Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 3e21b0e224d7260921b2f51bcc92a90c69e8b3d7 / . / src / server_config_ts.c
blob: 11fec832a6c3f5a70c0f7b37769fedc772ccaecb [file] [log] [blame]
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]1/**
2 * @file server_config_ts.c
3 * @author Roman Janota <janota@cesnet.cz>
4 * @brief libnetconf2 truststore configuration functions
5 *
6 * @copyright
7 * Copyright (c) 2023 CESNET, z.s.p.o.
8 *
9 * This source code is licensed under BSD 3-Clause License (the "License").
10 * You may not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * https://opensource.org/licenses/BSD-3-Clause
14 */
15
16#define _GNU_SOURCE
17
18#include <assert.h>
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]19#include <stdint.h>
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]20#include <stdlib.h>
21#include <string.h>
22
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]23#include <libyang/libyang.h>
24
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]25#include "compat.h"
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]26#include "log_p.h"
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]27#include "server_config_p.h"
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]28#include "session_p.h"
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]29
30extern struct nc_server_opts server_opts;
31
32/**
33 * @brief Get the pointer to a certificate bag structure based on node's location in the YANG data.
34 *
35 * @param[in] node Node from which the certificate bag containing this node is derived.
36 * @param[out] cbag Certificate bag containing the node.
37 * @return 0 on success, 1 on error.
38 */
39static int
40nc_server_config_get_certificate_bag(const struct lyd_node *node, struct nc_certificate_bag **cbag)
41{
42 uint16_t i;
43 const char *cbag_name;
44 struct nc_truststore *ts;
45
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]46 assert(node && cbag);
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]47
48 while (node) {
49 if (!strcmp(LYD_NAME(node), "certificate-bag")) {
50 break;
51 }
52 node = lyd_parent(node);
53 }
54
55 if (!node) {
56 ERR(NULL, "Node \"%s\" is not contained in a certificate-bag subtree.", LYD_NAME(node));
57 return 1;
58 }
59
60 node = lyd_child(node);
61 assert(!strcmp(LYD_NAME(node), "name"));
62 cbag_name = lyd_get_value(node);
63
64 ts = &server_opts.truststore;
65 for (i = 0; i < ts->cert_bag_count; i++) {
66 if (!strcmp(ts->cert_bags[i].name, cbag_name)) {
67 *cbag = &ts->cert_bags[i];
68 return 0;
69 }
70 }
71
72 ERR(NULL, "Certificate bag \"%s\" was not found.", cbag_name);
73 return 1;
74}
75
76/**
77 * @brief Get the pointer to a certificate structure based on node's location in the YANG data.
78 *
79 * @param[in] node Node from which the certificate containing this node is derived.
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]80 * @param[out] cert Certificate containing the node.
81 * @return 0 on success, 1 on error.
82 */
83static int
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]84nc_server_config_get_certificate(const struct lyd_node *node, struct nc_certificate **cert)
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]85{
86 uint16_t i;
87 const char *cert_name;
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]88 struct nc_certificate_bag *cbag;
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]89
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]90 assert(node && cert);
91
92 if (nc_server_config_get_certificate_bag(node, &cbag)) {
93 return 1;
94 }
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]95
96 while (node) {
97 if (!strcmp(LYD_NAME(node), "certificate")) {
98 break;
99 }
100 node = lyd_parent(node);
101 }
102
103 if (!node) {
104 ERR(NULL, "Node \"%s\" is not contained in a certificate subtree.", LYD_NAME(node));
105 return 1;
106 }
107
108 node = lyd_child(node);
109 assert(!strcmp(LYD_NAME(node), "name"));
110 cert_name = lyd_get_value(node);
111
112 for (i = 0; i < cbag->cert_count; i++) {
113 if (!strcmp(cbag->certs[i].name, cert_name)) {
114 *cert = &cbag->certs[i];
115 return 0;
116 }
117 }
118
119 ERR(NULL, "Certificate \"%s\" was not found.", cert_name);
120 return 1;
121}
122
123/**
124 * @brief Get the pointer to a public key bag structure based on node's location in the YANG data.
125 *
126 * @param[in] node Node from which the public key bag containing this node is derived.
127 * @param[out] pbag Public key bag containing the node.
128 * @return 0 on success, 1 on error.
129 */
130static int
131nc_server_config_get_public_key_bag(const struct lyd_node *node, struct nc_public_key_bag **pbag)
132{
133 uint16_t i;
134 const char *pbag_name;
135 struct nc_truststore *ts;
136
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]137 assert(node && pbag);
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]138
139 while (node) {
140 if (!strcmp(LYD_NAME(node), "public-key-bag")) {
141 break;
142 }
143 node = lyd_parent(node);
144 }
145
146 if (!node) {
147 ERR(NULL, "Node \"%s\" is not contained in a public-key-bag subtree.", LYD_NAME(node));
148 return 1;
149 }
150
151 node = lyd_child(node);
152 assert(!strcmp(LYD_NAME(node), "name"));
153 pbag_name = lyd_get_value(node);
154
155 ts = &server_opts.truststore;
156 for (i = 0; i < ts->pub_bag_count; i++) {
157 if (!strcmp(ts->pub_bags[i].name, pbag_name)) {
158 *pbag = &ts->pub_bags[i];
159 return 0;
160 }
161 }
162
163 ERR(NULL, "Public key bag \"%s\" was not found.", pbag_name);
164 return 1;
165}
166
167/**
168 * @brief Get the pointer to a public key structure based on node's location in the YANG data.
169 *
170 * @param[in] node Node from which the public key containing this node is derived.
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]171 * @param[out] pkey Public key containing the node.
172 * @return 0 on success, 1 on error.
173 */
174static int
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]175nc_server_config_get_public_key(const struct lyd_node *node, struct nc_public_key **pkey)
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]176{
177 uint16_t i;
178 const char *pkey_name;
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]179 struct nc_public_key_bag *pbag;
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]180
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]181 assert(node && pkey);
182
183 if (nc_server_config_get_public_key_bag(node, &pbag)) {
184 return 1;
185 }
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]186
187 while (node) {
188 if (!strcmp(LYD_NAME(node), "public-key")) {
189 if (lyd_child(node)) {
190 /* check if it's not the leaf public-key, only case about the list */
191 break;
192 }
193 }
194
195 node = lyd_parent(node);
196 }
197
198 if (!node) {
199 ERR(NULL, "Node \"%s\" is not contained in a public-key subtree.", LYD_NAME(node));
200 return 1;
201 }
202
203 node = lyd_child(node);
204 assert(!strcmp(LYD_NAME(node), "name"));
205 pkey_name = lyd_get_value(node);
206
207 for (i = 0; i < pbag->pubkey_count; i++) {
208 if (!strcmp(pbag->pubkeys[i].name, pkey_name)) {
209 *pkey = &pbag->pubkeys[i];
210 return 0;
211 }
212 }
213
214 ERR(NULL, "Public key \"%s\" was not found.", pkey_name);
215 return 1;
216}
217
218static void
219nc_server_config_ts_del_cert_data(struct nc_certificate *cert)
220{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]221 free(cert->data);
222 cert->data = NULL;
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]223}
224
225static void
226nc_server_config_ts_del_public_key_base64(struct nc_public_key *pkey)
227{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]228 free(pkey->data);
229 pkey->data = NULL;
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]230}
231
232static void
233nc_server_config_ts_del_certificate(struct nc_certificate_bag *cbag, struct nc_certificate *cert)
234{
235 free(cert->name);
236 cert->name = NULL;
237
238 nc_server_config_ts_del_cert_data(cert);
239
240 cbag->cert_count--;
241 if (cbag->cert_count == 0) {
242 free(cbag->certs);
243 cbag->certs = NULL;
244 }
245}
246
247static void
248nc_server_config_ts_del_public_key(struct nc_public_key_bag *pbag, struct nc_public_key *pkey)
249{
250 free(pkey->name);
251 pkey->name = NULL;
252
253 nc_server_config_ts_del_public_key_base64(pkey);
254
255 pbag->pubkey_count--;
256 if (pbag->pubkey_count == 0) {
257 free(pbag->pubkeys);
258 pbag->pubkeys = NULL;
259 }
260}
261
262static void
263nc_server_config_ts_del_certificate_bag(struct nc_certificate_bag *cbag)
264{
265 uint16_t i, cert_count;
266 struct nc_truststore *ts = &server_opts.truststore;
267
268 free(cbag->name);
269 cbag->name = NULL;
270
271 cert_count = cbag->cert_count;
272 for (i = 0; i < cert_count; i++) {
273 nc_server_config_ts_del_certificate(cbag, &cbag->certs[i]);
274 }
275
276 ts->cert_bag_count--;
277 if (ts->cert_bag_count == 0) {
278 free(ts->cert_bags);
279 ts->cert_bags = NULL;
280 }
281}
282
283static void
284nc_server_config_ts_del_public_key_bag(struct nc_public_key_bag *pbag)
285{
286 uint16_t i, pubkey_count;
287 struct nc_truststore *ts = &server_opts.truststore;
288
289 free(pbag->name);
290 pbag->name = NULL;
291
292 pubkey_count = pbag->pubkey_count;
293 for (i = 0; i < pubkey_count; i++) {
294 nc_server_config_ts_del_public_key(pbag, &pbag->pubkeys[i]);
295 }
296
297 ts->pub_bag_count--;
298 if (ts->pub_bag_count == 0) {
299 free(ts->pub_bags);
300 ts->pub_bags = NULL;
301 }
302}
303
304static int
305nc_server_config_ts_certificate_bags(const struct lyd_node *node, NC_OPERATION op)
306{
307 uint16_t i, cert_bag_count;
308 struct nc_truststore *ts = &server_opts.truststore;
309
310 (void) node;
311
312 if (op == NC_OP_DELETE) {
313 cert_bag_count = ts->cert_bag_count;
314 for (i = 0; i < cert_bag_count; i++) {
315 nc_server_config_ts_del_certificate_bag(&ts->cert_bags[i]);
316 }
317 }
318
319 return 0;
320}
321
322static int
323nc_server_config_ts_public_key_bags(const struct lyd_node *node, NC_OPERATION op)
324{
325 uint16_t i, pub_bag_count;
326 struct nc_truststore *ts = &server_opts.truststore;
327
328 (void) node;
329
330 if (op == NC_OP_DELETE) {
331 pub_bag_count = ts->pub_bag_count;
332 for (i = 0; i < pub_bag_count; i++) {
333 nc_server_config_ts_del_public_key_bag(&ts->pub_bags[i]);
334 }
335 }
336
337 return 0;
338}
339
340int
341nc_server_config_ts_truststore(const struct lyd_node *node, NC_OPERATION op)
342{
343 (void) node;
344
345 if (op == NC_OP_DELETE) {
346 nc_server_config_ts_certificate_bags(NULL, NC_OP_DELETE);
347 nc_server_config_ts_public_key_bags(NULL, NC_OP_DELETE);
348 }
349
350 return 0;
351}
352
353static int
354nc_server_config_ts_create_certificate_bag(const struct lyd_node *node)
355{
356 struct nc_truststore *ts = &server_opts.truststore;
357
358 node = lyd_child(node);
359 assert(!strcmp(LYD_NAME(node), "name"));
360
361 return nc_server_config_realloc(lyd_get_value(node), (void **)&ts->cert_bags, sizeof *ts->cert_bags, &ts->cert_bag_count);
362}
363
364static int
365nc_server_config_ts_certificate_bag(const struct lyd_node *node, NC_OPERATION op)
366{
367 struct nc_certificate_bag *bag;
368
369 assert(!strcmp(LYD_NAME(node), "certificate-bag"));
370
371 if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
372 if (nc_server_config_ts_create_certificate_bag(node)) {
373 return 1;
374 }
375 } else {
376 if (nc_server_config_get_certificate_bag(node, &bag)) {
377 return 1;
378 }
379
380 nc_server_config_ts_del_certificate_bag(bag);
381 }
382
383 return 0;
384}
385
386static int
387nc_server_config_ts_create_certificate(const struct lyd_node *node, struct nc_certificate_bag *bag)
388{
389 node = lyd_child(node);
390 assert(!strcmp(LYD_NAME(node), "name"));
391
392 return nc_server_config_realloc(lyd_get_value(node), (void **)&bag->certs, sizeof *bag->certs, &bag->cert_count);
393}
394
395static int
396nc_server_config_ts_certificate(const struct lyd_node *node, NC_OPERATION op)
397{
398 struct nc_certificate_bag *bag;
399 struct nc_certificate *cert;
400
401 assert(!strcmp(LYD_NAME(node), "certificate"));
402
403 if (nc_server_config_get_certificate_bag(node, &bag)) {
404 return 1;
405 }
406
407 if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
408 if (nc_server_config_ts_create_certificate(node, bag)) {
409 return 1;
410 }
411 } else {
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]412 if (nc_server_config_get_certificate(node, &cert)) {
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]413 return 1;
414 }
415
416 nc_server_config_ts_del_certificate(bag, cert);
417 }
418
419 return 0;
420}
421
422static int
423nc_server_config_ts_cert_data(const struct lyd_node *node, NC_OPERATION op)
424{
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]425 struct nc_certificate *cert;
426
427 if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]428 if (nc_server_config_get_certificate(node, &cert)) {
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]429 return 1;
430 }
431
432 nc_server_config_ts_del_cert_data(cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]433 cert->data = strdup(lyd_get_value(node));
434 if (!cert->data) {
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]435 ERRMEM;
436 return 1;
437 }
438 }
439
440 return 0;
441}
442
443static int
444nc_server_config_ts_create_public_key_bag(const struct lyd_node *node)
445{
446 struct nc_truststore *ts = &server_opts.truststore;
447
448 node = lyd_child(node);
449 assert(!strcmp(LYD_NAME(node), "name"));
450
451 return nc_server_config_realloc(lyd_get_value(node), (void **)&ts->pub_bags, sizeof *ts->pub_bags, &ts->pub_bag_count);
452}
453
454static int
455nc_server_config_ts_public_key_bag(const struct lyd_node *node, NC_OPERATION op)
456{
457 struct nc_public_key_bag *pbag;
458
459 assert(!strcmp(LYD_NAME(node), "public-key-bag"));
460
461 if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
462 if (nc_server_config_ts_create_public_key_bag(node)) {
463 return 1;
464 }
465 } else {
466 if (nc_server_config_get_public_key_bag(node, &pbag)) {
467 return 1;
468 }
469
470 nc_server_config_ts_del_public_key_bag(pbag);
471 }
472
473 return 0;
474}
475
476static int
477nc_server_config_ts_create_public_key(const struct lyd_node *node, struct nc_public_key_bag *bag)
478{
479 node = lyd_child(node);
480 assert(!strcmp(LYD_NAME(node), "name"));
481
482 return nc_server_config_realloc(lyd_get_value(node), (void **)&bag->pubkeys, sizeof *bag->pubkeys, &bag->pubkey_count);
483}
484
485static int
486nc_server_config_ts_public_key(const struct lyd_node *node, NC_OPERATION op)
487{
488 int ret = 0;
489 struct nc_public_key_bag *bag;
490 struct nc_public_key *pkey;
491
492 if (nc_server_config_get_public_key_bag(node, &bag)) {
493 ret = 1;
494 goto cleanup;
495 }
496
497 if (equal_parent_name(node, 1, "public-key-bag")) {
498 /* public-key list */
499 if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
500 ret = nc_server_config_ts_create_public_key(node, bag);
501 if (ret) {
502 goto cleanup;
503 }
504 } else {
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]505 if (nc_server_config_get_public_key(node, &pkey)) {
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]506 ret = 1;
507 goto cleanup;
508 }
509
510 nc_server_config_ts_del_public_key(bag, pkey);
511 }
512 } else {
513 /* public-key leaf */
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]514 if (nc_server_config_get_public_key(node, &pkey)) {
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]515 ret = 1;
516 goto cleanup;
517 }
518
519 /* replace the public key */
520 nc_server_config_ts_del_public_key_base64(pkey);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]521 pkey->data = strdup(lyd_get_value(node));
522 if (!pkey->data) {
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]523 ERRMEM;
524 ret = 1;
525 goto cleanup;
526 }
527 }
528
529cleanup:
530 return ret;
531}
532
533static int
534nc_server_config_ts_public_key_format(const struct lyd_node *node, NC_OPERATION op)
535{
536 const char *format;
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]537 struct nc_public_key *pkey;
538
539 (void) op;
540
roman4cb8bb12023-06-29 09:16:46 +0200[diff] [blame]541 if (nc_server_config_get_public_key(node, &pkey)) {
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]542 return 1;
543 }
544
545 format = ((struct lyd_node_term *)node)->value.ident->name;
546 if (!strcmp(format, "ssh-public-key-format")) {
roman13145912023-08-17 15:36:54 +0200[diff] [blame]547 pkey->type = NC_PUBKEY_FORMAT_SSH;
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]548 } else if (!strcmp(format, "subject-public-key-info-format")) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]549 pkey->type = NC_PUBKEY_FORMAT_X509;
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]550 } else {
551 ERR(NULL, "Public key format (%s) not supported.", format);
552 }
553
554 return 0;
555}
556
557int
558nc_server_config_parse_truststore(const struct lyd_node *node, NC_OPERATION op)
559{
560 const char *name = LYD_NAME(node);
561
562 if (!strcmp(name, "truststore")) {
563 if (nc_server_config_ts_truststore(node, op)) {
564 goto error;
565 }
566 } else if (!strcmp(name, "certificate-bags")) {
567 if (nc_server_config_ts_certificate_bags(node, op)) {
568 goto error;
569 }
570 } else if (!strcmp(name, "certificate-bag")) {
571 if (nc_server_config_ts_certificate_bag(node, op)) {
572 goto error;
573 }
574 } else if (!strcmp(name, "certificate")) {
575 if (nc_server_config_ts_certificate(node, op)) {
576 goto error;
577 }
578 } else if (!strcmp(name, "cert-data")) {
579 if (nc_server_config_ts_cert_data(node, op)) {
580 goto error;
581 }
582 } else if (!strcmp(name, "public-key-bags")) {
583 if (nc_server_config_ts_public_key_bags(node, op)) {
584 goto error;
585 }
586 } else if (!strcmp(name, "public-key-bag")) {
587 if (nc_server_config_ts_public_key_bag(node, op)) {
588 goto error;
589 }
590 } else if (!strcmp(name, "public-key")) {
591 if (nc_server_config_ts_public_key(node, op)) {
592 goto error;
593 }
594 } else if (!strcmp(name, "public-key-format")) {
595 if (nc_server_config_ts_public_key_format(node, op)) {
596 goto error;
597 }
598 }
599
600 return 0;
601
602error:
603 ERR(NULL, "Configuring (%s) failed.", name);
604 return 1;
605}
606
607int
608nc_server_config_fill_truststore(const struct lyd_node *data, NC_OPERATION op)
609{
610 int ret = 0;
611 uint32_t prev_lo;
612 struct lyd_node *tree;
613
614 /* silently search for nodes, some of them may not be present */
615 prev_lo = ly_log_options(0);
616
617 ret = lyd_find_path(data, "/ietf-truststore:truststore", 0, &tree);
618 if (ret || (tree->flags & LYD_DEFAULT)) {
roman5cbb6532023-06-22 12:53:17 +0200[diff] [blame]619 /* not found */
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]620 ret = 0;
621 goto cleanup;
622 }
623
roman0bbc19c2023-05-26 09:59:09 +0200[diff] [blame]624 if (nc_server_config_parse_tree(tree, op, NC_MODULE_TRUSTSTORE)) {
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]625 ret = 1;
626 goto cleanup;
627 }
628
629cleanup:
630 /* reset the logging options back to what they were */
631 ly_log_options(prev_lo);
632 return ret;
633}