roman3f9b65c2023-06-05 14:26:58 +02001/**
2 * @file config_new_tls.c
3 * @author Roman Janota <janota@cesnet.cz>
4 * @brief libnetconf2 TLS server new configuration creation functions
5 *
6 * @copyright
7 * Copyright (c) 2023 CESNET, z.s.p.o.
8 *
9 * This source code is licensed under BSD 3-Clause License (the "License").
10 * You may not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * https://opensource.org/licenses/BSD-3-Clause
14 */
15
16#define _GNU_SOURCE
17
roman12644fe2023-06-08 11:06:42 +020018#include <stdarg.h>
roman3f9b65c2023-06-05 14:26:58 +020019#include <stdint.h>
20#include <stdio.h>
21#include <stdlib.h>
22#include <string.h>
23
24#include <libyang/libyang.h>
25
26#include "compat.h"
27#include "config.h"
28#include "config_new.h"
29#include "log_p.h"
30#include "server_config.h"
31#include "session.h"
32#include "session_p.h"
33
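/**
 * @brief Best-effort wipe of a NUL-terminated secret before it is freed.
 *
 * The stores go through a volatile pointer so the compiler cannot drop them as dead
 * just because free() follows.
 *
 * @param[in] secret String to overwrite, may be NULL.
 */
static void
nc_config_new_tls_wipe_str(char *secret)
{
    volatile char *p = (volatile char *)secret;

    if (!secret) {
        return;
    }
    while (*p) {
        *p++ = '\0';
    }
}

/**
 * @brief Append the server-identity inline-definition leaves (key formats, keys and certificate) under tree_path.
 *
 * The leaves are appended in this order: public-key-format, public-key, private-key-format,
 * cleartext-private-key, cert-data; the first failing append aborts the rest. Note that the private key
 * ends up in the configuration data tree in cleartext (leaf cleartext-private-key), so the caller owns
 * a copy of the key material for as long as *config lives; only the temporary buffer is wiped here.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the inline-definition node the leaves are appended to.
 * @param[in] pubkey_path Path to the public key file. The public wrappers do not arg-check it,
 * so NULL can arrive here.
 * @param[in] privkey_path Path to the private key file.
 * @param[in] certificate_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
static int
_nc_server_config_new_tls_server_certificate(const struct ly_ctx *ctx, const char *tree_path, const char *pubkey_path,
        const char *privkey_path, const char *certificate_path, struct lyd_node **config)
{
    int ret = 0;
    char *privkey = NULL, *pubkey = NULL, *cert = NULL;
    NC_PRIVKEY_FORMAT privkey_type;
    NC_PUBKEY_FORMAT pubkey_type;
    const char *privkey_format, *pubkey_format;

    /* get the keys as a string from the given files */
    /* NOTE(review): assumes nc_server_config_new_get_keys() fills pubkey and pubkey_type even when
     * pubkey_path is NULL (the wrappers allow that) - confirm */
    ret = nc_server_config_new_get_keys(privkey_path, pubkey_path, &privkey, &pubkey, &privkey_type, &pubkey_type);
    if (ret) {
        ERR(NULL, "Getting keys from file(s) failed.");
        goto cleanup;
    }

    /* get cert data from file */
    ret = nc_server_config_new_read_certificate(certificate_path, &cert);
    if (ret) {
        ERR(NULL, "Getting certificate from file \"%s\" failed.", certificate_path);
        goto cleanup;
    }

    /* get pubkey format identityref: X.509 SubjectPublicKeyInfo or SSH public key encoding */
    if (pubkey_type == NC_PUBKEY_FORMAT_X509) {
        pubkey_format = "ietf-crypto-types:public-key-info-format";
    } else {
        pubkey_format = "ietf-crypto-types:ssh-public-key-format";
    }

    /* get privkey identityref value; presumably the converter logs the reason itself, so no ERR here */
    privkey_format = nc_config_new_privkey_format_to_identityref(privkey_type);
    if (!privkey_format) {
        ret = 1;
        goto cleanup;
    }

    ret = nc_config_new_create_append(ctx, tree_path, "public-key-format", pubkey_format, config);
    if (ret) {
        goto cleanup;
    }

    ret = nc_config_new_create_append(ctx, tree_path, "public-key", pubkey, config);
    if (ret) {
        goto cleanup;
    }

    ret = nc_config_new_create_append(ctx, tree_path, "private-key-format", privkey_format, config);
    if (ret) {
        goto cleanup;
    }

    ret = nc_config_new_create_append(ctx, tree_path, "cleartext-private-key", privkey, config);
    if (ret) {
        goto cleanup;
    }

    ret = nc_config_new_create_append(ctx, tree_path, "cert-data", cert, config);
    if (ret) {
        goto cleanup;
    }

cleanup:
    /* do not leave the private key lying around in freed heap memory */
    nc_config_new_tls_wipe_str(privkey);
    free(privkey);
    free(pubkey);
    free(cert);
    return ret;
}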
103
/**
 * @brief Create the TLS server-identity certificate YANG data (keys and certificate) of a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] pubkey_path Path to the public key file, not arg-checked (may be NULL).
 * @param[in] privkey_path Path to the private key file.
 * @param[in] certificate_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_tls_server_certificate(const struct ly_ctx *ctx, const char *endpt_name, const char *pubkey_path,
        const char *privkey_path, const char *certificate_path, struct lyd_node **config)
{
    char *endpt_path = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, privkey_path, certificate_path, config, 1);

    rc = asprintf(&endpt_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
            "tls/tls-server-parameters/server-identity/certificate/inline-definition", endpt_name);
    if (rc == -1) {
        /* asprintf leaves the pointer undefined on failure, nothing to free */
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_new_tls_server_certificate(ctx, endpt_path, pubkey_path, privkey_path,
            certificate_path, config);
    if (rc) {
        ERR(NULL, "Creating new TLS server certificate YANG data failed.");
    }

    free(endpt_path);
    return rc;
}
132
/**
 * @brief Create the TLS server-identity certificate YANG data (keys and certificate) of a Call Home endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] ch_client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] pubkey_path Path to the public key file, not arg-checked (may be NULL).
 * @param[in] privkey_path Path to the private key file.
 * @param[in] certificate_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_ch_tls_server_certificate(const struct ly_ctx *ctx, const char *ch_client_name, const char *endpt_name,
        const char *pubkey_path, const char *privkey_path, const char *certificate_path, struct lyd_node **config)
{
    char *endpt_path = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, ch_client_name, endpt_name, privkey_path, certificate_path, 1);
    NC_CHECK_ARG_RET(NULL, config, 1);

    rc = asprintf(&endpt_path, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/"
            "certificate/inline-definition", ch_client_name, endpt_name);
    if (rc == -1) {
        /* asprintf leaves the pointer undefined on failure, nothing to free */
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_new_tls_server_certificate(ctx, endpt_path, pubkey_path, privkey_path,
            certificate_path, config);
    if (rc) {
        ERR(NULL, "Creating new CH TLS server certificate YANG data failed.");
    }

    free(endpt_path);
    return rc;
}
163
/**
 * @brief Read a certificate file and append it as a cert-data leaf under tree_path.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the node the cert-data leaf is appended to.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
static int
_nc_server_config_new_tls_client_certificate(const struct ly_ctx *ctx, const char *tree_path,
        const char *cert_path, struct lyd_node **config)
{
    char *cert_data = NULL;
    int rc;

    rc = nc_server_config_new_read_certificate(cert_path, &cert_data);
    if (rc) {
        ERR(NULL, "Getting certificate from file \"%s\" failed.", cert_path);
    } else {
        rc = nc_config_new_create_append(ctx, tree_path, "cert-data", cert_data, config);
    }

    free(cert_data);
    return rc;
}
186
/**
 * @brief Create an end-entity client certificate (ee-certs) YANG data entry of a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] cert_name Arbitrary name of the certificate list entry.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_tls_client_certificate(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
        const char *cert_path, struct lyd_node **config)
{
    char *cert_node_path = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);

    rc = asprintf(&cert_node_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ee-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name);
    if (rc == -1) {
        /* asprintf leaves the pointer undefined on failure, nothing to free */
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_new_tls_client_certificate(ctx, cert_node_path, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new TLS client certificate YANG data failed.");
    }

    free(cert_node_path);
    return rc;
}
214
/**
 * @brief Create an end-entity client certificate (ee-certs) YANG data entry of a Call Home endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] ch_client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] cert_name Arbitrary name of the certificate list entry.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_ch_tls_client_certificate(const struct ly_ctx *ctx, const char *ch_client_name, const char *endpt_name,
        const char *cert_name, const char *cert_path, struct lyd_node **config)
{
    char *cert_node_path = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, ch_client_name, endpt_name, cert_name, cert_path, 1);
    NC_CHECK_ARG_RET(NULL, config, 1);

    rc = asprintf(&cert_node_path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
            "inline-definition/certificate[name='%s']", ch_client_name, endpt_name, cert_name);
    if (rc == -1) {
        /* asprintf leaves the pointer undefined on failure, nothing to free */
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_new_tls_client_certificate(ctx, cert_node_path, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new CH TLS client certificate YANG data failed.");
    }

    free(cert_node_path);
    return rc;
}
244
/**
 * @brief Create a client certificate authority (ca-certs) YANG data entry of a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] cert_name Arbitrary name of the certificate list entry.
 * @param[in] cert_path Path to the CA certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_tls_client_ca(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
        const char *cert_path, struct lyd_node **config)
{
    char *ca_node_path = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);

    rc = asprintf(&ca_node_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name);
    if (rc == -1) {
        /* asprintf leaves the pointer undefined on failure, nothing to free */
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_new_tls_client_certificate(ctx, ca_node_path, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new TLS client certificate authority YANG data failed.");
    }

    free(ca_node_path);
    return rc;
}
272
/**
 * @brief Create a client certificate authority (ca-certs) YANG data entry of a Call Home endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] ch_client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] cert_name Arbitrary name of the certificate list entry.
 * @param[in] cert_path Path to the CA certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_ch_tls_client_ca(const struct ly_ctx *ctx, const char *ch_client_name, const char *endpt_name,
        const char *cert_name, const char *cert_path, struct lyd_node **config)
{
    char *ca_node_path = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, ch_client_name, endpt_name, cert_name, cert_path, 1);
    NC_CHECK_ARG_RET(NULL, config, 1);

    rc = asprintf(&ca_node_path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
            "inline-definition/certificate[name='%s']", ch_client_name, endpt_name, cert_name);
    if (rc == -1) {
        /* asprintf leaves the pointer undefined on failure, nothing to free */
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_new_tls_client_certificate(ctx, ca_node_path, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new CH TLS client certificate authority YANG data failed.");
    }

    free(ca_node_path);
    return rc;
}
roman12644fe2023-06-08 11:06:42 +0200302
/**
 * @brief Map a cert-to-name map type to its ietf-x509-cert-to-name identityref string.
 *
 * @param[in] map_type Map type to convert.
 * @return Static identityref string, NULL (with an error logged) for NC_TLS_CTN_UNKNOWN or any other value.
 */
static const char *
nc_config_new_tls_maptype2str(NC_TLS_CTN_MAPTYPE map_type)
{
    const char *ident = NULL;

    switch (map_type) {
    case NC_TLS_CTN_SPECIFIED:
        ident = "ietf-x509-cert-to-name:specified";
        break;
    case NC_TLS_CTN_SAN_RFC822_NAME:
        ident = "ietf-x509-cert-to-name:san-rfc822-name";
        break;
    case NC_TLS_CTN_SAN_DNS_NAME:
        ident = "ietf-x509-cert-to-name:san-dns-name";
        break;
    case NC_TLS_CTN_SAN_IP_ADDRESS:
        ident = "ietf-x509-cert-to-name:san-ip-address";
        break;
    case NC_TLS_CTN_SAN_ANY:
        ident = "ietf-x509-cert-to-name:san-any";
        break;
    case NC_TLS_CTN_COMMON_NAME:
        ident = "ietf-x509-cert-to-name:common-name";
        break;
    case NC_TLS_CTN_UNKNOWN:
    default:
        /* ident stays NULL, reported below */
        break;
    }

    if (!ident) {
        ERR(NULL, "Unknown map_type.");
    }
    return ident;
}
325
/**
 * @brief Append the leaves of one cert-to-name list entry (fingerprint, map-type, name) under tree_path.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the cert-to-name entry.
 * @param[in] fingerprint Optional certificate fingerprint; no fingerprint leaf is created when NULL.
 * @param[in] map_type How the certificate is mapped to a username.
 * @param[in] name Username to map to.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
static int
_nc_server_config_new_tls_ctn(const struct ly_ctx *ctx, const char *tree_path, const char *fingerprint,
        NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    const char *map_ident;
    int rc;

    /* the fingerprint leaf is optional, emit it only when one was given */
    if (fingerprint) {
        rc = nc_config_new_create_append(ctx, tree_path, "fingerprint", fingerprint, config);
        if (rc) {
            return rc;
        }
    }

    map_ident = nc_config_new_tls_maptype2str(map_type);
    if (!map_ident) {
        return 1;
    }

    rc = nc_config_new_create_append(ctx, tree_path, "map-type", map_ident, config);
    if (rc) {
        return rc;
    }

    return nc_config_new_create_append(ctx, tree_path, "name", name, config);
}
361
/**
 * @brief Create a cert-to-name (client identity mapping) YANG data entry of a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] id Key of the cert-to-name list entry; passed through NC_CHECK_ARG_RET, so presumably 0 is rejected - confirm.
 * @param[in] fingerprint Optional certificate fingerprint, may be NULL.
 * @param[in] map_type How the certificate is mapped to a username.
 * @param[in] name Username to map to.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_tls_ctn(const struct ly_ctx *ctx, const char *endpt_name, uint32_t id, const char *fingerprint,
        NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    char *ctn_path = NULL;
    int rc;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, id, name, config, 1);

    rc = asprintf(&ctn_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/netconf-server-parameters/"
            "client-identity-mappings/cert-to-name[id='%u']", endpt_name, id);
    if (rc == -1) {
        /* asprintf leaves the pointer undefined on failure, nothing to free */
        ERRMEM;
        return 1;
    }

    rc = _nc_server_config_new_tls_ctn(ctx, ctn_path, fingerprint, map_type, name, config);
    if (rc) {
        ERR(NULL, "Creating new TLS cert-to-name YANG data failed.");
    }

    free(ctn_path);
    return rc;
}
389
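/**
 * @brief Create a cert-to-name (client identity mapping) YANG data entry of a Call Home endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] ch_client_name Name of the Call Home client.
 * @param[in] endpt_name Name of the client's endpoint.
 * @param[in] id Key of the cert-to-name list entry; passed through NC_CHECK_ARG_RET, so presumably 0 is rejected - confirm.
 * @param[in] fingerprint Optional certificate fingerprint, may be NULL.
 * @param[in] map_type How the certificate is mapped to a username.
 * @param[in] name Username to map to.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_ch_tls_ctn(const struct ly_ctx *ctx, const char *ch_client_name, const char *endpt_name,
        uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    int ret = 0;
    char *path = NULL;

    /* ctx is checked here like in every other public function of this file; it used to be missing
     * and a NULL context reached nc_config_new_create_append() */
    NC_CHECK_ARG_RET(NULL, ctx, ch_client_name, endpt_name, id, name, config, 1);

    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
            "cert-to-name[id='%u']", ch_client_name, endpt_name, id) == -1) {
        ERRMEM;
        path = NULL;
        ret = 1;
        goto cleanup;
    }

    ret = _nc_server_config_new_tls_ctn(ctx, path, fingerprint, map_type, name, config);
    if (ret) {
        /* say CH like the other Call Home variants do, so the log identifies the failing API */
        ERR(NULL, "Creating new CH TLS cert-to-name YANG data failed.");
        goto cleanup;
    }

cleanup:
    free(path);
    return ret;
}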
418
/**
 * @brief Map a TLS protocol version to its ietf-tls-common identityref string.
 *
 * TLS 1.0 and 1.1 are still representable here because the YANG model defines them, but they are
 * deprecated (RFC 8996); configuring them is the caller's decision, not something this helper prevents.
 *
 * @param[in] version TLS version to convert.
 * @return Static identityref string, NULL (with an error logged) for any unknown value.
 */
static const char *
nc_config_new_tls_tlsversion2str(NC_TLS_VERSION version)
{
    const char *ident = NULL;

    switch (version) {
    case NC_TLS_VERSION_10:
        ident = "ietf-tls-common:tls10";
        break;
    case NC_TLS_VERSION_11:
        ident = "ietf-tls-common:tls11";
        break;
    case NC_TLS_VERSION_12:
        ident = "ietf-tls-common:tls12";
        break;
    case NC_TLS_VERSION_13:
        ident = "ietf-tls-common:tls13";
        break;
    default:
        /* ident stays NULL, reported below */
        break;
    }

    if (!ident) {
        ERR(NULL, "Unknown TLS version.");
    }
    return ident;
}
436
/**
 * @brief Add a TLS version to the hello-params of a listen endpoint.
 *
 * Unlike nc_server_config_new_tls_ciphers(), previously configured tls-version entries are not removed.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] tls_version TLS version to allow.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_tls_version(const struct ly_ctx *ctx, const char *endpt_name,
        NC_TLS_VERSION tls_version, struct lyd_node **config)
{
    const char *version_ident;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);

    version_ident = nc_config_new_tls_tlsversion2str(tls_version);
    if (!version_ident) {
        return 1;
    }

    return nc_config_new_create(ctx, config, version_ident, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "hello-params/tls-versions/tls-version", endpt_name);
}
461
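/**
 * @brief Replace the TLS cipher-suite list in the hello-params of a listen endpoint.
 *
 * Any existing cipher-suites container of the endpoint is removed first, then one cipher-suite entry
 * (identity iana-tls-cipher-suite-algs:<cipher>) is created per variadic argument, in the order given.
 * With cipher_count <= 0 the list is only cleared.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @param[in] cipher_count Number of cipher names that follow.
 * @param[in] ... cipher_count strings (char *), each an iana-tls-cipher-suite-algs identity name, none NULL.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_ciphers(const struct ly_ctx *ctx, const char *endpt_name, struct lyd_node **config,
        int cipher_count, ...)
{
    int ret = 0;
    struct lyd_node *old = NULL;
    va_list ap;
    char *cipher = NULL, *cipher_ident = NULL, *old_path = NULL;
    int i;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);

    va_start(ap, cipher_count);

    if (asprintf(&old_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
            "tls/tls-server-parameters/hello-params/cipher-suites", endpt_name) == -1) {
        ERRMEM;
        old_path = NULL;
        /* report 1 like the rest of the file, not asprintf's -1 */
        ret = 1;
        goto cleanup;
    }

    /* delete all older algorithms (if any) so they can be replaced by the new ones; a failed lookup
     * only means there is nothing to delete, so its return value is deliberately not propagated
     * (it used to leak out as the result when cipher_count was 0) */
    if (*config && !lyd_find_path(*config, old_path, 0, &old)) {
        lyd_free_tree(old);
    }

    for (i = 0; i < cipher_count; i++) {
        cipher = va_arg(ap, char *);
        if (!cipher) {
            /* a NULL name would otherwise be formatted with %s below */
            ERR(NULL, "Cipher suite name #%d is NULL.", i + 1);
            ret = 1;
            goto cleanup;
        }

        if (asprintf(&cipher_ident, "iana-tls-cipher-suite-algs:%s", cipher) == -1) {
            ERRMEM;
            cipher_ident = NULL;
            ret = 1;
            goto cleanup;
        }

        ret = nc_config_new_create(ctx, config, cipher_ident, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
                "tls/tls-server-parameters/hello-params/cipher-suites/cipher-suite", endpt_name);
        if (ret) {
            /* cipher_ident is released in cleanup, it used to leak on this path */
            goto cleanup;
        }

        free(cipher_ident);
        cipher_ident = NULL;
    }

cleanup:
    va_end(ap);
    free(cipher_ident);
    free(old_path);
    return ret;
}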
romanfaecc582023-06-15 16:13:31 +0200515
/**
 * @brief Configure a CRL file path for client authentication of a listen endpoint.
 *
 * crl-path, crl-url and crl-cert-ext are alternatives (a YANG choice), so the other two nodes
 * are removed from the tree when present.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] path Filesystem path of the CRL.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_tls_crl_path(const struct ly_ctx *ctx, const char *endpt_name, const char *path, struct lyd_node **config)
{
    int rc;
    struct lyd_node *sibling = NULL;
    char *other[2] = {NULL, NULL};
    size_t i;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, path, config, 1);

    rc = nc_config_new_create(ctx, config, path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-path", endpt_name);
    if (rc) {
        goto cleanup;
    }

    /* paths of the two competing choice nodes */
    if (asprintf(&other[0], "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-url", endpt_name) == -1) {
        ERRMEM;
        other[0] = NULL;
        rc = 1;
        goto cleanup;
    }
    if (asprintf(&other[1], "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-cert-ext", endpt_name) == -1) {
        ERRMEM;
        other[1] = NULL;
        rc = 1;
        goto cleanup;
    }

    /* delete the other choice nodes if they are present; a failed lookup just means the node is absent */
    for (i = 0; i < 2; i++) {
        if (!lyd_find_path(*config, other[i], 0, &sibling)) {
            lyd_free_tree(sibling);
        }
    }
    rc = 0;

cleanup:
    free(other[0]);
    free(other[1]);
    return rc;
}
564
/**
 * @brief Configure a CRL URL for client authentication of a listen endpoint.
 *
 * crl-path, crl-url and crl-cert-ext are alternatives (a YANG choice), so the other two nodes
 * are removed from the tree when present.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in] url URL the CRL is fetched from.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_tls_crl_url(const struct ly_ctx *ctx, const char *endpt_name, const char *url, struct lyd_node **config)
{
    int rc;
    struct lyd_node *sibling = NULL;
    char *other[2] = {NULL, NULL};
    size_t i;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, url, config, 1);

    rc = nc_config_new_create(ctx, config, url, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-url", endpt_name);
    if (rc) {
        goto cleanup;
    }

    /* paths of the two competing choice nodes */
    if (asprintf(&other[0], "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-path", endpt_name) == -1) {
        ERRMEM;
        other[0] = NULL;
        rc = 1;
        goto cleanup;
    }
    if (asprintf(&other[1], "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-cert-ext", endpt_name) == -1) {
        ERRMEM;
        other[1] = NULL;
        rc = 1;
        goto cleanup;
    }

    /* delete the other choice nodes if they are present; a failed lookup just means the node is absent */
    for (i = 0; i < 2; i++) {
        if (!lyd_find_path(*config, other[i], 0, &sibling)) {
            lyd_free_tree(sibling);
        }
    }
    rc = 0;

cleanup:
    free(other[0]);
    free(other[1]);
    return rc;
}
613
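/**
 * @brief Configure CRL retrieval from the certificates' own extension for client authentication of a listen endpoint.
 *
 * crl-path, crl-url and crl-cert-ext are alternatives (a YANG choice), so the other two nodes
 * are removed from the tree when present. The crl-cert-ext node is created without a value.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_server_config_new_tls_crl_cert_ext(const struct ly_ctx *ctx, const char *endpt_name, struct lyd_node **config)
{
    int ret = 0;
    struct lyd_node *node = NULL;
    char *crl_path = NULL, *url_path = NULL;

    /* the same argument check as the sibling crl-path/crl-url functions; it was missing here,
     * so a NULL endpt_name reached the "%s" formats below */
    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);

    ret = nc_config_new_create(ctx, config, NULL, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-cert-ext", endpt_name);
    if (ret) {
        goto cleanup;
    }

    if (asprintf(&crl_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-path", endpt_name) == -1) {
        ERRMEM;
        crl_path = NULL;
        ret = 1;
        goto cleanup;
    }

    if (asprintf(&url_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-url", endpt_name) == -1) {
        ERRMEM;
        url_path = NULL;
        ret = 1;
        goto cleanup;
    }

    /* delete other choice nodes if they are present */
    ret = lyd_find_path(*config, crl_path, 0, &node);
    if (!ret) {
        lyd_free_tree(node);
    }
    ret = lyd_find_path(*config, url_path, 0, &node);
    if (!ret) {
        lyd_free_tree(node);
    }
    /* a failed lookup only means the node is absent, it is not an error of this function */
    ret = 0;

cleanup:
    free(crl_path);
    free(url_path);
    return ret;
}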
roman2e797ef2023-06-19 10:47:49 +0200660
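/**
 * @brief Make a listen endpoint's TLS client authentication refer to another endpoint's settings.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint being configured.
 * @param[in] referenced_endpt Name of the endpoint whose client authentication is reused.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, non-zero otherwise.
 */
API int
nc_config_new_tls_endpoint_client_reference(const struct ly_ctx *ctx, const char *endpt_name, const char *referenced_endpt, struct lyd_node **config)
{
    /* arg check like the other public functions; a NULL reference would otherwise be passed on as a leaf value */
    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, referenced_endpt, config, 1);

    return nc_config_new_create(ctx, config, referenced_endpt, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:endpoint-client-auth", endpt_name);
}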