diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cc435c9f6..b8b01870a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,7 +10,7 @@ on: - devel env: - DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev + DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev libcurl4-openssl-dev jobs: git-branch: @@ -67,7 +67,7 @@ jobs: dep-build-type: "Debug", cc: "gcc", options: "", - packages: "libcurl4-openssl-dev valgrind", + packages: "valgrind", snaps: "", make-prepend: "", make-target: "" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b254e4e80..bea0cdee9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -7,7 +7,7 @@ on: branches: [ "devel" ] env: - DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev + DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev libcurl4-openssl-dev jobs: git-branch: diff --git a/.github/workflows/devel-push.yml b/.github/workflows/devel-push.yml index 9f28ab480..9cd5935e6 100644 --- a/.github/workflows/devel-push.yml +++ b/.github/workflows/devel-push.yml @@ -5,7 +5,7 @@ on: - devel env: - DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev + DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev libcurl4-openssl-dev COVERITY_PROJECT: CESNET%2FNetopeer2 jobs: diff --git a/CMakeLists.txt b/CMakeLists.txt index 4a1b1f745..706f8b483 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,4 +1,4 @@ -cmake_minimum_required(VERSION 2.8.12) +cmake_minimum_required(VERSION 3.5) project(netopeer2 C) set(NETOPEER2_DESC "NETCONF tools suite including a server and command-line client") 
@@ -46,7 +46,7 @@ endif() # Generic version of not only the library. Major version is reserved for really big changes of the project, # minor version changes with added functionality (new tool, functionality of the tool or library, ...) and # micro version is changed with a set of small changes or bugfixes anywhere in the project. -set(NP2SRV_VERSION 2.1.72) +set(NP2SRV_VERSION 2.2.0) # libyang required version set(LIBYANG_DEP_VERSION 2.1.87) @@ -54,9 +54,9 @@ set(LIBYANG_DEP_SOVERSION 2.37.1) set(LIBYANG_DEP_SOVERSION_MAJOR 2) # libnetconf2 required version -set(LIBNETCONF2_DEP_VERSION 2.1.27) -set(LIBNETCONF2_DEP_SOVERSION 3.5.3) -set(LIBNETCONF2_DEP_SOVERSION_MAJOR 3) +set(LIBNETCONF2_DEP_VERSION 3.0.0) +set(LIBNETCONF2_DEP_SOVERSION 4.0.0) +set(LIBNETCONF2_DEP_SOVERSION_MAJOR 4) # sysrepo required version set(SYSREPO_DEP_VERSION 2.2.111) 
@@ -155,27 +155,37 @@ set(FORMAT_SRC # checks # -find_package(PkgConfig) -if(PKG_CONFIG_FOUND) - # lnc2 support for np2srv thread count - execute_process(COMMAND ${PKG_CONFIG_EXECUTABLE} "--variable=LNC2_MAX_THREAD_COUNT" "libnetconf2" OUTPUT_VARIABLE LNC2_THREAD_COUNT) - if(LNC2_THREAD_COUNT) - string(STRIP ${LNC2_THREAD_COUNT} LNC2_THREAD_COUNT) - if(LNC2_THREAD_COUNT LESS THREAD_COUNT) - message(FATAL_ERROR "libnetconf2 was compiled with support up to ${LNC2_THREAD_COUNT} threads, server is configured with ${THREAD_COUNT}.") - else() - message(STATUS "libnetconf2 was compiled with support of up to ${LNC2_THREAD_COUNT} threads") - endif() +# PKGCONFIG { + +find_package(PkgConfig REQUIRED) + +# find libnetconf2 pkg +pkg_check_modules(PKG_LN2 REQUIRED libnetconf2) + +# libnetconf2 thread count check +pkg_get_variable(LN2_THREAD_COUNT libnetconf2 "LN2_MAX_THREAD_COUNT") +if(LN2_THREAD_COUNT) + if(LN2_THREAD_COUNT LESS THREAD_COUNT) + message(FATAL_ERROR "libnetconf2 was compiled with support up to ${LN2_THREAD_COUNT} threads, server is configured with ${THREAD_COUNT}.") else() - message(STATUS "Unable to learn libnetconf2 thread support, check skipped") + message(STATUS "libnetconf2 was compiled with support of up to ${LN2_THREAD_COUNT} threads") endif() - - # sysrepo group - execute_process(COMMAND ${PKG_CONFIG_EXECUTABLE} "--variable=SR_GROUP" "sysrepo" OUTPUT_VARIABLE SR_GROUP OUTPUT_STRIP_TRAILING_WHITESPACE) else() - message(STATUS "pkg-config not found, so it was not possible to check if libnetconf2 supports ${THREAD_COUNT} threads") + message(STATUS "Unable to learn libnetconf2 thread support, check skipped") +endif() + +# get libnetconf2 module directory, use it later when installing modules +pkg_get_variable(LN2_YANG_MODULE_DIR libnetconf2 "LN2_SCHEMAS_DIR") +if(NOT LN2_YANG_MODULE_DIR) + message(FATAL_ERROR "Unable to learn libnetconf2 module search directory.") endif() +# find sysrepo pkg and get sysrepo group +pkg_check_modules(PKG_SR REQUIRED sysrepo) 
+pkg_get_variable(SR_GROUP sysrepo "SR_GROUP") + +# } PKGCONFIG + if(ENABLE_VALGRIND_TESTS) find_program(VALGRIND_FOUND valgrind) if(NOT VALGRIND_FOUND) @@ -229,21 +239,6 @@ include_directories(${LIBNETCONF2_INCLUDE_DIRS}) list(APPEND CMAKE_REQUIRED_INCLUDES ${LIBNETCONF2_INCLUDE_DIRS}) list(APPEND CMAKE_REQUIRED_LIBRARIES ${LIBNETCONF2_LIBRARIES}) -# at least some remote transport is enabled -if(LIBNETCONF2_ENABLED_SSH OR LIBNETCONF2_ENABLED_TLS) - list(APPEND SERVER_SRC src/netconf_server.c) -endif() - -# SSH is enabled -if(LIBNETCONF2_ENABLED_SSH) - list(APPEND SERVER_SRC src/netconf_server_ssh.c) -endif() - -# TLS is enabled -if(LIBNETCONF2_ENABLED_TLS) - list(APPEND SERVER_SRC src/netconf_server_tls.c) -endif() - # link compat use_compat() @@ -265,7 +260,7 @@ endif() target_link_libraries(netopeer2-server ${LIBNETCONF2_LIBRARIES}) # libssh (was already found, if exists) -if(LIBSSH_FOUND AND LIBNETCONF2_ENABLED_SSH) +if(LIBSSH_FOUND AND LIBNETCONF2_ENABLED_SSH_TLS) target_link_libraries(netopeer2-server ${LIBSSH_LIBRARIES}) include_directories(${LIBSSH_INCLUDE_DIRS}) endif() @@ -361,6 +356,7 @@ if(INSTALL_MODULES) set(ENV{NP2_MODULE_PERMS} \"${MODULES_PERMS}\") set(ENV{NP2_MODULE_OWNER} \"${MODULES_OWNER}\") set(ENV{NP2_MODULE_GROUP} \"${MODULES_GROUP}\") + set(ENV{LN2_MODULE_DIR} \"${LN2_YANG_MODULE_DIR}\") set(ENV{SYSREPOCTL_EXECUTABLE} \"${SYSREPOCTL_EXECUTABLE}\") set(ENV{SYSREPOCFG_EXECUTABLE} \"${SYSREPOCFG_EXECUTABLE}\") execute_process(COMMAND \"\$ENV{DESTDIR}${SCRIPT_DIR}/setup.sh\" RESULT_VARIABLE SETUP_RES) @@ -371,6 +367,7 @@ if(INSTALL_MODULES) else() message(WARNING "Server will refuse to start if the modules are not installed!") endif() + if(GENERATE_HOSTKEY) install(CODE " message(STATUS \"Generating a new RSA host key \\\"genkey\\\" if not already added...\") 
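Review bot: `pkg_check_modules(PKG_LN2 REQUIRED libnetconf2)` carries no version constraint, so `LN2_MAX_THREAD_COUNT` and `LN2_SCHEMAS_DIR` may be read from a libnetconf2 .pc file older than the `LIBNETCONF2_DEP_VERSION` this file now requires, and possibly from a different installation than the one FindLibNETCONF2 later links; `pkg_check_modules(PKG_LN2 REQUIRED libnetconf2>=${LIBNETCONF2_DEP_VERSION})` ties the query to the same minimum, and `pkg_check_modules(PKG_SR REQUIRED sysrepo>=${SYSREPO_DEP_VERSION})` does the same for sysrepo. `SR_GROUP` is also the only value read here that is never checked: if the sysrepo .pc does not define it, whatever consumes the variable later (outside this hunk) silently sees an empty string, so a `message(STATUS ...)` like the one for the thread count would make that visible at configure time. Since the `PKG_LN2_*`/`PKG_SR_*` results are otherwise unused in the hunk, a one-line comment saying the two calls exist only to fail early when a .pc file is missing would save the next reader a search.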
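Review bot: The server still links libssh only `if(LIBSSH_FOUND AND LIBNETCONF2_ENABLED_SSH_TLS)`, whereas cli/CMakeLists.txt in this same change turns a missing libssh under that flag into `message(FATAL_ERROR ...)`; with the SSH/TLS server sources no longer added conditionally (the block removed just above), a configuration where libnetconf2 reports SSH/TLS but libssh is absent presumably fails at link time rather than with a clear configure-time error. A matching `if(LIBNETCONF2_ENABLED_SSH_TLS AND NOT LIBSSH_FOUND) message(FATAL_ERROR "libnetconf2 supports SSH but libssh was not found, server compilation failed!") endif()` before this link block would give both binaries the same behaviour. Where the server sources are now listed is outside this hunk, so that inference should be confirmed there.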
@@ -422,4 +419,5 @@ add_custom_target(cleancache # uninstall add_custom_target(uninstall ${SCRIPT_DIR}/remove.sh COMMAND "${CMAKE_COMMAND}" -P "${CMAKE_MODULE_PATH}/uninstall.cmake" - COMMENT "Removing netopeer2 modules from sysrepo...") + COMMENT "Removing netopeer2 modules from sysrepo..." +) diff --git a/CMakeModules/FindLibNETCONF2.cmake b/CMakeModules/FindLibNETCONF2.cmake index b400dbb84..8ba5d5395 100644 --- a/CMakeModules/FindLibNETCONF2.cmake +++ b/CMakeModules/FindLibNETCONF2.cmake @@ -5,8 +5,7 @@ # LIBNETCONF2_INCLUDE_DIRS - the LibNETCONF2 include directory # LIBNETCONF2_LIBRARIES - Link these to use LibNETCONF2 # LIBNETCONF2_VERSION - SO version of the found libNETCONF2 library -# LIBNETCONF2_ENABLED_SSH - LibNETCONF2 was compiled with SSH support -# LIBNETCONF2_ENABLED_TLS - LibNETCONF2 was compiled with TLS support +# LIBNETCONF2_ENABLED_SSH_TLS - LibNETCONF2 was compiled with SSH and TLS support # # Author Michal Vasko # Copyright (c) 2021 CESNET, z.s.p.o. @@ -93,8 +92,7 @@ else() # check the configured options and make them available through cmake list(INSERT CMAKE_REQUIRED_INCLUDES 0 "${LIBNETCONF2_INCLUDE_DIR}") - check_symbol_exists("NC_ENABLED_SSH" "nc_client.h" LIBNETCONF2_ENABLED_SSH) - check_symbol_exists("NC_ENABLED_TLS" "nc_client.h" LIBNETCONF2_ENABLED_TLS) + check_symbol_exists("NC_ENABLED_SSH_TLS" "nc_client.h" LIBNETCONF2_ENABLED_SSH_TLS) list(REMOVE_AT CMAKE_REQUIRED_INCLUDES 0) endif() diff --git a/CMakeModules/uninstall.cmake b/CMakeModules/uninstall.cmake index b9618a29f..39a575339 100644 --- a/CMakeModules/uninstall.cmake +++ b/CMakeModules/uninstall.cmake @@ -1,4 +1,4 @@ -cmake_minimum_required(VERSION 3.0.2) +cmake_minimum_required(VERSION 3.5) set(MANIFEST "${CMAKE_CURRENT_BINARY_DIR}/install_manifest.txt") diff --git a/cli/CMakeLists.txt b/cli/CMakeLists.txt index 0cc07f887..6263bcb5a 100644 --- a/cli/CMakeLists.txt +++ b/cli/CMakeLists.txt 
@@ -27,17 +27,16 @@ target_link_libraries(netopeer2-cli ${CMAKE_THREAD_LIBS_INIT}) target_link_libraries(netopeer2-cli ${LIBYANG_LIBRARIES}) target_link_libraries(netopeer2-cli ${LIBNETCONF2_LIBRARIES}) -# dependencies - libssh -if(LIBNETCONF2_ENABLED_SSH) +# dependencies +if(LIBNETCONF2_ENABLED_SSH_TLS) + # - libssh if(NOT LIBSSH_FOUND) message(FATAL_ERROR "libnetconf2 supports SSH but libssh was not found, CLI compilation failed!") endif() target_link_libraries(netopeer2-cli ${LIBSSH_LIBRARIES}) include_directories(${LIBSSH_INCLUDE_DIRS}) -endif() -# dependencies - libssl (and openssl) -if(LIBNETCONF2_ENABLED_TLS) + # - openssl if(NOT OPENSSL_FOUND) message(FATAL_ERROR "libnetconf2 supports TLS but OpenSSL was not found, CLI compilation failed!") endif() diff --git a/cli/commands.c b/cli/commands.c index afe78dfca..cfbadea4f 100644 --- a/cli/commands.c +++ b/cli/commands.c @@ -34,7 +34,7 @@ #include #include -#ifdef NC_ENABLED_TLS +#ifdef NC_ENABLED_SSH_TLS # include # include #endif @@ -663,13 +663,9 @@ cmd_verb_help(void) static void cmd_connect_help(void) { -#if defined (NC_ENABLED_SSH) && defined (NC_ENABLED_TLS) +#ifdef NC_ENABLED_SSH_TLS printf("connect [--help] [--ssh] [--host ] [--port ] [--login ]\n"); printf("connect [--help] --tls [--host ] [--port ] [--cert [--key ]] [--trusted ]\n"); -#elif defined (NC_ENABLED_SSH) - printf("connect [--help] [--ssh] [--host ] [--port ] [--login ]\n"); -#elif defined (NC_ENABLED_TLS) - printf("connect [--help] [--tls] [--host ] [--port ] [--cert [--key ]] [--trusted ]\n"); #endif printf("connect [--help] --unix [--socket ]\n"); } 
@@ -677,15 +673,10 @@ cmd_connect_help(void) static void cmd_listen_help(void) { -#if defined (NC_ENABLED_SSH) && defined (NC_ENABLED_TLS) +#ifdef NC_ENABLED_SSH_TLS printf("listen [--help] [--timeout ] [--host ] [--port ]\n"); printf(" SSH [--ssh] [--login ]\n"); printf(" TLS --tls [--cert [--key ]] [--trusted ] [--peername ]\n"); -#elif defined (NC_ENABLED_SSH) - printf("listen [--help] [--ssh] [--timeout ] [--host ] [--port ] [--login ]\n"); -#elif defined (NC_ENABLED_TLS) - printf("listen [--help] [--tls] [--timeout ] [--host ] [--port ]" - " [--cert [--key ]] [--trusted ] [--peername ]\n"); #endif } @@ -1273,7 +1264,7 @@ cmd_timed_help(void) printf("timed [--help] [on | off]\n"); } -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS static void cmd_auth_help(void) @@ -1287,10 +1278,6 @@ cmd_knownhosts_help(void) printf("knownhosts [--help] [--del ]\n"); } -#endif /* NC_ENABLED_SSH */ - -#ifdef NC_ENABLED_TLS - static void cmd_cert_help(void) { @@ -1303,10 +1290,6 @@ cmd_crl_help(void) printf("crl [--help | display | add | remove ]\n"); } -#endif /* NC_ENABLED_TLS */ - -#ifdef NC_ENABLED_SSH - static int cmd_auth(const char *arg, char **UNUSED(tmp_config_file)) { @@ -1763,10 +1746,6 @@ cmd_connect_listen_ssh(struct arglist *cmd, int is_connect) return EXIT_SUCCESS; } -#endif /* NC_ENABLED_SSH */ - -#ifdef NC_ENABLED_TLS - static int cp(const char *to, const char *from) { @@ -2602,7 +2581,7 @@ cmd_connect_listen_tls(struct arglist *cmd, int is_connect) return ret; } -#endif /* NC_ENABLED_TLS */ +#endif /* NC_ENABLED_SSH_TLS */ static int cmd_connect_listen_unix(struct arglist *cmd, int is_connect) 
@@ -2739,22 +2718,22 @@ cmd_verb(const char *arg, char **UNUSED(tmp_config_file)) verb = arg + 5; if (!strcmp(verb, "error") || !strcmp(verb, "0")) { nc_verbosity(0); -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(0); #endif } else if (!strcmp(verb, "warning") || !strcmp(verb, "1")) { nc_verbosity(1); -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(1); #endif } else if (!strcmp(verb, "verbose") || !strcmp(verb, "2")) { nc_verbosity(2); -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(2); #endif } else if (!strcmp(verb, "debug") || !strcmp(verb, "3")) { nc_verbosity(3); -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(3); #endif } else { @@ -2793,14 +2772,12 @@ cmd_status(const char *UNUSED(arg), char **UNUSED(tmp_config_file)) printf("Current NETCONF session:\n"); printf(" ID : %u\n", nc_session_get_id(session)); switch (transport) { -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS case NC_TI_LIBSSH: s = "SSH"; printf(" Host : %s\n", nc_session_get_host(session)); printf(" Port : %u\n", nc_session_get_port(session)); break; -#endif -#ifdef NC_ENABLED_TLS case NC_TI_OPENSSL: s = "TLS"; printf(" Host : %s\n", nc_session_get_host(session)); @@ -2839,14 +2816,12 @@ cmd_connect_listen(const char *arg, int is_connect) struct arglist cmd; struct option long_options[] = { {"help", 0, 0, 'h'}, -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS {"ssh", 0, 0, 's'}, {"timeout", 1, 0, 'i'}, {"host", 1, 0, 'o'}, {"port", 1, 0, 'p'}, {"login", 1, 0, 'l'}, -#endif -#ifdef NC_ENABLED_TLS {"tls", 0, 0, 't'}, {"timeout", 1, 0, 'i'}, {"host", 1, 0, 'o'}, 
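Review bot: After the two guarded blocks are merged under one `#ifdef NC_ENABLED_SSH_TLS`, `long_options[]` in cmd_connect_listen contains `{"timeout", 1, 0, 'i'}` and `{"host", 1, 0, 'o'}` twice (and presumably `{"port", 1, 0, 'p'}` as well, in the part of the array past the end of the hunk). getopt_long should stop at the first exact name match, so this is harmless at runtime, but the duplicates were only ever a side effect of the former separate SSH and TLS blocks and now have no reason to exist; keeping one copy of each shared option and guarding only the `ssh`, `login`, `tls` and certificate entries reads as intended. The same merge pattern appears in cmd_status just above, where it produced no duplicates, and the array continues outside the hunk.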
@@ -2879,12 +2854,8 @@ cmd_connect_listen(const char *arg, int is_connect) ret = -1; -#if defined (NC_ENABLED_SSH) && defined (NC_ENABLED_TLS) +#ifdef NC_ENABLED_SSH_TLS optstring = "hsti:o:p:l:c:k:r:e:uS:"; -#elif defined (NC_ENABLED_SSH) - optstring = "hsi:o:p:l:uS:"; -#elif defined (NC_ENABLED_TLS) - optstring = "hti:o:p:c:k:r:e:uS:"; #else optstring = "hi:o:p:c:k:r:e:uS:"; #endif @@ -2894,12 +2865,10 @@ cmd_connect_listen(const char *arg, int is_connect) case 'h': ti = NC_TI_FD; break; -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS case 's': ti = NC_TI_LIBSSH; break; -#endif -#ifdef NC_ENABLED_TLS case 't': ti = NC_TI_OPENSSL; break; @@ -2914,10 +2883,8 @@ cmd_connect_listen(const char *arg, int is_connect) if (!ti) { /* default transport */ -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS ti = NC_TI_LIBSSH; -#elif defined (NC_ENABLED_TLS) - ti = NC_TI_OPENSSL; #endif } @@ -2932,12 +2899,10 @@ cmd_connect_listen(const char *arg, int is_connect) case NC_TI_UNIX: ret = cmd_connect_listen_unix(&cmd, is_connect); break; -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS case NC_TI_LIBSSH: ret = cmd_connect_listen_ssh(&cmd, is_connect); break; -#endif -#ifdef NC_ENABLED_TLS case NC_TI_OPENSSL: ret = cmd_connect_listen_tls(&cmd, is_connect); break; 
@@ -6765,17 +6730,17 @@ cmd_timed(const char *arg, char **UNUSED(tmp_config_file)) } COMMAND commands[] = { -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS {"auth", cmd_auth, cmd_auth_help, "Manage SSH authentication options"}, #endif {"cancel-commit", cmd_cancelcommit, cmd_cancelcommit_help, "ietf-netconf operation"}, -#ifdef NC_ENABLED_TLS +#ifdef NC_ENABLED_SSH_TLS {"cert", cmd_cert, cmd_cert_help, "Manage trusted or your own certificates"}, #endif {"commit", cmd_commit, cmd_commit_help, "ietf-netconf operation"}, {"connect", cmd_connect, cmd_connect_help, "Connect to a NETCONF server"}, {"copy-config", cmd_copyconfig, cmd_copyconfig_help, "ietf-netconf operation"}, -#ifdef NC_ENABLED_TLS +#ifdef NC_ENABLED_SSH_TLS {"crl", cmd_crl, cmd_crl_help, "Manage Certificate Revocation List directory"}, #endif {"delete-config", cmd_deleteconfig, cmd_deleteconfig_help, "ietf-netconf operation"}, @@ -6801,7 +6766,7 @@ COMMAND commands[] = { {"help", cmd_help, NULL, "Display commands description"}, {"kill-session", cmd_killsession, cmd_killsession_help, "ietf-netconf operation"}, {"kill-sub", cmd_killsub, cmd_killsub_help, "ietf-subscribed-notifications operation"}, -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS {"knownhosts", cmd_knownhosts, cmd_knownhosts_help, "Manage the user knownhosts file"}, #endif {"listen", cmd_listen, cmd_listen_help, "Wait for a Call Home connection from a NETCONF server"}, diff --git a/cli/completion.c b/cli/completion.c index 296692123..d979b6027 100644 --- a/cli/completion.c +++ b/cli/completion.c 
@@ -82,11 +82,9 @@ complete_cmd(const char *buf, const char *hint, linenoiseCompletions *lc) unsigned int match_count = 0, i; if (!strncmp(buf, "searchpath ", 11) -#ifdef NC_ENABLED_SSH - || !strncmp(buf, "auth keys add ", 14) -#endif -#ifdef NC_ENABLED_TLS - || !strncmp(buf, "cert add ", 9) || !strncmp(buf, "cert remove ", 12) || !strncmp(buf, "cert replaceown ", 16) || +#ifdef NC_ENABLED_SSH_TLS + || !strncmp(buf, "auth keys add ", 14) || + !strncmp(buf, "cert add ", 9) || !strncmp(buf, "cert remove ", 12) || !strncmp(buf, "cert replaceown ", 16) || !strncmp(buf, "crl add ", 8) || !strncmp(buf, "crl remove ", 11) #endif ) { diff --git a/cli/configuration.c b/cli/configuration.c index c475f9ab1..2d90cf4ed 100644 --- a/cli/configuration.c +++ b/cli/configuration.c @@ -303,7 +303,7 @@ load_config(void) struct lyd_node *config = NULL, *child; struct ly_ctx *ctx = NULL; -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS const char *key_pub, *key_priv; struct lyd_node *auth_child, *pref_child, *key_child, *pair_child; #endif @@ -367,7 +367,7 @@ load_config(void) opts.output_flag = LYD_PRINT_SHRINK; } /* else default (formatted XML) */ } -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS else if (!strcmp(LYD_NAME(child), "authentication")) { /* -> */ LY_LIST_FOR(lyd_child(child), auth_child) { @@ -402,7 +402,7 @@ load_config(void) } } } -#endif /* ENABLE_SSH */ +#endif /* NC_ENABLED_SSH_TLS */ } cleanup: @@ -415,9 +415,13 @@ load_config(void) void store_config(void) { - char *netconf_dir = NULL, *history_file = NULL, *config_file = NULL, buf[23]; +#ifdef NC_ENABLED_SSH_TLS + char buf[23]; + struct lyd_node *auth, *pref, *keys, *pair; +#endif /* NC_ENABLED_SSH_TLS */ + char *netconf_dir = NULL, *history_file = NULL, *config_file = NULL; struct ly_ctx *ctx = NULL; - struct lyd_node *root = NULL, *auth, *pref, *keys, *pair; + struct lyd_node *root = NULL; const char *str, *ns = "urn:cesnet:netconf-client"; if (ly_ctx_new(NULL, 0, &ctx)) { 
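Review bot: The rebuilt condition in complete_cmd mixes a leading `||` with trailing `||` on the added `auth keys add` line, so the `#ifdef NC_ENABLED_SSH_TLS` block now reads `|| !strncmp(buf, "auth keys add ", 14) ||` followed by a line that starts without an operator; putting the operator in one position on every line, e.g. `|| !strncmp(buf, "auth keys add ", 14)` on its own line and `|| !strncmp(buf, "cert add ", 9) || ...` for the certificate and CRL lines, keeps the guarded alternatives scannable. The condition's closing `)` and the function body continue outside the hunk.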
@@ -452,7 +456,7 @@ store_config(void) goto cleanup; } -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS /* SSH authentication */ if (lyd_new_opaq2(root, NULL, "authentication", NULL, NULL, ns, &auth)) { goto cleanup; @@ -498,7 +502,7 @@ store_config(void) } } } -#endif +#endif /* NC_ENABLED_SSH_TLS */ /* get netconf dir */ if ((netconf_dir = get_netconf_dir()) == NULL) { diff --git a/cli/main.c b/cli/main.c index 6a6f94042..37a207806 100644 --- a/cli/main.c +++ b/cli/main.c @@ -41,7 +41,7 @@ int done; extern struct nc_session *session; void -lnc2_print_clb(NC_VERB_LEVEL level, const char *msg) +lnc2_print_clb(const struct nc_session *UNUSED(session), NC_VERB_LEVEL level, const char *msg) { int was_rawmode = 0; @@ -138,7 +138,7 @@ main(void) action.sa_handler = SIG_IGN; sigaction(SIGPIPE, &action, NULL); - nc_set_print_clb(lnc2_print_clb); + nc_set_print_clb_session(lnc2_print_clb); ly_set_log_clb(ly_print_clb, 1); linenoiseSetCompletionCallback(complete_cmd); linenoiseHistoryDataFree(free); diff --git a/distro/pkg/deb/control b/distro/pkg/deb/control index b62a46b13..d738527f1 100644 --- a/distro/pkg/deb/control +++ b/distro/pkg/deb/control @@ -8,13 +8,14 @@ Build-Depends: cmake, graphviz, libcmocka-dev, libsystemd-dev, - libnetconf2-dev (>= 2.0.0), + libnetconf2-dev (>= 3.0.0), libssh-dev, libssl-dev, libsysrepo-dev (>= 2.0.0), libyang2-dev (>= 2.0.0), pkg-config, - sysrepo-tools (>= 2.0.0) + sysrepo-tools (>= 2.0.0), + libcurl4-openssl-dev (>= 7.30.0) Homepage: https://github.com/CESNET/netopeer2/ Package: netopeer2 diff --git a/distro/pkg/rpm/netopeer2.spec b/distro/pkg/rpm/netopeer2.spec index c62458e97..a7b017634 100644 --- a/distro/pkg/rpm/netopeer2.spec +++ b/distro/pkg/rpm/netopeer2.spec 
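Review bot: Only `libnetconf2-dev` gets its minimum raised in this Build-Depends list; `libyang2-dev (>= 2.0.0)` and `libsysrepo-dev (>= 2.0.0)` stay as they were, although CMakeLists.txt in this same change sets `LIBYANG_DEP_VERSION 2.1.87` and `SYSREPO_DEP_VERSION 2.2.111` and the rpm spec raises `pkgconfig(libyang)` and `pkgconfig(sysrepo)` to exactly those values. A Debian build against older libyang or sysrepo would therefore satisfy dependency resolution and then fail at configure time; `libyang2-dev (>= 2.1.87)` and `libsysrepo-dev (>= 2.2.111)` would make the three places agree, and `sysrepo-tools` may need the same treatment if it tracks the sysrepo version.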
@@ -9,9 +9,9 @@ License: BSD-3-Clause BuildRequires: gcc BuildRequires: cmake -BuildRequires: pkgconfig(libyang) >= 2.0.194 -BuildRequires: pkgconfig(libnetconf2) >= 2.1.11 -BuildRequires: pkgconfig(sysrepo) >= 2.1.64 +BuildRequires: pkgconfig(libyang) >= 2.1.87 +BuildRequires: pkgconfig(libnetconf2) >= 3.0.0 +BuildRequires: pkgconfig(sysrepo) >= 2.2.111 BuildRequires: sysrepo-tools BuildRequires: libcurl-devel BuildRequires: libssh-devel @@ -80,6 +80,7 @@ set -e export NP2_MODULE_DIR=%{_datadir}/yang/modules/netopeer2 export NP2_MODULE_PERMS=600 export NP2_MODULE_OWNER=root +export LN2_MODULE_DIR=%{_datadir}/yang/modules/libnetconf2 %{_datadir}/netopeer2/setup.sh %{_datadir}/netopeer2/merge_hostkey.sh diff --git a/example_configuration/ssh_callhome.xml b/example_configuration/ssh_callhome.xml index b30794bc8..876ccaed0 100644 --- a/example_configuration/ssh_callhome.xml +++ b/example_configuration/ssh_callhome.xml @@ -24,11 +24,7 @@ - - - - - + default-ssh diff --git a/example_configuration/tls_callhome.xml b/example_configuration/tls_callhome.xml index 312fe0f89..9b910bcc8 100644 --- a/example_configuration/tls_callhome.xml +++ b/example_configuration/tls_callhome.xml @@ -16,25 +16,32 @@ - - serverkey - servercert - + + + serverkey + servercert + + - - cacerts - clientcerts - - - 1 - 02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74 - x509c2n:specified - tls-test - - + + cacerts + + + eecerts + + + + + 1 + 02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74 + x509c2n:specified + tls-test + + + diff --git a/example_configuration/tls_keystore.xml b/example_configuration/tls_keystore.xml index add1877e5..bd97e4ed9 100644 --- a/example_configuration/tls_keystore.xml +++ b/example_configuration/tls_keystore.xml 
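Review bot: `export LN2_MODULE_DIR=%{_datadir}/yang/modules/libnetconf2` hard-codes the libnetconf2 module directory, while the CMake side of this change derives the same path from the `LN2_SCHEMAS_DIR` pkg-config variable; if a libnetconf2 package installs its modules elsewhere, the scriptlet would hand setup.sh an empty or wrong directory. Deriving it the same way, e.g. `export LN2_MODULE_DIR=$(pkg-config --variable=LN2_SCHEMAS_DIR libnetconf2)`, keeps the two in agreement, with the caveat that pkg-config and the libnetconf2 .pc file are only declared as build requirements here, so a fallback to the current literal may be needed at install time. The scriptlet continues outside the hunk.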
@@ -2,13 +2,14 @@ serverkey - rsa2048 + ct:subject-public-key-info-format MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3VrgFBOc/kZOADDFEs3dhktPJyB+EPkRSD1EnTDtlsrR0wG7HgAA+gdoEwbb2cqJxYH5hhUec0alDQ4l7PUe9ycw6L99ZsJsRTAAlcD0JhpgPngAuX24NVqQDv7Cg5Yx3BOS+Q0pO6GGyuOv2DczQ9BLYPAUAldaAIaa424YaJJ4oUNbS76FwqTs+WDaWtkqQRAqPa/9zg4hbiyCQpTbPNesU5GcTuWQpuuWpw1ZqXRKwJ92kYRNGCUYntJYwSdKnhukkEHYxMYVdfwaG3xFmPCDKy5OVBJmwuzWZC7KHrCK7yTzGZ7/izAWb+3JzhwYqhzq/ZF17eZWC/JDyUkBLwIDAQAB - 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 + ct:rsa-private-key-format + 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 servercert - 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 + 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 diff --git a/example_configuration/tls_listen.xml b/example_configuration/tls_listen.xml index 8317e987d..d0d6d8938 100644 --- a/example_configuration/tls_listen.xml +++ b/example_configuration/tls_listen.xml @@ -13,25 +13,32 @@ - - serverkey - servercert - + + + serverkey + servercert + + - - cacerts - clientcerts - - - 1 - 02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74 - x509c2n:specified - tls-test - - + + cacerts + + + eecerts + + + + + 1 + 02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74 + x509c2n:specified + tls-test + + + diff --git a/example_configuration/tls_truststore.xml b/example_configuration/tls_truststore.xml index de132389e..7d59c0f84 100644 --- a/example_configuration/tls_truststore.xml +++ b/example_configuration/tls_truststore.xml @@ -1,16 +1,18 @@ - - clientcerts - - clientcert - 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 - - - - cacerts - - cacert - 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 - - + + + eecerts + + eecert + 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 + + + + cacerts + + cacert + 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 + + + 
diff --git a/modules/iana-crypt-hash@2014-08-06.yang b/modules/iana-crypt-hash@2014-08-06.yang deleted file mode 100644 index 86fcb51a3..000000000 --- a/modules/iana-crypt-hash@2014-08-06.yang +++ /dev/null 
@@ -1,120 +0,0 @@ - module iana-crypt-hash { - namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash"; - prefix ianach; - - organization "IANA"; - contact - " Internet Assigned Numbers Authority - - Postal: ICANN - 12025 Waterfront Drive, Suite 300 - Los Angeles, CA 90094-2536 - United States - - Tel: +1 310 301 5800 - E-Mail: iana@iana.org>"; - description - "This YANG module defines a type for storing passwords - using a hash function and features to indicate which hash - functions are supported by an implementation. - - The latest revision of this YANG module can be obtained from - the IANA web site. - - Requests for new values should be made to IANA via - email (iana@iana.org). - - Copyright (c) 2014 IETF Trust and the persons identified as - authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with or - without modification, is permitted pursuant to, and subject - to the license terms contained in, the Simplified BSD License - set forth in Section 4.c of the IETF Trust's Legal Provisions - Relating to IETF Documents - (http://trustee.ietf.org/license-info). - - The initial version of this YANG module is part of RFC 7317; - see the RFC itself for full legal notices."; - - revision 2014-08-06 { - description - "Initial revision."; - reference - "RFC 7317: A YANG Data Model for System Management"; - } - - typedef crypt-hash { - type string { - pattern - '$0$.*' - + '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}' - + '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}' - + '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}'; - } - description - "The crypt-hash type is used to store passwords using - a hash function. The algorithms for applying the hash - function and encoding the result are implemented in - various UNIX systems as the function crypt(3). - - A value of this type matches one of the forms: - - $0$ - $$$ - $$$$ - - The '$0$' prefix signals that the value is clear text. 
When - such a value is received by the server, a hash value is - calculated, and the string '$$$' or - $$$$ is prepended to the result. This - value is stored in the configuration data store. - If a value starting with '$$', where is not '0', is - received, the server knows that the value already represents a - hashed value and stores it 'as is' in the data store. - - When a server needs to verify a password given by a user, it - finds the stored password hash string for that user, extracts - the salt, and calculates the hash with the salt and given - password as input. If the calculated hash value is the same - as the stored value, the password given by the client is - accepted. - - This type defines the following hash functions: - - id | hash function | feature - ---+---------------+------------------- - 1 | MD5 | crypt-hash-md5 - 5 | SHA-256 | crypt-hash-sha-256 - 6 | SHA-512 | crypt-hash-sha-512 - - The server indicates support for the different hash functions - by advertising the corresponding feature."; - reference - "IEEE Std 1003.1-2008 - crypt() function - RFC 1321: The MD5 Message-Digest Algorithm - FIPS.180-4.2012: Secure Hash Standard (SHS)"; - } - - feature crypt-hash-md5 { - description - "Indicates that the device supports the MD5 - hash function in 'crypt-hash' values."; - reference "RFC 1321: The MD5 Message-Digest Algorithm"; - } - - feature crypt-hash-sha-256 { - description - "Indicates that the device supports the SHA-256 - hash function in 'crypt-hash' values."; - reference "FIPS.180-4.2012: Secure Hash Standard (SHS)"; - } - - feature crypt-hash-sha-512 { - description - "Indicates that the device supports the SHA-512 - hash function in 'crypt-hash' values."; - reference "FIPS.180-4.2012: Secure Hash Standard (SHS)"; - } - - } diff --git a/modules/ietf-crypto-types@2019-07-02.yang b/modules/ietf-crypto-types@2019-07-02.yang deleted file mode 100644 index 3313a8c36..000000000 --- a/modules/ietf-crypto-types@2019-07-02.yang +++ /dev/null 
@@ -1,2058 +0,0 @@ - module ietf-crypto-types { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types"; - prefix ct; - - import ietf-yang-types { - prefix yang; - reference - "RFC 6991: Common YANG Data Types"; - } - - import ietf-netconf-acm { - prefix nacm; - reference - "RFC 8341: Network Configuration Access Control Model"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Wang Haiguang "; - - description - "This module defines common YANG types for cryptographic - applications. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
- - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: Common YANG Data Types for Cryptography"; - } - - /**************************************/ - /* Identities for Hash Algorithms */ - /**************************************/ - - typedef hash-algorithm-t { - type union { - type uint16; - type enumeration { - enum NONE { - value 0; - description - "Hash algorithm is NULL."; - } - enum sha1 { - value 1; - status obsolete; - description - "The SHA1 algorithm."; - reference - "RFC 3174: US Secure Hash Algorithms 1 (SHA1)."; - } - enum sha-224 { - value 2; - description - "The SHA-224 algorithm."; - reference - "RFC 6234: US Secure Hash Algorithms."; - } - enum sha-256 { - value 3; - description - "The SHA-256 algorithm."; - reference - "RFC 6234: US Secure Hash Algorithms."; - } - enum sha-384 { - value 4; - description - "The SHA-384 algorithm."; - reference - "RFC 6234: US Secure Hash Algorithms."; - } - enum sha-512 { - value 5; - description - "The SHA-512 algorithm."; - reference - "RFC 6234: US Secure Hash Algorithms."; - } - enum shake-128 { - value 6; - description - "The SHA3 algorithm with 128-bits output."; - reference - "National Institute of Standards and Technology, - SHA-3 Standard: Permutation-Based Hash and - Extendable-Output Functions, FIPS PUB 202, DOI - 10.6028/NIST.FIPS.202, August 2015."; - } - enum shake-224 { - value 7; - description - "The SHA3 algorithm with 224-bits output."; - reference - "National Institute of Standards and Technology, - SHA-3 Standard: 
Permutation-Based Hash and - Extendable-Output Functions, FIPS PUB 202, DOI - 10.6028/NIST.FIPS.202, August 2015."; - } - enum shake-256 { - value 8; - description - "The SHA3 algorithm with 256-bits output."; - reference - "National Institute of Standards and Technology, - SHA-3 Standard: Permutation-Based Hash and - Extendable-Output Functions, FIPS PUB 202, DOI - 10.6028/NIST.FIPS.202, August 2015."; - } - enum shake-384 { - value 9; - description - "The SHA3 algorithm with 384-bits output."; - reference - "National Institute of Standards and Technology, - SHA-3 Standard: Permutation-Based Hash and - Extendable-Output Functions, FIPS PUB 202, DOI - 10.6028/NIST.FIPS.202, August 2015."; - } - enum shake-512 { - value 10; - description - "The SHA3 algorithm with 384-bits output."; - reference - "National Institute of Standards and Technology, - SHA-3 Standard: Permutation-Based Hash and - Extendable-Output Functions, FIPS PUB 202, DOI - 10.6028/NIST.FIPS.202, August 2015."; - } - } - } - default "0"; - description - "The uint16 filed shall be set by individual protocol families - according to the hash algorithm value assigned by IANA. The - setting is optional and by default is 0. 
The enumeration - filed is set to the selected hash algorithm."; - } - - /***********************************************/ - /* Identities for Asymmetric Key Algorithms */ - /***********************************************/ - - typedef asymmetric-key-algorithm-t { - type union { - type uint16; - type enumeration { - enum NONE { - value 0; - description - "Asymetric key algorithm is NULL."; - } - enum rsa1024 { - value 1; - description - "The RSA algorithm using a 1024-bit key."; - reference - "RFC 8017: PKCS #1: RSA Cryptography - Specifications Version 2.2."; - } - enum rsa2048 { - value 2; - description - "The RSA algorithm using a 2048-bit key."; - reference - "RFC 8017: - PKCS #1: RSA Cryptography Specifications Version 2.2."; - } - enum rsa3072 { - value 3; - description - "The RSA algorithm using a 3072-bit key."; - reference - "RFC 8017: - PKCS #1: RSA Cryptography Specifications Version 2.2."; - } - enum rsa4096 { - value 4; - description - "The RSA algorithm using a 4096-bit key."; - reference - "RFC 8017: - PKCS #1: RSA Cryptography Specifications Version 2.2."; - } - enum rsa7680 { - value 5; - description - "The RSA algorithm using a 7680-bit key."; - reference - "RFC 8017: - PKCS #1: RSA Cryptography Specifications Version 2.2."; - } - enum rsa15360 { - value 6; - description - "The RSA algorithm using a 15360-bit key."; - reference - "RFC 8017: - PKCS #1: RSA Cryptography Specifications Version 2.2."; - } - enum secp192r1 { - value 7; - description - "The asymmetric algorithm using a NIST P192 Curve."; - reference - "RFC 6090: - Fundamental Elliptic Curve Cryptography Algorithms. - RFC 5480: - Elliptic Curve Cryptography Subject Public Key - Information."; - } - enum secp224r1 { - value 8; - description - "The asymmetric algorithm using a NIST P224 Curve."; - reference - "RFC 6090: - Fundamental Elliptic Curve Cryptography Algorithms. 
- RFC 5480:
- Elliptic Curve Cryptography Subject Public Key
- Information.";
- }
- enum secp256r1 {
- value 9;
- description
- "The asymmetric algorithm using a NIST P256 Curve.";
- reference
- "RFC 6090:
- Fundamental Elliptic Curve Cryptography Algorithms.
- RFC 5480:
- Elliptic Curve Cryptography Subject Public Key
- Information.";
- }
- enum secp384r1 {
- value 10;
- description
- "The asymmetric algorithm using a NIST P384 Curve.";
- reference
- "RFC 6090:
- Fundamental Elliptic Curve Cryptography Algorithms.
- RFC 5480:
- Elliptic Curve Cryptography Subject Public Key
- Information.";
- }
- enum secp521r1 {
- value 11;
- description
- "The asymmetric algorithm using a NIST P521 Curve.";
- reference
- "RFC 6090:
- Fundamental Elliptic Curve Cryptography Algorithms.
- RFC 5480:
- Elliptic Curve Cryptography Subject Public Key
- Information.";
- }
- enum x25519 {
- value 12;
- description
- "The asymmetric algorithm using a x.25519 Curve.";
- reference
- "RFC 7748:
- Elliptic Curves for Security.";
- }
- enum x448 {
- value 13;
- description
- "The asymmetric algorithm using a x.448 Curve.";
- reference
- "RFC 7748:
- Elliptic Curves for Security.";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the asymmetric key algorithm value
- assigned by IANA. The setting is optional and by default
- is 0. 
The enumeration filed is set to the selected
- asymmetric key algorithm.";
- }
-
- /*************************************/
- /* Identities for MAC Algorithms */
- /*************************************/
-
- typedef mac-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "mac algorithm is NULL.";
- }
- enum hmac-sha1 {
- value 1;
- description
- "Generating MAC using SHA1 hash function";
- reference
- "RFC 3174: US Secure Hash Algorithm 1 (SHA1)";
- }
- enum hmac-sha1-96 {
- value 2;
- description
- "Generating MAC using SHA1 hash function";
- reference
- "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";
- }
- enum hmac-sha2-224 {
- value 3;
- description
- "Generating MAC using SHA2 hash function";
- reference
- "RFC 6234: US Secure Hash Algorithms
- (SHA and SHA-based HMAC and HKDF)";
- }
- enum hmac-sha2-256 {
- value 4;
- description
- "Generating MAC using SHA2 hash function";
- reference
- "RFC 6234: US Secure Hash Algorithms
- (SHA and SHA-based HMAC and HKDF)";
- }
- enum hmac-sha2-256-128 {
- value 5;
- description
- "Generating a 256 bits MAC using SHA2 hash function and
- truncate it to 128 bits";
- reference
- "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
- and HMAC-SHA-512 with IPsec";
- }
- enum hmac-sha2-384 {
- value 6;
- description
- "Generating a 384 bits MAC using SHA2 hash function";
- reference
- "RFC 6234: US Secure Hash Algorithms
- (SHA and SHA-based HMAC and HKDF)";
- }
- enum hmac-sha2-384-192 {
- value 7;
- description
- "Generating a 384 bits MAC using SHA2 hash function and
- truncate it to 192 bits";
- reference
- "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
- and HMAC-SHA-512 with IPsec";
- }
- enum hmac-sha2-512 {
- value 8;
- description
- "Generating a 512 bits MAC using SHA2 hash function";
- reference
- "RFC 6234: US Secure Hash Algorithms
- (SHA and SHA-based HMAC and HKDF)";
- }
- enum hmac-sha2-512-256 {
- value 9;
- description
- "Generating a 512 bits MAC using SHA2 
hash function and
- truncate it to 256 bits";
- reference
- "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
- and HMAC-SHA-512 with IPsec";
- }
- enum aes-128-gmac {
- value 10;
- description
- "Generating 128-bit MAC using the Advanced Encryption
- Standard (AES) Galois Message Authentication Code
- (GMAC) as a mechanism to provide data origin
- authentication.";
- reference
- "RFC 4543:
- The Use of Galois Message Authentication Code (GMAC)
- in IPsec ESP and AH";
- }
- enum aes-192-gmac {
- value 11;
- description
- "Generating 192-bit MAC using the Advanced Encryption
- Standard (AES) Galois Message Authentication Code
- (GMAC) as a mechanism to provide data origin
- authentication.";
- reference
- "RFC 4543:
- The Use of Galois Message Authentication Code (GMAC)
- in IPsec ESP and AH";
- }
- enum aes-256-gmac {
- value 12;
- description
- "Generating 256-bit MAC using the Advanced Encryption
- Standard (AES) Galois Message Authentication Code
- (GMAC) as a mechanism to provide data origin
- authentication.";
- reference
- "RFC 4543:
- The Use of Galois Message Authentication Code (GMAC)
- in IPsec ESP and AH";
- }
- enum aes-cmac-96 {
- value 13;
- description
- "Generating 96-bit MAC using Advanced Encryption
- Standard (AES) Cipher-based Message Authentication
- Code (CMAC)";
- reference
- "RFC 4494:
- The AES-CMAC Algorithm and its Use with IPsec";
- }
- enum aes-cmac-128 {
- value 14;
- description
- "Generating 128-bit MAC using Advanced Encryption
- Standard (AES) Cipher-based Message Authentication
- Code (CMAC)";
- reference
- "RFC 4494:
- The AES-CMAC Algorithm and its Use with IPsec";
- }
- enum sha1-des3-kd {
- value 15;
- description
- "Generating MAC using triple DES encryption function";
- reference
- "RFC 3961:
- Encryption and Checksum Specifications for Kerberos
- 5";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the mac algorithm value assigned by
- IANA. 
The setting is optional and by default is 0. The
- enumeration filed is set to the selected mac algorithm.";
- }
-
- /********************************************/
- /* Identities for Encryption Algorithms */
- /********************************************/
-
- typedef encryption-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "Encryption algorithm is NULL.";
- }
- enum aes-128-cbc {
- value 1;
- description
- "Encrypt message with AES algorithm in CBC mode with
- a key length of 128 bits.";
- reference
- "RFC 3565: Use of the Advanced Encryption Standard (AES)
- Encryption Algorithm in Cryptographic Message Syntax
- (CMS)";
- }
- enum aes-192-cbc {
- value 2;
- description
- "Encrypt message with AES algorithm in CBC mode with
- a key length of 192 bits";
- reference
- "RFC 3565: Use of the Advanced Encryption Standard (AES)
- Encryption Algorithm in Cryptographic Message Syntax
- (CMS)";
- }
- enum aes-256-cbc {
- value 3;
- description
- "Encrypt message with AES algorithm in CBC mode with
- a key length of 256 bits";
- reference
- "RFC 3565: Use of the Advanced Encryption Standard (AES)
- Encryption Algorithm in Cryptographic Message Syntax
- (CMS)";
- }
- enum aes-128-ctr {
- value 4;
- description
- "Encrypt message with AES algorithm in CTR mode with
- a key length of 128 bits";
- reference
- "RFC 3686:
- Using Advanced Encryption Standard (AES) Counter
- Mode with IPsec Encapsulating Security Payload
- (ESP)";
- }
- enum aes-192-ctr {
- value 5;
- description
- "Encrypt message with AES algorithm in CTR mode with
- a key length of 192 bits";
- reference
- "RFC 3686:
- Using Advanced Encryption Standard (AES) Counter
- Mode with IPsec Encapsulating Security Payload
- (ESP)";
- }
- enum aes-256-ctr {
- value 6;
- description
- "Encrypt message with AES algorithm in CTR mode with
- a key length of 256 bits";
- reference
- "RFC 3686:
- Using Advanced Encryption Standard (AES) Counter
- Mode with IPsec 
Encapsulating Security Payload
- (ESP)";
- }
- enum des3-cbc-sha1-kd {
- value 7;
- description
- "Encrypt message with 3DES algorithm in CBC mode
- with sha1 function for key derivation";
- reference
- "RFC 3961:
- Encryption and Checksum Specifications for
- Kerberos 5";
- }
- enum rc4-hmac {
- value 8;
- description
- "Encrypt message with rc4 algorithm";
- reference
- "RFC 4757:
- The RC4-HMAC Kerberos Encryption Types Used by
- Microsoft Windows";
- }
- enum rc4-hmac-exp {
- value 9;
- description
- "Encrypt message with rc4 algorithm that is exportable";
- reference
- "RFC 4757:
- The RC4-HMAC Kerberos Encryption Types Used by
- Microsoft Windows";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the encryption algorithm value
- assigned by IANA. The setting is optional and by default
- is 0. The enumeration filed is set to the selected
- encryption algorithm.";
- }
-
- /****************************************************/
- /* Identities for Encryption and MAC Algorithms */
- /****************************************************/
-
- typedef encryption-and-mac-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "Encryption and MAC algorithm is NULL.";
- reference
- "None";
- }
- enum aes-128-ccm {
- value 1;
- description
- "Encrypt message with AES algorithm in CCM
- mode with a key length of 128 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4309: Using Advanced Encryption Standard
- (AES) CCM Mode with IPsec Encapsulating Security
- Payload (ESP)";
- }
- enum aes-192-ccm {
- value 2;
- description
- "Encrypt message with AES algorithm in CCM
- mode with a key length of 192 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4309: Using Advanced Encryption Standard
- (AES) CCM Mode with IPsec Encapsulating Security
- Payload (ESP)";
- }
- enum aes-256-ccm {
- value 3;
- description
- "Encrypt 
message with AES algorithm in CCM
- mode with a key length of 256 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4309: Using Advanced Encryption Standard
- (AES) CCM Mode with IPsec Encapsulating Security
- Payload (ESP)";
- }
- enum aes-128-gcm {
- value 4;
- description
- "Encrypt message with AES algorithm in GCM
- mode with a key length of 128 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4106: The Use of Galois/Counter Mode (GCM)
- in IPsec Encapsulating Security Payload (ESP)";
- }
- enum aes-192-gcm {
- value 5;
- description
- "Encrypt message with AES algorithm in GCM
- mode with a key length of 192 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4106: The Use of Galois/Counter Mode (GCM)
- in IPsec Encapsulating Security Payload (ESP)";
- }
- enum aes-256-gcm {
- value 6;
- description
- "Encrypt message with AES algorithm in GCM
- mode with a key length of 256 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4106: The Use of Galois/Counter Mode (GCM)
- in IPsec Encapsulating Security Payload (ESP)";
- }
- enum chacha20-poly1305 {
- value 7;
- description
- "Encrypt message with chacha20 algorithm and generate
- MAC with POLY1305; it can also be used for generating
- MAC";
- reference
- "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the encryption and mac algorithm value
- assigned by IANA. The setting is optional and by default is
- 0. 
The enumeration filed is set to the selected encryption
- and mac algorithm.";
- }
-
- /******************************************/
- /* Identities for signature algorithm */
- /******************************************/
-
- typedef signature-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "Signature algorithm is NULL";
- }
- enum dsa-sha1 {
- value 1;
- description
- "The signature algorithm using DSA algorithm with SHA1
- hash algorithm";
- reference
- "RFC 4253:
- The Secure Shell (SSH) Transport Layer Protocol";
- }
- enum rsassa-pkcs1-sha1 {
- value 2;
- description
- "The signature algorithm using RSASSA-PKCS1-v1_5 with
- the SHA1 hash algorithm.";
- reference
- "RFC 4253:
- The Secure Shell (SSH) Transport Layer Protocol";
- }
- enum rsassa-pkcs1-sha256 {
- value 3;
- description
- "The signature algorithm using RSASSA-PKCS1-v1_5 with
- the SHA256 hash algorithm.";
- reference
- "RFC 8332:
- Use of RSA Keys with SHA-256 and SHA-512 in the
- Secure Shell (SSH) Protocol
- RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pkcs1-sha384 {
- value 4;
- description
- "The signature algorithm using RSASSA-PKCS1-v1_5 with
- the SHA384 hash algorithm.";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pkcs1-sha512 {
- value 5;
- description
- "The signature algorithm using RSASSA-PKCS1-v1_5 with
- the SHA512 hash algorithm.";
- reference
- "RFC 8332:
- Use of RSA Keys with SHA-256 and SHA-512 in the
- Secure Shell (SSH) Protocol
- RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-rsae-sha256 {
- value 6;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA256 hash algorithm. 
If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-rsae-sha384 {
- value 7;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA384 hash algorithm. If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-rsae-sha512 {
- value 8;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA512 hash algorithm. If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-pss-sha256 {
- value 9;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA256 hash algorithm. If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-pss-sha384 {
- value 10;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA384 hash algorithm. If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-pss-sha512 {
- value 11;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA512 hash algorithm. 
If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum ecdsa-secp256r1-sha256 {
- value 12;
- description
- "The signature algorithm using ECDSA with curve name
- secp256r1 and SHA256 hash algorithm.";
- reference
- "RFC 5656:
- Elliptic Curve Algorithm Integration in the Secure
- Shell Transport Layer
- RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum ecdsa-secp384r1-sha384 {
- value 13;
- description
- "The signature algorithm using ECDSA with curve name
- secp384r1 and SHA384 hash algorithm.";
- reference
- "RFC 5656:
- Elliptic Curve Algorithm Integration in the Secure
- Shell Transport Layer
- RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum ecdsa-secp521r1-sha512 {
- value 14;
- description
- "The signature algorithm using ECDSA with curve name
- secp521r1 and SHA512 hash algorithm.";
- reference
- "RFC 5656:
- Elliptic Curve Algorithm Integration in the Secure
- Shell Transport Layer
- RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum ed25519 {
- value 15;
- description
- "The signature algorithm using EdDSA with curve x25519";
- reference
- "RFC 8032:
- Edwards-Curve Digital Signature Algorithm (EdDSA)";
- }
- enum ed25519-cts {
- value 16;
- description
- "The signature algorithm using EdDSA with curve x25519
- with phflag = 0";
- reference
- "RFC 8032:
- Edwards-Curve Digital Signature Algorithm (EdDSA)";
- }
- enum ed25519-ph {
- value 17;
- description
- "The signature algorithm using EdDSA with curve x25519
- with phflag = 1";
- reference
- "RFC 8032:
- Edwards-Curve Digital Signature Algorithm (EdDSA)";
- }
- enum ed25519-sha512 {
- value 18;
- description
- "The signature algorithm using EdDSA with curve x25519
- and SHA-512 function";
- reference
- "RFC 8419:
- Use of Edwards-Curve Digital Signature Algorithm
- 
(EdDSA) Signatures in the Cryptographic Message
- Syntax (CMS)";
- }
- enum ed448 {
- value 19;
- description
- "The signature algorithm using EdDSA with curve x448";
- reference
- "RFC 8032:
- Edwards-Curve Digital Signature Algorithm (EdDSA)";
- }
- enum ed448-ph {
- value 20;
- description
- "The signature algorithm using EdDSA with curve x448
- and with PH being SHAKE256(x, 64) and phflag being 1";
- reference
- "RFC 8032:
- Edwards-Curve Digital Signature Algorithm (EdDSA)";
- }
- enum ed448-shake256 {
- value 21;
- description
- "The signature algorithm using EdDSA with curve x448
- and SHAKE-256 function";
- reference
- "RFC 8419:
- Use of Edwards-Curve Digital Signature Algorithm
- (EdDSA) Signatures in the Cryptographic Message
- Syntax (CMS)";
- }
- enum ed448-shake256-len {
- value 22;
- description
- "The signature algorithm using EdDSA with curve x448
- and SHAKE-256 function and a customized hash output";
- reference
- "RFC 8419:
- Use of Edwards-Curve Digital Signature Algorithm
- (EdDSA) Signatures in the Cryptographic Message
- Syntax (CMS)";
- }
- enum rsa-sha2-256 {
- value 23;
- description
- "The signature algorithm using RSA with SHA2 function
- for SSH protocol";
- reference
- "RFC 8332:
- Use of RSA Keys with SHA-256 and SHA-512
- in the Secure Shell (SSH) Protocol";
- }
- enum rsa-sha2-512 {
- value 24;
- description
- "The signature algorithm using RSA with SHA2 function
- for SSH protocol";
- reference
- "RFC 8332:
- Use of RSA Keys with SHA-256 and SHA-512
- in the Secure Shell (SSH) Protocol";
- }
- enum eccsi {
- value 25;
- description
- "The signature algorithm using ECCSI signature as
- defined in RFC 6507.";
- reference
- "RFC 6507:
- Elliptic Curve-Based Certificateless Signatures
- for Identity-based Encryption (ECCSI)";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the signature algorithm value
- assigned by IANA. 
The setting is optional and by default
- is 0. The enumeration filed is set to the selected
- signature algorithm.";
- }
-
- /**********************************************/
- /* Identities for key exchange algorithms */
- /**********************************************/
-
- typedef key-exchange-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "Key exchange algorithm is NULL.";
- }
- enum psk-only {
- value 1;
- description
- "Using Pre-shared key for authentication and key
- exchange";
- reference
- "RFC 4279:
- Pre-Shared Key cipher suites for Transport Layer
- Security (TLS)";
- }
- enum dhe-ffdhe2048 {
- value 2;
- description
- "Ephemeral Diffie Hellman key exchange with 2048 bit
- finite field";
- reference
- "RFC 7919:
- Negotiated Finite Field Diffie-Hellman Ephemeral
- Parameters for Transport Layer Security (TLS)";
- }
- enum dhe-ffdhe3072 {
- value 3;
- description
- "Ephemeral Diffie Hellman key exchange with 3072 bit
- finite field";
- reference
- "RFC 7919:
- Negotiated Finite Field Diffie-Hellman Ephemeral
- Parameters for Transport Layer Security (TLS)";
- }
- enum dhe-ffdhe4096 {
- value 4;
- description
- "Ephemeral Diffie Hellman key exchange with 4096 bit
- finite field";
- reference
- "RFC 7919:
- Negotiated Finite Field Diffie-Hellman Ephemeral
- Parameters for Transport Layer Security (TLS)";
- }
- enum dhe-ffdhe6144 {
- value 5;
- description
- "Ephemeral Diffie Hellman key exchange with 6144 bit
- finite field";
- reference
- "RFC 7919:
- Negotiated Finite Field Diffie-Hellman Ephemeral
- Parameters for Transport Layer Security (TLS)";
- }
- enum dhe-ffdhe8192 {
- value 6;
- description
- "Ephemeral Diffie Hellman key exchange with 8192 bit
- finite field";
- reference
- "RFC 7919:
- Negotiated Finite Field Diffie-Hellman Ephemeral
- Parameters for Transport Layer Security (TLS)";
- }
- enum psk-dhe-ffdhe2048 {
- value 7;
- description
- "Key exchange using pre-shared key with 
Diffie-Hellman
- key generation mechanism, where the DH group is
- FFDHE2048";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-dhe-ffdhe3072 {
- value 8;
- description
- "Key exchange using pre-shared key with Diffie-Hellman
- key generation mechanism, where the DH group is
- FFDHE3072";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-dhe-ffdhe4096 {
- value 9;
- description
- "Key exchange using pre-shared key with Diffie-Hellman
- key generation mechanism, where the DH group is
- FFDHE4096";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-dhe-ffdhe6144 {
- value 10;
- description
- "Key exchange using pre-shared key with Diffie-Hellman
- key generation mechanism, where the DH group is
- FFDHE6144";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-dhe-ffdhe8192 {
- value 11;
- description
- "Key exchange using pre-shared key with Diffie-Hellman
- key generation mechanism, where the DH group is
- FFDHE8192";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum ecdhe-secp256r1 {
- value 12;
- description
- "Ephemeral Diffie Hellman key exchange with elliptic
- group over curve secp256r1";
- reference
- "RFC 8422:
- Elliptic Curve Cryptography (ECC) Cipher Suites
- for Transport Layer Security (TLS) Versions 1.2
- and Earlier";
- }
- enum ecdhe-secp384r1 {
- value 13;
- description
- "Ephemeral Diffie Hellman key exchange with elliptic
- group over curve secp384r1";
- reference
- "RFC 8422:
- Elliptic Curve Cryptography (ECC) Cipher Suites
- for Transport Layer Security (TLS) Versions 1.2
- and Earlier";
- }
- enum ecdhe-secp521r1 {
- value 14;
- description
- "Ephemeral Diffie Hellman key exchange with elliptic
- group over curve secp521r1";
- reference
- "RFC 8422:
- Elliptic Curve Cryptography (ECC) Cipher 
Suites
- for Transport Layer Security (TLS) Versions 1.2
- and Earlier";
- }
- enum ecdhe-x25519 {
- value 15;
- description
- "Ephemeral Diffie Hellman key exchange with elliptic
- group over curve x25519";
- reference
- "RFC 8422:
- Elliptic Curve Cryptography (ECC) Cipher Suites
- for Transport Layer Security (TLS) Versions 1.2
- and Earlier";
- }
- enum ecdhe-x448 {
- value 16;
- description
- "Ephemeral Diffie Hellman key exchange with elliptic
- group over curve x448";
- reference
- "RFC 8422:
- Elliptic Curve Cryptography (ECC) Cipher Suites
- for Transport Layer Security (TLS) Versions 1.2
- and Earlier";
- }
- enum psk-ecdhe-secp256r1 {
- value 17;
- description
- "Key exchange using pre-shared key with elliptic
- group-based Ephemeral Diffie Hellman key exchange
- over curve secp256r1";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-ecdhe-secp384r1 {
- value 18;
- description
- "Key exchange using pre-shared key with elliptic
- group-based Ephemeral Diffie Hellman key exchange
- over curve secp384r1";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-ecdhe-secp521r1 {
- value 19;
- description
- "Key exchange using pre-shared key with elliptic
- group-based Ephemeral Diffie Hellman key exchange
- over curve secp521r1";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-ecdhe-x25519 {
- value 20;
- description
- "Key exchange using pre-shared key with elliptic
- group-based Ephemeral Diffie Hellman key exchange
- over curve x25519";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-ecdhe-x448 {
- value 21;
- description
- "Key exchange using pre-shared key with elliptic
- group-based Ephemeral Diffie Hellman key exchange
- over curve x448";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum 
diffie-hellman-group14-sha1 {
- value 22;
- description
- "Using DH group14 and SHA1 for key exchange";
- reference
- "RFC 4253:
- The Secure Shell (SSH) Transport Layer Protocol";
- }
- enum diffie-hellman-group14-sha256 {
- value 23;
- description
- "Using DH group14 and SHA-256 for key exchange";
- reference
- "RFC 8268:
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)
- Key Exchange (KEX) Groups for Secure Shell (SSH)";
- }
- enum diffie-hellman-group15-sha512 {
- value 24;
- description
- "Using DH group15 and SHA-512 for key exchange";
- reference
- "RFC 8268:
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)
- Key Exchange (KEX) Groups for Secure Shell (SSH)";
- }
- enum diffie-hellman-group16-sha512 {
- value 25;
- description
- "Using DH group16 and SHA-512 for key exchange";
- reference
- "RFC 8268:
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)
- Key Exchange (KEX) Groups for Secure Shell (SSH)";
- }
- enum diffie-hellman-group17-sha512 {
- value 26;
- description
- "Using DH group17 and SHA-512 for key exchange";
- reference
- "RFC 8268:
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)
- Key Exchange (KEX) Groups for Secure Shell (SSH)";
- }
- enum diffie-hellman-group18-sha512 {
- value 27;
- description
- "Using DH group18 and SHA-512 for key exchange";
- reference
- "RFC 8268:
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)
- Key Exchange (KEX) Groups for Secure Shell (SSH)";
- }
- enum ecdh-sha2-secp256r1 {
- value 28;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve ecp256r1 and using SHA2 for MAC generation";
- reference
- "RFC 6239:
- Suite B Cryptographic Suites for Secure Shell (SSH)";
- }
- enum ecdh-sha2-secp384r1 {
- value 29;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve ecp384r1 and using SHA2 for MAC generation";
- reference
- "RFC 6239:
- Suite B Cryptographic Suites for Secure Shell (SSH)";
- }
- enum ecdh-x25519-x9.63-sha256 {
- 
value 30;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using ANSI x9.63 with SHA256 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x25519-x9.63-sha384 {
- value 31;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using ANSI x9.63 with SHA384 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x25519-x9.63-sha512 {
- value 32;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using ANSI x9.63 with SHA512 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x25519-hkdf-sha256 {
- value 33;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using HKDF with SHA256 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x25519-hkdf-sha384 {
- value 34;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using HKDF with SHA384 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x25519-hkdf-sha512 {
- value 35;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using HKDF with SHA512 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum 
ecdh-x448-x9.63-sha256 {
- value 36;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using ANSI x9.63 with SHA256 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x448-x9.63-sha384 {
- value 37;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using ANSI x9.63 with SHA384 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x448-x9.63-sha512 {
- value 38;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using ANSI x9.63 with SHA512 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x448-hkdf-sha256 {
- value 39;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using HKDF with SHA256 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x448-hkdf-sha384 {
- value 40;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using HKDF with SHA384 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x448-hkdf-sha512 {
- value 41;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using HKDF with SHA512 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum 
rsaes-oaep {
- value 42;
- description
- "RSAES-OAEP combines the RSAEP and RSADP primitives with
- the EME-OAEP encoding method";
- reference
- "RFC 8017:
- PKCS #1:
- RSA Cryptography Specifications Version 2.2.";
- }
- enum rsaes-pkcs1-v1_5 {
- value 43;
- description
- "RSAES-PKCS1-v1_5 combines the RSAEP and RSADP
- primitives with the EME-PKCS1-v1_5 encoding method";
- reference
- "RFC 8017:
- PKCS #1:
- RSA Cryptography Specifications Version 2.2.";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the key exchange algorithm value
- assigned by IANA. The setting is optional and by default
- is 0. The enumeration filed is set to the selected key
- exchange algorithm.";
- }
-
- /***************************************************/
- /* Typedefs for ASN.1 structures from RFC 5280 */
- /***************************************************/
-
- typedef x509 {
- type binary;
- description
- "A Certificate structure, as specified in RFC 5280,
- encoded using ASN.1 distinguished encoding rules (DER),
- as specified in ITU-T X.690.";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER).";
- }
-
- typedef crl {
- type binary;
- description
- "A CertificateList structure, as specified in RFC 5280,
- encoded using ASN.1 distinguished encoding rules (DER),
- as specified in ITU-T X.690.";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER).";
- }
-
- 
/***********************************************/ - /* Typedefs for ASN.1 structures from 5652 */ - /***********************************************/ - - typedef cms { - type binary; - description - "A ContentInfo structure, as specified in RFC 5652, - encoded using ASN.1 distinguished encoding rules (DER), - as specified in ITU-T X.690."; - reference - "RFC 5652: - Cryptographic Message Syntax (CMS) - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - - typedef data-content-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - data content type, as described by Section 4 in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef signed-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - signed-data content type, as described by Section 5 in - RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef enveloped-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - enveloped-data content type, as described by Section 6 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef digested-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - digested-data content type, as described by Section 7 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef encrypted-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - encrypted-data content type, as described by Section 8 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef authenticated-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - 
authenticated-data content type, as described by Section 9 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - /***************************************************/ - /* Typedefs for structures related to RFC 4253 */ - /***************************************************/ - - typedef ssh-host-key { - type binary; - description - "The binary public key data for this SSH key, as - specified by RFC 4253, Section 6.6, i.e.: - - string certificate or public key format - identifier - byte[n] key/certificate data."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer - Protocol"; - } - - /*********************************************************/ - /* Typedefs for ASN.1 structures related to RFC 5280 */ - /*********************************************************/ - - typedef trust-anchor-cert-x509 { - type x509; - description - "A Certificate structure that MUST encode a self-signed - root certificate."; - } - - typedef end-entity-cert-x509 { - type x509; - description - "A Certificate structure that MUST encode a certificate - that is neither self-signed nor having Basic constraint - CA true."; - } - - /*********************************************************/ - /* Typedefs for ASN.1 structures related to RFC 5652 */ - /*********************************************************/ - - typedef trust-anchor-cert-cms { - type signed-data-cms; - description - "A CMS SignedData structure that MUST contain the chain of - X.509 certificates needed to authenticate the certificate - presented by a client or end-entity. - - The CMS MUST contain only a single chain of certificates. - The client or end-entity certificate MUST only authenticate - to last intermediate CA certificate listed in the chain. - - In all cases, the chain MUST include a self-signed root - certificate. In the case where the root certificate is - itself the issuer of the client or end-entity certificate, - only one certificate is present. 
-
- This CMS structure MAY (as applicable where this type is
- used) also contain suitably fresh (as defined by local
- policy) revocation objects with which the device can
- verify the revocation status of the certificates.
-
- This CMS encodes the degenerate form of the SignedData
- structure that is commonly used to disseminate X.509
- certificates and revocation objects (RFC 5280).";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile.";
- }
-
- typedef end-entity-cert-cms {
- type signed-data-cms;
- description
- "A CMS SignedData structure that MUST contain the end
- entity certificate itself, and MAY contain any number
- of intermediate certificates leading up to a trust
- anchor certificate. The trust anchor certificate
- MAY be included as well.
-
- The CMS MUST contain a single end entity certificate.
- The CMS MUST NOT contain any spurious certificates.
-
- This CMS structure MAY (as applicable where this type is
- used) also contain suitably fresh (as defined by local
- policy) revocation objects with which the device can
- verify the revocation status of the certificates. 
-
- This CMS encodes the degenerate form of the SignedData
- structure that is commonly used to disseminate X.509
- certificates and revocation objects (RFC 5280).";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile.";
- }
-
- /**********************************************/
- /* Groupings for keys and/or certificates */
- /**********************************************/
-
- grouping symmetric-key-grouping {
- description
- "A symmetric key and algorithm.";
- leaf algorithm {
- type encryption-algorithm-t;
- mandatory true;
- description
- "The algorithm to be used when generating the key.";
- reference
- "RFC CCCC: Common YANG Data Types for Cryptography";
- }
- choice key-type {
- mandatory true;
- description
- "Choice between key types.";
- leaf key {
- nacm:default-deny-all;
- type binary;
- description
- "The binary value of the key. The interpretation of
- the value is defined by 'algorithm'. For example,
- FIXME.";
- reference
- "RFC XXXX: FIXME";
- }
- leaf hidden-key {
- nacm:default-deny-write;
- type empty;
- description
- "A permanently hidden key. How such keys are created
- is outside the scope of this module.";
- }
- }
- }
-
- grouping public-key-grouping {
- description
- "A public key and its associated algorithm.";
- leaf algorithm {
- nacm:default-deny-write;
- type asymmetric-key-algorithm-t;
- mandatory true;
- description
- "Identifies the key's algorithm.";
- reference
- "RFC CCCC: Common YANG Data Types for Cryptography";
- }
- leaf public-key {
- nacm:default-deny-write;
- type binary;
- mandatory true;
- description
- "The binary value of the public key. The interpretation
- of the value is defined by 'algorithm'. 
For example,
- a DSA key is an integer, an RSA key is represented as
- RSAPublicKey per RFC 8017, and an ECC key is represented
- using the 'publicKey' described in RFC 5915.";
- reference
- "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
- RSA Cryptography Specifications Version 2.2.
- RFC 5915: Elliptic Curve Private Key Structure.";
- }
- }
-
- grouping asymmetric-key-pair-grouping {
- description
- "A private key and its associated public key and algorithm.";
- uses public-key-grouping;
- choice private-key-type {
- mandatory true;
- description
- "Choice between key types.";
- leaf private-key {
- nacm:default-deny-all;
- type binary;
- description
- "The value of the binary key. The key's value is
- interpreted by the 'algorithm'. For example, a DSA key
- is an integer, an RSA key is represented as RSAPrivateKey
- as defined in RFC 8017, and an ECC key is represented as
- ECPrivateKey as defined in RFC 5915.";
- reference
- "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
- RSA Cryptography Specifications Version 2.2.
- RFC 5915: Elliptic Curve Private Key Structure.";
- }
- leaf hidden-private-key {
- nacm:default-deny-write;
- type empty;
- description
- "A permanently hidden key. How such keys are created
- is outside the scope of this module.";
- }
- }
- }
-
- grouping trust-anchor-cert-grouping {
- description
- "A trust anchor certificate, and a notification for when
- it is about to (or already has) expire.";
- leaf cert {
- nacm:default-deny-write;
- type trust-anchor-cert-cms;
- description
- "The binary certificate data for this certificate.";
- reference
- "RFC YYYY: Common YANG Data Types for Cryptography";
- }
- notification certificate-expiration {
- description
- "A notification indicating that the configured certificate
- is either about to expire or has already expired. 
When to
- send notifications is an implementation specific decision,
- but it is RECOMMENDED that a notification be sent once a
- month for 3 months, then once a week for four weeks, and
- then once a day thereafter until the issue is resolved.";
- leaf expiration-date {
- type yang:date-and-time;
- mandatory true;
- description
- "Identifies the expiration date on the certificate.";
- }
- }
- }
-
- grouping trust-anchor-certs-grouping {
- description
- "A list of trust anchor certificates, and a notification
- for when one is about to (or already has) expire.";
- leaf-list cert {
- nacm:default-deny-write;
- type trust-anchor-cert-cms;
- description
- "The binary certificate data for this certificate.";
- reference
- "RFC YYYY: Common YANG Data Types for Cryptography";
- }
- notification certificate-expiration {
- description
- "A notification indicating that the configured certificate
- is either about to expire or has already expired. When to
- send notifications is an implementation specific decision,
- but it is RECOMMENDED that a notification be sent once a
- month for 3 months, then once a week for four weeks, and
- then once a day thereafter until the issue is resolved.";
- leaf expiration-date {
- type yang:date-and-time;
- mandatory true;
- description
- "Identifies the expiration date on the certificate.";
- }
- }
- }
-
- grouping end-entity-cert-grouping {
- description
- "An end entity certificate, and a notification for when
- it is about to (or already has) expire. Implementations
- SHOULD assert that, where used, the end entity certificate
- contains the expected public key.";
- leaf cert {
- nacm:default-deny-write;
- type end-entity-cert-cms;
- description
- "The binary certificate data for this certificate.";
- reference
- "RFC YYYY: Common YANG Data Types for Cryptography";
- }
- notification certificate-expiration {
- description
- "A notification indicating that the configured certificate
- is either about to expire or has already expired. 
When to
- send notifications is an implementation specific decision,
- but it is RECOMMENDED that a notification be sent once a
- month for 3 months, then once a week for four weeks, and
- then once a day thereafter until the issue is resolved.";
- leaf expiration-date {
- type yang:date-and-time;
- mandatory true;
- description
- "Identifies the expiration date on the certificate.";
- }
- }
- }
-
- grouping end-entity-certs-grouping {
- description
- "A list of end entity certificates, and a notification for
- when one is about to (or already has) expire.";
- leaf-list cert {
- nacm:default-deny-write;
- type end-entity-cert-cms;
- description
- "The binary certificate data for this certificate.";
- reference
- "RFC YYYY: Common YANG Data Types for Cryptography";
- }
- notification certificate-expiration {
- description
- "A notification indicating that the configured certificate
- is either about to expire or has already expired. When to
- send notifications is an implementation specific decision,
- but it is RECOMMENDED that a notification be sent once a
- month for 3 months, then once a week for four weeks, and
- then once a day thereafter until the issue is resolved.";
- leaf expiration-date {
- type yang:date-and-time;
- mandatory true;
- description
- "Identifies the expiration date on the certificate.";
- }
- }
- }
-
- grouping asymmetric-key-pair-with-cert-grouping {
- description
- "A private/public key pair and an associated certificate.
- Implementations SHOULD assert that certificates contain
- the matching public key.";
- uses asymmetric-key-pair-grouping;
- uses end-entity-cert-grouping;
- action generate-certificate-signing-request {
- nacm:default-deny-all;
- description
- "Generates a certificate signing request structure for
- the associated asymmetric key using the passed subject
- and attribute values. The specified assertions need
- to be appropriate for the certificate's use. 
For - example, an entity certificate for a TLS server - SHOULD have values that enable clients to satisfy - RFC 6125 processing."; - input { - leaf subject { - type binary; - mandatory true; - description - "The 'subject' field per the CertificationRequestInfo - structure as specified by RFC 2986, Section 4.1 - encoded using the ASN.1 distinguished encoding - rules (DER), as specified in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - leaf attributes { - type binary; // FIXME: does this need to be mandatory? - description - "The 'attributes' field from the structure - CertificationRequestInfo as specified by RFC 2986, - Section 4.1 encoded using the ASN.1 distinguished - encoding rules (DER), as specified in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - } - output { - leaf certificate-signing-request { - type binary; - mandatory true; - description - "A CertificationRequest structure as specified by - RFC 2986, Section 4.2 encoded using the ASN.1 - distinguished encoding rules (DER), as specified - in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. 
- ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - } - } // generate-certificate-signing-request - } // asymmetric-key-pair-with-cert-grouping - - grouping asymmetric-key-pair-with-certs-grouping { - description - "A private/public key pair and associated certificates. - Implementations SHOULD assert that certificates contain - the matching public key."; - uses asymmetric-key-pair-grouping; - container certificates { - nacm:default-deny-write; - description - "Certificates associated with this asymmetric key. - More than one certificate supports, for instance, - a TPM-protected asymmetric key that has both IDevID - and LDevID certificates associated."; - list certificate { - key "name"; - description - "A certificate for this asymmetric key."; - leaf name { - type string; - description - "An arbitrary name for the certificate. If the name - matches the name of a certificate that exists - independently in (i.e., an IDevID), - then the 'cert' node MUST NOT be configured."; - } - uses end-entity-cert-grouping; - } - } // certificates - action generate-certificate-signing-request { - nacm:default-deny-all; - description - "Generates a certificate signing request structure for - the associated asymmetric key using the passed subject - and attribute values. The specified assertions need - to be appropriate for the certificate's use. For - example, an entity certificate for a TLS server - SHOULD have values that enable clients to satisfy - RFC 6125 processing."; - input { - leaf subject { - type binary; - mandatory true; - description - "The 'subject' field per the CertificationRequestInfo - structure as specified by RFC 2986, Section 4.1 - encoded using the ASN.1 distinguished encoding - rules (DER), as specified in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. 
- ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - leaf attributes { - type binary; // FIXME: does this need to be mandatory? - description - "The 'attributes' field from the structure - CertificationRequestInfo as specified by RFC 2986, - Section 4.1 encoded using the ASN.1 distinguished - encoding rules (DER), as specified in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - } - output { - leaf certificate-signing-request { - type binary; - mandatory true; - description - "A CertificationRequest structure as specified by - RFC 2986, Section 4.2 encoded using the ASN.1 - distinguished encoding rules (DER), as specified - in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - } - } // generate-certificate-signing-request - } // asymmetric-key-pair-with-certs-grouping - } diff --git a/modules/ietf-keystore@2019-07-02.yang b/modules/ietf-keystore@2019-07-02.yang deleted file mode 100644 index a4724c0be..000000000 --- a/modules/ietf-keystore@2019-07-02.yang +++ /dev/null 
@@ -1,458 +0,0 @@
- module ietf-keystore {
- yang-version 1.1;
- namespace "urn:ietf:params:xml:ns:yang:ietf-keystore";
- prefix ks;
-
- import ietf-crypto-types {
- prefix ct;
- reference
- "RFC CCCC: Common YANG Data Types for Cryptography";
- }
-
- import ietf-netconf-acm {
- prefix nacm;
- reference
- "RFC 8341: Network Configuration Access Control Model";
- }
-
- organization
- "IETF NETCONF (Network Configuration) Working Group";
-
- contact
- "WG Web:
- WG List:
- Author: Kent Watsen ";
-
- description
- "This module defines a keystore to centralize management
- of security credentials.
-
- Copyright (c) 2019 IETF Trust and the persons identified
- as authors of the code. All rights reserved.
-
- Redistribution and use in source and binary forms, with
- or without modification, is permitted pursuant to, and
- subject to the license terms contained in, the Simplified
- BSD License set forth in Section 4.c of the IETF Trust's
- Legal Provisions Relating to IETF Documents
- (https://trustee.ietf.org/license-info). 
-
- This version of this YANG module is part of RFC XXXX
- (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
- itself for full legal notices.;
-
- The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
- 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
- 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
- are to be interpreted as described in BCP 14 (RFC 2119)
- (RFC 8174) when, and only when, they appear in all
- capitals, as shown here.";
-
- revision 2019-07-02 {
- description
- "Initial version";
- reference
- "RFC VVVV: A YANG Data Model for a Keystore";
- }
-
- /****************/
- /* Features */
- /****************/
-
- feature keystore-supported {
- description
- "The 'keystore-supported' feature indicates that the server
- supports the keystore.";
- }
-
- feature local-definitions-supported {
- description
- "The 'local-definitions-supported' feature indicates that the
- server supports locally-defined keys.";
- }
-
- feature key-generation {
- description
- "Indicates that the server supports the actions related to
- the life cycling keys in . 
To be used by
- configuration, keys in must be copied to
- .";
- }
-
- /****************/
- /* Typedefs */
- /****************/
-
- typedef asymmetric-key-ref {
- type leafref {
- path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
- + "/ks:name";
- }
- description
- "This typedef enables modules to easily define a reference
- to an asymmetric key stored in the keystore.";
- }
-
- /*****************/
- /* Groupings */
- /*****************/
-
-
- grouping key-reference-type-grouping {
- description
- "A reusable grouping for a choice for the type of key
- referenced in the keystore.";
- choice key-type {
- mandatory true;
- description
- "A choice between a reference to a symmetric or asymmetric
- key in the keystore.";
- leaf symmetric-key-ref {
- if-feature "keystore-supported";
- type leafref {
- path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key/"
- + "ks:name";
- }
- description
- "Identifies a symmetric key used to encrypt this key.";
- }
- leaf asymmetric-key-ref {
- if-feature "keystore-supported";
- type leafref {
- path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key/"
- + "ks:name";
- }
- description
- "Identifies an asymmetric key used to encrypt this key.";
- }
- }
- }
-
- grouping encrypted-value-grouping {
- description
- "A reusable grouping for a value that has been encrypted by
- a symmetric or asymmetric key in the keystore.";
- uses "key-reference-type-grouping";
- leaf value {
- type binary;
- description
- "The private key, encrypted using the specified symmetric
- or asymmetric key.";
- }
- }
-
- grouping symmetric-key-grouping {
- description
- "This grouping is identical to the one in ietf-crypt-types
- except that it adds a couple case statements enabling the
- key value to be encrypted by a symmetric or an asymmetric
- key known to the keystore.";
- uses ct:symmetric-key-grouping {
- augment "key-type" {
- description
- "Augments a new 'case' statement into the 'choice'
- statement defined by the ietf-crypto-types module.";
- 
container encrypted-key {
- description
- "A container for the encrypted symmetric key value.";
- uses encrypted-value-grouping;
- }
- }
- }
- }
-
- grouping asymmetric-key-pair-grouping {
- description
- "This grouping is identical to the one in ietf-crypt-types
- except that it adds a couple case statements enabling the
- key value to be encrypted by a symmetric or an asymmetric
- key known to the keystore.";
- uses ct:asymmetric-key-pair-grouping {
- augment "private-key-type" {
- description
- "Augments a new 'case' statement into the 'choice'
- statement defined by the ietf-crypto-types module.";
- container encrypted-private-key {
- description
- "A container for the encrypted asymmetric private
- key value.";
- uses encrypted-value-grouping;
- }
- }
- }
- }
-
- grouping asymmetric-key-pair-with-cert-grouping {
- description
- "This grouping is identical to the one in ietf-crypt-types
- except that it adds a couple case statements enabling the
- key value to be encrypted by a symmetric or an asymmetric
- key known to the keystore.";
- uses ct:asymmetric-key-pair-with-cert-grouping {
- augment "private-key-type" {
- description
- "Augments a new 'case' statement into the 'choice'
- statement defined by the ietf-crypto-types module.";
- container encrypted-private-key {
- description
- "A container for the encrypted asymmetric private
- key value.";
- uses encrypted-value-grouping;
- }
- }
- }
- }
-
- grouping asymmetric-key-pair-with-certs-grouping {
- description
- "This grouping is identical to the one in ietf-crypt-types
- except that it adds a couple case statements enabling the
- key value to be encrypted by a symmetric or an asymmetric
- key known to the keystore.";
- uses ct:asymmetric-key-pair-with-certs-grouping {
- augment "private-key-type" {
- description
- "Augments a new 'case' statement into the 'choice'
- statement defined by the ietf-crypto-types module.";
- container encrypted-private-key {
- description
- "A container for the encrypted 
asymmetric private
- key value.";
- uses encrypted-value-grouping;
- }
- }
- }
- }
-
- grouping asymmetric-key-certificate-ref-grouping {
- leaf asymmetric-key {
- type ks:asymmetric-key-ref;
- must '../certificate';
- description
- "A reference to an asymmetric key in the keystore.";
- }
- leaf certificate {
- type leafref {
- path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key[ks:"
- + "name = current()/../asymmetric-key]/ks:certificates"
- + "/ks:certificate/ks:name";
- }
- must '../asymmetric-key';
- description
- "A reference to a specific certificate of the
- asymmetric key in the keystore.";
- }
- description
- "This grouping defines a reference to a specific certificate
- associated with an asymmetric key stored in the keystore.";
- }
-
- grouping local-or-keystore-asymmetric-key-grouping {
- description
- "A grouping that expands to allow the asymmetric key to be
- either stored locally, within the using data model, or be
- a reference to an asymmetric key stored in the keystore.";
- choice local-or-keystore {
- mandatory true;
- case local {
- if-feature "local-definitions-supported";
- container local-definition {
- description
- "Container to hold the local key definition.";
- uses asymmetric-key-pair-grouping;
- }
- }
- case keystore {
- if-feature "keystore-supported";
- leaf keystore-reference {
- type ks:asymmetric-key-ref;
- description
- "A reference to an asymmetric key that exists in
- the keystore. 
The intent is to reference just the
- asymmetric key, not any certificates that may also
- be associated with the asymmetric key.";
- }
- }
- description
- "A choice between an inlined definition and a definition
- that exists in the keystore.";
- }
- }
-
- grouping local-or-keystore-asymmetric-key-with-certs-grouping {
- description
- "A grouping that expands to allow an asymmetric key and its
- associated certificates to be either stored locally, within
- the using data model, or be a reference to an asymmetric key
- (and its associated certificates) stored in the keystore.";
- choice local-or-keystore {
- mandatory true;
- case local {
- if-feature "local-definitions-supported";
- container local-definition {
- description
- "Container to hold the local key definition.";
- uses asymmetric-key-pair-with-certs-grouping;
- }
- }
- case keystore {
- if-feature "keystore-supported";
- leaf keystore-reference {
- type ks:asymmetric-key-ref;
- description
- "A reference to an asymmetric-key (and all of its
- associated certificates) in the keystore.";
- }
- }
- description
- "A choice between an inlined definition and a definition
- that exists in the keystore.";
- }
- }
-
- grouping local-or-keystore-end-entity-cert-with-key-grouping {
- description
- "A grouping that expands to allow an end-entity certificate
- (and its associated private key) to be either stored locally,
- within the using data model, or be a reference to a specific
- certificate in the keystore.";
- choice local-or-keystore {
- mandatory true;
- case local {
- if-feature "local-definitions-supported";
- container local-definition {
- description
- "Container to hold the local key definition.";
- uses asymmetric-key-pair-with-cert-grouping;
- }
- }
- case keystore {
- if-feature "keystore-supported";
- container keystore-reference {
- uses asymmetric-key-certificate-ref-grouping;
- description
- "A reference to a specific certificate (and its
- associated private key) in the keystore.";
- }
- }
- 
description
- "A choice between an inlined definition and a definition
- that exists in the keystore.";
- }
- }
-
- grouping keystore-grouping {
- description
- "Grouping definition enables use in other contexts. If ever
- done, implementations SHOULD augment new 'case' statements
- into local-or-keystore 'choice' statements to supply leafrefs
- to the new location.";
- container asymmetric-keys {
- description
- "A list of asymmetric keys.";
- list asymmetric-key {
- key "name";
- description
- "An asymmetric key.";
- leaf name {
- type string;
- description
- "An arbitrary name for the asymmetric key.";
- }
- uses ks:asymmetric-key-pair-with-certs-grouping;
- }
- }
- container symmetric-keys {
- description
- "A list of symmetric keys.";
- list symmetric-key {
- key "name";
- description
- "A symmetric key.";
- leaf name {
- type string;
- description
- "An arbitrary name for the symmetric key.";
- }
- uses ks:symmetric-key-grouping;
- }
- }
- } // grouping keystore-grouping
-
-
- /*********************************/
- /* Protocol accessible nodes */
- /*********************************/
-
- container keystore {
- nacm:default-deny-write;
- description
- "The keystore contains a list of keys.";
- uses keystore-grouping;
- }
-
- rpc generate-symmetric-key {
- //nacm:default-deny-all;
- description
- "Requests the device to generate an symmetric key using
- the specified key algorithm, optionally encrypted using
- a key in the keystore. The output is this RPC can be
- used as input to a subsequent configuration request.";
- input {
- leaf algorithm {
- type ct:encryption-algorithm-t;
- mandatory true;
- description
- "The algorithm to be used when generating the key.";
- reference
- "RFC CCCC: Common YANG Data Types for Cryptography";
- }
- container encrypt-with {
- presence
- "Indicates that the key should be encrypted using
- the specified symmetric or asymmetric key. 
If not
- specified, then the private key is not encrypted
- when returned.";
- description
- "A container for the 'key-type' choice.";
- uses key-reference-type-grouping;
- }
- }
- output {
- uses ks:symmetric-key-grouping;
- }
- } // end generate-symmetric-key
-
- rpc generate-asymmetric-key {
- //nacm:default-deny-all;
- description
- "Requests the device to generate an asymmetric key using
- the specified key algorithm, optionally encrypted using
- a key in the keystore. The output is this RPC can be
- used as input to a subsequent configuration request.";
- input {
- leaf algorithm {
- type ct:asymmetric-key-algorithm-t;
- mandatory true;
- description
- "The algorithm to be used when generating the key.";
- reference
- "RFC CCCC: Common YANG Data Types for Cryptography";
- }
- container encrypt-with {
- presence
- "Indicates that the key should be encrypted using
- the specified symmetric or asymmetric key. If not
- specified, then the private key is not encrypted
- when returned.";
- description
- "A container for the 'key-type' choice.";
- uses key-reference-type-grouping;
- }
- }
- output {
- uses ks:asymmetric-key-pair-grouping;
- }
- } // end generate-asymmetric-key
-
- }
diff --git a/modules/ietf-netconf-server@2019-07-02.yang b/modules/ietf-netconf-server@2019-07-02.yang
deleted file mode 100644
index ed6bfbbde..000000000
--- a/modules/ietf-netconf-server@2019-07-02.yang
+++ /dev/null
@@ -1,520 +0,0 @@ - module ietf-netconf-server { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server"; - prefix ncs; - - import ietf-yang-types { - prefix yang; - reference - "RFC 6991: Common YANG Data Types"; - } - - import ietf-x509-cert-to-name { - prefix x509c2n; - reference - "RFC 7407: A YANG Data Model for SNMP Configuration"; - } - - import ietf-tcp-client { - prefix tcpc; - reference - "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; - } - - import ietf-tcp-server { - prefix tcps; - reference - "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; - } - - import ietf-ssh-server { - prefix sshs; - revision-date 2019-07-02; // stable grouping definitions - reference - "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers"; - } - - import ietf-tls-server { - prefix tlss; - revision-date 2019-07-02; // stable grouping definitions - reference - "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Gary Wu - Author: Juergen Schoenwaelder - "; - description - "This module contains a collection of YANG definitions - for configuring NETCONF servers. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
- - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: NETCONF Client and Server Models"; - } - - // Features - - feature ssh-listen { - description - "The 'ssh-listen' feature indicates that the NETCONF server - supports opening a port to accept NETCONF over SSH - client connections."; - reference - "RFC 6242: - Using the NETCONF Protocol over Secure Shell (SSH)"; - } - - feature tls-listen { - description - "The 'tls-listen' feature indicates that the NETCONF server - supports opening a port to accept NETCONF over TLS - client connections."; - reference - "RFC 7589: Using the NETCONF Protocol over Transport - Layer Security (TLS) with Mutual X.509 - Authentication"; - } - - feature ssh-call-home { - description - "The 'ssh-call-home' feature indicates that the NETCONF - server supports initiating a NETCONF over SSH call - home connection to NETCONF clients."; - reference - "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; - } - - feature tls-call-home { - description - "The 'tls-call-home' feature indicates that the NETCONF - server supports initiating a NETCONF over TLS call - home connection to NETCONF clients."; - reference - "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; - } - - // Groupings - - grouping netconf-server-grouping { - description - "Top-level grouping for NETCONF server configuration."; - container listen { - if-feature "ssh-listen or tls-listen"; - presence - "Enables server to listen for NETCONF client connections."; - description - "Configures 
listen behavior"; - leaf idle-timeout { - type uint16; - units "seconds"; - default 3600; // one hour - description - "Specifies the maximum number of seconds that a NETCONF - session may remain idle. A NETCONF session will be - dropped if it is idle for an interval longer than this - number of seconds. If set to zero, then the server - will never drop a session because it is idle. Sessions - that have a notification subscription active are never - dropped."; - } - list endpoint { - key "name"; - min-elements 1; - description - "List of endpoints to listen for NETCONF connections."; - leaf name { - type string; - description - "An arbitrary name for the NETCONF listen endpoint."; - } - choice transport { - mandatory true; - description - "Selects between available transports."; - case ssh { - if-feature "ssh-listen"; - container ssh { - description - "SSH-specific listening configuration for inbound - connections."; - container tcp-server-parameters { - description - "A wrapper around the TCP client parameters - to avoid name collisions."; - uses tcps:tcp-server-grouping { - refine "local-port" { - default "830"; - description - "The NETCONF server will listen on the - IANA-assigned well-known port value - for 'netconf-ssh' (830) if no value - is specified."; - } - } - } - container ssh-server-parameters { - description - "A wrapper around the SSH server parameters - to avoid name collisions."; - uses sshs:ssh-server-grouping; - } - } - } - case tls { - if-feature "tls-listen"; - container tls { - description - "TLS-specific listening configuration for inbound - connections."; - container tcp-server-parameters { - description - "A wrapper around the TCP client parameters - to avoid name collisions."; - uses tcps:tcp-server-grouping { - refine "local-port" { - default "6513"; - description - "The NETCONF server will listen on the - IANA-assigned well-known port value - for 'netconf-tls' (6513) if no value - is specified."; - } - } - } - container 
tls-server-parameters { - description - "A wrapper around the TLS server parameters to - avoid name collisions."; - uses tlss:tls-server-grouping { - refine "client-authentication" { - //must 'ca-certs or client-certs'; - description - "NETCONF/TLS servers MUST validate client - certificates."; - } - augment "client-authentication" { - description - "Augments in the cert-to-name structure."; - container cert-maps { - uses x509c2n:cert-to-name; - description - "The cert-maps container is used by a TLS- - based NETCONF server to map the NETCONF - client's presented X.509 certificate to - a NETCONF username. If no matching and - valid cert-to-name list entry can be found, - then the NETCONF server MUST close the - connection, and MUST NOT accept NETCONF - messages over it."; - reference - "RFC WWWW: NETCONF over TLS, Section 7"; - } - } - } - } - } - } - } - } - } - container call-home { - if-feature "ssh-call-home or tls-call-home"; - presence - "Enables the NETCONF server to initiate the underlying - transport connection to NETCONF clients."; - description "Configures call home behavior."; - list netconf-client { - key "name"; - min-elements 1; - description - "List of NETCONF clients the NETCONF server is to - initiate call-home connections to in parallel."; - leaf name { - type string; - description - "An arbitrary name for the remote NETCONF client."; - } - container endpoints { - description - "Container for the list of endpoints."; - list endpoint { - key "name"; - min-elements 1; - ordered-by user; - description - "A non-empty user-ordered list of endpoints for this - NETCONF server to try to connect to in sequence. 
- Defining more than one enables high-availability."; - leaf name { - type string; - description - "An arbitrary name for this endpoint."; - } - choice transport { - mandatory true; - description - "Selects between available transports."; - case ssh { - if-feature "ssh-call-home"; - container ssh { - description - "Specifies SSH-specific call-home transport - configuration."; - container tcp-client-parameters { - description - "A wrapper around the TCP client parameters - to avoid name collisions."; - uses tcpc:tcp-client-grouping { - refine "remote-port" { - default "4334"; - description - "The NETCONF server will attempt to connect - to the IANA-assigned well-known port for - 'netconf-ch-tls' (4334) if no value is - specified."; - } - } - } - container ssh-server-parameters { - description - "A wrapper around the SSH server parameters - to avoid name collisions."; - uses sshs:ssh-server-grouping; - } - } - } - case tls { - if-feature "tls-call-home"; - container tls { - description - "Specifies TLS-specific call-home transport - configuration."; - container tcp-client-parameters { - description - "A wrapper around the TCP client parameters - to avoid name collisions."; - uses tcpc:tcp-client-grouping { - refine "remote-port" { - default "4335"; - description - "The NETCONF server will attempt to connect - to the IANA-assigned well-known port for - 'netconf-ch-tls' (4335) if no value is - specified."; - } - } - } - container tls-server-parameters { - description - "A wrapper around the TLS server parameters - to avoid name collisions."; - uses tlss:tls-server-grouping { - refine "client-authentication" { - /* commented out since auth could be external - must 'ca-certs or client-certs'; - */ - description - "NETCONF/TLS servers MUST validate client - certificates."; - } - augment "client-authentication" { - description - "Augments in the cert-to-name structure."; - container cert-maps { - uses x509c2n:cert-to-name; - description - "The cert-maps container is used 
by a - TLS-based NETCONF server to map the - NETCONF client's presented X.509 - certificate to a NETCONF username. If - no matching and valid cert-to-name list - entry can be found, then the NETCONF - server MUST close the connection, and - MUST NOT accept NETCONF messages over - it."; - reference - "RFC WWWW: NETCONF over TLS, Section 7"; - } - } - } - } - } - } // tls - } // choice - } // endpoint - } // endpoints - container connection-type { - description - "Indicates the NETCONF server's preference for how the - NETCONF connection is maintained."; - choice connection-type { - mandatory true; - description - "Selects between available connection types."; - case persistent-connection { - container persistent { - presence "Indicates that a persistent connection is - to be maintained."; - description - "Maintain a persistent connection to the NETCONF - client. If the connection goes down, immediately - start trying to reconnect to the NETCONF client, - using the reconnection strategy. - - This connection type minimizes any NETCONF client - to NETCONF server data-transfer delay, albeit at - the expense of holding resources longer."; - } // container persistent - } // case persistent-connection - case periodic-connection { - container periodic { - presence "Indicates that a periodic connection is - to be maintained."; - description - "Periodically connect to the NETCONF client. - - This connection type increases resource - utilization, albeit with increased delay in - NETCONF client to NETCONF client interactions. - - The NETCONF client SHOULD gracefully close the - connection using upon completing - planned activities. If the NETCONF session is - not closed gracefully, the NETCONF server MUST - immediately attempt to reestablish the connection. 
- - In the case that the previous connection is still - active (i.e., the NETCONF client has not closed - it yet), establishing a new connection is NOT - RECOMMENDED."; - leaf period { - type uint16; - units "minutes"; - default "60"; - description - "Duration of time between periodic connections."; - } - leaf anchor-time { - type yang:date-and-time { - // constrained to minute-level granularity - pattern '[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:00' - + '(Z|[\+\-][0-9]{2}:[0-9]{2})'; - } - description - "Designates a timestamp before or after which a - series of periodic connections are determined. - The periodic connections occur at a whole - multiple interval from the anchor time. For - example, for an anchor time is 15 minutes past - midnight and a period interval of 24 hours, then - a periodic connection will occur 15 minutes past - midnight everyday."; - } - leaf idle-timeout { - type uint16; - units "seconds"; - default 120; // two minutes - description - "Specifies the maximum number of seconds that - a NETCONF session may remain idle. A NETCONF - session will be dropped if it is idle for an - interval longer than this number of seconds. - If set to zero, then the server will never - drop a session because it is idle."; - } - } // container periodic - } // case periodic-connection - } // choice connection-type - } // container connection-type - container reconnect-strategy { - description - "The reconnection strategy directs how a NETCONF server - reconnects to a NETCONF client, after discovering its - connection to the client has dropped, even if due to a - reboot. 
The NETCONF server starts with the specified
- endpoint and tries to connect to it max-attempts times
- before trying the next endpoint in the list (round
- robin).";
- leaf start-with {
- type enumeration {
- enum first-listed {
- description
- "Indicates that reconnections should start with
- the first endpoint listed.";
- }
- enum last-connected {
- description
- "Indicates that reconnections should start with
- the endpoint last connected to. If no previous
- connection has ever been established, then the
- first endpoint configured is used. NETCONF
- servers SHOULD be able to remember the last
- endpoint connected to across reboots.";
- }
- enum random-selection {
- description
- "Indicates that reconnections should start with
- a random endpoint.";
- }
- }
- default "first-listed";
- description
- "Specifies which of the NETCONF client's endpoints
- the NETCONF server should start with when trying
- to connect to the NETCONF client.";
- }
- leaf max-attempts {
- type uint8 {
- range "1..max";
- }
- default "3";
- description
- "Specifies the number times the NETCONF server tries
- to connect to a specific endpoint before moving on
- to the next endpoint in the list (round robin).";
- }
- } // container reconnect-strategy
- } // list netconf-client
- } // container call-home
- } // grouping netconf-server-grouping
-
- // Protocol accessible node, for servers that implement this
- // module.
-
- container netconf-server {
- uses netconf-server-grouping;
- description
- "Top-level container for NETCONF server configuration.";
- }
- }
diff --git a/modules/ietf-ssh-common@2019-07-02.yang b/modules/ietf-ssh-common@2019-07-02.yang
deleted file mode 100644
index 671f78743..000000000
--- a/modules/ietf-ssh-common@2019-07-02.yang
+++ /dev/null
@@ -1,462 +0,0 @@ - module ietf-ssh-common { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common"; - prefix sshcmn; - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Gary Wu "; - - description - "This module defines a common features, identities, and - groupings for Secure Shell (SSH). - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). - - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers"; - } - - // Features - - feature ssh-ecc { - description - "Elliptic Curve Cryptography is supported for SSH."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - feature ssh-x509-certs { - description - "X.509v3 certificates are supported for SSH per RFC 6187."; - reference - "RFC 6187: X.509v3 Certificates for Secure Shell - Authentication"; - } - - feature ssh-dh-group-exchange { - description - "Diffie-Hellman Group Exchange is supported for SSH."; - reference - "RFC 4419: Diffie-Hellman Group Exchange 
for the - Secure Shell (SSH) Transport Layer Protocol"; - } - - feature ssh-ctr { - description - "SDCTR encryption mode is supported for SSH."; - reference - "RFC 4344: The Secure Shell (SSH) Transport Layer - Encryption Modes"; - } - - feature ssh-sha2 { - description - "The SHA2 family of cryptographic hash functions is - supported for SSH."; - reference - "FIPS PUB 180-4: Secure Hash Standard (SHS)"; - } - - // Identities - - identity public-key-alg-base { - description - "Base identity used to identify public key algorithms."; - } - - identity ssh-dss { - base public-key-alg-base; - description - "Digital Signature Algorithm using SHA-1 as the - hashing algorithm."; - reference - "RFC 4253: - The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity ssh-rsa { - base public-key-alg-base; - description - "RSASSA-PKCS1-v1_5 signature scheme using SHA-1 as the - hashing algorithm."; - reference - "RFC 4253: - The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity ecdsa-sha2-nistp256 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) using the - nistp256 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - identity ecdsa-sha2-nistp384 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) using the - nistp384 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - identity ecdsa-sha2-nistp521 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) using the - nistp521 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure 
Shell Transport Layer"; - } - - identity x509v3-ssh-rsa { - base public-key-alg-base; - if-feature "ssh-x509-certs"; - description - "RSASSA-PKCS1-v1_5 signature scheme using a public key stored - in an X.509v3 certificate and using SHA-1 as the hashing - algorithm."; - reference - "RFC 6187: X.509v3 Certificates for Secure Shell - Authentication"; - } - - identity x509v3-rsa2048-sha256 { - base public-key-alg-base; - if-feature "ssh-x509-certs and ssh-sha2"; - description - "RSASSA-PKCS1-v1_5 signature scheme using a public key stored - in an X.509v3 certificate and using SHA-256 as the hashing - algorithm. RSA keys conveyed using this format MUST have a - modulus of at least 2048 bits."; - reference - "RFC 6187: X.509v3 Certificates for Secure Shell - Authentication"; - } - - identity x509v3-ecdsa-sha2-nistp256 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) - using the nistp256 curve with a public key stored in - an X.509v3 certificate and using the SHA2 family of - hashing algorithms."; - reference - "RFC 6187: X.509v3 Certificates for Secure Shell - Authentication"; - } - - identity x509v3-ecdsa-sha2-nistp384 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) - using the nistp384 curve with a public key stored in - an X.509v3 certificate and using the SHA2 family of - hashing algorithms."; - reference - "RFC 6187: X.509v3 Certificates for Secure Shell - Authentication"; - } - - identity x509v3-ecdsa-sha2-nistp521 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) - using the nistp521 curve with a public key stored in - an X.509v3 certificate and using the SHA2 family of - hashing algorithms."; - reference - "RFC 6187: X.509v3 Certificates for Secure 
Shell - Authentication"; - } - - identity key-exchange-alg-base { - description - "Base identity used to identify key exchange algorithms."; - } - - identity diffie-hellman-group14-sha1 { - base key-exchange-alg-base; - description - "Diffie-Hellman key exchange with SHA-1 as HASH and - Oakley Group 14 (2048-bit MODP Group)."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity diffie-hellman-group-exchange-sha1 { - base key-exchange-alg-base; - if-feature "ssh-dh-group-exchange"; - description - "Diffie-Hellman Group and Key Exchange with SHA-1 as HASH."; - reference - "RFC 4419: Diffie-Hellman Group Exchange for the - Secure Shell (SSH) Transport Layer Protocol"; - } - - identity diffie-hellman-group-exchange-sha256 { - base key-exchange-alg-base; - if-feature "ssh-dh-group-exchange and ssh-sha2"; - description - "Diffie-Hellman Group and Key Exchange with SHA-256 as HASH."; - reference - "RFC 4419: Diffie-Hellman Group Exchange for the - Secure Shell (SSH) Transport Layer Protocol"; - } - - identity ecdh-sha2-nistp256 { - base key-exchange-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the - nistp256 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - identity ecdh-sha2-nistp384 { - base key-exchange-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the - nistp384 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - identity ecdh-sha2-nistp521 { - base key-exchange-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the - nistp521 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 
5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - identity encryption-alg-base { - description - "Base identity used to identify encryption algorithms."; - } - - identity triple-des-cbc { - base encryption-alg-base; - description - "Three-key 3DES in CBC mode."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity aes128-cbc { - base encryption-alg-base; - description - "AES in CBC mode, with a 128-bit key."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity aes192-cbc { - base encryption-alg-base; - description - "AES in CBC mode, with a 192-bit key."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity aes256-cbc { - base encryption-alg-base; - description - "AES in CBC mode, with a 256-bit key."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity aes128-ctr { - base encryption-alg-base; - if-feature "ssh-ctr"; - description - "AES in SDCTR mode, with 128-bit key."; - reference - "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption - Modes"; - } - - identity aes192-ctr { - base encryption-alg-base; - if-feature "ssh-ctr"; - description - "AES in SDCTR mode, with 192-bit key."; - reference - "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption - Modes"; - } - - identity aes256-ctr { - base encryption-alg-base; - if-feature "ssh-ctr"; - description - "AES in SDCTR mode, with 256-bit key."; - reference - "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption - Modes"; - } - - identity mac-alg-base { - description - "Base identity used to identify message authentication - code (MAC) algorithms."; - } - - identity hmac-sha1 { - base mac-alg-base; - description - "HMAC-SHA1"; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity hmac-sha2-256 { - base mac-alg-base; - if-feature "ssh-sha2"; - description - 
"HMAC-SHA2-256"; - reference - "RFC 6668: SHA-2 Data Integrity Verification for the - Secure Shell (SSH) Transport Layer Protocol"; - } - - identity hmac-sha2-512 { - base mac-alg-base; - if-feature "ssh-sha2"; - description - "HMAC-SHA2-512"; - reference - "RFC 6668: SHA-2 Data Integrity Verification for the - Secure Shell (SSH) Transport Layer Protocol"; - } - - // Groupings - - grouping transport-params-grouping { - description - "A reusable grouping for SSH transport parameters."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - container host-key { - description - "Parameters regarding host key."; - leaf-list host-key-alg { - type identityref { - base public-key-alg-base; - } - ordered-by user; - description - "Acceptable host key algorithms in order of descending - preference. The configured host key algorithms should - be compatible with the algorithm used by the configured - private key. Please see Section 5 of RFC XXXX for - valid combinations. - - If this leaf-list is not configured (has zero elements) - the acceptable host key algorithms are implementation- - defined."; - reference - "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers"; - } - } - container key-exchange { - description - "Parameters regarding key exchange."; - leaf-list key-exchange-alg { - type identityref { - base key-exchange-alg-base; - } - ordered-by user; - description - "Acceptable key exchange algorithms in order of descending - preference. - - If this leaf-list is not configured (has zero elements) - the acceptable key exchange algorithms are implementation - defined."; - } - } - container encryption { - description - "Parameters regarding encryption."; - leaf-list encryption-alg { - type identityref { - base encryption-alg-base; - } - ordered-by user; - description - "Acceptable encryption algorithms in order of descending - preference. 
-
- If this leaf-list is not configured (has zero elements)
- the acceptable encryption algorithms are implementation
- defined.";
- }
- }
- container mac {
- description
- "Parameters regarding message authentication code (MAC).";
- leaf-list mac-alg {
- type identityref {
- base mac-alg-base;
- }
- ordered-by user;
- description
- "Acceptable MAC algorithms in order of descending
- preference.
-
- If this leaf-list is not configured (has zero elements)
- the acceptable MAC algorithms are implementation-
- defined.";
- }
- }
- }
- }
diff --git a/modules/ietf-ssh-server@2019-07-02.yang b/modules/ietf-ssh-server@2019-07-02.yang
deleted file mode 100644
index d96bbd0ea..000000000
--- a/modules/ietf-ssh-server@2019-07-02.yang
+++ /dev/null
@@ -1,385 +0,0 @@ - module ietf-ssh-server { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server"; - prefix sshs; - - import ietf-ssh-common { - prefix sshcmn; - revision-date 2019-07-02; // stable grouping definitions - reference - "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers"; - } - /* - import ietf-truststore { - prefix ta; - reference - "RFC YYYY: A YANG Data Model for a Truststore"; - } - */ - import ietf-keystore { - prefix ks; - reference - "RFC ZZZZ: A YANG Data Model for a Keystore"; - } - - import iana-crypt-hash { - prefix ianach; - reference - "RFC 7317: A YANG Data Model for System Management"; - } - - import ietf-netconf-acm { - prefix nacm; - reference - "RFC 8341: Network Configuration Access Control Model"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Gary Wu "; - - description - "This module defines reusable groupings for SSH servers that - can be used as a basis for specific SSH server instances. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
- - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers"; - } - - // Features - - feature ssh-server-transport-params-config { - description - "SSH transport layer parameters are configurable on an SSH - server."; - } - - feature ssh-server-keepalives { - description - "Per socket SSH keepalive parameters are configurable for - SSH servers on the server implementing this feature."; - } - - feature local-client-auth-supported { - description - "Indicates that the SSH server supports local configuration - of client credentials."; - } - - feature external-client-auth-supported { - description - "Indicates that the SSH server supports external configuration - of client credentials."; - } - - // Groupings - - grouping ssh-server-grouping { - description - "A reusable grouping for configuring a SSH server without - any consideration for how underlying TCP sessions are - established. - - Note that this grouping uses fairly typical descendent - node names such that a stack of 'uses' statements will - have name conflicts. It is intended that the consuming - data model will resolve the issue (e.g., by wrapping - the 'uses' statement in a container called - 'ssh-server-parameters'). 
This model purposely does - not do this itself so as to provide maximum flexibility - to consuming models."; - - container server-identity { - nacm:default-deny-write; - description - "The list of host-keys the SSH server will present when - establishing a SSH connection."; - list host-key { - key "name"; - min-elements 1; - ordered-by user; - description - "An ordered list of host keys the SSH server will use to - construct its ordered list of algorithms, when sending - its SSH_MSG_KEXINIT message, as defined in Section 7.1 - of RFC 4253."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer - Protocol"; - leaf name { - type string; - description - "An arbitrary name for this host-key"; - } - choice host-key-type { - mandatory true; - description - "The type of host key being specified"; - container public-key { - uses ks:local-or-keystore-asymmetric-key-grouping; - description - "A locally-defined or referenced asymmetric key pair - to be used for the SSH server's host key."; - reference - "RFC ZZZZ: YANG Data Model for a Centralized - Keystore Mechanism"; - } - container certificate { - if-feature "sshcmn:ssh-x509-certs"; - uses - ks:local-or-keystore-end-entity-cert-with-key-grouping; - description - "A locally-defined or referenced end-entity - certificate to be used for the SSH server's - host key."; - reference - "RFC ZZZZ: YANG Data Model for a Centralized - Keystore Mechanism"; - } - } - } - } // container server-identity - - container client-authentication { - nacm:default-deny-write; - description - "Specifies if SSH client authentication is required or - optional, and specifies if the SSH client authentication - credentials are configured locally or externally."; - container supported-authentication-methods { - description - "Indicates which authentication methods the server - supports."; - leaf publickey { - type empty; - description - "Indicates that the 'publickey' method is supported. 
- Note that RFC 6187 X.509v3 Certificates for SSH uses - the 'publickey' method name."; - reference - "RFC 4252: The Secure Shell (SSH) Authentication - Protocol. - RFC 6187: X.509v3 Certificates for Secure Shell - Authentication."; - } - leaf passsword { - type empty; - description - "Indicates that the 'password' method is supported."; - reference - "RFC 4252: The Secure Shell (SSH) Authentication - Protocol."; - } - leaf hostbased { - type empty; - description - "Indicates that the 'hostbased' method is supported."; - reference - "RFC 4252: The Secure Shell (SSH) Authentication - Protocol."; - } - leaf none { - type empty; - description - "Indicates that the 'none' method is supported."; - reference - "RFC 4252: The Secure Shell (SSH) Authentication - Protocol."; - } - leaf-list other { - type string; - description - "Indicates a supported method name not defined by - RFC 4253."; - reference - "RFC 4252: The Secure Shell (SSH) Authentication - Protocol."; - } - } - choice local-or-external { - description - "Indicates if the client credentials are configured - locally or externally."; - case local { - if-feature "local-client-auth-supported"; - description - "Client credentials are configured locally."; - container users { - description - "A list of locally configured users."; - list user { - key name; - description - "The list of local users configured on this device."; - - leaf name { - type string; - description - "The user name string identifying this entry."; - } - leaf password { - type ianach:crypt-hash; - description - "The password for this entry."; - } - list authorized-key { - key name; - description - "A list of public SSH keys for this user. 
These - keys are allowed for SSH authentication, as - described in RFC 4253."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer - Protocol"; - leaf name { - type string; - description - "An arbitrary name for the SSH key."; - } - leaf algorithm { - type string; - mandatory true; - description - "The public key algorithm name for this SSH key. - - Valid values are the values in the IANA 'Secure - Shell (SSH) Protocol Parameters' registry, - Public Key Algorithm Names."; - reference - "IANA 'Secure Shell (SSH) Protocol Parameters' - registry, Public Key Algorithm Names"; - } - leaf key-data { - type binary; - mandatory true; - description - "The binary public key data for this SSH key, as - specified by RFC 4253, Section 6.6, i.e.: - - string certificate or public key format - identifier - byte[n] key/certificate data."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer - Protocol"; - } - } - } // list user - /* - if-feature "sshcmn:ssh-x509-certs"; - description - "A reference to a list of certificate authority - (CA) certificates and a reference to a list of - client certificates."; - leaf ca-certs { - if-feature "ts:x509-certificates"; - type ts:certificates-ref; // local or remote - description - "A reference to a list of certificate authority (CA) - certificates used by the SSH server to authenticate - SSH client certificates. A client certificate is - authenticated if it has a valid chain of trust to - a configured CA certificate."; - reference - "RFC YYYY: YANG Data Model for Global Trust Anchors"; - } - leaf client-certs { - if-feature "ts:x509-certificates"; - type ts:certificates-ref; // local or remote - description - "A reference to a list of client certificates - used by the SSH server to authenticate SSH - client certificates. 
A clients certificate
- is authenticated if it is an exact match to
- a configured client certificate.";
- reference
- "RFC YYYY: YANG Data Model for Global Trust Anchors";
- }
- */
- } // container users
- } // case local
- case external {
- if-feature "external-client-auth-supported";
- description
- "Client credentials are configured externally, such
- as via RADIUS, RFC 7317, or another mechanism.";
- leaf client-auth-defined-elsewhere {
- type empty;
- description
- "Indicates that client credentials are configured
- elsewhere.";
- }
- }
- } // choice local-or-external
- } // container client-authentication
-
- container transport-params {
- nacm:default-deny-write;
- if-feature "ssh-server-transport-params-config";
- description
- "Configurable parameters of the SSH transport layer.";
- uses sshcmn:transport-params-grouping;
- } // container transport-params
-
- container keepalives {
- nacm:default-deny-write;
- if-feature "ssh-server-keepalives";
- presence "Indicates that keepalives are enabled.";
- description
- "Configures the keep-alive policy, to proactively test
- the aliveness of the SSL client. An unresponsive SSL
- client is dropped after approximately max-wait *
- max-attempts seconds.";
- leaf max-wait {
- type uint16 {
- range "1..max";
- }
- units "seconds";
- default "30";
- description
- "Sets the amount of time in seconds after which
- if no data has been received from the SSL client,
- a SSL-level message will be sent to test the
- aliveness of the SSL client.";
- }
- leaf max-attempts {
- type uint8;
- default "3";
- description
- "Sets the maximum number of sequential keep-alive
- messages that can fail to obtain a response from
- the SSL client before assuming the SSL client is
- no longer alive.";
- }
- } // container keepalives
- } // grouping server-identity-grouping
- }
diff --git a/modules/ietf-tcp-client@2019-07-02.yang b/modules/ietf-tcp-client@2019-07-02.yang
deleted file mode 100644
index b61771561..000000000
--- a/modules/ietf-tcp-client@2019-07-02.yang
+++ /dev/null
@@ -1,145 +0,0 @@
- module ietf-tcp-client {
- yang-version 1.1;
- namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-client";
- prefix tcpc;
-
- import ietf-inet-types {
- prefix inet;
- reference
- "RFC 6991: Common YANG Data Types";
- }
-
- import ietf-tcp-common {
- prefix tcpcmn;
- reference
- "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
- }
-
- organization
- "IETF NETCONF (Network Configuration) Working Group and the
- IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
-
- contact
- "WG Web:
-
- WG List:
-
- Authors: Kent Watsen
- Michael Scharf
- ";
-
- description
- "This module defines reusable groupings for TCP clients that
- can be used as a basis for specific TCP client instances.
-
- Copyright (c) 2019 IETF Trust and the persons identified
- as authors of the code. All rights reserved.
-
- Redistribution and use in source and binary forms, with
- or without modification, is permitted pursuant to, and
- subject to the license terms contained in, the Simplified
- BSD License set forth in Section 4.c of the IETF Trust's
- Legal Provisions Relating to IETF Documents
- (https://trustee.ietf.org/license-info).
-
- This version of this YANG module is part of RFC XXXX
- (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
- itself for full legal notices.;
-
- The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
- 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
- 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
- are to be interpreted as described in BCP 14 (RFC 2119)
- (RFC 8174) when, and only when, they appear in all
- capitals, as shown here.";
-
- revision 2019-07-02 {
- description
- "Initial version";
- reference
- "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
- }
-
- // Features
-
- feature local-binding-supported {
- description
- "Indicates that the server supports configuring local
- bindings (i.e., the local address and local port) for
- TCP clients.";
- }
-
- feature tcp-client-keepalives {
- description
- "Per socket TCP keepalive parameters are configurable for
- TCP clients on the server implementing this feature.";
- }
-
- // Groupings
-
- grouping tcp-client-grouping {
- description
- "A reusable grouping for configuring a TCP client.
-
- Note that this grouping uses fairly typical descendent
- node names such that a stack of 'uses' statements will
- have name conflicts. It is intended that the consuming
- data model will resolve the issue (e.g., by wrapping
- the 'uses' statement in a container called
- 'tcp-client-parameters'). This model purposely does
- not do this itself so as to provide maximum flexibility
- to consuming models.";
-
- leaf remote-address {
- type inet:host;
- mandatory true;
- description
- "The IP address or hostname of the remote peer to
- establish a connection with. If a domain name is
- configured, then the DNS resolution should happen on
- each connection attempt.
If the the DNS resolution
- results in multiple IP addresses, the IP addresses
- are tried according to local preference order until
- a connection has been established or until all IP
- addresses have failed.";
- }
- leaf remote-port {
- type inet:port-number;
- default "0";
- description
- "The IP port number for the remote peer to establish a
- connection with. An invalid default value (0) is used
- (instead of 'mandatory true') so that as application
- level data model may 'refine' it with an application
- specific default port number value.";
- }
- leaf local-address {
- if-feature "local-binding-supported";
- type inet:ip-address;
- description
- "The local IP address/interface (VRF?) to bind to for when
- connecting to the remote peer. INADDR_ANY ('0.0.0.0') or
- INADDR6_ANY ('0:0:0:0:0:0:0:0' a.k.a. '::') MAY be used to
- explicitly indicate the implicit default, that the server
- can bind to any IPv4 or IPv6 addresses, respectively.";
- }
- leaf local-port {
- if-feature "local-binding-supported";
- type inet:port-number;
- default "0";
- description
- "The local IP port number to bind to for when connecting
- to the remote peer. The port number '0', which is the
- default value, indicates that any available local port
- number may be used.";
- }
- uses tcpcmn:tcp-connection-grouping {
- augment "keepalives" {
- if-feature "tcp-client-keepalives";
- description
- "Add an if-feature statement so that implementations
- can choose to support TCP client keepalives.";
- }
- }
- }
- }
diff --git a/modules/ietf-tcp-common@2019-07-02.yang b/modules/ietf-tcp-common@2019-07-02.yang
deleted file mode 100644
index 076a662ae..000000000
--- a/modules/ietf-tcp-common@2019-07-02.yang
+++ /dev/null
@@ -1,130 +0,0 @@
- module ietf-tcp-common {
- yang-version 1.1;
- namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-common";
- prefix tcpcmn;
-
- organization
- "IETF NETCONF (Network Configuration) Working Group and the
- IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
-
- contact
- "WG Web:
-
- WG List:
-
- Authors: Kent Watsen
- Michael Scharf
- ";
-
- description
- "This module defines reusable groupings for TCP commons that
- can be used as a basis for specific TCP common instances.
-
- Copyright (c) 2019 IETF Trust and the persons identified
- as authors of the code. All rights reserved.
-
- Redistribution and use in source and binary forms, with
- or without modification, is permitted pursuant to, and
- subject to the license terms contained in, the Simplified
- BSD License set forth in Section 4.c of the IETF Trust's
- Legal Provisions Relating to IETF Documents
- (https://trustee.ietf.org/license-info).
-
- This version of this YANG module is part of RFC XXXX
- (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
- itself for full legal notices.;
-
- The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
- 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
- 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
- are to be interpreted as described in BCP 14 (RFC 2119)
- (RFC 8174) when, and only when, they appear in all
- capitals, as shown here.";
-
- revision 2019-07-02 {
- description
- "Initial version";
- reference
- "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
- }
-
- // Features
- feature keepalives-supported {
- description
- "Indicates that keepalives are supported.";
- }
-
- // Groupings
-
- grouping tcp-common-grouping {
- description
- "A reusable grouping for configuring TCP parameters common
- to TCP connections as well as the operating system as a
- whole.";
- container keepalives {
- if-feature "keepalives-supported";
- presence "Indicates that keepalives are enabled.";
- description
- "Configures the
keep-alive policy, to proactively test the
- aliveness of the TCP peer. An unresponsive TCP peer is
- dropped after approximately (idle-time * 60) + (max-probes
- * probe-interval) seconds.";
- leaf idle-time {
- type uint16 {
- range "1..max";
- }
- units "seconds";
- mandatory true;
- description
- "Sets the amount of time after which if no data has been
- received from the TCP peer, a TCP-level probe message
- will be sent to test the aliveness of the TCP peer.";
- }
- leaf max-probes {
- type uint16 {
- range "1..max";
- }
- mandatory true;
- description
- "Sets the maximum number of sequential keep-alive probes
- that can fail to obtain a response from the TCP peer
- before assuming the TCP peer is no longer alive.";
- }
- leaf probe-interval {
- type uint16 {
- range "1..max";
- }
- units "seconds";
- mandatory true;
- description
- "Sets the time interval between failed probes.";
- }
- } // container keepalives
- } // grouping tcp-common-grouping
-
-
- grouping tcp-connection-grouping {
- description
- "A reusable grouping for configuring TCP parameters common
- to TCP connections.";
- uses tcp-common-grouping;
- }
-
- /*
- The following is for a future bis...
- This comment is here now so as support discussion with TCPM.
- This comment will be removed before publication.
-
- Should future system-level parameters be defined as a
- grouping or a container?
-
- grouping tcp-system-grouping {
- description
- "A reusable grouping for configuring TCP parameters common
- to the operating system as a whole.";
-
- // currently just a placeholder
- }
- */
-
- }
diff --git a/modules/ietf-tcp-server@2019-07-02.yang b/modules/ietf-tcp-server@2019-07-02.yang
deleted file mode 100644
index 18c519910..000000000
--- a/modules/ietf-tcp-server@2019-07-02.yang
+++ /dev/null
@@ -1,114 +0,0 @@
- module ietf-tcp-server {
- yang-version 1.1;
- namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-server";
- prefix tcps;
-
- import ietf-inet-types {
- prefix inet;
- reference
- "RFC 6991: Common YANG Data Types";
- }
-
- import ietf-tcp-common {
- prefix tcpcmn;
- reference
- "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
- }
-
- organization
- "IETF NETCONF (Network Configuration) Working Group and the
- IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
-
- contact
- "WG Web:
-
- WG List:
-
- Authors: Kent Watsen
- Michael Scharf
- ";
-
- description
- "This module defines reusable groupings for TCP servers that
- can be used as a basis for specific TCP server instances.
- Copyright (c) 2019 IETF Trust and the persons identified
- as authors of the code. All rights reserved.
-
- Redistribution and use in source and binary forms, with
- or without modification, is permitted pursuant to, and
- subject to the license terms contained in, the Simplified
- BSD License set forth in Section 4.c of the IETF Trust's
- Legal Provisions Relating to IETF Documents
- (https://trustee.ietf.org/license-info).
-
- This version of this YANG module is part of RFC XXXX
- (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
- itself for full legal notices.;
-
- The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
- 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
- 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
- are to be interpreted as described in BCP 14 (RFC 2119)
- (RFC 8174) when, and only when, they appear in all
- capitals, as shown here.";
-
- revision 2019-07-02 {
- description
- "Initial version";
- reference
- "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
- }
-
- // Features
-
- feature tcp-server-keepalives {
- description
- "Per socket TCP keepalive parameters are configurable for
- TCP servers on the server implementing this feature.";
- }
-
-
- // Groupings
-
- grouping tcp-server-grouping {
- description
- "A reusable grouping for configuring a TCP server.
-
- Note that this grouping uses fairly typical descendent
- node names such that a stack of 'uses' statements will
- have name conflicts. It is intended that the consuming
- data model will resolve the issue (e.g., by wrapping
- the 'uses' statement in a container called
- 'tcp-server-parameters'). This model purposely does
- not do this itself so as to provide maximum flexibility
- to consuming models.";
- leaf local-address {
- type inet:ip-address;
- mandatory true;
- description
- "The local IP address to listen on for incoming
- TCP client connections. INADDR_ANY (0.0.0.0) or
- INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be
- used when the server is to listen on all IPv4 or
- IPv6 addresses, respectively.";
- }
- leaf local-port {
- type inet:port-number;
- default "0";
- description
- "The local port number to listen on for incoming TCP
- client connections.
An invalid default value (0)
- is used (instead of 'mandatory true') so that an
- application level data model may 'refine' it with
- an application specific default port number value.";
- }
- uses tcpcmn:tcp-connection-grouping {
- augment "keepalives" {
- if-feature "tcp-server-keepalives";
- description
- "Add an if-feature statement so that implementations
- can choose to support TCP server keepalives.";
- }
- }
- }
- }
diff --git a/modules/ietf-tls-common@2019-07-02.yang b/modules/ietf-tls-common@2019-07-02.yang
deleted file mode 100644
index bb7c25caa..000000000
--- a/modules/ietf-tls-common@2019-07-02.yang
+++ /dev/null
@@ -1,406 +0,0 @@ - module ietf-tls-common { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; - prefix tlscmn; - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Gary Wu "; - - description - "This module defines a common features, identities, and - groupings for Transport Layer Security (TLS). - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). - - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; - } - - // Features - - feature tls-1_0 { - description - "TLS Protocol Version 1.0 is supported."; - reference - "RFC 2246: The TLS Protocol Version 1.0"; - } - - feature tls-1_1 { - description - "TLS Protocol Version 1.1 is supported."; - reference - "RFC 4346: The Transport Layer Security (TLS) Protocol - Version 1.1"; - } - - feature tls-1_2 { - description - "TLS Protocol Version 1.2 is supported."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - feature tls-1_3 { - description - "TLS Protocol Version 
1.2 is supported."; - reference - "RFC 8446: The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - - feature tls-ecc { - description - "Elliptic Curve Cryptography (ECC) is supported for TLS."; - reference - "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS)"; - } - - feature tls-dhe { - description - "Ephemeral Diffie-Hellman key exchange is supported for TLS."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - feature tls-3des { - description - "The Triple-DES block cipher is supported for TLS."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - feature tls-gcm { - description - "The Galois/Counter Mode authenticated encryption mode is - supported for TLS."; - reference - "RFC 5288: AES Galois Counter Mode (GCM) Cipher Suites for - TLS"; - } - - feature tls-sha2 { - description - "The SHA2 family of cryptographic hash functions is supported - for TLS."; - reference - "FIPS PUB 180-4: Secure Hash Standard (SHS)"; - } - - // Identities - - identity tls-version-base { - description - "Base identity used to identify TLS protocol versions."; - } - - identity tls-1.0 { - base tls-version-base; - if-feature "tls-1_0"; - description - "TLS Protocol Version 1.0."; - reference - "RFC 2246: The TLS Protocol Version 1.0"; - } - - identity tls-1.1 { - base tls-version-base; - if-feature "tls-1_1"; - description - "TLS Protocol Version 1.1."; - reference - "RFC 4346: The Transport Layer Security (TLS) Protocol - Version 1.1"; - } - - identity tls-1.2 { - base tls-version-base; - if-feature "tls-1_2"; - description - "TLS Protocol Version 1.2."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity cipher-suite-base { - description - "Base identity used to identify TLS cipher suites."; - } - - identity rsa-with-aes-128-cbc-sha { - base cipher-suite-base; - description - "Cipher suite 
TLS_RSA_WITH_AES_128_CBC_SHA."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity rsa-with-aes-256-cbc-sha { - base cipher-suite-base; - description - "Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity rsa-with-aes-128-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-sha2"; - description - "Cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity rsa-with-aes-256-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-sha2"; - description - "Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity dhe-rsa-with-aes-128-cbc-sha { - base cipher-suite-base; - if-feature "tls-dhe"; - description - "Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity dhe-rsa-with-aes-256-cbc-sha { - base cipher-suite-base; - if-feature "tls-dhe"; - description - "Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity dhe-rsa-with-aes-128-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-dhe and tls-sha2"; - description - "Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity dhe-rsa-with-aes-256-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-dhe and tls-sha2"; - description - "Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA256."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity ecdhe-ecdsa-with-aes-128-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-ecc and tls-sha2"; - description - 
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-ecdsa-with-aes-256-cbc-sha384 { - base cipher-suite-base; - if-feature "tls-ecc and tls-sha2"; - description - "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-rsa-with-aes-128-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-ecc and tls-sha2"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-rsa-with-aes-256-cbc-sha384 { - base cipher-suite-base; - if-feature "tls-ecc and tls-sha2"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-ecdsa-with-aes-128-gcm-sha256 { - base cipher-suite-base; - if-feature "tls-ecc and tls-gcm and tls-sha2"; - description - "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-ecdsa-with-aes-256-gcm-sha384 { - base cipher-suite-base; - if-feature "tls-ecc and tls-gcm and tls-sha2"; - description - "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-rsa-with-aes-128-gcm-sha256 { - base cipher-suite-base; - if-feature "tls-ecc and tls-gcm and tls-sha2"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois 
Counter Mode (GCM)"; - } - - identity ecdhe-rsa-with-aes-256-gcm-sha384 { - base cipher-suite-base; - if-feature "tls-ecc and tls-gcm and tls-sha2"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity rsa-with-3des-ede-cbc-sha { - base cipher-suite-base; - if-feature "tls-3des"; - description - "Cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity ecdhe-rsa-with-3des-ede-cbc-sha { - base cipher-suite-base; - if-feature "tls-ecc and tls-3des"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA."; - reference - "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS)"; - } - - identity ecdhe-rsa-with-aes-128-cbc-sha { - base cipher-suite-base; - if-feature "tls-ecc"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA."; - reference - "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS)"; - } - - identity ecdhe-rsa-with-aes-256-cbc-sha { - base cipher-suite-base; - if-feature "tls-ecc"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA."; - reference - "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS)"; - } - - // Groupings - - grouping hello-params-grouping { - description - "A reusable grouping for TLS hello message parameters."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - container tls-versions { - description - "Parameters regarding TLS versions."; - leaf-list tls-version { - type identityref { - base tls-version-base; - } - description - "Acceptable TLS protocol versions. 
-
- If this leaf-list is not configured (has zero elements)
- the acceptable TLS protocol versions are implementation-
- defined.";
- }
- }
- container cipher-suites {
- description
- "Parameters regarding cipher suites.";
- leaf-list cipher-suite {
- type identityref {
- base cipher-suite-base;
- }
- ordered-by user;
- description
- "Acceptable cipher suites in order of descending
- preference. The configured host key algorithms should
- be compatible with the algorithm used by the configured
- private key. Please see Section 5 of RFC XXXX for
- valid combinations.
-
- If this leaf-list is not configured (has zero elements)
- the acceptable cipher suites are implementation-
- defined.";
- reference
- "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
- }
- }
- }
- }
diff --git a/modules/ietf-tls-server@2019-07-02.yang b/modules/ietf-tls-server@2019-07-02.yang
deleted file mode 100644
index 22cfb20c7..000000000
--- a/modules/ietf-tls-server@2019-07-02.yang
+++ /dev/null
@@ -1,263 +0,0 @@ - module ietf-tls-server { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; - prefix tlss; - - import ietf-tls-common { - prefix tlscmn; - revision-date 2019-07-02; // stable grouping definitions - reference - "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; - } - - import ietf-truststore { - prefix ts; - reference - "RFC YYYY: A YANG Data Model for a Truststore"; - } - - import ietf-keystore { - prefix ks; - reference - "RFC ZZZZ: A YANG Data Model for a Keystore"; - } - - import ietf-netconf-acm { - prefix nacm; - reference - "RFC 8341: Network Configuration Access Control Model"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Gary Wu "; - - description - "This module defines reusable groupings for TLS servers that - can be used as a basis for specific TLS server instances. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
- - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; - } - - // Features - - feature tls-server-hello-params-config { - description - "TLS hello message parameters are configurable on a TLS - server."; - } - - feature tls-server-keepalives { - description - "Per socket TLS keepalive parameters are configurable for - TLS servers on the server implementing this feature."; - } - - feature local-client-auth-supported { - description - "Indicates that the TLS server supports local - configuration of client credentials."; - } - - - feature external-client-auth-supported { - description - "Indicates that the TLS server supports external - configuration of client credentials."; - } - - // Groupings - - grouping tls-server-grouping { - description - "A reusable grouping for configuring a TLS server without - any consideration for how underlying TCP sessions are - established. - - Note that this grouping uses fairly typical descendent - node names such that a stack of 'uses' statements will - have name conflicts. It is intended that the consuming - data model will resolve the issue (e.g., by wrapping - the 'uses' statement in a container called - 'tls-server-parameters'). This model purposely does - not do this itself so as to provide maximum flexibility - to consuming models."; - - - container server-identity { // FIXME: what about PSKs? 
- nacm:default-deny-write; - description - "A locally-defined or referenced end-entity certificate, - including any configured intermediate certificates, the - TLS server will present when establishing a TLS connection - in its Certificate message, as defined in Section 7.4.2 - in RFC 5246."; - reference - "RFC 5246: - The Transport Layer Security (TLS) Protocol Version 1.2 - RFC ZZZZ: - YANG Data Model for a 'Keystore' Mechanism"; - uses ks:local-or-keystore-end-entity-cert-with-key-grouping; - } // container server-identity - - container client-authentication { // FIXME: what about PSKs? - nacm:default-deny-write; - presence - "Indicates that certificate based client authentication - is supported (i.e., the server will request that the - client send a certificate)."; - description - "Specifies if TLS client authentication is required or - optional, and specifies if the certificates needed to - authenticate the TLS client are configured locally or - externally. If configured locally, the data model - enables both trust anchors and end-entity certificate - to be set."; - choice required-or-optional { - mandatory true; // or default to 'required' ? - description - "Indicates if TLS-level client authentication is required - or optional. This is necessary for some protocols (e.g., - RESTCONF) the may optionally authenticate a client via - TLS-level authentication, HTTP-level authentication, or - both simultaneously)."; - leaf required { - type empty; - description - "Indicates that TLS-level client authentication is - required."; - } - leaf optional { - type empty; - description - "Indicates that TLS-level client authentication is - optional."; - } - } - choice local-or-external { - mandatory true; - description - "Indicates if the certificates needed to authenticate - the client are configured locally or externally. 
The - need to support external configuration for client - authentication stems from the desire to support - consuming data models that prefer to place client - authentication with client definitions, rather then - in a data model principally concerned with configuring - the transport."; - case local { - if-feature "local-client-auth-supported"; - description - "The certificates needed to authenticate the clients - are configured locally."; - leaf ca-certs { - if-feature "ts:x509-certificates"; - type ts:certificates-ref;//FIXME: local-or-remote? - description - "A reference to a list of certificate authority (CA) - certificates used by the TLS server to authenticate - TLS client certificates. A client certificate is - authenticated if it has a valid chain of trust to - a configured CA certificate."; - reference - "RFC YYYY: YANG Data Model for Global Trust Anchors"; - } - leaf client-certs { - if-feature "ts:x509-certificates"; - type ts:certificates-ref;//FIXME: local-or-remote? - description - "A reference to a list of client certificates - used by the TLS server to authenticate TLS - client certificates. 
A clients certificate - is authenticated if it is an exact match to - a configured client certificate."; - reference - "RFC YYYY: YANG Data Model for Global Trust Anchors"; - } - } - case external { - if-feature "external-client-auth-supported"; - description - "The certificates needed to authenticate the clients - are configured externally."; - leaf client-auth-defined-elsewhere { - type empty; - description - "Indicates that certificates needed to authenticate - clients are configured elsewhere."; - } - } - } // choice local-or-external - } // container client-authentication - - container hello-params { - nacm:default-deny-write; - if-feature "tls-server-hello-params-config"; - uses tlscmn:hello-params-grouping; - description - "Configurable parameters for the TLS hello message."; - } // container hello-params - - container keepalives { - nacm:default-deny-write; - if-feature "tls-server-keepalives"; - presence "Indicates that keepalives are enabled."; - description - "Configures the keep-alive policy, to proactively test - the aliveness of the TLS client. An unresponsive - TLS client is dropped after approximately max-wait - * max-attempts seconds."; - leaf max-wait { - type uint16 { - range "1..max"; - } - units "seconds"; - default "30"; - description - "Sets the amount of time in seconds after which if - no data has been received from the TLS client, a - TLS-level message will be sent to test the - aliveness of the TLS client."; - } - leaf max-attempts { - type uint8; - default "3"; - description - "Sets the maximum number of sequential keep-alive - messages that can fail to obtain a response from - the TLS client before assuming the TLS client is - no longer alive."; - } - } // container keepalives - } // grouping tls-server-grouping - } diff --git a/modules/ietf-truststore@2019-07-02.yang b/modules/ietf-truststore@2019-07-02.yang deleted file mode 100644 index 98e193d47..000000000 --- a/modules/ietf-truststore@2019-07-02.yang +++ /dev/null 
@@ -1,294 +0,0 @@ - module ietf-truststore { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-truststore"; - prefix ts; - - import ietf-netconf-acm { - prefix nacm; - reference - "RFC 8341: Network Configuration Access Control Model"; - } - - import ietf-crypto-types { - prefix ct; - reference - "RFC YYYY: Common YANG Data Types for Cryptography"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen "; - - description - "This module defines a truststore to centralize management - of trust anchors including both X.509 certificates and - SSH host keys. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
- - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: A YANG Data Model for a Truststore"; - } - - /****************/ - /* Features */ - /****************/ - - feature truststore-supported { - description - "The 'truststore-supported' feature indicates that the - server supports the truststore."; - } - - feature local-definitions-supported { - description - "The 'local-definitions-supported' feature indicates that - the server supports locally-defined trust anchors."; - } - - feature x509-certificates { - description - "The 'x509-certificates' feature indicates that the server - implements the /truststore/certificates subtree."; - } - - feature ssh-host-keys { - description - "The 'ssh-host-keys' feature indicates that the server - implements the /truststore/host-keys subtree."; - } - - /****************/ - /* Typedefs */ - /****************/ - - typedef certificates-ref { - type leafref { - path "/ts:truststore/ts:certificates/ts:name"; - } - description - "This typedef enables modules to easily define a reference - to a set of certificates defined in the truststore."; - } - - typedef host-keys-ref { - type leafref { - path "/ts:truststore/ts:host-keys/ts:name"; - } - description - "This typedef enables modules to easily define a reference - to a set of host keys defined in the truststore."; - } - - /*****************/ - /* Groupings */ - /*****************/ - - grouping local-or-truststore-certs-grouping { - description - "A grouping that expands to allow trust anchors to be - 
either stored locally, within the using data model, or be - a reference to trust anchors stored in the truststore."; - choice local-or-truststore { - mandatory true; - case local { - if-feature "local-definitions-supported"; - container local-definition { - description - "Container to hold the local trust anchor definitions. - A list is defined so as to be symmetric with the - truststore definition."; - uses ct:trust-anchor-certs-grouping; - } - } - case truststore { - if-feature "truststore-supported"; - if-feature "x509-certificates"; - leaf truststore-reference { - type ts:certificates-ref; - description - "A reference to a set of trust anchors that exists - in the truststore."; - } - } - description - "A choice between an inlined definition and a definition - that exists in the truststore."; - } - } - - grouping local-or-truststore-host-keys-grouping { - description - "A grouping that expands to allow trust anchors to be - either stored locally, within the using data model, or be - a reference to trust anchors stored in the truststore."; - choice local-or-truststore { - mandatory true; - case local { - if-feature "local-definitions-supported"; - container local-definition { - description - "Container to hold the local trust anchor definitions. 
- A list is defined so as to be symmetric with the - truststore definition."; - leaf-list host-key { - nacm:default-deny-write; - type ct:ssh-host-key; - description - "The binary data for this host key."; - reference - "RFC YYYY: Common YANG Data Types for Cryptography"; - } - uses ct:trust-anchor-certs-grouping; - } - } - case truststore { - if-feature "truststore-supported"; - if-feature "ssh-host-keys"; - leaf truststore-reference { - type ts:host-keys-ref; - description - "A reference to a set of trust anchors that exists - in the truststore."; - } - } - description - "A choice between an inlined definition and a definition - that exists in the truststore."; - } - } - - - grouping truststore-grouping { - description - "Grouping definition enables use in other contexts. If ever - done, implementations SHOULD augment new 'case' statements - into local-or-keystore 'choice' statements to supply leafrefs - to the new location."; - list certificates { - if-feature "x509-certificates"; - key "name"; - description - "A list of certificates. These certificates can be - used by a server to authenticate clients, or by a client - to authenticate servers. Each list of certificates - SHOULD be specific to a purpose, as the list as a whole - may be referenced by other modules. For instance, a - RESTCONF server's configuration might use a specific list - of certificates for when authenticating RESTCONF - client connections."; - leaf name { - type string; - description - "An arbitrary name for this list of certificates."; - } - leaf description { - type string; - description - "An arbitrary description for this list of - certificates."; - } - list certificate { - key "name"; - description - "A certificate."; - leaf name { - type string; - description - "An arbitrary name for this certificate. 
The - name must be unique across all lists of - certificates (not just this list) so that leafrefs - from another module can resolve to unique values."; - } - uses ct:trust-anchor-cert-grouping { - refine "cert" { - mandatory true; - } - } - } - } - list host-keys { - if-feature "ssh-host-keys"; - key "name"; - description - "A list of host keys. These host-keys can - be used by clients to authenticate SSH servers. Each - list of host keys SHOULD be specific to a purpose, - so the list as a whole may be referenced by other modules. - For instance, a NETCONF client's configuration might - point to a specific list of host keys for when - authenticating specific SSH servers."; - leaf name { - type string; - description - "An arbitrary name for this list of SSH - host keys."; - } - leaf description { - type string; - description - "An arbitrary description for this list of SSH - host keys."; - } - list host-key { - key "name"; - description - "A host key."; - leaf name { - type string; - description - "An arbitrary name for this host-key. Must be - unique across all lists of host-keys (not just - this list) so that a leafref to it from another module - can resolve to unique values."; - } - leaf host-key { - type ct:ssh-host-key; - mandatory true; - description - "The binary public key data for this host key."; - reference - "RFC YYYY: Common YANG Data Types for Cryptography"; - } - } - } - } - - /*********************************/ - /* Protocol accessible nodes */ - /*********************************/ - - container truststore { - nacm:default-deny-write; - description - "The truststore contains sets of X.509 certificates and - SSH host keys."; - uses truststore-grouping; - } - } diff --git a/modules/ietf-x509-cert-to-name@2014-12-10.yang b/modules/ietf-x509-cert-to-name@2014-12-10.yang deleted file mode 100644 index 00be8bb19..000000000 --- a/modules/ietf-x509-cert-to-name@2014-12-10.yang +++ /dev/null 
@@ -1,303 +0,0 @@ - module ietf-x509-cert-to-name { - - namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"; - prefix x509c2n; - - import ietf-yang-types { - prefix yang; - } - - organization - "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; - - contact - "WG Web: - WG List: - - WG Chair: Thomas Nadeau - - - WG Chair: Juergen Schoenwaelder - - - Editor: Martin Bjorklund - - - Editor: Juergen Schoenwaelder - "; - - description - "This module contains a collection of YANG definitions for - extracting a name from an X.509 certificate. - The algorithm used to extract a name from an X.509 certificate - was first defined in RFC 6353. - - Copyright (c) 2014 IETF Trust and the persons identified as - authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with or - without modification, is permitted pursuant to, and subject - to the license terms contained in, the Simplified BSD License - set forth in Section 4.c of the IETF Trust's Legal Provisions - Relating to IETF Documents - (http://trustee.ietf.org/license-info). - - This version of this YANG module is part of RFC 7407; see - the RFC itself for full legal notices."; - - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model for - the Simple Network Management Protocol (SNMP)"; - - revision 2014-12-10 { - description - "Initial revision."; - reference - "RFC 7407: A YANG Data Model for SNMP Configuration"; - - } - - typedef tls-fingerprint { - type yang:hex-string { - pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}'; - } - description - "A fingerprint value that can be used to uniquely reference - other data of potentially arbitrary length. - - A tls-fingerprint value is composed of a 1-octet hashing - algorithm identifier followed by the fingerprint value. The - first octet value identifying the hashing algorithm is taken - from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). 
The - remaining octets are filled using the results of the hashing - algorithm."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.SnmpTLSFingerprint"; - } - - /* Identities */ - - identity cert-to-name { - description - "Base identity for algorithms to derive a name from a - certificate."; - } - - identity specified { - base cert-to-name; - description - "Directly specifies the name to be used for the certificate. - The value of the leaf 'name' in the cert-to-name list is - used."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertSpecified"; - } - - identity san-rfc822-name { - base cert-to-name; - description - "Maps a subjectAltName's rfc822Name to a name. The local part - of the rfc822Name is passed unaltered, but the host-part of - the name must be passed in lowercase. For example, the - rfc822Name field FooBar@Example.COM is mapped to name - FooBar@example.com."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name"; - } - - identity san-dns-name { - base cert-to-name; - description - "Maps a subjectAltName's dNSName to a name after first - converting it to all lowercase (RFC 5280 does not specify - converting to lowercase, so this involves an extra step). - This mapping results in a 1:1 correspondence between - subjectAltName dNSName values and the name values."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). 
- SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName"; - } - - identity san-ip-address { - base cert-to-name; - description - "Maps a subjectAltName's iPAddress to a name by - transforming the binary-encoded address as follows: - - 1) for IPv4, the value is converted into a - decimal-dotted quad address (e.g., '192.0.2.1'). - - 2) for IPv6 addresses, the value is converted into a - 32-character, all-lowercase hexadecimal string - without any colon separators. - - This mapping results in a 1:1 correspondence between - subjectAltName iPAddress values and the name values."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress"; - } - - identity san-any { - base cert-to-name; - description - "Maps any of the following fields using the corresponding - mapping algorithms: - - +------------+-----------------+ - | Type | Algorithm | - |------------+-----------------| - | rfc822Name | san-rfc822-name | - | dNSName | san-dns-name | - | iPAddress | san-ip-address | - +------------+-----------------+ - - The first matching subjectAltName value found in the - certificate of the above types MUST be used when deriving - the name. The mapping algorithm specified in the - 'Algorithm' column MUST be used to derive the name. - - This mapping results in a 1:1 correspondence between - subjectAltName values and name values. The three sub-mapping - algorithms produced by this combined algorithm cannot produce - conflicting results between themselves."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertSANAny"; - } - - identity common-name { - base cert-to-name; - description - "Maps a certificate's CommonName to a name after converting - it to a UTF-8 encoding. The usage of CommonNames is - deprecated, and users are encouraged to use subjectAltName - mapping methods instead. 
This mapping results in a 1:1 - correspondence between certificate CommonName values and name - values."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertCommonName"; - } - - /* - * Groupings - */ - - grouping cert-to-name { - description - "Defines nodes for mapping certificates to names. Modules - that use this grouping should describe how the resulting - name is used."; - - list cert-to-name { - key id; - description - "This list defines how certificates are mapped to names. - The name is derived by considering each cert-to-name - list entry in order. The cert-to-name entry's fingerprint - determines whether the list entry is a match: - - 1) If the cert-to-name list entry's fingerprint value - matches that of the presented certificate, then consider - the list entry a successful match. - - 2) If the cert-to-name list entry's fingerprint value - matches that of a locally held copy of a trusted CA - certificate, and that CA certificate was part of the CA - certificate chain to the presented certificate, then - consider the list entry a successful match. - - Once a matching cert-to-name list entry has been found, the - map-type is used to determine how the name associated with - the certificate should be determined. See the map-type - leaf's description for details on determining the name value. - If it is impossible to determine a name from the cert-to-name - list entry's data combined with the data presented in the - certificate, then additional cert-to-name list entries MUST - be searched to look for another potential match. 
- - Security administrators are encouraged to make use of - certificates with subjectAltName fields that can be mapped to - names so that a single root CA certificate can allow all - child certificates' subjectAltName fields to map directly to - a name via a 1:1 transformation."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry"; - - leaf id { - type uint32; - description - "The id specifies the order in which the entries in the - cert-to-name list are searched. Entries with lower - numbers are searched first."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol - (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID"; - } - - leaf fingerprint { - type x509c2n:tls-fingerprint; - mandatory true; - description - "Specifies a value with which the fingerprint of the - full certificate presented by the peer is compared. If - the fingerprint of the full certificate presented by the - peer does not match the fingerprint configured, then the - entry is skipped, and the search for a match continues."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol - (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint"; - } - - leaf map-type { - type identityref { - base cert-to-name; - } - mandatory true; - description - "Specifies the algorithm used to map the certificate - presented by the peer to a name. - - Mappings that need additional configuration objects should - use the 'when' statement to make them conditional based on - the map-type."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol - (SNMP). 
- SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; - } - - leaf name { - when "../map-type = 'x509c2n:specified'"; - type string; - mandatory true; - description - "Directly specifies the NETCONF username when the - map-type is 'specified'."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol - (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; - } - } - } - } diff --git a/scripts/common.sh b/scripts/common.sh new file mode 100644 index 000000000..ec7738759 --- /dev/null +++ b/scripts/common.sh 
@@ -0,0 +1,94 @@
+# common.sh - contains common functions and variables for the scripts
+
+# arrays of modules to (un)install
+NP2_MODULES=(
+"ietf-interfaces@2018-02-20.yang"
+"ietf-ip@2018-02-22.yang"
+"ietf-netconf@2013-09-29.yang -e writable-running -e candidate -e rollback-on-error -e validate -e startup -e url -e xpath -e confirmed-commit"
+"ietf-netconf-nmda@2019-01-07.yang -e origin -e with-defaults"
+"notifications@2008-07-14.yang"
+"nc-notifications@2008-07-14.yang"
+"ietf-netconf-monitoring@2010-10-04.yang"
+"ietf-network-instance@2019-01-21.yang"
+"ietf-subscribed-notifications@2019-09-09.yang -e encode-xml -e replay -e subtree -e xpath"
+"ietf-yang-push@2019-09-09.yang -e on-change"
+)
+
+LN2_MODULES=(
+"iana-ssh-encryption-algs@2022-06-16.yang"
+"iana-ssh-key-exchange-algs@2022-06-16.yang"
+"iana-ssh-mac-algs@2022-06-16.yang"
+"iana-ssh-public-key-algs@2022-06-16.yang"
+"iana-tls-cipher-suite-algs@2022-06-16.yang"
+"ietf-x509-cert-to-name@2014-12-10.yang"
+"iana-crypt-hash@2014-04-04.yang -e crypt-hash-md5 -e crypt-hash-sha-256 -e crypt-hash-sha-512"
+"ietf-crypto-types@2023-04-17.yang -e cleartext-passwords -e cleartext-private-keys"
+"ietf-keystore@2023-04-17.yang -e central-keystore-supported -e inline-definitions-supported -e asymmetric-keys"
+"ietf-truststore@2023-04-17.yang -e central-truststore-supported -e inline-definitions-supported -e certificates -e public-keys"
+"ietf-tcp-common@2023-04-17.yang -e keepalives-supported"
+"ietf-tcp-server@2023-04-17.yang -e tcp-server-keepalives"
+"ietf-tcp-client@2023-04-17.yang -e local-binding-supported -e tcp-client-keepalives"
+"ietf-ssh-common@2023-04-17.yang -e transport-params"
+"ietf-ssh-server@2023-04-17.yang -e local-users-supported -e local-user-auth-publickey -e local-user-auth-password -e local-user-auth-none"
+"ietf-tls-common@2023-04-17.yang -e tls10 -e tls11 -e tls12 -e tls13 -e hello-params"
+"ietf-tls-server@2023-04-17.yang -e server-ident-x509-cert -e client-auth-supported -e client-auth-x509-cert"
+"ietf-netconf-server@2023-04-17.yang -e ssh-listen -e tls-listen -e ssh-call-home -e tls-call-home -e central-netconf-server-supported"
+"libnetconf2-netconf-server@2023-09-07.yang"
+)
+
+# get path to the sysrepocfg executable
+function SYSREPOCFG_GET_PATH() {
+    if [ -n "$SYSREPOCFG_EXECUTABLE" ]; then
+        # from env
+        SYSREPOCFG="$SYSREPOCFG_EXECUTABLE"
+    elif [ $(id -u) -eq 0 ] && [ -n "$USER" ] && [ $(command -v su) ]; then
+        # running as root, avoid problems with sudo PATH
+        SYSREPOCFG=$(su -c 'command -v sysrepocfg' -l "$USER")
+    else
+        # normal user
+        SYSREPOCFG=$(command -v sysrepocfg)
+    fi
+
+    if [ -z "$SYSREPOCFG" ]; then
+        echo "$0: Unable to find sysrepocfg executable." >&2
+        exit 1
+    fi
+}
+
+# get path to the sysrepoctl executable
+function SYSREPOCTL_GET_PATH() {
+    if [ -n "$SYSREPOCTL_EXECUTABLE" ]; then
+        # from env
+        SYSREPOCTL="$SYSREPOCTL_EXECUTABLE"
+    elif [ $(id -u) -eq 0 ] && [ -n "$USER" ] && [ $(command -v su) ]; then
+        # running as root, avoid problems with sudo PATH
+        SYSREPOCTL=$(su -c 'command -v sysrepoctl' -l "$USER")
+    else
+        # normal user
+        SYSREPOCTL=$(command -v sysrepoctl)
+    fi
+
+    if [ -z "$SYSREPOCTL" ]; then
+        echo "$0: Unable to find sysrepoctl executable." >&2
+        exit 1
+    fi
+}
+
+# get path to the openssl executable
+function OPENSSL_GET_PATH() {
+    if [ -n "$OPENSSL_EXECUTABLE" ]; then
+        # from env
+        OPENSSL="$OPENSSL_EXECUTABLE"
+    elif [ $(id -u) -eq 0 ] && [ -n "$USER" ] && [ $(command -v su) ]; then
+        # running as root, avoid problems with sudo PATH
+        OPENSSL=$(su -c 'command -v openssl' -l "$USER")
+    else
+        # normal user
+        OPENSSL=$(command -v openssl)
+    fi
+
+    if [ -z "$OPENSSL" ]; then
+        echo "$0: Unable to find sysrepoctl executable." >&2
+        exit 1
+    fi
+}
diff --git a/scripts/merge_config.sh b/scripts/merge_config.sh
index 389784584..bc624cc20 100755
--- a/scripts/merge_config.sh
+++ b/scripts/merge_config.sh
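Review bot: The not-found diagnostic in OPENSSL_GET_PATH still names sysrepoctl, a copy-paste leftover from SYSREPOCTL_GET_PATH, so a missing openssl is reported as a missing sysrepoctl; change it to `echo "$0: Unable to find openssl executable." >&2`. The three functions differ only in the tool name and the variables they set, so a single helper taking the env override, tool name and output variable would keep the three messages from drifting again, though that is optional. Since the file is meant to be sourced, the `exit 1` inside each function terminates the calling script rather than returning, which is presumably intended but deserves a comment on each function, e.g. `# exits the sourcing script when the executable cannot be found`.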
@@ -2,20 +2,69 @@ set -e -# optional env variable override -if [ -n "$SYSREPOCFG_EXECUTABLE" ]; then - SYSREPOCFG="$SYSREPOCFG_EXECUTABLE" -# avoid problems with sudo PATH -elif [ `id -u` -eq 0 ] && [ -n "$USER" ] && [ `command -v su` ]; then - SYSREPOCFG=`su -c 'command -v sysrepocfg' -l $USER` -else - SYSREPOCFG=`command -v sysrepocfg` -fi -KS_KEY_NAME=genkey +# import functions +script_directory=$(dirname "$0") +source "${script_directory}/common.sh" + +# get path to sysrepocfg executable, this will be stored in $SYSREPOCFG +SYSREPOCFG_GET_PATH # check that there is no listen/Call Home configuration yet -SERVER_CONFIG=`$SYSREPOCFG -X -x "/ietf-netconf-server:netconf-server/listen/endpoint[1]/name | /ietf-netconf-server:netconf-server/call-home/netconf-client[1]/name"` -if [ -z "$SERVER_CONFIG" ]; then +SERVER_CONFIG=$($SYSREPOCFG -X -x "/ietf-netconf-server:netconf-server/listen/endpoint | /ietf-netconf-server:netconf-server/call-home/netconf-client") +if [ -n "$SERVER_CONFIG" ]; then + # the server is configured, just exit + exit 0 +fi + +# get the user who invoked the script +CURRENT_USER="$SUDO_USER" +# get his home dir +CURRENT_USER_HOME=$(eval echo "~$CURRENT_USER") +# try to get his authorized_keys file +AUTHORIZED_KEYS_FILE="$CURRENT_USER_HOME/.ssh/authorized_keys" +# check if the authorized keys file exists +if [ -f "$AUTHORIZED_KEYS_FILE" ]; then + # it exists, create public keys that are authorized in the server's configuration + AUTH_CONFIG=" + + " + + IDX=0 +# read lines from authorized_keys + while IFS= read -r LINE; do + # check if the line is empty or starts with a comment (#) + if [[ -n "$LINE" && ! 
"$LINE" =~ ^\s*# ]]; then + # extract the base64 public key + PUB_BASE64=$(echo "$LINE" | awk '{print $2}') + + NEW_PUBKEY_ENTRY=" + authorized_key_${IDX} + ct:ssh-public-key-format + ${PUB_BASE64} + " + # append + AUTH_CONFIG="${AUTH_CONFIG}${NEW_PUBKEY_ENTRY}" + IDX=$((IDX + 1)) + fi + done < "$AUTHORIZED_KEYS_FILE" + + # append the ending tags + AUTH_CONFIG="${AUTH_CONFIG} + + " + + echo "--" + echo "-- Added user \"${CURRENT_USER}\" that can authenticate with a key pair from his authorized_keys to the server configuration..." + echo "--" +else + # authorized_keys doesn't exist, get the user's pw hash from /etc/shadow and use that for authentication + CURRENT_USER_PW_HASH=$(awk -v user="$CURRENT_USER" -F':' '$1 == user {print $2}' /etc/shadow) + AUTH_CONFIG="${CURRENT_USER_PW_HASH}" + + echo "--" + echo "-- Added user \"${CURRENT_USER}\" that can authenticate with his password to the server configuration..." + echo "--" +fi # import default config CONFIG=" @@ -36,16 +85,17 @@ CONFIG=" default-key - $KS_KEY_NAME + genkey - - - - - + + + ${CURRENT_USER} + ${AUTH_CONFIG} + + @@ -54,7 +104,5 @@ CONFIG="" # apply it to startup and running -echo "$CONFIG" | $SYSREPOCFG --edit -d startup -f xml -m ietf-netconf-server -v2 -$SYSREPOCFG -C startup -m ietf-netconf-server -v2 - -fi +echo "$CONFIG" | "$SYSREPOCFG" --edit -d startup -f xml -m ietf-netconf-server -v2 +"$SYSREPOCFG" -C startup -m ietf-netconf-server -v2 diff --git a/scripts/merge_hostkey.sh b/scripts/merge_hostkey.sh index 555af38c9..fedc3a78c 100755 --- a/scripts/merge_hostkey.sh +++ b/scripts/merge_hostkey.sh 
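Review bot: `CURRENT_USER="$SUDO_USER"` is empty whenever the script is run as root without sudo (or via su), in which case `eval echo "~$CURRENT_USER"` expands to root's home, the `awk` lookup in /etc/shadow matches no user, and the generated config is committed with an empty user name and an empty credential; running `eval` on an environment-supplied value is also unnecessary. Prefer `CURRENT_USER="${SUDO_USER:-$(id -un)}"` and `CURRENT_USER_HOME=$(getent passwd "$CURRENT_USER" | cut -d: -f6)`, and exit with a message if either comes back empty. The fallback path copies the user's password hash out of /etc/shadow into the sysrepo startup datastore, so the datastore's file permissions and NACM rules now guard the same secret as the shadow file; that deserves a comment on the `awk` line, e.g. `# NOTE: the shadow hash is stored in the datastore; keep datastore access as restricted as /etc/shadow`. The `awk '{print $2}'` extraction also picks the wrong field for authorized_keys lines that carry an options prefix before the key type, so such keys are imported as garbage; checking that the first field starts with a key-type name (or skipping lines whose field count is not 2 or 3) would avoid that. Finally, `$SYSREPOCFG` is unquoted in the `SERVER_CONFIG=` command here while the last hunk of this file quotes it as `"$SYSREPOCFG"`.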
@@ -2,52 +2,37 @@ set -e -# optional env variable override -if [ -n "$SYSREPOCFG_EXECUTABLE" ]; then - SYSREPOCFG="$SYSREPOCFG_EXECUTABLE" -# avoid problems with sudo PATH -elif [ `id -u` -eq 0 ] && [ -n "$USER" ] && [ `command -v su` ]; then - SYSREPOCFG=`su -c 'command -v sysrepocfg' -l $USER` -else - SYSREPOCFG=`command -v sysrepocfg` +# import functions +script_directory=$(dirname "$0") +source "${script_directory}/common.sh" + +# get path to sysrepocfg and openssl executables, these will be stored in $SYSREPOCFG and $OPENSSL, respectively +SYSREPOCFG_GET_PATH +OPENSSL_GET_PATH + +# check that there is no SSH key with this name yet, if so just exit +KEYSTORE_KEY=$($SYSREPOCFG -X -x "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='genkey']") +if [ -n "$KEYSTORE_KEY" ]; then + exit 0 fi -if [ -n "$OPENSSL_EXECUTABLE" ]; then - OPENSSL="$OPENSSL_EXECUTABLE" -elif [ `id -u` -eq 0 ] && [ -n "$USER" ] && [ `command -v su` ]; then - OPENSSL=`su -c 'command -v openssl' -l $USER` -else - OPENSSL=`command -v openssl` -fi - -# check that there is no SSH key with this name yet -KEYSTORE_KEY=`$SYSREPOCFG -X -x "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='genkey']/name"` -if [ -z "$KEYSTORE_KEY" ]; then - # generate a new key -PRIVPEM=`$OPENSSL genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM 2>/dev/null` +PRIVPEM=$($OPENSSL genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM 2>/dev/null) # remove header/footer and newlines -PRIVKEY=`echo "$PRIVPEM" | grep -v -- "-----" | tr -d "\n"` - -# get public key -PUBPEM=`echo "$PRIVPEM" | $OPENSSL rsa -pubout 2>/dev/null` -# remove header/footer and newlines -PUBKEY=`echo "$PUBPEM" | grep -v -- "-----" | tr -d "\n"` +PRIVKEY=$(echo "$PRIVPEM" | grep -v -- "-----" | tr -d "\n") # generate edit config CONFIG=" genkey - rsa2048 - $PUBKEY - $PRIVKEY + ct:ssh-public-key-format + ct:rsa-private-key-format + ${PRIVKEY} " # apply it to startup and running -echo "$CONFIG" | 
$SYSREPOCFG --edit -d startup -f xml -m ietf-keystore -v2 -$SYSREPOCFG -C startup -m ietf-keystore -v2 - -fi +echo "$CONFIG" | "$SYSREPOCFG" --edit -d startup -f xml -m ietf-keystore -v2 +"$SYSREPOCFG" -C startup -m ietf-keystore -v2 diff --git a/scripts/remove.sh b/scripts/remove.sh index 42d45a69e..8cfbbdf45 100755 --- a/scripts/remove.sh +++ b/scripts/remove.sh 
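Review bot: The generated RSA private key is now stored only as `ct:rsa-private-key-format` cleartext in the ietf-keystore startup datastore (the public half is no longer written alongside it), so the host key's secrecy depends entirely on the sysrepo datastore file mode and on who can read `ietf-keystore` via NETCONF; a comment saying so, with a pointer to the `NP2_MODULE_PERMS`/owner that setup.sh applies to the module, would help operators judge the exposure. `$OPENSSL genpkey ... 2>/dev/null` discards the failure reason: `set -e` does abort on the empty substitution, but the user sees nothing, so drop the redirect or print a message such as `echo "host key generation failed" >&2` before exiting. The first call is `$SYSREPOCFG -X ...` while the two at the end are `"$SYSREPOCFG"`; quote all three consistently.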
@@ -1,46 +1,18 @@ #!/usr/bin/env bash -# {% raw %} - jinja2 command to not process "{#" in the script -# optional env variable override -if [ -n "$SYSREPOCTL_EXECUTABLE" ]; then - SYSREPOCTL="$SYSREPOCTL_EXECUTABLE" -# avoid problems with sudo PATH -elif [ `id -u` -eq 0 ] && [ -n "$USER" ] && [ `command -v su` ]; then - SYSREPOCTL=`su -c 'command -v sysrepoctl' -l $USER` -else - SYSREPOCTL=`command -v sysrepoctl` -fi +# import functions and modules arrays +script_directory=$(dirname "$0") +source "${script_directory}/common.sh" -# array of modules to remove, exact same as setup.sh -MODULES=( -"ietf-netconf@2013-09-29.yang -e writable-running -e candidate -e rollback-on-error -e validate -e startup -e url -e xpath -e confirmed-commit" -"ietf-netconf-monitoring@2010-10-04.yang" -"ietf-netconf-nmda@2019-01-07.yang -e origin -e with-defaults" -"nc-notifications@2008-07-14.yang" -"notifications@2008-07-14.yang" -"ietf-x509-cert-to-name@2014-12-10.yang" -"ietf-crypto-types@2019-07-02.yang" -"ietf-keystore@2019-07-02.yang -e keystore-supported" -"ietf-truststore@2019-07-02.yang -e truststore-supported -e x509-certificates" -"ietf-tcp-common@2019-07-02.yang -e keepalives-supported" -"ietf-ssh-server@2019-07-02.yang -e local-client-auth-supported" -"ietf-tls-server@2019-07-02.yang -e local-client-auth-supported" -"ietf-netconf-server@2019-07-02.yang -e ssh-listen -e tls-listen -e ssh-call-home -e tls-call-home" -"ietf-interfaces@2018-02-20.yang" -"ietf-ip@2018-02-22.yang" -"ietf-network-instance@2019-01-21.yang" -"ietf-subscribed-notifications@2019-09-09.yang -e encode-xml -e replay -e subtree -e xpath" -"ietf-yang-push@2019-09-09.yang -e on-change" -) - -CMD_UNINSTALL= +# get path to sysrepoctl executable, this will be stored in $SYSREPOCTL +SYSREPOCTL_GET_PATH # functions -UNINSTALL_MODULE_QUIET() { +function UNINSTALL_MODULE_QUIET() { "$SYSREPOCTL" -u $1 &> /dev/null } -DISABLE_FEATURE() { +function DISABLE_FEATURE() { "$SYSREPOCTL" -c $1 -d $2 -v2 local rc=$? 
if [ $rc -ne 0 ]; then @@ -48,7 +20,7 @@ DISABLE_FEATURE() { fi } -DISABLE_MODULE_FEATURES() { +function DISABLE_MODULE_FEATURES() { name=$1 sctl_module=$2 module=$3 @@ -70,26 +42,31 @@ DISABLE_MODULE_FEATURES() { done } -# get current modules -SCTL_MODULES=`$SYSREPOCTL -l` -MODULES_LEN=${#MODULES[@]} -for (( i = 0; i < $MODULES_LEN; i++ )); do - # backwards iteration to avoid module dependencies - module=${MODULES[$MODULES_LEN - ($i + 1)]} - name=`echo "$module" | sed 's/\([^@]*\).*/\1/'` +function UNINSTALL_CMD() { + modules=("$@") + nmodules=${#modules[@]} + for (( i = 0; i < $nmodules; i++ )); do + module=${modules[$nmodules - ($i + 1)]} + name=$(echo "$module" | sed 's/\([^@]*\).*/\1/') - SCTL_MODULE=`echo "$SCTL_MODULES" | grep "^$name \+|[^|]*| I"` - if [ -n "$SCTL_MODULE" ]; then - if [ "$name" = "ietf-netconf" ]; then - # internal module, we can only disable features - DISABLE_MODULE_FEATURES $name "$SCTL_MODULE" "$module" - else - # uninstall module and ignore the result, there may be new modules depending on this one - UNINSTALL_MODULE_QUIET "$name" + sctl_module=$(echo "$SCTL_MODULES" | grep "^$name \+|[^|]*| I") + if [ -n "$sctl_module" ]; then + if [ "$name" = "ietf-netconf" ]; then + # internal module, we can only disable features + DISABLE_MODULE_FEATURES $name "$sctl_module" "$module" + else + # uninstall module and ignore the result, there may be new modules depending on this one + UNINSTALL_MODULE_QUIET "$name" + fi + continue fi - continue - fi -done + done +} + +# get current modules +SCTL_MODULES=`$SYSREPOCTL -l` -# {% endraw %} +# uninstall np2 and ln2 modules +UNINSTALL_CMD "${NP2_MODULES[@]}" +UNINSTALL_CMD "${LN2_MODULES[@]}" diff --git a/scripts/setup.sh b/scripts/setup.sh index 45ec2c727..02c1b10c4 100755 --- a/scripts/setup.sh +++ b/scripts/setup.sh 
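Review bot: The `# {% raw %}` / `# {% endraw %}` guards are removed, and the deleted comment explained they existed so a jinja2 pass would not treat `{#` as a comment opener; the rewrite still contains `${#modules[@]}` (in the `UNINSTALL_CMD` hunk below), so if this script is still rendered through jinja2 anywhere, that expression is now swallowed. Either keep the guards or, if template processing was dropped, record that with a comment such as `# not processed by jinja2; "{#" is safe here`. `UNINSTALL_MODULE_QUIET` still passes `$1` unquoted to `"$SYSREPOCTL" -u $1`; `"$1"` is safer and matches the quoted executable.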
@@ -1,56 +1,33 @@ #!/usr/bin/env bash -# env variables NP2_MODULE_DIR, NP2_MODULE_PERMS must be defined and NP2_MODULE_OWNER, NP2_MODULE_GROUP will be used if -# defined when executing this script! -if [ -z "$NP2_MODULE_DIR" -o -z "$NP2_MODULE_PERMS" ]; then +# env variables NP2_MODULE_DIR, NP2_MODULE_PERMS and LN2_MODULE_DIR must be defined +# and NP2_MODULE_OWNER, NP2_MODULE_GROUP will be used if defined when executing this script! + +if [ -z "$NP2_MODULE_DIR" -o -z "$NP2_MODULE_PERMS" -o -z "$LN2_MODULE_DIR" ]; then echo "Required environment variables not defined!" exit 1 fi -# optional env variable override -if [ -n "$SYSREPOCTL_EXECUTABLE" ]; then - SYSREPOCTL="$SYSREPOCTL_EXECUTABLE" -# avoid problems with sudo PATH -elif [ `id -u` -eq 0 ] && [ -n "$USER" ] && [ `command -v su` ]; then - SYSREPOCTL=`su -c 'command -v sysrepoctl' -l $USER` -else - SYSREPOCTL=`command -v sysrepoctl` -fi -MODDIR=${DESTDIR}${NP2_MODULE_DIR} +# import functions and modules arrays +script_directory=$(dirname "$0") +source "${script_directory}/common.sh" + +# get path to sysrepoctl executable, this will be stored in $SYSREPOCTL +SYSREPOCTL_GET_PATH + +NP2_MODDIR=${DESTDIR}${NP2_MODULE_DIR} +LN2_MODDIR=${DESTDIR}${LN2_MODULE_DIR} PERMS=${NP2_MODULE_PERMS} OWNER=${NP2_MODULE_OWNER} GROUP=${NP2_MODULE_GROUP} -# array of modules to install -MODULES=( -"ietf-netconf@2013-09-29.yang -e writable-running -e candidate -e rollback-on-error -e validate -e startup -e url -e xpath -e confirmed-commit" -"ietf-netconf-monitoring@2010-10-04.yang" -"ietf-netconf-nmda@2019-01-07.yang -e origin -e with-defaults" -"nc-notifications@2008-07-14.yang" -"notifications@2008-07-14.yang" -"ietf-x509-cert-to-name@2014-12-10.yang" -"ietf-keystore@2019-07-02.yang -e keystore-supported" -"ietf-truststore@2019-07-02.yang -e truststore-supported -e x509-certificates" -"ietf-tcp-common@2019-07-02.yang -e keepalives-supported" -"ietf-ssh-server@2019-07-02.yang -e local-client-auth-supported" 
-"ietf-tls-server@2019-07-02.yang -e local-client-auth-supported" -"ietf-netconf-server@2019-07-02.yang -e ssh-listen -e tls-listen -e ssh-call-home -e tls-call-home" -"ietf-interfaces@2018-02-20.yang" -"ietf-ip@2018-02-22.yang" -"ietf-network-instance@2019-01-21.yang" -"ietf-subscribed-notifications@2019-09-09.yang -e encode-xml -e replay -e subtree -e xpath" -"ietf-yang-push@2019-09-09.yang -e on-change" -) - -CMD_INSTALL= - # functions -INSTALL_MODULE_CMD() { +function INSTALL_MODULE_CMD() { if [ -z "${CMD_INSTALL}" ]; then - CMD_INSTALL="'$SYSREPOCTL' -s '$MODDIR' -v2" + CMD_INSTALL="'$SYSREPOCTL' -s '$1' -v2" fi - CMD_INSTALL="$CMD_INSTALL -i $MODDIR/$1 -p '$PERMS'" + CMD_INSTALL="$CMD_INSTALL -i $1/$2 -p '$PERMS'" if [ ! -z "${OWNER}" ]; then CMD_INSTALL="$CMD_INSTALL -o '$OWNER'" fi @@ -59,16 +36,16 @@ INSTALL_MODULE_CMD() { fi } -UPDATE_MODULE() { - CMD="'$SYSREPOCTL' -U $MODDIR/$1 -s '$MODDIR' -v2" - eval $CMD +function UPDATE_MODULE() { + CMD="'$SYSREPOCTL' -U $1/$2 -s '$1' -v2" + eval "$CMD" local rc=$? if [ $rc -ne 0 ]; then exit $rc fi } -CHANGE_PERMS() { +function CHANGE_PERMS() { CMD="'$SYSREPOCTL' -c $1 -p '$PERMS' -v2" if [ ! -z "${OWNER}" ]; then CMD="$CMD -o '$OWNER'" @@ -76,14 +53,15 @@ CHANGE_PERMS() { if [ ! -z "${GROUP}" ]; then CMD="$CMD -g '$GROUP'" fi - eval $CMD + + eval "$CMD" local rc=$? if [ $rc -ne 0 ]; then exit $rc fi } -ENABLE_FEATURE() { +function ENABLE_FEATURE() { "$SYSREPOCTL" -c $1 -e $2 -v2 local rc=$? if [ $rc -ne 0 ]; then 
@@ -91,56 +69,68 @@ ENABLE_FEATURE() { fi } -# get current modules -SCTL_MODULES=`$SYSREPOCTL -l` +function SETUP_CMD() { + module_dir="$1" # first argument - module directory + shift # shift all args to the left + modules=("$@") # the rest of the arguments are module names (and their features) + for i in "${modules[@]}"; do + name=$(echo "$i" | sed 's/\([^@]*\).*/\1/') + sctl_module=$(echo "$SCTL_MODULES" | grep "^$name \+|[^|]*| I") + if [ -z "$sctl_module" ]; then + # prepare command to install module with all its features + INSTALL_MODULE_CMD "$module_dir" "$i" + continue + fi + + sctl_revision=$(echo "$sctl_module" | sed 's/[^|]*| \([^ ]*\).*/\1/') + revision=$(echo "$i" | sed 's/[^@]*@\([^\.]*\).*/\1/') + if [ "$sctl_revision" \< "$revision" ]; then + # update module without any features + file=$(echo "$i" | cut -d' ' -f 1) + UPDATE_MODULE "$module_dir" "$file" + fi -for i in "${MODULES[@]}"; do - name=`echo "$i" | sed 's/\([^@]*\).*/\1/'` + sctl_owner=$(echo "$sctl_module" | sed 's/\([^|]*|\)\{3\} \([^:]*\).*/\2/') + sctl_group=$(echo "$sctl_module" | sed 's/\([^|]*|\)\{3\}[^:]*:\([^ ]*\).*/\2/') + sctl_perms=$(echo "$sctl_module" | sed 's/\([^|]*|\)\{4\} \([^ ]*\).*/\2/') + if [ "$sctl_perms" != "$PERMS" ] || [ ! -z "${OWNER}" -a "$sctl_owner" != "$OWNER" ] || [ ! 
-z "${GROUP}" -a "$sctl_group" != "$GROUP" ]; then + # change permissions/owner + CHANGE_PERMS "$name" + fi - SCTL_MODULE=`echo "$SCTL_MODULES" | grep "^$name \+|[^|]*| I"` - if [ -z "$SCTL_MODULE" ]; then - # prepare command to install module with all its features - INSTALL_MODULE_CMD "$i" - continue - fi + # parse sysrepoctl features and add extra space at the end for easier matching + sctl_features="`echo "$sctl_module" | sed 's/\([^|]*|\)\{6\}\(.*\)/\2/'` " + # parse features we want to enable + features=$(echo "$i" | sed 's/[^ ]* \(.*\)/\1/') + while [ "${features:0:3}" = "-e " ]; do + # skip "-e " + features=${features:3} + # parse feature + feature=$(echo "$features" | sed 's/\([^[:space:]]*\).*/\1/') + + # enable feature if not already + sctl_feature=$(echo "$sctl_features" | grep " ${feature} ") + if [ -z "$sctl_feature" ]; then + # enable feature + ENABLE_FEATURE $name $feature + fi + + # next iteration, skip this feature + features=$(echo "$features" | sed 's/[^[:space:]]* \(.*\)/\1/') + done + done +} - sctl_revision=`echo "$SCTL_MODULE" | sed 's/[^|]*| \([^ ]*\).*/\1/'` - revision=`echo "$i" | sed 's/[^@]*@\([^\.]*\).*/\1/'` - if [ "$sctl_revision" \< "$revision" ]; then - # update module without any features - file=`echo "$i" | cut -d' ' -f 1` - UPDATE_MODULE "$file" - fi +# get current modules +SCTL_MODULES=`$SYSREPOCTL -l` - sctl_owner=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{3\} \([^:]*\).*/\2/'` - sctl_group=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{3\}[^:]*:\([^ ]*\).*/\2/'` - sctl_perms=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{4\} \([^ ]*\).*/\2/'` - if [ "$sctl_perms" != "$PERMS" ] || [ ! -z "${OWNER}" -a "$sctl_owner" != "$OWNER" ] || [ ! 
-z "${GROUP}" -a "$sctl_group" != "$GROUP" ]; then - # change permissions/owner - CHANGE_PERMS "$name" - fi +# the install command will be stored in this variable +CMD_INSTALL= - # parse sysrepoctl features and add extra space at the end for easier matching - sctl_features="`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{6\}\(.*\)/\2/'` " - # parse features we want to enable - features=`echo "$i" | sed 's/[^ ]* \(.*\)/\1/'` - while [ "${features:0:3}" = "-e " ]; do - # skip "-e " - features=${features:3} - # parse feature - feature=`echo "$features" | sed 's/\([^[:space:]]*\).*/\1/'` - - # enable feature if not already - sctl_feature=`echo "$sctl_features" | grep " ${feature} "` - if [ -z "$sctl_feature" ]; then - # enable feature - ENABLE_FEATURE $name $feature - fi +# setup the cmd for install, modules are listed in common.sh +SETUP_CMD "$NP2_MODDIR" "${NP2_MODULES[@]}" - # next iteration, skip this feature - features=`echo "$features" | sed 's/[^[:space:]]* \(.*\)/\1/'` - done -done +SETUP_CMD "$LN2_MODDIR" "${LN2_MODULES[@]}" # install all the new modules if [ ! -z "${CMD_INSTALL}" ]; then diff --git a/src/common.c b/src/common.c index edd2b5fa9..6e1ba1561 100644 --- a/src/common.c +++ b/src/common.c @@ -49,7 +49,7 @@ #include "log.h" #include "netconf_monitoring.h" -struct np2srv np2srv = {.unix_mode = -1, .unix_uid = -1, .unix_gid = -1, .pam_config_name = NULL, .pam_config_dir = NULL}; +struct np2srv np2srv = {0}; int np_ignore_rpc(sr_session_ctx_t *ev_sess, sr_event_t event, int *rc) @@ -384,7 +384,7 @@ np2srv_release_ctx_cb(void *cb_data) } int -np2srv_new_session_cb(const char *UNUSED(client_name), struct nc_session *new_session) +np2srv_new_session_cb(const char *UNUSED(client_name), struct nc_session *new_session, void *UNUSED(user_data)) { int c; sr_val_t *event_data; diff --git a/src/common.h b/src/common.h index cf7a5cfa6..622878269 100644 --- a/src/common.h +++ b/src/common.h 
@@ -69,14 +69,8 @@ struct np2srv { sr_subscription_ctx_t *sr_nacm_stats_sub; /**< sysrepo NACM global stats subscription context */ sr_subscription_ctx_t *sr_notif_sub; /**< sysrepo notification subscription context */ - const char *unix_path; /**< path to the UNIX socket to listen on, if any */ - mode_t unix_mode; /**< UNIX socket mode */ - uid_t unix_uid; /**< UNIX socket UID */ - gid_t unix_gid; /**< UNIX socket GID */ uint32_t sr_timeout; /**< timeout in ms for all sysrepo functions */ const char *ext_data_path; /**< path to the data file with data for LY ext data callback */ - const char *pam_config_name; /**< name of the PAM config file */ - const char *pam_config_dir; /**< path to the PAM config dir */ const char *server_dir; /**< path to server files (just confirmed commit for the moment) */ @@ -241,10 +235,11 @@ void np2srv_release_ctx_cb(void *cb_data); * * @param[in] client_name CH client name, unused. * @param[in] new_session Created NC session. + * @param[in] user_data Arbitrary data, unused. * @return 0 on success; * @return -1 on error. */ -int np2srv_new_session_cb(const char *client_name, struct nc_session *new_session); +int np2srv_new_session_cb(const char *client_name, struct nc_session *new_session, void *user_data); /** * @brief Set URL capability to be advertised for new NETCONF sessions. diff --git a/src/main.c b/src/main.c index 5e3221689..d56b2bf65 100644 --- a/src/main.c +++ b/src/main.c @@ -40,15 +40,6 @@ #include "err_netconf.h" #include "log.h" #include "netconf.h" -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) -# include "netconf_server.h" -#endif -#ifdef NC_ENABLED_SSH -# include "netconf_server_ssh.h" -#endif -#ifdef NC_ENABLED_TLS -# include "netconf_server_tls.h" -#endif #include "netconf_confirmed_commit.h" #include "netconf_monitoring.h" #include "netconf_nmda.h" 
@@ -189,7 +180,6 @@ np2srv_del_session_cb(struct nc_session *session) } free(event_data); } - /* stop monitoring and free NC session */ ncm_session_del(session); nc_session_free(session, NULL); @@ -608,6 +598,9 @@ server_init(void) /* set with-defaults capability basic-mode */ nc_server_set_capab_withdefaults(NC_WD_EXPLICIT, NC_WD_ALL | NC_WD_ALL_TAG | NC_WD_TRIM | NC_WD_EXPLICIT); + /* set ln2 call home call backs and data */ + nc_server_ch_set_dispatch_data(np2srv_acquire_ctx_cb, np2srv_release_ctx_cb, np2srv.sr_conn, np2srv_new_session_cb, NULL); + /* set capabilities for the NETCONF Notifications */ nc_server_set_capability("urn:ietf:params:netconf:capability:notification:1.0"); nc_server_set_capability("urn:ietf:params:netconf:capability:interleave:1.0"); @@ -620,38 +613,6 @@ server_init(void) /* set libnetconf2 global PRC callback */ nc_set_global_rpc_clb(np2srv_rpc_cb); -#ifdef NC_ENABLED_SSH - /* set libnetconf2 SSH callbacks */ - nc_server_ssh_set_hostkey_clb(np2srv_hostkey_cb, NULL, NULL); - nc_server_ssh_set_pubkey_auth_clb(np2srv_pubkey_auth_cb, NULL, NULL); - - /* configure netconf2 PAM module */ - if (np2srv.pam_config_name) { - nc_server_ssh_set_pam_conf_path(np2srv.pam_config_name, np2srv.pam_config_dir); - } -#endif - -#ifdef NC_ENABLED_TLS - /* set libnetconf2 TLS callbacks */ - nc_server_tls_set_server_cert_clb(np2srv_cert_cb, NULL, NULL); - nc_server_tls_set_trusted_cert_list_clb(np2srv_cert_list_cb, NULL, NULL); -#endif - - /* UNIX socket */ - if (np2srv.unix_path) { - if (nc_server_add_endpt("unix", NC_TI_UNIX)) { - goto error; - } - - if (nc_server_endpt_set_perms("unix", np2srv.unix_mode, np2srv.unix_uid, np2srv.unix_gid)) { - goto error; - } - - if (nc_server_endpt_set_address("unix", np2srv.unix_path)) { - goto error; - } - } - /* restore a previous confirmed commit if restore file exists */ ncc_try_restore(); 
@@ -670,9 +631,18 @@ server_destroy(void) { struct nc_session *sess; -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) +#ifdef NC_ENABLED_SSH_TLS + struct lyd_node *data = NULL, *node = NULL; + const struct ly_ctx *ly_ctx; + /* remove all CH clients so they do not reconnect */ - nc_server_ch_del_client(NULL); + ly_ctx = sr_acquire_context(np2srv.sr_conn); + lyd_new_path2(NULL, ly_ctx, "/ietf-netconf-server:netconf-server/call-home", NULL, 0, 0, 0, &data, &node); + lyd_new_meta(ly_ctx, data, NULL, "yang:operation", "none", 0, NULL); + lyd_new_meta(ly_ctx, node, NULL, "yang:operation", "delete", 0, NULL); + nc_server_config_setup_diff(data); + lyd_free_tree(data); + sr_release_context(np2srv.sr_conn); #endif /* close all open sessions */ @@ -696,11 +666,6 @@ server_destroy(void) /* libnetconf2 cleanup */ nc_server_destroy(); - /* UNIX socket can now be removed */ - if (np2srv.unix_path) { - unlink(np2srv.unix_path); - } - /* monitoring cleanup */ ncm_destroy(); 
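Review bot: None of `lyd_new_path2`, the two `lyd_new_meta` calls or `nc_server_config_setup_diff` have their return value checked in the new Call Home teardown, so a failed `lyd_new_path2` leaves `data` and `node` NULL and the following `lyd_new_meta` calls and the diff application run on NULL nodes, while a failed `nc_server_config_setup_diff` silently leaves the CH clients reconnecting, which is exactly what this code exists to prevent. The function continues to close sessions and destroy the server after this block, so a failure here should be logged rather than abort shutdown. `server_destroy` begins before this hunk.

```c
    ly_ctx = sr_acquire_context(np2srv.sr_conn);
    if (lyd_new_path2(NULL, ly_ctx, "/ietf-netconf-server:netconf-server/call-home", NULL, 0, 0, 0, &data, &node) ||
            lyd_new_meta(ly_ctx, data, NULL, "yang:operation", "none", 0, NULL) ||
            lyd_new_meta(ly_ctx, node, NULL, "yang:operation", "delete", 0, NULL)) {
        ERR("Failed to create the Call Home removal diff.");
    } else if (nc_server_config_setup_diff(data)) {
        ERR("Failed to remove the Call Home clients.");
    }
    lyd_free_tree(data);
    sr_release_context(np2srv.sr_conn);
    /* … unchanged: close all open sessions, nc_server_destroy(), ncm_destroy() … */
```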
@@ -717,17 +682,79 @@ server_destroy(void) sr_disconnect(np2srv.sr_conn); } -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) +static int +server_open_pidfile(const char *pidfile) +{ + int pidfd, len; + char pid[8]; + + /* make sure we are the only instance - lock the PID file and write the PID */ + pidfd = open(pidfile, O_RDWR | O_CREAT, 00644); + if (pidfd < 0) { + ERR("Unable to open the PID file \"%s\" (%s).", pidfile, strerror(errno)); + return -1; + } + + if (lockf(pidfd, F_TLOCK, 0) < 0) { + close(pidfd); + if ((errno == EACCES) || (errno == EAGAIN)) { + ERR("Another instance of the Netopeer2 server is running."); + } else { + ERR("Unable to lock the PID file \"%s\" (%s).", pidfile, strerror(errno)); + } + return -1; + } + + if (ftruncate(pidfd, 0)) { + ERR("Failed to truncate PID file (%s).", strerror(errno)); + close(pidfd); + return -1; + } + + len = snprintf(pid, sizeof(pid), "%d\n", getpid()); + if ((len < 0) || (write(pidfd, pid, len) < len)) { + ERR("Failed to write into PID file."); + close(pidfd); + return -1; + } + + close(pidfd); + return 0; +} +/** + * @brief Callback for handling netconf-server, ietf-keystore and ietf-truststore data changes. + * + * The diff is given to libnetconf2, which then handles the changes. + * + * @param session sysrepo session. + * @param[in] sub_id Subscription identifier. + * @param[in] module_name Module's name. + * @param[in] xpath XPath. + * @param[in] event Event. + * @param[in] request_id Request identifier. + * @param private_data Private data. + * + * @return SR_ERR_OK on success, on error any other value. 
+ */ static int -np2srv_dummy_cb(sr_session_ctx_t *UNUSED(session), uint32_t UNUSED(sub_id), const char *UNUSED(module_name), +np2srv_libnetconf2_config_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), const char *UNUSED(xpath), sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) { + int rc = 0; + const struct lyd_node *diff = NULL; + + /* get diff and apply it */ + diff = sr_get_change_diff(session); + rc = nc_server_config_setup_diff(diff); + if (rc) { + ERR("Configuring NETCONF server failed."); + return rc; + } + return SR_ERR_OK; } -#endif - /** * @brief Subscribe to all the handled RPCs of the server. * 
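Review bot: `server_open_pidfile` closes `pidfd` on the success path, and closing any descriptor for the file releases the `lockf` (POSIX record) lock, so the "only one instance" check only catches a second server that starts while this function is still running; keep the descriptor open for the server's lifetime, e.g. return it or store it in `np2srv` and close it in `server_destroy`. `np2srv_libnetconf2_config_cb` returns the raw `nc_server_config_setup_diff` result where sysrepo expects an `sr_error_t`; returning a sysrepo code such as `SR_ERR_CALLBACK_FAILED` and putting the ln2 code in the `ERR` message is the conventional form. The callback also ignores `event`; unless `SR_CONFIG_SUBSCR` (defined outside this diff) subscribes with `SR_SUBSCR_DONE_ONLY`, it will run for SR_EV_CHANGE and again for SR_EV_DONE and apply the same diff twice, and on SR_EV_ABORT apply a diff that was rolled back, so a `if (event != SR_EV_DONE) return SR_ERR_OK;` guard or a note on the subscription flags is needed.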
@@ -847,122 +874,11 @@ server_data_subscribe(void) SR_OPER_SUBSCR(mod_name, "/ietf-subscribed-notifications:subscriptions", np2srv_oper_sub_ntf_subscriptions_cb); /* - * ietf-netconf-server + * ietf-netconf-server, ietf-keystore and ietf-trustore handled by ln2 */ - mod_name = "ietf-netconf-server"; - -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) - xpath = "/ietf-netconf-server:netconf-server/listen/idle-timeout"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_idle_timeout_cb); -#endif - -#ifdef NC_ENABLED_SSH - /* subscribe for server SSH listen configuration changes */ - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/ssh"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_ssh_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/ssh/tcp-server-parameters"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tcp_params_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/server-identity/host-key/" - "public-key/keystore-reference"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_ssh_hostkey_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/client-authentication/" - "supported-authentication-methods"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_ssh_auth_methods_cb); - - /* subscribe for providing SSH operational data */ - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/client-authentication/users"; - SR_OPER_SUBSCR(mod_name, xpath, np2srv_endpt_ssh_auth_users_oper_cb); -#endif - -#ifdef NC_ENABLED_TLS - /* subscribe for server TLS listen configuration changes */ - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/tls"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tls_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/tls/tcp-server-parameters"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tcp_params_cb); - - xpath = 
"/ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/server-identity/keystore-reference"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tls_servercert_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/client-authentication"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tls_client_auth_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/client-authentication/cert-maps"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tls_client_ctn_cb); -#endif - -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) - /* subscribe for generic Call Home configuration changes */ - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/connection-type"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_connection_type_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/connection-type/periodic"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_periodic_params_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/reconnect-strategy"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_reconnect_strategy_cb); -#endif - -#ifdef NC_ENABLED_SSH - /* subscribe for server SSH Call Home configuration changes */ - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_ssh_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/tcp-client-parameters"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tcp_params_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/ssh-server-parameters/" - "server-identity/host-key/public-key/keystore-reference"; - SR_CONFIG_SUBSCR(mod_name, xpath, 
np2srv_ch_endpt_ssh_hostkey_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/ssh-server-parameters/" - "client-authentication/supported-authentication-methods"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_endpt_ssh_auth_methods_cb); -#endif - -#ifdef NC_ENABLED_TLS - /* subscribe for TLS Call Home configuration changes */ - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tls_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tcp-client-parameters"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tcp_params_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - "server-identity/keystore-reference"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tls_servercert_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - "client-authentication"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tls_client_auth_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - "client-authentication/cert-maps"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tls_client_ctn_cb); -#endif - -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) - /* - * ietf-keystore (just for in-use operational data) - */ - mod_name = "ietf-keystore"; - xpath = "/ietf-keystore:keystore/asymmetric-keys"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_dummy_cb); - - /* - * ietf-truststore (just for in-use operational data) - */ - mod_name = "ietf-truststore"; - xpath = "/ietf-truststore:truststore/certificates"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_dummy_cb); -#endif + SR_CONFIG_SUBSCR("ietf-netconf-server", NULL, 
np2srv_libnetconf2_config_cb); + SR_CONFIG_SUBSCR("ietf-keystore", NULL, np2srv_libnetconf2_config_cb); + SR_CONFIG_SUBSCR("ietf-truststore", NULL, np2srv_libnetconf2_config_cb); /* * ietf-netconf-acm @@ -1004,7 +920,7 @@ server_accept_session(void) /* accept session */ msgtype = nc_accept(0, ly_ctx, &ncs); - if ((msgtype == NC_MSG_HELLO) && !np2srv_new_session_cb(NULL, ncs)) { + if ((msgtype == NC_MSG_HELLO) && !np2srv_new_session_cb(NULL, ncs, NULL)) { /* callback success, keep the session with the context lock */ return; } @@ -1023,11 +939,13 @@ server_accept_session(void) static void * worker_thread(void *arg) { +#ifdef NC_ENABLED_SSH_TLS NC_MSG_TYPE msgtype; +#endif /* NC_ENABLED_SSH_TLS */ int rc, idx = *((int *)arg); struct nc_session *ncs; -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(np2_libssh_verbose_level); #endif @@ -1062,13 +980,13 @@ worker_thread(void *arg) np2srv_del_session_cb(ncs); sr_release_context(np2srv.sr_conn); } -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS else if (rc & NC_PSPOLL_SSH_CHANNEL) { /* a new SSH channel on existing session was created */ VRB("Session %d: thread %d event new SSH channel.", nc_session_get_id(ncs), idx); msgtype = nc_session_accept_ssh_channel(ncs, &ncs); if (msgtype == NC_MSG_HELLO) { - if (np2srv_new_session_cb(NULL, ncs)) { + if (np2srv_new_session_cb(NULL, ncs, NULL)) { nc_session_free(ncs, NULL); continue; } @@ -1083,9 +1001,6 @@ worker_thread(void *arg) } /* cleanup */ -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) - nc_thread_destroy(); -#endif free(arg); return NULL; } 
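Review bot: The three module-level subscriptions are not wrapped in `#ifdef NC_ENABLED_SSH_TLS` although every other libnetconf2 SSH/TLS call in this diff is, so in a build without SSH/TLS the callback still forwards every ietf-netconf-server, ietf-keystore and ietf-truststore change to `nc_server_config_setup_diff`; either guard the three `SR_CONFIG_SUBSCR` lines the same way or add a comment stating that ln2 accepts those diffs in that configuration. A single commit that adds a key to ietf-keystore and an endpoint in ietf-netconf-server referencing it is now delivered as separate per-module diffs; if sysrepo does not guarantee the callback order across modules, the netconf-server diff can arrive before the key it references exists, so subscribing with explicit priorities (keystore and truststore before netconf-server) is worth considering. The new comment also misspells the module as `ietf-trustore`.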
@@ -1125,7 +1040,7 @@ print_usage(char *progname) fprintf(stdout, " -c CATEGORY[,CATEGORY...]\n"); #ifndef NDEBUG fprintf(stdout, " Verbose debug level, print only these debug message categories.\n"); -# ifdef NC_ENABLED_SSH +# ifdef NC_ENABLED_SSH_TLS fprintf(stdout, " Categories: DICT, YANG, YIN, XPATH, DIFF, MSG, LN2DBG, SSH, SYSREPO\n"); # else fprintf(stdout, " Categories: DICT, YANG, YIN, XPATH, DIFF, MSG, LN2DBG, SYSREPO\n"); @@ -1142,12 +1057,8 @@ main(int argc, char *argv[]) int ret = EXIT_SUCCESS; int c, *idx, i; int daemonize = 1, verb = 0; - int pidfd; const char *pidfile = NP2SRV_PID_FILE_PATH; - char pid[8]; char *ptr; - struct passwd *pwd; - struct group *grp; struct sigaction action; sigset_t block_mask; @@ -1174,7 +1085,7 @@ main(int argc, char *argv[]) np2srv.server_dir = SERVER_DIR; /* process command line options */ - while ((c = getopt(argc, argv, "dFhVp:f:U::m:u:g:n:i:t:x:v:c:")) != -1) { + while ((c = getopt(argc, argv, "dFhVp:f:t:x:v:c:")) != -1) { switch (c) { case 'd': daemonize = 0; @@ -1212,7 +1123,7 @@ main(int argc, char *argv[]) } nc_verbosity(np2_verbose_level); -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(np2_libssh_verbose_level); #endif break; 
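Review bot: The option string drops `U::m:u:g:n:i:`, but nothing in this diff touches the `print_usage` lines that documented those options (only the debug-category line of `print_usage` is visible in the preceding hunk), so unless they were removed elsewhere, `-h` keeps advertising `-U`, `-m`, `-u`, `-g`, `-n` and `-i` while getopt now rejects them. This is also a behavioural change worth stating in the release notes: unit files or init scripts that pass `-U` or `-n` will fail to start after the upgrade, which is a loud failure and preferable to silently losing the UNIX-socket permissions or PAM configuration, but operators need to know where that configuration now lives, presumably the ietf-netconf-server datastore handled by libnetconf2 3.0.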
@@ -1225,44 +1136,6 @@ main(int argc, char *argv[]) case 'f': np2srv.server_dir = optarg; break; - case 'U': - np2srv.unix_path = optarg ? optarg : NP2SRV_UNIX_SOCK_PATH; - break; - case 'm': - np2srv.unix_mode = strtoul(optarg, &ptr, 8); - if (*ptr || (np2srv.unix_mode > 0777)) { - ERR("Invalid UNIX socket mode \"%s\".", optarg); - return EXIT_FAILURE; - } - break; - case 'u': - np2srv.unix_uid = strtoul(optarg, &ptr, 10); - if (*ptr) { - pwd = getpwnam(optarg); - if (!pwd) { - ERR("Invalid UNIX socket UID/user \"%s\".", optarg); - return EXIT_FAILURE; - } - np2srv.unix_uid = pwd->pw_uid; - } - break; - case 'g': - np2srv.unix_gid = strtoul(optarg, &ptr, 10); - if (*ptr) { - grp = getgrnam(optarg); - if (!grp) { - ERR("Invalid UNIX socket GID/group \"%s\".", optarg); - return EXIT_FAILURE; - } - np2srv.unix_gid = grp->gr_gid; - } - break; - case 'n': - np2srv.pam_config_name = optarg; - break; - case 'i': - np2srv.pam_config_dir = optarg; - break; case 't': np2srv.sr_timeout = strtoul(optarg, &ptr, 10); if (*ptr) { @@ -1295,11 +1168,11 @@ main(int argc, char *argv[]) } else if (!strcmp(ptr, "XPATH")) { verb |= LY_LDGXPATH; } else if (!strcmp(ptr, "MSG")) { - /* NETCONF messages - only lnc2 debug verbosity */ + /* NETCONF messages - only ln2 debug verbosity */ np2_verbose_level = NC_VERB_DEBUG; } else if (!strcmp(ptr, "LN2DBG")) { np2_verbose_level = NC_VERB_DEBUG_LOWLVL; -# ifdef NC_ENABLED_SSH +# ifdef NC_ENABLED_SSH_TLS } else if (!strcmp(ptr, "SSH")) { /* 2 should be always enough, 3 is too much useless info */ np2_libssh_verbose_level = 2; @@ -1313,7 +1186,7 @@ main(int argc, char *argv[]) } while ((ptr = strtok(NULL, ","))); /* set final verbosity */ nc_verbosity(np2_verbose_level); -# ifdef NC_ENABLED_SSH +# ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(np2_libssh_verbose_level); # endif if (verb) { 
@@ -1345,34 +1218,6 @@ main(int argc, char *argv[])
         np2_stderr_log = 0;
     }
 
-    /* make sure we are the only instance - lock the PID file and write the PID */
-    pidfd = open(pidfile, O_RDWR | O_CREAT, 00644);
-    if (pidfd < 0) {
-        ERR("Unable to open the PID file \"%s\" (%s).", pidfile, strerror(errno));
-        return EXIT_FAILURE;
-    }
-    if (lockf(pidfd, F_TLOCK, 0) < 0) {
-        close(pidfd);
-        if ((errno == EACCES) || (errno == EAGAIN)) {
-            ERR("Another instance of the Netopeer2 server is running.");
-        } else {
-            ERR("Unable to lock the PID file \"%s\" (%s).", pidfile, strerror(errno));
-        }
-        return EXIT_FAILURE;
-    }
-    if (ftruncate(pidfd, 0)) {
-        ERR("Failed to truncate PID file (%s).", strerror(errno));
-        close(pidfd);
-        return EXIT_FAILURE;
-    }
-    c = snprintf(pid, sizeof(pid), "%d\n", getpid());
-    if (write(pidfd, pid, c) < c) {
-        ERR("Failed to write into PID file.");
-        close(pidfd);
-        return EXIT_FAILURE;
-    }
-    close(pidfd);
-
     /* set printer callbacks for the used libraries and set proper log levels */
     nc_set_print_clb_session(np2log_cb_nc2); /* libnetconf2 */
     ly_set_log_clb(np2log_cb_ly, 1); /* libyang */
@@ -1394,6 +1239,12 @@ main(int argc, char *argv[])
         goto cleanup;
     }
 
+    /* open/create pidfile */
+    if (server_open_pidfile(pidfile)) {
+        ret = EXIT_FAILURE;
+        goto cleanup;
+    }
+
 #ifdef NP2SRV_HAVE_SYSTEMD
     /* notify systemd */
     sd_notify(0, "READY=1");
diff --git a/src/netconf_monitoring.c b/src/netconf_monitoring.c
index 467338b17..938f71787 100644
--- a/src/netconf_monitoring.c
+++ b/src/netconf_monitoring.c
@@ -66,11 +66,9 @@ static int
 ncm_is_monitored(struct nc_session *session)
 {
     switch (nc_session_get_ti(session)) {
-#ifdef NC_ENABLED_SSH
+#ifdef NC_ENABLED_SSH_TLS
     case NC_TI_LIBSSH:
         return 1;
-#endif
-#ifdef NC_ENABLED_TLS
     case NC_TI_OPENSSL:
         return 1;
 #endif
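Review bot: The single-instance lock now runs only after whatever initialization precedes the `goto cleanup` just above it, whereas on the removed side locking the PID file was the first thing done after daemonizing, before any library or server state was touched; a second instance started concurrently will therefore go through that initialization before `server_open_pidfile()` turns it away, and the failure now unwinds through `cleanup` instead of returning immediately. If the PID file is meant to guard shared resources, the call belongs before that setup; if the later placement is deliberate, a comment such as `/* single-instance lock; intentionally taken only after server init */` would record the reasoning for the next reader. `server_open_pidfile()` is defined outside this view, so whether it keeps the non-blocking `lockf(F_TLOCK)` check and the distinct "Another instance of the Netopeer2 server is running." diagnostic cannot be confirmed here. main's body starts and ends outside the hunk.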
@@ -278,6 +276,7 @@ np2srv_ncm_oper_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const cha
     char **cpblts;
     char *time_str, buf[11];
     uint32_t i;
+    struct timespec ts;
 
     /* context is locked while the callback is executed */
     conn = sr_session_get_connection(session);
@@ -333,12 +332,10 @@ np2srv_ncm_oper_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const cha
         lyd_new_list(cont, NULL, "session", 0, &list, buf);
 
         switch (nc_session_get_ti(stats.sessions[i])) {
-#ifdef NC_ENABLED_SSH
+#ifdef NC_ENABLED_SSH_TLS
         case NC_TI_LIBSSH:
             lyd_new_term(list, NULL, "transport", "netconf-ssh", 0, NULL);
             break;
-#endif
-#ifdef NC_ENABLED_TLS
         case NC_TI_OPENSSL:
             lyd_new_term(list, NULL, "transport", "netconf-tls", 0, NULL);
             break;
@@ -350,7 +347,8 @@ np2srv_ncm_oper_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const cha
         }
         lyd_new_term(list, NULL, "username", nc_session_get_username(stats.sessions[i]), 0, NULL);
         lyd_new_term(list, NULL, "source-host", nc_session_get_host(stats.sessions[i]), 0, NULL);
-        ly_time_time2str(nc_session_get_start_time(stats.sessions[i]), NULL, &time_str);
+        ts = nc_session_get_start_time(stats.sessions[i]);
+        ly_time_ts2str(&ts, &time_str);
         lyd_new_term(list, NULL, "login-time", time_str, 0, NULL);
         free(time_str);
 
diff --git a/src/netconf_server.c b/src/netconf_server.c
deleted file mode 100644
index baba9723e..000000000
--- a/src/netconf_server.c
+++ /dev/null
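Review bot: `ly_time_ts2str(&ts, &time_str)` has its return value discarded, and `time_str` is declared without an initializer in the first hunk (`char *time_str, buf[11];`), so a conversion failure leaves an indeterminate pointer that is then handed to `lyd_new_term()` and `free()`. The replaced `ly_time_time2str()` call had the same gap, but since the line is rewritten here it should be guarded: `if (!ly_time_ts2str(&ts, &time_str)) {` around the login-time `lyd_new_term()` and `free(time_str)`, or at minimum `time_str = NULL;` before the call so the `free()` is harmless. np2srv_ncm_oper_cb's body starts and ends outside the hunks.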
@@ -1,548 +0,0 @@ -/** - * @file netconf_server.c - * @author Michal Vasko - * @brief ietf-netconf-server callbacks - * - * @copyright - * Copyright (c) 2019 - 2021 Deutsche Telekom AG. - * Copyright (c) 2017 - 2021 CESNET, z.s.p.o. - * - * This source code is licensed under BSD 3-Clause License (the "License"). - * You may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://opensource.org/licenses/BSD-3-Clause - */ - -#define _GNU_SOURCE /* asprintf() */ - -#include "netconf_server.h" - -#include -#include -#include -#include - -#include -#include -#include - -#include "common.h" -#include "compat.h" -#include "log.h" - -int -np2srv_sr_get_privkey(const struct lyd_node *asym_key, char **privkey_data, NC_SSH_KEY_TYPE *privkey_type) -{ - struct lyd_node_term *alg = NULL; - struct lyd_node *node, *privkey = NULL; - - /* find the nodes */ - LY_LIST_FOR(lyd_child(asym_key), node) { - if (!strcmp(node->schema->name, "algorithm")) { - alg = (struct lyd_node_term *)node; - } else if (!strcmp(node->schema->name, "private-key")) { - privkey = node; - } - } - if (!alg || !privkey) { - ERR("Failed to find asymmetric key information."); - return -1; - } - - /* set algorithm */ - if (!strncmp(alg->value.ident->name, "rsa", 3)) { - *privkey_type = NC_SSH_KEY_RSA; - } else if (!strncmp(alg->value.ident->name, "secp", 4)) { - *privkey_type = NC_SSH_KEY_ECDSA; - } else { - ERR("Unknown private key algorithm \"%s\".", lyd_get_value(&alg->node)); - return -1; - } - - /* set data */ - *privkey_data = strdup(lyd_get_value(privkey)); - if (!*privkey_data) { - EMEM; - return -1; - } - - return 0; -} - -/* /ietf-netconf-server:netconf-server/listen/idle-timeout */ -int -np2srv_idle_timeout_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t 
op; - const struct lyd_node *node; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* ignore other operations */ - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - nc_server_set_idle_timeout(((struct lyd_node_term *)node)->value.uint16); - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -static int -np2srv_tcp_keepalives(const char *client_name, const char *endpt_name, sr_session_ctx_t *session, const char *xpath) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - int rc, idle_time = -1, max_probes = -1, probe_interval = -1; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - if (!strcmp(node->schema->name, "idle-time")) { - if (op == SR_OP_DELETED) { - idle_time = 1; - } else { - idle_time = ((struct lyd_node_term *)node)->value.uint16; - } - } else if (!strcmp(node->schema->name, "max-probes")) { - if (op == SR_OP_DELETED) { - max_probes = 10; - } else { - max_probes = ((struct lyd_node_term *)node)->value.uint16; - } - } else if (!strcmp(node->schema->name, "probe-interval")) { - if (op == SR_OP_DELETED) { - probe_interval = 5; - } else { - probe_interval = ((struct lyd_node_term *)node)->value.uint16; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - rc = 0; - - /* set new keepalive parameters */ - if (!client_name) { - if (nc_server_is_endpt(endpt_name)) { - rc = 
nc_server_endpt_set_keepalives(endpt_name, idle_time, max_probes, probe_interval); - } - } else { - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_ch_client_endpt_set_keepalives(client_name, endpt_name, idle_time, max_probes, probe_interval); - } - } - if (rc) { - ERR("Keepalives configuration failed (%d).", rc); - return SR_ERR_INTERNAL; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/ * /tcp-server-parameters */ -int -np2srv_endpt_tcp_params_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name; - char *xpath2; - int rc, failed = 0; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->child); - - if (!strcmp(node->schema->name, "local-address")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - if (nc_server_endpt_set_address(endpt_name, lyd_get_value(node))) { - failed = 1; - } - } - } else if (!strcmp(node->schema->name, "local-port")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - if (nc_server_endpt_set_port(endpt_name, ((struct lyd_node_term *)node)->value.uint16)) { - failed = 1; - } - } - } else if (!strcmp(node->schema->name, "keepalives")) { - if (op == SR_OP_CREATED) { - if (nc_server_endpt_enable_keepalives(endpt_name, 1)) { - failed = 1; - } - } else if (op == SR_OP_DELETED) { - if (nc_server_is_endpt(endpt_name)) { - if 
(nc_server_endpt_enable_keepalives(endpt_name, 0)) { - failed = 1; - } - } - } - - /* set specific parameters */ - if (asprintf(&xpath2, "%s/keepalives/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - if (np2srv_tcp_keepalives(NULL, endpt_name, session, xpath2)) { - failed = 1; - } - free(xpath2); - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return failed ? SR_ERR_CALLBACK_FAILED : SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client */ -int -np2srv_ch_client_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), const char *xpath, - sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *client_name; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get name */ - client_name = lyd_get_value(lyd_child(node)); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_ch_add_client(client_name); - if (!rc) { - rc = nc_connect_ch_client_dispatch(client_name, np2srv_acquire_ctx_cb, np2srv_release_ctx_cb, - np2srv.sr_conn, np2srv_new_session_cb); - } - } else if (op == SR_OP_DELETED) { - rc = nc_server_ch_del_client(client_name); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ * /tcp-client-parameters */ -int 
-np2srv_ch_client_endpt_tcp_params_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name, *client_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find names */ - endpt_name = lyd_get_value(node->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - - if (!strcmp(node->schema->name, "remote-address")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - if (nc_server_ch_client_endpt_set_address(client_name, endpt_name, lyd_get_value(node))) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } else if (!strcmp(node->schema->name, "remote-port")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - if (nc_server_ch_client_endpt_set_port(client_name, endpt_name, ((struct lyd_node_term *)node)->value.uint16)) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } else if (!strcmp(node->schema->name, "keepalives")) { - if (op == SR_OP_CREATED) { - rc = nc_server_ch_client_endpt_enable_keepalives(client_name, endpt_name, 1); - } else if (op == SR_OP_DELETED) { - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_ch_client_endpt_enable_keepalives(client_name, endpt_name, 0); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - - /* set specific parameters */ - if (asprintf(&xpath2, "%s/keepalives/*", xpath) == -1) { - EMEM; 
- return SR_ERR_NO_MEMORY; - } - rc = np2srv_tcp_keepalives(client_name, endpt_name, session, xpath2); - free(xpath2); - if (rc != SR_ERR_OK) { - sr_free_change_iter(iter); - return rc; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/connection-type */ -int -np2srv_ch_connection_type_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *client_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find names */ - client_name = lyd_get_value(node->parent->parent->child); - - /* connection type */ - if (op == SR_OP_CREATED) { - if (!strcmp(node->schema->name, "persistent")) { - if (nc_server_ch_client_set_conn_type(client_name, NC_CH_PERSIST)) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } else if (!strcmp(node->schema->name, "periodic")) { - if (nc_server_ch_client_set_conn_type(client_name, NC_CH_PERIOD)) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/connection-type/periodic */ -int -np2srv_ch_periodic_params_cb(sr_session_ctx_t 
*session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *client_name; - char *xpath2; - int rc; - time_t t; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find names */ - client_name = lyd_get_value(node->parent->parent->parent->child); - - if (!strcmp(node->schema->name, "period")) { - if (op == SR_OP_DELETED) { - if (nc_server_ch_is_client(client_name)) { - /* set default */ - rc = nc_server_ch_client_periodic_set_period(client_name, 60); - } - } else { - rc = nc_server_ch_client_periodic_set_period(client_name, ((struct lyd_node_term *)node)->value.uint16); - } - } else if (!strcmp(node->schema->name, "anchor-time")) { - if (op == SR_OP_DELETED) { - if (nc_server_ch_is_client(client_name)) { - /* set default */ - rc = nc_server_ch_client_periodic_set_anchor_time(client_name, 0); - } - } else { - ly_time_str2time(lyd_get_value(node), &t, NULL); - rc = nc_server_ch_client_periodic_set_anchor_time(client_name, t); - } - } else if (!strcmp(node->schema->name, "idle-timeout")) { - if (op == SR_OP_DELETED) { - if (nc_server_ch_is_client(client_name)) { - /* set default */ - rc = nc_server_ch_client_periodic_set_idle_timeout(client_name, 120); - } - } else { - rc = nc_server_ch_client_periodic_set_idle_timeout(client_name, - ((struct lyd_node_term *)node)->value.uint16); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed 
(%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/reconnect-strategy */ -int -np2srv_ch_reconnect_strategy_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *client_name, *str; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - client_name = lyd_get_value(node->parent->parent->child); - - if (!strcmp(node->schema->name, "start-with")) { - if (op == SR_OP_DELETED) { - if (nc_server_ch_is_client(client_name)) { - /* set default */ - rc = nc_server_ch_client_set_start_with(client_name, NC_CH_FIRST_LISTED); - } - } else { - str = lyd_get_value(node); - if (!strcmp(str, "first-listed")) { - rc = nc_server_ch_client_set_start_with(client_name, NC_CH_FIRST_LISTED); - } else if (!strcmp(str, "last-connected")) { - rc = nc_server_ch_client_set_start_with(client_name, NC_CH_LAST_CONNECTED); - } else if (!strcmp(str, "random-selection")) { - rc = nc_server_ch_client_set_start_with(client_name, NC_CH_RANDOM); - } - } - } else if (!strcmp(node->schema->name, "max-attempts")) { - if (op == SR_OP_DELETED) { - if (nc_server_ch_is_client(client_name)) { - /* set default */ - rc = nc_server_ch_client_set_max_attempts(client_name, 3); - } - } else { - rc = nc_server_ch_client_set_max_attempts(client_name, ((struct lyd_node_term *)node)->value.uint8); - } - } - - if (rc) { - sr_free_change_iter(iter); - return 
SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} diff --git a/src/netconf_server.h b/src/netconf_server.h deleted file mode 100644 index adc30cd5e..000000000 --- a/src/netconf_server.h +++ /dev/null 
@@ -1,46 +0,0 @@ -/** - * @file netconf_server.h - * @author Michal Vasko - * @brief ietf-netconf-server callbacks header - * - * @copyright - * Copyright (c) 2019 - 2021 Deutsche Telekom AG. - * Copyright (c) 2017 - 2021 CESNET, z.s.p.o. - * - * This source code is licensed under BSD 3-Clause License (the "License"). - * You may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://opensource.org/licenses/BSD-3-Clause - */ - -#ifndef NP2SRV_NETCONF_SERVER_H_ -#define NP2SRV_NETCONF_SERVER_H_ - -#include -#include - -int np2srv_sr_get_privkey(const struct lyd_node *asym_key, char **privkey_data, NC_SSH_KEY_TYPE *privkey_type); - -int np2srv_idle_timeout_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_endpt_tcp_params_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_client_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_client_endpt_tcp_params_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, - const char *xpath, sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_connection_type_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_periodic_params_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_reconnect_strategy_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, - const char *xpath, sr_event_t event, uint32_t request_id, void *private_data); - 
-#endif /* NP2SRV_NETCONF_SERVER_H_ */ diff --git a/src/netconf_server_ssh.c b/src/netconf_server_ssh.c deleted file mode 100644 index c571f5813..000000000 --- a/src/netconf_server_ssh.c +++ /dev/null 
@@ -1,678 +0,0 @@ -/** - * @file netconf_server_ssh.c - * @author Michal Vasko - * @brief ietf-netconf-server SSH callbacks - * - * @copyright - * Copyright (c) 2019 - 2021 Deutsche Telekom AG. - * Copyright (c) 2017 - 2021 CESNET, z.s.p.o. - * - * This source code is licensed under BSD 3-Clause License (the "License"). - * You may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://opensource.org/licenses/BSD-3-Clause - */ - -#define _GNU_SOURCE /* asprintf() */ -#define _DEFAULT_SOURCE /* getpwent() */ -#define _POSIX_C_SOURCE 200809L /* getline() */ - -#include "netconf_server_ssh.h" - -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -#include "common.h" -#include "compat.h" -#include "config.h" -#include "log.h" -#include "netconf_server.h" - -int -np2srv_hostkey_cb(const char *name, void *UNUSED(user_data), char **UNUSED(privkey_path), char **privkey_data, - NC_SSH_KEY_TYPE *privkey_type) -{ - sr_session_ctx_t *sr_sess; - char *xpath; - sr_data_t *data = NULL; - int r, rc = -1; - - r = sr_session_start(np2srv.sr_conn, SR_DS_RUNNING, &sr_sess); - if (r != SR_ERR_OK) { - return -1; - } - - /* get hostkey data from sysrepo */ - if (asprintf(&xpath, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='%s']", name) == -1) { - EMEM; - goto cleanup; - } - r = sr_get_subtree(sr_sess, xpath, 0, &data); - free(xpath); - if (r != SR_ERR_OK) { - goto cleanup; - } else if (!data) { - ERR("Hostkey \"%s\" not found.", name); - goto cleanup; - } - - /* parse private key values */ - if (np2srv_sr_get_privkey(data->tree, privkey_data, privkey_type)) { - goto cleanup; - } - - /* success */ - rc = 0; - -cleanup: - sr_release_data(data); - sr_session_stop(sr_sess); - return rc; -} - -static int -np2srv_validate_posix_username(const char *username) -{ - /* use POSIX username definition - * 
https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_437 */ - - /* not empty */ - if (strlen(username) == 0) { - return -1; - } - - /* no hyphen as first char */ - if (username[0] == '-') { - return -1; - } - - /* check for Portable Filename Character Set */ - for (unsigned long i = 0; i < strlen(username); i++) { - if (!(isalnum(username[i]) || (username[i] == '.') || (username[i] == '_') || (username[i] == '-'))) { - return -1; - } - } - - return 0; -} - -int -np2srv_pubkey_auth_cb(const struct nc_session *session, ssh_key key, void *UNUSED(user_data)) -{ - FILE *f = NULL; - struct passwd *pwd; - ssh_key pub_key = NULL; - enum ssh_keytypes_e ktype; - const char *username; - char *line = NULL, *ptr, *ptr2; - size_t n; - int r, ret = 1, line_num = 0; - - username = nc_session_get_username(session); - - errno = 0; - pwd = getpwnam(username); - - if (!NP2SRV_SSH_AUTHORIZED_KEYS_ARG_IS_USERNAME && !pwd) { - ERR("Failed to find user entry for \"%s\" (%s).", username, errno ? strerror(errno) : "User not found"); - goto cleanup; - } - - if (!pwd && np2srv_validate_posix_username(username)) { - ERR("The username \"%s\" is not a valid posix username.", username); - goto cleanup; - } - - /* check any authorized keys */ - r = asprintf(&line, NP2SRV_SSH_AUTHORIZED_KEYS_PATTERN, NP2SRV_SSH_AUTHORIZED_KEYS_ARG_IS_USERNAME ? 
username : pwd->pw_dir); - if (r == -1) { - EMEM; - line = NULL; - goto cleanup; - } - n = r; - - f = fopen(line, "r"); - if (!f) { - if (errno == ENOENT) { - VRB("User \"%s\" has no authorized_keys file.", username); - } else { - ERR("Failed to open \"%s\" authorized_keys file (%s).", line, strerror(errno)); - } - goto cleanup; - } - - while (getline(&line, &n, f) > -1) { - ++line_num; - - /* separate key type */ - ptr = line; - for (ptr2 = ptr; !isspace(ptr2[0]); ++ptr2) {} - if (ptr2[0] == '\0') { - WRN("Invalid authorized key format of \"%s\" (line %d).", username, line_num); - continue; - } - ptr2[0] = '\0'; - - /* detect key type */ - ktype = ssh_key_type_from_name(ptr); - if (ktype == SSH_KEYTYPE_UNKNOWN) { - WRN("Unknown key type \"%s\" (line %d).", ptr, line_num); - continue; - } - - /* separate key data */ - ptr = ptr2 + 1; - for (ptr2 = ptr; !isspace(ptr2[0]); ++ptr2) {} - ptr2[0] = '\0'; - - r = ssh_pki_import_pubkey_base64(ptr, ktype, &pub_key); - if (r != SSH_OK) { - WRN("Failed to import authorized key of \"%s\" (%s, line %d).", - username, r == SSH_EOF ? 
"Unexpected end-of-file" : "SSH error", line_num); - continue; - } - - /* compare public keys */ - if (!ssh_key_cmp(key, pub_key, SSH_KEY_CMP_PUBLIC)) { - /* key matches */ - ret = 0; - goto cleanup; - } - - /* not a match, next key */ - ssh_key_free(pub_key); - pub_key = NULL; - } - if (!feof(f)) { - WRN("Failed reading from authorized_keys file of \"%s\".", username); - goto cleanup; - } - - /* no match */ - -cleanup: - if (f) { - fclose(f); - } - free(line); - ssh_key_free(pub_key); - return ret; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/ssh */ -int -np2srv_endpt_ssh_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name; - int rc, failed = 0; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get name */ - endpt_name = lyd_get_value(node->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - if (nc_server_add_endpt(endpt_name, NC_TI_LIBSSH)) { - failed = 1; - } - /* turn off all auth methods by default */ - nc_server_ssh_endpt_set_auth_methods(endpt_name, 0); - } else if (op == SR_OP_DELETED) { - if (nc_server_del_endpt(endpt_name, NC_TI_LIBSSH)) { - failed = 1; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return failed ? 
SR_ERR_INTERNAL : SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/server-identity/host-key/public-key/ - * keystore-reference */ -int -np2srv_endpt_ssh_hostkey_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *prev_val, *endpt_name; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, &prev_val, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_ssh_endpt_add_hostkey(endpt_name, lyd_get_value(node), -1); - } else if (op == SR_OP_DELETED) { - if (nc_server_is_endpt(endpt_name)) { - rc = nc_server_ssh_endpt_del_hostkey(endpt_name, lyd_get_value(node), -1); - } - } else if (op == SR_OP_MOVED) { - rc = nc_server_ssh_endpt_mov_hostkey(endpt_name, lyd_get_value(node), prev_val); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -static int -np2srv_ssh_update_auth_method(const struct lyd_node *node, sr_change_oper_t op, int cur_auth) -{ - int auth; - - auth = cur_auth; - - if (!strcmp(node->schema->name, "publickey")) { - if (op == SR_OP_CREATED) { - auth |= NC_SSH_AUTH_PUBLICKEY; - } else if (op == SR_OP_DELETED) { - auth &= ~NC_SSH_AUTH_PUBLICKEY; - } - } else if (!strcmp(node->schema->name, "passsword")) { - if (op == SR_OP_CREATED) { - auth |= 
NC_SSH_AUTH_PASSWORD; - } else if (op == SR_OP_DELETED) { - auth &= ~NC_SSH_AUTH_PASSWORD; - } - } else if (!strcmp(node->schema->name, "hostbased") || !strcmp(node->schema->name, "none")) { - WRN("SSH authentication \"%s\" not supported.", node->schema->name); - } else if (!strcmp(node->schema->name, "other")) { - if (!strcmp(lyd_get_value(node), "interactive")) { - if (op == SR_OP_CREATED) { - auth |= NC_SSH_AUTH_INTERACTIVE; - } else if (op == SR_OP_DELETED) { - auth &= ~NC_SSH_AUTH_INTERACTIVE; - } - } else { - WRN("SSH authentication \"%s\" not supported.", lyd_get_value(node)); - } - } - - return auth; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/client-authentication/ - * supported-authentication-methods */ -int -np2srv_endpt_ssh_auth_methods_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name; - char *xpath2; - int rc, auth; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - - if ((op == SR_OP_DELETED) && !nc_server_is_endpt(endpt_name)) { - /* endpt deleted */ - continue; - } - - /* current methods */ - auth = nc_server_ssh_endpt_get_auth_methods(endpt_name); - - auth = np2srv_ssh_update_auth_method(node, op, auth); - - /* updated methods */ - if (nc_server_ssh_endpt_set_auth_methods(endpt_name, auth)) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - 
} - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -static int -np2srv_user_add_auth_key(const char *alg, size_t alg_len, const char *key, size_t key_len, struct lyd_node *user, - uint8_t *key_idx) -{ - char name[7], *str; - struct lyd_node *authkey; - - /* list with name */ - sprintf(name, "key%d", (*key_idx)++); - if (lyd_new_list(user, NULL, "authorized-key", 0, &authkey, name)) { - return -1; - } - - /* algorithm */ - str = strndup(alg, alg_len); - if (!str) { - EMEM; - return -1; - } - lyd_new_term(authkey, NULL, "algorithm", str, 0, NULL); - free(str); - - /* key-data */ - str = strndup(key, key_len); - if (!str) { - EMEM; - return -1; - } - lyd_new_term(authkey, NULL, "key-data", str, 0, NULL); - free(str); - - return 0; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/client-authentication/users */ -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/ssh-server-parameters/ - * client-authentication/users */ -int -np2srv_endpt_ssh_auth_users_oper_cb(sr_session_ctx_t *UNUSED(session), uint32_t UNUSED(sub_id), - const char *UNUSED(module_name), const char *UNUSED(path), const char *UNUSED(request_xpath), - uint32_t UNUSED(request_id), struct lyd_node **parent, void *UNUSED(private_data)) -{ - struct passwd *pwd; - struct lyd_node *users, *user; - char *path, *line = NULL, *ptr, *alg, *data; - size_t line_len = 0; - FILE *f = NULL; - int rc = SR_ERR_INTERNAL; - uint8_t key_idx; - - if (lyd_new_inner(*parent, NULL, "users", 0, &users)) { - return SR_ERR_INTERNAL; - } - - while ((pwd = getpwent())) { - /* create user with name */ - if (lyd_new_list(users, NULL, "user", 0, &user, pwd->pw_name)) { - return SR_ERR_INTERNAL; - } - - /* check any authorized keys */ - if (asprintf(&path, NP2SRV_SSH_AUTHORIZED_KEYS_PATTERN, NP2SRV_SSH_AUTHORIZED_KEYS_ARG_IS_USERNAME ? 
- pwd->pw_name : pwd->pw_dir) == -1) { - EMEM; - goto cleanup; - } - f = fopen(path, "r"); - if (!f) { - if ((errno != ENOENT) && (errno != ENOTDIR) && (errno != EACCES)) { - ERR("Opening \"%s\" authorized key file failed (%s).", path, strerror(errno)); - free(path); - goto cleanup; - } - - if (errno == EACCES) { - VRB("Skipping \"%s\" authorized key file (%s).", path, strerror(errno)); - } - - free(path); - continue; - } - free(path); - - /* create authorized keys */ - key_idx = 1; - while (getline(&line, &line_len, f) != -1) { - if ((line[0] == '\0') || (line[0] == '#')) { - continue; - } - - /* find algorithm */ - ptr = line; - while (strncmp(ptr, "ssh-dss", 7) && strncmp(ptr, "ssh-rsa", 7) && strncmp(ptr, "ecdsa", 5)) { - ptr = strchr(ptr, ' '); - if (!ptr) { - break; - } - ++ptr; - } - if (!ptr) { - /* unrecognized line */ - continue; - } - alg = ptr; - - /* find data */ - ptr = strchr(ptr, ' '); - if (!ptr) { - /* unrecognized line */ - continue; - } - - ++ptr; - data = ptr; - if (!(ptr = strchr(data, ' ')) && !(ptr = strchr(data, '\n'))) { - ptr = data + strlen(data); - } - - /* create new authorized key */ - if (np2srv_user_add_auth_key(alg, strchr(alg, ' ') - alg, data, ptr - data, user, &key_idx)) { - goto cleanup; - } - } - if (ferror(f)) { - ERR("Reading from an authorized keys file failed (%s).", strerror(errno)); - goto cleanup; - } - fclose(f); - f = NULL; - } - - /* success */ - rc = SR_ERR_OK; - -cleanup: - free(line); - if (f) { - fclose(f); - } - endpwent(); - return rc; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh */ -int -np2srv_ch_client_endpt_ssh_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name, *client_name; - int rc; - - rc = 
sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get names */ - endpt_name = lyd_get_value(node->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_ch_client_add_endpt(client_name, endpt_name, NC_TI_LIBSSH); - /* turn off all auth methods by default */ - nc_server_ssh_ch_client_endpt_set_auth_methods(client_name, endpt_name, 0); - } else if (op == SR_OP_DELETED) { - rc = nc_server_ch_client_del_endpt(client_name, endpt_name, NC_TI_LIBSSH); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/ssh-server-parameters/ - * server-identity/host-key/public-key/keystore-reference */ -int -np2srv_ch_endpt_ssh_hostkey_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *prev_val, *endpt_name, *client_name; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, &prev_val, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->child); - client_name = 
lyd_get_value(node->parent->parent->parent->parent->parent->parent->parent->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_ssh_ch_client_endpt_add_hostkey(client_name, endpt_name, lyd_get_value(node), -1); - } else if (op == SR_OP_DELETED) { - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_ssh_ch_client_endpt_del_hostkey(client_name, endpt_name, lyd_get_value(node), -1); - } - } else if (op == SR_OP_MOVED) { - rc = nc_server_ssh_ch_client_endpt_mov_hostkey(client_name, endpt_name, lyd_get_value(node), prev_val); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/ssh-server-parameters/ - * client-authentication/supported-authentication-methods */ -int -np2srv_ch_endpt_ssh_auth_methods_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name, *client_name; - char *xpath2; - int rc, auth; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find names */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->parent->child); - - if ((op == SR_OP_DELETED) && 
!nc_server_ch_client_is_endpt(client_name, endpt_name)) {
- continue;
- }
-
- /* current methods */
- auth = nc_server_ssh_ch_client_endpt_get_auth_methods(client_name, endpt_name);
-
- auth = np2srv_ssh_update_auth_method(node, op, auth);
-
- /* updated methods */
- if (nc_server_ssh_ch_client_endpt_set_auth_methods(client_name, endpt_name, auth)) {
- sr_free_change_iter(iter);
- return SR_ERR_INTERNAL;
- }
- }
- sr_free_change_iter(iter);
- if (rc != SR_ERR_NOT_FOUND) {
- ERR("Getting next change failed (%s).", sr_strerror(rc));
- return rc;
- }
-
- return SR_ERR_OK;
-}
diff --git a/src/netconf_server_ssh.h b/src/netconf_server_ssh.h
deleted file mode 100644
index 4ab60bce8..000000000
--- a/src/netconf_server_ssh.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/**
- * @file netconf_server_ssh.h
- * @author Michal Vasko
- * @brief ietf-netconf-server SSH callbacks header
- *
- * @copyright
- * Copyright (c) 2019 - 2021 Deutsche Telekom AG.
- * Copyright (c) 2017 - 2021 CESNET, z.s.p.o.
- *
- * This source code is licensed under BSD 3-Clause License (the "License").
- * You may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://opensource.org/licenses/BSD-3-Clause
- */
-
-#ifndef NP2SRV_NETCONF_SERVER_SSH_H_
-#define NP2SRV_NETCONF_SERVER_SSH_H_
-
-#include
-#include
-
-int np2srv_hostkey_cb(const char *name, void *user_data, char **privkey_path, char **privkey_data,
- NC_SSH_KEY_TYPE *privkey_type);
-
-int np2srv_pubkey_auth_cb(const struct nc_session *session, ssh_key key, void *user_data);
-
-int np2srv_endpt_ssh_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath,
- sr_event_t event, uint32_t request_id, void *private_data);
-
-int np2srv_endpt_ssh_hostkey_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath,
- sr_event_t event, uint32_t request_id, void *private_data);
-
-int np2srv_endpt_ssh_auth_methods_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name,
- const char *xpath, sr_event_t event, uint32_t request_id, void *private_data);
-
-int np2srv_endpt_ssh_auth_users_oper_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name,
- const char *path, const char *request_xpath, uint32_t request_id, struct lyd_node **parent, void *private_data);
-
-int np2srv_ch_client_endpt_ssh_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath,
- sr_event_t event, uint32_t request_id, void *private_data);
-
-int np2srv_ch_endpt_ssh_hostkey_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath,
- sr_event_t event, uint32_t request_id, void *private_data);
-
-int
np2srv_ch_endpt_ssh_auth_methods_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name,
- const char *xpath, sr_event_t event, uint32_t request_id, void *private_data);
-
-#endif /* NP2SRV_NETCONF_SERVER_SSH_H_ */
diff --git a/src/netconf_server_tls.c b/src/netconf_server_tls.c
deleted file mode 100644
index 52bf976bb..000000000
--- a/src/netconf_server_tls.c
+++ /dev/null
@@ -1,773 +0,0 @@ -/** - * @file netconf_server_ssh.c - * @author Michal Vasko - * @brief ietf-netconf-server SSH callbacks - * - * @copyright - * Copyright (c) 2019 - 2021 Deutsche Telekom AG. - * Copyright (c) 2017 - 2021 CESNET, z.s.p.o. - * - * This source code is licensed under BSD 3-Clause License (the "License"). - * You may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://opensource.org/licenses/BSD-3-Clause - */ - -#define _GNU_SOURCE /* asprintf() */ - -#include "netconf_server_tls.h" - -#include -#include -#include -#include - -#include -#include -#include - -#include "common.h" -#include "compat.h" -#include "log.h" -#include "netconf_server.h" - -int -np2srv_cert_cb(const char *name, void *UNUSED(user_data), char **UNUSED(cert_path), char **cert_data, - char **UNUSED(privkey_path), char **privkey_data, NC_SSH_KEY_TYPE *privkey_type) -{ - sr_session_ctx_t *sr_sess; - char *xpath; - sr_data_t *data = NULL; - int r, rc = -1; - - r = sr_session_start(np2srv.sr_conn, SR_DS_RUNNING, &sr_sess); - if (r != SR_ERR_OK) { - return -1; - } - - /* get private key data from sysrepo */ - if (asprintf(&xpath, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[certificates/certificate/name='%s']", - name) == -1) { - EMEM; - goto cleanup; - } - r = sr_get_subtree(sr_sess, xpath, 0, &data); - free(xpath); - if (r != SR_ERR_OK) { - goto cleanup; - } else if (!data) { - ERR("Server certificate \"%s\" not found.", name); - goto cleanup; - } - - /* parse private key values */ - if (np2srv_sr_get_privkey(data->tree, privkey_data, privkey_type)) { - goto cleanup; - } - - /* get cert data from sysrepo */ - if (asprintf(&xpath, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key/certificates/" - "certificate[name='%s']/cert", name) == -1) { - EMEM; - goto cleanup; - } - sr_release_data(data); - r = sr_get_subtree(sr_sess, xpath, 0, &data); - free(xpath); - if (r != SR_ERR_OK) { - goto cleanup; - } else 
if (!data) { - ERR("Server certificate \"%s\" not found.", name); - goto cleanup; - } - - /* set cert data */ - *cert_data = strdup(lyd_get_value(data->tree)); - if (!*cert_data) { - EMEM; - goto cleanup; - } - - /* success */ - rc = 0; - -cleanup: - sr_release_data(data); - sr_session_stop(sr_sess); - return rc; -} - -int -np2srv_cert_list_cb(const char *name, void *UNUSED(user_data), char ***UNUSED(cert_paths), int *UNUSED(cert_path_count), - char ***cert_data, int *cert_data_count) -{ - sr_session_ctx_t *sr_sess; - char *xpath; - sr_data_t *data = NULL; - struct ly_set *set = NULL; - int r, rc = -1; - uint32_t i, j; - - r = sr_session_start(np2srv.sr_conn, SR_DS_RUNNING, &sr_sess); - if (r != SR_ERR_OK) { - return -1; - } - - /* get cert list data from sysrepo */ - if (asprintf(&xpath, "/ietf-truststore:truststore/certificates[name='%s']", name) == -1) { - EMEM; - goto cleanup; - } - r = sr_get_subtree(sr_sess, xpath, 0, &data); - free(xpath); - if (r != SR_ERR_OK) { - goto cleanup; - } else if (!data) { - ERR("Certificate list \"%s\" not found.", name); - goto cleanup; - } - - /* find all certificates */ - if (lyd_find_xpath(data->tree, "certificate/cert", &set)) { - /* libyang error printed */ - goto cleanup; - } else if (!set->count) { - WRN("Certificate list \"%s\" does not define any actual certificates.", name); - rc = 0; - goto cleanup; - } - - *cert_data = malloc(set->count * sizeof **cert_data); - if (!*cert_data) { - EMEM; - goto cleanup; - } - - /* collect all cert data */ - for (i = 0; i < set->count; ++i) { - (*cert_data)[i] = strdup(lyd_get_value(set->dnodes[i])); - if (!(*cert_data)[i]) { - EMEM; - for (j = 0; j < i - 1; ++j) { - free((*cert_data)[i]); - } - free(*cert_data); - goto cleanup; - } - } - *cert_data_count = set->count; - - /* success */ - rc = 0; - -cleanup: - sr_release_data(data); - ly_set_free(set, NULL); - sr_session_stop(sr_sess); - return rc; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/tls */ -int 
-np2srv_endpt_tls_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get name */ - endpt_name = lyd_get_value(node->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_add_endpt(endpt_name, NC_TI_OPENSSL); - } else if (op == SR_OP_DELETED) { - rc = nc_server_del_endpt(endpt_name, NC_TI_OPENSSL); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/server-identity/keystore-reference */ -int -np2srv_endpt_tls_servercert_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = 
lyd_get_value(node->parent->parent->parent->parent->parent->child); - - /* we do not care about the "asymmetric-key", the certificate is enough */ - if (!strcmp(node->schema->name, "certificate")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - rc = nc_server_tls_endpt_set_server_cert(endpt_name, lyd_get_value(node)); - } else if (op == SR_OP_DELETED) { - if (nc_server_is_endpt(endpt_name)) { - rc = nc_server_tls_endpt_set_server_cert(endpt_name, NULL); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/client-authentication */ -int -np2srv_endpt_tls_client_auth_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *prev_val, *endpt_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, &prev_val, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->child); - - if (!strcmp(node->schema->name, "optional")) { - /* it is always required */ - ERR("TLS client authentication is always required."); - sr_free_change_iter(iter); - return SR_ERR_UNSUPPORTED; - } else if (!strcmp(node->schema->name, "ca-certs") || !strcmp(node->schema->name, "client-certs")) { - if (op == SR_OP_CREATED) { - rc = 
nc_server_tls_endpt_add_trusted_cert_list(endpt_name, lyd_get_value(node)); - } else if (op == SR_OP_DELETED) { - if (nc_server_is_endpt(endpt_name)) { - rc = nc_server_tls_endpt_del_trusted_cert_list(endpt_name, lyd_get_value(node)); - } - } else if (op == SR_OP_MODIFIED) { - nc_server_tls_endpt_del_trusted_cert_list(endpt_name, prev_val); - rc = nc_server_tls_endpt_add_trusted_cert_list(endpt_name, lyd_get_value(node)); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -static NC_TLS_CTN_MAPTYPE -np2srv_tls_ctn_str2map_type(const char *map_type) -{ - NC_TLS_CTN_MAPTYPE ret = 0; - - if (strncmp(map_type, "ietf-x509-cert-to-name:", 23)) { - return ret; - } - map_type += 23; - - if (!strcmp(map_type, "specified")) { - ret = NC_TLS_CTN_SPECIFIED; - } else if (!strcmp(map_type, "san-rfc822-name")) { - ret = NC_TLS_CTN_SAN_RFC822_NAME; - } else if (!strcmp(map_type, "san-dns-name")) { - ret = NC_TLS_CTN_SAN_DNS_NAME; - } else if (!strcmp(map_type, "san-ip-address")) { - ret = NC_TLS_CTN_SAN_IP_ADDRESS; - } else if (!strcmp(map_type, "san-any")) { - ret = NC_TLS_CTN_SAN_ANY; - } else if (!strcmp(map_type, "common-name")) { - ret = NC_TLS_CTN_COMMON_NAME; - } - - return ret; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/client-authentication/cert-maps */ -int -np2srv_endpt_tls_client_ctn_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node, *child; - const char *endpt_name; - char *fingerprint, *name, *xpath2; - int rc; - uint32_t id; - NC_TLS_CTN_MAPTYPE map_type; - - /* - * #1 create/delete of CTN entries - */ - if 
(asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - - /* collect all attributes */ - id = 0; - fingerprint = NULL; - map_type = 0; - name = NULL; - LY_LIST_FOR(lyd_child(node), child) { - if (!strcmp(child->schema->name, "id")) { - id = ((struct lyd_node_term *)child)->value.uint32; - } else if (!strcmp(child->schema->name, "fingerprint")) { - fingerprint = (char *)lyd_get_value(child); - } else if (!strcmp(child->schema->name, "map-type")) { - map_type = np2srv_tls_ctn_str2map_type(lyd_get_value(child)); - } else if (!strcmp(child->schema->name, "name")) { - name = (char *)lyd_get_value(child); - } - } - /* it was validated */ - assert(fingerprint && map_type); - - if (op == SR_OP_CREATED) { - rc = nc_server_tls_endpt_add_ctn(endpt_name, id, fingerprint, map_type, name); - } else { - assert(op == SR_OP_DELETED); - if (nc_server_is_endpt(endpt_name)) { - rc = nc_server_tls_endpt_del_ctn(endpt_name, id, fingerprint, map_type, name); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - /* - * #2 modification of existing CTN entries - */ - if (asprintf(&xpath2, "%s/cert-to-name/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == 
SR_ERR_OK) { - if ((op != SR_OP_MODIFIED) && strcmp(LYD_NAME(node), "name")) { - /* all leaves mandatory (but "name" has when) so handled in parent, must have the same operation */ - continue; - } - - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->child); - - /* get the current entry */ - lyd_find_sibling_val(node, lyd_first_sibling(node)->schema, NULL, 0, (struct lyd_node **)&child); - assert(child && !strcmp(LYD_NAME(child), "id")); - id = ((struct lyd_node_term *)child)->value.uint32; - fingerprint = NULL; - map_type = 0; - name = NULL; - nc_server_tls_endpt_get_ctn(endpt_name, &id, &fingerprint, &map_type, &name); - - /* update the leaf */ - if (!strcmp(node->schema->name, "fingerprint")) { - free(fingerprint); - fingerprint = strdup(lyd_get_value(node)); - } else if (!strcmp(node->schema->name, "map-type")) { - map_type = np2srv_tls_ctn_str2map_type(lyd_get_value(node)); - } else if (!strcmp(node->schema->name, "name")) { - free(name); - name = (op == SR_OP_DELETED) ? 
NULL : strdup(lyd_get_value(node)); - } - - /* update the CTN entry */ - nc_server_tls_endpt_del_ctn(endpt_name, id, NULL, 0, NULL); - rc = nc_server_tls_endpt_add_ctn(endpt_name, id, fingerprint, map_type, name); - free(fingerprint); - free(name); - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls */ -int -np2srv_ch_client_endpt_tls_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name, *client_name; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get names */ - endpt_name = lyd_get_value(node->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_ch_client_add_endpt(client_name, endpt_name, NC_TI_OPENSSL); - } else if (op == SR_OP_DELETED) { - if (nc_server_ch_is_client(client_name)) { - rc = nc_server_ch_client_del_endpt(client_name, endpt_name, NC_TI_OPENSSL); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - * 
server-identity/keystore-reference */ -int -np2srv_ch_client_endpt_tls_servercert_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), - const char *UNUSED(module_name), const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), - void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name, *client_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get names */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->parent->child); - - /* we do not care about the "asymmetric-key", the certificate is enough */ - if (!strcmp(node->schema->name, "certificate")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - rc = nc_server_tls_ch_client_endpt_set_server_cert(client_name, endpt_name, lyd_get_value(node)); - } else if (op == SR_OP_DELETED) { - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_tls_ch_client_endpt_set_server_cert(client_name, endpt_name, NULL); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - * client-authentication */ -int -np2srv_ch_client_endpt_tls_client_auth_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), - const char *UNUSED(module_name), const char 
*xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), - void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *prev_val, *endpt_name, *client_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, &prev_val, NULL, NULL)) == SR_ERR_OK) { - /* get names */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->child); - - if (!strcmp(node->schema->name, "optional")) { - /* it is always required */ - ERR("TLS client authentication is always required."); - sr_free_change_iter(iter); - return SR_ERR_UNSUPPORTED; - } else if (!strcmp(node->schema->name, "ca-certs") || !strcmp(node->schema->name, "client-certs")) { - if (op == SR_OP_CREATED) { - rc = nc_server_tls_ch_client_endpt_add_trusted_cert_list(client_name, endpt_name, lyd_get_value(node)); - } else if (op == SR_OP_DELETED) { - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_tls_ch_client_endpt_del_trusted_cert_list(client_name, endpt_name, lyd_get_value(node)); - } - } else if (op == SR_OP_MODIFIED) { - nc_server_tls_ch_client_endpt_del_trusted_cert_list(client_name, endpt_name, prev_val); - rc = nc_server_tls_ch_client_endpt_add_trusted_cert_list(client_name, endpt_name, lyd_get_value(node)); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* 
/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - * client-authentication/cert-maps */ -int -np2srv_ch_client_endpt_tls_client_ctn_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), - const char *UNUSED(module_name), const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), - void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node, *child; - const char *endpt_name, *client_name; - char *xpath2, *fingerprint, *name; - int rc; - uint32_t id; - NC_TLS_CTN_MAPTYPE map_type; - - /* - * #1 create/delete of CTN entries - */ - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get names */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->parent->child); - - /* collect all attributes */ - id = 0; - fingerprint = NULL; - map_type = 0; - name = NULL; - LY_LIST_FOR(lyd_child(node), child) { - if (!strcmp(child->schema->name, "id")) { - id = ((struct lyd_node_term *)child)->value.uint32; - } else if (!strcmp(child->schema->name, "fingerprint")) { - fingerprint = (char *)lyd_get_value(child); - } else if (!strcmp(child->schema->name, "map-type")) { - map_type = np2srv_tls_ctn_str2map_type(lyd_get_value(child)); - } else if (!strcmp(child->schema->name, "name")) { - name = (char *)lyd_get_value(child); - } - } - /* it was validated */ - assert(fingerprint && map_type); - - if (op == SR_OP_CREATED) { - rc = nc_server_tls_ch_client_endpt_add_ctn(client_name, endpt_name, id, fingerprint, map_type, name); - } else { - assert(op 
== SR_OP_DELETED); - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_tls_ch_client_endpt_del_ctn(client_name, endpt_name, id, fingerprint, map_type, name); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - /* - * #2 modification of existing CTN entries - */ - if (asprintf(&xpath2, "%s/cert-to-name/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - if ((op != SR_OP_MODIFIED) && strcmp(LYD_NAME(node), "name")) { - /* all leaves mandatory (but "name" has when) so handled in parent, must have the same operation */ - continue; - } - - /* get names */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->parent->parent->child); - - /* get the current entry */ - lyd_find_sibling_val(node, lyd_first_sibling(node)->schema, NULL, 0, (struct lyd_node **)&child); - assert(child && !strcmp(LYD_NAME(child), "id")); - id = ((struct lyd_node_term *)child)->value.uint32; - fingerprint = NULL; - map_type = 0; - name = NULL; - nc_server_tls_ch_client_endpt_get_ctn(client_name, endpt_name, &id, &fingerprint, &map_type, &name); - - /* update the leaf */ - if (!strcmp(node->schema->name, "fingerprint")) { - free(fingerprint); - fingerprint = strdup(lyd_get_value(node)); - } else if (!strcmp(node->schema->name, "map-type")) { - map_type = np2srv_tls_ctn_str2map_type(lyd_get_value(node)); - } else if (!strcmp(node->schema->name, "name")) { - free(name); - name = (op == SR_OP_DELETED) ? 
NULL : strdup(lyd_get_value(node));
- }
-
- /* update the CTN entry */
- nc_server_tls_ch_client_endpt_del_ctn(client_name, endpt_name, id, NULL, 0, NULL);
- rc = nc_server_tls_ch_client_endpt_add_ctn(client_name, endpt_name, id, fingerprint, map_type, name);
- free(fingerprint);
- free(name);
- if (rc) {
- sr_free_change_iter(iter);
- return SR_ERR_INTERNAL;
- }
- }
- sr_free_change_iter(iter);
- if (rc != SR_ERR_NOT_FOUND) {
- ERR("Getting next change failed (%s).", sr_strerror(rc));
- return rc;
- }
-
- return SR_ERR_OK;
-}
diff --git a/src/netconf_server_tls.h b/src/netconf_server_tls.h
deleted file mode 100644
index d502ec013..000000000
--- a/src/netconf_server_tls.h
+++ /dev/null
@@ -1,53 +0,0 @@ -/** - * @file netconf_server_tks.h - * @author Michal Vasko - * @brief ietf-netconf-server TLS callbacks header - * - * @copyright - * Copyright (c) 2019 - 2021 Deutsche Telekom AG. - * Copyright (c) 2017 - 2021 CESNET, z.s.p.o. - * - * This source code is licensed under BSD 3-Clause License (the "License"). - * You may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://opensource.org/licenses/BSD-3-Clause - */ - -#ifndef NP2SRV_NETCONF_SERVER_TLS_H_ -#define NP2SRV_NETCONF_SERVER_TLS_H_ - -#include -#include - -int np2srv_cert_cb(const char *name, void *user_data, char **cert_path, char **cert_data, char **privkey_path, - char **privkey_data, NC_SSH_KEY_TYPE *privkey_type); - -int np2srv_cert_list_cb(const char *name, void *user_data, char ***cert_paths, int *cert_path_count, char ***cert_data, - int *cert_data_count); - -int np2srv_endpt_tls_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_endpt_tls_servercert_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_endpt_tls_client_auth_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_endpt_tls_client_ctn_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_client_endpt_tls_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_client_endpt_tls_servercert_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, - const char *xpath, sr_event_t 
event, uint32_t request_id, void *private_data); - -int np2srv_ch_client_endpt_tls_client_auth_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, - const char *xpath, sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_client_endpt_tls_client_ctn_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, - const char *xpath, sr_event_t event, uint32_t request_id, void *private_data); - -#endif /* NP2SRV_NETCONF_SERVER_TLS_H_ */ diff --git a/tests/np_test.c b/tests/np_test.c index d8086e96a..c320b0127 100644 --- a/tests/np_test.c +++ b/tests/np_test.c @@ -54,15 +54,15 @@ parse_arg(int argc, char **argv) } static int -setup_server_socket_wait(const char *socket_path) +setup_server_file_exists_wait(const char *path) { /* max sleep 10s */ - const uint32_t sleep_count = 400; - const struct timespec ts = {.tv_sec = 0, .tv_nsec = 25000000}; + const uint32_t sleep_count = 200; + const struct timespec ts = {.tv_sec = 0, .tv_nsec = 50000000}; uint32_t count = 0; while (count < sleep_count) { - if (!access(socket_path, F_OK)) { + if (!access(path, F_OK)) { break; } @@ -135,7 +135,7 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) { struct np_test *st; pid_t pid; - char str[256], server_dir[256], sock_param[128], extdata_path[256]; + char str[256], server_dir[256], extdata_path[256], sock_path[256], pidfile_path[256]; int fd, pipefd[2], buf; if (!getcwd(str, 256)) { @@ -155,6 +155,10 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) SETUP_FAIL_LOG; return 1; } + if (setenv("LN2_MODULE_DIR", LN2_YANG_MODULE_DIR, 1)) { + SETUP_FAIL_LOG; + return 1; + } if (setenv("NP2_MODULE_PERMS", "600", 1)) { SETUP_FAIL_LOG; return 1; 
@@ -167,6 +171,10 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) SETUP_FAIL_LOG; return 1; } + if (unsetenv("LN2_MODULE_DIR")) { + SETUP_FAIL_LOG; + return 1; + } if (unsetenv("NP2_MODULE_PERMS")) { SETUP_FAIL_LOG; return 1; @@ -185,7 +193,7 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) } /* generate path to socket */ - sprintf(sock_param, "-U%s/%s/%s", NP_TEST_DIR, test_name, NP_SOCKET_FILE); + sprintf(sock_path, "%s/%s/%s", NP_TEST_DIR, test_name, NP_SOCKET_FILE); /* generate path to server-files */ sprintf(server_dir, "%s/%s", NP_TEST_DIR, test_name); @@ -193,6 +201,9 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) /* generate path to the schema-mount ext data */ sprintf(extdata_path, "%s/%s", NP_TEST_MODULE_DIR, NP_EXT_DATA_FILE); + /* generate path to the server's pidfile */ + sprintf(pidfile_path, "%s/%s/%s", NP_TEST_DIR, test_name, NP_PID_FILE); + /* fork and start the server */ if (!(pid = fork())) { /* open log file */ @@ -220,10 +231,8 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) close(fd); - /* exec server listening on a unix socket */ - sprintf(str, "-p%s/%s/%s", NP_TEST_DIR, test_name, NP_PID_FILE); - execl(NP_BINARY_DIR "/netopeer2-server", NP_BINARY_DIR "/netopeer2-server", "-d", "-v3", "-t10", str, sock_param, - "-m 600", "-f", server_dir, "-x", extdata_path, NULL); + /* exec the server */ + execl(NP_BINARY_DIR "/netopeer2-server", NP_BINARY_DIR "/netopeer2-server", "-d", "-v3", "-t10", "-p", pidfile_path, "-f", server_dir, "-x", extdata_path, NULL); child_error: printf("Child execution failed\n"); 
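Review bot: `sprintf(sock_path, "%s/%s/%s", NP_TEST_DIR, test_name, NP_SOCKET_FILE);` fills a 256-byte stack buffer with no length bound, and the new pidfile line in the next hunk (`@@ -193`) does the same; NP_TEST_DIR is a build-tree path and `test_name` comes from the caller, so a long build directory overflows silently rather than failing setup. `snprintf(sock_path, sizeof sock_path, ...)` followed by a check of the returned length against `sizeof sock_path` keeps the failure inside SETUP_FAIL_LOG where the other setup errors go. The pre-existing `server_dir` and `extdata_path` sprintf calls share the pattern, so this is a wider cleanup rather than a regression. The enclosing np_glob_setup_np2 starts before and continues past this hunk.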
@@ -241,8 +250,8 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) close(pipefd[0]); } - /* wait for the server, until it creates its socket */ - if (setup_server_socket_wait(sock_param + 2)) { + /* wait until the server creates a pidfile */ + if (setup_server_file_exists_wait(pidfile_path)) { SETUP_FAIL_LOG; return 1; } @@ -255,7 +264,7 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) } *state = st; st->server_pid = pid; - strncpy(st->socket_path, sock_param + 2, sizeof st->socket_path - 1); + strncpy(st->socket_path, sock_path, sizeof st->socket_path - 1); strncpy(st->test_name, test_name, sizeof st->test_name - 1); /* create connection and install modules */ @@ -268,18 +277,39 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) return 1; } - /* start session and acquire context */ + /* start session */ if (sr_session_start(st->conn, SR_DS_RUNNING, &st->sr_sess)) { SETUP_FAIL_LOG; return 1; } + + /* prepare UNIX socket data for server configuration in the data store */ + if (sr_set_item_str(st->sr_sess, "/ietf-netconf-server:netconf-server/listen/endpoint[name='unix']/libnetconf2-netconf-server:unix-socket/path", sock_path, NULL, 0) != SR_ERR_OK) { + SETUP_FAIL_LOG; + return 1; + } + if (sr_set_item_str(st->sr_sess, "/ietf-netconf-server:netconf-server/listen/endpoint[name='unix']/libnetconf2-netconf-server:unix-socket/mode", "600", NULL, 0) != SR_ERR_OK) { + SETUP_FAIL_LOG; + return 1; + } + + /* apply the configuration */ + if (sr_apply_changes(st->sr_sess, 0)) { + SETUP_FAIL_LOG; + return 1; + } + + /* acquire context */ if (!(st->ctx = sr_acquire_context(st->conn))) { SETUP_FAIL_LOG; return 1; } /* init LNC2 */ - nc_client_init(); + if (nc_client_init()) { + SETUP_FAIL_LOG; + return 1; + } nc_client_set_schema_searchpath(NP_TEST_MODULE_DIR); /* create NETCONF sessions */ 
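Review bot: Waiting on `setup_server_file_exists_wait(pidfile_path)` is satisfied by a pidfile left behind by an earlier run that died without cleanup, since the helper (hunk `@@ -54`) only tests `access(path, F_OK)`; in that case setup continues before the freshly forked server is up. The old socket wait had the same weakness, so this is not a regression, but the pidfile is the only readiness signal now and it is written by the server before the socket exists. Removing any stale file with `unlink(pidfile_path);` right after the sprintf that builds it (hunk `@@ -193`) would make the wait unambiguous; whether the per-test directory is recreated before each run is not visible here. np_glob_setup_np2 continues outside the hunk.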
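Review bot: A failure of `sr_apply_changes(st->sr_sess, 0)` is reported only through SETUP_FAIL_LOG, dropping the sysrepo error code, while the teardown hunk in this same file prints `sr_strerror(rc)`; storing the return value and printing it the same way would tell the reader whether the apply was rejected by the server's callback or failed locally. The two `sr_set_item_str` checks compare against `SR_ERR_OK` and the apply check uses bare truthiness three lines later; pick one form. The sequence also assumes the server has already subscribed to ietf-netconf-server when the apply runs, which the pidfile wait above presumably guarantees but nothing documents; a comment such as `/* the server must be subscribed to ietf-netconf-server by now, otherwise the endpoint is never picked up */` would record that. The literal `"600"` is the socket's file mode; `/* owner-only access to the test socket */` would save the reader a trip to the augment module. np_glob_setup_np2 continues outside the hunk.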
@@ -320,7 +350,7 @@ np_glob_teardown(void **state, const char **modules) /* uninstall modules */ if (modules && (rc = sr_remove_modules(st->conn, modules, 0))) { - printf("sr_remove_module() failed (%s)\n", sr_strerror(rc)); + printf("sr_remove_modules() failed (%s)\n", sr_strerror(rc)); ret = 1; } diff --git a/tests/np_test.h b/tests/np_test.h index a02a4b5eb..07fd06742 100644 --- a/tests/np_test.h +++ b/tests/np_test.h @@ -180,8 +180,8 @@ " \n" \ "\n" -#define ASSERT_EMPTY_CONFIG(state) \ - GET_CONFIG(state); \ +#define ASSERT_EMPTY_CONFIG_FILTER(state, filter) \ + GET_CONFIG_FILTER(state, filter); \ assert_string_equal(state->str, EMPTY_GETCONFIG); \ FREE_TEST_VARS(state); diff --git a/tests/np_test_config.h.in b/tests/np_test_config.h.in index 47985e790..b5dc4aa74 100644 --- a/tests/np_test_config.h.in +++ b/tests/np_test_config.h.in @@ -55,4 +55,7 @@ /** @brief diretory for server backup files for confirmed commit */ #define NCC_TEST_DIR NP2SRV_TEST_DIR "/confirmed_commit" +/** @brief directory for libnetconf2 YANG modules */ +#define LN2_YANG_MODULE_DIR "@LN2_YANG_MODULE_DIR@" + #endif /* _NP_TEST_CONFIG_H_ */ diff --git a/tests/test_candidate.c b/tests/test_candidate.c index e3608c7ee..d3d2e2aba 100644 --- a/tests/test_candidate.c +++ b/tests/test_candidate.c @@ -138,7 +138,7 @@ test_edit_basic(void **state) FREE_TEST_VARS(st); /* Check if it was merged */ - GET_DS_CONFIG(st, NC_DATASTORE_CANDIDATE); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit1:*"); expected = "\n" @@ -172,8 +172,8 @@ test_commit(void **state) SR_EDIT_SESSION(st, st->sr_sess2, data); - /* Check if running is empty */ - GET_DS_CONFIG(st, NC_DATASTORE_RUNNING); + /* Check if running of edit1 is empty */ + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_RUNNING, "/edit1:*"); expected = "\n" 
@@ -193,8 +193,8 @@ test_commit(void **state) FREE_TEST_VARS(st); - /* Check if running is now same as candidate */ - GET_DS_CONFIG(st, NC_DATASTORE_CANDIDATE); + /* Check if running is now same as candidate of edit1 */ + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit1:*"); expected = "\n" @@ -215,7 +215,7 @@ test_discard_changes(void **state) char *expected; /* check if Running is empty */ - GET_DS_CONFIG(st, NC_DATASTORE_RUNNING); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_RUNNING, "/edit1:*"); expected = "\n" " \n" @@ -250,7 +250,7 @@ test_discard_changes(void **state) FREE_TEST_VARS(st); /* check if Candidate is now empty too */ - GET_DS_CONFIG(st, NC_DATASTORE_CANDIDATE); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit1:*"); expected = "\n" " \n" @@ -462,7 +462,7 @@ test_discard_changes_advanced(void **state) const char *expected; /* Check if running has correct data */ - GET_DS_CONFIG(st, NC_DATASTORE_RUNNING); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_RUNNING, "/edit2:*"); expected = "\n" @@ -478,7 +478,7 @@ test_discard_changes_advanced(void **state) FREE_TEST_VARS(st); /* Check if candidate has correct dada */ - GET_DS_CONFIG(st, NC_DATASTORE_CANDIDATE); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit2:*"); expected = "\n" @@ -504,7 +504,7 @@ test_discard_changes_advanced(void **state) FREE_TEST_VARS(st); /* Check if candidate is now same as running */ - GET_DS_CONFIG(st, NC_DATASTORE_RUNNING); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_RUNNING, "/edit2:*"); expected = "\n" @@ -570,7 +570,7 @@ test_locked_discard_changes(void **state) FREE_TEST_VARS(st); /* check candidate */ - GET_DS_CONFIG(st, NC_DATASTORE_CANDIDATE); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit2:*"); data = "\n" " \n" diff --git a/tests/test_confirmed_commit.c b/tests/test_confirmed_commit.c index 3afe651a1..d379eef0c 100644 --- a/tests/test_confirmed_commit.c +++ b/tests/test_confirmed_commit.c 
@@ -125,8 +125,8 @@ test_sameas_commit(void **state) struct np_test *st = *state; const char *expected; - /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + /* Prior to the test running of edit1 should be empty */ + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*") /* Send a confirmed-commit rpc */ st->rpc = nc_rpc_commit(1, 0, NULL, NULL, NC_PARAMTYPE_CONST); @@ -138,7 +138,7 @@ test_sameas_commit(void **state) FREE_TEST_VARS(st); /* Running should now be same as candidate, same as basic commit */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -164,8 +164,8 @@ test_timeout_runout(void **state) struct np_test *st = *state; const char *expected; - /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + /* Prior to the test running of edit1 should be empty */ + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*") /* running lock RPC */ st->rpc = nc_rpc_lock(NC_DATASTORE_RUNNING); @@ -202,7 +202,7 @@ test_timeout_runout(void **state) sleep(2); /* Running should have reverted back to it's original value */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* running unlock RPC */ st->rpc = nc_rpc_unlock(NC_DATASTORE_RUNNING); @@ -221,7 +221,7 @@ test_timeout_confirm(void **state) const char *expected; /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* Send a confirmed-commit rpc with 1s timeout */ st->rpc = nc_rpc_commit(1, 1, NULL, NULL, NC_PARAMTYPE_CONST); @@ -233,7 +233,7 @@ test_timeout_confirm(void **state) FREE_TEST_VARS(st); /* Running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -255,7 +255,7 @@ test_timeout_confirm(void **state) sleep(2); /* Data should remain unchanged */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); assert_string_equal(st->str, expected); FREE_TEST_VARS(st); } 
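Review bot: `ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*")` in test_sameas_commit and again in test_timeout_runout (hunk `@@ -164`) lacks the trailing `;` that every other call site in this commit has; it only compiles because the macro's last statement, `FREE_TEST_VARS(state);`, carries its own semicolon. Add the semicolon at both sites so the macro reads as a statement like its siblings, i.e. `ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*");`. The macro itself is a bare multi-statement body (np_test.h hunk `@@ -180`), so it also cannot be used safely as the sole body of an unbraced `if`; whether the other macros in that header already follow the same pattern is outside this diff.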
@@ -268,7 +268,7 @@ test_timeout_confirm_modify(void **state) const char *data; /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* Send a confirmed-commit rpc with 1s timeout */ st->rpc = nc_rpc_commit(1, 1, NULL, NULL, NC_PARAMTYPE_CONST); @@ -280,7 +280,7 @@ test_timeout_confirm_modify(void **state) FREE_TEST_VARS(st); /* Running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -307,7 +307,7 @@ test_timeout_confirm_modify(void **state) sleep(2); /* Data should change */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -325,7 +325,7 @@ test_timeout_followup(void **state) const char *data, *expected; /* prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* send a confirmed-commit rpc with 60s timeout */ st->rpc = nc_rpc_commit(1, 60, NULL, NULL, NC_PARAMTYPE_CONST); @@ -347,7 +347,7 @@ test_timeout_followup(void **state) FREE_TEST_VARS(st); /* running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -361,7 +361,7 @@ test_timeout_followup(void **state) sleep(2); /* data should remain unchanged, empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static void @@ -371,7 +371,7 @@ test_cancel(void **state) const char *expected, *data; /* prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* send cancel-commit rpc, should fail as there is no commit */ st->rpc = nc_rpc_cancel(NULL, NC_PARAMTYPE_CONST); @@ -397,7 +397,7 @@ test_cancel(void **state) FREE_TEST_VARS(st); /* running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" 
@@ -417,7 +417,7 @@ test_cancel(void **state) FREE_TEST_VARS(st); /* running should now be back how it was */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -440,7 +440,7 @@ test_rollback_disconnect(void **state) const char *expected; /* prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* create a new session */ ncs = nc_connect_unix(st->socket_path, NULL); @@ -458,7 +458,7 @@ test_rollback_disconnect(void **state) FREE_TEST_VARS(st); /* running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -475,7 +475,7 @@ test_rollback_disconnect(void **state) usleep(100000); /* data should remain unchanged, empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static void @@ -485,7 +485,7 @@ test_rollback_locked(void **state) const char *expected; /* prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* running lock RPC */ st->rpc = nc_rpc_lock(NC_DATASTORE_RUNNING); @@ -502,7 +502,7 @@ test_rollback_locked(void **state) FREE_TEST_VARS(st); /* running should now be the same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -527,7 +527,7 @@ test_rollback_locked(void **state) FREE_TEST_VARS(st); /* data should remain unchanged, empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* running unlock RPC */ st->rpc = nc_rpc_unlock(NC_DATASTORE_RUNNING); @@ -544,7 +544,7 @@ test_confirm_persist(void **state) const char *expected, *persist = "test-persist-1"; /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* Send a confirmed-commit rpc with persist */ st->rpc = nc_rpc_commit(1, 0, persist, NULL, NC_PARAMTYPE_CONST); 
@@ -556,7 +556,7 @@ test_confirm_persist(void **state) FREE_TEST_VARS(st); /* Running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -576,7 +576,7 @@ test_confirm_persist(void **state) FREE_TEST_VARS(st); /* Data should remain unchanged */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); assert_string_equal(st->str, expected); FREE_TEST_VARS(st); } @@ -589,7 +589,7 @@ test_cancel_persist(void **state) struct nc_session *nc_sess; /* prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* start a new NC session */ nc_sess = nc_connect_unix(st->socket_path, NULL); @@ -605,7 +605,7 @@ test_cancel_persist(void **state) FREE_TEST_VARS(st); /* running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -628,7 +628,7 @@ test_cancel_persist(void **state) FREE_TEST_VARS(st); /* running should now be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static void @@ -739,7 +739,7 @@ test_failed_file(void **state) DIR *dir = NULL; /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* Send a confirmed-commit rpc with 1s timeout */ st->rpc = nc_rpc_commit(1, 1, NULL, NULL, NC_PARAMTYPE_CONST); diff --git a/tests/test_edit.c b/tests/test_edit.c index 3f2ad16da..1196d4585 100644 --- a/tests/test_edit.c +++ b/tests/test_edit.c @@ -175,7 +175,7 @@ test_delete_edit1(void **state) FREE_TEST_VARS(st); /* Check if the config was deleted */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static int @@ -209,7 +209,7 @@ test_delete_edit2(void **state) FREE_TEST_VARS(st); /* Check if the config was deleted */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit2:*"); } static int 
@@ -345,7 +345,7 @@ test_merge_partial(void **state) FREE_TEST_VARS(st); /* Check if merged successfully */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit2:*"); expected = "\n" " \n" @@ -387,7 +387,7 @@ test_merge_into_existing(void **state) FREE_TEST_VARS(st); /* Check if correctly merged */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit2:*"); expected = "\n" " \n" @@ -431,7 +431,7 @@ test_merge_overwrite(void **state) FREE_TEST_VARS(st); /* Check if config was correctly overwritten */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit2:*"); expected = "\n" " \n" @@ -476,7 +476,7 @@ test_replace(void **state) FREE_TEST_VARS(st); /* Check if replaced correctly */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit3:*"); expected = "\n" " \n" @@ -505,7 +505,7 @@ test_replace_create(void **state) FREE_TEST_VARS(st); /* Check if created correctly */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit3:*"); expected = "\n" " \n" @@ -533,7 +533,7 @@ test_create(void **state) FREE_TEST_VARS(st); /* Check if config config now contains edit1 */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -594,7 +594,7 @@ test_remove(void **state) SEND_EDIT_RPC(st, data); ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static void @@ -606,7 +606,7 @@ test_remove_empty(void **state) SEND_EDIT_RPC(st, data); ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static int @@ -650,7 +650,7 @@ test_ex1(void **state) ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/example1:*"); expected = "\n" " \n" @@ -724,7 +724,7 @@ test_ex2(void **state) ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/example2:*"); expected = "\n" " \n" 
@@ -765,7 +765,7 @@ test_autodel_case(void **state) FREE_TEST_VARS(st); /* check data */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit4:*"); assert_non_null(strstr(st->str, "l1")); assert_non_null(strstr(st->str, "l2")); FREE_TEST_VARS(st); @@ -780,7 +780,7 @@ test_autodel_case(void **state) FREE_TEST_VARS(st); /* check data */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit4:*"); assert_null(strstr(st->str, "l1")); assert_null(strstr(st->str, "l2")); assert_non_null(strstr(st->str, "c2")); @@ -798,7 +798,7 @@ test_autodel_case(void **state) FREE_TEST_VARS(st); /* check data */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit4:*"); assert_null(strstr(st->str, "c2")); assert_non_null(strstr(st->str, "l3")); FREE_TEST_VARS(st); @@ -814,7 +814,7 @@ test_autodel_case(void **state) FREE_TEST_VARS(st); /* check data */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit4:*"); assert_null(strstr(st->str, "l3")); assert_non_null(strstr(st->str, "l4")); assert_non_null(strstr(st->str, "l5")); diff --git a/tests/test_nacm.c b/tests/test_nacm.c index 9db5ea6e8..fe0b98bae 100644 --- a/tests/test_nacm.c +++ b/tests/test_nacm.c @@ -265,22 +265,6 @@ setup_test_get_config(void **state) return 0; } -static void -test_get_config(void **state) -{ - struct np_test *st = *state; - const char *expected; - - /* Since reading of this node is denied it should return empty config */ - GET_CONFIG(st); - expected = - "\n" - " \n" - "\n"; - assert_string_equal(st->str, expected); - FREE_TEST_VARS(st); -} - static void test_get_config_filter(void **state) { @@ -396,7 +380,7 @@ test_filter_key_list(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/nacm-test2:*"); expected = "\n" " \n" @@ -589,7 +573,7 @@ test_edit_config_update(void **state) ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" 
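Review bot: With test_get_config removed earlier in this file, no test in test_nacm.c still asserts that a <get-config> with no filter omits the node NACM denies; test_filter_key_list here and test_edit_config_update (hunk `@@ -589`) only cover explicit module filters. The deleted test presumably stopped passing because the server's own endpoint configuration now lives in the running datastore and makes the unfiltered reply non-empty, but the read-denial check itself is still valuable and can be kept by selecting the denied module, e.g. `GET_CONFIG_FILTER(st, "<denied-module>:*");` with the expected empty data reply, using whichever module setup_test_get_config denies. The setup function is outside the visible hunks.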
@@ -761,7 +745,7 @@ test_edit_config_when(void **state) SEND_EDIT_RPC(st, data); ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/nacm-test1:*"); expected = "\n \n\n"; assert_string_equal(st->str, expected); FREE_TEST_VARS(st); @@ -973,7 +957,7 @@ test_commit(void **state) ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/nacm-test1:*"); expected = "\n" " \n" @@ -1029,7 +1013,7 @@ test_discard_changes(void **state) ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, NULL); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit1:*"); expected = "\n" " \n" @@ -1102,9 +1086,6 @@ main(int argc, char **argv) cmocka_unit_test_setup_teardown(test_read_default_allow_path, setup_test_read_default_allow_path, teardown_common), - cmocka_unit_test_setup_teardown(test_get_config, - setup_test_get_config, - teardown_common), cmocka_unit_test_setup_teardown(test_get_config_filter, setup_test_get_config, teardown_common), @@ -1132,9 +1113,6 @@ main(int argc, char **argv) cmocka_unit_test_setup_teardown(test_read_default_allow_path, setup_test_read_default_allow_path, teardown_common), - cmocka_unit_test_setup_teardown(test_get_config, - setup_test_get_config, - teardown_common), cmocka_unit_test_setup_teardown(test_get_config_filter, setup_test_get_config, teardown_common), diff --git a/tests/test_rpc.c b/tests/test_rpc.c index da03f895b..1b6ac4e9c 100644 --- a/tests/test_rpc.c +++ b/tests/test_rpc.c @@ -376,7 +376,7 @@ test_getconfig(void **state) } /* get-config */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); assert_string_equal(st->str, "\n" " \n" diff --git a/tests/test_url.c b/tests/test_url.c index 873e428b7..5d6ec7ad3 100644 --- a/tests/test_url.c +++ b/tests/test_url.c @@ -159,7 +159,7 @@ test_copy_config(void **state) FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" 
@@ -288,6 +288,10 @@ test_copy_config_into_file(void **state) " \n" " \n" " \n" + " \n" + " 60\n" + " 0\n" + " \n" "\n"; assert_int_not_equal(-1, asprintf(&expected, template, np_get_user()) == -1); @@ -415,6 +419,10 @@ test_edit_config(void **state) " \n" " \n" " \n" + " \n" + " 60\n" + " 0\n" + " \n" " \n" "\n"; diff --git a/tests/test_with_defaults.c b/tests/test_with_defaults.c index 3aa191154..bc1084583 100644 --- a/tests/test_with_defaults.c +++ b/tests/test_with_defaults.c @@ -71,7 +71,7 @@ test_all_nothing_set(void **state) const char *expected; /* Send RPC trying to get all including default values */ - st->rpc = nc_rpc_getconfig(NC_DATASTORE_RUNNING, NULL, NC_WD_ALL, NC_PARAMTYPE_CONST); + st->rpc = nc_rpc_getconfig(NC_DATASTORE_RUNNING, "/defaults1:*", NC_WD_ALL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(NC_MSG_RPC, st->msgtype); st->msgtype = nc_recv_reply(st->nc_sess, st->rpc, st->msgid, 2000, &st->envp, &st->op); @@ -163,7 +163,7 @@ test_all_non_default_set(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_ALL); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_ALL, "/defaults1:*"); expected = "\n" @@ -186,7 +186,7 @@ test_all_tag_non_default_set(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_ALL_TAG); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_ALL_TAG, "/defaults1:*"); expected = "\n" @@ -210,7 +210,7 @@ test_trim_non_default_set(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_TRIM); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_TRIM, "/defaults1:*"); expected = "\n" @@ -232,7 +232,7 @@ test_explicit_non_default_set(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_TRIM); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_TRIM, "/defaults1:*"); expected = "\n" 
@@ -254,7 +254,7 @@ test_all_set_all(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_ALL); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_ALL, "/defaults1:*"); expected = "\n" @@ -277,7 +277,7 @@ test_all_tag_set_all(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_ALL_TAG); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_ALL_TAG, "/defaults1:*"); expected = "\n" @@ -300,7 +300,7 @@ test_trim_set_all(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_TRIM); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_TRIM, "/defaults1:*"); expected = "\n" @@ -323,7 +323,7 @@ test_explicit_all_set(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_EXPLICIT); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_EXPLICIT, "/defaults1:*"); expected = "\n" @@ -346,7 +346,7 @@ test_explicit_all_set_default(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_EXPLICIT); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_EXPLICIT, "/defaults1:*"); expected = "\n" diff --git a/tests/test_yang_push.c b/tests/test_yang_push.c index 2ed863263..89fa4d638 100644 --- a/tests/test_yang_push.c +++ b/tests/test_yang_push.c @@ -123,7 +123,7 @@ test_periodic_basic(void **state) char *ntf; /* establish periodic push */ - st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", NULL, NULL, NULL, 10, NULL, NC_PARAMTYPE_CONST); + st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", "/edit1:*", NULL, NULL, 10, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); ASSERT_OK_SUB_NTF(st); 
@@ -336,7 +336,7 @@ test_periodic_anchor_time(void **state) char *ntf; /* Establish periodic push with anchor-time */ - st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", NULL, NULL, NULL, 10, + st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", "/edit1:*", NULL, NULL, 10, "1970-01-01T01:00:00+01:00", NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); @@ -686,7 +686,7 @@ test_sync_on_start(void **state) char *ntf; /* Establish on-change push with sync on start */ - st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", NULL, NULL, NULL, 0, 1, + st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", "/edit1:*", NULL, NULL, 0, 1, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); @@ -728,7 +728,7 @@ test_sync_on_start_non_empty(void **state) char *ntf; /* Establish on-change push with sync on start */ - st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", NULL, NULL, NULL, 0, 1, + st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", "/edit1:*", NULL, NULL, 0, 1, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); @@ -758,7 +758,7 @@ test_resync(void **state) char *ntf; /* Establish on-change push */ - st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", NULL, NULL, NULL, 0, 0, + st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", "/edit1:*", NULL, NULL, 0, 0, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); 
@@ -796,7 +796,7 @@ test_resync_id_reset(void **state) char *ntf; /* Establish on-change push */ - st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", NULL, NULL, NULL, 0, 0, + st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", "/edit1:*", NULL, NULL, 0, 0, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); diff --git a/tests/test_yang_push_advanced.c b/tests/test_yang_push_advanced.c index d2f083865..8a8c46a23 100644 --- a/tests/test_yang_push_advanced.c +++ b/tests/test_yang_push_advanced.c @@ -317,7 +317,7 @@ test_periodic_modify_filter(void **state) char *ntf; /* Establish periodic push */ - st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", NULL, NULL, NULL, 25, NULL, NC_PARAMTYPE_CONST); + st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", "/edit2:*", NULL, NULL, 25, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); ASSERT_OK_SUB_NTF(st); @@ -367,7 +367,7 @@ test_periodic_modify_period(void **state) char *ntf; /* Establish periodic push */ - st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", NULL, NULL, NULL, 50, NULL, NC_PARAMTYPE_CONST); + st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", "/edit1:*", NULL, NULL, 50, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); ASSERT_OK_SUB_NTF(st); 
@@ -416,7 +416,7 @@ test_periodic_deletesub(void **state) char *ntf; /* Establish periodic push */ - st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", NULL, NULL, NULL, 50, NULL, NC_PARAMTYPE_CONST); + st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", "/edit1:*", NULL, NULL, 50, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); ASSERT_OK_SUB_NTF(st);