/**
 * @file config_new_tls.c
 * @author Roman Janota <janota@cesnet.cz>
 * @brief libnetconf2 TLS server new configuration creation functions
 *
 * @copyright
 * Copyright (c) 2023 CESNET, z.s.p.o.
 *
 * This source code is licensed under BSD 3-Clause License (the "License").
 * You may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://opensource.org/licenses/BSD-3-Clause
 */
15
#define _GNU_SOURCE

#include <inttypes.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <libyang/libyang.h>

#include "compat.h"
#include "config.h"
#include "config_new.h"
#include "log_p.h"
#include "server_config.h"
#include "session.h"
#include "session_p.h"
33
/**
 * @brief Append the server-identity key pair and certificate leaves under @p tree_path.
 *
 * Reads the keys and the certificate from the given files and appends the public-key-format,
 * public-key, private-key-format, cleartext-private-key and cert-data leaves to @p config.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the certificate inline-definition node the leaves are appended to.
 * @param[in] pubkey_path Path to the public key file, handed to nc_server_config_new_get_keys().
 * @param[in] privkey_path Path to the private key file.
 * @param[in] certificate_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
static int
_nc_server_config_new_tls_server_certificate(const struct ly_ctx *ctx, const char *tree_path, const char *pubkey_path,
        const char *privkey_path, const char *certificate_path, struct lyd_node **config)
{
    int rc = 0;
    char *privkey = NULL, *pubkey = NULL, *cert = NULL;
    const char *privkey_format = NULL, *pubkey_format = NULL;
    NC_PRIVKEY_FORMAT privkey_type;
    NC_PUBKEY_FORMAT pubkey_type;

    /* key material as strings, together with the detected formats */
    rc = nc_server_config_new_get_keys(privkey_path, pubkey_path, &privkey, &pubkey, &privkey_type, &pubkey_type);
    if (rc) {
        ERR(NULL, "Getting keys from file(s) failed.");
        goto cleanup;
    }

    /* certificate as a string */
    rc = nc_server_config_new_read_certificate(certificate_path, &cert);
    if (rc) {
        ERR(NULL, "Getting certificate from file \"%s\" failed.", certificate_path);
        goto cleanup;
    }

    /* identityref values of both key formats: X.509 SubjectPublicKeyInfo or SSH public key */
    pubkey_format = (pubkey_type == NC_PUBKEY_FORMAT_X509) ?
            "ietf-crypto-types:public-key-info-format" : "ietf-crypto-types:ssh-public-key-format";
    privkey_format = nc_config_new_privkey_format_to_identityref(privkey_type);
    if (!privkey_format) {
        rc = 1;
        goto cleanup;
    }

    /* append the leaves one by one, the first failure stops the chain */
    if ((rc = nc_config_new_create_append(ctx, tree_path, "public-key-format", pubkey_format, config)) ||
            (rc = nc_config_new_create_append(ctx, tree_path, "public-key", pubkey, config)) ||
            (rc = nc_config_new_create_append(ctx, tree_path, "private-key-format", privkey_format, config)) ||
            (rc = nc_config_new_create_append(ctx, tree_path, "cleartext-private-key", privkey, config)) ||
            (rc = nc_config_new_create_append(ctx, tree_path, "cert-data", cert, config))) {
        goto cleanup;
    }

cleanup:
    /* NOTE(review): privkey holds the cleartext private key and is released with plain free();
     * the same value is also stored in the "cleartext-private-key" leaf of config, so wiping
     * this copy alone would not remove the key from process memory. */
    free(privkey);
    free(pubkey);
    free(cert);
    return rc;
}
103
/**
 * @brief Create YANG data for the server's own certificate of a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint; inserted verbatim into an XPath predicate,
 * so a name containing an apostrophe malforms the path.
 * @param[in] pubkey_path Path to the public key file, not checked for NULL here.
 * @param[in] privkey_path Path to the private key file.
 * @param[in] certificate_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_server_certificate(const struct ly_ctx *ctx, const char *endpt_name, const char *pubkey_path,
        const char *privkey_path, const char *certificate_path, struct lyd_node **config)
{
    int rc;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, privkey_path, certificate_path, config, 1);

    /* inline-definition node of the endpoint's server-identity certificate */
    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
            "tls/tls-server-parameters/server-identity/certificate/inline-definition", endpt_name);
    if (rc == -1) {
        /* buffer contents are undefined after a failed asprintf() */
        ERRMEM;
        xpath = NULL;
        rc = 1;
        goto cleanup;
    }

    rc = _nc_server_config_new_tls_server_certificate(ctx, xpath, pubkey_path, privkey_path, certificate_path, config);
    if (rc) {
        ERR(NULL, "Creating new TLS server certificate YANG data failed.");
    }

cleanup:
    free(xpath);
    return rc;
}
132
/**
 * @brief Delete the server's own certificate (inline-definition) of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint, inserted verbatim into the XPath predicate.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_del_server_certificate(const char *endpt_name, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    rc = nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
            "tls/tls-server-parameters/server-identity/certificate/inline-definition", endpt_name);
    return rc;
}
141
/**
 * @brief Create YANG data for the server's own certificate of a Call-Home client endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into an XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into an XPath predicate.
 * @param[in] pubkey_path Path to the public key file, not checked for NULL here.
 * @param[in] privkey_path Path to the private key file.
 * @param[in] certificate_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_server_certificate(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *pubkey_path, const char *privkey_path, const char *certificate_path, struct lyd_node **config)
{
    int rc;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, privkey_path, certificate_path, 1);
    NC_CHECK_ARG_RET(NULL, config, 1);

    /* inline-definition node of the Call-Home endpoint's server-identity certificate */
    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/"
            "certificate/inline-definition", client_name, endpt_name);
    if (rc == -1) {
        ERRMEM;
        xpath = NULL;
        rc = 1;
        goto cleanup;
    }

    rc = _nc_server_config_new_tls_server_certificate(ctx, xpath, pubkey_path, privkey_path, certificate_path, config);
    if (rc) {
        ERR(NULL, "Creating new CH TLS server certificate YANG data failed.");
    }

cleanup:
    free(xpath);
    return rc;
}
172
/**
 * @brief Delete the server's own certificate (inline-definition) of a Call-Home client endpoint.
 *
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into the XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into the XPath predicate.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_del_server_certificate(const char *client_name, const char *endpt_name,
        struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    rc = nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/server-identity/"
            "certificate/inline-definition", client_name, endpt_name);
    return rc;
}
183
/**
 * @brief Read a certificate file and append its data as a cert-data leaf under @p tree_path.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the certificate node the cert-data leaf is appended to.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
static int
_nc_server_config_new_tls_client_certificate(const struct ly_ctx *ctx, const char *tree_path,
        const char *cert_path, struct lyd_node **config)
{
    int rc;
    char *cert_data = NULL;

    rc = nc_server_config_new_read_certificate(cert_path, &cert_data);
    if (rc) {
        ERR(NULL, "Getting certificate from file \"%s\" failed.", cert_path);
    } else {
        rc = nc_config_new_create_append(ctx, tree_path, "cert-data", cert_data, config);
    }

    free(cert_data);
    return rc;
}
206
/**
 * @brief Create YANG data for a trusted end-entity client certificate of a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint, inserted verbatim into an XPath predicate.
 * @param[in] cert_name Arbitrary name of the certificate entry, inserted verbatim into an XPath predicate.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_client_certificate(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
        const char *cert_path, struct lyd_node **config)
{
    int rc;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);

    /* ee-certs entry of the endpoint's client-authentication */
    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ee-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name);
    if (rc == -1) {
        ERRMEM;
        xpath = NULL;
        rc = 1;
        goto cleanup;
    }

    rc = _nc_server_config_new_tls_client_certificate(ctx, xpath, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new TLS client certificate YANG data failed.");
    }

cleanup:
    free(xpath);
    return rc;
}
234
/**
 * @brief Delete trusted end-entity client certificate(s) of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint, inserted verbatim into the XPath predicate.
 * @param[in] cert_name Name of the certificate entry to delete; if NULL, the path addresses the
 * whole certificate list of the endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_del_client_certificate(const char *endpt_name, const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    /* one named entry, or the list as a whole */
    return cert_name ?
           nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
                   "tls-server-parameters/client-authentication/ee-certs/inline-definition/"
                   "certificate[name='%s']", endpt_name, cert_name) :
           nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
                   "tls-server-parameters/client-authentication/ee-certs/inline-definition/"
                   "certificate", endpt_name);
}
250
/**
 * @brief Create YANG data for a trusted end-entity client certificate of a Call-Home client endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into an XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into an XPath predicate.
 * @param[in] cert_name Arbitrary name of the certificate entry, inserted verbatim into an XPath predicate.
 * @param[in] cert_path Path to the certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_client_certificate(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *cert_name, const char *cert_path, struct lyd_node **config)
{
    int rc;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_name, cert_path, 1);
    NC_CHECK_ARG_RET(NULL, config, 1);

    /* ee-certs entry of the Call-Home endpoint's client-authentication */
    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
            "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name);
    if (rc == -1) {
        ERRMEM;
        xpath = NULL;
        rc = 1;
        goto cleanup;
    }

    rc = _nc_server_config_new_tls_client_certificate(ctx, xpath, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new CH TLS client certificate YANG data failed.");
    }

cleanup:
    free(xpath);
    return rc;
}
280
/**
 * @brief Delete trusted end-entity client certificate(s) of a Call-Home client endpoint.
 *
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into the XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into the XPath predicate.
 * @param[in] cert_name Name of the certificate entry to delete; if NULL, the path addresses the
 * whole certificate list of the endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_del_client_certificate(const char *client_name, const char *endpt_name,
        const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    /* one named entry, or the list as a whole */
    return cert_name ?
           nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                   "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
                   "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name) :
           nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                   "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ee-certs/"
                   "inline-definition/certificate", client_name, endpt_name);
}
297
/**
 * @brief Create YANG data for a client certificate authority (ca-certs) of a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint, inserted verbatim into an XPath predicate.
 * @param[in] cert_name Arbitrary name of the CA certificate entry, inserted verbatim into an XPath predicate.
 * @param[in] cert_path Path to the CA certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_client_ca(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
        const char *cert_path, struct lyd_node **config)
{
    int rc;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_name, cert_path, config, 1);

    /* ca-certs entry of the endpoint's client-authentication */
    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/ca-certs/inline-definition/certificate[name='%s']", endpt_name, cert_name);
    if (rc == -1) {
        ERRMEM;
        xpath = NULL;
        rc = 1;
        goto cleanup;
    }

    /* same leaf layout as an end-entity certificate, only the parent differs */
    rc = _nc_server_config_new_tls_client_certificate(ctx, xpath, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new TLS client certificate authority YANG data failed.");
    }

cleanup:
    free(xpath);
    return rc;
}
325
/**
 * @brief Delete client certificate authority (ca-certs) entries of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint, inserted verbatim into the XPath predicate.
 * @param[in] cert_name Name of the CA entry to delete; if NULL, the path addresses the whole
 * certificate list of the endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_del_client_ca(const char *endpt_name, const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    /* one named entry, or the list as a whole */
    return cert_name ?
           nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
                   "tls-server-parameters/client-authentication/ca-certs/inline-definition/"
                   "certificate[name='%s']", endpt_name, cert_name) :
           nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
                   "tls-server-parameters/client-authentication/ca-certs/inline-definition/"
                   "certificate", endpt_name);
}
341
/**
 * @brief Create YANG data for a client certificate authority (ca-certs) of a Call-Home client endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into an XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into an XPath predicate.
 * @param[in] cert_name Arbitrary name of the CA certificate entry, inserted verbatim into an XPath predicate.
 * @param[in] cert_path Path to the CA certificate file.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_client_ca(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *cert_name, const char *cert_path, struct lyd_node **config)
{
    int rc;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cert_name, cert_path, 1);
    NC_CHECK_ARG_RET(NULL, config, 1);

    /* ca-certs entry of the Call-Home endpoint's client-authentication */
    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
            "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name);
    if (rc == -1) {
        ERRMEM;
        xpath = NULL;
        rc = 1;
        goto cleanup;
    }

    rc = _nc_server_config_new_tls_client_certificate(ctx, xpath, cert_path, config);
    if (rc) {
        ERR(NULL, "Creating new CH TLS client certificate authority YANG data failed.");
    }

cleanup:
    free(xpath);
    return rc;
}
roman12644fe2023-06-08 11:06:42 +0200371
/**
 * @brief Delete client certificate authority (ca-certs) entries of a Call-Home client endpoint.
 *
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into the XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into the XPath predicate.
 * @param[in] cert_name Name of the CA entry to delete; if NULL, the path addresses the whole
 * certificate list of the endpoint.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_del_client_ca(const char *client_name, const char *endpt_name,
        const char *cert_name, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    /* one named entry, or the list as a whole */
    return cert_name ?
           nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                   "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
                   "inline-definition/certificate[name='%s']", client_name, endpt_name, cert_name) :
           nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                   "endpoints/endpoint[name='%s']/tls/tls-server-parameters/client-authentication/ca-certs/"
                   "inline-definition/certificate", client_name, endpt_name);
}
388
/**
 * @brief Map a cert-to-name map type to its ietf-x509-cert-to-name identityref string.
 *
 * @param[in] map_type Map type to convert.
 * @return Static identityref string, NULL (with an error logged) for NC_TLS_CTN_UNKNOWN or any
 * value outside the enumeration.
 */
static const char *
nc_config_new_tls_maptype2str(NC_TLS_CTN_MAPTYPE map_type)
{
    const char *ident = NULL;

    switch (map_type) {
    case NC_TLS_CTN_SPECIFIED:
        ident = "ietf-x509-cert-to-name:specified";
        break;
    case NC_TLS_CTN_SAN_RFC822_NAME:
        ident = "ietf-x509-cert-to-name:san-rfc822-name";
        break;
    case NC_TLS_CTN_SAN_DNS_NAME:
        ident = "ietf-x509-cert-to-name:san-dns-name";
        break;
    case NC_TLS_CTN_SAN_IP_ADDRESS:
        ident = "ietf-x509-cert-to-name:san-ip-address";
        break;
    case NC_TLS_CTN_SAN_ANY:
        ident = "ietf-x509-cert-to-name:san-any";
        break;
    case NC_TLS_CTN_COMMON_NAME:
        ident = "ietf-x509-cert-to-name:common-name";
        break;
    case NC_TLS_CTN_UNKNOWN:
    default:
        /* the "unknown" member is deliberately rejected, not mapped */
        break;
    }

    if (!ident) {
        ERR(NULL, "Unknown map_type.");
    }
    return ident;
}
411
/**
 * @brief Append the leaves of one cert-to-name entry under @p tree_path.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the cert-to-name list entry.
 * @param[in] fingerprint Certificate fingerprint; the fingerprint leaf is only appended when non-NULL.
 * @param[in] map_type How the certificate is mapped to a NETCONF username.
 * @param[in] name Value of the name leaf (its meaning depends on @p map_type).
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
static int
_nc_server_config_new_tls_ctn(const struct ly_ctx *ctx, const char *tree_path, const char *fingerprint,
        NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    int rc = 0;
    const char *map_ident;

    /* fingerprint leaf only when one was supplied */
    if (fingerprint) {
        rc = nc_config_new_create_append(ctx, tree_path, "fingerprint", fingerprint, config);
        if (rc) {
            return rc;
        }
    }

    /* map-type identityref; the helper logs the error for unknown values */
    map_ident = nc_config_new_tls_maptype2str(map_type);
    if (!map_ident) {
        return 1;
    }

    rc = nc_config_new_create_append(ctx, tree_path, "map-type", map_ident, config);
    if (!rc) {
        rc = nc_config_new_create_append(ctx, tree_path, "name", name, config);
    }

    return rc;
}
447
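/**
 * @brief Create YANG data for a cert-to-name entry of a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint, inserted verbatim into an XPath predicate.
 * @param[in] id Key of the cert-to-name list entry, must be non-zero.
 * @param[in] fingerprint Certificate fingerprint, may be NULL.
 * @param[in] map_type How the certificate is mapped to a NETCONF username.
 * @param[in] name Value of the name leaf.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_ctn(const struct ly_ctx *ctx, const char *endpt_name, uint32_t id, const char *fingerprint,
        NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    int ret = 0;
    char *path = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, id, name, config, 1);

    /* PRIu32 instead of %u: id is uint32_t, which need not be unsigned int on every target */
    if (asprintf(&path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/netconf-server-parameters/"
            "client-identity-mappings/cert-to-name[id='%" PRIu32 "']", endpt_name, id) == -1) {
        ERRMEM;
        path = NULL;
        ret = 1;
        goto cleanup;
    }

    ret = _nc_server_config_new_tls_ctn(ctx, path, fingerprint, map_type, name, config);
    if (ret) {
        ERR(NULL, "Creating new TLS cert-to-name YANG data failed.");
        goto cleanup;
    }

cleanup:
    free(path);
    return ret;
}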
475
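/**
 * @brief Delete cert-to-name entries of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint, inserted verbatim into the XPath predicate.
 * @param[in] id Key of the entry to delete; 0 makes the path address the whole cert-to-name list.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_del_ctn(const char *endpt_name, uint32_t id, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    if (id) {
        /* PRIu32 instead of %u: id is uint32_t, which need not be unsigned int on every target */
        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
                "netconf-server-parameters/client-identity-mappings/cert-to-name[id='%" PRIu32 "']", endpt_name, id);
    } else {
        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
                "netconf-server-parameters/client-identity-mappings/cert-to-name", endpt_name);
    }
}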
489
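/**
 * @brief Create YANG data for a cert-to-name entry of a Call-Home client endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into an XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into an XPath predicate.
 * @param[in] id Key of the cert-to-name list entry, must be non-zero.
 * @param[in] fingerprint Certificate fingerprint, may be NULL.
 * @param[in] map_type How the certificate is mapped to a NETCONF username.
 * @param[in] name Value of the name leaf.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_ctn(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        uint32_t id, const char *fingerprint, NC_TLS_CTN_MAPTYPE map_type, const char *name, struct lyd_node **config)
{
    int ret = 0;
    char *path = NULL;

    /* ctx was not checked before, unlike in the listen variant; split like the other CH functions */
    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, id, name, 1);
    NC_CHECK_ARG_RET(NULL, config, 1);

    /* PRIu32 instead of %u: id is uint32_t, which need not be unsigned int on every target */
    if (asprintf(&path, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
            "cert-to-name[id='%" PRIu32 "']", client_name, endpt_name, id) == -1) {
        ERRMEM;
        path = NULL;
        ret = 1;
        goto cleanup;
    }

    ret = _nc_server_config_new_tls_ctn(ctx, path, fingerprint, map_type, name, config);
    if (ret) {
        ERR(NULL, "Creating new TLS cert-to-name YANG data failed.");
        goto cleanup;
    }

cleanup:
    free(path);
    return ret;
}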
518
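/**
 * @brief Delete cert-to-name entries of a Call-Home client endpoint.
 *
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into the XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into the XPath predicate.
 * @param[in] id Key of the entry to delete; 0 makes the path address the whole cert-to-name list.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_del_ctn(const char *client_name, const char *endpt_name,
        uint32_t id, struct lyd_node **config)
{
    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    if (id) {
        /* PRIu32 instead of %u: id is uint32_t, which need not be unsigned int on every target */
        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
                "cert-to-name[id='%" PRIu32 "']", client_name, endpt_name, id);
    } else {
        return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
                "endpoints/endpoint[name='%s']/tls/netconf-server-parameters/client-identity-mappings/"
                "cert-to-name", client_name, endpt_name);
    }
}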
535
/**
 * @brief Map a TLS protocol version to its ietf-tls-common identityref string.
 *
 * TLS 1.0 and 1.1 are mapped because the ietf-tls-common identities exist; both protocol
 * versions are deprecated by RFC 8996, so configuring them weakens the server.
 *
 * @param[in] version TLS version to convert.
 * @return Static identityref string, NULL (with an error logged) for a value outside the enumeration.
 */
static const char *
nc_config_new_tls_tlsversion2str(NC_TLS_VERSION version)
{
    const char *ident = NULL;

    switch (version) {
    case NC_TLS_VERSION_10:
        ident = "ietf-tls-common:tls10";
        break;
    case NC_TLS_VERSION_11:
        ident = "ietf-tls-common:tls11";
        break;
    case NC_TLS_VERSION_12:
        ident = "ietf-tls-common:tls12";
        break;
    case NC_TLS_VERSION_13:
        ident = "ietf-tls-common:tls13";
        break;
    default:
        break;
    }

    if (!ident) {
        ERR(NULL, "Unknown TLS version.");
    }
    return ident;
}
553
/**
 * @brief Create YANG data allowing a TLS protocol version on a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint, inserted verbatim into an XPath predicate.
 * @param[in] tls_version TLS version to allow.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_version(const struct ly_ctx *ctx, const char *endpt_name,
        NC_TLS_VERSION tls_version, struct lyd_node **config)
{
    int rc;
    const char *version_ident;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);

    /* the helper logs the error for an unknown version */
    version_ident = nc_config_new_tls_tlsversion2str(tls_version);
    if (!version_ident) {
        return 1;
    }

    /* tls-version appears to be a leaf-list (the delete variant addresses it by value),
     * so each call adds one more allowed version */
    rc = nc_config_new_create(ctx, config, version_ident,
            "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "hello-params/tls-versions/tls-version", endpt_name);
    if (rc) {
        ERR(NULL, "Creating new YANG data nodes for TLS version failed.");
    }

    return rc;
}
579
/**
 * @brief Create YANG data allowing a TLS protocol version on a Call-Home client endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into an XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into an XPath predicate.
 * @param[in] tls_version TLS version to allow.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_version(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        NC_TLS_VERSION tls_version, struct lyd_node **config)
{
    int rc;
    const char *version_ident;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, config, 1);

    /* the helper logs the error for an unknown version */
    version_ident = nc_config_new_tls_tlsversion2str(tls_version);
    if (!version_ident) {
        return 1;
    }

    rc = nc_config_new_create(ctx, config, version_ident, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "hello-params/tls-versions/tls-version", client_name, endpt_name);
    if (rc) {
        ERR(NULL, "Creating new YANG data nodes for Call-Home TLS version failed.");
    }

    return rc;
}
606
/**
 * @brief Delete an allowed TLS protocol version of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint, inserted verbatim into the XPath predicate.
 * @param[in] tls_version TLS version whose tls-version node is deleted.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_del_version(const char *endpt_name, NC_TLS_VERSION tls_version, struct lyd_node **config)
{
    const char *version_ident;

    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    /* the helper logs the error for an unknown version */
    version_ident = nc_config_new_tls_tlsversion2str(tls_version);
    if (!version_ident) {
        return 1;
    }

    /* the node is selected by its value */
    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/hello-params/tls-versions/tls-version[.='%s']", endpt_name, version_ident);
}
627
/**
 * @brief Delete an allowed TLS protocol version of a Call-Home client endpoint.
 *
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into the XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into the XPath predicate.
 * @param[in] tls_version TLS version whose tls-version node is deleted.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_del_version(const char *client_name, const char *endpt_name,
        NC_TLS_VERSION tls_version, struct lyd_node **config)
{
    const char *version_ident;

    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    /* the helper logs the error for an unknown version */
    version_ident = nc_config_new_tls_tlsversion2str(tls_version);
    if (!version_ident) {
        return 1;
    }

    /* the node is selected by its value */
    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/"
            "netconf-client[name='%s']/endpoints/endpoint[name='%s']/tls/"
            "tls-server-parameters/hello-params/tls-versions/tls-version[.='%s']", client_name, endpt_name,
            version_ident);
}
650
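/**
 * @brief Replace the cipher-suite leaves under @p tree_path with the suites passed in @p ap.
 *
 * Any existing node at @p tree_path is freed first so the new suites fully replace the old ones.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the cipher-suites node.
 * @param[in] cipher_count Number of cipher suite names in @p ap.
 * @param[in] ap Variadic list of @p cipher_count `char *` cipher suite names (iana-tls-cipher-suite-algs
 * identity names without the module prefix); the caller owns the va_list and calls va_end().
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
static int
_nc_server_config_new_tls_ciphers(const struct ly_ctx *ctx, const char *tree_path,
        int cipher_count, va_list ap, struct lyd_node **config)
{
    int ret = 0, i;
    struct lyd_node *old = NULL;
    const char *cipher;
    char *cipher_ident = NULL;

    /* delete all older algorithms (if any) so they can be replaced by the new ones */
    lyd_find_path(*config, tree_path, 0, &old);
    if (old) {
        lyd_free_tree(old);
    }

    for (i = 0; i < cipher_count; i++) {
        cipher = va_arg(ap, char *);
        if (!cipher) {
            /* a NULL name would otherwise be formatted with %s */
            ERR(NULL, "Cipher suite name #%d is NULL.", i + 1);
            ret = 1;
            goto cleanup;
        }

        /* prefix with the module name to form the identityref value */
        if (asprintf(&cipher_ident, "iana-tls-cipher-suite-algs:%s", cipher) == -1) {
            ERRMEM;
            cipher_ident = NULL;
            ret = 1;
            goto cleanup;
        }

        ret = nc_config_new_create_append(ctx, tree_path, "cipher-suite", cipher_ident, config);
        if (ret) {
            goto cleanup;
        }

        free(cipher_ident);
        cipher_ident = NULL;
    }

cleanup:
    /* non-NULL only when the loop was left after a successful asprintf(); previously leaked */
    free(cipher_ident);
    return ret;
}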
687
/**
 * @brief Create YANG data setting the cipher suites of a listen endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listen endpoint, inserted verbatim into an XPath predicate.
 * @param[in,out] config Configuration YANG data tree.
 * @param[in] cipher_count Number of variadic cipher suite names that follow, must be non-zero.
 * @param[in] ... @p cipher_count `const char *` cipher suite names.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_ciphers(const struct ly_ctx *ctx, const char *endpt_name, struct lyd_node **config,
        int cipher_count, ...)
{
    int rc;
    va_list args;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cipher_count, config, 1);

    /* started here, ended on every path through cleanup */
    va_start(args, cipher_count);

    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
            "tls-server-parameters/hello-params/cipher-suites", endpt_name);
    if (rc == -1) {
        ERRMEM;
        xpath = NULL;
        rc = 1;
        goto cleanup;
    }

    rc = _nc_server_config_new_tls_ciphers(ctx, xpath, cipher_count, args, config);
    if (rc) {
        ERR(NULL, "Creating new TLS cipher YANG data nodes failed.");
    }

cleanup:
    va_end(args);
    free(xpath);
    return rc;
}
718
/**
 * @brief Create YANG data setting the cipher suites of a Call-Home client endpoint.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into an XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into an XPath predicate.
 * @param[in,out] config Configuration YANG data tree.
 * @param[in] cipher_count Number of variadic cipher suite names that follow, must be non-zero.
 * @param[in] ... @p cipher_count `const char *` cipher suite names.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_ciphers(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        struct lyd_node **config, int cipher_count, ...)
{
    int rc;
    va_list args;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, cipher_count, config, 1);

    /* started here, ended on every path through cleanup */
    va_start(args, cipher_count);

    rc = asprintf(&xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/endpoints/"
            "endpoint[name='%s']/tls/tls-server-parameters/hello-params/cipher-suites", client_name, endpt_name);
    if (rc == -1) {
        ERRMEM;
        xpath = NULL;
        rc = 1;
        goto cleanup;
    }

    rc = _nc_server_config_new_tls_ciphers(ctx, xpath, cipher_count, args, config);
    if (rc) {
        ERR(NULL, "Creating new Call-Home TLS cipher YANG data nodes failed.");
    }

cleanup:
    va_end(args);
    free(xpath);
    return rc;
}
romanfaecc582023-06-15 16:13:31 +0200749
/**
 * @brief Delete one cipher suite of a listen endpoint.
 *
 * @param[in] endpt_name Name of the listen endpoint, inserted verbatim into the XPath predicate.
 * @param[in] cipher Cipher suite name without the module prefix; inserted verbatim into the
 * value predicate, so it must match exactly what was configured.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_tls_del_cipher(const char *endpt_name, const char *cipher, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, endpt_name, cipher, config, 1);

    rc = nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
            "tls/tls-server-parameters/hello-params/cipher-suites/"
            "cipher-suite[.='iana-tls-cipher-suite-algs:%s']", endpt_name, cipher);
    return rc;
}
759
/**
 * @brief Delete one cipher suite of a Call-Home client endpoint.
 *
 * @param[in] client_name Name of the Call-Home client, inserted verbatim into the XPath predicate.
 * @param[in] endpt_name Name of the client's endpoint, inserted verbatim into the XPath predicate.
 * @param[in] cipher Cipher suite name without the module prefix; inserted verbatim into the
 * value predicate, so it must match exactly what was configured.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
API int
nc_server_config_new_ch_tls_del_cipher(const char *client_name, const char *endpt_name,
        const char *cipher, struct lyd_node **config)
{
    int rc;

    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, cipher, config, 1);

    rc = nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/hello-params/cipher-suites/"
            "cipher-suite[.='iana-tls-cipher-suite-algs:%s']", client_name, endpt_name, cipher);
    return rc;
}
770
/**
 * @brief Set the CRL file path leaf under @p tree_path, removing the competing CRL choice cases.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path Path of the client-authentication node.
 * @param[in] crl_path Value of the libnetconf2-netconf-server:crl-path leaf.
 * @param[in,out] config Configuration YANG data tree.
 * @return 0 on success, 1 on error.
 */
static int
_nc_server_config_new_tls_crl_path(const struct ly_ctx *ctx, const char *tree_path,
        const char *crl_path, struct lyd_node **config)
{
    int rc = 0;
    struct lyd_node *other = NULL;
    char *url_xpath = NULL, *ext_xpath = NULL;

    /* paths of the other two cases of the CRL choice */
    if (asprintf(&url_xpath, "%s/libnetconf2-netconf-server:crl-url", tree_path) == -1) {
        ERRMEM;
        url_xpath = NULL;
        rc = 1;
        goto cleanup;
    }
    if (asprintf(&ext_xpath, "%s/libnetconf2-netconf-server:crl-cert-ext", tree_path) == -1) {
        ERRMEM;
        ext_xpath = NULL;
        rc = 1;
        goto cleanup;
    }

    /* only one case may be present, so drop crl-url and crl-cert-ext if found */
    if (!lyd_find_path(*config, url_xpath, 0, &other)) {
        lyd_free_tree(other);
    }
    if (!lyd_find_path(*config, ext_xpath, 0, &other)) {
        lyd_free_tree(other);
    }

    /* the crl-path leaf itself */
    rc = nc_config_new_create_append(ctx, tree_path, "libnetconf2-netconf-server:crl-path", crl_path, config);

cleanup:
    free(url_xpath);
    free(ext_xpath);
    return rc;
}
814
/**
 * @brief Configure a CRL file path for a listening endpoint's TLS client authentication.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listening endpoint. It is inserted verbatim into an XPath
 * predicate (`[name='%s']`), so a name containing a single quote would break the path; callers
 * are expected to pass validated names.
 * @param[in] crl_path Value of the crl-path leaf.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, 1 on invalid arguments or allocation failure, otherwise the helper's error code.
 */
API int
nc_server_config_new_tls_crl_path(const struct ly_ctx *ctx, const char *endpt_name,
        const char *crl_path, struct lyd_node **config)
{
    int ret = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, crl_path, config, 1);

    /* client-authentication node of the endpoint; the helper creates the leaf beneath it */
    if (asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", endpt_name) == -1) {
        ERRMEM;
        xpath = NULL;
        ret = 1;
        goto cleanup;
    }

    ret = _nc_server_config_new_tls_crl_path(ctx, xpath, crl_path, config);
    if (ret) {
        ERR(NULL, "Creating new CRL YANG data nodes failed.");
    }

cleanup:
    free(xpath);
    return ret;
}
842
/**
 * @brief Configure a CRL file path for a Call-Home endpoint's TLS client authentication.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home NETCONF client.
 * @param[in] endpt_name Name of the client's endpoint. Both names are inserted verbatim into
 * XPath predicates (`[name='%s']`), so a name containing a single quote would break the path;
 * callers are expected to pass validated names.
 * @param[in] crl_path Value of the crl-path leaf.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, 1 on invalid arguments or allocation failure, otherwise the helper's error code.
 */
API int
nc_server_config_new_ch_tls_crl_path(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *crl_path, struct lyd_node **config)
{
    int ret = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, crl_path, config, 1);

    /* client-authentication node of the Call-Home endpoint; the helper creates the leaf beneath it */
    if (asprintf(&xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", client_name, endpt_name) == -1) {
        ERRMEM;
        xpath = NULL;
        ret = 1;
        goto cleanup;
    }

    ret = _nc_server_config_new_tls_crl_path(ctx, xpath, crl_path, config);
    if (ret) {
        ERR(NULL, "Creating new Call-Home CRL YANG data nodes failed.");
    }

cleanup:
    free(xpath);
    return ret;
}
871
/**
 * @brief Create the crl-url leaf under @p tree_path, removing the competing CRL choice cases.
 *
 * crl-path, crl-url and crl-cert-ext are alternative cases of one choice, so any existing
 * crl-path or crl-cert-ext node under @p tree_path is freed first. Both sibling XPaths are
 * built before anything is freed, so an allocation failure leaves the tree untouched; a
 * failure of nc_config_new_create_append() itself, however, happens after the siblings are
 * already gone and is not rolled back.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path XPath of the client-authentication node the leaf is created under.
 * @param[in] crl_url Value of the crl-url leaf.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, 1 on allocation failure, otherwise the return value of nc_config_new_create_append().
 */
static int
_nc_server_config_new_tls_crl_url(const struct ly_ctx *ctx, const char *tree_path,
        const char *crl_url, struct lyd_node **config)
{
    int ret = 0;
    struct lyd_node *match = NULL;
    /* XPaths of the two other choice cases: [0] crl-path, [1] crl-cert-ext */
    char *sibling[2] = {NULL, NULL};

    if (asprintf(&sibling[0], "%s/libnetconf2-netconf-server:crl-path", tree_path) == -1) {
        ERRMEM;
        sibling[0] = NULL;
        ret = 1;
        goto cleanup;
    }
    if (asprintf(&sibling[1], "%s/libnetconf2-netconf-server:crl-cert-ext", tree_path) == -1) {
        ERRMEM;
        sibling[1] = NULL;
        ret = 1;
        goto cleanup;
    }

    /* drop whichever competing case is currently present (a failed lookup is not an error here) */
    for (size_t i = 0; i < 2; ++i) {
        if (!lyd_find_path(*config, sibling[i], 0, &match)) {
            lyd_free_tree(match);
        }
    }

    /* create the crl-url leaf */
    ret = nc_config_new_create_append(ctx, tree_path, "libnetconf2-netconf-server:crl-url", crl_url, config);

cleanup:
    free(sibling[0]);
    free(sibling[1]);
    return ret;
}
915
/**
 * @brief Configure a CRL URL for a listening endpoint's TLS client authentication.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listening endpoint. It is inserted verbatim into an XPath
 * predicate (`[name='%s']`), so a name containing a single quote would break the path; callers
 * are expected to pass validated names.
 * @param[in] crl_url Value of the crl-url leaf.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, 1 on invalid arguments or allocation failure, otherwise the helper's error code.
 */
API int
nc_server_config_new_tls_crl_url(const struct ly_ctx *ctx, const char *endpt_name, const char *crl_url, struct lyd_node **config)
{
    int ret = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, crl_url, config, 1);

    /* client-authentication node of the endpoint; the helper creates the leaf beneath it */
    if (asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", endpt_name) == -1) {
        ERRMEM;
        xpath = NULL;
        ret = 1;
        goto cleanup;
    }

    ret = _nc_server_config_new_tls_crl_url(ctx, xpath, crl_url, config);
    if (ret) {
        ERR(NULL, "Creating new CRL YANG data nodes failed.");
    }

cleanup:
    free(xpath);
    return ret;
}
942
/**
 * @brief Configure a CRL URL for a Call-Home endpoint's TLS client authentication.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home NETCONF client.
 * @param[in] endpt_name Name of the client's endpoint. Both names are inserted verbatim into
 * XPath predicates (`[name='%s']`), so a name containing a single quote would break the path;
 * callers are expected to pass validated names.
 * @param[in] crl_url Value of the crl-url leaf.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, 1 on invalid arguments or allocation failure, otherwise the helper's error code.
 */
API int
nc_server_config_new_ch_tls_crl_url(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        const char *crl_url, struct lyd_node **config)
{
    int ret = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, crl_url, config, 1);

    /* client-authentication node of the Call-Home endpoint; the helper creates the leaf beneath it */
    if (asprintf(&xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", client_name, endpt_name) == -1) {
        ERRMEM;
        xpath = NULL;
        ret = 1;
        goto cleanup;
    }

    ret = _nc_server_config_new_tls_crl_url(ctx, xpath, crl_url, config);
    if (ret) {
        ERR(NULL, "Creating new Call-Home CRL YANG data nodes failed.");
    }

cleanup:
    free(xpath);
    return ret;
}
971
/**
 * @brief Create the (value-less) crl-cert-ext node under @p tree_path, removing the competing CRL choice cases.
 *
 * crl-path, crl-url and crl-cert-ext are alternative cases of one choice, so any existing
 * crl-path or crl-url node under @p tree_path is freed first. Both sibling XPaths are
 * built before anything is freed, so an allocation failure leaves the tree untouched; a
 * failure of nc_config_new_create_append() itself, however, happens after the siblings are
 * already gone and is not rolled back.
 *
 * @param[in] ctx libyang context.
 * @param[in] tree_path XPath of the client-authentication node the node is created under.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, 1 on allocation failure, otherwise the return value of nc_config_new_create_append().
 */
static int
_nc_server_config_new_tls_crl_cert_ext(const struct ly_ctx *ctx, const char *tree_path, struct lyd_node **config)
{
    int ret = 0;
    struct lyd_node *match = NULL;
    /* XPaths of the two other choice cases: [0] crl-path, [1] crl-url */
    char *sibling[2] = {NULL, NULL};

    if (asprintf(&sibling[0], "%s/libnetconf2-netconf-server:crl-path", tree_path) == -1) {
        ERRMEM;
        sibling[0] = NULL;
        ret = 1;
        goto cleanup;
    }
    if (asprintf(&sibling[1], "%s/libnetconf2-netconf-server:crl-url", tree_path) == -1) {
        ERRMEM;
        sibling[1] = NULL;
        ret = 1;
        goto cleanup;
    }

    /* drop whichever competing case is currently present (a failed lookup is not an error here) */
    for (size_t i = 0; i < 2; ++i) {
        if (!lyd_find_path(*config, sibling[i], 0, &match)) {
            lyd_free_tree(match);
        }
    }

    /* create the crl-cert-ext node; it carries no value */
    ret = nc_config_new_create_append(ctx, tree_path, "libnetconf2-netconf-server:crl-cert-ext", NULL, config);

cleanup:
    free(sibling[0]);
    free(sibling[1]);
    return ret;
}
1014
/**
 * @brief Select the crl-cert-ext CRL source for a listening endpoint's TLS client authentication.
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the listening endpoint. It is inserted verbatim into an XPath
 * predicate (`[name='%s']`), so a name containing a single quote would break the path; callers
 * are expected to pass validated names.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, 1 on invalid arguments or allocation failure, otherwise the helper's error code.
 */
API int
nc_server_config_new_tls_crl_cert_ext(const struct ly_ctx *ctx, const char *endpt_name, struct lyd_node **config)
{
    int ret = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, config, 1);

    /* client-authentication node of the endpoint; the helper creates the node beneath it */
    if (asprintf(&xpath, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", endpt_name) == -1) {
        ERRMEM;
        xpath = NULL;
        ret = 1;
        goto cleanup;
    }

    ret = _nc_server_config_new_tls_crl_cert_ext(ctx, xpath, config);
    if (ret) {
        ERR(NULL, "Creating new CRL YANG data nodes failed.");
    }

cleanup:
    free(xpath);
    return ret;
}
1041
/**
 * @brief Select the crl-cert-ext CRL source for a Call-Home endpoint's TLS client authentication.
 *
 * @param[in] ctx libyang context.
 * @param[in] client_name Name of the Call-Home NETCONF client.
 * @param[in] endpt_name Name of the client's endpoint. Both names are inserted verbatim into
 * XPath predicates (`[name='%s']`), so a name containing a single quote would break the path;
 * callers are expected to pass validated names.
 * @param[in,out] config YANG data tree to modify.
 * @return 0 on success, 1 on invalid arguments or allocation failure, otherwise the helper's error code.
 */
API int
nc_server_config_new_ch_tls_crl_cert_ext(const struct ly_ctx *ctx, const char *client_name, const char *endpt_name,
        struct lyd_node **config)
{
    int ret = 0;
    char *xpath = NULL;

    NC_CHECK_ARG_RET(NULL, ctx, client_name, endpt_name, config, 1);

    /* client-authentication node of the Call-Home endpoint; the helper creates the node beneath it */
    if (asprintf(&xpath, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication", client_name, endpt_name) == -1) {
        ERRMEM;
        xpath = NULL;
        ret = 1;
        goto cleanup;
    }

    ret = _nc_server_config_new_tls_crl_cert_ext(ctx, xpath, config);
    if (ret) {
        ERR(NULL, "Creating new Call-Home CRL YANG data nodes failed.");
    }

cleanup:
    free(xpath);
    return ret;
}
roman2e797ef2023-06-19 10:47:49 +02001070
/**
 * @brief Remove whichever CRL source (crl-path, crl-url or crl-cert-ext) is configured for a listening endpoint.
 *
 * All three choice cases are attempted in turn; the first failing nc_config_new_check_delete()
 * stops the sequence and its error code is returned.
 *
 * @param[in] endpt_name Name of the listening endpoint. It is inserted verbatim into an XPath
 * predicate (`[name='%s']`), so a name containing a single quote would break the path; callers
 * are expected to pass validated names.
 * @param[in,out] config YANG data tree to delete from.
 * @return 0 on success, 1 on invalid arguments, otherwise the first non-zero value returned by nc_config_new_check_delete().
 */
API int
nc_server_config_new_tls_del_crl(const char *endpt_name, struct lyd_node **config)
{
    int ret;

    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    ret = nc_config_new_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-path", endpt_name);
    if (ret) {
        return ret;
    }

    ret = nc_config_new_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-url", endpt_name);
    if (ret) {
        return ret;
    }

    return nc_config_new_check_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-cert-ext", endpt_name);
}
1099
/**
 * @brief Remove whichever CRL source (crl-path, crl-url or crl-cert-ext) is configured for a Call-Home endpoint.
 *
 * All three choice cases are attempted in turn; the first failing nc_config_new_check_delete()
 * stops the sequence and its error code is returned.
 *
 * @param[in] client_name Name of the Call-Home NETCONF client.
 * @param[in] endpt_name Name of the client's endpoint. Both names are inserted verbatim into
 * XPath predicates (`[name='%s']`), so a name containing a single quote would break the path;
 * callers are expected to pass validated names.
 * @param[in,out] config YANG data tree to delete from.
 * @return 0 on success, 1 on invalid arguments, otherwise the first non-zero value returned by nc_config_new_check_delete().
 */
API int
nc_server_config_new_ch_tls_del_crl(const char *client_name, const char *endpt_name, struct lyd_node **config)
{
    int ret;

    NC_CHECK_ARG_RET(NULL, client_name, endpt_name, config, 1);

    ret = nc_config_new_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-path", client_name, endpt_name);
    if (ret) {
        return ret;
    }

    ret = nc_config_new_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-url", client_name, endpt_name);
    if (ret) {
        return ret;
    }

    return nc_config_new_check_delete(config, "/ietf-netconf-server:netconf-server/call-home/netconf-client[name='%s']/"
            "endpoints/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:crl-cert-ext", client_name, endpt_name);
}
1131
/**
 * @brief Point a listening endpoint's TLS client authentication at another endpoint
 * (creates the endpoint-client-auth leaf with @p referenced_endpt as its value).
 *
 * @param[in] ctx libyang context.
 * @param[in] endpt_name Name of the endpoint being configured. It is inserted verbatim into an
 * XPath predicate (`[name='%s']`), so a name containing a single quote would break the path;
 * callers are expected to pass validated names.
 * @param[in] referenced_endpt Name of the endpoint whose client authentication is referenced; stored as the leaf value.
 * @param[in,out] config YANG data tree to modify.
 * @return 1 if any argument is NULL, otherwise the return value of nc_config_new_create().
 */
API int
nc_config_new_tls_endpoint_client_reference(const struct ly_ctx *ctx, const char *endpt_name, const char *referenced_endpt, struct lyd_node **config)
{
    /* single format argument: the endpoint being configured */
    static const char leaf_xpath_fmt[] = "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:endpoint-client-auth";

    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, referenced_endpt, config, 1);

    return nc_config_new_create(ctx, config, referenced_endpt, leaf_xpath_fmt, endpt_name);
}
roman8ba6efa2023-07-12 15:27:52 +02001140
/**
 * @brief Delete a listening endpoint's endpoint-client-auth reference leaf.
 *
 * @param[in] endpt_name Name of the listening endpoint. It is inserted verbatim into an XPath
 * predicate (`[name='%s']`), so a name containing a single quote would break the path; callers
 * are expected to pass validated names.
 * @param[in,out] config YANG data tree to delete from.
 * @return 1 if any argument is NULL, otherwise the return value of nc_config_new_delete().
 */
API int
nc_config_new_tls_del_endpoint_client_reference(const char *endpt_name, struct lyd_node **config)
{
    /* single format argument: the endpoint name */
    static const char leaf_xpath_fmt[] = "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tls-server-parameters/"
            "client-authentication/libnetconf2-netconf-server:endpoint-client-auth";

    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);

    return nc_config_new_delete(config, leaf_xpath_fmt, endpt_name);
}
1148}