Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 8ba6efa79446c9b0be745fbd50b50132413519f5 / . / src / config_new_tls.c
blob: 988827b5d1b30d22eb47dcac6b210d3824a5d140 [file] [log] [blame]
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]1/**
2 * @file config_new_tls.c
3 * @author Roman Janota <janota@cesnet.cz>
4 * @brief libnetconf2 TLS server new configuration creation functions
5 *
6 * @copyright
7 * Copyright (c) 2023 CESNET, z.s.p.o.
8 *
9 * This source code is licensed under BSD 3-Clause License (the "License").
10 * You may not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * https://opensource.org/licenses/BSD-3-Clause
14 */
15
16#define _GNU_SOURCE
17
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]18#include <stdarg.h>
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]19#include <stdint.h>
20#include <stdio.h>
21#include <stdlib.h>
22#include <string.h>
23
24#include <libyang/libyang.h>
25
26#include "compat.h"
27#include "config.h"
28#include "config_new.h"
29#include "log_p.h"
30#include "server_config.h"
31#include "session.h"
32#include "session_p.h"
33
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]34static int
35_nc_server_config_new_tls_server_certificate(const struct ly_ctx *ctx, const char *tree_path, const char *pubkey_path,
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]36 const char *privkey_path, const char *certificate_path, struct lyd_node **config)
37{
38 int ret = 0;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]39 char *privkey = NULL, *pubkey = NULL, *cert = NULL;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]40 NC_PRIVKEY_FORMAT privkey_type;
41 NC_PUBKEY_FORMAT pubkey_type;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]42 const char *privkey_format, *pubkey_format;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]43
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]44 /* get the keys as a string from the given files */
45 ret = nc_server_config_new_get_keys(privkey_path, pubkey_path, &privkey, &pubkey, &privkey_type, &pubkey_type);
46 if (ret) {
47 ERR(NULL, "Getting keys from file(s) failed.");
48 goto cleanup;
49 }
50
romand30af552023-06-16 15:18:27 +0200[diff] [blame]51 /* get cert data from file */
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]52 ret = nc_server_config_new_read_certificate(certificate_path, &cert);
53 if (ret) {
54 ERR(NULL, "Getting certificate from file \"%s\" failed.", certificate_path);
55 goto cleanup;
56 }
57
romand30af552023-06-16 15:18:27 +0200[diff] [blame]58 /* get pubkey format str */
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]59 if (pubkey_type == NC_PUBKEY_FORMAT_X509) {
romand30af552023-06-16 15:18:27 +0200[diff] [blame]60 pubkey_format = "ietf-crypto-types:public-key-info-format";
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]61 } else {
romand30af552023-06-16 15:18:27 +0200[diff] [blame]62 pubkey_format = "ietf-crypto-types:ssh-public-key-format";
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]63 }
64
65 /* get privkey identityref value */
romand30af552023-06-16 15:18:27 +0200[diff] [blame]66 privkey_format = nc_config_new_privkey_format_to_identityref(privkey_type);
67 if (!privkey_format) {
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]68 ret = 1;
69 goto cleanup;
70 }
71
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]72 ret = nc_config_new_create_append(ctx, tree_path, "public-key-format", pubkey_format, config);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]73 if (ret) {
74 goto cleanup;
75 }
76
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]77 ret = nc_config_new_create_append(ctx, tree_path, "public-key", pubkey, config);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]78 if (ret) {
79 goto cleanup;
80 }
81
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]82 ret = nc_config_new_create_append(ctx, tree_path, "private-key-format", privkey_format, config);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]83 if (ret) {
84 goto cleanup;
85 }
86
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]87 ret = nc_config_new_create_append(ctx, tree_path, "cleartext-private-key", privkey, config);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]88 if (ret) {
89 goto cleanup;
90 }
91
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]92 ret = nc_config_new_create_append(ctx, tree_path, "cert-data", cert, config);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]93 if (ret) {
94 goto cleanup;
95 }
96
97cleanup:
98 free(privkey);
99 free(pubkey);
100 free(cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]101 return ret;
102}
103
104API int
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]105nc_server_config_new_tls_server_certificate(const struct ly_ctx *ctx, const char *endpt_name, const char *pubkey_path,
106 const char *privkey_path, const char *certificate_path, struct lyd_node **config)
107{
108 int ret = 0;
109 char *path = NULL;
110
111 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, privkey_path, certificate_path, config, 1);
112
113 if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
114 "tls/tls-server-parameters/server-identity/certificate/inline-definition", endpt_name) == -1) {
115 ERRMEM;
116 path = NULL;
117 ret = 1;
118 goto cleanup;
119 }
120
121 ret = _nc_server_config_new_tls_server_certificate(ctx, path, pubkey_path, privkey_path,
122 certificate_path, config);
123 if (ret) {
124 ERR(NULL, "Creating new TLS server certificate YANG data failed.");
125 goto cleanup;
126 }
127
128cleanup:
129 free(path);
130 return ret;
131}
132
133API int
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]134nc_server_config_new_tls_del_server_certificate(const char *endpt_name, struct lyd_node **config)
135{
136 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
137
138 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
139 "tls/tls-server-parameters/server-identity/certificate/inline-definition", endpt_name);
140}
141
142API int
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]143nc_server_config_new_ch_tls_server_certificate(const struct ly_ctx *ctx, const char *ch_client_name, const char *endpt_name,
144 const char *pubkey_path, const char *privkey_path, const char *certificate_path, struct lyd_node **config)
145{
146 int ret = 0;
147 char *path = NULL;
148
149 NC_CHECK_ARG_RET(NULL, ctx, ch_client_name, endpt_name, privkey_path, certificate_path, 1);
150 NC_CHECK_ARG_RET(NULL, config, 1);
151
152 if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/"
153 "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/"
154 "certificate/inline-definition", ch_client_name, endpt_name) == -1) {
155 ERRMEM;
156 path = NULL;
157 ret = 1;
158 goto cleanup;
159 }
160
161 ret = _nc_server_config_new_tls_server_certificate(ctx, path, pubkey_path, privkey_path,
162 certificate_path, config);
163 if (ret) {
164 ERR(NULL, "Creating new CH TLS server certificate YANG data failed.");
165 goto cleanup;
166 }
167
168cleanup:
169 free(path);
170 return ret;
171}
172
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]173API int
174nc_server_config_new_ch_tls_del_server_certificate(const char *ch_client_name, const char *endpt_name,
175 struct lyd_node **config)
176{
177 NC_CHECK_ARG_RET(NULL, ch_client_name, endpt_name, config, 1);
178
179 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
180 "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/"
181 "certificate/inline-definition", ch_client_name, endpt_name);
182}
183
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]184static int
185_nc_server_config_new_tls_client_certificate(const struct ly_ctx *ctx, const char *tree_path,
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]186 const char *cert_path, struct lyd_node **config)
187{
188 int ret = 0;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]189 char *cert = NULL;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]190
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]191 ret = nc_server_config_new_read_certificate(cert_path, &cert);
192 if (ret) {
193 ERR(NULL, "Getting certificate from file \"%s\" failed.", cert_path);
194 goto cleanup;
195 }
196
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]197 ret = nc_config_new_create_append(ctx, tree_path, "cert-data", cert, config);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]198 if (ret) {
199 goto cleanup;
200 }
201
202cleanup:
203 free(cert);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]204 return ret;
205}
206
207API int
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]208nc_server_config_new_tls_client_certificate(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]209 const char *cert_path, struct lyd_node **config)
210{
211 int ret = 0;
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]212 char *path = NULL;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]213
214 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);
215
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]216 if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
217 "client-authentication/ee-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name) == -1) {
218 ERRMEM;
219 path = NULL;
220 ret = 1;
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]221 goto cleanup;
222 }
223
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]224 ret = _nc_server_config_new_tls_client_certificate(ctx, path, cert_path, config);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]225 if (ret) {
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]226 ERR(NULL, "Creating new TLS client certificate YANG data failed.");
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]227 goto cleanup;
228 }
229
230cleanup:
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]231 free(path);
232 return ret;
233}
234
235API int
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]236nc_server_config_new_tls_del_client_certificate(const char *endpt_name, const char *cert_name, struct lyd_node **config)
237{
238 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
239
240 if (cert_name) {
241 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
242 "tls-server-parameters/client-authentication/ee-certs/inline-definition/"
243 "certificate[name='%s']", endpt_name, cert_name);
244 } else {
245 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
246 "tls-server-parameters/client-authentication/ee-certs/inline-definition/"
247 "certificate", endpt_name);
248 }
249}
250
251API int
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]252nc_server_config_new_ch_tls_client_certificate(const struct ly_ctx *ctx, const char *ch_client_name, const char *endpt_name,
253 const char *cert_name, const char *cert_path, struct lyd_node **config)
254{
255 int ret = 0;
256 char *path = NULL;
257
258 NC_CHECK_ARG_RET(NULL, ctx, ch_client_name, endpt_name, cert_name, cert_path, 1);
259 NC_CHECK_ARG_RET(NULL, config, 1);
260
261 if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
262 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
263 "inline-definition/certificate[name='%s']", ch_client_name, endpt_name, cert_name) == -1) {
264 ERRMEM;
265 path = NULL;
266 ret = 1;
267 goto cleanup;
268 }
269
270 ret = _nc_server_config_new_tls_client_certificate(ctx, path, cert_path, config);
271 if (ret) {
272 ERR(NULL, "Creating new CH TLS client certificate YANG data failed.");
273 goto cleanup;
274 }
275
276cleanup:
277 free(path);
278 return ret;
279}
280
281API int
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]282nc_server_config_new_ch_tls_del_client_certificate(const char *ch_client_name, const char *endpt_name,
283 const char *cert_name, struct lyd_node **config)
284{
285 NC_CHECK_ARG_RET(NULL, ch_client_name, endpt_name, config, 1);
286
287 if (cert_name) {
288 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
289 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
290 "inline-definition/certificate[name='%s']", ch_client_name, endpt_name, cert_name);
291 } else {
292 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
293 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
294 "inline-definition/certificate", ch_client_name, endpt_name);
295 }
296}
297
298API int
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]299nc_server_config_new_tls_client_ca(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
300 const char *cert_path, struct lyd_node **config)
301{
302 int ret = 0;
303 char *path = NULL;
304
305 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);
306
307 if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
308 "client-authentication/ca-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name) == -1) {
309 ERRMEM;
310 path = NULL;
311 ret = 1;
312 goto cleanup;
313 }
314
315 ret = _nc_server_config_new_tls_client_certificate(ctx, path, cert_path, config);
316 if (ret) {
317 ERR(NULL, "Creating new TLS client certificate authority YANG data failed.");
318 goto cleanup;
319 }
320
321cleanup:
322 free(path);
323 return ret;
324}
325
326API int
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]327nc_server_config_new_tls_del_client_ca(const char *endpt_name, const char *cert_name, struct lyd_node **config)
328{
329 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
330
331 if (cert_name) {
332 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
333 "tls-server-parameters/client-authentication/ca-certs/inline-definition/"
334 "certificate[name='%s']", endpt_name, cert_name);
335 } else {
336 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
337 "tls-server-parameters/client-authentication/ca-certs/inline-definition/"
338 "certificate", endpt_name);
339 }
340}
341
342API int
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]343nc_server_config_new_ch_tls_client_ca(const struct ly_ctx *ctx, const char *ch_client_name, const char *endpt_name,
344 const char *cert_name, const char *cert_path, struct lyd_node **config)
345{
346 int ret = 0;
347 char *path = NULL;
348
349 NC_CHECK_ARG_RET(NULL, ctx, ch_client_name, endpt_name, cert_name, cert_path, 1);
350 NC_CHECK_ARG_RET(NULL, config, 1);
351
352 if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
353 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
354 "inline-definition/certificate[name='%s']", ch_client_name, endpt_name, cert_name) == -1) {
355 ERRMEM;
356 path = NULL;
357 ret = 1;
358 goto cleanup;
359 }
360
361 ret = _nc_server_config_new_tls_client_certificate(ctx, path, cert_path, config);
362 if (ret) {
363 ERR(NULL, "Creating new CH TLS client certificate authority YANG data failed.");
364 goto cleanup;
365 }
366
367cleanup:
368 free(path);
roman3f9b65c2023-06-05 14:26:58 +0200[diff] [blame]369 return ret;
370}
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]371
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]372API int
373nc_server_config_new_ch_tls_del_client_ca(const char *ch_client_name, const char *endpt_name,
374 const char *cert_name, struct lyd_node **config)
375{
376 NC_CHECK_ARG_RET(NULL, ch_client_name, endpt_name, config, 1);
377
378 if (cert_name) {
379 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
380 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
381 "inline-definition/certificate[name='%s']", ch_client_name, endpt_name, cert_name);
382 } else {
383 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
384 "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
385 "inline-definition/certificate", ch_client_name, endpt_name);
386 }
387}
388
romand30af552023-06-16 15:18:27 +0200[diff] [blame]389static const char *
390nc_config_new_tls_maptype2str(NC_TLS_CTN_MAPTYPE map_type)
391{
392 switch (map_type) {
393 case NC_TLS_CTN_SPECIFIED:
394 return "ietf-x509-cert-to-name:specified";
395 case NC_TLS_CTN_SAN_RFC822_NAME:
396 return "ietf-x509-cert-to-name:san-rfc822-name";
397 case NC_TLS_CTN_SAN_DNS_NAME:
398 return "ietf-x509-cert-to-name:san-dns-name";
399 case NC_TLS_CTN_SAN_IP_ADDRESS:
400 return "ietf-x509-cert-to-name:san-ip-address";
401 case NC_TLS_CTN_SAN_ANY:
402 return "ietf-x509-cert-to-name:san-any";
403 case NC_TLS_CTN_COMMON_NAME:
404 return "ietf-x509-cert-to-name:common-name";
405 case NC_TLS_CTN_UNKNOWN:
406 default:
407 ERR(NULL, "Unknown map_type.");
408 return NULL;
409 }
410}
411
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]412static int
413_nc_server_config_new_tls_ctn(const struct ly_ctx *ctx, const char *tree_path, const char *fingerprint,
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]414 NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
415{
416 int ret = 0;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]417 const char *map;
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]418
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]419 if (fingerprint) {
romand30af552023-06-16 15:18:27 +0200[diff] [blame]420 /* optional */
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]421 ret = nc_config_new_create_append(ctx, tree_path, "fingerprint", fingerprint, config);
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]422 if (ret) {
423 goto cleanup;
424 }
425 }
426
romand30af552023-06-16 15:18:27 +0200[diff] [blame]427 /* get map str */
428 map = nc_config_new_tls_maptype2str(map_type);
429 if (!map) {
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]430 ret = 1;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]431 goto cleanup;
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]432 }
romand30af552023-06-16 15:18:27 +0200[diff] [blame]433
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]434 ret = nc_config_new_create_append(ctx, tree_path, "map-type", map, config);
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]435 if (ret) {
436 goto cleanup;
437 }
438
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]439 ret = nc_config_new_create_append(ctx, tree_path, "name", name, config);
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]440 if (ret) {
441 goto cleanup;
442 }
443
444cleanup:
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]445 return ret;
446}
447
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]448API int
449nc_server_config_new_tls_ctn(const struct ly_ctx *ctx, const char *endpt_name, uint32_t id, const char *fingerprint,
450 NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
451{
452 int ret = 0;
453 char *path = NULL;
454
455 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, id, name, config, 1);
456
457 if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/netconf-server-parameters/"
458 "client-identity-mappings/cert-to-name[id='%u']", endpt_name, id) == -1) {
459 ERRMEM;
460 path = NULL;
461 ret = 1;
462 goto cleanup;
463 }
464
465 ret = _nc_server_config_new_tls_ctn(ctx, path, fingerprint, map_type, name, config);
466 if (ret) {
467 ERR(NULL, "Creating new TLS cert-to-name YANG data failed.");
468 goto cleanup;
469 }
470
471cleanup:
472 free(path);
473 return ret;
474}
475
476API int
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]477nc_server_config_new_tls_del_ctn(const char *endpt_name, uint32_t id, struct lyd_node **config)
478{
479 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
480
481 if (id) {
482 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
483 "netconf-server-parameters/client-identity-mappings/cert-to-name[id='%u']", endpt_name, id);
484 } else {
485 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
486 "netconf-server-parameters/client-identity-mappings/cert-to-name", endpt_name);
487 }
488}
489
490API int
romanb6f44032023-06-30 15:07:56 +0200[diff] [blame]491nc_server_config_new_ch_tls_ctn(const struct ly_ctx *ctx, const char *ch_client_name, const char *endpt_name,
492 uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
493{
494 int ret = 0;
495 char *path = NULL;
496
497 NC_CHECK_ARG_RET(NULL, ch_client_name, endpt_name, id, name, config, 1);
498
499 if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
500 "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
501 "cert-to-name[id='%u']", ch_client_name, endpt_name, id) == -1) {
502 ERRMEM;
503 path = NULL;
504 ret = 1;
505 goto cleanup;
506 }
507
508 ret = _nc_server_config_new_tls_ctn(ctx, path, fingerprint, map_type, name, config);
509 if (ret) {
510 ERR(NULL, "Creating new TLS cert-to-name YANG data failed.");
511 goto cleanup;
512 }
513
514cleanup:
515 free(path);
516 return ret;
517}
518
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]519API int
520nc_server_config_new_ch_tls_del_ctn(const char *ch_client_name, const char *endpt_name,
521 uint32_t id, struct lyd_node **config)
522{
523 NC_CHECK_ARG_RET(NULL, ch_client_name, endpt_name, config, 1);
524
525 if (id) {
526 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
527 "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
528 "cert-to-name[id='%u']", ch_client_name, endpt_name, id);
529 } else {
530 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
531 "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
532 "cert-to-name", ch_client_name, endpt_name);
533 }
534}
535
romand30af552023-06-16 15:18:27 +0200[diff] [blame]536static const char *
537nc_config_new_tls_tlsversion2str(NC_TLS_VERSION version)
538{
539 switch (version) {
540 case NC_TLS_VERSION_10:
541 return "ietf-tls-common:tls10";
542 case NC_TLS_VERSION_11:
543 return "ietf-tls-common:tls11";
544 case NC_TLS_VERSION_12:
545 return "ietf-tls-common:tls12";
546 case NC_TLS_VERSION_13:
547 return "ietf-tls-common:tls13";
548 default:
549 ERR(NULL, "Unknown TLS version.");
550 return NULL;
551 }
552}
553
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]554API int
555nc_server_config_new_tls_version(const struct ly_ctx *ctx, const char *endpt_name,
556 NC_TLS_VERSION tls_version, struct lyd_node **config)
557{
558 int ret = 0;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]559 const char *version;
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]560
561 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);
562
romand30af552023-06-16 15:18:27 +0200[diff] [blame]563 version = nc_config_new_tls_tlsversion2str(tls_version);
564 if (!version) {
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]565 ret = 1;
566 goto cleanup;
567 }
568
roman5cbb6532023-06-22 12:53:17 +0200[diff] [blame]569 ret = nc_config_new_create(ctx, config, version, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
romand30af552023-06-16 15:18:27 +0200[diff] [blame]570 "hello-params/tls-versions/tls-version", endpt_name);
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]571
572cleanup:
573 return ret;
574}
575
576API int
577nc_server_config_new_tls_del_version(const char *endpt_name, NC_TLS_VERSION tls_version, struct lyd_node **config)
578{
579 int ret = 0;
580 const char *version;
581
582 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
583
584 version = nc_config_new_tls_tlsversion2str(tls_version);
585 if (!version) {
586 ret = 1;
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]587 goto cleanup;
588 }
589
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]590 ret = nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
591 "tls-server-parameters/hello-params/tls-versions/tls-version[.='%s']", endpt_name, version);
592
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]593cleanup:
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]594 return ret;
595}
596
597API int
598nc_server_config_new_tls_ciphers(const struct ly_ctx *ctx, const char *endpt_name, struct lyd_node **config,
roman08f67f42023-06-08 13:51:54 +0200[diff] [blame]599 int cipher_count, ...)
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]600{
601 int ret = 0;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]602 struct lyd_node *old = NULL;
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]603 va_list ap;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]604 char *cipher = NULL, *cipher_ident = NULL, *old_path = NULL;
roman08f67f42023-06-08 13:51:54 +0200[diff] [blame]605 int i;
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]606
607 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);
608
romand30af552023-06-16 15:18:27 +0200[diff] [blame]609 va_start(ap, cipher_count);
610
611 ret = asprintf(&old_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
612 "tls/tls-server-parameters/hello-params/cipher-suites", endpt_name);
613 if (ret == -1) {
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]614 ERRMEM;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]615 old_path = NULL;
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]616 goto cleanup;
617 }
618
619 /* delete all older algorithms (if any) se they can be replaced by the new ones */
romand30af552023-06-16 15:18:27 +0200[diff] [blame]620 ret = lyd_find_path(*config, old_path, 0, &old);
621 if (!ret) {
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]622 lyd_free_tree(old);
623 }
624
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]625 for (i = 0; i < cipher_count; i++) {
626 cipher = va_arg(ap, char *);
627
romand30af552023-06-16 15:18:27 +0200[diff] [blame]628 ret = asprintf(&cipher_ident, "iana-tls-cipher-suite-algs:%s", cipher);
629 if (ret == -1) {
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]630 ERRMEM;
631 ret = 1;
632 goto cleanup;
633 }
634
roman5cbb6532023-06-22 12:53:17 +0200[diff] [blame]635 ret = nc_config_new_create(ctx, config, cipher_ident, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
roman2e797ef2023-06-19 10:47:49 +0200[diff] [blame]636 "tls/tls-server-parameters/hello-params/cipher-suites/cipher-suite", endpt_name);
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]637 if (ret) {
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]638 goto cleanup;
639 }
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]640
romand30af552023-06-16 15:18:27 +0200[diff] [blame]641 free(cipher_ident);
642 cipher_ident = NULL;
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]643 }
644
645cleanup:
646 va_end(ap);
romand30af552023-06-16 15:18:27 +0200[diff] [blame]647 free(old_path);
roman12644fe2023-06-08 11:06:42 +0200[diff] [blame]648 return ret;
649}
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]650
651API int
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]652nc_server_config_new_tls_del_cipher(const char *endpt_name, const char *cipher, struct lyd_node **config)
653{
654 NC_CHECK_ARG_RET(NULL, endpt_name, cipher, config, 1);
655
656 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
657 "tls/tls-server-parameters/hello-params/cipher-suites/"
658 "cipher-suite[.='iana-tls-cipher-suite-algs:%s']", endpt_name, cipher);
659}
660
661API int
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]662nc_server_config_new_tls_crl_path(const struct ly_ctx *ctx, const char *endpt_name, const char *path, struct lyd_node **config)
663{
664 int ret = 0;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]665 struct lyd_node *node = NULL;
666 char *url_path = NULL, *ext_path = NULL;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]667
668 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, path, config, 1);
669
roman5cbb6532023-06-22 12:53:17 +0200[diff] [blame]670 ret = nc_config_new_create(ctx, config, path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
romand30af552023-06-16 15:18:27 +0200[diff] [blame]671 "client-authentication/libnetconf2-netconf-server:crl-path", endpt_name);
672 if (ret) {
673 goto cleanup;
674 }
675
676 if (asprintf(&url_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
677 "client-authentication/libnetconf2-netconf-server:crl-url", endpt_name) == -1) {
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]678 ERRMEM;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]679 url_path = NULL;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]680 ret = 1;
681 goto cleanup;
682 }
683
romand30af552023-06-16 15:18:27 +0200[diff] [blame]684 if (asprintf(&ext_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
685 "client-authentication/libnetconf2-netconf-server:crl-cert-ext", endpt_name) == -1) {
686 ERRMEM;
687 ext_path = NULL;
688 ret = 1;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]689 goto cleanup;
690 }
691
692 /* delete other choice nodes if they are present */
romand30af552023-06-16 15:18:27 +0200[diff] [blame]693 ret = lyd_find_path(*config, url_path, 0, &node);
694 if (!ret) {
695 lyd_free_tree(node);
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]696 }
romand30af552023-06-16 15:18:27 +0200[diff] [blame]697 ret = lyd_find_path(*config, ext_path, 0, &node);
698 if (!ret) {
699 lyd_free_tree(node);
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]700 }
romand30af552023-06-16 15:18:27 +0200[diff] [blame]701 /* don't care about the return values from lyd_find_path */
702 ret = 0;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]703
704cleanup:
romand30af552023-06-16 15:18:27 +0200[diff] [blame]705 free(url_path);
706 free(ext_path);
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]707 return ret;
708}
709
710API int
711nc_server_config_new_tls_crl_url(const struct ly_ctx *ctx, const char *endpt_name, const char *url, struct lyd_node **config)
712{
713 int ret = 0;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]714 struct lyd_node *node = NULL;
715 char *crl_path = NULL, *ext_path = NULL;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]716
717 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, url, config, 1);
718
roman5cbb6532023-06-22 12:53:17 +0200[diff] [blame]719 ret = nc_config_new_create(ctx, config, url, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
romand30af552023-06-16 15:18:27 +0200[diff] [blame]720 "client-authentication/libnetconf2-netconf-server:crl-url", endpt_name);
721 if (ret) {
722 goto cleanup;
723 }
724
725 if (asprintf(&crl_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
726 "client-authentication/libnetconf2-netconf-server:crl-path", endpt_name) == -1) {
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]727 ERRMEM;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]728 crl_path = NULL;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]729 ret = 1;
730 goto cleanup;
731 }
732
romand30af552023-06-16 15:18:27 +0200[diff] [blame]733 if (asprintf(&ext_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
734 "client-authentication/libnetconf2-netconf-server:crl-cert-ext", endpt_name) == -1) {
735 ERRMEM;
736 ext_path = NULL;
737 ret = 1;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]738 goto cleanup;
739 }
740
741 /* delete other choice nodes if they are present */
romand30af552023-06-16 15:18:27 +0200[diff] [blame]742 ret = lyd_find_path(*config, crl_path, 0, &node);
743 if (!ret) {
744 lyd_free_tree(node);
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]745 }
romand30af552023-06-16 15:18:27 +0200[diff] [blame]746 ret = lyd_find_path(*config, ext_path, 0, &node);
747 if (!ret) {
748 lyd_free_tree(node);
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]749 }
romand30af552023-06-16 15:18:27 +0200[diff] [blame]750 /* don't care about the return values from lyd_find_path */
751 ret = 0;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]752
753cleanup:
romand30af552023-06-16 15:18:27 +0200[diff] [blame]754 free(crl_path);
755 free(ext_path);
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]756 return ret;
757}
758
759API int
760nc_server_config_new_tls_crl_cert_ext(const struct ly_ctx *ctx, const char *endpt_name, struct lyd_node **config)
761{
762 int ret = 0;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]763 struct lyd_node *node = NULL;
764 char *crl_path = NULL, *url_path = NULL;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]765
roman5cbb6532023-06-22 12:53:17 +0200[diff] [blame]766 ret = nc_config_new_create(ctx, config, NULL, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
romand30af552023-06-16 15:18:27 +0200[diff] [blame]767 "client-authentication/libnetconf2-netconf-server:crl-cert-ext", endpt_name);
768 if (ret) {
769 goto cleanup;
770 }
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]771
romand30af552023-06-16 15:18:27 +0200[diff] [blame]772 if (asprintf(&crl_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
773 "client-authentication/libnetconf2-netconf-server:crl-path", endpt_name) == -1) {
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]774 ERRMEM;
romand30af552023-06-16 15:18:27 +0200[diff] [blame]775 crl_path = NULL;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]776 ret = 1;
777 goto cleanup;
778 }
779
romand30af552023-06-16 15:18:27 +0200[diff] [blame]780 if (asprintf(&url_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
781 "client-authentication/libnetconf2-netconf-server:crl-url", endpt_name) == -1) {
782 ERRMEM;
783 url_path = NULL;
784 ret = 1;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]785 goto cleanup;
786 }
787
788 /* delete other choice nodes if they are present */
romand30af552023-06-16 15:18:27 +0200[diff] [blame]789 ret = lyd_find_path(*config, crl_path, 0, &node);
790 if (!ret) {
791 lyd_free_tree(node);
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]792 }
romand30af552023-06-16 15:18:27 +0200[diff] [blame]793 ret = lyd_find_path(*config, url_path, 0, &node);
794 if (!ret) {
795 lyd_free_tree(node);
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]796 }
romand30af552023-06-16 15:18:27 +0200[diff] [blame]797 /* don't care about the return values from lyd_find_path */
798 ret = 0;
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]799
800cleanup:
romand30af552023-06-16 15:18:27 +0200[diff] [blame]801 free(crl_path);
802 free(url_path);
romanfaecc582023-06-15 16:13:31 +0200[diff] [blame]803 return ret;
804}
roman2e797ef2023-06-19 10:47:49 +0200[diff] [blame]805
806API int
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]807nc_server_config_new_tls_del_crl(const char *endpt_name, struct lyd_node **config)
808{
809 int ret = 0;
810
811 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
812
813 ret = nc_config_new_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
814 "client-authentication/libnetconf2-netconf-server:crl-path", endpt_name);
815 if (ret) {
816 goto cleanup;
817 }
818
819 ret = nc_config_new_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
820 "client-authentication/libnetconf2-netconf-server:crl-url", endpt_name);
821 if (ret) {
822 goto cleanup;
823 }
824
825 ret = nc_config_new_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
826 "client-authentication/libnetconf2-netconf-server:crl-cert-ext", endpt_name);
827 if (ret) {
828 goto cleanup;
829 }
830
831cleanup:
832 return ret;
833}
834
835API int
roman2e797ef2023-06-19 10:47:49 +0200[diff] [blame]836nc_config_new_tls_endpoint_client_reference(const struct ly_ctx *ctx, const char *endpt_name, const char *referenced_endpt, struct lyd_node **config)
837{
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]838 NC_CHECK_ARG_RET(NULL, ctx, endpt_name, referenced_endpt, config, 1);
839
roman5cbb6532023-06-22 12:53:17 +0200[diff] [blame]840 return nc_config_new_create(ctx, config, referenced_endpt, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
roman2e797ef2023-06-19 10:47:49 +0200[diff] [blame]841 "client-authentication/libnetconf2-netconf-server:endpoint-client-auth", endpt_name);
842}
roman8ba6efa2023-07-12 15:27:52 +0200[diff] [blame^]843
844API int
845nc_config_new_tls_del_endpoint_client_reference(const char *endpt_name, struct lyd_node **config)
846{
847 NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
848
849 return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
850 "client-authentication/libnetconf2-netconf-server:endpoint-client-auth", endpt_name);
851}