_clb(const char *hostname, ssh_session session, void *priv)
+{
+ (void)hostname;
+ (void)session;
+ (void)priv;
+ /* skip the knownhost check */
+
+ return 0;
+}
+
+static char *
+auth_interactive(const char *auth_name, const char *instruction, const char *prompt, int echo, void *priv)
+{
+ (void) instruction;
+ (void) echo;
+ (void) auth_name;
+ (void) priv;
+
+ /* send the replies to keyboard-interactive authentication */
+ if (strstr(prompt, "backwards")) {
+ return strdup("tni_tset");
+ } else if (strstr(prompt, "1+1")) {
+ return strdup("2");
+ } else {
+ return NULL;
+ }
+}
+
+static void *
+client_thread_interactive(void *arg)
+{
+ int ret;
+ struct nc_session *session = NULL;
+ struct test_state *state = arg;
+
+ ret = nc_client_set_schema_searchpath(MODULES_DIR);
+ assert_int_equal(ret, 0);
+
+ ret = nc_client_ssh_set_username("test_int");
+ assert_int_equal(ret, 0);
+
+ /* set keyboard-interactive authentication callback */
+ nc_client_ssh_set_auth_interactive_clb(auth_interactive, NULL);
+
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_PUBLICKEY, -1);
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_PASSWORD, -1);
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_INTERACTIVE, 1);
+
+ pthread_barrier_wait(&state->barrier);
+ session = nc_connect_ssh("127.0.0.1", 10005, NULL);
+ assert_non_null(session);
+
+ nc_session_free(session, NULL);
+ nc_thread_destroy();
+ return NULL;
+}
+
+static void
+test_nc_auth_interactive(void **state)
+{
+ int ret, i;
+ pthread_t tids[2];
+
+ assert_non_null(state);
+
+ ret = pthread_create(&tids[0], NULL, client_thread_interactive, *state);
+ assert_int_equal(ret, 0);
+ ret = pthread_create(&tids[1], NULL, server_thread, *state);
+ assert_int_equal(ret, 0);
+
+ for (i = 0; i < 2; i++) {
+ pthread_join(tids[i], NULL);
+ }
+}
+
+static char *
+auth_password(const char *username, const char *hostname, void *priv)
+{
+ (void) hostname;
+ (void) priv;
+
+ /* send the replies to keyboard-interactive authentication */
+ if (!strcmp(username, "test_pw")) {
+ return strdup("testpw");
+ } else {
+ return NULL;
+ }
+}
+
+static void *
+client_thread_password(void *arg)
+{
+ int ret;
+ struct nc_session *session = NULL;
+ struct test_state *state = arg;
+
+ ret = nc_client_set_schema_searchpath(MODULES_DIR);
+ assert_int_equal(ret, 0);
+
+ ret = nc_client_ssh_set_username("test_pw");
+ assert_int_equal(ret, 0);
+
+ nc_client_ssh_set_auth_password_clb(auth_password, NULL);
+
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_PUBLICKEY, -1);
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_PASSWORD, 1);
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_INTERACTIVE, -1);
+
+ pthread_barrier_wait(&state->barrier);
+ session = nc_connect_ssh("127.0.0.1", 10005, NULL);
+ assert_non_null(session);
+
+ nc_session_free(session, NULL);
+ nc_thread_destroy();
+ return NULL;
+}
+
+static void
+test_nc_auth_password(void **state)
+{
+ int ret, i;
+ pthread_t tids[2];
+
+ assert_non_null(state);
+
+ ret = pthread_create(&tids[0], NULL, client_thread_password, *state);
+ assert_int_equal(ret, 0);
+ ret = pthread_create(&tids[1], NULL, server_thread, *state);
+ assert_int_equal(ret, 0);
+
+ for (i = 0; i < 2; i++) {
+ pthread_join(tids[i], NULL);
+ }
+}
+
+static void *
+client_thread_pubkey(void *arg)
+{
+ int ret;
+ struct nc_session *session = NULL;
+ struct test_state *state = arg;
+
+ ret = nc_client_set_schema_searchpath(MODULES_DIR);
+ assert_int_equal(ret, 0);
+
+ ret = nc_client_ssh_set_username("test_pk");
+ assert_int_equal(ret, 0);
+
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_PUBLICKEY, 1);
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_PASSWORD, -1);
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_INTERACTIVE, -1);
+
+ ret = nc_client_ssh_add_keypair(TESTS_DIR "/data/key_rsa.pub", TESTS_DIR "/data/key_rsa");
+ assert_int_equal(ret, 0);
+
+ pthread_barrier_wait(&state->barrier);
+ session = nc_connect_ssh("127.0.0.1", 10005, NULL);
+ assert_non_null(session);
+
+ nc_session_free(session, NULL);
+ nc_thread_destroy();
+ return NULL;
+}
+
+static void
+test_nc_auth_pubkey(void **state)
+{
+ int ret, i;
+ pthread_t tids[2];
+
+ assert_non_null(state);
+
+ ret = pthread_create(&tids[0], NULL, client_thread_pubkey, *state);
+ assert_int_equal(ret, 0);
+ ret = pthread_create(&tids[1], NULL, server_thread, *state);
+ assert_int_equal(ret, 0);
+
+ for (i = 0; i < 2; i++) {
+ pthread_join(tids[i], NULL);
+ }
+}
+
+static void *
+client_thread_none(void *arg)
+{
+ int ret;
+ struct nc_session *session = NULL;
+ struct test_state *state = arg;
+
+ ret = nc_client_set_schema_searchpath(MODULES_DIR);
+ assert_int_equal(ret, 0);
+
+ ret = nc_client_ssh_set_username("test_none");
+ assert_int_equal(ret, 0);
+
+ pthread_barrier_wait(&state->barrier);
+ session = nc_connect_ssh("127.0.0.1", 10005, NULL);
+ assert_non_null(session);
+
+ nc_session_free(session, NULL);
+ nc_thread_destroy();
+ return NULL;
+}
+
+static void
+test_nc_auth_none(void **state)
+{
+ int ret, i;
+ pthread_t tids[2];
+
+ assert_non_null(state);
+
+ ret = pthread_create(&tids[0], NULL, client_thread_none, *state);
+ assert_int_equal(ret, 0);
+ ret = pthread_create(&tids[1], NULL, server_thread, *state);
+ assert_int_equal(ret, 0);
+
+ for (i = 0; i < 2; i++) {
+ pthread_join(tids[i], NULL);
+ }
+}
+
+static int
+setup_f(void **state)
+{
+ int ret;
+ struct lyd_node *tree;
+ struct test_state *test_state;
+
+ nc_verbosity(NC_VERB_VERBOSE);
+
+ /* init barrier */
+ test_state = malloc(sizeof *test_state);
+ assert_non_null(test_state);
+
+ ret = pthread_barrier_init(&test_state->barrier, NULL, 2);
+ assert_int_equal(ret, 0);
+
+ *state = test_state;
+
+ ret = ly_ctx_new(MODULES_DIR, 0, &ctx);
+ assert_int_equal(ret, 0);
+
+ ret = nc_server_init_ctx(&ctx);
+ assert_int_equal(ret, 0);
+
+ ret = nc_server_config_load_modules(&ctx);
+ assert_int_equal(ret, 0);
+
+ /* parse yang data */
+ ret = lyd_parse_data_mem(ctx, data, LYD_XML, LYD_PARSE_NO_STATE | LYD_PARSE_STRICT, LYD_VALIDATE_NO_STATE, &tree);
+ assert_int_equal(ret, 0);
+
+ /* configure the server based on the data */
+ ret = nc_server_config_setup(tree);
+ assert_int_equal(ret, 0);
+
+ /* initialize client */
+ nc_client_init();
+
+ ret = nc_server_init();
+ assert_int_equal(ret, 0);
+
+ /* skip the knownhost check */
+ nc_client_ssh_set_auth_hostkey_check_clb(ssh_hostkey_check_clb, NULL);
+
+ lyd_free_all(tree);
+
+ return 0;
+}
+
+static int
+teardown_f(void **state)
+{
+ int ret = 0;
+ struct test_state *test_state;
+
+ assert_non_null(state);
+ test_state = *state;
+
+ ret = pthread_barrier_destroy(&test_state->barrier);
+ assert_int_equal(ret, 0);
+
+ free(*state);
+ nc_client_destroy();
+ nc_server_destroy();
+ ly_ctx_destroy(ctx);
+
+ return 0;
+}
+
+int
+main(void)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_nc_auth_interactive, setup_f, teardown_f),
+ cmocka_unit_test_setup_teardown(test_nc_auth_pubkey, setup_f, teardown_f),
+ cmocka_unit_test_setup_teardown(test_nc_auth_password, setup_f, teardown_f),
+ cmocka_unit_test_setup_teardown(test_nc_auth_none, setup_f, teardown_f)
+ };
+
+ setenv("CMOCKA_TEST_ABORT", "1", 1);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
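Review bot: The do-while in server_thread asserts `ret & NC_PSPOLL_RPC` on every nc_ps_poll return, including the iteration that reports NC_PSPOLL_SESSION_TERM; if the library reports termination (or a timeout at the 100 ms NC_PS_POLL_TIMEOUT) in a poll that carries no RPC flag, the assertion aborts the test instead of ending the loop, which I cannot rule out from this file alone. A check that accepts either outcome, `assert_true(ret & (NC_PSPOLL_RPC | NC_PSPOLL_SESSION_TERM));`, keeps the intent without depending on both flags arriving in the same poll. Smaller things in the same hunk: `(void) arg;` in server_thread is redundant once `state = arg` is used; the comment above auth_password was copied from auth_interactive and should read `/* supply the password for the test_pw user */`; the `// bariera` field comment should be English (`// client/server rendezvous before connect/accept`); and `ctx` and `data` are file-scope globals that should be `static`.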
diff --git a/tests/test_nc3.c b/tests/test_nc3.c
new file mode 100644
index 0000000..f74ab25
--- /dev/null
+++ b/tests/test_nc3.c
@@ -0,0 +1,243 @@
+/**
+ * @file test_pam.c
+ * @author Roman Janota <xjanot04@fit.vutbr.cz>
+ * @brief libnetconf2 Linux PAM keyboard-interactive authentication test
+ *
+ * @copyright
+ * Copyright (c) 2022 CESNET, z.s.p.o.
+ *
+ * This source code is licensed under BSD 3-Clause License (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ */
+
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <libyang/libyang.h>
+#include <log.h>
+#include <session_client.h>
+#include <session_server.h>
+#include "config_server.h"
+
+#include "tests/config.h"
+
+#define nc_assert(cond) if (!(cond)) { fprintf(stderr, "assert failed (%s:%d)\n", __FILE__, __LINE__); abort(); }
+
+#define NC_ACCEPT_TIMEOUT 5000
+#define NC_PS_POLL_TIMEOUT 5000
+
+const char *data =
+ "<netconf-server xmlns=\"urn:ietf:params:xml:ns:yang:ietf-netconf-server\" xmlns:yang=\"urn:ietf:params:xml:ns:yang:1\" yang:operation=\"none\">"
+ "<listen yang:operation=\"create\">"
+ "<idle-timeout>10</idle-timeout>"
+ "<endpoint>"
+ "<name>default-ssh</name>"
+ "<ssh>"
+ "<tcp-server-parameters>"
+ "<local-address>127.0.0.1</local-address>"
+ "<local-port>10005</local-port>"
+ "</tcp-server-parameters>"
+ "<ssh-server-parameters>"
+ "<server-identity>"
+ "<host-key>"
+ "<name>key</name>"
+ "<public-key>"
+ "<local-definition>"
+ "<public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>"
+ "<public-key>MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6ojtjfDmvyQP1ZkIwBpr"
+ "97eKDuebvpoglRHRdvVuTpf/gU1VArAQmwGh05i6lm8TkVl1noMlIxLJDcWslaeV"
+ "n6KyvsX0HhsQtXwqPqwka5UCv6alwf/ivAvcNpcX1j0t/uIGCI4dSiKnzQCyf0FT"
+ "irzQkjrDZUd3meDhNQTruCalGV4gfNWIq3e1oGuwAn1tLlu9oTrE4HzMpgbNEU6w"
+ "NmsSqpwGxUhYLoSaM7b0dLmqP+ZczSS0Uac0PFNkehGQ2CYIT80f580o4XGtoLCU"
+ "UGkp6YCTL4Z2CeBEaJABWjDIDH+dKYIUBqUpz4Th12gXAP+h+3qI6+9eppeHrfrz"
+ "ARDsfLjwUNxQJse1QSArjAytf0FKtGHrORc7W0TiCFvR0zaoUNLTKk7enTiRQ9rf"
+ "WZOAu44fUvPCaXDE6zXXeaVgoKCo4VHlho36erUcjlEBM+jk28IykbZGtBb6igKv"
+ "Ya1tPSgeYm/zJoFVjQcnr14uci/ft1+Na+hOIEoEEiKxcAPk2b2vBKNlRIW7WLJ3"
+ "u7ZiuQEJTNm6+3cE4+lfwaBCBqBToE+dpzvoUXoMyFFReUFd1O5axu4fXgt00jMa"
+ "OQxmE0v9OmR/pL/PWIflVF4Zz5yVONYaDVc7l+veY0oEZruEPJ0hlEgxuCzLrcMh"
+ "jufl2qE2Q7fQIaav/1NqBVkCAwEAAQ==</public-key>"
+ "<private-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:rsa-private-key-format</private-key-format>"
+ "<cleartext-private-key>MIIJKAIBAAKCAgEA6ojtjfDmvyQP1ZkIwBpr97eKDuebvpoglRHRdvVuTpf/gU1V"
+ "ArAQmwGh05i6lm8TkVl1noMlIxLJDcWslaeVn6KyvsX0HhsQtXwqPqwka5UCv6al"
+ "wf/ivAvcNpcX1j0t/uIGCI4dSiKnzQCyf0FTirzQkjrDZUd3meDhNQTruCalGV4g"
+ "fNWIq3e1oGuwAn1tLlu9oTrE4HzMpgbNEU6wNmsSqpwGxUhYLoSaM7b0dLmqP+Zc"
+ "zSS0Uac0PFNkehGQ2CYIT80f580o4XGtoLCUUGkp6YCTL4Z2CeBEaJABWjDIDH+d"
+ "KYIUBqUpz4Th12gXAP+h+3qI6+9eppeHrfrzARDsfLjwUNxQJse1QSArjAytf0FK"
+ "tGHrORc7W0TiCFvR0zaoUNLTKk7enTiRQ9rfWZOAu44fUvPCaXDE6zXXeaVgoKCo"
+ "4VHlho36erUcjlEBM+jk28IykbZGtBb6igKvYa1tPSgeYm/zJoFVjQcnr14uci/f"
+ "t1+Na+hOIEoEEiKxcAPk2b2vBKNlRIW7WLJ3u7ZiuQEJTNm6+3cE4+lfwaBCBqBT"
+ "oE+dpzvoUXoMyFFReUFd1O5axu4fXgt00jMaOQxmE0v9OmR/pL/PWIflVF4Zz5yV"
+ "ONYaDVc7l+veY0oEZruEPJ0hlEgxuCzLrcMhjufl2qE2Q7fQIaav/1NqBVkCAwEA"
+ "AQKCAgAeRZw75Oszoqj0jfMmMILdD3Cfad+dY3FvLESYESeyt0XAX8XoOed6ymQj"
+ "1qPGxQGGkkBvPEgv1b3jrC8Rhfb3Ct39Z7mRpTar5iHhwwBUboBTUmQ0vR173iAH"
+ "X8sw2Oa17mCO/CDlr8Fu4Xcom7r3vlVBepo72VSjpPYMjN0MANjwhEi3NCyWzTXB"
+ "RgUK3TuZbzfzto0w2Irlpx0S7dAqxfk70jXBgwv2vSDWKfg1lL1X0BkMVX98xpMk"
+ "cjMW2muSqp4KBtTma4GqT6z0f7Y1Bs3lGLZmvPlBXxQVVvkFtiQsENCtSd/h17Gk"
+ "2mb4EbReaaBzwCYqJdRWtlpJ54kzy8U00co+Yn//ZS7sbbIDkqHPnXkpdIr+0rED"
+ "MlOw2Y3vRZCxqZFqfWCW0uzhwKqk2VoYqtDL+ORKG/aG/KTBQ4Y71Uh+7aabPwj5"
+ "R+NaVMjbqmrVeH70eKjoNVgcNYY1C9rGVF1d+LQEm7UsqS0DPp4wN9QKLAqIfuar"
+ "AhQBhZy1R7Sj1r5macD9DsGxsurM4mHZV0LNmYLZiFHjTUb6iRSPD5RBFW80vcNt"
+ "xZ0cxmkLtxrj/DVyExV11Cl0SbZLLa9mScYvxdl/qZutXt3PQyab0NiYxGzCD2Rn"
+ "LkCyxkh1vuHHjhvIWYfbd2VgZB/qGr+o9T07FGfMCu23//fugQKCAQEA9UH38glH"
+ "/rAjZ431sv6ryUEFY8I2FyLTijtvoj9CNGcQn8vJQAHvUPfMdyqDoum6wgcTmG+U"
+ "XA6mZzpGQCiY8JW5CoItgXRoYgNzpvVVe2aLf51QGtNLLEFpNDMpCtI+I+COpAmG"
+ "vWAukku0pZfRjm9eb1ydvTpHlFC9+VhVUsLzw3VtSC5PVW6r65mZcYcB6SFVPap+"
+ "31ENP/9jOMFoymh57lSMZJMxTEA5b0l2miFb9Rp906Zqiud5zv2jIqF6gL70giW3"
+ "ovVxR7LGKKTKIa9pxawHwB6Ithygs7YoJkjF2dm8pZTMZKsQN92K70XGj07SmYRL"
+ "ZpkVD7i+cqbbKQKCAQEA9M6580Rcw6W0twfcy0/iB4U5ZS52EcCjW8vHlL+MpUo7"
+ "YvXadSgV1ZaM28zW/ZGk3wE0zy1YT5s30SQkm0NiWN3t/J0l19ccAOxlPWfjhF7v"
+ "IQZr7XMo5HeaK0Ak5+68J6bx6KgcXmlJOup7INaE8DyGXB6vd4K6957IXyqs3/bf"
+ "JAUmz49hnveCfLFdTVVT/Uq4IoPKfQSbSZc0BvPBsnBCF164l4jllGBaWS302dhg"
+ "W4cgxzG0SZGgNwow4AhB+ygiiS8yvOa7UcHfUObVrzWeeq9mYSQ1PkvUTjkWR2/Y"
+ "8xy7WP0TRBdJOVSs90H51lerEDGNQWvQvI97S9ZOsQKCAQB59u9lpuXtqwxAQCFy"
+ "fSFSuQoEHR2nDcOjF4GhbtHum15yCPaw5QVs/33nuPWze4ZLXReKk9p0mTh5V0p+"
+ "N3IvGlXl+uzEVu5d55eI7LIw5sLymHmwjWjxvimiMtrzLbCHSPHGc5JU9NLUH9/b"
+ "BY/JxGpy+NzcsHHOOQTwTdRIjviIOAo7fgQn2RyX0k+zXE8/7zqjqvji9zyemdNu"
+ "8we4uJICSntyvJwkbj/hrufTKEnBrwXpzfVn1EsH+6w32ZPBGLUhT75txJ8r56SR"
+ "q7l1XPU9vxovmT+lSMFF/Y0j1MbHWnds5H1shoFPNtYTvWBL/gfPHjIc+H23zsiu"
+ "3XlZAoIBAC2xB/Pnpoi9vOUMiqFH36AXtYa1DURy+AqCFlYlClMvb7YgvQ1w1eJv"
+ "nwrHSLk7HdKhnwGsLPduuRRH8q0n/osnoOutSQroE0n41UyIv2ZNccRwNmSzQcai"
+ "rBu2dSz02hlsh2otNl5IuGpOqXyPjXBpW4qGD6n2tH7THALnLC0BHtTSQVQsJsRM"
+ "3gX39LoiWvLDp2qJvplm6rTpi8Rgap6rZSqHe1yNKIxxD2vlr/WY9SMgLXYASO4S"
+ "SBz9wfGOmQIPk6KXNJkdV4kC7nNjIi75iwLLCgjHgUiHTrDq5sWekpeNnUoWsinb"
+ "Tsdsjnv3zHG9GyiClyLGxMbs4M5eyYECggEBAKuC8ZMpdIrjk6tERYB6g0LnQ7mW"
+ "8XYbDFAmLYMLs9yfG2jcjVbsW9Kugsr+3poUUv/q+hNO3jfY4HazhZDa0MalgNPo"
+ "Swr/VNRnkck40x2ovFb989J7yl++zTrnIrax9XRH1V0cNu+Kj7OMwZ2RRfbNv5JB"
+ "dOZPvkfqyIKFmbQgYbtD66rHuzNOfJpzqr/WVLO57/zzW8245NKG2B6B0oXkei/K"
+ "qDY0DAbHR3i3EOj1NPtVI1FC/xX8R9BREaid458bqoHJKuInrGcBjaUI9Cvymv8T"
+ "bstUgD6NPbJR4Sm6vrLeUqzjWZP3t1+Z6DjXmnpR2vvhMU/FWb//21p/88o=</cleartext-private-key>"
+ "</local-definition>"
+ "</public-key>"
+ "</host-key>"
+ "</server-identity>"
+ "<client-authentication>"
+ "<users>"
+ "<user>"
+ "<name>test</name>"
+ "<public-keys>"
+ "<local-definition>"
+ "<public-key>"
+ "<name>client</name>"
+ "<public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>"
+ "<public-key>MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvpKj6gy/Rm1pqlUIaeKp"
+ "WuL2KOJBbodhxuPG+0S6f+Jf4LopOB76tmg1RQ/bAXLNxXkG46Cx9UOHaFK/Ixul"
+ "cCbH6LxOUg90/HVS7NnbaVtDsl03HG9CPZTlQzM+n+iFAXv5ub5PFzW3VCCNDSfM"
+ "tXUOdVR93u/OAc7uz0nWjGhWnOH5MPJCQPS8ZFpL9hQxQuyAXFY0YLW/9eRMDgx/"
+ "OPTuvlTxIF+YHaMzY+Wy+Oaygwb78dCow+3RQRgCB20o5o6exx2nX2Cqr7UJzG/N"
+ "30XCusKIcTT978td8AU7UjpbzoNehm/tmQdDq+8IDsNfWbxCHDYLMD8IR32UDXGD"
+ "DVSwrtNgUs8HWNNCBKjTNCeQf1v/yiRd7hRf2aj+w9sDu8PI+VC9pabsRe2KxnnD"
+ "U9Sq+4IB3ZM3C5XpJDbu8DVigGZSevim7p/D6mW2phlyxtlK9WmQ5Misg/Z8jM7E"
+ "Z3gJcTvh20IS6I4plG7DJvsIC/Pc3IS2JC/w0prCZa8gOKob8x2mjjQcOA1eVIUm"
+ "yw6WbV1X65/jAJvIS6an/oFAk4bBTfJA6fYfU4Pb9NWovYxm/eNR5BbRmFFh0uXa"
+ "0s92S50iOotf8CnW7PZ7PWKgzKqtnN9Ob+Ye7WjDdG+NCrhkiDBOCuHDrHXwqaxW"
+ "BmUICo2mnUMK7JuJNSZe5DMCAwEAAQ==</public-key>"
+ "</public-key>"
+ "</local-definition>"
+ "</public-keys>"
+ "<none/>"
+ "</user>"
+ "</users>"
+ "</client-authentication>"
+ "<transport-params>"
+ "<host-key>"
+ "<host-key-alg xmlns:sshpka=\"urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs\">sshpka:ssh-rsa</host-key-alg>"
+ "<host-key-alg xmlns:sshpka=\"urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs\">sshpka:rsa-sha2-512</host-key-alg>"
+ "</host-key>"
+ "<key-exchange>"
+ "<key-exchange-alg xmlns:sshkea=\"urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs\">sshkea:diffie-hellman-group18-sha512</key-exchange-alg>"
+ "</key-exchange>"
+ "<encryption>"
+ "<encryption-alg xmlns:sshea=\"urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs\">sshea:aes256-cbc</encryption-alg>"
+ "</encryption>"
+ "<mac>"
+ "<mac-alg xmlns:sshma=\"urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs\">sshma:hmac-sha1</mac-alg>"
+ "</mac>"
+ "</transport-params>"
+ "</ssh-server-parameters>"
+ "</ssh>"
+ "</endpoint>"
+ "</listen>"
+ "</netconf-server>";
+
+static int
+setup(struct ly_ctx *ctx)
+{
+ int i;
+ const char *all_features[] = {"*", NULL};
+ /* no ssh-x509-certs */
+ const char *ssh_common_features[] = {"transport-params", "public-key-generation", NULL};
+ /* no ssh-server-keepalives and local-user-auth-hostbased */
+ const char *ssh_server_features[] = {"local-users-supported", "local-user-auth-publickey", "local-user-auth-password", "local-user-auth-none", NULL};
+ /* no private-key-encryption and csr-generation */
+ const char *crypto_types_features[] = {
+ "one-symmetric-key-format", "one-asymmetric-key-format", "symmetrically-encrypted-value-format",
+ "asymmetrically-encrypted-value-format", "cms-enveloped-data-format", "cms-encrypted-data-format",
+ "p10-based-csrs", "certificate-expiration-notification", "hidden-keys", "password-encryption",
+ "symmetric-key-encryption", NULL
+ };
+
+ const char *module_names[] = {
+ "ietf-netconf-server", "ietf-tls-common", "ietf-tls-server", "ietf-truststore", "iana-crypt-hash", "ietf-keystore",
+ "ietf-tcp-server", "ietf-tcp-common", "ietf-tcp-client", "iana-ssh-public-key-algs",
+ "iana-ssh-key-exchange-algs", "iana-ssh-encryption-algs", "iana-ssh-mac-algs", NULL
+ };
+
+ for (i = 0; module_names[i] != NULL; i++) {
+ if (!ly_ctx_load_module(ctx, module_names[i], NULL, all_features)) {
+ fprintf(stderr, "Loading module (%s) failed.\n", module_names[i]);
+ goto error;
+ }
+ }
+
+ if (!ly_ctx_load_module(ctx, "ietf-ssh-common", NULL, ssh_common_features)) {
+ fprintf(stderr, "Loading module (ietf-ssh-common) failed.\n");
+ goto error;
+ }
+ if (!ly_ctx_load_module(ctx, "ietf-ssh-server", NULL, ssh_server_features)) {
+ fprintf(stderr, "Loading module (ietf-ssh-server) failed.\n");
+ goto error;
+ }
+ if (!ly_ctx_load_module(ctx, "ietf-crypto-types", NULL, crypto_types_features)) {
+ fprintf(stderr, "Loading module (ietf-crypto-types) failed.\n");
+ goto error;
+ }
+
+ return 0;
+
+error:
+ return 1;
+}
+
+int
+main(void)
+{
+ int ret;
+ struct ly_ctx *ctx;
+ struct lyd_node *tree;
+
+ nc_verbosity(NC_VERB_VERBOSE);
+
+ ret = ly_ctx_new("/home/roman/Downloads/yang", 0, &ctx);
+ nc_assert(!ret);
+
+ ret = setup(ctx);
+ nc_assert(!ret);
+
+ ret = lyd_parse_data_mem(ctx, data, LYD_XML, LYD_PARSE_NO_STATE | LYD_PARSE_STRICT, LYD_VALIDATE_NO_STATE, &tree);
+ nc_assert(!ret);
+
+ ret = nc_server_config_setup(tree);
+ nc_assert(!ret);
+
+ nc_server_init();
+
+ nc_server_destroy();
+ lyd_free_all(tree);
+ ly_ctx_destroy(ctx);
+ return 0;
+}
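Review bot: main() passes the developer-local path `/home/roman/Downloads/yang` to ly_ctx_new, so this test, which the tests/CMakeLists.txt change registers as the only unconditional test, fails on any other machine; use the `MODULES_DIR` macro this commit adds to tests/config.h.in (already reachable via the "tests/config.h" include): `ret = ly_ctx_new(MODULES_DIR, 0, &ctx);`. The hand-written setup() appears to duplicate what nc_server_config_load_modules does for the same fixture in test_auth.c's setup_f, and the return value of nc_server_init() is unchecked; `nc_assert(!nc_server_init());` would be consistent with the surrounding calls. The file header still says `@file test_pam.c` and describes a PAM keyboard-interactive test; it should name test_nc3.c and say what this file exercises (parsing the YANG data and configuring the server from it).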
diff --git a/tests/test_pam.c b/tests/test_pam.c
deleted file mode 100644
index 8fce478..0000000
--- a/tests/test_pam.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/**
- * @file test_pam.c
- * @author Roman Janota <xjanot04@fit.vutbr.cz>
- * @brief libnetconf2 Linux PAM keyboard-interactive authentication test
- *
- * @copyright
- * Copyright (c) 2022 CESNET, z.s.p.o.
- *
- * This source code is licensed under BSD 3-Clause License (the "License").
- * You may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://opensource.org/licenses/BSD-3-Clause
- */
-
-#define _GNU_SOURCE
-
-#include <pthread.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <libyang/libyang.h>
-#include <log.h>
-#include <session_client.h>
-#include <session_server.h>
-
-#include "tests/config.h"
-
-#define nc_assert(cond) if (!(cond)) { fprintf(stderr, "assert failed (%s:%d)\n", __FILE__, __LINE__); abort(); }
-
-#define NC_ACCEPT_TIMEOUT 5000
-#define NC_PS_POLL_TIMEOUT 5000
-
-struct ly_ctx *ctx;
-
-static void *
-server_thread(void *arg)
-{
- int ret;
- NC_MSG_TYPE msgtype;
- struct nc_session *session;
- struct nc_pollsession *ps;
-
- (void) arg;
- ps = nc_ps_new();
- nc_assert(ps);
-
- /* accept a session and add it to the poll session structure */
- msgtype = nc_accept(NC_ACCEPT_TIMEOUT, ctx, &session);
- nc_assert(msgtype == NC_MSG_HELLO);
- ret = nc_ps_add_session(ps, session);
- nc_assert(!ret);
- ret = nc_ps_poll(ps, NC_PS_POLL_TIMEOUT, NULL);
- nc_assert(ret & NC_PSPOLL_RPC);
- ret = nc_ps_poll(ps, NC_PS_POLL_TIMEOUT, NULL);
- nc_assert(ret & NC_PSPOLL_RPC);
- nc_ps_clear(ps, 1, NULL);
-
- nc_ps_free(ps);
- nc_thread_destroy();
- return NULL;
-}
-
-static int
-clb_hostkeys(const char *name, void *user_data, char **privkey_path, char **privkey_data,
- NC_SSH_KEY_TYPE *privkey_type)
-{
- (void) user_data;
- (void) privkey_data;
- (void) privkey_type;
-
- /* set the path to the testing private keys */
- if (!strcmp(name, "key_rsa")) {
- *privkey_path = strdup(TESTS_DIR "/data/key_rsa");
- return 0;
- } else if (!strcmp(name, "key_dsa")) {
- *privkey_path = strdup(TESTS_DIR "/data/key_dsa");
- return 0;
- }
-
- return 1;
-}
-
-static char *
-auth_interactive(const char *auth_name, const char *instruction, const char *prompt, int echo, void *priv)
-{
- (void) instruction;
- (void) echo;
- (void) auth_name;
- (void) priv;
-
- /* send the replies to keyboard-interactive authentication */
- if (strstr(prompt, "backwards")) {
- return strdup("tset");
- } else if (strstr(prompt, "1+1")) {
- return strdup("2");
- } else {
- return NULL;
- }
-}
-
-static int
-ssh_hostkey_check_clb(const char *hostname, ssh_session session, void *priv)
-{
- (void)hostname;
- (void)session;
- (void)priv;
- /* redundant in this test, nonetheless this callback has to be set */
-
- return 0;
-}
-
-static void *
-client_thread(void *arg)
-{
- (void) arg;
- int ret;
- struct nc_session *session = NULL;
-
- printf("SSH client started.\n");
-
- /* initialize client */
- nc_client_init();
- ret = nc_client_set_schema_searchpath(TESTS_DIR "/data/modules");
- nc_assert(!ret);
- /* skip the knownhost check */
- nc_client_ssh_set_auth_hostkey_check_clb(ssh_hostkey_check_clb, NULL);
-
- ret = nc_client_ssh_set_username("test");
- nc_assert(!ret);
-
- /* set keyboard-interactive authentication callback */
- nc_client_ssh_set_auth_interactive_clb(auth_interactive, NULL);
- session = nc_connect_ssh("0.0.0.0", 6002, NULL);
- nc_assert(session);
-
- printf("SSH client finished.\n");
- nc_client_destroy();
-
- nc_session_free(session, NULL);
- nc_thread_destroy();
- return NULL;
-}
-
-int
-main(void)
-{
- int ret, i;
- pthread_t tids[2];
-
- ly_ctx_new(TESTS_DIR "/data/modules", 0, &ctx);
- nc_assert(ctx);
- ly_ctx_load_module(ctx, "ietf-netconf", NULL, NULL);
-
- nc_verbosity(NC_VERB_VERBOSE);
- nc_server_init();
-
- /* set callback */
- nc_server_ssh_set_hostkey_clb(clb_hostkeys, NULL, NULL);
-
- /* do first, so that client can connect on SSH */
- ret = nc_server_add_endpt("main_ssh", NC_TI_LIBSSH);
- nc_assert(!ret);
- ret = nc_server_endpt_set_address("main_ssh", "0.0.0.0");
- nc_assert(!ret);
- ret = nc_server_endpt_set_port("main_ssh", 6002);
- nc_assert(!ret);
- ret = nc_server_ssh_endpt_add_hostkey("main_ssh", "key_rsa", -1);
- nc_assert(!ret);
-
- /* in order to use the Linux PAM keyboard-interactive method,
- * the PAM module has to know where to find the desired configuration file */
- ret = nc_server_ssh_set_pam_conf_path("netconf.conf", BUILD_DIR "/tests");
- nc_assert(!ret);
-
- /* only want to test keyboard-interactive auth method */
- ret = nc_server_ssh_endpt_set_auth_methods("main_ssh", NC_SSH_AUTH_INTERACTIVE);
- nc_assert(!ret);
-
- ret = pthread_create(&tids[0], NULL, client_thread, NULL);
- nc_assert(!ret);
- ret = pthread_create(&tids[1], NULL, server_thread, NULL);
- nc_assert(!ret);
-
- for (i = 0; i < 2; i++) {
- pthread_join(tids[i], NULL);
- }
-
- nc_server_destroy();
- ly_ctx_destroy(ctx);
- return 0;
-}
diff --git a/tests/test_two_channels.c b/tests/test_two_channels.c
new file mode 100644
index 0000000..37ac20c
--- /dev/null
+++ b/tests/test_two_channels.c
@@ -0,0 +1,282 @@
+/**
+ * @file test_pam.c
+ * @author Roman Janota <xjanot04@fit.vutbr.cz>
+ * @brief libnetconf2 Linux PAM keyboard-interactive authentication test
+ *
+ * @copyright
+ * Copyright (c) 2022 CESNET, z.s.p.o.
+ *
+ * This source code is licensed under BSD 3-Clause License (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ */
+
+#include <errno.h>
+#include <pthread.h>
+#include <semaphore.h>
+#include <setjmp.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <cmocka.h>
+
+#include <config_server.h>
+#include <libnetconf.h>
+#include <libyang/libyang.h>
+#include <log.h>
+#include <session_client.h>
+#include <session_server.h>
+
+#include "tests/config.h"
+
+#define NC_ACCEPT_TIMEOUT 5000
+#define NC_PS_POLL_TIMEOUT 500
+#define BACKOFF_TIMEOUT_USECS 100
+
+struct ly_ctx *ctx;
+int flag = 0;
+
+const char *data =
+ "<netconf-server xmlns=\"urn:ietf:params:xml:ns:yang:ietf-netconf-server\" xmlns:yang=\"urn:ietf:params:xml:ns:yang:1\" yang:operation=\"none\">\n"
+ " <listen yang:operation=\"create\">\n"
+ " <idle-timeout>10</idle-timeout>\n"
+ " <endpoint>\n"
+ " <name>default-ssh</name>\n"
+ " <ssh>\n"
+ " <tcp-server-parameters>\n"
+ " <local-address>127.0.0.1</local-address>\n"
+ " <local-port>10005</local-port>\n"
+ " </tcp-server-parameters>\n"
+ " <ssh-server-parameters>\n"
+ " <server-identity>\n"
+ " <host-key>\n"
+ " <name>key</name>\n"
+ " <public-key>\n"
+ " <local-definition>\n"
+ " <public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>\n"
+ " <public-key>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</public-key>\n"
+ " <private-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:rsa-private-key-format</private-key-format>\n"
+ " <cleartext-private-key>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</cleartext-private-key>\n"
+ " </local-definition>\n"
+ " </public-key>\n"
+ " </host-key>\n"
+ " </server-identity>\n"
+ " <client-authentication>\n"
+ " <users>\n"
+ " <user>\n"
+ " <name>test1</name>\n"
+ " <public-keys>\n"
+ " <local-definition>\n"
+ " <public-key>\n"
+ " <name>client</name>\n"
+ " <public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>\n"
+ " <public-key>AAAAB3NzaC1yc2EAAAADAQABAAABAQDPavVALiM7QwTIUAndO8E9GOkSDQWjuEwkzbJ3kOBPa7kkq71UOZFeecDjFb9eipkljfFys/JYHGQaYVF8/svT0KV5h7HlutRdF6yvqSEbjpbTORb27pdHX3iFEyDCwCIoq9vMeX+wyXnteyn01GpIL0ig0WAnvkqX/SPjuplX5ZItUSr0MhXM7fNSX50BD6G8IO0/djUcdMUcjTjGv73SxB9ZzLvxnhXuUJbzEJJJLj6qajyEIVaJSa73vA33JCD8qzarrsuITojVLPDFmeHwSAoB5dP86yop6e6ypuXzKxxef6yNXcE8oTj8UFYBIXsgIP2nBvWk41EaK0Vk3YFl</public-key>\n"
+ " </public-key>\n"
+ " </local-definition>\n"
+ " </public-keys>\n"
+ " </user>\n"
+ " <user>\n"
+ " <name>test2</name>\n"
+ " <public-keys>\n"
+ " <local-definition>\n"
+ " <public-key>\n"
+ " <name>client</name>\n"
+ " <public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>\n"
+ " <public-key>AAAAB3NzaC1yc2EAAAADAQABAAABAQDPavVALiM7QwTIUAndO8E9GOkSDQWjuEwkzbJ3kOBPa7kkq71UOZFeecDjFb9eipkljfFys/JYHGQaYVF8/svT0KV5h7HlutRdF6yvqSEbjpbTORb27pdHX3iFEyDCwCIoq9vMeX+wyXnteyn01GpIL0ig0WAnvkqX/SPjuplX5ZItUSr0MhXM7fNSX50BD6G8IO0/djUcdMUcjTjGv73SxB9ZzLvxnhXuUJbzEJJJLj6qajyEIVaJSa73vA33JCD8qzarrsuITojVLPDFmeHwSAoB5dP86yop6e6ypuXzKxxef6yNXcE8oTj8UFYBIXsgIP2nBvWk41EaK0Vk3YFl</public-key>\n"
+ " </public-key>\n"
+ " </local-definition>\n"
+ " </public-keys>\n"
+ " </user>\n"
+ " </users>\n"
+ " </client-authentication>\n"
+ " <transport-params>\n"
+ " <host-key>\n"
+ " <host-key-alg xmlns:sshpka=\"urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs\">sshpka:rsa-sha2-512</host-key-alg>\n"
+ " </host-key>\n"
+ " <key-exchange>\n"
+ " <key-exchange-alg xmlns:sshkea=\"urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs\">sshkea:curve25519-sha256</key-exchange-alg>\n"
+ " </key-exchange>\n"
+ " <encryption>\n"
+ " <encryption-alg xmlns:sshea=\"urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs\">sshea:aes256-ctr</encryption-alg>\n"
+ " </encryption>\n"
+ " <mac>\n"
+ " <mac-alg xmlns:sshma=\"urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs\">sshma:hmac-sha2-512</mac-alg>\n"
+ " </mac>\n"
+ " </transport-params>\n"
+ " </ssh-server-parameters>\n"
+ " </ssh>\n"
+ " </endpoint>\n"
+ " </listen>\n"
+ "</netconf-server>\n";
+
+static void *
+server_thread(void *arg)
+{
+ int ret, del_session_count = 0, sleep_count = 0;
+ NC_MSG_TYPE msgtype;
+ struct nc_session *session, *new_session;
+ struct nc_pollsession *ps;
+
+ (void) arg;
+
+ ps = nc_ps_new();
+ assert_non_null(ps);
+
+ while (del_session_count < 2) {
+ msgtype = nc_accept(0, ctx, &session);
+
+ if (msgtype == NC_MSG_HELLO) {
+ ret = nc_ps_add_session(ps, session);
+ assert_int_equal(ret, 0);
+ }
+
+ ret = nc_ps_poll(ps, 0, &new_session);
+
+ if (ret & NC_PSPOLL_SESSION_TERM) {
+ nc_ps_del_session(ps, new_session);
+ nc_session_free(new_session, NULL);
+ del_session_count++;
+ } else if (ret & NC_PSPOLL_SSH_CHANNEL) {
+ msgtype = nc_session_accept_ssh_channel(session, &new_session);
+ if (msgtype == NC_MSG_HELLO) {
+ ret = nc_ps_add_session(ps, new_session);
+ assert_int_equal(ret, 0);
+ }
+ } else if (ret & NC_PS_POLL_TIMEOUT) {
+ usleep(BACKOFF_TIMEOUT_USECS);
+ sleep_count++;
+ assert_int_not_equal(sleep_count, 50000);
+ }
+ }
+
+ nc_ps_free(ps);
+ nc_thread_destroy();
+ return NULL;
+}
+
+static int
+ssh_hostkey_check_clb(const char *hostname, ssh_session session, void *priv)
+{
+ (void)hostname;
+ (void)session;
+ (void)priv;
+ /* redundant in this test, nonetheless this callback has to be set */
+
+ return 0;
+}
+
+static void *
+client_thread(void *arg)
+{
+ (void) arg;
+ int ret;
+ struct nc_session *session_cl1, *session_cl2;
+
+ /* initialize client */
+ nc_client_init();
+ ret = nc_client_set_schema_searchpath(MODULES_DIR);
+ assert_int_equal(ret, 0);
+ /* skip the knownhost check */
+ nc_client_ssh_set_auth_hostkey_check_clb(ssh_hostkey_check_clb, NULL);
+
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_PUBLICKEY, 1);
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_PASSWORD, -1);
+ nc_client_ssh_set_auth_pref(NC_SSH_AUTH_INTERACTIVE, -1);
+
+ ret = nc_client_ssh_add_keypair(TESTS_DIR "/data/key_rsa.pub", TESTS_DIR "/data/key_rsa");
+ assert_int_equal(ret, 0);
+
+ ret = nc_client_ssh_set_username("test1");
+ assert_int_equal(ret, 0);
+
+ session_cl1 = nc_connect_ssh("127.0.0.1", 10005, NULL);
+ assert_non_null(session_cl1);
+
+ ret = nc_client_ssh_set_username("test2");
+ assert_int_equal(ret, 0);
+
+ session_cl2 = nc_connect_ssh_channel(session_cl1, NULL);
+ assert_non_null(session_cl2);
+
+ nc_client_destroy();
+ nc_session_free(session_cl1, NULL);
+ nc_session_free(session_cl2, NULL);
+ nc_thread_destroy();
+ return NULL;
+}
+
+static void
+test_nc_two_channels(void **state)
+{
+ int ret, i;
+ pthread_t tids[2];
+
+ (void) state;
+
+ ret = pthread_create(&tids[0], NULL, client_thread, NULL);
+ assert_int_equal(ret, 0);
+ ret = pthread_create(&tids[1], NULL, server_thread, NULL);
+ assert_int_equal(ret, 0);
+
+ for (i = 0; i < 2; i++) {
+ pthread_join(tids[i], NULL);
+ }
+}
+
+static int
+setup_f(void **state)
+{
+ int ret;
+ struct lyd_node *tree;
+
+ (void) state;
+
+ nc_verbosity(NC_VERB_VERBOSE);
+
+ ret = ly_ctx_new(MODULES_DIR, 0, &ctx);
+ assert_int_equal(ret, 0);
+
+ ret = nc_server_init_ctx(&ctx);
+ assert_int_equal(ret, 0);
+
+ ret = nc_server_config_load_modules(&ctx);
+ assert_int_equal(ret, 0);
+
+ ret = lyd_parse_data_mem(ctx, data, LYD_XML, LYD_PARSE_NO_STATE | LYD_PARSE_STRICT, LYD_VALIDATE_NO_STATE, &tree);
+ assert_int_equal(ret, 0);
+
+ ret = nc_server_config_setup(tree);
+ assert_int_equal(ret, 0);
+
+ ret = nc_server_init();
+ assert_int_equal(ret, 0);
+
+ lyd_free_all(tree);
+
+ return 0;
+}
+
+static int
+teardown_f(void **state)
+{
+ (void) state;
+
+ nc_server_destroy();
+ ly_ctx_destroy(ctx);
+
+ return 0;
+}
+
+int
+main(void)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_nc_two_channels, setup_f, teardown_f),
+ };
+
+ setenv("CMOCKA_TEST_ABORT", "1", 1);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
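Review bot: In server_thread the backoff branch masks the poll result with `NC_PS_POLL_TIMEOUT`, which is this file's own `#define NC_PS_POLL_TIMEOUT 500` (a millisecond value), not a poll-result flag; the condition should be `} else if (ret & NC_PSPOLL_TIMEOUT) {` like the NC_PSPOLL_SESSION_TERM and NC_PSPOLL_SSH_CHANNEL checks above it, otherwise whether the loop sleeps depends on which bits of 500 happen to overlap the NC_PSPOLL_* flags and the loop can busy-spin without ever counting toward the 50000 bound. In the NC_PSPOLL_SSH_CHANNEL branch, `nc_session_accept_ssh_channel(session, &new_session)` reads `session`, the value left by the last nc_accept() call, which is uninitialized until an accept has returned NC_MSG_HELLO; the session the channel request arrived on is the one nc_ps_poll() reports in `new_session`, so that is presumably what should be passed (worth confirming against the library API). `usleep()` is called but `<unistd.h>` is not included, so the build depends on a transitive include. The file header still says `@file test_pam.c` / `libnetconf2 Linux PAM keyboard-interactive authentication test`, copied from the deleted test; it should read `@file test_two_channels.c` with a brief such as `libnetconf2 two SSH channels on one session test`, and the unused global `int flag = 0;` can be dropped.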