blob: b2d378b66c4bae22725e15e8fd9e86c36ab7d569 [file] [log] [blame]
Michal Vasko086311b2016-01-08 09:53:11 +01001/**
2 * \file session_server.h
3 * \author Michal Vasko <mvasko@cesnet.cz>
4 * \brief libnetconf2 session server manipulation
5 *
Michal Vasko1440a742021-03-31 11:11:03 +02006 * Copyright (c) 2015 - 2021 CESNET, z.s.p.o.
Michal Vasko086311b2016-01-08 09:53:11 +01007 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +01008 * This source code is licensed under BSD 3-Clause License (the "License").
9 * You may not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
Michal Vaskoafd416b2016-02-25 14:51:46 +010011 *
Radek Krejci9b81f5b2016-02-24 13:14:49 +010012 * https://opensource.org/licenses/BSD-3-Clause
Michal Vasko086311b2016-01-08 09:53:11 +010013 */
14
15#ifndef NC_SESSION_SERVER_H_
16#define NC_SESSION_SERVER_H_
17
Michal Vaskoc09730e2019-01-17 10:07:26 +010018#ifdef __cplusplus
19extern "C" {
20#endif
21
Michal Vasko086311b2016-01-08 09:53:11 +010022#include <stdint.h>
Michal Vasko05ba9df2016-01-13 14:40:27 +010023#include <libyang/libyang.h>
Michal Vasko086311b2016-01-08 09:53:11 +010024
Michal Vasko709598e2016-11-28 14:48:32 +010025#ifdef NC_ENABLED_TLS
26# include <openssl/x509.h>
27#endif
28
bhart3bc2f582018-06-05 12:40:32 -050029#ifdef NC_ENABLED_SSH
30# include <libssh/libssh.h>
31# include <libssh/callbacks.h>
32# include <libssh/server.h>
33#endif
34
Michal Vasko086311b2016-01-08 09:53:11 +010035#include "session.h"
Michal Vasko086311b2016-01-08 09:53:11 +010036#include "netconf.h"
37
Michal Vasko1a38c862016-01-15 15:50:07 +010038/**
Radek Krejci6799a052017-05-19 14:23:23 +020039 * @defgroup server_session Server Session
40 * @ingroup server
41 *
42 * @brief Server-side NETCONF session manipulation.
43 * @{
44 */
45
46/**
Michal Vasko1a38c862016-01-15 15:50:07 +010047 * @brief Prototype of callbacks that are called if some RPCs are received.
48 *
49 * If \p session termination reason is changed in the callback, one last reply
50 * is sent and then the session is considered invalid.
51 *
Radek Krejci6799a052017-05-19 14:23:23 +020052 * The callback is set via nc_set_global_rpc_clb().
53 *
Michal Vasko1a38c862016-01-15 15:50:07 +010054 * @param[in] rpc Parsed client RPC request.
55 * @param[in] session Session the RPC arrived on.
56 * @return Server reply. If NULL, an operation-failed error will be sent to the client.
57 */
Michal Vasko05ba9df2016-01-13 14:40:27 +010058typedef struct nc_server_reply *(*nc_rpc_clb)(struct lyd_node *rpc, struct nc_session *session);
59
Michal Vasko1a38c862016-01-15 15:50:07 +010060/**
Michal Vasko7b096242016-01-29 15:55:10 +010061 * @brief Set the termination reason for a session. Use only in #nc_rpc_clb callbacks.
Michal Vasko1a38c862016-01-15 15:50:07 +010062 *
63 * @param[in] session Session to modify.
64 * @param[in] reason Reason of termination.
65 */
66void nc_session_set_term_reason(struct nc_session *session, NC_SESSION_TERM_REASON reason);
67
68/**
Michal Vasko142cfea2017-08-07 10:12:11 +020069 * @brief Set the session-id of the session responsible for this session's termination.
70 *
71 * @param[in] session Session to modify. Must have term_reason set to #NC_SESSION_TERM_KILLED.
72 * @param[in] sid SID of the killing session.
73 */
74void nc_session_set_killed_by(struct nc_session *session, uint32_t sid);
75
76/**
77 * @brief Set the status of a session.
78 *
79 * @param[in] session Session to modify.
80 * @param[in] status Status of the session.
81 */
82void nc_session_set_status(struct nc_session *session, NC_STATUS status);
83
84/**
Radek Krejci6799a052017-05-19 14:23:23 +020085 * @brief Set a global nc_rpc_clb that is called if the particular RPC request is
86 * received and the private field in the corresponding RPC schema node is NULL.
87 *
88 * @param[in] clb An user-defined nc_rpc_clb function callback, NULL to default.
89 */
90void nc_set_global_rpc_clb(nc_rpc_clb clb);
91
92/**@} Server Session */
93
94/**
95 * @addtogroup server
96 * @{
97 */
98
99/**
Michal Vaskoa7b8ca52016-03-01 12:09:29 +0100100 * @brief Initialize libssh and/or libssl/libcrypto and the server using a libyang context.
Michal Vasko1a38c862016-01-15 15:50:07 +0100101 *
102 * The context is not modified internally, only its dictionary is used for holding
Michal Vaskoa43589b2016-02-17 13:24:59 +0100103 * all the strings, which is thread-safe. Reading models is considered thread-safe
104 * as models cannot be removed and are rarely modified (augments or deviations).
Michal Vasko1a38c862016-01-15 15:50:07 +0100105 *
Michal Vasko3a889fd2016-09-30 12:16:37 +0200106 * If the RPC callbacks on schema nodes (mentioned in @ref howtoserver) are modified after
Michal Vasko5494f512016-03-01 12:13:44 +0100107 * server initialization with that particular context, they will be called (changes
108 * will take effect). However, there could be race conditions as the access to
109 * these callbacks is not thread-safe.
110 *
Michal Vasko1a38c862016-01-15 15:50:07 +0100111 * Server capabilities are generated based on its content. Changing the context
112 * in ways that result in changed capabilities (adding models, changing features)
113 * is discouraged after sessions are established as it is not possible to change
114 * capabilities of a session.
115 *
116 * This context can safely be destroyed only after calling the last libnetconf2
117 * function in an application.
118 *
Michal Vasko3a889fd2016-09-30 12:16:37 +0200119 * Supported RPCs of models in the context are expected to have their callback
120 * in the corresponding RPC schema node set to a nc_rpc_clb function callback using nc_set_rpc_callback().
Michal Vasko1a38c862016-01-15 15:50:07 +0100121 * This callback is called by nc_ps_poll() if the particular RPC request is
122 * received. Callbacks for ietf-netconf:get-schema (supporting YANG and YIN format
123 * only) and ietf-netconf:close-session are set internally if left unset.
124 *
Michal Vasko1a38c862016-01-15 15:50:07 +0100125 * @param[in] ctx Core NETCONF server context.
126 * @return 0 on success, -1 on error.
127 */
Michal Vasko086311b2016-01-08 09:53:11 +0100128int nc_server_init(struct ly_ctx *ctx);
129
Michal Vasko1a38c862016-01-15 15:50:07 +0100130/**
Michal Vaskoa7b8ca52016-03-01 12:09:29 +0100131 * @brief Destroy any dynamically allocated libssh and/or libssl/libcrypto and
132 * server resources.
Michal Vaskob48aa812016-01-18 14:13:09 +0100133 */
134void nc_server_destroy(void);
135
136/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100137 * @brief Set the with-defaults capability extra parameters.
138 *
139 * For the capability to be actually advertised, the server context must also
140 * include the ietf-netconf-with-defaults model.
141 *
142 * Changing this option has the same ill effects as changing capabilities while
143 * sessions are already established.
144 *
145 * @param[in] basic_mode basic-mode with-defaults parameter.
146 * @param[in] also_supported NC_WD_MODE bit array, also-supported with-defaults
147 * parameter.
148 * @return 0 on success, -1 on error.
149 */
Michal Vasko086311b2016-01-08 09:53:11 +0100150int nc_server_set_capab_withdefaults(NC_WD_MODE basic_mode, int also_supported);
151
Michal Vasko1a38c862016-01-15 15:50:07 +0100152/**
Michal Vasko55f03972016-04-13 08:56:01 +0200153 * @brief Get with-defaults capability extra parameters.
154 *
155 * At least one argument must be non-NULL.
156 *
157 * @param[in,out] basic_mode basic-mode parameter.
158 * @param[in,out] also_supported also-supported parameter.
159 */
160void nc_server_get_capab_withdefaults(NC_WD_MODE *basic_mode, int *also_supported);
161
162/**
Radek Krejci658782b2016-12-04 22:04:55 +0100163 * @brief Set capability of the server.
Michal Vasko1a38c862016-01-15 15:50:07 +0100164 *
Radek Krejci658782b2016-12-04 22:04:55 +0100165 * Capability can be used when some behavior or extension of the server is not defined
166 * as a YANG module. The provided value will be advertised in the server's \<hello\>
167 * messages. Note, that libnetconf only checks that the provided value is non-empty
168 * string.
Michal Vasko1a38c862016-01-15 15:50:07 +0100169 *
Michal Vasko50d2a5c2017-02-14 10:29:49 +0100170 * @param[in] value Capability string to be advertised in server's \<hello\> messages.
Michal Vasko1a38c862016-01-15 15:50:07 +0100171 */
Radek Krejci658782b2016-12-04 22:04:55 +0100172int nc_server_set_capability(const char *value);
Michal Vasko55f03972016-04-13 08:56:01 +0200173
174/**
Michal Vasko1440a742021-03-31 11:11:03 +0200175 * @brief Set the callback for getting yang-library capability identifier. If none is set, libyang context change count is used.
176 *
177 * @param[in] content_id_clb Callback that should return the yang-library content identifier.
178 * @param[in] user_data Optional arbitrary user data that will be passed to \p content_id_clb.
179 * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
180 */
181void nc_server_set_content_id_clb(char *(*content_id_clb)(void *user_data), void *user_data,
182 void (*free_user_data)(void *user_data));
183
184/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100185 * @brief Set server timeout for receiving a hello message.
186 *
187 * @param[in] hello_timeout Hello message timeout. 0 for infinite waiting.
188 */
189void nc_server_set_hello_timeout(uint16_t hello_timeout);
Michal Vasko086311b2016-01-08 09:53:11 +0100190
Michal Vasko1a38c862016-01-15 15:50:07 +0100191/**
Michal Vasko55f03972016-04-13 08:56:01 +0200192 * @brief get server timeout for receiving a hello message.
193 *
194 * @return Hello message timeout, 0 is infinite.
195 */
196uint16_t nc_server_get_hello_timeout(void);
197
198/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100199 * @brief Set server timeout for dropping an idle session.
200 *
201 * @param[in] idle_timeout Idle session timeout. 0 to never drop a session
Michal Vaskof0537d82016-01-29 14:42:38 +0100202 * because of inactivity.
Michal Vasko1a38c862016-01-15 15:50:07 +0100203 */
204void nc_server_set_idle_timeout(uint16_t idle_timeout);
Michal Vasko086311b2016-01-08 09:53:11 +0100205
Michal Vasko1a38c862016-01-15 15:50:07 +0100206/**
Michal Vasko55f03972016-04-13 08:56:01 +0200207 * @brief Get server timeout for dropping an idle session.
208 *
209 * @return Idle session timeout, 0 for for never dropping
210 * a session because of inactivity.
211 */
212uint16_t nc_server_get_idle_timeout(void);
213
214/**
Radek Krejci24a18412018-05-16 15:09:10 +0200215 * @brief Get all the server capabilities including all the schemas.
Michal Vasko4ffa3b22016-05-24 16:36:25 +0200216 *
217 * A few capabilities (with-defaults, interleave) depend on the current
218 * server options.
219 *
220 * @param[in] ctx Context to read most capabilities from.
221 * @return Array of capabilities stored in the \p ctx dictionary, NULL on error.
222 */
223const char **nc_server_get_cpblts(struct ly_ctx *ctx);
224
Radek Krejci24a18412018-05-16 15:09:10 +0200225/**
226 * @brief Get the server capabilities including the schemas with the specified YANG version.
227 *
228 * A few capabilities (with-defaults, interleave) depend on the current
229 * server options.
230 *
231 * @param[in] ctx Context to read most capabilities from.
232 * @param[in] version YANG version of the schemas to be included in result, with
233 * LYS_VERSION_UNDEF the result is the same as from nc_server_get_cpblts().
234 * @return Array of capabilities stored in the \p ctx dictionary, NULL on error.
235 */
236const char **nc_server_get_cpblts_version(struct ly_ctx *ctx, LYS_VERSION version);
237
Michal Vasko1440a742021-03-31 11:11:03 +0200238/** @} Server */
Radek Krejci6799a052017-05-19 14:23:23 +0200239
240/**
241 * @addtogroup server_session
242 * @{
243 */
244
Michal Vasko4ffa3b22016-05-24 16:36:25 +0200245/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100246 * @brief Accept a new session on a pre-established transport session.
247 *
248 * @param[in] fdin File descriptor to read (unencrypted) XML data from.
249 * @param[in] fdout File descriptor to write (unencrypted) XML data to.
250 * @param[in] username NETCONF username as provided by the transport protocol.
251 * @param[out] session New session on success.
Michal Vasko71090fc2016-05-24 16:37:28 +0200252 * @return NC_MSG_HELLO on success, NC_MSG_BAD_HELLO on client \<hello\> message
253 * parsing fail, NC_MSG_WOULDBLOCK on timeout, NC_MSG_ERROR on other errors.
Michal Vasko1a38c862016-01-15 15:50:07 +0100254 */
Michal Vasko71090fc2016-05-24 16:37:28 +0200255NC_MSG_TYPE nc_accept_inout(int fdin, int fdout, const char *username, struct nc_session **session);
Michal Vasko086311b2016-01-08 09:53:11 +0100256
Michal Vasko1a38c862016-01-15 15:50:07 +0100257/**
258 * @brief Create an empty structure for polling sessions.
259 *
260 * @return Empty pollsession structure, NULL on error.
261 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100262struct nc_pollsession *nc_ps_new(void);
Michal Vaskofb89d772016-01-08 12:25:35 +0100263
Michal Vasko1a38c862016-01-15 15:50:07 +0100264/**
265 * @brief Free a pollsession structure.
266 *
Michal Vasko01082bf2016-04-07 10:44:21 +0200267 * !IMPORTANT! Make sure that \p ps is not accessible (is not used)
268 * by any thread before and after this call!
269 *
Michal Vasko1a38c862016-01-15 15:50:07 +0100270 * @param[in] ps Pollsession structure to free.
271 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100272void nc_ps_free(struct nc_pollsession *ps);
Michal Vaskofb89d772016-01-08 12:25:35 +0100273
Michal Vasko1a38c862016-01-15 15:50:07 +0100274/**
275 * @brief Add a session to a pollsession structure.
276 *
277 * @param[in] ps Pollsession structure to modify.
278 * @param[in] session Session to add to \p ps.
279 * @return 0 on success, -1 on error.
280 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100281int nc_ps_add_session(struct nc_pollsession *ps, struct nc_session *session);
Michal Vaskofb89d772016-01-08 12:25:35 +0100282
Michal Vasko1a38c862016-01-15 15:50:07 +0100283/**
284 * @brief Remove a session from a pollsession structure.
285 *
286 * @param[in] ps Pollsession structure to modify.
287 * @param[in] session Session to remove from \p ps.
Michal Vaskof0537d82016-01-29 14:42:38 +0100288 * @return 0 on success, -1 on not found.
Michal Vasko1a38c862016-01-15 15:50:07 +0100289 */
Michal Vasko05ba9df2016-01-13 14:40:27 +0100290int nc_ps_del_session(struct nc_pollsession *ps, struct nc_session *session);
291
Michal Vasko1a38c862016-01-15 15:50:07 +0100292/**
Michal Vaskoe1ee05b2017-03-21 10:10:18 +0100293 * @brief Get a session from a pollsession structure matching the session ID.
294 *
295 * @param[in] ps Pollsession structure to read from.
Michal Vasko4871c9d2017-10-09 14:48:39 +0200296 * @param[in] idx Index of the session.
297 * @return Session on index, NULL if out-of-bounds.
Michal Vaskoe1ee05b2017-03-21 10:10:18 +0100298 */
Michal Vasko4871c9d2017-10-09 14:48:39 +0200299struct nc_session *nc_ps_get_session(const struct nc_pollsession *ps, uint16_t idx);
Michal Vaskoe1ee05b2017-03-21 10:10:18 +0100300
301/**
Michal Vasko0fdb7ac2016-03-01 09:03:12 +0100302 * @brief Learn the number of sessions in a pollsession structure.
303 *
Michal Vaskof4462fd2017-02-15 14:29:05 +0100304 * Does not lock \p ps structure for efficiency.
305 *
Michal Vasko0fdb7ac2016-03-01 09:03:12 +0100306 * @param[in] ps Pollsession structure to check.
Michal Vaskoc72d0e62016-07-26 11:36:11 +0200307 * @return Number of sessions (even invalid ones) in \p ps, -1 on error.
Michal Vasko0fdb7ac2016-03-01 09:03:12 +0100308 */
309uint16_t nc_ps_session_count(struct nc_pollsession *ps);
310
Michal Vasko30a5d6b2017-02-15 14:29:39 +0100311#define NC_PSPOLL_NOSESSIONS 0x0001 /**< No sessions to poll. */
312#define NC_PSPOLL_TIMEOUT 0x0002 /**< Timeout elapsed. */
313#define NC_PSPOLL_RPC 0x0004 /**< RPC was correctly parsed and processed. */
314#define NC_PSPOLL_BAD_RPC 0x0008 /**< RPC was received, but failed to be parsed. */
315#define NC_PSPOLL_REPLY_ERROR 0x0010 /**< Response to the RPC was a \<rpc-reply\> of type error. */
316#define NC_PSPOLL_SESSION_TERM 0x0020 /**< Some session was terminated. */
317#define NC_PSPOLL_SESSION_ERROR 0x0040 /**< Some session was terminated incorrectly (not by a \<close-session\> or \<kill-session\> RPC). */
318#define NC_PSPOLL_ERROR 0x0080 /**< Other fatal errors (they are printed). */
Michal Vasko71090fc2016-05-24 16:37:28 +0200319
320#ifdef NC_ENABLED_SSH
Michal Vaskoe645de32017-05-26 14:02:50 +0200321# define NC_PSPOLL_SSH_MSG 0x00100 /**< SSH message received (and processed, if relevant, only with SSH support). */
322# define NC_PSPOLL_SSH_CHANNEL 0x0200 /**< New SSH channel opened on an existing session (only with SSH support). */
Michal Vasko71090fc2016-05-24 16:37:28 +0200323#endif
324
Michal Vasko0fdb7ac2016-03-01 09:03:12 +0100325/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100326 * @brief Poll sessions and process any received RPCs.
327 *
Michal Vaskoe4300a82017-05-24 10:35:42 +0200328 * Only one event on one session is handled in one function call. If this event
329 * is a session termination (#NC_PSPOLL_SESSION_TERM returned), the session
330 * should be removed from \p ps.
Michal Vasko1a38c862016-01-15 15:50:07 +0100331 *
332 * @param[in] ps Pollsession structure to use.
Michal Vasko11d142a2016-01-19 15:58:24 +0100333 * @param[in] timeout Poll timeout in milliseconds. 0 for non-blocking call, -1 for
Michal Vasko96830e32016-02-01 10:54:18 +0100334 * infinite waiting.
Michal Vasko71090fc2016-05-24 16:37:28 +0200335 * @param[in] session Session that was processed and that specific return bits concern.
336 * Can be NULL.
Michal Vaskoade892d2017-02-22 13:40:35 +0100337 * @return Bitfield of NC_PSPOLL_* macros.
Michal Vasko1a38c862016-01-15 15:50:07 +0100338 */
Michal Vasko71090fc2016-05-24 16:37:28 +0200339int nc_ps_poll(struct nc_pollsession *ps, int timeout, struct nc_session **session);
Michal Vasko086311b2016-01-08 09:53:11 +0100340
Michal Vasko11d142a2016-01-19 15:58:24 +0100341/**
Michal Vaskocad3ac42016-03-01 09:06:01 +0100342 * @brief Remove sessions from a pollsession structure and
343 * call nc_session_free() on them.
Michal Vaskod09eae62016-02-01 10:32:52 +0100344 *
Michal Vaskoade892d2017-02-22 13:40:35 +0100345 * Calling this function with \p all false makes sense if nc_ps_poll() returned #NC_PSPOLL_SESSION_TERM.
Michal Vaskod09eae62016-02-01 10:32:52 +0100346 *
347 * @param[in] ps Pollsession structure to clear.
Michal Vaskocad3ac42016-03-01 09:06:01 +0100348 * @param[in] all Whether to free all sessions, or only the invalid ones.
Michal Vaskoe1a64ec2016-03-01 12:21:58 +0100349 * @param[in] data_free Session user data destructor.
Michal Vaskod09eae62016-02-01 10:32:52 +0100350 */
Michal Vaskoe1a64ec2016-03-01 12:21:58 +0100351void nc_ps_clear(struct nc_pollsession *ps, int all, void (*data_free)(void *));
Michal Vaskod09eae62016-02-01 10:32:52 +0100352
Michal Vasko1440a742021-03-31 11:11:03 +0200353/** @} Server Session */
Radek Krejci6799a052017-05-19 14:23:23 +0200354
355/**
356 * @addtogroup server
357 * @{
358 */
359
Michal Vasko1a38c862016-01-15 15:50:07 +0100360/**
Michal Vaskoe2713da2016-08-22 16:06:40 +0200361 * @brief Add a new endpoint.
362 *
363 * Before the endpoint can accept any connections, its address and port must
Radek Krejci6799a052017-05-19 14:23:23 +0200364 * be set via nc_server_endpt_set_address() and nc_server_endpt_set_port().
Michal Vaskoe2713da2016-08-22 16:06:40 +0200365 *
366 * @param[in] name Arbitrary unique endpoint name.
Michal Vasko2e6defd2016-10-07 15:48:15 +0200367 * @param[in] ti Transport protocol to use.
Michal Vaskoe2713da2016-08-22 16:06:40 +0200368 * @return 0 on success, -1 on error.
369 */
Michal Vasko2e6defd2016-10-07 15:48:15 +0200370int nc_server_add_endpt(const char *name, NC_TRANSPORT_IMPL ti);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200371
372/**
373 * @brief Stop listening on and remove an endpoint.
374 *
375 * @param[in] name Endpoint name. NULL matches all endpoints.
Michal Vasko59050372016-11-22 14:33:55 +0100376 * @param[in] ti Endpoint transport protocol. NULL matches any protocol.
377 * Redundant to set if \p name is set, endpoint names are
378 * unique disregarding their protocol.
Michal Vaskoe2713da2016-08-22 16:06:40 +0200379 * @return 0 on success, -1 on not finding any match.
380 */
Michal Vasko59050372016-11-22 14:33:55 +0100381int nc_server_del_endpt(const char *name, NC_TRANSPORT_IMPL ti);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200382
383/**
Michal Vaskoe8e07702017-03-15 10:19:30 +0100384 * @brief Get the number of currently configured listening endpoints.
385 * Note that an ednpoint without address and/or port will be included
386 * even though it is not, in fact, listening.
387 *
388 * @return Number of added listening endpoints.
389 */
390int nc_server_endpt_count(void);
391
392/**
Michal Vasko1b5973e2020-01-30 16:05:46 +0100393 * @brief Check if an endpoint exists.
394 *
395 * @param[in] name Endpoint name.
396 * @return 0 if does not exists, non-zero otherwise.
397 */
398int nc_server_is_endpt(const char *name);
399
400/**
Michal Vasko2e6defd2016-10-07 15:48:15 +0200401 * @brief Change endpoint listening address.
402 *
403 * On error the previous listening socket (if any) is left untouched.
404 *
405 * @param[in] endpt_name Existing endpoint name.
406 * @param[in] address New listening address.
407 * @return 0 on success, -1 on error.
408 */
409int nc_server_endpt_set_address(const char *endpt_name, const char *address);
410
Michal Vasko946cacb2020-08-12 11:18:08 +0200411#if defined(NC_ENABLED_SSH) || defined(NC_ENABLED_TLS)
412
Michal Vasko2e6defd2016-10-07 15:48:15 +0200413/**
414 * @brief Change endpoint listening port.
415 *
Michal Vasko946cacb2020-08-12 11:18:08 +0200416 * This is only valid on SSH/TLS transport endpoint.
Michal Vasko2e6defd2016-10-07 15:48:15 +0200417 * On error the previous listening socket (if any) is left untouched.
418 *
419 * @param[in] endpt_name Existing endpoint name.
420 * @param[in] port New listening port.
421 * @return 0 on success, -1 on error.
422 */
423int nc_server_endpt_set_port(const char *endpt_name, uint16_t port);
Michal Vasko9e036d52016-01-08 10:49:26 +0100424
Michal Vasko946cacb2020-08-12 11:18:08 +0200425#endif
426
Olivier Matzac7fa2f2018-10-11 10:02:04 +0200427/**
428 * @brief Change endpoint permissions.
429 *
Michal Vasko946cacb2020-08-12 11:18:08 +0200430 * This is only valid on UNIX transport endpoint.
Olivier Matzac7fa2f2018-10-11 10:02:04 +0200431 * On error the previous listening socket (if any) is left untouched.
432 *
433 * @param[in] endpt_name Existing endpoint name.
434 * @param[in] mode New mode, -1 to use default.
435 * @param[in] uid New uid, -1 to use default.
436 * @param[in] gid New gid, -1 to use default.
437 * @return 0 on success, -1 on error.
438 */
439int nc_server_endpt_set_perms(const char *endpt_name, mode_t mode, uid_t uid, gid_t gid);
440
Michal Vaskoe49a15f2019-05-27 14:18:36 +0200441/**
442 * @brief Change endpoint keepalives state. Affects only new connections.
443 *
444 * @param[in] endpt_name Existing endpoint name.
445 * @param[in] enable Whether to enable or disable keepalives.
446 * @return 0 on success, -1 on error.
447 */
448int nc_server_endpt_enable_keepalives(const char *endpt_name, int enable);
449
450/**
451 * @brief Change endpoint keepalives parameters. Affects only new connections.
452 *
453 * @param[in] endpt_name Existing endpoint name.
454 * @param[in] idle_time Keepalive idle time in seconds, 1 by default, -1 to keep previous value.
455 * @param[in] max_probes Keepalive max probes sent, 10 by default, -1 to keep previous value.
456 * @param[in] probe_interval Keepalive probe interval in seconds, 5 by default, -1 to keep previous value.
457 * @return 0 on success, -1 on error.
458 */
459int nc_server_endpt_set_keepalives(const char *endpt_name, int idle_time, int max_probes, int probe_interval);
460
Michal Vasko1440a742021-03-31 11:11:03 +0200461/** @} Server */
Radek Krejci6799a052017-05-19 14:23:23 +0200462
463/**
464 * @addtogroup server_session
465 */
466
Michal Vasko1a38c862016-01-15 15:50:07 +0100467/**
Michal Vasko3031aae2016-01-27 16:07:18 +0100468 * @brief Accept new sessions on all the listening endpoints.
Michal Vasko1a38c862016-01-15 15:50:07 +0100469 *
Michal Vaskob70c8b82017-03-17 09:09:29 +0100470 * Once a new (TCP/IP) conection is established a different (quite long) timeout
471 * is used for waiting for transport-related data, which means this call can block
472 * for much longer that \p timeout, but only with slow/faulty/malicious clients.
473 *
Michal Vasko11d142a2016-01-19 15:58:24 +0100474 * @param[in] timeout Timeout for receiving a new connection in milliseconds, 0 for
Michal Vasko71090fc2016-05-24 16:37:28 +0200475 * non-blocking call, -1 for infinite waiting.
Michal Vasko96164bf2016-01-21 15:41:58 +0100476 * @param[out] session New session.
Michal Vasko71090fc2016-05-24 16:37:28 +0200477 * @return NC_MSG_HELLO on success, NC_MSG_BAD_HELLO on client \<hello\> message
478 * parsing fail, NC_MSG_WOULDBLOCK on timeout, NC_MSG_ERROR on other errors.
Michal Vasko1a38c862016-01-15 15:50:07 +0100479 */
Michal Vasko71090fc2016-05-24 16:37:28 +0200480NC_MSG_TYPE nc_accept(int timeout, struct nc_session **session);
Michal Vasko9e036d52016-01-08 10:49:26 +0100481
Radek Krejci53691be2016-02-22 13:58:37 +0100482#ifdef NC_ENABLED_SSH
Michal Vasko086311b2016-01-08 09:53:11 +0100483
Michal Vasko1a38c862016-01-15 15:50:07 +0100484/**
Michal Vasko71090fc2016-05-24 16:37:28 +0200485 * @brief Accept a new NETCONF session on an SSH session of a running NETCONF \p orig_session.
Michal Vaskoade892d2017-02-22 13:40:35 +0100486 * Call this function only when nc_ps_poll() returns #NC_PSPOLL_SSH_CHANNEL on \p orig_session.
Michal Vasko71090fc2016-05-24 16:37:28 +0200487 *
488 * @param[in] orig_session Session that has a new SSH channel ready.
489 * @param[out] session New session.
490 * @return NC_MSG_HELLO on success, NC_MSG_BAD_HELLO on client \<hello\> message
491 * parsing fail, NC_MSG_WOULDBLOCK on timeout, NC_MSG_ERROR on other errors.
492 */
493NC_MSG_TYPE nc_session_accept_ssh_channel(struct nc_session *orig_session, struct nc_session **session);
494
495/**
Michal Vasko96164bf2016-01-21 15:41:58 +0100496 * @brief Accept a new NETCONF session on an SSH session of a running NETCONF session
Michal Vaskoade892d2017-02-22 13:40:35 +0100497 * that was polled in \p ps. Call this function only when nc_ps_poll() on \p ps returns #NC_PSPOLL_SSH_CHANNEL.
Michal Vaskoc0fde012016-03-01 09:07:23 +0100498 * The new session is only returned in \p session, it is not added to \p ps.
Michal Vasko96164bf2016-01-21 15:41:58 +0100499 *
500 * @param[in] ps Unmodified pollsession structure from the previous nc_ps_poll() call.
501 * @param[out] session New session.
Michal Vasko71090fc2016-05-24 16:37:28 +0200502 * @return NC_MSG_HELLO on success, NC_MSG_BAD_HELLO on client \<hello\> message
503 * parsing fail, NC_MSG_WOULDBLOCK on timeout, NC_MSG_ERROR on other errors.
Michal Vasko96164bf2016-01-21 15:41:58 +0100504 */
Michal Vasko71090fc2016-05-24 16:37:28 +0200505NC_MSG_TYPE nc_ps_accept_ssh_channel(struct nc_pollsession *ps, struct nc_session **session);
Michal Vasko96164bf2016-01-21 15:41:58 +0100506
Michal Vasko1440a742021-03-31 11:11:03 +0200507/** @} Server Session */
Radek Krejci6799a052017-05-19 14:23:23 +0200508
509/**
510 * @defgroup server_ssh Server SSH
511 * @ingroup server
512 *
513 * @brief Server-side settings for SSH connections.
514 * @{
515 */
516
Michal Vasko96164bf2016-01-21 15:41:58 +0100517/**
Michal Vasko17dfda92016-12-01 14:06:16 +0100518 * @brief Add an authorized client SSH public key. This public key can be used for
Michal Vaskoe49a15f2019-05-27 14:18:36 +0200519 * publickey authentication (for any SSH connection, even Call Home) afterwards.
Michal Vaskoda514772016-02-01 11:32:01 +0100520 *
Michal Vasko17dfda92016-12-01 14:06:16 +0100521 * @param[in] pubkey_base64 Authorized public key binary content encoded in base64.
522 * @param[in] type Authorized public key SSH type.
523 * @param[in] username Username that the client with the public key must use.
Michal Vaskoda514772016-02-01 11:32:01 +0100524 * @return 0 on success, -1 on error.
525 */
Michal Vasko17dfda92016-12-01 14:06:16 +0100526int nc_server_ssh_add_authkey(const char *pubkey_base64, NC_SSH_KEY_TYPE type, const char *username);
Michal Vaskoda514772016-02-01 11:32:01 +0100527
528/**
Michal Vasko17dfda92016-12-01 14:06:16 +0100529 * @brief Add an authorized client SSH public key. This public key can be used for
530 * publickey authentication (for any SSH connection, even Call Home) afterwards.
Michal Vaskoda514772016-02-01 11:32:01 +0100531 *
Michal Vasko17dfda92016-12-01 14:06:16 +0100532 * @param[in] pubkey_path Path to the public key.
533 * @param[in] username Username that the client with the public key must use.
Michal Vaskoda514772016-02-01 11:32:01 +0100534 * @return 0 on success, -1 on error.
535 */
Michal Vasko17dfda92016-12-01 14:06:16 +0100536int nc_server_ssh_add_authkey_path(const char *pubkey_path, const char *username);
Michal Vaskoda514772016-02-01 11:32:01 +0100537
538/**
Michal Vasko17dfda92016-12-01 14:06:16 +0100539 * @brief Remove an authorized client SSH public key.
Michal Vasko1a38c862016-01-15 15:50:07 +0100540 *
Michal Vasko17dfda92016-12-01 14:06:16 +0100541 * @param[in] pubkey_path Path to an authorized public key. NULL matches all the keys.
542 * @param[in] pubkey_base64 Authorized public key content. NULL matches any key.
543 * @param[in] type Authorized public key type. 0 matches all types.
544 * @param[in] username Username for an authorized public key. NULL matches all the usernames.
545 * @return 0 on success, -1 on not finding any match.
Michal Vasko1a38c862016-01-15 15:50:07 +0100546 */
Michal Vasko17dfda92016-12-01 14:06:16 +0100547int nc_server_ssh_del_authkey(const char *pubkey_path, const char *pubkey_base64, NC_SSH_KEY_TYPE type,
548 const char *username);
Michal Vaskoe2713da2016-08-22 16:06:40 +0200549
550/**
Michal Vaskoebba7602018-03-23 13:14:08 +0100551 * @brief Set the callback for SSH password authentication. If none is set, local system users are used.
552 *
553 * @param[in] passwd_auth_clb Callback that should authenticate the user. Username can be directly obtained from \p session.
Michal Vasko1440a742021-03-31 11:11:03 +0200554 * Zero return indicates success, non-zero an error.
Michal Vaskoebba7602018-03-23 13:14:08 +0100555 * @param[in] user_data Optional arbitrary user data that will be passed to \p passwd_auth_clb.
556 * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
557 */
558void nc_server_ssh_set_passwd_auth_clb(int (*passwd_auth_clb)(const struct nc_session *session, const char *password,
Michal Vasko1440a742021-03-31 11:11:03 +0200559 void *user_data), void *user_data, void (*free_user_data)(void *user_data));
Michal Vaskoebba7602018-03-23 13:14:08 +0100560
561/**
bhart3bc2f582018-06-05 12:40:32 -0500562 * @brief Set the callback for SSH interactive authentication. If none is set, local system users are used.
563 *
564 * @param[in] interactive_auth_clb Callback that should authenticate the user.
Michal Vasko1440a742021-03-31 11:11:03 +0200565 * Zero return indicates success, non-zero an error.
bhart3bc2f582018-06-05 12:40:32 -0500566 * @param[in] user_data Optional arbitrary user data that will be passed to \p passwd_auth_clb.
567 * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
568 */
Michal Vasko1440a742021-03-31 11:11:03 +0200569void nc_server_ssh_set_interactive_auth_clb(int (*interactive_auth_clb)(const struct nc_session *session,
570 const ssh_message msg, void *user_data), void *user_data, void (*free_user_data)(void *user_data));
bhart3bc2f582018-06-05 12:40:32 -0500571
572/**
573 * @brief Set the callback for SSH public key authentication. If none is set, local system users are used.
574 *
575 * @param[in] pubkey_auth_clb Callback that should authenticate the user.
Michal Vasko1440a742021-03-31 11:11:03 +0200576 * Zero return indicates success, non-zero an error.
bhart3bc2f582018-06-05 12:40:32 -0500577 * @param[in] user_data Optional arbitrary user data that will be passed to \p passwd_auth_clb.
578 * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
579 */
Michal Vasko1440a742021-03-31 11:11:03 +0200580 void nc_server_ssh_set_pubkey_auth_clb(int (*pubkey_auth_clb)(const struct nc_session *session, ssh_key key,
581 void *user_data), void *user_data, void (*free_user_data)(void *user_data));
bhart3bc2f582018-06-05 12:40:32 -0500582
583/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100584 * @brief Set the callback for retrieving host keys. Any RSA, DSA, and ECDSA keys can be added. However,
585 * a maximum of one key of each type will be used during SSH authentication, later keys replacing
586 * the earlier ones.
587 *
588 * @param[in] hostkey_clb Callback that should return the key itself. Zero return indicates success, non-zero
589 * an error. On success exactly ONE of \p privkey_path or \p privkey_data is expected
590 * to be set. The one set will be freed.
591 * - \p privkey_path expects a PEM file,
592 * - \p privkey_data expects a base-64 encoded ANS.1 DER data,
Michal Vasko68177b72020-04-27 15:46:53 +0200593 * - \p privkey_type type of the key in \p privkey_data. Use ::NC_SSH_KEY_UNKNOWN for
594 * PKCS#8 key that includes the information about the key in its data.
Michal Vasko4c1fb492017-01-30 14:31:07 +0100595 * @param[in] user_data Optional arbitrary user data that will be passed to \p hostkey_clb.
596 * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
597 */
598void nc_server_ssh_set_hostkey_clb(int (*hostkey_clb)(const char *name, void *user_data, char **privkey_path,
Michal Vaskoe49a15f2019-05-27 14:18:36 +0200599 char **privkey_data, NC_SSH_KEY_TYPE *privkey_type), void *user_data, void (*free_user_data)(void *user_data));
Michal Vasko4c1fb492017-01-30 14:31:07 +0100600
601/**
Michal Vaskoddce1212019-05-24 09:58:49 +0200602 * @brief Add endpoint SSH host keys the server will identify itself with. Only the name is set, the key itself
603 * wil be retrieved using a callback.
604 *
605 * @param[in] endpt_name Existing endpoint name.
606 * @param[in] name Arbitrary name of the host key.
607 * @param[in] idx Optional index where to add the key. -1 adds at the end.
608 * @return 0 on success, -1 on error.
609 */
610int nc_server_ssh_endpt_add_hostkey(const char *endpt_name, const char *name, int16_t idx);
611
612/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100613 * @brief Delete endpoint SSH host key. Their order is preserved.
Michal Vaskoe2713da2016-08-22 16:06:40 +0200614 *
615 * @param[in] endpt_name Existing endpoint name.
Michal Vasko7d255882017-02-09 13:35:08 +0100616 * @param[in] name Name of the host key. NULL matches all the keys, but if \p idx != -1 then this must be NULL.
617 * @param[in] idx Index of the hostkey. -1 matches all indices, but if \p name != NULL then this must be -1.
Michal Vaskoe2713da2016-08-22 16:06:40 +0200618 * @return 0 on success, -1 on error.
619 */
Michal Vasko7d255882017-02-09 13:35:08 +0100620int nc_server_ssh_endpt_del_hostkey(const char *endpt_name, const char *name, int16_t idx);
Michal Vasko086311b2016-01-08 09:53:11 +0100621
Michal Vasko1a38c862016-01-15 15:50:07 +0100622/**
Michal Vaskofbfe8b62017-02-14 10:22:30 +0100623 * @brief Move endpoint SSH host key.
624 *
625 * @param[in] endpt_name Exisitng endpoint name.
626 * @param[in] key_mov Name of the host key that will be moved.
627 * @param[in] key_after Name of the key that will preceed \p key_mov. NULL if \p key_mov is to be moved at the beginning.
628 * @return 0 in success, -1 on error.
629 */
630int nc_server_ssh_endpt_mov_hostkey(const char *endpt_name, const char *key_mov, const char *key_after);
631
632/**
633 * @brief Modify endpoint SSH host key.
634 *
635 * @param[in] endpt_name Exisitng endpoint name.
636 * @param[in] name Name of an existing host key.
637 * @param[in] new_name New name of the host key \p name.
638 * @return 0 in success, -1 on error.
639 */
640int nc_server_ssh_endpt_mod_hostkey(const char *endpt_name, const char *name, const char *new_name);
Michal Vasko086311b2016-01-08 09:53:11 +0100641
Michal Vasko1a38c862016-01-15 15:50:07 +0100642/**
Michal Vasko3031aae2016-01-27 16:07:18 +0100643 * @brief Set endpoint accepted SSH authentication methods. All (publickey, password, interactive)
Michal Vaskof0537d82016-01-29 14:42:38 +0100644 * are supported by default.
Michal Vasko1a38c862016-01-15 15:50:07 +0100645 *
Michal Vaskoda514772016-02-01 11:32:01 +0100646 * @param[in] endpt_name Existing endpoint name.
Michal Vasko1a38c862016-01-15 15:50:07 +0100647 * @param[in] auth_methods Accepted authentication methods bit field of NC_SSH_AUTH_TYPE.
648 * @return 0 on success, -1 on error.
649 */
Michal Vasko3031aae2016-01-27 16:07:18 +0100650int nc_server_ssh_endpt_set_auth_methods(const char *endpt_name, int auth_methods);
Michal Vasko086311b2016-01-08 09:53:11 +0100651
Michal Vasko1a38c862016-01-15 15:50:07 +0100652/**
Michal Vaskoddce1212019-05-24 09:58:49 +0200653 * @brief Get endpoint accepted SSH authentication methods.
654 *
655 * @param[in] endpt_name Existing endpoint name.
656 * @return Accepted authentication methods bit field of NC_SSH_AUTH_TYPE.
657 */
658int nc_server_ssh_endpt_get_auth_methods(const char *endpt_name);
659
660/**
Michal Vasko3031aae2016-01-27 16:07:18 +0100661 * @brief Set endpoint SSH authentication attempts of every client. 3 by default.
Michal Vasko1a38c862016-01-15 15:50:07 +0100662 *
Michal Vaskoda514772016-02-01 11:32:01 +0100663 * @param[in] endpt_name Existing endpoint name.
Michal Vasko5e6f4cc2016-01-20 13:27:44 +0100664 * @param[in] auth_attempts Failed authentication attempts before a client is dropped.
Michal Vasko1a38c862016-01-15 15:50:07 +0100665 * @return 0 on success, -1 on error.
666 */
Michal Vasko3031aae2016-01-27 16:07:18 +0100667int nc_server_ssh_endpt_set_auth_attempts(const char *endpt_name, uint16_t auth_attempts);
Michal Vasko086311b2016-01-08 09:53:11 +0100668
Michal Vasko1a38c862016-01-15 15:50:07 +0100669/**
Michal Vaskocbad4c52019-06-27 16:30:35 +0200670 * @brief Set endpoint SSH authentication timeout. 30 seconds by default.
Michal Vasko1a38c862016-01-15 15:50:07 +0100671 *
Michal Vaskoda514772016-02-01 11:32:01 +0100672 * @param[in] endpt_name Existing endpoint name.
Michal Vasko1a38c862016-01-15 15:50:07 +0100673 * @param[in] auth_timeout Number of seconds before an unauthenticated client is dropped.
674 * @return 0 on success, -1 on error.
675 */
Michal Vasko3031aae2016-01-27 16:07:18 +0100676int nc_server_ssh_endpt_set_auth_timeout(const char *endpt_name, uint16_t auth_timeout);
Michal Vasko086311b2016-01-08 09:53:11 +0100677
Radek Krejci6799a052017-05-19 14:23:23 +0200678/**@} Server SSH */
679
Radek Krejci53691be2016-02-22 13:58:37 +0100680#endif /* NC_ENABLED_SSH */
Michal Vasko086311b2016-01-08 09:53:11 +0100681
Radek Krejci53691be2016-02-22 13:58:37 +0100682#ifdef NC_ENABLED_TLS
Michal Vasko086311b2016-01-08 09:53:11 +0100683
Michal Vasko1a38c862016-01-15 15:50:07 +0100684/**
Radek Krejci6799a052017-05-19 14:23:23 +0200685 * @defgroup server_tls Server TLS
686 * @ingroup server
687 *
688 * @brief Server-side settings for TLS connections.
689 * @{
690 */
691
692/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100693 * @brief Set the server TLS certificate. Only the name is set, the certificate itself
694 * wil be retrieved using a callback.
Michal Vaskoda514772016-02-01 11:32:01 +0100695 *
696 * @param[in] endpt_name Existing endpoint name.
Michal Vasko4c1fb492017-01-30 14:31:07 +0100697 * @param[in] name Arbitrary certificate name.
Michal Vaskoda514772016-02-01 11:32:01 +0100698 * @return 0 on success, -1 on error.
699 */
Michal Vasko4c1fb492017-01-30 14:31:07 +0100700int nc_server_tls_endpt_set_server_cert(const char *endpt_name, const char *name);
Michal Vaskoda514772016-02-01 11:32:01 +0100701
702/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100703 * @brief Set the callback for retrieving server certificate and matching private key.
Michal Vaskoda514772016-02-01 11:32:01 +0100704 *
Michal Vasko4c1fb492017-01-30 14:31:07 +0100705 * @param[in] cert_clb Callback that should return the certificate and the key itself. Zero return indicates success,
706 * non-zero an error. On success exactly ONE of \p cert_path or \p cert_data and ONE of
707 * \p privkey_path and \p privkey_data is expected to be set. Those set will be freed.
708 * - \p cert_path expects a PEM file,
709 * - \p cert_data expects a base-64 encoded ASN.1 DER data,
710 * - \p privkey_path expects a PEM file,
711 * - \p privkey_data expects a base-64 encoded ANS.1 DER data,
Michal Vaskoddce1212019-05-24 09:58:49 +0200712 * - \p privkey_type type of the key in \p privkey_data.
Michal Vasko4c1fb492017-01-30 14:31:07 +0100713 * @param[in] user_data Optional arbitrary user data that will be passed to \p cert_clb.
714 * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
Michal Vaskoda514772016-02-01 11:32:01 +0100715 */
Michal Vasko4c1fb492017-01-30 14:31:07 +0100716void nc_server_tls_set_server_cert_clb(int (*cert_clb)(const char *name, void *user_data, char **cert_path, char **cert_data,
Michal Vaskoe49a15f2019-05-27 14:18:36 +0200717 char **privkey_path, char **privkey_data, NC_SSH_KEY_TYPE *privkey_type), void *user_data,
718 void (*free_user_data)(void *user_data));
Michal Vaskoda514772016-02-01 11:32:01 +0100719
720/**
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500721 * @brief Set the callback for retrieving server certificate chain
722 *
723 * @param[in] cert_chain_clb Callback that should return all the certificates of the chain. Zero return indicates success,
724 * non-zero an error. On success, \p cert_paths and \p cert_data are expected to be set or left
725 * NULL. Both will be (deeply) freed.
726 * - \p cert_paths expect an array of PEM files,
727 * - \p cert_path_count number of \p cert_paths array members,
728 * - \p cert_data expect an array of base-64 encoded ASN.1 DER cert data,
729 * - \p cert_data_count number of \p cert_data array members.
730 * @param[in] user_data Optional arbitrary user data that will be passed to \p cert_clb.
731 * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
732 */
733void nc_server_tls_set_server_cert_chain_clb(int (*cert_chain_clb)(const char *name, void *user_data, char ***cert_paths,
Michal Vaskoe49a15f2019-05-27 14:18:36 +0200734 int *cert_path_count, char ***cert_data, int *cert_data_count), void *user_data, void (*free_user_data)(void *user_data));
Andrew Langefeld440b6c72018-08-27 16:26:20 -0500735
736/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100737 * @brief Add a trusted certificate list. Can be both a CA or a client one. Can be
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100738 * safely used together with nc_server_tls_endpt_set_trusted_ca_paths().
Michal Vasko1a38c862016-01-15 15:50:07 +0100739 *
Michal Vaskoda514772016-02-01 11:32:01 +0100740 * @param[in] endpt_name Existing endpoint name.
Michal Vasko4c1fb492017-01-30 14:31:07 +0100741 * @param[in] name Arbitary name identifying this certificate list.
Michal Vasko1a38c862016-01-15 15:50:07 +0100742 * @return 0 on success, -1 on error.
743 */
Michal Vasko4c1fb492017-01-30 14:31:07 +0100744int nc_server_tls_endpt_add_trusted_cert_list(const char *endpt_name, const char *name);
Michal Vasko0457bb42016-01-08 15:49:13 +0100745
Michal Vasko1a38c862016-01-15 15:50:07 +0100746/**
Michal Vasko4c1fb492017-01-30 14:31:07 +0100747 * @brief Set the callback for retrieving trusted certificates.
748 *
749 * @param[in] cert_list_clb Callback that should return all the certificates of a list. Zero return indicates success,
750 * non-zero an error. On success, \p cert_paths and \p cert_data are expected to be set or left
751 * NULL. Both will be (deeply) freed.
752 * - \p cert_paths expect an array of PEM files,
753 * - \p cert_path_count number of \p cert_paths array members,
754 * - \p cert_data expect an array of base-64 encoded ASN.1 DER cert data,
755 * - \p cert_data_count number of \p cert_data array members.
756 * @param[in] user_data Optional arbitrary user data that will be passed to \p cert_clb.
757 * @param[in] free_user_data Optional callback that will be called during cleanup to free any \p user_data.
758 */
759void nc_server_tls_set_trusted_cert_list_clb(int (*cert_list_clb)(const char *name, void *user_data, char ***cert_paths,
Michal Vaskoe49a15f2019-05-27 14:18:36 +0200760 int *cert_path_count, char ***cert_data, int *cert_data_count), void *user_data, void (*free_user_data)(void *user_data));
Michal Vasko4c1fb492017-01-30 14:31:07 +0100761
762/**
763 * @brief Remove a trusted certificate.
Michal Vasko1a38c862016-01-15 15:50:07 +0100764 *
Michal Vaskoda514772016-02-01 11:32:01 +0100765 * @param[in] endpt_name Existing endpoint name.
Michal Vasko4c1fb492017-01-30 14:31:07 +0100766 * @param[in] name Name of the certificate list to delete. NULL deletes all the lists.
767 * @return 0 on success, -1 on not found.
Michal Vasko1a38c862016-01-15 15:50:07 +0100768 */
Michal Vasko4c1fb492017-01-30 14:31:07 +0100769int nc_server_tls_endpt_del_trusted_cert_list(const char *endpt_name, const char *name);
Michal Vasko0457bb42016-01-08 15:49:13 +0100770
Michal Vasko1a38c862016-01-15 15:50:07 +0100771/**
772 * @brief Set trusted Certificate Authority certificate locations. There can only be
Michal Vasko5d2ad082016-02-09 11:47:59 +0100773 * one file and one directory, they are replaced if already set. Can be safely
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100774 * used with nc_server_tls_endpt_add_trusted_cert() or its _path variant.
Michal Vasko1a38c862016-01-15 15:50:07 +0100775 *
Michal Vaskoda514772016-02-01 11:32:01 +0100776 * @param[in] endpt_name Existing endpoint name.
Michal Vasko96830e32016-02-01 10:54:18 +0100777 * @param[in] ca_file Path to a trusted CA cert store file in PEM format. Can be NULL.
778 * @param[in] ca_dir Path to a trusted CA cert store hashed directory (c_rehash utility
779 * can be used to create hashes) with PEM files. Can be NULL.
Michal Vasko1a38c862016-01-15 15:50:07 +0100780 * @return 0 on success, -1 on error.
781 */
Michal Vasko96830e32016-02-01 10:54:18 +0100782int nc_server_tls_endpt_set_trusted_ca_paths(const char *endpt_name, const char *ca_file, const char *ca_dir);
Michal Vasko0457bb42016-01-08 15:49:13 +0100783
Michal Vasko1a38c862016-01-15 15:50:07 +0100784/**
Michal Vasko1a38c862016-01-15 15:50:07 +0100785 * @brief Set Certificate Revocation List locations. There can only be one file
Michal Vaskof0537d82016-01-29 14:42:38 +0100786 * and one directory, they are replaced if already set.
Michal Vasko1a38c862016-01-15 15:50:07 +0100787 *
Michal Vaskoda514772016-02-01 11:32:01 +0100788 * @param[in] endpt_name Existing endpoint name.
Michal Vasko96830e32016-02-01 10:54:18 +0100789 * @param[in] crl_file Path to a CRL store file in PEM format. Can be NULL.
790 * @param[in] crl_dir Path to a CRL store hashed directory (c_rehash utility
791 * can be used to create hashes) with PEM files. Can be NULL.
Michal Vasko1a38c862016-01-15 15:50:07 +0100792 * @return 0 on success, -1 on error.
793 */
Michal Vasko96830e32016-02-01 10:54:18 +0100794int nc_server_tls_endpt_set_crl_paths(const char *endpt_name, const char *crl_file, const char *crl_dir);
Michal Vasko0457bb42016-01-08 15:49:13 +0100795
Michal Vasko1a38c862016-01-15 15:50:07 +0100796/**
Michal Vasko96830e32016-02-01 10:54:18 +0100797 * @brief Destroy and clean CRLs. Certificates, private keys, and CTN entries are
Michal Vaskof0537d82016-01-29 14:42:38 +0100798 * not affected.
Michal Vaskoda514772016-02-01 11:32:01 +0100799 *
800 * @param[in] endpt_name Existing endpoint name.
Michal Vasko1a38c862016-01-15 15:50:07 +0100801 */
Michal Vaskoc6b9c7b2016-01-28 11:10:08 +0100802void nc_server_tls_endpt_clear_crls(const char *endpt_name);
Michal Vasko0457bb42016-01-08 15:49:13 +0100803
Michal Vasko1a38c862016-01-15 15:50:07 +0100804/**
Michal Vasko58c22a22016-11-23 13:49:53 +0100805 * @brief Add a cert-to-name entry.
Michal Vasko1a38c862016-01-15 15:50:07 +0100806 *
Michal Vasko3cf4aaa2017-02-01 15:03:36 +0100807 * It is possible to add an entry step-by-step, specifying first only \p ip and in later calls
808 * \p fingerprint, \p map_type, and optionally \p name spearately.
Michal Vasko1a38c862016-01-15 15:50:07 +0100809 *
Michal Vaskoda514772016-02-01 11:32:01 +0100810 * @param[in] endpt_name Existing endpoint name.
Michal Vasko3cf4aaa2017-02-01 15:03:36 +0100811 * @param[in] id Priority of the entry. It must be unique. If already exists, the entry with this id
812 * is modified.
813 * @param[in] fingerprint Matching certificate fingerprint. If NULL, kept temporarily unset.
814 * @param[in] map_type Type of username-certificate mapping. If 0, kept temporarily unset.
815 * @param[in] name Specific username used only if \p map_type == NC_TLS_CTN_SPECIFED.
Michal Vasko1a38c862016-01-15 15:50:07 +0100816 * @return 0 on success, -1 on error.
817 */
Michal Vasko3a889fd2016-09-30 12:16:37 +0200818int nc_server_tls_endpt_add_ctn(const char *endpt_name, uint32_t id, const char *fingerprint,
819 NC_TLS_CTN_MAPTYPE map_type, const char *name);
Michal Vaskoc14e3c82016-01-11 16:14:30 +0100820
Michal Vasko1a38c862016-01-15 15:50:07 +0100821/**
Michal Vasko58c22a22016-11-23 13:49:53 +0100822 * @brief Remove a cert-to-name entry.
Michal Vasko1a38c862016-01-15 15:50:07 +0100823 *
Michal Vaskoda514772016-02-01 11:32:01 +0100824 * @param[in] endpt_name Existing endpoint name.
Michal Vasko1a38c862016-01-15 15:50:07 +0100825 * @param[in] id Priority of the entry. -1 matches all the priorities.
826 * @param[in] fingerprint Fingerprint fo the entry. NULL matches all the fingerprints.
827 * @param[in] map_type Mapping type of the entry. 0 matches all the mapping types.
828 * @param[in] name Specific username for the entry. NULL matches all the usernames.
829 * @return 0 on success, -1 on not finding any match.
830 */
Michal Vasko3a889fd2016-09-30 12:16:37 +0200831int nc_server_tls_endpt_del_ctn(const char *endpt_name, int64_t id, const char *fingerprint,
832 NC_TLS_CTN_MAPTYPE map_type, const char *name);
Michal Vasko0457bb42016-01-08 15:49:13 +0100833
Michal Vaskodf5e6af2016-11-23 13:50:56 +0100834/**
835 * @brief Get a cert-to-name entry.
836 *
837 * If a parameter is NULL, it is ignored. If its dereferenced value is NULL,
838 * it is filled and returned. If the value is set, it is used as a filter.
839 * Returns first matching entry.
840 *
841 * @param[in] endpt_name Existing endpoint name.
842 * @param[in,out] id Priority of the entry.
843 * @param[in,out] fingerprint Fingerprint fo the entry.
844 * @param[in,out] map_type Mapping type of the entry.
845 * @param[in,out] name Specific username for the entry.
846 * @return 0 on success, -1 on not finding any match.
847 */
Michal Vaskof585ac72016-11-25 15:16:38 +0100848int nc_server_tls_endpt_get_ctn(const char *endpt_name, uint32_t *id, char **fingerprint, NC_TLS_CTN_MAPTYPE *map_type,
849 char **name);
Michal Vaskodf5e6af2016-11-23 13:50:56 +0100850
Michal Vasko7060bcf2016-11-28 14:48:11 +0100851/**
Michal Vasko709598e2016-11-28 14:48:32 +0100852 * @brief Get client certificate.
853 *
854 * @param[in] session Session to get the information from.
855 * @return Const session client certificate.
856 */
857const X509 *nc_session_get_client_cert(const struct nc_session *session);
858
859/**
Michal Vasko7060bcf2016-11-28 14:48:11 +0100860 * @brief Set TLS authentication additional verify callback.
861 *
862 * Server will always perform cert-to-name based on its configuration. Only after it passes
863 * and this callback is set, it is also called. It should return exactly what OpenSSL
864 * verify callback meaning 1 for success, 0 to deny the user.
865 *
866 * @param[in] verify_clb Additional user verify callback.
867 */
868void nc_server_tls_set_verify_clb(int (*verify_clb)(const struct nc_session *session));
869
Radek Krejci6799a052017-05-19 14:23:23 +0200870/**@} Server TLS */
871
Radek Krejci53691be2016-02-22 13:58:37 +0100872#endif /* NC_ENABLED_TLS */
Michal Vasko086311b2016-01-08 09:53:11 +0100873
Michal Vaskof8352352016-05-24 09:11:36 +0200874/**
Radek Krejci6799a052017-05-19 14:23:23 +0200875 * @addtogroup server_session
876 * @{
877 */
878
879/**
Michal Vaskoc45ebd32016-05-25 11:17:36 +0200880 * @brief Get session start time.
Michal Vaskof8352352016-05-24 09:11:36 +0200881 *
882 * @param[in] session Session to get the information from.
Michal Vaskoc45ebd32016-05-25 11:17:36 +0200883 * @return Session start time.
Michal Vaskof8352352016-05-24 09:11:36 +0200884 */
Michal Vaskoc45ebd32016-05-25 11:17:36 +0200885time_t nc_session_get_start_time(const struct nc_session *session);
Michal Vaskof8352352016-05-24 09:11:36 +0200886
Michal Vasko3486a7c2017-03-03 13:28:07 +0100887/**
Michal Vasko71dbd772021-03-23 14:08:37 +0100888 * @brief Increase session notification subscription flag count.
889 * Supports multiple subscriptions on one session.
Michal Vasko3486a7c2017-03-03 13:28:07 +0100890 *
891 * It is used only to ignore timeouts, because they are
892 * ignored for sessions with active subscriptions.
893 *
894 * @param[in] session Session to modify.
Michal Vasko3486a7c2017-03-03 13:28:07 +0100895 */
Michal Vasko71dbd772021-03-23 14:08:37 +0100896void nc_session_inc_notif_status(struct nc_session *session);
897
898/**
899 * @brief Decrease session notification subscription flag count.
900 * Supports multiple subscriptions on one session.
901 *
902 * @param[in] session Session to modify.
903 */
904void nc_session_dec_notif_status(struct nc_session *session);
Michal Vasko3486a7c2017-03-03 13:28:07 +0100905
906/**
907 * @brief Get session notification subscription flag.
908 *
909 * @param[in] session Session to get the information from.
910 * @return 0 for no active subscription, non-zero for an active subscription.
911 */
912int nc_session_get_notif_status(const struct nc_session *session);
913
Michal Vasko8f430592019-02-26 08:32:54 +0100914/**
915 * @brief Learn whether a session was created using Call Home or not.
916 * Works only for server sessions.
917 *
918 * @param[in] session Session to get the information from.
919 * @return 0 if a standard session, non-zero if a Call Home session.
920 */
921int nc_session_is_callhome(const struct nc_session *session);
922
Radek Krejci6799a052017-05-19 14:23:23 +0200923/**@} Server Session */
924
Michal Vaskoc09730e2019-01-17 10:07:26 +0100925#ifdef __cplusplus
926}
927#endif
928
Michal Vasko086311b2016-01-08 09:53:11 +0100929#endif /* NC_SESSION_SERVER_H_ */