blob: c362163b4e0492de6246cebe94c446d828e555a8 [file] [log] [blame]
Michal Vasko086311b2016-01-08 09:53:11 +01001/**
2 * \file session_server.h
3 * \author Michal Vasko <mvasko@cesnet.cz>
4 * \brief libnetconf2 session server manipulation
5 *
6 * Copyright (c) 2015 CESNET, z.s.p.o.
7 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +01008 * This source code is licensed under BSD 3-Clause License (the "License").
9 * You may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +010011 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +010012 * https://opensource.org/licenses/BSD-3-Clause
Michal Vasko086311b2016-01-08 09:53:11 +010013 */
14
15#ifndef NC_SESSION_SERVER_H_
16#define NC_SESSION_SERVER_H_
17
18#include <stdint.h>
Michal Vasko05ba9df2016-01-13 14:40:27 +010019#include <libyang/libyang.h>
Michal Vasko086311b2016-01-08 09:53:11 +010020
Michal Vasko709598e2016-11-28 14:48:32 +010021#ifdef NC_ENABLED_TLS
22# include <openssl/x509.h>
23#endif
24
Michal Vasko086311b2016-01-08 09:53:11 +010025#include "session.h"
Michal Vasko086311b2016-01-08 09:53:11 +010026#include "netconf.h"
27
Michal Vasko1a38c862016-01-15 15:50:07 +010028/**
29 * @brief Prototype of callbacks that are called if some RPCs are received.
30 *
31 * If \p session termination reason is changed in the callback, one last reply
32 * is sent and then the session is considered invalid.
33 *
34 * @param[in] rpc Parsed client RPC request.
35 * @param[in] session Session the RPC arrived on.
36 * @return Server reply. If NULL, an operation-failed error will be sent to the client.
37 */
Michal Vasko05ba9df2016-01-13 14:40:27 +010038typedef struct nc_server_reply *(*nc_rpc_clb)(struct lyd_node *rpc, struct nc_session *session);
39
Michal Vasko1a38c862016-01-15 15:50:07 +010040/**
Michal Vasko7b096242016-01-29 15:55:10 +010041 * @brief Set the termination reason for a session. Use only in #nc_rpc_clb callbacks.
Michal Vasko1a38c862016-01-15 15:50:07 +010042 *
43 * @param[in] session Session to modify.
44 * @param[in] reason Reason of termination.
45 */
46void nc_session_set_term_reason(struct nc_session *session, NC_SESSION_TERM_REASON reason);
47
48/**
Michal Vaskoa7b8ca52016-03-01 12:09:29 +010049 * @brief Initialize libssh and/or libssl/libcrypto and the server using a libyang context.
Michal Vasko1a38c862016-01-15 15:50:07 +010050 *
51 * The context is not modified internally, only its dictionary is used for holding
Michal Vaskoa43589b2016-02-17 13:24:59 +010052 * all the strings, which is thread-safe. Reading models is considered thread-safe
53 * as models cannot be removed and are rarely modified (augments or deviations).
Michal Vasko1a38c862016-01-15 15:50:07 +010054 *
Michal Vasko3a889fd2016-09-30 12:16:37 +020055 * If the RPC callbacks on schema nodes (mentioned in @ref howtoserver) are modified after
Michal Vasko5494f512016-03-01 12:13:44 +010056 * server initialization with that particular context, they will be called (changes
57 * will take effect). However, there could be race conditions as the access to
58 * these callbacks is not thread-safe.
59 *
Michal Vasko1a38c862016-01-15 15:50:07 +010060 * Server capabilities are generated based on its content. Changing the context
61 * in ways that result in changed capabilities (adding models, changing features)
62 * is discouraged after sessions are established as it is not possible to change
63 * capabilities of a session.
64 *
65 * This context can safely be destroyed only after calling the last libnetconf2
66 * function in an application.
67 *
Michal Vasko3a889fd2016-09-30 12:16:37 +020068 * Supported RPCs of models in the context are expected to have their callback
69 * in the corresponding RPC schema node set to a nc_rpc_clb function callback using nc_set_rpc_callback().
Michal Vasko1a38c862016-01-15 15:50:07 +010070 * This callback is called by nc_ps_poll() if the particular RPC request is
71 * received. Callbacks for ietf-netconf:get-schema (supporting YANG and YIN format
72 * only) and ietf-netconf:close-session are set internally if left unset.
73 *
Michal Vasko1a38c862016-01-15 15:50:07 +010074 * @param[in] ctx Core NETCONF server context.
75 * @return 0 on success, -1 on error.
76 */
Michal Vasko086311b2016-01-08 09:53:11 +010077int nc_server_init(struct ly_ctx *ctx);
78
Michal Vasko1a38c862016-01-15 15:50:07 +010079/**
Michal Vaskoa7b8ca52016-03-01 12:09:29 +010080 * @brief Destroy any dynamically allocated libssh and/or libssl/libcrypto and
81 * server resources.
Michal Vaskob48aa812016-01-18 14:13:09 +010082 */
83void nc_server_destroy(void);
84
85/**
Michal Vasko1a38c862016-01-15 15:50:07 +010086 * @brief Set the with-defaults capability extra parameters.
87 *
88 * For the capability to be actually advertised, the server context must also
89 * include the ietf-netconf-with-defaults model.
90 *
91 * Changing this option has the same ill effects as changing capabilities while
92 * sessions are already established.
93 *
94 * @param[in] basic_mode basic-mode with-defaults parameter.
95 * @param[in] also_supported NC_WD_MODE bit array, also-supported with-defaults
96 * parameter.
97 * @return 0 on success, -1 on error.
98 */
Michal Vasko086311b2016-01-08 09:53:11 +010099int nc_server_set_capab_withdefaults(NC_WD_MODE basic_mode, int also_supported);
100
Michal Vasko1a38c862016-01-15 15:50:07 +0100101/**
Michal Vasko55f03972016-04-13 08:56:01 +0200102 * @brief Get with-defaults capability extra parameters.
103 *
104 * At least one argument must be non-NULL.
105 *
106 * @param[in,out] basic_mode basic-mode parameter.
107 * @param[in,out] also_supported also-supported parameter.
108 */
109void nc_server_get_capab_withdefaults(NC_WD_MODE *basic_mode, int *also_supported);
110
111/**
Radek Krejci658782b2016-12-04 22:04:55 +0100112 * @brief Set capability of the server.
Michal Vasko1a38c862016-01-15 15:50:07 +0100113 *
Radek Krejci658782b2016-12-04 22:04:55 +0100114 * Capability can be used when some behavior or extension of the server is not defined
115 * as a YANG module. The provided value will be advertised in the server's \<hello\>
116 * messages. Note, that libnetconf only checks that the provided value is non-empty
117 * string.
Michal Vasko1a38c862016-01-15 15:50:07 +0100118 *
Michal Vasko50d2a5c2017-02-14 10:29:49 +0100119 * @param[in] value Capability string to be advertised in server's \<hello\> messages.
Michal Vasko1a38c862016-01-15 15:50:07 +0100120 */
Radek Krejci658782b2016-12-04 22:04:55 +0100121int nc_server_set_capability(const char *value);
Michal Vasko55f03972016-04-13 08:56:01 +0200122
123/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100124 * @brief Set server timeout for receiving a hello message.
125 *
126 * @param[in] hello_timeout Hello message timeout. 0 for infinite waiting.
127 */
128void nc_server_set_hello_timeout(uint16_t hello_timeout);
Michal Vasko086311b2016-01-08 09:53:11 +0100129
Michal Vasko1a38c862016-01-15 15:50:07 +0100130/**
Michal Vasko55f03972016-04-13 08:56:01 +0200131 * @brief get server timeout for receiving a hello message.
132 *
133 * @return Hello message timeout, 0 is infinite.
134 */
135uint16_t nc_server_get_hello_timeout(void);
136
137/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100138 * @brief Set server timeout for dropping an idle session.
139 *
140 * @param[in] idle_timeout Idle session timeout. 0 to never drop a session
Michal Vaskof0537d82016-01-29 14:42:38 +0100141 * because of inactivity.
Michal Vasko1a38c862016-01-15 15:50:07 +0100142 */
143void nc_server_set_idle_timeout(uint16_t idle_timeout);
Michal Vasko086311b2016-01-08 09:53:11 +0100144
Michal Vasko1a38c862016-01-15 15:50:07 +0100145/**
Michal Vasko55f03972016-04-13 08:56:01 +0200146 * @brief Get server timeout for dropping an idle session.
147 *
148 * @return Idle session timeout, 0 for for never dropping
149 * a session because of inactivity.
150 */
151uint16_t nc_server_get_idle_timeout(void);
152
153/**
Michal Vasko4ffa3b22016-05-24 16:36:25 +0200154 * @brief Get all the server capabilities as will be sent to every client.
155 *
156 * A few capabilities (with-defaults, interleave) depend on the current
157 * server options.
158 *
159 * @param[in] ctx Context to read most capabilities from.
160 * @return Array of capabilities stored in the \p ctx dictionary, NULL on error.
161 */
162const char **nc_server_get_cpblts(struct ly_ctx *ctx);
163
164/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100165 * @brief Accept a new session on a pre-established transport session.
166 *
167 * @param[in] fdin File descriptor to read (unencrypted) XML data from.
168 * @param[in] fdout File descriptor to write (unencrypted) XML data to.
169 * @param[in] username NETCONF username as provided by the transport protocol.
170 * @param[out] session New session on success.
Michal Vasko71090fc2016-05-24 16:37:28 +0200171 * @return NC_MSG_HELLO on success, NC_MSG_BAD_HELLO on client \<hello\> message
172 * parsing fail, NC_MSG_WOULDBLOCK on timeout, NC_MSG_ERROR on other errors.
Michal Vasko1a38c862016-01-15 15:50:07 +0100173 */
Michal Vasko71090fc2016-05-24 16:37:28 +0200174NC_MSG_TYPE nc_accept_inout(int fdin, int fdout, const char *username, struct nc_session **session);
Michal Vasko086311b2016-01-08 09:53:11 +0100175
Michal Vasko1a38c862016-01-15 15:50:07 +0100176/**
fanchanghu966f2de2016-07-21 02:28:57 -0400177 * @brief Set a global nc_rpc_clb that is called if the particular RPC request is
178 * received and the private field in the corresponding RPC schema node is NULL.
179 *
180 * @param[in] clb An user-defined nc_rpc_clb function callback, NULL to default.
181 */
182void nc_set_global_rpc_clb(nc_rpc_clb clb);
183
184/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100185 * @brief Create an empty structure for polling sessions.
186 *
187 * @return Empty pollsession structure, NULL on error.
188 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100189struct nc_pollsession *nc_ps_new(void);
Michal Vaskofb89d772016-01-08 12:25:35 +0100190
Michal Vasko1a38c862016-01-15 15:50:07 +0100191/**
192 * @brief Free a pollsession structure.
193 *
Michal Vasko01082bf2016-04-07 10:44:21 +0200194 * !IMPORTANT! Make sure that \p ps is not accessible (is not used)
195 * by any thread before and after this call!
196 *
Michal Vasko1a38c862016-01-15 15:50:07 +0100197 * @param[in] ps Pollsession structure to free.
198 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100199void nc_ps_free(struct nc_pollsession *ps);
Michal Vaskofb89d772016-01-08 12:25:35 +0100200
Michal Vasko1a38c862016-01-15 15:50:07 +0100201/**
202 * @brief Add a session to a pollsession structure.
203 *
204 * @param[in] ps Pollsession structure to modify.
205 * @param[in] session Session to add to \p ps.
206 * @return 0 on success, -1 on error.
207 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100208int nc_ps_add_session(struct nc_pollsession *ps, struct nc_session *session);
Michal Vaskofb89d772016-01-08 12:25:35 +0100209
Michal Vasko1a38c862016-01-15 15:50:07 +0100210/**
211 * @brief Remove a session from a pollsession structure.
212 *
213 * @param[in] ps Pollsession structure to modify.
214 * @param[in] session Session to remove from \p ps.
Michal Vaskof0537d82016-01-29 14:42:38 +0100215 * @return 0 on success, -1 on not found.
Michal Vasko1a38c862016-01-15 15:50:07 +0100216 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100217int nc_ps_del_session(struct nc_pollsession *ps, struct nc_session *session);
218
Michal Vasko1a38c862016-01-15 15:50:07 +0100219/**
Michal Vasko0fdb7ac2016-03-01 09:03:12 +0100220 * @brief Learn the number of sessions in a pollsession structure.
221 *
Michal Vaskof4462fd2017-02-15 14:29:05 +0100222 * Does not lock \p ps structure for efficiency.
223 *
Michal Vasko0fdb7ac2016-03-01 09:03:12 +0100224 * @param[in] ps Pollsession structure to check.
Michal Vaskoc72d0e62016-07-26 11:36:11 +0200225 * @return Number of sessions (even invalid ones) in \p ps, -1 on error.
Michal Vasko0fdb7ac2016-03-01 09:03:12 +0100226 */
227uint16_t nc_ps_session_count(struct nc_pollsession *ps);
228
Michal Vasko30a5d6b2017-02-15 14:29:39 +0100229#define NC_PSPOLL_NOSESSIONS 0x0001 /**< No sessions to poll. */
230#define NC_PSPOLL_TIMEOUT 0x0002 /**< Timeout elapsed. */
231#define NC_PSPOLL_RPC 0x0004 /**< RPC was correctly parsed and processed. */
232#define NC_PSPOLL_BAD_RPC 0x0008 /**< RPC was received, but failed to be parsed. */
233#define NC_PSPOLL_REPLY_ERROR 0x0010 /**< Response to the RPC was a \<rpc-reply\> of type error. */
234#define NC_PSPOLL_SESSION_TERM 0x0020 /**< Some session was terminated. */
235#define NC_PSPOLL_SESSION_ERROR 0x0040 /**< Some session was terminated incorrectly (not by a \<close-session\> or \<kill-session\> RPC). */
236#define NC_PSPOLL_ERROR 0x0080 /**< Other fatal errors (they are printed). */
Michal Vasko71090fc2016-05-24 16:37:28 +0200237
238#ifdef NC_ENABLED_SSH
Michal Vasko30a5d6b2017-02-15 14:29:39 +0100239# define NC_PSPOLL_SSH_MSG 0x0100 /**< SSH message received (and processed, if relevant, only with SSH support). */
240# define NC_PSPOLL_SSH_CHANNEL 0x0200 /**< New SSH channel opened on an existing session (only with SSH support). */
Michal Vasko71090fc2016-05-24 16:37:28 +0200241#endif
242
Michal Vasko0fdb7ac2016-03-01 09:03:12 +0100243/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100244 * @brief Poll sessions and process any received RPCs.
245 *
Michal Vasko71090fc2016-05-24 16:37:28 +0200246 * All the sessions must be running. Only one event on one session
Michal Vasko96164bf2016-01-21 15:41:58 +0100247 * is handled in one function call.
Michal Vasko1a38c862016-01-15 15:50:07 +0100248 *
249 * @param[in] ps Pollsession structure to use.
Michal Vasko11d142a2016-01-19 15:58:24 +0100250 * @param[in] timeout Poll timeout in milliseconds. 0 for non-blocking call, -1 for
Michal Vasko96830e32016-02-01 10:54:18 +0100251 * infinite waiting.
Michal Vasko71090fc2016-05-24 16:37:28 +0200252 * @param[in] session Session that was processed and that specific return bits concern.
253 * Can be NULL.
254 * @return Bitfield of NC_PSPOLL_* macros, almost any combination can be returned.
Michal Vasko1a38c862016-01-15 15:50:07 +0100255 */
Michal Vasko71090fc2016-05-24 16:37:28 +0200256int nc_ps_poll(struct nc_pollsession *ps, int timeout, struct nc_session **session);
Michal Vasko086311b2016-01-08 09:53:11 +0100257
Michal Vasko11d142a2016-01-19 15:58:24 +0100258/**
Michal Vaskocad3ac42016-03-01 09:06:01 +0100259 * @brief Remove sessions from a pollsession structure and
260 * call nc_session_free() on them.
Michal Vaskod09eae62016-02-01 10:32:52 +0100261 *
Michal Vaskocad3ac42016-03-01 09:06:01 +0100262 * Calling this function with \p all false makes sense if nc_ps_poll() returned 3.
Michal Vaskod09eae62016-02-01 10:32:52 +0100263 *
264 * @param[in] ps Pollsession structure to clear.
Michal Vaskocad3ac42016-03-01 09:06:01 +0100265 * @param[in] all Whether to free all sessions, or only the invalid ones.
Michal Vaskoe1a64ec2016-03-01 12:21:58 +0100266 * @param[in] data_free Session user data destructor.
Michal Vaskod09eae62016-02-01 10:32:52 +0100267 */
Michal Vaskoe1a64ec2016-03-01 12:21:58 +0100268void nc_ps_clear(struct nc_pollsession *ps, int all, void (*data_free)(void *));
Michal Vaskod09eae62016-02-01 10:32:52 +0100269
Radek Krejci53691be2016-02-22 13:58:37 +0100270#if defined(NC_ENABLED_SSH) || defined(NC_ENABLED_TLS)
Michal Vasko9e036d52016-01-08 10:49:26 +0100271
Michal Vasko1a38c862016-01-15 15:50:07 +0100272/**
Michal Vaskoe2713da2016-08-22 16:06:40 +0200273 * @brief Add a new endpoint.
274 *
275 * Before the endpoint can accept any connections, its address and port must
Michal Vasko2e6defd2016-10-07 15:48:15 +0200276 * be set.
Michal Vaskoe2713da2016-08-22 16:06:40 +0200277 *
278 * @param[in] name Arbitrary unique endpoint name.
Michal Vasko2e6defd2016-10-07 15:48:15 +0200279 * @param[in] ti Transport protocol to use.
Michal Vaskoe2713da2016-08-22 16:06:40 +0200280 * @return 0 on success, -1 on error.
281 */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200282int nc_server_add_endpt(const char *name, NC_TRANSPORT_IMPL ti);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200283
284/**
285 * @brief Stop listening on and remove an endpoint.
286 *
287 * @param[in] name Endpoint name. NULL matches all endpoints.
Michal Vasko59050372016-11-22 14:33:55 +0100288 * @param[in] ti Endpoint transport protocol. NULL matches any protocol.
289 * Redundant to set if \p name is set, endpoint names are
290 * unique disregarding their protocol.
Michal Vaskoe2713da2016-08-22 16:06:40 +0200291 * @return 0 on success, -1 on not finding any match.
292 */
Michal Vasko59050372016-11-22 14:33:55 +0100293int nc_server_del_endpt(const char *name, NC_TRANSPORT_IMPL ti);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200294
295/**
Michal Vasko2e6defd2016-10-07 15:48:15 +0200296 * @brief Change endpoint listening address.
297 *
298 * On error the previous listening socket (if any) is left untouched.
299 *
300 * @param[in] endpt_name Existing endpoint name.
301 * @param[in] address New listening address.
302 * @return 0 on success, -1 on error.
303 */
304int nc_server_endpt_set_address(const char *endpt_name, const char *address);
305
306/**
307 * @brief Change endpoint listening port.
308 *
309 * On error the previous listening socket (if any) is left untouched.
310 *
311 * @param[in] endpt_name Existing endpoint name.
312 * @param[in] port New listening port.
313 * @return 0 on success, -1 on error.
314 */
315int nc_server_endpt_set_port(const char *endpt_name, uint16_t port);
316
317/**
Michal Vasko3031aae2016-01-27 16:07:18 +0100318 * @brief Accept new sessions on all the listening endpoints.
Michal Vasko1a38c862016-01-15 15:50:07 +0100319 *
Michal Vasko11d142a2016-01-19 15:58:24 +0100320 * @param[in] timeout Timeout for receiving a new connection in milliseconds, 0 for
Michal Vasko71090fc2016-05-24 16:37:28 +0200321 * non-blocking call, -1 for infinite waiting.
Michal Vasko96164bf2016-01-21 15:41:58 +0100322 * @param[out] session New session.
Michal Vasko71090fc2016-05-24 16:37:28 +0200323 * @return NC_MSG_HELLO on success, NC_MSG_BAD_HELLO on client \<hello\> message
324 * parsing fail, NC_MSG_WOULDBLOCK on timeout, NC_MSG_ERROR on other errors.
Michal Vasko1a38c862016-01-15 15:50:07 +0100325 */
Michal Vasko71090fc2016-05-24 16:37:28 +0200326NC_MSG_TYPE nc_accept(int timeout, struct nc_session **session);
Michal Vasko9e036d52016-01-08 10:49:26 +0100327
Radek Krejci53691be2016-02-22 13:58:37 +0100328#endif /* NC_ENABLED_SSH || NC_ENABLED_TLS */
Michal Vasko9e036d52016-01-08 10:49:26 +0100329
Radek Krejci53691be2016-02-22 13:58:37 +0100330#ifdef NC_ENABLED_SSH
Michal Vasko086311b2016-01-08 09:53:11 +0100331
Michal Vasko1a38c862016-01-15 15:50:07 +0100332/**
Michal Vasko71090fc2016-05-24 16:37:28 +0200333 * @brief Accept a new NETCONF session on an SSH session of a running NETCONF \p orig_session.
334 * Call this function only when nc_ps_poll() returns NC_PSPOLL_SSH_CHANNEL on \p orig_session.
335 *
336 * @param[in] orig_session Session that has a new SSH channel ready.
337 * @param[out] session New session.
338 * @return NC_MSG_HELLO on success, NC_MSG_BAD_HELLO on client \<hello\> message
339 * parsing fail, NC_MSG_WOULDBLOCK on timeout, NC_MSG_ERROR on other errors.
340 */
341NC_MSG_TYPE nc_session_accept_ssh_channel(struct nc_session *orig_session, struct nc_session **session);
342
343/**
Michal Vasko96164bf2016-01-21 15:41:58 +0100344 * @brief Accept a new NETCONF session on an SSH session of a running NETCONF session
Michal Vasko71090fc2016-05-24 16:37:28 +0200345 * that was polled in \p ps. Call this function only when nc_ps_poll() on \p ps returns NC_PSPOLL_SSH_CHANNEL.
Michal Vaskoc0fde012016-03-01 09:07:23 +0100346 * The new session is only returned in \p session, it is not added to \p ps.
Michal Vasko96164bf2016-01-21 15:41:58 +0100347 *
348 * @param[in] ps Unmodified pollsession structure from the previous nc_ps_poll() call.
349 * @param[out] session New session.
Michal Vasko71090fc2016-05-24 16:37:28 +0200350 * @return NC_MSG_HELLO on success, NC_MSG_BAD_HELLO on client \<hello\> message
351 * parsing fail, NC_MSG_WOULDBLOCK on timeout, NC_MSG_ERROR on other errors.
Michal Vasko96164bf2016-01-21 15:41:58 +0100352 */
Michal Vasko71090fc2016-05-24 16:37:28 +0200353NC_MSG_TYPE nc_ps_accept_ssh_channel(struct nc_pollsession *ps, struct nc_session **session);
Michal Vasko96164bf2016-01-21 15:41:58 +0100354
355/**
Michal Vasko17dfda92016-12-01 14:06:16 +0100356 * @brief Add an authorized client SSH public key. This public key can be used for
357 * publickey authentication (for any SSH connection, even Call Home) afterwards.
358 *
359 * @param[in] pubkey_base64 Authorized public key binary content encoded in base64.
360 * @param[in] type Authorized public key SSH type.
361 * @param[in] username Username that the client with the public key must use.
362 * @return 0 on success, -1 on error.
363 */
364int nc_server_ssh_add_authkey(const char *pubkey_base64, NC_SSH_KEY_TYPE type, const char *username);
365
366/**
367 * @brief Add an authorized client SSH public key. This public key can be used for
368 * publickey authentication (for any SSH connection, even Call Home) afterwards.
369 *
370 * @param[in] pubkey_path Path to the public key.
371 * @param[in] username Username that the client with the public key must use.
372 * @return 0 on success, -1 on error.
373 */
374int nc_server_ssh_add_authkey_path(const char *pubkey_path, const char *username);
375
376/**
377 * @brief Remove an authorized client SSH public key.
378 *
379 * @param[in] pubkey_path Path to an authorized public key. NULL matches all the keys.
380 * @param[in] pubkey_base64 Authorized public key content. NULL matches any key.
381 * @param[in] type Authorized public key type. 0 matches all types.
382 * @param[in] username Username for an authorized public key. NULL matches all the usernames.
383 * @return 0 on success, -1 on not finding any match.
384 */
385int nc_server_ssh_del_authkey(const char *pubkey_path, const char *pubkey_base64, NC_SSH_KEY_TYPE type,
386 const char *username);
387
388/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100389 * @brief Add endpoint SSH host keys the server will identify itself with. Only the name is set, the key itself
390 * wil be retrieved using a callback.
Michal Vasko1a38c862016-01-15 15:50:07 +0100391 *
Michal Vaskoda514772016-02-01 11:32:01 +0100392 * @param[in] endpt_name Existing endpoint name.
Michal Vasko4c1fb492017-01-30 14:31:07 +0100393 * @param[in] name Arbitrary name of the host key.
Michal Vasko7d255882017-02-09 13:35:08 +0100394 * @param[in] idx Optional index where to add the key. -1 adds at the end.
Michal Vasko1a38c862016-01-15 15:50:07 +0100395 * @return 0 on success, -1 on error.
396 */
Michal Vasko7d255882017-02-09 13:35:08 +0100397int nc_server_ssh_endpt_add_hostkey(const char *endpt_name, const char *name, int16_t idx);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200398
399/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100400 * @brief Set the callback for retrieving host keys. Any RSA, DSA, and ECDSA keys can be added. However,
401 * a maximum of one key of each type will be used during SSH authentication, later keys replacing
402 * the earlier ones.
403 *
404 * @param[in] hostkey_clb Callback that should return the key itself. Zero return indicates success, non-zero
405 * an error. On success exactly ONE of \p privkey_path or \p privkey_data is expected
406 * to be set. The one set will be freed.
407 * - \p privkey_path expects a PEM file,
408 * - \p privkey_data expects a base-64 encoded ANS.1 DER data,
409 * - \p privkey_data_rsa flag whether \p privkey_data are the data of an RSA (1) or a DSA (0) key.
410 * @param[in] user_data Optional arbitrary user data that will be passed to \p hostkey_clb.
411 * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
412 */
413void nc_server_ssh_set_hostkey_clb(int (*hostkey_clb)(const char *name, void *user_data, char **privkey_path,
414 char **privkey_data, int *privkey_data_rsa),
415 void *user_data, void (*free_user_data)(void *user_data));
416
417/**
418 * @brief Delete endpoint SSH host key. Their order is preserved.
Michal Vaskoe2713da2016-08-22 16:06:40 +0200419 *
420 * @param[in] endpt_name Existing endpoint name.
Michal Vasko7d255882017-02-09 13:35:08 +0100421 * @param[in] name Name of the host key. NULL matches all the keys, but if \p idx != -1 then this must be NULL.
422 * @param[in] idx Index of the hostkey. -1 matches all indices, but if \p name != NULL then this must be -1.
Michal Vaskoe2713da2016-08-22 16:06:40 +0200423 * @return 0 on success, -1 on error.
424 */
Michal Vasko7d255882017-02-09 13:35:08 +0100425int nc_server_ssh_endpt_del_hostkey(const char *endpt_name, const char *name, int16_t idx);
Michal Vasko086311b2016-01-08 09:53:11 +0100426
Michal Vasko1a38c862016-01-15 15:50:07 +0100427/**
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100428 * @brief Move endpoint SSH host key.
429 *
430 * @param[in] endpt_name Exisitng endpoint name.
431 * @param[in] key_mov Name of the host key that will be moved.
432 * @param[in] key_after Name of the key that will preceed \p key_mov. NULL if \p key_mov is to be moved at the beginning.
433 * @return 0 in success, -1 on error.
434 */
435int nc_server_ssh_endpt_mov_hostkey(const char *endpt_name, const char *key_mov, const char *key_after);
436
437/**
438 * @brief Modify endpoint SSH host key.
439 *
440 * @param[in] endpt_name Exisitng endpoint name.
441 * @param[in] name Name of an existing host key.
442 * @param[in] new_name New name of the host key \p name.
443 * @return 0 in success, -1 on error.
444 */
445int nc_server_ssh_endpt_mod_hostkey(const char *endpt_name, const char *name, const char *new_name);
446
447/**
Michal Vasko3031aae2016-01-27 16:07:18 +0100448 * @brief Set endpoint SSH banner the server will send to every client.
Michal Vasko1a38c862016-01-15 15:50:07 +0100449 *
Michal Vaskoda514772016-02-01 11:32:01 +0100450 * @param[in] endpt_name Existing endpoint name.
Michal Vasko1a38c862016-01-15 15:50:07 +0100451 * @param[in] banner SSH banner.
452 * @return 0 on success, -1 on error.
453 */
Michal Vasko3031aae2016-01-27 16:07:18 +0100454int nc_server_ssh_endpt_set_banner(const char *endpt_name, const char *banner);
Michal Vasko086311b2016-01-08 09:53:11 +0100455
Michal Vasko1a38c862016-01-15 15:50:07 +0100456/**
Michal Vasko3031aae2016-01-27 16:07:18 +0100457 * @brief Set endpoint accepted SSH authentication methods. All (publickey, password, interactive)
Michal Vaskof0537d82016-01-29 14:42:38 +0100458 * are supported by default.
Michal Vasko1a38c862016-01-15 15:50:07 +0100459 *
Michal Vaskoda514772016-02-01 11:32:01 +0100460 * @param[in] endpt_name Existing endpoint name.
Michal Vasko1a38c862016-01-15 15:50:07 +0100461 * @param[in] auth_methods Accepted authentication methods bit field of NC_SSH_AUTH_TYPE.
462 * @return 0 on success, -1 on error.
463 */
Michal Vasko3031aae2016-01-27 16:07:18 +0100464int nc_server_ssh_endpt_set_auth_methods(const char *endpt_name, int auth_methods);
Michal Vasko086311b2016-01-08 09:53:11 +0100465
Michal Vasko1a38c862016-01-15 15:50:07 +0100466/**
Michal Vasko3031aae2016-01-27 16:07:18 +0100467 * @brief Set endpoint SSH authentication attempts of every client. 3 by default.
Michal Vasko1a38c862016-01-15 15:50:07 +0100468 *
Michal Vaskoda514772016-02-01 11:32:01 +0100469 * @param[in] endpt_name Existing endpoint name.
Michal Vasko5e6f4cc2016-01-20 13:27:44 +0100470 * @param[in] auth_attempts Failed authentication attempts before a client is dropped.
Michal Vasko1a38c862016-01-15 15:50:07 +0100471 * @return 0 on success, -1 on error.
472 */
Michal Vasko3031aae2016-01-27 16:07:18 +0100473int nc_server_ssh_endpt_set_auth_attempts(const char *endpt_name, uint16_t auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +0100474
Michal Vasko1a38c862016-01-15 15:50:07 +0100475/**
Michal Vasko3031aae2016-01-27 16:07:18 +0100476 * @brief Set endpoint SSH authentication timeout. 10 seconds by default.
Michal Vasko1a38c862016-01-15 15:50:07 +0100477 *
Michal Vaskoda514772016-02-01 11:32:01 +0100478 * @param[in] endpt_name Existing endpoint name.
Michal Vasko1a38c862016-01-15 15:50:07 +0100479 * @param[in] auth_timeout Number of seconds before an unauthenticated client is dropped.
480 * @return 0 on success, -1 on error.
481 */
Michal Vasko3031aae2016-01-27 16:07:18 +0100482int nc_server_ssh_endpt_set_auth_timeout(const char *endpt_name, uint16_t auth_timeout);
Michal Vasko086311b2016-01-08 09:53:11 +0100483
Radek Krejci53691be2016-02-22 13:58:37 +0100484#endif /* NC_ENABLED_SSH */
Michal Vasko086311b2016-01-08 09:53:11 +0100485
Radek Krejci53691be2016-02-22 13:58:37 +0100486#ifdef NC_ENABLED_TLS
Michal Vasko086311b2016-01-08 09:53:11 +0100487
Michal Vasko1a38c862016-01-15 15:50:07 +0100488/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100489 * @brief Set the server TLS certificate. Only the name is set, the certificate itself
490 * wil be retrieved using a callback.
Michal Vasko1a38c862016-01-15 15:50:07 +0100491 *
Michal Vaskoda514772016-02-01 11:32:01 +0100492 * @param[in] endpt_name Existing endpoint name.
Michal Vasko4c1fb492017-01-30 14:31:07 +0100493 * @param[in] name Arbitrary certificate name.
Michal Vasko1a38c862016-01-15 15:50:07 +0100494 * @return 0 on success, -1 on error.
495 */
Michal Vasko4c1fb492017-01-30 14:31:07 +0100496int nc_server_tls_endpt_set_server_cert(const char *endpt_name, const char *name);
Michal Vasko086311b2016-01-08 09:53:11 +0100497
Michal Vasko1a38c862016-01-15 15:50:07 +0100498/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100499 * @brief Set the callback for retrieving server certificate and matching private key.
Michal Vasko1a38c862016-01-15 15:50:07 +0100500 *
Michal Vasko4c1fb492017-01-30 14:31:07 +0100501 * @param[in] cert_clb Callback that should return the certificate and the key itself. Zero return indicates success,
502 * non-zero an error. On success exactly ONE of \p cert_path or \p cert_data and ONE of
503 * \p privkey_path and \p privkey_data is expected to be set. Those set will be freed.
504 * - \p cert_path expects a PEM file,
505 * - \p cert_data expects a base-64 encoded ASN.1 DER data,
506 * - \p privkey_path expects a PEM file,
507 * - \p privkey_data expects a base-64 encoded ANS.1 DER data,
508 * - \p privkey_data_rsa flag whether \p privkey_data are the data of an RSA (1) or a DSA (0) key.
509 * @param[in] user_data Optional arbitrary user data that will be passed to \p cert_clb.
510 * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
Michal Vasko1a38c862016-01-15 15:50:07 +0100511 */
Michal Vasko4c1fb492017-01-30 14:31:07 +0100512void nc_server_tls_set_server_cert_clb(int (*cert_clb)(const char *name, void *user_data, char **cert_path, char **cert_data,
513 char **privkey_path, char **privkey_data, int *privkey_data_rsa),
514 void *user_data, void (*free_user_data)(void *user_data));
Michal Vasko0457bb42016-01-08 15:49:13 +0100515
Michal Vasko1a38c862016-01-15 15:50:07 +0100516/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100517 * @brief Add a trusted certificate list. Can be both a CA or a client one. Can be
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100518 * safely used together with nc_server_tls_endpt_set_trusted_ca_paths().
Michal Vasko1a38c862016-01-15 15:50:07 +0100519 *
Michal Vaskoda514772016-02-01 11:32:01 +0100520 * @param[in] endpt_name Existing endpoint name.
Michal Vasko4c1fb492017-01-30 14:31:07 +0100521 * @param[in] name Arbitary name identifying this certificate list.
Michal Vasko1a38c862016-01-15 15:50:07 +0100522 * @return 0 on success, -1 on error.
523 */
Michal Vasko4c1fb492017-01-30 14:31:07 +0100524int nc_server_tls_endpt_add_trusted_cert_list(const char *endpt_name, const char *name);
Michal Vasko0457bb42016-01-08 15:49:13 +0100525
Michal Vasko1a38c862016-01-15 15:50:07 +0100526/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100527 * @brief Set the callback for retrieving trusted certificates.
528 *
529 * @param[in] cert_list_clb Callback that should return all the certificates of a list. Zero return indicates success,
530 * non-zero an error. On success, \p cert_paths and \p cert_data are expected to be set or left
531 * NULL. Both will be (deeply) freed.
532 * - \p cert_paths expect an array of PEM files,
533 * - \p cert_path_count number of \p cert_paths array members,
534 * - \p cert_data expect an array of base-64 encoded ASN.1 DER cert data,
535 * - \p cert_data_count number of \p cert_data array members.
536 * @param[in] user_data Optional arbitrary user data that will be passed to \p cert_clb.
537 * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
538 */
539void nc_server_tls_set_trusted_cert_list_clb(int (*cert_list_clb)(const char *name, void *user_data, char ***cert_paths,
540 int *cert_path_count, char ***cert_data, int *cert_data_count),
541 void *user_data, void (*free_user_data)(void *user_data));
542
543/**
544 * @brief Remove a trusted certificate.
Michal Vasko1a38c862016-01-15 15:50:07 +0100545 *
Michal Vaskoda514772016-02-01 11:32:01 +0100546 * @param[in] endpt_name Existing endpoint name.
Michal Vasko4c1fb492017-01-30 14:31:07 +0100547 * @param[in] name Name of the certificate list to delete. NULL deletes all the lists.
548 * @return 0 on success, -1 on not found.
Michal Vasko1a38c862016-01-15 15:50:07 +0100549 */
Michal Vasko4c1fb492017-01-30 14:31:07 +0100550int nc_server_tls_endpt_del_trusted_cert_list(const char *endpt_name, const char *name);
Michal Vasko0457bb42016-01-08 15:49:13 +0100551
Michal Vasko1a38c862016-01-15 15:50:07 +0100552/**
553 * @brief Set trusted Certificate Authority certificate locations. There can only be
Michal Vasko5d2ad082016-02-09 11:47:59 +0100554 * one file and one directory, they are replaced if already set. Can be safely
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100555 * used with nc_server_tls_endpt_add_trusted_cert() or its _path variant.
Michal Vasko1a38c862016-01-15 15:50:07 +0100556 *
Michal Vaskoda514772016-02-01 11:32:01 +0100557 * @param[in] endpt_name Existing endpoint name.
Michal Vasko96830e32016-02-01 10:54:18 +0100558 * @param[in] ca_file Path to a trusted CA cert store file in PEM format. Can be NULL.
559 * @param[in] ca_dir Path to a trusted CA cert store hashed directory (c_rehash utility
560 * can be used to create hashes) with PEM files. Can be NULL.
Michal Vasko1a38c862016-01-15 15:50:07 +0100561 * @return 0 on success, -1 on error.
562 */
Michal Vasko96830e32016-02-01 10:54:18 +0100563int nc_server_tls_endpt_set_trusted_ca_paths(const char *endpt_name, const char *ca_file, const char *ca_dir);
Michal Vasko0457bb42016-01-08 15:49:13 +0100564
Michal Vasko1a38c862016-01-15 15:50:07 +0100565/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100566 * @brief Set Certificate Revocation List locations. There can only be one file
Michal Vaskof0537d82016-01-29 14:42:38 +0100567 * and one directory, they are replaced if already set.
Michal Vasko1a38c862016-01-15 15:50:07 +0100568 *
Michal Vaskoda514772016-02-01 11:32:01 +0100569 * @param[in] endpt_name Existing endpoint name.
Michal Vasko96830e32016-02-01 10:54:18 +0100570 * @param[in] crl_file Path to a CRL store file in PEM format. Can be NULL.
571 * @param[in] crl_dir Path to a CRL store hashed directory (c_rehash utility
572 * can be used to create hashes) with PEM files. Can be NULL.
Michal Vasko1a38c862016-01-15 15:50:07 +0100573 * @return 0 on success, -1 on error.
574 */
Michal Vasko96830e32016-02-01 10:54:18 +0100575int nc_server_tls_endpt_set_crl_paths(const char *endpt_name, const char *crl_file, const char *crl_dir);
Michal Vasko0457bb42016-01-08 15:49:13 +0100576
Michal Vasko1a38c862016-01-15 15:50:07 +0100577/**
Michal Vasko96830e32016-02-01 10:54:18 +0100578 * @brief Destroy and clean CRLs. Certificates, private keys, and CTN entries are
Michal Vaskof0537d82016-01-29 14:42:38 +0100579 * not affected.
Michal Vaskoda514772016-02-01 11:32:01 +0100580 *
581 * @param[in] endpt_name Existing endpoint name.
Michal Vasko1a38c862016-01-15 15:50:07 +0100582 */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100583void nc_server_tls_endpt_clear_crls(const char *endpt_name);
Michal Vasko0457bb42016-01-08 15:49:13 +0100584
Michal Vasko1a38c862016-01-15 15:50:07 +0100585/**
Michal Vasko58c22a22016-11-23 13:49:53 +0100586 * @brief Add a cert-to-name entry.
Michal Vasko1a38c862016-01-15 15:50:07 +0100587 *
Michal Vasko3cf4aaa2017-02-01 15:03:36 +0100588 * It is possible to add an entry step-by-step, specifying first only \p ip and in later calls
589 * \p fingerprint, \p map_type, and optionally \p name spearately.
590 *
Michal Vaskoda514772016-02-01 11:32:01 +0100591 * @param[in] endpt_name Existing endpoint name.
Michal Vasko3cf4aaa2017-02-01 15:03:36 +0100592 * @param[in] id Priority of the entry. It must be unique. If already exists, the entry with this id
593 * is modified.
594 * @param[in] fingerprint Matching certificate fingerprint. If NULL, kept temporarily unset.
595 * @param[in] map_type Type of username-certificate mapping. If 0, kept temporarily unset.
596 * @param[in] name Specific username used only if \p map_type == NC_TLS_CTN_SPECIFED.
Michal Vasko1a38c862016-01-15 15:50:07 +0100597 * @return 0 on success, -1 on error.
598 */
Michal Vasko3a889fd2016-09-30 12:16:37 +0200599int nc_server_tls_endpt_add_ctn(const char *endpt_name, uint32_t id, const char *fingerprint,
600 NC_TLS_CTN_MAPTYPE map_type, const char *name);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100601
Michal Vasko1a38c862016-01-15 15:50:07 +0100602/**
Michal Vasko58c22a22016-11-23 13:49:53 +0100603 * @brief Remove a cert-to-name entry.
Michal Vasko1a38c862016-01-15 15:50:07 +0100604 *
Michal Vaskoda514772016-02-01 11:32:01 +0100605 * @param[in] endpt_name Existing endpoint name.
Michal Vasko1a38c862016-01-15 15:50:07 +0100606 * @param[in] id Priority of the entry. -1 matches all the priorities.
607 * @param[in] fingerprint Fingerprint fo the entry. NULL matches all the fingerprints.
608 * @param[in] map_type Mapping type of the entry. 0 matches all the mapping types.
609 * @param[in] name Specific username for the entry. NULL matches all the usernames.
610 * @return 0 on success, -1 on not finding any match.
611 */
Michal Vasko3a889fd2016-09-30 12:16:37 +0200612int nc_server_tls_endpt_del_ctn(const char *endpt_name, int64_t id, const char *fingerprint,
613 NC_TLS_CTN_MAPTYPE map_type, const char *name);
Michal Vasko0457bb42016-01-08 15:49:13 +0100614
Michal Vaskodf5e6af2016-11-23 13:50:56 +0100615/**
616 * @brief Get a cert-to-name entry.
617 *
618 * If a parameter is NULL, it is ignored. If its dereferenced value is NULL,
619 * it is filled and returned. If the value is set, it is used as a filter.
620 * Returns first matching entry.
621 *
622 * @param[in] endpt_name Existing endpoint name.
623 * @param[in,out] id Priority of the entry.
624 * @param[in,out] fingerprint Fingerprint fo the entry.
625 * @param[in,out] map_type Mapping type of the entry.
626 * @param[in,out] name Specific username for the entry.
627 * @return 0 on success, -1 on not finding any match.
628 */
Michal Vaskof585ac72016-11-25 15:16:38 +0100629int nc_server_tls_endpt_get_ctn(const char *endpt_name, uint32_t *id, char **fingerprint, NC_TLS_CTN_MAPTYPE *map_type,
630 char **name);
Michal Vaskodf5e6af2016-11-23 13:50:56 +0100631
Michal Vasko7060bcf2016-11-28 14:48:11 +0100632/**
Michal Vasko709598e2016-11-28 14:48:32 +0100633 * @brief Get client certificate.
634 *
635 * @param[in] session Session to get the information from.
636 * @return Const session client certificate.
637 */
638const X509 *nc_session_get_client_cert(const struct nc_session *session);
639
640/**
Michal Vasko7060bcf2016-11-28 14:48:11 +0100641 * @brief Set TLS authentication additional verify callback.
642 *
643 * Server will always perform cert-to-name based on its configuration. Only after it passes
644 * and this callback is set, it is also called. It should return exactly what OpenSSL
645 * verify callback meaning 1 for success, 0 to deny the user.
646 *
647 * @param[in] verify_clb Additional user verify callback.
648 */
649void nc_server_tls_set_verify_clb(int (*verify_clb)(const struct nc_session *session));
650
Radek Krejci53691be2016-02-22 13:58:37 +0100651#endif /* NC_ENABLED_TLS */
Michal Vasko086311b2016-01-08 09:53:11 +0100652
Michal Vaskof8352352016-05-24 09:11:36 +0200653/**
Michal Vaskoc45ebd32016-05-25 11:17:36 +0200654 * @brief Get session start time.
Michal Vaskof8352352016-05-24 09:11:36 +0200655 *
656 * @param[in] session Session to get the information from.
Michal Vaskoc45ebd32016-05-25 11:17:36 +0200657 * @return Session start time.
Michal Vaskof8352352016-05-24 09:11:36 +0200658 */
Michal Vaskoc45ebd32016-05-25 11:17:36 +0200659time_t nc_session_get_start_time(const struct nc_session *session);
Michal Vaskof8352352016-05-24 09:11:36 +0200660
Michal Vasko086311b2016-01-08 09:53:11 +0100661#endif /* NC_SESSION_SERVER_H_ */