Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 3f9b65c25c7cd628bf4418ebe153e3b3e84e0c59 / . / src / server_config_ts.c
blob: b0d318b84d1739eba3f8723277dc1e7ae71fc44b [file] [log] [blame]
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]1/**
2 * @file server_config_ts.c
3 * @author Roman Janota <janota@cesnet.cz>
4 * @brief libnetconf2 truststore configuration functions
5 *
6 * @copyright
7 * Copyright (c) 2023 CESNET, z.s.p.o.
8 *
9 * This source code is licensed under BSD 3-Clause License (the "License").
10 * You may not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * https://opensource.org/licenses/BSD-3-Clause
14 */
15
16#define _GNU_SOURCE
17
18#include <assert.h>
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]19#include <stdint.h>
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]20#include <stdlib.h>
21#include <string.h>
22
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]23#include <libyang/libyang.h>
24
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]25#include "compat.h"
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]26#include "log_p.h"
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]27#include "server_config_p.h"
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]28#include "session_p.h"
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]29
30extern struct nc_server_opts server_opts;
31
32/**
33 * @brief Get the pointer to a certificate bag structure based on node's location in the YANG data.
34 *
35 * @param[in] node Node from which the certificate bag containing this node is derived.
36 * @param[out] cbag Certificate bag containing the node.
37 * @return 0 on success, 1 on error.
38 */
39static int
40nc_server_config_get_certificate_bag(const struct lyd_node *node, struct nc_certificate_bag **cbag)
41{
42 uint16_t i;
43 const char *cbag_name;
44 struct nc_truststore *ts;
45
46 assert(node);
47
48 while (node) {
49 if (!strcmp(LYD_NAME(node), "certificate-bag")) {
50 break;
51 }
52 node = lyd_parent(node);
53 }
54
55 if (!node) {
56 ERR(NULL, "Node \"%s\" is not contained in a certificate-bag subtree.", LYD_NAME(node));
57 return 1;
58 }
59
60 node = lyd_child(node);
61 assert(!strcmp(LYD_NAME(node), "name"));
62 cbag_name = lyd_get_value(node);
63
64 ts = &server_opts.truststore;
65 for (i = 0; i < ts->cert_bag_count; i++) {
66 if (!strcmp(ts->cert_bags[i].name, cbag_name)) {
67 *cbag = &ts->cert_bags[i];
68 return 0;
69 }
70 }
71
72 ERR(NULL, "Certificate bag \"%s\" was not found.", cbag_name);
73 return 1;
74}
75
76/**
77 * @brief Get the pointer to a certificate structure based on node's location in the YANG data.
78 *
79 * @param[in] node Node from which the certificate containing this node is derived.
80 * @param[in] cbag Certificate bag containing the certificate.
81 * @param[out] cert Certificate containing the node.
82 * @return 0 on success, 1 on error.
83 */
84static int
85nc_server_config_get_certificate(const struct lyd_node *node, const struct nc_certificate_bag *cbag, struct nc_certificate **cert)
86{
87 uint16_t i;
88 const char *cert_name;
89
90 assert(node);
91
92 while (node) {
93 if (!strcmp(LYD_NAME(node), "certificate")) {
94 break;
95 }
96 node = lyd_parent(node);
97 }
98
99 if (!node) {
100 ERR(NULL, "Node \"%s\" is not contained in a certificate subtree.", LYD_NAME(node));
101 return 1;
102 }
103
104 node = lyd_child(node);
105 assert(!strcmp(LYD_NAME(node), "name"));
106 cert_name = lyd_get_value(node);
107
108 for (i = 0; i < cbag->cert_count; i++) {
109 if (!strcmp(cbag->certs[i].name, cert_name)) {
110 *cert = &cbag->certs[i];
111 return 0;
112 }
113 }
114
115 ERR(NULL, "Certificate \"%s\" was not found.", cert_name);
116 return 1;
117}
118
119/**
120 * @brief Get the pointer to a public key bag structure based on node's location in the YANG data.
121 *
122 * @param[in] node Node from which the public key bag containing this node is derived.
123 * @param[out] pbag Public key bag containing the node.
124 * @return 0 on success, 1 on error.
125 */
126static int
127nc_server_config_get_public_key_bag(const struct lyd_node *node, struct nc_public_key_bag **pbag)
128{
129 uint16_t i;
130 const char *pbag_name;
131 struct nc_truststore *ts;
132
133 assert(node);
134
135 while (node) {
136 if (!strcmp(LYD_NAME(node), "public-key-bag")) {
137 break;
138 }
139 node = lyd_parent(node);
140 }
141
142 if (!node) {
143 ERR(NULL, "Node \"%s\" is not contained in a public-key-bag subtree.", LYD_NAME(node));
144 return 1;
145 }
146
147 node = lyd_child(node);
148 assert(!strcmp(LYD_NAME(node), "name"));
149 pbag_name = lyd_get_value(node);
150
151 ts = &server_opts.truststore;
152 for (i = 0; i < ts->pub_bag_count; i++) {
153 if (!strcmp(ts->pub_bags[i].name, pbag_name)) {
154 *pbag = &ts->pub_bags[i];
155 return 0;
156 }
157 }
158
159 ERR(NULL, "Public key bag \"%s\" was not found.", pbag_name);
160 return 1;
161}
162
163/**
164 * @brief Get the pointer to a public key structure based on node's location in the YANG data.
165 *
166 * @param[in] node Node from which the public key containing this node is derived.
167 * @param[in] pbag Public key bag containing the public key.
168 * @param[out] pkey Public key containing the node.
169 * @return 0 on success, 1 on error.
170 */
171static int
172nc_server_config_get_public_key(const struct lyd_node *node, const struct nc_public_key_bag *pbag, struct nc_public_key **pkey)
173{
174 uint16_t i;
175 const char *pkey_name;
176
177 assert(node);
178
179 while (node) {
180 if (!strcmp(LYD_NAME(node), "public-key")) {
181 if (lyd_child(node)) {
182 /* check if it's not the leaf public-key, only case about the list */
183 break;
184 }
185 }
186
187 node = lyd_parent(node);
188 }
189
190 if (!node) {
191 ERR(NULL, "Node \"%s\" is not contained in a public-key subtree.", LYD_NAME(node));
192 return 1;
193 }
194
195 node = lyd_child(node);
196 assert(!strcmp(LYD_NAME(node), "name"));
197 pkey_name = lyd_get_value(node);
198
199 for (i = 0; i < pbag->pubkey_count; i++) {
200 if (!strcmp(pbag->pubkeys[i].name, pkey_name)) {
201 *pkey = &pbag->pubkeys[i];
202 return 0;
203 }
204 }
205
206 ERR(NULL, "Public key \"%s\" was not found.", pkey_name);
207 return 1;
208}
209
210static void
211nc_server_config_ts_del_cert_data(struct nc_certificate *cert)
212{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]213 free(cert->data);
214 cert->data = NULL;
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]215}
216
217static void
218nc_server_config_ts_del_public_key_base64(struct nc_public_key *pkey)
219{
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]220 free(pkey->data);
221 pkey->data = NULL;
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]222}
223
224static void
225nc_server_config_ts_del_certificate(struct nc_certificate_bag *cbag, struct nc_certificate *cert)
226{
227 free(cert->name);
228 cert->name = NULL;
229
230 nc_server_config_ts_del_cert_data(cert);
231
232 cbag->cert_count--;
233 if (cbag->cert_count == 0) {
234 free(cbag->certs);
235 cbag->certs = NULL;
236 }
237}
238
239static void
240nc_server_config_ts_del_public_key(struct nc_public_key_bag *pbag, struct nc_public_key *pkey)
241{
242 free(pkey->name);
243 pkey->name = NULL;
244
245 nc_server_config_ts_del_public_key_base64(pkey);
246
247 pbag->pubkey_count--;
248 if (pbag->pubkey_count == 0) {
249 free(pbag->pubkeys);
250 pbag->pubkeys = NULL;
251 }
252}
253
254static void
255nc_server_config_ts_del_certificate_bag(struct nc_certificate_bag *cbag)
256{
257 uint16_t i, cert_count;
258 struct nc_truststore *ts = &server_opts.truststore;
259
260 free(cbag->name);
261 cbag->name = NULL;
262
263 cert_count = cbag->cert_count;
264 for (i = 0; i < cert_count; i++) {
265 nc_server_config_ts_del_certificate(cbag, &cbag->certs[i]);
266 }
267
268 ts->cert_bag_count--;
269 if (ts->cert_bag_count == 0) {
270 free(ts->cert_bags);
271 ts->cert_bags = NULL;
272 }
273}
274
275static void
276nc_server_config_ts_del_public_key_bag(struct nc_public_key_bag *pbag)
277{
278 uint16_t i, pubkey_count;
279 struct nc_truststore *ts = &server_opts.truststore;
280
281 free(pbag->name);
282 pbag->name = NULL;
283
284 pubkey_count = pbag->pubkey_count;
285 for (i = 0; i < pubkey_count; i++) {
286 nc_server_config_ts_del_public_key(pbag, &pbag->pubkeys[i]);
287 }
288
289 ts->pub_bag_count--;
290 if (ts->pub_bag_count == 0) {
291 free(ts->pub_bags);
292 ts->pub_bags = NULL;
293 }
294}
295
296static int
297nc_server_config_ts_certificate_bags(const struct lyd_node *node, NC_OPERATION op)
298{
299 uint16_t i, cert_bag_count;
300 struct nc_truststore *ts = &server_opts.truststore;
301
302 (void) node;
303
304 if (op == NC_OP_DELETE) {
305 cert_bag_count = ts->cert_bag_count;
306 for (i = 0; i < cert_bag_count; i++) {
307 nc_server_config_ts_del_certificate_bag(&ts->cert_bags[i]);
308 }
309 }
310
311 return 0;
312}
313
314static int
315nc_server_config_ts_public_key_bags(const struct lyd_node *node, NC_OPERATION op)
316{
317 uint16_t i, pub_bag_count;
318 struct nc_truststore *ts = &server_opts.truststore;
319
320 (void) node;
321
322 if (op == NC_OP_DELETE) {
323 pub_bag_count = ts->pub_bag_count;
324 for (i = 0; i < pub_bag_count; i++) {
325 nc_server_config_ts_del_public_key_bag(&ts->pub_bags[i]);
326 }
327 }
328
329 return 0;
330}
331
332int
333nc_server_config_ts_truststore(const struct lyd_node *node, NC_OPERATION op)
334{
335 (void) node;
336
337 if (op == NC_OP_DELETE) {
338 nc_server_config_ts_certificate_bags(NULL, NC_OP_DELETE);
339 nc_server_config_ts_public_key_bags(NULL, NC_OP_DELETE);
340 }
341
342 return 0;
343}
344
345static int
346nc_server_config_ts_create_certificate_bag(const struct lyd_node *node)
347{
348 struct nc_truststore *ts = &server_opts.truststore;
349
350 node = lyd_child(node);
351 assert(!strcmp(LYD_NAME(node), "name"));
352
353 return nc_server_config_realloc(lyd_get_value(node), (void **)&ts->cert_bags, sizeof *ts->cert_bags, &ts->cert_bag_count);
354}
355
356static int
357nc_server_config_ts_certificate_bag(const struct lyd_node *node, NC_OPERATION op)
358{
359 struct nc_certificate_bag *bag;
360
361 assert(!strcmp(LYD_NAME(node), "certificate-bag"));
362
363 if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
364 if (nc_server_config_ts_create_certificate_bag(node)) {
365 return 1;
366 }
367 } else {
368 if (nc_server_config_get_certificate_bag(node, &bag)) {
369 return 1;
370 }
371
372 nc_server_config_ts_del_certificate_bag(bag);
373 }
374
375 return 0;
376}
377
378static int
379nc_server_config_ts_create_certificate(const struct lyd_node *node, struct nc_certificate_bag *bag)
380{
381 node = lyd_child(node);
382 assert(!strcmp(LYD_NAME(node), "name"));
383
384 return nc_server_config_realloc(lyd_get_value(node), (void **)&bag->certs, sizeof *bag->certs, &bag->cert_count);
385}
386
387static int
388nc_server_config_ts_certificate(const struct lyd_node *node, NC_OPERATION op)
389{
390 struct nc_certificate_bag *bag;
391 struct nc_certificate *cert;
392
393 assert(!strcmp(LYD_NAME(node), "certificate"));
394
395 if (nc_server_config_get_certificate_bag(node, &bag)) {
396 return 1;
397 }
398
399 if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
400 if (nc_server_config_ts_create_certificate(node, bag)) {
401 return 1;
402 }
403 } else {
404 if (nc_server_config_get_certificate(node, bag, &cert)) {
405 return 1;
406 }
407
408 nc_server_config_ts_del_certificate(bag, cert);
409 }
410
411 return 0;
412}
413
414static int
415nc_server_config_ts_cert_data(const struct lyd_node *node, NC_OPERATION op)
416{
417 struct nc_certificate_bag *bag;
418 struct nc_certificate *cert;
419
420 if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
421 if (nc_server_config_get_certificate_bag(node, &bag)) {
422 return 1;
423 }
424 if (nc_server_config_get_certificate(node, bag, &cert)) {
425 return 1;
426 }
427
428 nc_server_config_ts_del_cert_data(cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]429 cert->data = strdup(lyd_get_value(node));
430 if (!cert->data) {
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]431 ERRMEM;
432 return 1;
433 }
434 }
435
436 return 0;
437}
438
439static int
440nc_server_config_ts_create_public_key_bag(const struct lyd_node *node)
441{
442 struct nc_truststore *ts = &server_opts.truststore;
443
444 node = lyd_child(node);
445 assert(!strcmp(LYD_NAME(node), "name"));
446
447 return nc_server_config_realloc(lyd_get_value(node), (void **)&ts->pub_bags, sizeof *ts->pub_bags, &ts->pub_bag_count);
448}
449
450static int
451nc_server_config_ts_public_key_bag(const struct lyd_node *node, NC_OPERATION op)
452{
453 struct nc_public_key_bag *pbag;
454
455 assert(!strcmp(LYD_NAME(node), "public-key-bag"));
456
457 if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
458 if (nc_server_config_ts_create_public_key_bag(node)) {
459 return 1;
460 }
461 } else {
462 if (nc_server_config_get_public_key_bag(node, &pbag)) {
463 return 1;
464 }
465
466 nc_server_config_ts_del_public_key_bag(pbag);
467 }
468
469 return 0;
470}
471
472static int
473nc_server_config_ts_create_public_key(const struct lyd_node *node, struct nc_public_key_bag *bag)
474{
475 node = lyd_child(node);
476 assert(!strcmp(LYD_NAME(node), "name"));
477
478 return nc_server_config_realloc(lyd_get_value(node), (void **)&bag->pubkeys, sizeof *bag->pubkeys, &bag->pubkey_count);
479}
480
481static int
482nc_server_config_ts_public_key(const struct lyd_node *node, NC_OPERATION op)
483{
484 int ret = 0;
485 struct nc_public_key_bag *bag;
486 struct nc_public_key *pkey;
487
488 if (nc_server_config_get_public_key_bag(node, &bag)) {
489 ret = 1;
490 goto cleanup;
491 }
492
493 if (equal_parent_name(node, 1, "public-key-bag")) {
494 /* public-key list */
495 if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
496 ret = nc_server_config_ts_create_public_key(node, bag);
497 if (ret) {
498 goto cleanup;
499 }
500 } else {
501 if (nc_server_config_get_public_key(node, bag, &pkey)) {
502 ret = 1;
503 goto cleanup;
504 }
505
506 nc_server_config_ts_del_public_key(bag, pkey);
507 }
508 } else {
509 /* public-key leaf */
510 if (nc_server_config_get_public_key(node, bag, &pkey)) {
511 ret = 1;
512 goto cleanup;
513 }
514
515 /* replace the public key */
516 nc_server_config_ts_del_public_key_base64(pkey);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]517 pkey->data = strdup(lyd_get_value(node));
518 if (!pkey->data) {
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]519 ERRMEM;
520 ret = 1;
521 goto cleanup;
522 }
523 }
524
525cleanup:
526 return ret;
527}
528
529static int
530nc_server_config_ts_public_key_format(const struct lyd_node *node, NC_OPERATION op)
531{
532 const char *format;
533 struct nc_public_key_bag *bag;
534 struct nc_public_key *pkey;
535
536 (void) op;
537
538 if (nc_server_config_get_public_key_bag(node, &bag)) {
539 return 1;
540 }
541
542 if (nc_server_config_get_public_key(node, bag, &pkey)) {
543 return 1;
544 }
545
546 format = ((struct lyd_node_term *)node)->value.ident->name;
547 if (!strcmp(format, "ssh-public-key-format")) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]548 pkey->type = NC_PUBKEY_FORMAT_SSH2;
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]549 } else if (!strcmp(format, "subject-public-key-info-format")) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame^]550 pkey->type = NC_PUBKEY_FORMAT_X509;
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]551 } else {
552 ERR(NULL, "Public key format (%s) not supported.", format);
553 }
554
555 return 0;
556}
557
558int
559nc_server_config_parse_truststore(const struct lyd_node *node, NC_OPERATION op)
560{
561 const char *name = LYD_NAME(node);
562
563 if (!strcmp(name, "truststore")) {
564 if (nc_server_config_ts_truststore(node, op)) {
565 goto error;
566 }
567 } else if (!strcmp(name, "certificate-bags")) {
568 if (nc_server_config_ts_certificate_bags(node, op)) {
569 goto error;
570 }
571 } else if (!strcmp(name, "certificate-bag")) {
572 if (nc_server_config_ts_certificate_bag(node, op)) {
573 goto error;
574 }
575 } else if (!strcmp(name, "certificate")) {
576 if (nc_server_config_ts_certificate(node, op)) {
577 goto error;
578 }
579 } else if (!strcmp(name, "cert-data")) {
580 if (nc_server_config_ts_cert_data(node, op)) {
581 goto error;
582 }
583 } else if (!strcmp(name, "public-key-bags")) {
584 if (nc_server_config_ts_public_key_bags(node, op)) {
585 goto error;
586 }
587 } else if (!strcmp(name, "public-key-bag")) {
588 if (nc_server_config_ts_public_key_bag(node, op)) {
589 goto error;
590 }
591 } else if (!strcmp(name, "public-key")) {
592 if (nc_server_config_ts_public_key(node, op)) {
593 goto error;
594 }
595 } else if (!strcmp(name, "public-key-format")) {
596 if (nc_server_config_ts_public_key_format(node, op)) {
597 goto error;
598 }
599 }
600
601 return 0;
602
603error:
604 ERR(NULL, "Configuring (%s) failed.", name);
605 return 1;
606}
607
608int
609nc_server_config_fill_truststore(const struct lyd_node *data, NC_OPERATION op)
610{
611 int ret = 0;
612 uint32_t prev_lo;
613 struct lyd_node *tree;
614
615 /* silently search for nodes, some of them may not be present */
616 prev_lo = ly_log_options(0);
617
618 ret = lyd_find_path(data, "/ietf-truststore:truststore", 0, &tree);
619 if (ret || (tree->flags & LYD_DEFAULT)) {
620 VRB(NULL, "Truststore container not found in the YANG data.");
621 ret = 0;
622 goto cleanup;
623 }
624
roman0bbc19c2023-05-26 09:59:09 +0200[diff] [blame]625 if (nc_server_config_parse_tree(tree, op, NC_MODULE_TRUSTSTORE)) {
romanf02273a2023-05-25 09:44:11 +0200[diff] [blame]626 ret = 1;
627 goto cleanup;
628 }
629
630cleanup:
631 /* reset the logging options back to what they were */
632 ly_log_options(prev_lo);
633 return ret;
634}