From 3ff50879a58316c7e37a7aa064fe3eaf1ade354b Mon Sep 17 00:00:00 2001 From: roman Date: Mon, 11 Sep 2023 15:03:44 +0200 Subject: [PATCH 01/23] main UPDATE use new libnetconf2 API The new libnetconf2 API can handle making changes to configuration by simply being given a diff. This means that (almost) all the callbacks and configuration API calls can be replaced by a single callback. Some command line opts are now redundant too. --- src/main.c | 319 ++++++++++++----------------------------------------- 1 file changed, 70 insertions(+), 249 deletions(-) diff --git a/src/main.c b/src/main.c index 5e322168..0e543d72 100644 --- a/src/main.c +++ b/src/main.c @@ -40,18 +40,10 @@ #include "err_netconf.h" #include "log.h" #include "netconf.h" -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) -# include "netconf_server.h" -#endif -#ifdef NC_ENABLED_SSH -# include "netconf_server_ssh.h" -#endif -#ifdef NC_ENABLED_TLS -# include "netconf_server_tls.h" -#endif #include "netconf_confirmed_commit.h" #include "netconf_monitoring.h" #include "netconf_nmda.h" +#include "netconf_server.h" #include "netconf_subscribed_notifications.h" #include "yang_push.h" @@ -189,7 +181,6 @@ np2srv_del_session_cb(struct nc_session *session) } free(event_data); } - /* stop monitoring and free NC session */ ncm_session_del(session); nc_session_free(session, NULL); 
@@ -620,38 +611,11 @@ server_init(void)
 /* set libnetconf2 global PRC callback */
 nc_set_global_rpc_clb(np2srv_rpc_cb);
 
-#ifdef NC_ENABLED_SSH
- /* set libnetconf2 SSH callbacks */
- nc_server_ssh_set_hostkey_clb(np2srv_hostkey_cb, NULL, NULL);
+#ifdef NC_ENABLED_SSH_TLS
+ /* set libnetconf2 SSH pubkey auth callback */
 nc_server_ssh_set_pubkey_auth_clb(np2srv_pubkey_auth_cb, NULL, NULL);
-
- /* configure netconf2 PAM module */
- if (np2srv.pam_config_name) {
- nc_server_ssh_set_pam_conf_path(np2srv.pam_config_name, np2srv.pam_config_dir);
- }
-#endif
-
-#ifdef NC_ENABLED_TLS
- /* set libnetconf2 TLS callbacks */
- nc_server_tls_set_server_cert_clb(np2srv_cert_cb, NULL, NULL);
- nc_server_tls_set_trusted_cert_list_clb(np2srv_cert_list_cb, NULL, NULL);
 #endif
 
- /* UNIX socket */
- if (np2srv.unix_path) {
- if (nc_server_add_endpt("unix", NC_TI_UNIX)) {
- goto error;
- }
-
- if (nc_server_endpt_set_perms("unix", np2srv.unix_mode, np2srv.unix_uid, np2srv.unix_gid)) {
- goto error;
- }
-
- if (nc_server_endpt_set_address("unix", np2srv.unix_path)) {
- goto error;
- }
- }
-
 /* restore a previous confirmed commit if restore file exists */
 ncc_try_restore();
 
@@ -670,9 +634,18 @@ server_destroy(void)
 {
 struct nc_session *sess;
 
-#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS)
+#ifdef NC_ENABLED_SSH_TLS
+ struct lyd_node *data = NULL, *node = NULL;
+ const struct ly_ctx *ly_ctx;
+
 /* remove all CH clients so they do not reconnect */
- nc_server_ch_del_client(NULL);
+ ly_ctx = sr_acquire_context(np2srv.sr_conn);
+ lyd_new_path2(NULL, ly_ctx, "/ietf-netconf-server:netconf-server/call-home", NULL, 0, 0, 0, &data, &node);
+ lyd_new_meta(ly_ctx, data, NULL, "yang:operation", "none", 0, NULL);
+ lyd_new_meta(ly_ctx, node, NULL, "yang:operation", "delete", 0, NULL);
+ nc_server_config_setup_diff(data);
+ lyd_free_tree(data);
+ sr_release_context(np2srv.sr_conn);
 #endif
 
 /* close all open sessions */
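Review bot: In the server_destroy hunk the return values of `lyd_new_path2()` and both `lyd_new_meta()` calls are ignored, so if building the call-home deletion diff fails, `nc_server_config_setup_diff()` is handed a NULL or partial tree and the Call Home clients are silently left configured to reconnect while the server shuts down; the result of `nc_server_config_setup_diff()` is dropped too, even though the config callback in patch 03 treats a non-zero return as an error. The calls should be chained with error checks and a message logged on failure, as below; server_destroy continues past the hunk.
```c
 ly_ctx = sr_acquire_context(np2srv.sr_conn);
 if (lyd_new_path2(NULL, ly_ctx, "/ietf-netconf-server:netconf-server/call-home", NULL, 0, 0, 0, &data, &node) ||
 lyd_new_meta(ly_ctx, data, NULL, "yang:operation", "none", 0, NULL) ||
 lyd_new_meta(ly_ctx, node, NULL, "yang:operation", "delete", 0, NULL)) {
 ERR("Failed to build the call-home removal diff.");
 } else if (nc_server_config_setup_diff(data)) {
 ERR("Failed to remove the Call Home clients.");
 }
 lyd_free_tree(data);
 sr_release_context(np2srv.sr_conn);
 /* … unchanged: session cleanup … */
```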
@@ -696,11 +669,6 @@ server_destroy(void)
 /* libnetconf2 cleanup */
 nc_server_destroy();
 
- /* UNIX socket can now be removed */
- if (np2srv.unix_path) {
- unlink(np2srv.unix_path);
- }
-
 /* monitoring cleanup */
 ncm_destroy();
 
@@ -717,16 +685,45 @@ server_destroy(void)
 sr_disconnect(np2srv.sr_conn);
 }
 
-#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS)
-
 static int
-np2srv_dummy_cb(sr_session_ctx_t *UNUSED(session), uint32_t UNUSED(sub_id), const char *UNUSED(module_name),
- const char *UNUSED(xpath), sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data))
+server_open_pidfile(const char *pidfile)
 {
- return SR_ERR_OK;
-}
+ int pidfd, len;
+ char pid[8];
 
-#endif
+ /* make sure we are the only instance - lock the PID file and write the PID */
+ pidfd = open(pidfile, O_RDWR | O_CREAT, 00644);
+ if (pidfd < 0) {
+ ERR("Unable to open the PID file \"%s\" (%s).", pidfile, strerror(errno));
+ return -1;
+ }
+
+ if (lockf(pidfd, F_TLOCK, 0) < 0) {
+ close(pidfd);
+ if ((errno == EACCES) || (errno == EAGAIN)) {
+ ERR("Another instance of the Netopeer2 server is running.");
+ } else {
+ ERR("Unable to lock the PID file \"%s\" (%s).", pidfile, strerror(errno));
+ }
+ return -1;
+ }
+
+ if (ftruncate(pidfd, 0)) {
+ ERR("Failed to truncate PID file (%s).", strerror(errno));
+ close(pidfd);
+ return -1;
+ }
+
+ len = snprintf(pid, sizeof(pid), "%d\n", getpid());
+ if ((len < 0) || (write(pidfd, pid, len) < len)) {
+ ERR("Failed to write into PID file.");
+ close(pidfd);
+ return -1;
+ }
+
+ close(pidfd);
+ return 0;
+}
 
 /**
  * @brief Subscribe to all the handled RPCs of the server.
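Review bot: `char pid[8]` in server_open_pidfile is too small once PIDs reach seven digits (Linux `pid_max` above 999999 is common on 64-bit systems): `"%d\n"` then needs 9 bytes, `snprintf` truncates and returns 8, and `write(pidfd, pid, 8)` writes the NUL terminator into the file and drops the newline. Enlarge the buffer and reject truncation explicitly: `char pid[32];` and `if ((len < 0) || ((size_t)len >= sizeof(pid)) || (write(pidfd, pid, len) < len))`. Separately, the final `close(pidfd)` releases the `lockf()` lock together with the descriptor, so the single-instance guarantee promised by the comment only lasts until the function returns; keeping the descriptor open (returning it, or storing it in `np2srv` and closing it at cleanup) would make the check effective for the process lifetime. That second point is inherited from the old main() code rather than introduced here, but the new function's signature is what now prevents keeping the descriptor.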
@@ -847,122 +844,11 @@ server_data_subscribe(void) SR_OPER_SUBSCR(mod_name, "/ietf-subscribed-notifications:subscriptions", np2srv_oper_sub_ntf_subscriptions_cb); /* - * ietf-netconf-server + * ietf-netconf-server, ietf-keystore and ietf-trustore handled by ln2 */ - mod_name = "ietf-netconf-server"; - -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) - xpath = "/ietf-netconf-server:netconf-server/listen/idle-timeout"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_idle_timeout_cb); -#endif - -#ifdef NC_ENABLED_SSH - /* subscribe for server SSH listen configuration changes */ - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/ssh"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_ssh_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/ssh/tcp-server-parameters"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tcp_params_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/server-identity/host-key/" - "public-key/keystore-reference"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_ssh_hostkey_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/client-authentication/" - "supported-authentication-methods"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_ssh_auth_methods_cb); - - /* subscribe for providing SSH operational data */ - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/client-authentication/users"; - SR_OPER_SUBSCR(mod_name, xpath, np2srv_endpt_ssh_auth_users_oper_cb); -#endif - -#ifdef NC_ENABLED_TLS - /* subscribe for server TLS listen configuration changes */ - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/tls"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tls_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/tls/tcp-server-parameters"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tcp_params_cb); - - xpath = 
"/ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/server-identity/keystore-reference"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tls_servercert_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/client-authentication"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tls_client_auth_cb); - - xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/client-authentication/cert-maps"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tls_client_ctn_cb); -#endif - -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) - /* subscribe for generic Call Home configuration changes */ - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/connection-type"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_connection_type_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/connection-type/periodic"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_periodic_params_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/reconnect-strategy"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_reconnect_strategy_cb); -#endif - -#ifdef NC_ENABLED_SSH - /* subscribe for server SSH Call Home configuration changes */ - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_ssh_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/tcp-client-parameters"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tcp_params_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/ssh-server-parameters/" - "server-identity/host-key/public-key/keystore-reference"; - SR_CONFIG_SUBSCR(mod_name, xpath, 
np2srv_ch_endpt_ssh_hostkey_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/ssh-server-parameters/" - "client-authentication/supported-authentication-methods"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_endpt_ssh_auth_methods_cb); -#endif - -#ifdef NC_ENABLED_TLS - /* subscribe for TLS Call Home configuration changes */ - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tls_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tcp-client-parameters"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tcp_params_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - "server-identity/keystore-reference"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tls_servercert_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - "client-authentication"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tls_client_auth_cb); - - xpath = "/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - "client-authentication/cert-maps"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_ch_client_endpt_tls_client_ctn_cb); -#endif - -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) - /* - * ietf-keystore (just for in-use operational data) - */ - mod_name = "ietf-keystore"; - xpath = "/ietf-keystore:keystore/asymmetric-keys"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_dummy_cb); - - /* - * ietf-truststore (just for in-use operational data) - */ - mod_name = "ietf-truststore"; - xpath = "/ietf-truststore:truststore/certificates"; - SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_dummy_cb); -#endif + SR_CONFIG_SUBSCR("ietf-netconf-server", NULL, 
np2srv_libnetconf2_config_cb); + SR_CONFIG_SUBSCR("ietf-keystore", NULL, np2srv_libnetconf2_config_cb); + SR_CONFIG_SUBSCR("ietf-truststore", NULL, np2srv_libnetconf2_config_cb); /* * ietf-netconf-acm @@ -1023,11 +909,13 @@ server_accept_session(void) static void * worker_thread(void *arg) { +#ifdef NC_ENABLED_SSH_TLS NC_MSG_TYPE msgtype; +#endif /* NC_ENABLED_SSH_TLS */ int rc, idx = *((int *)arg); struct nc_session *ncs; -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(np2_libssh_verbose_level); #endif @@ -1062,7 +950,7 @@ worker_thread(void *arg) np2srv_del_session_cb(ncs); sr_release_context(np2srv.sr_conn); } -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS else if (rc & NC_PSPOLL_SSH_CHANNEL) { /* a new SSH channel on existing session was created */ VRB("Session %d: thread %d event new SSH channel.", nc_session_get_id(ncs), idx); @@ -1083,9 +971,6 @@ worker_thread(void *arg) } /* cleanup */ -#if defined (NC_ENABLED_SSH) || defined (NC_ENABLED_TLS) - nc_thread_destroy(); -#endif free(arg); return NULL; } @@ -1125,7 +1010,7 @@ print_usage(char *progname) fprintf(stdout, " -c CATEGORY[,CATEGORY...]\n"); #ifndef NDEBUG fprintf(stdout, " Verbose debug level, print only these debug message categories.\n"); -# ifdef NC_ENABLED_SSH +# ifdef NC_ENABLED_SSH_TLS fprintf(stdout, " Categories: DICT, YANG, YIN, XPATH, DIFF, MSG, LN2DBG, SSH, SYSREPO\n"); # else fprintf(stdout, " Categories: DICT, YANG, YIN, XPATH, DIFF, MSG, LN2DBG, SYSREPO\n"); @@ -1142,12 +1027,8 @@ main(int argc, char *argv[]) int ret = EXIT_SUCCESS; int c, *idx, i; int daemonize = 1, verb = 0; - int pidfd; const char *pidfile = NP2SRV_PID_FILE_PATH; - char pid[8]; char *ptr; - struct passwd *pwd; - struct group *grp; struct sigaction action; sigset_t block_mask; 
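Review bot: The new comment in server_data_subscribe misspells the module name: `ietf-trustore` should read `ietf-truststore`, and spelling out the abbreviation helps a reader unfamiliar with the project, e.g. ` * ietf-netconf-server, ietf-keystore and ietf-truststore are handled by libnetconf2 (ln2) via np2srv_libnetconf2_config_cb`. The three subscriptions also lost the former `NC_ENABLED_SSH`/`NC_ENABLED_TLS` guard and are now registered in every build; that is fine as long as np2srv_libnetconf2_config_cb stays defined unconditionally, which patch 03 appears to do (it is placed before the `#ifdef NC_ENABLED_SSH_TLS` block in netconf_server.c), so a one-line comment noting that dependency would prevent someone re-adding the guard on only one side.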
@@ -1174,7 +1055,7 @@ main(int argc, char *argv[]) np2srv.server_dir = SERVER_DIR; /* process command line options */ - while ((c = getopt(argc, argv, "dFhVp:f:U::m:u:g:n:i:t:x:v:c:")) != -1) { + while ((c = getopt(argc, argv, "dFhVp:f:t:x:v:c:")) != -1) { switch (c) { case 'd': daemonize = 0; @@ -1212,7 +1093,7 @@ main(int argc, char *argv[]) } nc_verbosity(np2_verbose_level); -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(np2_libssh_verbose_level); #endif break; @@ -1225,44 +1106,6 @@ main(int argc, char *argv[]) case 'f': np2srv.server_dir = optarg; break; - case 'U': - np2srv.unix_path = optarg ? optarg : NP2SRV_UNIX_SOCK_PATH; - break; - case 'm': - np2srv.unix_mode = strtoul(optarg, &ptr, 8); - if (*ptr || (np2srv.unix_mode > 0777)) { - ERR("Invalid UNIX socket mode \"%s\".", optarg); - return EXIT_FAILURE; - } - break; - case 'u': - np2srv.unix_uid = strtoul(optarg, &ptr, 10); - if (*ptr) { - pwd = getpwnam(optarg); - if (!pwd) { - ERR("Invalid UNIX socket UID/user \"%s\".", optarg); - return EXIT_FAILURE; - } - np2srv.unix_uid = pwd->pw_uid; - } - break; - case 'g': - np2srv.unix_gid = strtoul(optarg, &ptr, 10); - if (*ptr) { - grp = getgrnam(optarg); - if (!grp) { - ERR("Invalid UNIX socket GID/group \"%s\".", optarg); - return EXIT_FAILURE; - } - np2srv.unix_gid = grp->gr_gid; - } - break; - case 'n': - np2srv.pam_config_name = optarg; - break; - case 'i': - np2srv.pam_config_dir = optarg; - break; case 't': np2srv.sr_timeout = strtoul(optarg, &ptr, 10); if (*ptr) { 
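Review bot: The `getopt` string drops `U::m:u:g:n:i:`, but the only change to print_usage in this patch is the debug-category line, so if its usage text still describes -U/-m/-u/-g/-n/-i (print_usage lies outside this hunk and is not fully visible here) it now documents options that getopt rejects with an error. The corresponding `fprintf(stdout, ...)` lines, and any man page or README text for those options, should be removed in the same commit so the help output matches the parser. The enclosing main() starts and ends outside the hunk.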
@@ -1295,11 +1138,11 @@ main(int argc, char *argv[]) } else if (!strcmp(ptr, "XPATH")) { verb |= LY_LDGXPATH; } else if (!strcmp(ptr, "MSG")) { - /* NETCONF messages - only lnc2 debug verbosity */ + /* NETCONF messages - only ln2 debug verbosity */ np2_verbose_level = NC_VERB_DEBUG; } else if (!strcmp(ptr, "LN2DBG")) { np2_verbose_level = NC_VERB_DEBUG_LOWLVL; -# ifdef NC_ENABLED_SSH +# ifdef NC_ENABLED_SSH_TLS } else if (!strcmp(ptr, "SSH")) { /* 2 should be always enough, 3 is too much useless info */ np2_libssh_verbose_level = 2; @@ -1313,7 +1156,7 @@ main(int argc, char *argv[]) } while ((ptr = strtok(NULL, ","))); /* set final verbosity */ nc_verbosity(np2_verbose_level); -# ifdef NC_ENABLED_SSH +# ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(np2_libssh_verbose_level); # endif if (verb) { @@ -1345,34 +1188,6 @@ main(int argc, char *argv[]) np2_stderr_log = 0; } - /* make sure we are the only instance - lock the PID file and write the PID */ - pidfd = open(pidfile, O_RDWR | O_CREAT, 00644); - if (pidfd < 0) { - ERR("Unable to open the PID file \"%s\" (%s).", pidfile, strerror(errno)); - return EXIT_FAILURE; - } - if (lockf(pidfd, F_TLOCK, 0) < 0) { - close(pidfd); - if ((errno == EACCES) || (errno == EAGAIN)) { - ERR("Another instance of the Netopeer2 server is running."); - } else { - ERR("Unable to lock the PID file \"%s\" (%s).", pidfile, strerror(errno)); - } - return EXIT_FAILURE; - } - if (ftruncate(pidfd, 0)) { - ERR("Failed to truncate PID file (%s).", strerror(errno)); - close(pidfd); - return EXIT_FAILURE; - } - c = snprintf(pid, sizeof(pid), "%d\n", getpid()); - if (write(pidfd, pid, c) < c) { - ERR("Failed to write into PID file."); - close(pidfd); - return EXIT_FAILURE; - } - close(pidfd); - /* set printer callbacks for the used libraries and set proper log levels */ nc_set_print_clb_session(np2log_cb_nc2); /* libnetconf2 */ ly_set_log_clb(np2log_cb_ly, 1); /* libyang */ 
@@ -1394,6 +1209,12 @@ main(int argc, char *argv[]) goto cleanup; } + /* open/create pidfile */ + if (server_open_pidfile(pidfile)) { + ret = EXIT_FAILURE; + goto cleanup; + } + #ifdef NP2SRV_HAVE_SYSTEMD /* notify systemd */ sd_notify(0, "READY=1"); From e0d20ad3e5eb74ab0f25724277945d187efed4fb Mon Sep 17 00:00:00 2001 From: roman Date: Mon, 11 Sep 2023 15:09:33 +0200 Subject: [PATCH 02/23] np2srv UPDATE remove unix and pam config --- src/common.c | 2 +- src/common.h | 6 ------ 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/src/common.c b/src/common.c index edd2b5fa..0ae12e46 100644 --- a/src/common.c +++ b/src/common.c @@ -49,7 +49,7 @@ #include "log.h" #include "netconf_monitoring.h" -struct np2srv np2srv = {.unix_mode = -1, .unix_uid = -1, .unix_gid = -1, .pam_config_name = NULL, .pam_config_dir = NULL}; +struct np2srv np2srv = {0}; int np_ignore_rpc(sr_session_ctx_t *ev_sess, sr_event_t event, int *rc) diff --git a/src/common.h b/src/common.h index cf7a5cfa..c00a4987 100644 --- a/src/common.h +++ b/src/common.h @@ -69,14 +69,8 @@ struct np2srv { sr_subscription_ctx_t *sr_nacm_stats_sub; /**< sysrepo NACM global stats subscription context */ sr_subscription_ctx_t *sr_notif_sub; /**< sysrepo notification subscription context */ - const char *unix_path; /**< path to the UNIX socket to listen on, if any */ - mode_t unix_mode; /**< UNIX socket mode */ - uid_t unix_uid; /**< UNIX socket UID */ - gid_t unix_gid; /**< UNIX socket GID */ uint32_t sr_timeout; /**< timeout in ms for all sysrepo functions */ const char *ext_data_path; /**< path to the data file with data for LY ext data callback */ - const char *pam_config_name; /**< name of the PAM config file */ - const char *pam_config_dir; /**< path to the PAM config dir */ const char *server_dir; /**< path to server files (just confirmed commit for the moment) */ From e68636acd58a9192289a16cd69b32d29c8ef9cc4 Mon Sep 17 00:00:00 2001 
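Review bot: `server_open_pidfile(pidfile)` is now called only after the preceding initialization step succeeds (the `goto cleanup` just above it belongs to code outside the hunk), whereas the removed main() code took the PID-file lock before any library setup. A second instance therefore now connects to sysrepo, registers its subscriptions and, if the new config callback applies the listen configuration on subscription, may try to bind the endpoints before it learns that another instance is running. Moving the call back to where the old lock code was, ahead of the logging and server setup, keeps the single-instance check first; if the later placement is deliberate (for example to reuse the common cleanup path), a comment such as `/* PID file is taken last so that a failed init never leaves a stale lock owner */` would record the reason. main() starts and ends outside the hunk.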
From: roman Date: Mon, 11 Sep 2023 15:11:25 +0200 Subject: [PATCH 03/23] server UPDATE replace all cbs with ln2 cb --- src/netconf_server.c | 569 ++++++---------------------- src/netconf_server.h | 37 +- src/netconf_server_ssh.c | 678 ---------------------------------- src/netconf_server_ssh.h | 49 --- src/netconf_server_tls.c | 773 --------------------------------------- src/netconf_server_tls.h | 53 --- 6 files changed, 123 insertions(+), 2036 deletions(-) delete mode 100644 src/netconf_server_ssh.c delete mode 100644 src/netconf_server_ssh.h delete mode 100644 src/netconf_server_tls.c delete mode 100644 src/netconf_server_tls.h diff --git a/src/netconf_server.c b/src/netconf_server.c index baba9723..91ba6761 100644 --- a/src/netconf_server.c +++ b/src/netconf_server.c @@ -19,6 +19,9 @@ #include "netconf_server.h" #include +#include +#include +#include #include #include #include 
@@ -32,517 +35,153 @@ #include "log.h" int -np2srv_sr_get_privkey(const struct lyd_node *asym_key, char **privkey_data, NC_SSH_KEY_TYPE *privkey_type) +np2srv_libnetconf2_config_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), + const char *UNUSED(xpath), sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) { - struct lyd_node_term *alg = NULL; - struct lyd_node *node, *privkey = NULL; + int rc = 0; + const struct lyd_node *diff = NULL; - /* find the nodes */ - LY_LIST_FOR(lyd_child(asym_key), node) { - if (!strcmp(node->schema->name, "algorithm")) { - alg = (struct lyd_node_term *)node; - } else if (!strcmp(node->schema->name, "private-key")) { - privkey = node; - } - } - if (!alg || !privkey) { - ERR("Failed to find asymmetric key information."); - return -1; - } - - /* set algorithm */ - if (!strncmp(alg->value.ident->name, "rsa", 3)) { - *privkey_type = NC_SSH_KEY_RSA; - } else if (!strncmp(alg->value.ident->name, "secp", 4)) { - *privkey_type = NC_SSH_KEY_ECDSA; - } else { - ERR("Unknown private key algorithm \"%s\".", lyd_get_value(&alg->node)); - return -1; - } - - /* set data */ - *privkey_data = strdup(lyd_get_value(privkey)); - if (!*privkey_data) { - EMEM; - return -1; - } - - return 0; -} - -/* /ietf-netconf-server:netconf-server/listen/idle-timeout */ -int -np2srv_idle_timeout_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* ignore other operations */ - if ((op == SR_OP_CREATED) || (op == 
SR_OP_MODIFIED)) { - nc_server_set_idle_timeout(((struct lyd_node_term *)node)->value.uint16); - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); + /* get diff and apply it */ + diff = sr_get_change_diff(session); + rc = nc_server_config_setup_diff(diff); + if (rc) { + ERR("Configuring NETCONF server failed."); return rc; } return SR_ERR_OK; } +#ifdef NC_ENABLED_SSH_TLS + static int -np2srv_tcp_keepalives(const char *client_name, const char *endpt_name, sr_session_ctx_t *session, const char *xpath) +np2srv_validate_posix_username(const char *username) { - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - int rc, idle_time = -1, max_probes = -1, probe_interval = -1; + /* use POSIX username definition + * https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_437 */ - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; + /* not empty */ + if (strlen(username) == 0) { + return -1; } - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - if (!strcmp(node->schema->name, "idle-time")) { - if (op == SR_OP_DELETED) { - idle_time = 1; - } else { - idle_time = ((struct lyd_node_term *)node)->value.uint16; - } - } else if (!strcmp(node->schema->name, "max-probes")) { - if (op == SR_OP_DELETED) { - max_probes = 10; - } else { - max_probes = ((struct lyd_node_term *)node)->value.uint16; - } - } else if (!strcmp(node->schema->name, "probe-interval")) { - if (op == SR_OP_DELETED) { - probe_interval = 5; - } else { - probe_interval = ((struct lyd_node_term *)node)->value.uint16; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; + /* no hyphen as first char */ + if (username[0] == '-') { + return -1; } - rc = 0; - - 
/* set new keepalive parameters */ - if (!client_name) { - if (nc_server_is_endpt(endpt_name)) { - rc = nc_server_endpt_set_keepalives(endpt_name, idle_time, max_probes, probe_interval); - } - } else { - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_ch_client_endpt_set_keepalives(client_name, endpt_name, idle_time, max_probes, probe_interval); + /* check for Portable Filename Character Set */ + for (unsigned long i = 0; i < strlen(username); i++) { + if (!(isalnum(username[i]) || (username[i] == '.') || (username[i] == '_') || (username[i] == '-'))) { + return -1; } } - if (rc) { - ERR("Keepalives configuration failed (%d).", rc); - return SR_ERR_INTERNAL; - } - return SR_ERR_OK; + return 0; } -/* /ietf-netconf-server:netconf-server/listen/endpoint/ * /tcp-server-parameters */ int -np2srv_endpt_tcp_params_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) +np2srv_pubkey_auth_cb(const struct nc_session *session, ssh_key key, void *UNUSED(user_data)) { - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name; - char *xpath2; - int rc, failed = 0; + FILE *f = NULL; + struct passwd *pwd; + ssh_key pub_key = NULL; + enum ssh_keytypes_e ktype; + const char *username; + char *line = NULL, *ptr, *ptr2; + size_t n; + int r, ret = 1, line_num = 0; - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } + username = nc_session_get_username(session); - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->child); + errno = 0; + pwd = 
getpwnam(username); - if (!strcmp(node->schema->name, "local-address")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - if (nc_server_endpt_set_address(endpt_name, lyd_get_value(node))) { - failed = 1; - } - } - } else if (!strcmp(node->schema->name, "local-port")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - if (nc_server_endpt_set_port(endpt_name, ((struct lyd_node_term *)node)->value.uint16)) { - failed = 1; - } - } - } else if (!strcmp(node->schema->name, "keepalives")) { - if (op == SR_OP_CREATED) { - if (nc_server_endpt_enable_keepalives(endpt_name, 1)) { - failed = 1; - } - } else if (op == SR_OP_DELETED) { - if (nc_server_is_endpt(endpt_name)) { - if (nc_server_endpt_enable_keepalives(endpt_name, 0)) { - failed = 1; - } - } - } - - /* set specific parameters */ - if (asprintf(&xpath2, "%s/keepalives/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - if (np2srv_tcp_keepalives(NULL, endpt_name, session, xpath2)) { - failed = 1; - } - free(xpath2); - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return failed ? SR_ERR_CALLBACK_FAILED : SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client */ -int -np2srv_ch_client_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), const char *xpath, - sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *client_name; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; + if (!NP2SRV_SSH_AUTHORIZED_KEYS_ARG_IS_USERNAME && !pwd) { + ERR("Failed to find user entry for \"%s\" (%s).", username, errno ? 
strerror(errno) : "User not found"); + goto cleanup; } - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get name */ - client_name = lyd_get_value(lyd_child(node)); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_ch_add_client(client_name); - if (!rc) { - rc = nc_connect_ch_client_dispatch(client_name, np2srv_acquire_ctx_cb, np2srv_release_ctx_cb, - np2srv.sr_conn, np2srv_new_session_cb); - } - } else if (op == SR_OP_DELETED) { - rc = nc_server_ch_del_client(client_name); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; + if (!pwd && np2srv_validate_posix_username(username)) { + ERR("The username \"%s\" is not a valid posix username.", username); + goto cleanup; } - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ * /tcp-client-parameters */ -int -np2srv_ch_client_endpt_tcp_params_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name, *client_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { + /* check any authorized keys */ + r = asprintf(&line, NP2SRV_SSH_AUTHORIZED_KEYS_PATTERN, NP2SRV_SSH_AUTHORIZED_KEYS_ARG_IS_USERNAME ? 
username : pwd->pw_dir); + if (r == -1) { EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; + line = NULL; + goto cleanup; } + n = r; - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find names */ - endpt_name = lyd_get_value(node->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - - if (!strcmp(node->schema->name, "remote-address")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - if (nc_server_ch_client_endpt_set_address(client_name, endpt_name, lyd_get_value(node))) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } else if (!strcmp(node->schema->name, "remote-port")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - if (nc_server_ch_client_endpt_set_port(client_name, endpt_name, ((struct lyd_node_term *)node)->value.uint16)) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } else if (!strcmp(node->schema->name, "keepalives")) { - if (op == SR_OP_CREATED) { - rc = nc_server_ch_client_endpt_enable_keepalives(client_name, endpt_name, 1); - } else if (op == SR_OP_DELETED) { - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_ch_client_endpt_enable_keepalives(client_name, endpt_name, 0); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - - /* set specific parameters */ - if (asprintf(&xpath2, "%s/keepalives/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = np2srv_tcp_keepalives(client_name, endpt_name, session, xpath2); - free(xpath2); - if (rc != SR_ERR_OK) { - sr_free_change_iter(iter); - return rc; - } + f = fopen(line, "r"); + if (!f) { + if (errno == ENOENT) { + VRB("User \"%s\" has no authorized_keys file.", username); + } else { + ERR("Failed to open 
\"%s\" authorized_keys file (%s).", line, strerror(errno)); } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; + goto cleanup; } - return SR_ERR_OK; -} + while (getline(&line, &n, f) > -1) { + ++line_num; -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/connection-type */ -int -np2srv_ch_connection_type_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *client_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find names */ - client_name = lyd_get_value(node->parent->parent->child); - - /* connection type */ - if (op == SR_OP_CREATED) { - if (!strcmp(node->schema->name, "persistent")) { - if (nc_server_ch_client_set_conn_type(client_name, NC_CH_PERSIST)) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } else if (!strcmp(node->schema->name, "periodic")) { - if (nc_server_ch_client_set_conn_type(client_name, NC_CH_PERIOD)) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } + /* separate key type */ + ptr = line; + for (ptr2 = ptr; !isspace(ptr2[0]); ++ptr2) {} + if (ptr2[0] == '\0') { + WRN("Invalid authorized key format of \"%s\" (line %d).", username, line_num); + continue; } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} + ptr2[0] = '\0'; 
-/* /ietf-netconf-server:netconf-server/call-home/netconf-client/connection-type/periodic */ -int -np2srv_ch_periodic_params_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *client_name; - char *xpath2; - int rc; - time_t t; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } + /* detect key type */ + ktype = ssh_key_type_from_name(ptr); + if (ktype == SSH_KEYTYPE_UNKNOWN) { + WRN("Unknown key type \"%s\" (line %d).", ptr, line_num); + continue; + } - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find names */ - client_name = lyd_get_value(node->parent->parent->parent->child); + /* separate key data */ + ptr = ptr2 + 1; + for (ptr2 = ptr; !isspace(ptr2[0]); ++ptr2) {} + ptr2[0] = '\0'; - if (!strcmp(node->schema->name, "period")) { - if (op == SR_OP_DELETED) { - if (nc_server_ch_is_client(client_name)) { - /* set default */ - rc = nc_server_ch_client_periodic_set_period(client_name, 60); - } - } else { - rc = nc_server_ch_client_periodic_set_period(client_name, ((struct lyd_node_term *)node)->value.uint16); - } - } else if (!strcmp(node->schema->name, "anchor-time")) { - if (op == SR_OP_DELETED) { - if (nc_server_ch_is_client(client_name)) { - /* set default */ - rc = nc_server_ch_client_periodic_set_anchor_time(client_name, 0); - } - } else { - ly_time_str2time(lyd_get_value(node), &t, NULL); - rc = nc_server_ch_client_periodic_set_anchor_time(client_name, t); - } - } else if (!strcmp(node->schema->name, "idle-timeout")) { - if (op == SR_OP_DELETED) { - if 
(nc_server_ch_is_client(client_name)) { - /* set default */ - rc = nc_server_ch_client_periodic_set_idle_timeout(client_name, 120); - } - } else { - rc = nc_server_ch_client_periodic_set_idle_timeout(client_name, - ((struct lyd_node_term *)node)->value.uint16); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; + r = ssh_pki_import_pubkey_base64(ptr, ktype, &pub_key); + if (r != SSH_OK) { + WRN("Failed to import authorized key of \"%s\" (%s, line %d).", + username, r == SSH_EOF ? "Unexpected end-of-file" : "SSH error", line_num); + continue; } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/reconnect-strategy */ -int -np2srv_ch_reconnect_strategy_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *client_name, *str; - char *xpath2; - int rc; + /* compare public keys */ + if (!ssh_key_cmp(key, pub_key, SSH_KEY_CMP_PUBLIC)) { + /* key matches */ + ret = 0; + goto cleanup; + } - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; + /* not a match, next key */ + ssh_key_free(pub_key); + pub_key = NULL; } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; + if (!feof(f)) { + WRN("Failed reading from authorized_keys file of \"%s\".", username); + goto cleanup; } - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - client_name = lyd_get_value(node->parent->parent->child); - - if (!strcmp(node->schema->name, "start-with")) { - 
if (op == SR_OP_DELETED) { - if (nc_server_ch_is_client(client_name)) { - /* set default */ - rc = nc_server_ch_client_set_start_with(client_name, NC_CH_FIRST_LISTED); - } - } else { - str = lyd_get_value(node); - if (!strcmp(str, "first-listed")) { - rc = nc_server_ch_client_set_start_with(client_name, NC_CH_FIRST_LISTED); - } else if (!strcmp(str, "last-connected")) { - rc = nc_server_ch_client_set_start_with(client_name, NC_CH_LAST_CONNECTED); - } else if (!strcmp(str, "random-selection")) { - rc = nc_server_ch_client_set_start_with(client_name, NC_CH_RANDOM); - } - } - } else if (!strcmp(node->schema->name, "max-attempts")) { - if (op == SR_OP_DELETED) { - if (nc_server_ch_is_client(client_name)) { - /* set default */ - rc = nc_server_ch_client_set_max_attempts(client_name, 3); - } - } else { - rc = nc_server_ch_client_set_max_attempts(client_name, ((struct lyd_node_term *)node)->value.uint8); - } - } + /* no match */ - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; +cleanup: + if (f) { + fclose(f); } - - return SR_ERR_OK; + free(line); + ssh_key_free(pub_key); + return ret; } + +#endif /* NC_ENABLED_SSH_TLS */ diff --git a/src/netconf_server.h b/src/netconf_server.h index adc30cd5..df46ac04 100644 --- a/src/netconf_server.h +++ b/src/netconf_server.h 
@@ -20,27 +20,28 @@ #include #include -int np2srv_sr_get_privkey(const struct lyd_node *asym_key, char **privkey_data, NC_SSH_KEY_TYPE *privkey_type); - -int np2srv_idle_timeout_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_endpt_tcp_params_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_client_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, +/** + * @brief Callback for handling netconf-server, ietf-keystore and ietf-truststore data changes. + * + * The diff is given to libnetconf2, which then handles the changes. + * + * @param session sysrepo session. + * @param[in] sub_id Subscription identifier. + * @param[in] module_name Module's name. + * @param[in] xpath XPath. + * @param[in] event Event. + * @param[in] request_id Request identifier. + * @param private_data Private data. + * + * @return SR_ERR_OK on success, on error any other value. 
+ */ +int np2srv_libnetconf2_config_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, sr_event_t event, uint32_t request_id, void *private_data); -int np2srv_ch_client_endpt_tcp_params_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, - const char *xpath, sr_event_t event, uint32_t request_id, void *private_data); +#ifdef NC_ENABLED_SSH_TLS -int np2srv_ch_connection_type_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_periodic_params_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); +int np2srv_pubkey_auth_cb(const struct nc_session *session, ssh_key key, void *user_data); -int np2srv_ch_reconnect_strategy_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, - const char *xpath, sr_event_t event, uint32_t request_id, void *private_data); +#endif /* NC_ENABLED_SSH_TLS */ #endif /* NP2SRV_NETCONF_SERVER_H_ */ diff --git a/src/netconf_server_ssh.c b/src/netconf_server_ssh.c deleted file mode 100644 index c571f581..00000000 --- a/src/netconf_server_ssh.c +++ /dev/null 
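Review bot: The `np2srv_pubkey_auth_cb` declaration added under `#ifdef NC_ENABLED_SSH_TLS` carries no doc comment, although it is the hook that decides whether a presented SSH public key is accepted and its return value is the entire contract; the implementation this commit moves into netconf_server.c (outside this hunk) starts with `ret = 1`, sets `ret = 0` only when a key from the user's authorized_keys file matches, and otherwise returns non-zero, including when the user entry or the file cannot be found. I would add a Doxygen block above it stating `@brief libnetconf2 SSH public-key authentication callback; compares @p key against the user's authorized_keys file.` and `@return 0 if the key is authorized, non-zero otherwise (deny).`, so that the deny-by-default is explicit and a future edit cannot silently invert it. In the new `np2srv_libnetconf2_config_cb` comment, `@param session` and `@param private_data` lack the `[in]` direction tag that the other parameters carry, which reads as if they were out-parameters; `@param[in] session` and `@param[in] private_data` would make the comment consistent.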
@@ -1,678 +0,0 @@ -/** - * @file netconf_server_ssh.c - * @author Michal Vasko - * @brief ietf-netconf-server SSH callbacks - * - * @copyright - * Copyright (c) 2019 - 2021 Deutsche Telekom AG. - * Copyright (c) 2017 - 2021 CESNET, z.s.p.o. - * - * This source code is licensed under BSD 3-Clause License (the "License"). - * You may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://opensource.org/licenses/BSD-3-Clause - */ - -#define _GNU_SOURCE /* asprintf() */ -#define _DEFAULT_SOURCE /* getpwent() */ -#define _POSIX_C_SOURCE 200809L /* getline() */ - -#include "netconf_server_ssh.h" - -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -#include "common.h" -#include "compat.h" -#include "config.h" -#include "log.h" -#include "netconf_server.h" - -int -np2srv_hostkey_cb(const char *name, void *UNUSED(user_data), char **UNUSED(privkey_path), char **privkey_data, - NC_SSH_KEY_TYPE *privkey_type) -{ - sr_session_ctx_t *sr_sess; - char *xpath; - sr_data_t *data = NULL; - int r, rc = -1; - - r = sr_session_start(np2srv.sr_conn, SR_DS_RUNNING, &sr_sess); - if (r != SR_ERR_OK) { - return -1; - } - - /* get hostkey data from sysrepo */ - if (asprintf(&xpath, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='%s']", name) == -1) { - EMEM; - goto cleanup; - } - r = sr_get_subtree(sr_sess, xpath, 0, &data); - free(xpath); - if (r != SR_ERR_OK) { - goto cleanup; - } else if (!data) { - ERR("Hostkey \"%s\" not found.", name); - goto cleanup; - } - - /* parse private key values */ - if (np2srv_sr_get_privkey(data->tree, privkey_data, privkey_type)) { - goto cleanup; - } - - /* success */ - rc = 0; - -cleanup: - sr_release_data(data); - sr_session_stop(sr_sess); - return rc; -} - -static int -np2srv_validate_posix_username(const char *username) -{ - /* use POSIX username definition - * 
https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_437 */ - - /* not empty */ - if (strlen(username) == 0) { - return -1; - } - - /* no hyphen as first char */ - if (username[0] == '-') { - return -1; - } - - /* check for Portable Filename Character Set */ - for (unsigned long i = 0; i < strlen(username); i++) { - if (!(isalnum(username[i]) || (username[i] == '.') || (username[i] == '_') || (username[i] == '-'))) { - return -1; - } - } - - return 0; -} - -int -np2srv_pubkey_auth_cb(const struct nc_session *session, ssh_key key, void *UNUSED(user_data)) -{ - FILE *f = NULL; - struct passwd *pwd; - ssh_key pub_key = NULL; - enum ssh_keytypes_e ktype; - const char *username; - char *line = NULL, *ptr, *ptr2; - size_t n; - int r, ret = 1, line_num = 0; - - username = nc_session_get_username(session); - - errno = 0; - pwd = getpwnam(username); - - if (!NP2SRV_SSH_AUTHORIZED_KEYS_ARG_IS_USERNAME && !pwd) { - ERR("Failed to find user entry for \"%s\" (%s).", username, errno ? strerror(errno) : "User not found"); - goto cleanup; - } - - if (!pwd && np2srv_validate_posix_username(username)) { - ERR("The username \"%s\" is not a valid posix username.", username); - goto cleanup; - } - - /* check any authorized keys */ - r = asprintf(&line, NP2SRV_SSH_AUTHORIZED_KEYS_PATTERN, NP2SRV_SSH_AUTHORIZED_KEYS_ARG_IS_USERNAME ? 
username : pwd->pw_dir); - if (r == -1) { - EMEM; - line = NULL; - goto cleanup; - } - n = r; - - f = fopen(line, "r"); - if (!f) { - if (errno == ENOENT) { - VRB("User \"%s\" has no authorized_keys file.", username); - } else { - ERR("Failed to open \"%s\" authorized_keys file (%s).", line, strerror(errno)); - } - goto cleanup; - } - - while (getline(&line, &n, f) > -1) { - ++line_num; - - /* separate key type */ - ptr = line; - for (ptr2 = ptr; !isspace(ptr2[0]); ++ptr2) {} - if (ptr2[0] == '\0') { - WRN("Invalid authorized key format of \"%s\" (line %d).", username, line_num); - continue; - } - ptr2[0] = '\0'; - - /* detect key type */ - ktype = ssh_key_type_from_name(ptr); - if (ktype == SSH_KEYTYPE_UNKNOWN) { - WRN("Unknown key type \"%s\" (line %d).", ptr, line_num); - continue; - } - - /* separate key data */ - ptr = ptr2 + 1; - for (ptr2 = ptr; !isspace(ptr2[0]); ++ptr2) {} - ptr2[0] = '\0'; - - r = ssh_pki_import_pubkey_base64(ptr, ktype, &pub_key); - if (r != SSH_OK) { - WRN("Failed to import authorized key of \"%s\" (%s, line %d).", - username, r == SSH_EOF ? 
"Unexpected end-of-file" : "SSH error", line_num); - continue; - } - - /* compare public keys */ - if (!ssh_key_cmp(key, pub_key, SSH_KEY_CMP_PUBLIC)) { - /* key matches */ - ret = 0; - goto cleanup; - } - - /* not a match, next key */ - ssh_key_free(pub_key); - pub_key = NULL; - } - if (!feof(f)) { - WRN("Failed reading from authorized_keys file of \"%s\".", username); - goto cleanup; - } - - /* no match */ - -cleanup: - if (f) { - fclose(f); - } - free(line); - ssh_key_free(pub_key); - return ret; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/ssh */ -int -np2srv_endpt_ssh_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name; - int rc, failed = 0; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get name */ - endpt_name = lyd_get_value(node->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - if (nc_server_add_endpt(endpt_name, NC_TI_LIBSSH)) { - failed = 1; - } - /* turn off all auth methods by default */ - nc_server_ssh_endpt_set_auth_methods(endpt_name, 0); - } else if (op == SR_OP_DELETED) { - if (nc_server_del_endpt(endpt_name, NC_TI_LIBSSH)) { - failed = 1; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return failed ? 
SR_ERR_INTERNAL : SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/server-identity/host-key/public-key/ - * keystore-reference */ -int -np2srv_endpt_ssh_hostkey_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *prev_val, *endpt_name; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, &prev_val, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_ssh_endpt_add_hostkey(endpt_name, lyd_get_value(node), -1); - } else if (op == SR_OP_DELETED) { - if (nc_server_is_endpt(endpt_name)) { - rc = nc_server_ssh_endpt_del_hostkey(endpt_name, lyd_get_value(node), -1); - } - } else if (op == SR_OP_MOVED) { - rc = nc_server_ssh_endpt_mov_hostkey(endpt_name, lyd_get_value(node), prev_val); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -static int -np2srv_ssh_update_auth_method(const struct lyd_node *node, sr_change_oper_t op, int cur_auth) -{ - int auth; - - auth = cur_auth; - - if (!strcmp(node->schema->name, "publickey")) { - if (op == SR_OP_CREATED) { - auth |= NC_SSH_AUTH_PUBLICKEY; - } else if (op == SR_OP_DELETED) { - auth &= ~NC_SSH_AUTH_PUBLICKEY; - } - } else if (!strcmp(node->schema->name, "passsword")) { - if (op == SR_OP_CREATED) { - auth |= 
NC_SSH_AUTH_PASSWORD; - } else if (op == SR_OP_DELETED) { - auth &= ~NC_SSH_AUTH_PASSWORD; - } - } else if (!strcmp(node->schema->name, "hostbased") || !strcmp(node->schema->name, "none")) { - WRN("SSH authentication \"%s\" not supported.", node->schema->name); - } else if (!strcmp(node->schema->name, "other")) { - if (!strcmp(lyd_get_value(node), "interactive")) { - if (op == SR_OP_CREATED) { - auth |= NC_SSH_AUTH_INTERACTIVE; - } else if (op == SR_OP_DELETED) { - auth &= ~NC_SSH_AUTH_INTERACTIVE; - } - } else { - WRN("SSH authentication \"%s\" not supported.", lyd_get_value(node)); - } - } - - return auth; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/client-authentication/ - * supported-authentication-methods */ -int -np2srv_endpt_ssh_auth_methods_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name; - char *xpath2; - int rc, auth; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - - if ((op == SR_OP_DELETED) && !nc_server_is_endpt(endpt_name)) { - /* endpt deleted */ - continue; - } - - /* current methods */ - auth = nc_server_ssh_endpt_get_auth_methods(endpt_name); - - auth = np2srv_ssh_update_auth_method(node, op, auth); - - /* updated methods */ - if (nc_server_ssh_endpt_set_auth_methods(endpt_name, auth)) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - 
} - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -static int -np2srv_user_add_auth_key(const char *alg, size_t alg_len, const char *key, size_t key_len, struct lyd_node *user, - uint8_t *key_idx) -{ - char name[7], *str; - struct lyd_node *authkey; - - /* list with name */ - sprintf(name, "key%d", (*key_idx)++); - if (lyd_new_list(user, NULL, "authorized-key", 0, &authkey, name)) { - return -1; - } - - /* algorithm */ - str = strndup(alg, alg_len); - if (!str) { - EMEM; - return -1; - } - lyd_new_term(authkey, NULL, "algorithm", str, 0, NULL); - free(str); - - /* key-data */ - str = strndup(key, key_len); - if (!str) { - EMEM; - return -1; - } - lyd_new_term(authkey, NULL, "key-data", str, 0, NULL); - free(str); - - return 0; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/ssh/ssh-server-parameters/client-authentication/users */ -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/ssh-server-parameters/ - * client-authentication/users */ -int -np2srv_endpt_ssh_auth_users_oper_cb(sr_session_ctx_t *UNUSED(session), uint32_t UNUSED(sub_id), - const char *UNUSED(module_name), const char *UNUSED(path), const char *UNUSED(request_xpath), - uint32_t UNUSED(request_id), struct lyd_node **parent, void *UNUSED(private_data)) -{ - struct passwd *pwd; - struct lyd_node *users, *user; - char *path, *line = NULL, *ptr, *alg, *data; - size_t line_len = 0; - FILE *f = NULL; - int rc = SR_ERR_INTERNAL; - uint8_t key_idx; - - if (lyd_new_inner(*parent, NULL, "users", 0, &users)) { - return SR_ERR_INTERNAL; - } - - while ((pwd = getpwent())) { - /* create user with name */ - if (lyd_new_list(users, NULL, "user", 0, &user, pwd->pw_name)) { - return SR_ERR_INTERNAL; - } - - /* check any authorized keys */ - if (asprintf(&path, NP2SRV_SSH_AUTHORIZED_KEYS_PATTERN, NP2SRV_SSH_AUTHORIZED_KEYS_ARG_IS_USERNAME ? 
- pwd->pw_name : pwd->pw_dir) == -1) { - EMEM; - goto cleanup; - } - f = fopen(path, "r"); - if (!f) { - if ((errno != ENOENT) && (errno != ENOTDIR) && (errno != EACCES)) { - ERR("Opening \"%s\" authorized key file failed (%s).", path, strerror(errno)); - free(path); - goto cleanup; - } - - if (errno == EACCES) { - VRB("Skipping \"%s\" authorized key file (%s).", path, strerror(errno)); - } - - free(path); - continue; - } - free(path); - - /* create authorized keys */ - key_idx = 1; - while (getline(&line, &line_len, f) != -1) { - if ((line[0] == '\0') || (line[0] == '#')) { - continue; - } - - /* find algorithm */ - ptr = line; - while (strncmp(ptr, "ssh-dss", 7) && strncmp(ptr, "ssh-rsa", 7) && strncmp(ptr, "ecdsa", 5)) { - ptr = strchr(ptr, ' '); - if (!ptr) { - break; - } - ++ptr; - } - if (!ptr) { - /* unrecognized line */ - continue; - } - alg = ptr; - - /* find data */ - ptr = strchr(ptr, ' '); - if (!ptr) { - /* unrecognized line */ - continue; - } - - ++ptr; - data = ptr; - if (!(ptr = strchr(data, ' ')) && !(ptr = strchr(data, '\n'))) { - ptr = data + strlen(data); - } - - /* create new authorized key */ - if (np2srv_user_add_auth_key(alg, strchr(alg, ' ') - alg, data, ptr - data, user, &key_idx)) { - goto cleanup; - } - } - if (ferror(f)) { - ERR("Reading from an authorized keys file failed (%s).", strerror(errno)); - goto cleanup; - } - fclose(f); - f = NULL; - } - - /* success */ - rc = SR_ERR_OK; - -cleanup: - free(line); - if (f) { - fclose(f); - } - endpwent(); - return rc; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh */ -int -np2srv_ch_client_endpt_ssh_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name, *client_name; - int rc; - - rc = 
sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get names */ - endpt_name = lyd_get_value(node->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_ch_client_add_endpt(client_name, endpt_name, NC_TI_LIBSSH); - /* turn off all auth methods by default */ - nc_server_ssh_ch_client_endpt_set_auth_methods(client_name, endpt_name, 0); - } else if (op == SR_OP_DELETED) { - rc = nc_server_ch_client_del_endpt(client_name, endpt_name, NC_TI_LIBSSH); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/ssh-server-parameters/ - * server-identity/host-key/public-key/keystore-reference */ -int -np2srv_ch_endpt_ssh_hostkey_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *prev_val, *endpt_name, *client_name; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, &prev_val, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->child); - client_name = 
lyd_get_value(node->parent->parent->parent->parent->parent->parent->parent->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_ssh_ch_client_endpt_add_hostkey(client_name, endpt_name, lyd_get_value(node), -1); - } else if (op == SR_OP_DELETED) { - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_ssh_ch_client_endpt_del_hostkey(client_name, endpt_name, lyd_get_value(node), -1); - } - } else if (op == SR_OP_MOVED) { - rc = nc_server_ssh_ch_client_endpt_mov_hostkey(client_name, endpt_name, lyd_get_value(node), prev_val); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/ssh/ssh-server-parameters/ - * client-authentication/supported-authentication-methods */ -int -np2srv_ch_endpt_ssh_auth_methods_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name, *client_name; - char *xpath2; - int rc, auth; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find names */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->parent->child); - - if ((op == SR_OP_DELETED) && 
!nc_server_ch_client_is_endpt(client_name, endpt_name)) { - continue; - } - - /* current methods */ - auth = nc_server_ssh_ch_client_endpt_get_auth_methods(client_name, endpt_name); - - auth = np2srv_ssh_update_auth_method(node, op, auth); - - /* updated methods */ - if (nc_server_ssh_ch_client_endpt_set_auth_methods(client_name, endpt_name, auth)) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} diff --git a/src/netconf_server_ssh.h b/src/netconf_server_ssh.h deleted file mode 100644 index 4ab60bce..00000000 --- a/src/netconf_server_ssh.h +++ /dev/null 
@@ -1,49 +0,0 @@
-/**
- * @file netconf_server_ssh.h
- * @author Michal Vasko
- * @brief ietf-netconf-server SSH callbacks header
- *
- * @copyright
- * Copyright (c) 2019 - 2021 Deutsche Telekom AG.
- * Copyright (c) 2017 - 2021 CESNET, z.s.p.o.
- *
- * This source code is licensed under BSD 3-Clause License (the "License").
- * You may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://opensource.org/licenses/BSD-3-Clause
- */
-
-#ifndef NP2SRV_NETCONF_SERVER_SSH_H_
-#define NP2SRV_NETCONF_SERVER_SSH_H_
-
-#include
-#include
-
-int np2srv_hostkey_cb(const char *name, void *user_data, char **privkey_path, char **privkey_data,
- NC_SSH_KEY_TYPE *privkey_type);
-
-int np2srv_pubkey_auth_cb(const struct nc_session *session, ssh_key key, void *user_data);
-
-int np2srv_endpt_ssh_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath,
- sr_event_t event, uint32_t request_id, void *private_data);
-
-int np2srv_endpt_ssh_hostkey_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath,
- sr_event_t event, uint32_t request_id, void *private_data);
-
-int np2srv_endpt_ssh_auth_methods_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name,
- const char *xpath, sr_event_t event, uint32_t request_id, void *private_data);
-
-int np2srv_endpt_ssh_auth_users_oper_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name,
- const char *path, const char *request_xpath, uint32_t request_id, struct lyd_node **parent, void *private_data);
-
-int np2srv_ch_client_endpt_ssh_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath,
- sr_event_t event, uint32_t request_id, void *private_data);
-
-int np2srv_ch_endpt_ssh_hostkey_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath,
- sr_event_t event, uint32_t request_id, void *private_data);
-
-int np2srv_ch_endpt_ssh_auth_methods_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name,
- const char *xpath, sr_event_t event, uint32_t request_id, void *private_data);
-
-#endif /* NP2SRV_NETCONF_SERVER_SSH_H_ */
diff --git a/src/netconf_server_tls.c b/src/netconf_server_tls.c
deleted file mode 100644
index 52bf976b..00000000
--- a/src/netconf_server_tls.c
+++ /dev/null
@@ -1,773 +0,0 @@ -/** - * @file netconf_server_ssh.c - * @author Michal Vasko - * @brief ietf-netconf-server SSH callbacks - * - * @copyright - * Copyright (c) 2019 - 2021 Deutsche Telekom AG. - * Copyright (c) 2017 - 2021 CESNET, z.s.p.o. - * - * This source code is licensed under BSD 3-Clause License (the "License"). - * You may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://opensource.org/licenses/BSD-3-Clause - */ - -#define _GNU_SOURCE /* asprintf() */ - -#include "netconf_server_tls.h" - -#include -#include -#include -#include - -#include -#include -#include - -#include "common.h" -#include "compat.h" -#include "log.h" -#include "netconf_server.h" - -int -np2srv_cert_cb(const char *name, void *UNUSED(user_data), char **UNUSED(cert_path), char **cert_data, - char **UNUSED(privkey_path), char **privkey_data, NC_SSH_KEY_TYPE *privkey_type) -{ - sr_session_ctx_t *sr_sess; - char *xpath; - sr_data_t *data = NULL; - int r, rc = -1; - - r = sr_session_start(np2srv.sr_conn, SR_DS_RUNNING, &sr_sess); - if (r != SR_ERR_OK) { - return -1; - } - - /* get private key data from sysrepo */ - if (asprintf(&xpath, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[certificates/certificate/name='%s']", - name) == -1) { - EMEM; - goto cleanup; - } - r = sr_get_subtree(sr_sess, xpath, 0, &data); - free(xpath); - if (r != SR_ERR_OK) { - goto cleanup; - } else if (!data) { - ERR("Server certificate \"%s\" not found.", name); - goto cleanup; - } - - /* parse private key values */ - if (np2srv_sr_get_privkey(data->tree, privkey_data, privkey_type)) { - goto cleanup; - } - - /* get cert data from sysrepo */ - if (asprintf(&xpath, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key/certificates/" - "certificate[name='%s']/cert", name) == -1) { - EMEM; - goto cleanup; - } - sr_release_data(data); - r = sr_get_subtree(sr_sess, xpath, 0, &data); - free(xpath); - if (r != SR_ERR_OK) { - goto cleanup; - } else 
if (!data) { - ERR("Server certificate \"%s\" not found.", name); - goto cleanup; - } - - /* set cert data */ - *cert_data = strdup(lyd_get_value(data->tree)); - if (!*cert_data) { - EMEM; - goto cleanup; - } - - /* success */ - rc = 0; - -cleanup: - sr_release_data(data); - sr_session_stop(sr_sess); - return rc; -} - -int -np2srv_cert_list_cb(const char *name, void *UNUSED(user_data), char ***UNUSED(cert_paths), int *UNUSED(cert_path_count), - char ***cert_data, int *cert_data_count) -{ - sr_session_ctx_t *sr_sess; - char *xpath; - sr_data_t *data = NULL; - struct ly_set *set = NULL; - int r, rc = -1; - uint32_t i, j; - - r = sr_session_start(np2srv.sr_conn, SR_DS_RUNNING, &sr_sess); - if (r != SR_ERR_OK) { - return -1; - } - - /* get cert list data from sysrepo */ - if (asprintf(&xpath, "/ietf-truststore:truststore/certificates[name='%s']", name) == -1) { - EMEM; - goto cleanup; - } - r = sr_get_subtree(sr_sess, xpath, 0, &data); - free(xpath); - if (r != SR_ERR_OK) { - goto cleanup; - } else if (!data) { - ERR("Certificate list \"%s\" not found.", name); - goto cleanup; - } - - /* find all certificates */ - if (lyd_find_xpath(data->tree, "certificate/cert", &set)) { - /* libyang error printed */ - goto cleanup; - } else if (!set->count) { - WRN("Certificate list \"%s\" does not define any actual certificates.", name); - rc = 0; - goto cleanup; - } - - *cert_data = malloc(set->count * sizeof **cert_data); - if (!*cert_data) { - EMEM; - goto cleanup; - } - - /* collect all cert data */ - for (i = 0; i < set->count; ++i) { - (*cert_data)[i] = strdup(lyd_get_value(set->dnodes[i])); - if (!(*cert_data)[i]) { - EMEM; - for (j = 0; j < i - 1; ++j) { - free((*cert_data)[i]); - } - free(*cert_data); - goto cleanup; - } - } - *cert_data_count = set->count; - - /* success */ - rc = 0; - -cleanup: - sr_release_data(data); - ly_set_free(set, NULL); - sr_session_stop(sr_sess); - return rc; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/tls */ -int 
-np2srv_endpt_tls_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get name */ - endpt_name = lyd_get_value(node->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_add_endpt(endpt_name, NC_TI_OPENSSL); - } else if (op == SR_OP_DELETED) { - rc = nc_server_del_endpt(endpt_name, NC_TI_OPENSSL); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/server-identity/keystore-reference */ -int -np2srv_endpt_tls_servercert_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = 
lyd_get_value(node->parent->parent->parent->parent->parent->child); - - /* we do not care about the "asymmetric-key", the certificate is enough */ - if (!strcmp(node->schema->name, "certificate")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - rc = nc_server_tls_endpt_set_server_cert(endpt_name, lyd_get_value(node)); - } else if (op == SR_OP_DELETED) { - if (nc_server_is_endpt(endpt_name)) { - rc = nc_server_tls_endpt_set_server_cert(endpt_name, NULL); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/client-authentication */ -int -np2srv_endpt_tls_client_auth_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *prev_val, *endpt_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, &prev_val, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->child); - - if (!strcmp(node->schema->name, "optional")) { - /* it is always required */ - ERR("TLS client authentication is always required."); - sr_free_change_iter(iter); - return SR_ERR_UNSUPPORTED; - } else if (!strcmp(node->schema->name, "ca-certs") || !strcmp(node->schema->name, "client-certs")) { - if (op == SR_OP_CREATED) { - rc = 
nc_server_tls_endpt_add_trusted_cert_list(endpt_name, lyd_get_value(node)); - } else if (op == SR_OP_DELETED) { - if (nc_server_is_endpt(endpt_name)) { - rc = nc_server_tls_endpt_del_trusted_cert_list(endpt_name, lyd_get_value(node)); - } - } else if (op == SR_OP_MODIFIED) { - nc_server_tls_endpt_del_trusted_cert_list(endpt_name, prev_val); - rc = nc_server_tls_endpt_add_trusted_cert_list(endpt_name, lyd_get_value(node)); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -static NC_TLS_CTN_MAPTYPE -np2srv_tls_ctn_str2map_type(const char *map_type) -{ - NC_TLS_CTN_MAPTYPE ret = 0; - - if (strncmp(map_type, "ietf-x509-cert-to-name:", 23)) { - return ret; - } - map_type += 23; - - if (!strcmp(map_type, "specified")) { - ret = NC_TLS_CTN_SPECIFIED; - } else if (!strcmp(map_type, "san-rfc822-name")) { - ret = NC_TLS_CTN_SAN_RFC822_NAME; - } else if (!strcmp(map_type, "san-dns-name")) { - ret = NC_TLS_CTN_SAN_DNS_NAME; - } else if (!strcmp(map_type, "san-ip-address")) { - ret = NC_TLS_CTN_SAN_IP_ADDRESS; - } else if (!strcmp(map_type, "san-any")) { - ret = NC_TLS_CTN_SAN_ANY; - } else if (!strcmp(map_type, "common-name")) { - ret = NC_TLS_CTN_COMMON_NAME; - } - - return ret; -} - -/* /ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/client-authentication/cert-maps */ -int -np2srv_endpt_tls_client_ctn_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node, *child; - const char *endpt_name; - char *fingerprint, *name, *xpath2; - int rc; - uint32_t id; - NC_TLS_CTN_MAPTYPE map_type; - - /* - * #1 create/delete of CTN entries - */ - if 
(asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - - /* collect all attributes */ - id = 0; - fingerprint = NULL; - map_type = 0; - name = NULL; - LY_LIST_FOR(lyd_child(node), child) { - if (!strcmp(child->schema->name, "id")) { - id = ((struct lyd_node_term *)child)->value.uint32; - } else if (!strcmp(child->schema->name, "fingerprint")) { - fingerprint = (char *)lyd_get_value(child); - } else if (!strcmp(child->schema->name, "map-type")) { - map_type = np2srv_tls_ctn_str2map_type(lyd_get_value(child)); - } else if (!strcmp(child->schema->name, "name")) { - name = (char *)lyd_get_value(child); - } - } - /* it was validated */ - assert(fingerprint && map_type); - - if (op == SR_OP_CREATED) { - rc = nc_server_tls_endpt_add_ctn(endpt_name, id, fingerprint, map_type, name); - } else { - assert(op == SR_OP_DELETED); - if (nc_server_is_endpt(endpt_name)) { - rc = nc_server_tls_endpt_del_ctn(endpt_name, id, fingerprint, map_type, name); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - /* - * #2 modification of existing CTN entries - */ - if (asprintf(&xpath2, "%s/cert-to-name/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == 
SR_ERR_OK) { - if ((op != SR_OP_MODIFIED) && strcmp(LYD_NAME(node), "name")) { - /* all leaves mandatory (but "name" has when) so handled in parent, must have the same operation */ - continue; - } - - /* find name */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->child); - - /* get the current entry */ - lyd_find_sibling_val(node, lyd_first_sibling(node)->schema, NULL, 0, (struct lyd_node **)&child); - assert(child && !strcmp(LYD_NAME(child), "id")); - id = ((struct lyd_node_term *)child)->value.uint32; - fingerprint = NULL; - map_type = 0; - name = NULL; - nc_server_tls_endpt_get_ctn(endpt_name, &id, &fingerprint, &map_type, &name); - - /* update the leaf */ - if (!strcmp(node->schema->name, "fingerprint")) { - free(fingerprint); - fingerprint = strdup(lyd_get_value(node)); - } else if (!strcmp(node->schema->name, "map-type")) { - map_type = np2srv_tls_ctn_str2map_type(lyd_get_value(node)); - } else if (!strcmp(node->schema->name, "name")) { - free(name); - name = (op == SR_OP_DELETED) ? 
NULL : strdup(lyd_get_value(node)); - } - - /* update the CTN entry */ - nc_server_tls_endpt_del_ctn(endpt_name, id, NULL, 0, NULL); - rc = nc_server_tls_endpt_add_ctn(endpt_name, id, fingerprint, map_type, name); - free(fingerprint); - free(name); - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls */ -int -np2srv_ch_client_endpt_tls_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name, *client_name; - int rc; - - rc = sr_get_changes_iter(session, xpath, &iter); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get names */ - endpt_name = lyd_get_value(node->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->child); - - /* ignore other operations */ - if (op == SR_OP_CREATED) { - rc = nc_server_ch_client_add_endpt(client_name, endpt_name, NC_TI_OPENSSL); - } else if (op == SR_OP_DELETED) { - if (nc_server_ch_is_client(client_name)) { - rc = nc_server_ch_client_del_endpt(client_name, endpt_name, NC_TI_OPENSSL); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - * 
server-identity/keystore-reference */ -int -np2srv_ch_client_endpt_tls_servercert_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), - const char *UNUSED(module_name), const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), - void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *endpt_name, *client_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get names */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->parent->child); - - /* we do not care about the "asymmetric-key", the certificate is enough */ - if (!strcmp(node->schema->name, "certificate")) { - if ((op == SR_OP_CREATED) || (op == SR_OP_MODIFIED)) { - rc = nc_server_tls_ch_client_endpt_set_server_cert(client_name, endpt_name, lyd_get_value(node)); - } else if (op == SR_OP_DELETED) { - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_tls_ch_client_endpt_set_server_cert(client_name, endpt_name, NULL); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - * client-authentication */ -int -np2srv_ch_client_endpt_tls_client_auth_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), - const char *UNUSED(module_name), const char 
*xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), - void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node; - const char *prev_val, *endpt_name, *client_name; - char *xpath2; - int rc; - - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, &prev_val, NULL, NULL)) == SR_ERR_OK) { - /* get names */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->child); - - if (!strcmp(node->schema->name, "optional")) { - /* it is always required */ - ERR("TLS client authentication is always required."); - sr_free_change_iter(iter); - return SR_ERR_UNSUPPORTED; - } else if (!strcmp(node->schema->name, "ca-certs") || !strcmp(node->schema->name, "client-certs")) { - if (op == SR_OP_CREATED) { - rc = nc_server_tls_ch_client_endpt_add_trusted_cert_list(client_name, endpt_name, lyd_get_value(node)); - } else if (op == SR_OP_DELETED) { - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_tls_ch_client_endpt_del_trusted_cert_list(client_name, endpt_name, lyd_get_value(node)); - } - } else if (op == SR_OP_MODIFIED) { - nc_server_tls_ch_client_endpt_del_trusted_cert_list(client_name, endpt_name, prev_val); - rc = nc_server_tls_ch_client_endpt_add_trusted_cert_list(client_name, endpt_name, lyd_get_value(node)); - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} - -/* 
/ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints/endpoint/tls/tls-server-parameters/" - * client-authentication/cert-maps */ -int -np2srv_ch_client_endpt_tls_client_ctn_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), - const char *UNUSED(module_name), const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), - void *UNUSED(private_data)) -{ - sr_change_iter_t *iter; - sr_change_oper_t op; - const struct lyd_node *node, *child; - const char *endpt_name, *client_name; - char *xpath2, *fingerprint, *name; - int rc; - uint32_t id; - NC_TLS_CTN_MAPTYPE map_type; - - /* - * #1 create/delete of CTN entries - */ - if (asprintf(&xpath2, "%s/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - /* get names */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->parent->child); - - /* collect all attributes */ - id = 0; - fingerprint = NULL; - map_type = 0; - name = NULL; - LY_LIST_FOR(lyd_child(node), child) { - if (!strcmp(child->schema->name, "id")) { - id = ((struct lyd_node_term *)child)->value.uint32; - } else if (!strcmp(child->schema->name, "fingerprint")) { - fingerprint = (char *)lyd_get_value(child); - } else if (!strcmp(child->schema->name, "map-type")) { - map_type = np2srv_tls_ctn_str2map_type(lyd_get_value(child)); - } else if (!strcmp(child->schema->name, "name")) { - name = (char *)lyd_get_value(child); - } - } - /* it was validated */ - assert(fingerprint && map_type); - - if (op == SR_OP_CREATED) { - rc = nc_server_tls_ch_client_endpt_add_ctn(client_name, endpt_name, id, fingerprint, map_type, name); - } else { - assert(op 
== SR_OP_DELETED); - if (nc_server_ch_client_is_endpt(client_name, endpt_name)) { - rc = nc_server_tls_ch_client_endpt_del_ctn(client_name, endpt_name, id, fingerprint, map_type, name); - } - } - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - /* - * #2 modification of existing CTN entries - */ - if (asprintf(&xpath2, "%s/cert-to-name/*", xpath) == -1) { - EMEM; - return SR_ERR_NO_MEMORY; - } - rc = sr_get_changes_iter(session, xpath2, &iter); - free(xpath2); - if (rc != SR_ERR_OK) { - ERR("Getting changes iter failed (%s).", sr_strerror(rc)); - return rc; - } - - while ((rc = sr_get_change_tree_next(session, iter, &op, &node, NULL, NULL, NULL)) == SR_ERR_OK) { - if ((op != SR_OP_MODIFIED) && strcmp(LYD_NAME(node), "name")) { - /* all leaves mandatory (but "name" has when) so handled in parent, must have the same operation */ - continue; - } - - /* get names */ - endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->child); - client_name = lyd_get_value(node->parent->parent->parent->parent->parent->parent->parent->parent->child); - - /* get the current entry */ - lyd_find_sibling_val(node, lyd_first_sibling(node)->schema, NULL, 0, (struct lyd_node **)&child); - assert(child && !strcmp(LYD_NAME(child), "id")); - id = ((struct lyd_node_term *)child)->value.uint32; - fingerprint = NULL; - map_type = 0; - name = NULL; - nc_server_tls_ch_client_endpt_get_ctn(client_name, endpt_name, &id, &fingerprint, &map_type, &name); - - /* update the leaf */ - if (!strcmp(node->schema->name, "fingerprint")) { - free(fingerprint); - fingerprint = strdup(lyd_get_value(node)); - } else if (!strcmp(node->schema->name, "map-type")) { - map_type = np2srv_tls_ctn_str2map_type(lyd_get_value(node)); - } else if (!strcmp(node->schema->name, "name")) { - free(name); - name = (op == SR_OP_DELETED) ? 
NULL : strdup(lyd_get_value(node)); - } - - /* update the CTN entry */ - nc_server_tls_ch_client_endpt_del_ctn(client_name, endpt_name, id, NULL, 0, NULL); - rc = nc_server_tls_ch_client_endpt_add_ctn(client_name, endpt_name, id, fingerprint, map_type, name); - free(fingerprint); - free(name); - if (rc) { - sr_free_change_iter(iter); - return SR_ERR_INTERNAL; - } - } - sr_free_change_iter(iter); - if (rc != SR_ERR_NOT_FOUND) { - ERR("Getting next change failed (%s).", sr_strerror(rc)); - return rc; - } - - return SR_ERR_OK; -} diff --git a/src/netconf_server_tls.h b/src/netconf_server_tls.h deleted file mode 100644 index d502ec01..00000000 --- a/src/netconf_server_tls.h +++ /dev/null 
@@ -1,53 +0,0 @@ -/** - * @file netconf_server_tks.h - * @author Michal Vasko - * @brief ietf-netconf-server TLS callbacks header - * - * @copyright - * Copyright (c) 2019 - 2021 Deutsche Telekom AG. - * Copyright (c) 2017 - 2021 CESNET, z.s.p.o. - * - * This source code is licensed under BSD 3-Clause License (the "License"). - * You may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://opensource.org/licenses/BSD-3-Clause - */ - -#ifndef NP2SRV_NETCONF_SERVER_TLS_H_ -#define NP2SRV_NETCONF_SERVER_TLS_H_ - -#include -#include - -int np2srv_cert_cb(const char *name, void *user_data, char **cert_path, char **cert_data, char **privkey_path, - char **privkey_data, NC_SSH_KEY_TYPE *privkey_type); - -int np2srv_cert_list_cb(const char *name, void *user_data, char ***cert_paths, int *cert_path_count, char ***cert_data, - int *cert_data_count); - -int np2srv_endpt_tls_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_endpt_tls_servercert_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_endpt_tls_client_auth_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_endpt_tls_client_ctn_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_client_endpt_tls_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -int np2srv_ch_client_endpt_tls_servercert_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, - const char *xpath, sr_event_t 
event, uint32_t request_id, void *private_data);
-
-int np2srv_ch_client_endpt_tls_client_auth_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name,
- const char *xpath, sr_event_t event, uint32_t request_id, void *private_data);
-
-int np2srv_ch_client_endpt_tls_client_ctn_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name,
- const char *xpath, sr_event_t event, uint32_t request_id, void *private_data);
-
-#endif /* NP2SRV_NETCONF_SERVER_TLS_H_ */
From 70d31ffaca0cc2cd216c0fe29df59f81a8879c1e Mon Sep 17 00:00:00 2001
From: roman Date: Mon, 11 Sep 2023 15:24:48 +0200 Subject: [PATCH 04/23] modules UPDATE remove unnecessary modules Remove the modules related to ietf-netconf-server, because they are installed using libnetconf2's module dir. --- modules/iana-crypt-hash@2014-08-06.yang | 120 - modules/ietf-crypto-types@2019-07-02.yang | 2058 ----------------- modules/ietf-keystore@2019-07-02.yang | 458 ---- modules/ietf-netconf-server@2019-07-02.yang | 520 ----- modules/ietf-ssh-common@2019-07-02.yang | 462 ---- modules/ietf-ssh-server@2019-07-02.yang | 385 --- modules/ietf-tcp-client@2019-07-02.yang | 145 -- modules/ietf-tcp-common@2019-07-02.yang | 130 -- modules/ietf-tcp-server@2019-07-02.yang | 114 - modules/ietf-tls-common@2019-07-02.yang | 406 ---- modules/ietf-tls-server@2019-07-02.yang | 263 --- modules/ietf-truststore@2019-07-02.yang | 294 --- .../ietf-x509-cert-to-name@2014-12-10.yang | 303 --- 13 files changed, 5658 deletions(-) delete mode 100644 modules/iana-crypt-hash@2014-08-06.yang delete mode 100644 modules/ietf-crypto-types@2019-07-02.yang delete mode 100644 modules/ietf-keystore@2019-07-02.yang delete mode 100644 modules/ietf-netconf-server@2019-07-02.yang delete mode 100644 modules/ietf-ssh-common@2019-07-02.yang delete mode 100644 modules/ietf-ssh-server@2019-07-02.yang delete mode 100644 modules/ietf-tcp-client@2019-07-02.yang delete mode 100644 modules/ietf-tcp-common@2019-07-02.yang delete mode 100644 modules/ietf-tcp-server@2019-07-02.yang delete mode 100644 modules/ietf-tls-common@2019-07-02.yang delete mode 100644 modules/ietf-tls-server@2019-07-02.yang delete mode 100644 modules/ietf-truststore@2019-07-02.yang delete mode 100644 modules/ietf-x509-cert-to-name@2014-12-10.yang diff --git a/modules/iana-crypt-hash@2014-08-06.yang b/modules/iana-crypt-hash@2014-08-06.yang deleted file mode 100644 index 86fcb51a..00000000 --- a/modules/iana-crypt-hash@2014-08-06.yang +++ /dev/null 
@@ -1,120 +0,0 @@ - module iana-crypt-hash { - namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash"; - prefix ianach; - - organization "IANA"; - contact - " Internet Assigned Numbers Authority - - Postal: ICANN - 12025 Waterfront Drive, Suite 300 - Los Angeles, CA 90094-2536 - United States - - Tel: +1 310 301 5800 - E-Mail: iana@iana.org>"; - description - "This YANG module defines a type for storing passwords - using a hash function and features to indicate which hash - functions are supported by an implementation. - - The latest revision of this YANG module can be obtained from - the IANA web site. - - Requests for new values should be made to IANA via - email (iana@iana.org). - - Copyright (c) 2014 IETF Trust and the persons identified as - authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with or - without modification, is permitted pursuant to, and subject - to the license terms contained in, the Simplified BSD License - set forth in Section 4.c of the IETF Trust's Legal Provisions - Relating to IETF Documents - (http://trustee.ietf.org/license-info). - - The initial version of this YANG module is part of RFC 7317; - see the RFC itself for full legal notices."; - - revision 2014-08-06 { - description - "Initial revision."; - reference - "RFC 7317: A YANG Data Model for System Management"; - } - - typedef crypt-hash { - type string { - pattern - '$0$.*' - + '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}' - + '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}' - + '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}'; - } - description - "The crypt-hash type is used to store passwords using - a hash function. The algorithms for applying the hash - function and encoding the result are implemented in - various UNIX systems as the function crypt(3). - - A value of this type matches one of the forms: - - $0$ - $$$ - $$$$ - - The '$0$' prefix signals that the value is clear text. 
When - such a value is received by the server, a hash value is - calculated, and the string '$$$' or - $$$$ is prepended to the result. This - value is stored in the configuration data store. - If a value starting with '$$', where is not '0', is - received, the server knows that the value already represents a - hashed value and stores it 'as is' in the data store. - - When a server needs to verify a password given by a user, it - finds the stored password hash string for that user, extracts - the salt, and calculates the hash with the salt and given - password as input. If the calculated hash value is the same - as the stored value, the password given by the client is - accepted. - - This type defines the following hash functions: - - id | hash function | feature - ---+---------------+------------------- - 1 | MD5 | crypt-hash-md5 - 5 | SHA-256 | crypt-hash-sha-256 - 6 | SHA-512 | crypt-hash-sha-512 - - The server indicates support for the different hash functions - by advertising the corresponding feature."; - reference - "IEEE Std 1003.1-2008 - crypt() function - RFC 1321: The MD5 Message-Digest Algorithm - FIPS.180-4.2012: Secure Hash Standard (SHS)"; - } - - feature crypt-hash-md5 { - description - "Indicates that the device supports the MD5 - hash function in 'crypt-hash' values."; - reference "RFC 1321: The MD5 Message-Digest Algorithm"; - } - - feature crypt-hash-sha-256 { - description - "Indicates that the device supports the SHA-256 - hash function in 'crypt-hash' values."; - reference "FIPS.180-4.2012: Secure Hash Standard (SHS)"; - } - - feature crypt-hash-sha-512 { - description - "Indicates that the device supports the SHA-512 - hash function in 'crypt-hash' values."; - reference "FIPS.180-4.2012: Secure Hash Standard (SHS)"; - } - - } diff --git a/modules/ietf-crypto-types@2019-07-02.yang b/modules/ietf-crypto-types@2019-07-02.yang deleted file mode 100644 index 3313a8c3..00000000 --- a/modules/ietf-crypto-types@2019-07-02.yang +++ /dev/null 
@@ -1,2058 +0,0 @@ - module ietf-crypto-types { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types"; - prefix ct; - - import ietf-yang-types { - prefix yang; - reference - "RFC 6991: Common YANG Data Types"; - } - - import ietf-netconf-acm { - prefix nacm; - reference - "RFC 8341: Network Configuration Access Control Model"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Wang Haiguang "; - - description - "This module defines common YANG types for cryptographic - applications. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
- - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: Common YANG Data Types for Cryptography"; - } - - /**************************************/ - /* Identities for Hash Algorithms */ - /**************************************/ - - typedef hash-algorithm-t { - type union { - type uint16; - type enumeration { - enum NONE { - value 0; - description - "Hash algorithm is NULL."; - } - enum sha1 { - value 1; - status obsolete; - description - "The SHA1 algorithm."; - reference - "RFC 3174: US Secure Hash Algorithms 1 (SHA1)."; - } - enum sha-224 { - value 2; - description - "The SHA-224 algorithm."; - reference - "RFC 6234: US Secure Hash Algorithms."; - } - enum sha-256 { - value 3; - description - "The SHA-256 algorithm."; - reference - "RFC 6234: US Secure Hash Algorithms."; - } - enum sha-384 { - value 4; - description - "The SHA-384 algorithm."; - reference - "RFC 6234: US Secure Hash Algorithms."; - } - enum sha-512 { - value 5; - description - "The SHA-512 algorithm."; - reference - "RFC 6234: US Secure Hash Algorithms."; - } - enum shake-128 { - value 6; - description - "The SHA3 algorithm with 128-bits output."; - reference - "National Institute of Standards and Technology, - SHA-3 Standard: Permutation-Based Hash and - Extendable-Output Functions, FIPS PUB 202, DOI - 10.6028/NIST.FIPS.202, August 2015."; - } - enum shake-224 { - value 7; - description - "The SHA3 algorithm with 224-bits output."; - reference - "National Institute of Standards and Technology, - SHA-3 Standard: 
Permutation-Based Hash and - Extendable-Output Functions, FIPS PUB 202, DOI - 10.6028/NIST.FIPS.202, August 2015."; - } - enum shake-256 { - value 8; - description - "The SHA3 algorithm with 256-bits output."; - reference - "National Institute of Standards and Technology, - SHA-3 Standard: Permutation-Based Hash and - Extendable-Output Functions, FIPS PUB 202, DOI - 10.6028/NIST.FIPS.202, August 2015."; - } - enum shake-384 { - value 9; - description - "The SHA3 algorithm with 384-bits output."; - reference - "National Institute of Standards and Technology, - SHA-3 Standard: Permutation-Based Hash and - Extendable-Output Functions, FIPS PUB 202, DOI - 10.6028/NIST.FIPS.202, August 2015."; - } - enum shake-512 { - value 10; - description - "The SHA3 algorithm with 384-bits output."; - reference - "National Institute of Standards and Technology, - SHA-3 Standard: Permutation-Based Hash and - Extendable-Output Functions, FIPS PUB 202, DOI - 10.6028/NIST.FIPS.202, August 2015."; - } - } - } - default "0"; - description - "The uint16 filed shall be set by individual protocol families - according to the hash algorithm value assigned by IANA. The - setting is optional and by default is 0. 
The enumeration - filed is set to the selected hash algorithm."; - } - - /***********************************************/ - /* Identities for Asymmetric Key Algorithms */ - /***********************************************/ - - typedef asymmetric-key-algorithm-t { - type union { - type uint16; - type enumeration { - enum NONE { - value 0; - description - "Asymetric key algorithm is NULL."; - } - enum rsa1024 { - value 1; - description - "The RSA algorithm using a 1024-bit key."; - reference - "RFC 8017: PKCS #1: RSA Cryptography - Specifications Version 2.2."; - } - enum rsa2048 { - value 2; - description - "The RSA algorithm using a 2048-bit key."; - reference - "RFC 8017: - PKCS #1: RSA Cryptography Specifications Version 2.2."; - } - enum rsa3072 { - value 3; - description - "The RSA algorithm using a 3072-bit key."; - reference - "RFC 8017: - PKCS #1: RSA Cryptography Specifications Version 2.2."; - } - enum rsa4096 { - value 4; - description - "The RSA algorithm using a 4096-bit key."; - reference - "RFC 8017: - PKCS #1: RSA Cryptography Specifications Version 2.2."; - } - enum rsa7680 { - value 5; - description - "The RSA algorithm using a 7680-bit key."; - reference - "RFC 8017: - PKCS #1: RSA Cryptography Specifications Version 2.2."; - } - enum rsa15360 { - value 6; - description - "The RSA algorithm using a 15360-bit key."; - reference - "RFC 8017: - PKCS #1: RSA Cryptography Specifications Version 2.2."; - } - enum secp192r1 { - value 7; - description - "The asymmetric algorithm using a NIST P192 Curve."; - reference - "RFC 6090: - Fundamental Elliptic Curve Cryptography Algorithms. - RFC 5480: - Elliptic Curve Cryptography Subject Public Key - Information."; - } - enum secp224r1 { - value 8; - description - "The asymmetric algorithm using a NIST P224 Curve."; - reference - "RFC 6090: - Fundamental Elliptic Curve Cryptography Algorithms. 
- RFC 5480: - Elliptic Curve Cryptography Subject Public Key - Information."; - } - enum secp256r1 { - value 9; - description - "The asymmetric algorithm using a NIST P256 Curve."; - reference - "RFC 6090: - Fundamental Elliptic Curve Cryptography Algorithms. - RFC 5480: - Elliptic Curve Cryptography Subject Public Key - Information."; - } - enum secp384r1 { - value 10; - description - "The asymmetric algorithm using a NIST P384 Curve."; - reference - "RFC 6090: - Fundamental Elliptic Curve Cryptography Algorithms. - RFC 5480: - Elliptic Curve Cryptography Subject Public Key - Information."; - } - enum secp521r1 { - value 11; - description - "The asymmetric algorithm using a NIST P521 Curve."; - reference - "RFC 6090: - Fundamental Elliptic Curve Cryptography Algorithms. - RFC 5480: - Elliptic Curve Cryptography Subject Public Key - Information."; - } - enum x25519 { - value 12; - description - "The asymmetric algorithm using a x.25519 Curve."; - reference - "RFC 7748: - Elliptic Curves for Security."; - } - enum x448 { - value 13; - description - "The asymmetric algorithm using a x.448 Curve."; - reference - "RFC 7748: - Elliptic Curves for Security."; - } - } - } - default "0"; - description - "The uint16 filed shall be set by individual protocol - families according to the asymmetric key algorithm value - assigned by IANA. The setting is optional and by default - is 0. 
The enumeration filed is set to the selected - asymmetric key algorithm."; - } - - /*************************************/ - /* Identities for MAC Algorithms */ - /*************************************/ - - typedef mac-algorithm-t { - type union { - type uint16; - type enumeration { - enum NONE { - value 0; - description - "mac algorithm is NULL."; - } - enum hmac-sha1 { - value 1; - description - "Generating MAC using SHA1 hash function"; - reference - "RFC 3174: US Secure Hash Algorithm 1 (SHA1)"; - } - enum hmac-sha1-96 { - value 2; - description - "Generating MAC using SHA1 hash function"; - reference - "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH"; - } - enum hmac-sha2-224 { - value 3; - description - "Generating MAC using SHA2 hash function"; - reference - "RFC 6234: US Secure Hash Algorithms - (SHA and SHA-based HMAC and HKDF)"; - } - enum hmac-sha2-256 { - value 4; - description - "Generating MAC using SHA2 hash function"; - reference - "RFC 6234: US Secure Hash Algorithms - (SHA and SHA-based HMAC and HKDF)"; - } - enum hmac-sha2-256-128 { - value 5; - description - "Generating a 256 bits MAC using SHA2 hash function and - truncate it to 128 bits"; - reference - "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, - and HMAC-SHA-512 with IPsec"; - } - enum hmac-sha2-384 { - value 6; - description - "Generating a 384 bits MAC using SHA2 hash function"; - reference - "RFC 6234: US Secure Hash Algorithms - (SHA and SHA-based HMAC and HKDF)"; - } - enum hmac-sha2-384-192 { - value 7; - description - "Generating a 384 bits MAC using SHA2 hash function and - truncate it to 192 bits"; - reference - "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, - and HMAC-SHA-512 with IPsec"; - } - enum hmac-sha2-512 { - value 8; - description - "Generating a 512 bits MAC using SHA2 hash function"; - reference - "RFC 6234: US Secure Hash Algorithms - (SHA and SHA-based HMAC and HKDF)"; - } - enum hmac-sha2-512-256 { - value 9; - description - "Generating a 512 bits MAC using SHA2 
hash function and - truncate it to 256 bits"; - reference - "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, - and HMAC-SHA-512 with IPsec"; - } - enum aes-128-gmac { - value 10; - description - "Generating 128-bit MAC using the Advanced Encryption - Standard (AES) Galois Message Authentication Code - (GMAC) as a mechanism to provide data origin - authentication."; - reference - "RFC 4543: - The Use of Galois Message Authentication Code (GMAC) - in IPsec ESP and AH"; - } - enum aes-192-gmac { - value 11; - description - "Generating 192-bit MAC using the Advanced Encryption - Standard (AES) Galois Message Authentication Code - (GMAC) as a mechanism to provide data origin - authentication."; - reference - "RFC 4543: - The Use of Galois Message Authentication Code (GMAC) - in IPsec ESP and AH"; - } - enum aes-256-gmac { - value 12; - description - "Generating 256-bit MAC using the Advanced Encryption - Standard (AES) Galois Message Authentication Code - (GMAC) as a mechanism to provide data origin - authentication."; - reference - "RFC 4543: - The Use of Galois Message Authentication Code (GMAC) - in IPsec ESP and AH"; - } - enum aes-cmac-96 { - value 13; - description - "Generating 96-bit MAC using Advanced Encryption - Standard (AES) Cipher-based Message Authentication - Code (CMAC)"; - reference - "RFC 4494: - The AES-CMAC Algorithm and its Use with IPsec"; - } - enum aes-cmac-128 { - value 14; - description - "Generating 128-bit MAC using Advanced Encryption - Standard (AES) Cipher-based Message Authentication - Code (CMAC)"; - reference - "RFC 4494: - The AES-CMAC Algorithm and its Use with IPsec"; - } - enum sha1-des3-kd { - value 15; - description - "Generating MAC using triple DES encryption function"; - reference - "RFC 3961: - Encryption and Checksum Specifications for Kerberos - 5"; - } - } - } - default "0"; - description - "The uint16 filed shall be set by individual protocol - families according to the mac algorithm value assigned by - IANA. 
The setting is optional and by default is 0. The - enumeration filed is set to the selected mac algorithm."; - } - - /********************************************/ - /* Identities for Encryption Algorithms */ - /********************************************/ - - typedef encryption-algorithm-t { - type union { - type uint16; - type enumeration { - enum NONE { - value 0; - description - "Encryption algorithm is NULL."; - } - enum aes-128-cbc { - value 1; - description - "Encrypt message with AES algorithm in CBC mode with - a key length of 128 bits."; - reference - "RFC 3565: Use of the Advanced Encryption Standard (AES) - Encryption Algorithm in Cryptographic Message Syntax - (CMS)"; - } - enum aes-192-cbc { - value 2; - description - "Encrypt message with AES algorithm in CBC mode with - a key length of 192 bits"; - reference - "RFC 3565: Use of the Advanced Encryption Standard (AES) - Encryption Algorithm in Cryptographic Message Syntax - (CMS)"; - } - enum aes-256-cbc { - value 3; - description - "Encrypt message with AES algorithm in CBC mode with - a key length of 256 bits"; - reference - "RFC 3565: Use of the Advanced Encryption Standard (AES) - Encryption Algorithm in Cryptographic Message Syntax - (CMS)"; - } - enum aes-128-ctr { - value 4; - description - "Encrypt message with AES algorithm in CTR mode with - a key length of 128 bits"; - reference - "RFC 3686: - Using Advanced Encryption Standard (AES) Counter - Mode with IPsec Encapsulating Security Payload - (ESP)"; - } - enum aes-192-ctr { - value 5; - description - "Encrypt message with AES algorithm in CTR mode with - a key length of 192 bits"; - reference - "RFC 3686: - Using Advanced Encryption Standard (AES) Counter - Mode with IPsec Encapsulating Security Payload - (ESP)"; - } - enum aes-256-ctr { - value 6; - description - "Encrypt message with AES algorithm in CTR mode with - a key length of 256 bits"; - reference - "RFC 3686: - Using Advanced Encryption Standard (AES) Counter - Mode with IPsec 
Encapsulating Security Payload - (ESP)"; - } - enum des3-cbc-sha1-kd { - value 7; - description - "Encrypt message with 3DES algorithm in CBC mode - with sha1 function for key derivation"; - reference - "RFC 3961: - Encryption and Checksum Specifications for - Kerberos 5"; - } - enum rc4-hmac { - value 8; - description - "Encrypt message with rc4 algorithm"; - reference - "RFC 4757: - The RC4-HMAC Kerberos Encryption Types Used by - Microsoft Windows"; - } - enum rc4-hmac-exp { - value 9; - description - "Encrypt message with rc4 algorithm that is exportable"; - reference - "RFC 4757: - The RC4-HMAC Kerberos Encryption Types Used by - Microsoft Windows"; - } - } - } - default "0"; - description - "The uint16 filed shall be set by individual protocol - families according to the encryption algorithm value - assigned by IANA. The setting is optional and by default - is 0. The enumeration filed is set to the selected - encryption algorithm."; - } - - /****************************************************/ - /* Identities for Encryption and MAC Algorithms */ - /****************************************************/ - - typedef encryption-and-mac-algorithm-t { - type union { - type uint16; - type enumeration { - enum NONE { - value 0; - description - "Encryption and MAC algorithm is NULL."; - reference - "None"; - } - enum aes-128-ccm { - value 1; - description - "Encrypt message with AES algorithm in CCM - mode with a key length of 128 bits; it can - also be used for generating MAC"; - reference - "RFC 4309: Using Advanced Encryption Standard - (AES) CCM Mode with IPsec Encapsulating Security - Payload (ESP)"; - } - enum aes-192-ccm { - value 2; - description - "Encrypt message with AES algorithm in CCM - mode with a key length of 192 bits; it can - also be used for generating MAC"; - reference - "RFC 4309: Using Advanced Encryption Standard - (AES) CCM Mode with IPsec Encapsulating Security - Payload (ESP)"; - } - enum aes-256-ccm { - value 3; - description - "Encrypt 
message with AES algorithm in CCM - mode with a key length of 256 bits; it can - also be used for generating MAC"; - reference - "RFC 4309: Using Advanced Encryption Standard - (AES) CCM Mode with IPsec Encapsulating Security - Payload (ESP)"; - } - enum aes-128-gcm { - value 4; - description - "Encrypt message with AES algorithm in GCM - mode with a key length of 128 bits; it can - also be used for generating MAC"; - reference - "RFC 4106: The Use of Galois/Counter Mode (GCM) - in IPsec Encapsulating Security Payload (ESP)"; - } - enum aes-192-gcm { - value 5; - description - "Encrypt message with AES algorithm in GCM - mode with a key length of 192 bits; it can - also be used for generating MAC"; - reference - "RFC 4106: The Use of Galois/Counter Mode (GCM) - in IPsec Encapsulating Security Payload (ESP)"; - } - enum aes-256-gcm { - value 6; - description - "Encrypt message with AES algorithm in GCM - mode with a key length of 256 bits; it can - also be used for generating MAC"; - reference - "RFC 4106: The Use of Galois/Counter Mode (GCM) - in IPsec Encapsulating Security Payload (ESP)"; - } - enum chacha20-poly1305 { - value 7; - description - "Encrypt message with chacha20 algorithm and generate - MAC with POLY1305; it can also be used for generating - MAC"; - reference - "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols"; - } - } - } - default "0"; - description - "The uint16 filed shall be set by individual protocol - families according to the encryption and mac algorithm value - assigned by IANA. The setting is optional and by default is - 0. 
The enumeration filed is set to the selected encryption - and mac algorithm."; - } - - /******************************************/ - /* Identities for signature algorithm */ - /******************************************/ - - typedef signature-algorithm-t { - type union { - type uint16; - type enumeration { - enum NONE { - value 0; - description - "Signature algorithm is NULL"; - } - enum dsa-sha1 { - value 1; - description - "The signature algorithm using DSA algorithm with SHA1 - hash algorithm"; - reference - "RFC 4253: - The Secure Shell (SSH) Transport Layer Protocol"; - } - enum rsassa-pkcs1-sha1 { - value 2; - description - "The signature algorithm using RSASSA-PKCS1-v1_5 with - the SHA1 hash algorithm."; - reference - "RFC 4253: - The Secure Shell (SSH) Transport Layer Protocol"; - } - enum rsassa-pkcs1-sha256 { - value 3; - description - "The signature algorithm using RSASSA-PKCS1-v1_5 with - the SHA256 hash algorithm."; - reference - "RFC 8332: - Use of RSA Keys with SHA-256 and SHA-512 in the - Secure Shell (SSH) Protocol - RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum rsassa-pkcs1-sha384 { - value 4; - description - "The signature algorithm using RSASSA-PKCS1-v1_5 with - the SHA384 hash algorithm."; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum rsassa-pkcs1-sha512 { - value 5; - description - "The signature algorithm using RSASSA-PKCS1-v1_5 with - the SHA512 hash algorithm."; - reference - "RFC 8332: - Use of RSA Keys with SHA-256 and SHA-512 in the - Secure Shell (SSH) Protocol - RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum rsassa-pss-rsae-sha256 { - value 6; - description - "The signature algorithm using RSASSA-PSS with mask - generation function 1 and SHA256 hash algorithm. 
If - the public key is carried in an X.509 certificate, - it MUST use the rsaEncryption OID"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum rsassa-pss-rsae-sha384 { - value 7; - description - "The signature algorithm using RSASSA-PSS with mask - generation function 1 and SHA384 hash algorithm. If - the public key is carried in an X.509 certificate, - it MUST use the rsaEncryption OID"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum rsassa-pss-rsae-sha512 { - value 8; - description - "The signature algorithm using RSASSA-PSS with mask - generation function 1 and SHA512 hash algorithm. If - the public key is carried in an X.509 certificate, - it MUST use the rsaEncryption OID"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum rsassa-pss-pss-sha256 { - value 9; - description - "The signature algorithm using RSASSA-PSS with mask - generation function 1 and SHA256 hash algorithm. If - the public key is carried in an X.509 certificate, - it MUST use the rsaEncryption OID"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum rsassa-pss-pss-sha384 { - value 10; - description - "The signature algorithm using RSASSA-PSS with mask - generation function 1 and SHA384 hash algorithm. If - the public key is carried in an X.509 certificate, - it MUST use the rsaEncryption OID"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum rsassa-pss-pss-sha512 { - value 11; - description - "The signature algorithm using RSASSA-PSS with mask - generation function 1 and SHA512 hash algorithm. 
If - the public key is carried in an X.509 certificate, - it MUST use the rsaEncryption OID"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum ecdsa-secp256r1-sha256 { - value 12; - description - "The signature algorithm using ECDSA with curve name - secp256r1 and SHA256 hash algorithm."; - reference - "RFC 5656: - Elliptic Curve Algorithm Integration in the Secure - Shell Transport Layer - RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum ecdsa-secp384r1-sha384 { - value 13; - description - "The signature algorithm using ECDSA with curve name - secp384r1 and SHA384 hash algorithm."; - reference - "RFC 5656: - Elliptic Curve Algorithm Integration in the Secure - Shell Transport Layer - RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum ecdsa-secp521r1-sha512 { - value 14; - description - "The signature algorithm using ECDSA with curve name - secp521r1 and SHA512 hash algorithm."; - reference - "RFC 5656: - Elliptic Curve Algorithm Integration in the Secure - Shell Transport Layer - RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum ed25519 { - value 15; - description - "The signature algorithm using EdDSA with curve x25519"; - reference - "RFC 8032: - Edwards-Curve Digital Signature Algorithm (EdDSA)"; - } - enum ed25519-cts { - value 16; - description - "The signature algorithm using EdDSA with curve x25519 - with phflag = 0"; - reference - "RFC 8032: - Edwards-Curve Digital Signature Algorithm (EdDSA)"; - } - enum ed25519-ph { - value 17; - description - "The signature algorithm using EdDSA with curve x25519 - with phflag = 1"; - reference - "RFC 8032: - Edwards-Curve Digital Signature Algorithm (EdDSA)"; - } - enum ed25519-sha512 { - value 18; - description - "The signature algorithm using EdDSA with curve x25519 - and SHA-512 function"; - reference - "RFC 8419: - Use of Edwards-Curve Digital Signature Algorithm - 
(EdDSA) Signatures in the Cryptographic Message - Syntax (CMS)"; - } - enum ed448 { - value 19; - description - "The signature algorithm using EdDSA with curve x448"; - reference - "RFC 8032: - Edwards-Curve Digital Signature Algorithm (EdDSA)"; - } - enum ed448-ph { - value 20; - description - "The signature algorithm using EdDSA with curve x448 - and with PH being SHAKE256(x, 64) and phflag being 1"; - reference - "RFC 8032: - Edwards-Curve Digital Signature Algorithm (EdDSA)"; - } - enum ed448-shake256 { - value 21; - description - "The signature algorithm using EdDSA with curve x448 - and SHAKE-256 function"; - reference - "RFC 8419: - Use of Edwards-Curve Digital Signature Algorithm - (EdDSA) Signatures in the Cryptographic Message - Syntax (CMS)"; - } - enum ed448-shake256-len { - value 22; - description - "The signature algorithm using EdDSA with curve x448 - and SHAKE-256 function and a customized hash output"; - reference - "RFC 8419: - Use of Edwards-Curve Digital Signature Algorithm - (EdDSA) Signatures in the Cryptographic Message - Syntax (CMS)"; - } - enum rsa-sha2-256 { - value 23; - description - "The signature algorithm using RSA with SHA2 function - for SSH protocol"; - reference - "RFC 8332: - Use of RSA Keys with SHA-256 and SHA-512 - in the Secure Shell (SSH) Protocol"; - } - enum rsa-sha2-512 { - value 24; - description - "The signature algorithm using RSA with SHA2 function - for SSH protocol"; - reference - "RFC 8332: - Use of RSA Keys with SHA-256 and SHA-512 - in the Secure Shell (SSH) Protocol"; - } - enum eccsi { - value 25; - description - "The signature algorithm using ECCSI signature as - defined in RFC 6507."; - reference - "RFC 6507: - Elliptic Curve-Based Certificateless Signatures - for Identity-based Encryption (ECCSI)"; - } - } - } - default "0"; - description - "The uint16 filed shall be set by individual protocol - families according to the signature algorithm value - assigned by IANA. 
The setting is optional and by default - is 0. The enumeration filed is set to the selected - signature algorithm."; - } - - /**********************************************/ - /* Identities for key exchange algorithms */ - /**********************************************/ - - typedef key-exchange-algorithm-t { - type union { - type uint16; - type enumeration { - enum NONE { - value 0; - description - "Key exchange algorithm is NULL."; - } - enum psk-only { - value 1; - description - "Using Pre-shared key for authentication and key - exchange"; - reference - "RFC 4279: - Pre-Shared Key cipher suites for Transport Layer - Security (TLS)"; - } - enum dhe-ffdhe2048 { - value 2; - description - "Ephemeral Diffie Hellman key exchange with 2048 bit - finite field"; - reference - "RFC 7919: - Negotiated Finite Field Diffie-Hellman Ephemeral - Parameters for Transport Layer Security (TLS)"; - } - enum dhe-ffdhe3072 { - value 3; - description - "Ephemeral Diffie Hellman key exchange with 3072 bit - finite field"; - reference - "RFC 7919: - Negotiated Finite Field Diffie-Hellman Ephemeral - Parameters for Transport Layer Security (TLS)"; - } - enum dhe-ffdhe4096 { - value 4; - description - "Ephemeral Diffie Hellman key exchange with 4096 bit - finite field"; - reference - "RFC 7919: - Negotiated Finite Field Diffie-Hellman Ephemeral - Parameters for Transport Layer Security (TLS)"; - } - enum dhe-ffdhe6144 { - value 5; - description - "Ephemeral Diffie Hellman key exchange with 6144 bit - finite field"; - reference - "RFC 7919: - Negotiated Finite Field Diffie-Hellman Ephemeral - Parameters for Transport Layer Security (TLS)"; - } - enum dhe-ffdhe8192 { - value 6; - description - "Ephemeral Diffie Hellman key exchange with 8192 bit - finite field"; - reference - "RFC 7919: - Negotiated Finite Field Diffie-Hellman Ephemeral - Parameters for Transport Layer Security (TLS)"; - } - enum psk-dhe-ffdhe2048 { - value 7; - description - "Key exchange using pre-shared key with 
Diffie-Hellman - key generation mechanism, where the DH group is - FFDHE2048"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum psk-dhe-ffdhe3072 { - value 8; - description - "Key exchange using pre-shared key with Diffie-Hellman - key generation mechanism, where the DH group is - FFDHE3072"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum psk-dhe-ffdhe4096 { - value 9; - description - "Key exchange using pre-shared key with Diffie-Hellman - key generation mechanism, where the DH group is - FFDHE4096"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum psk-dhe-ffdhe6144 { - value 10; - description - "Key exchange using pre-shared key with Diffie-Hellman - key generation mechanism, where the DH group is - FFDHE6144"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum psk-dhe-ffdhe8192 { - value 11; - description - "Key exchange using pre-shared key with Diffie-Hellman - key generation mechanism, where the DH group is - FFDHE8192"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum ecdhe-secp256r1 { - value 12; - description - "Ephemeral Diffie Hellman key exchange with elliptic - group over curve secp256r1"; - reference - "RFC 8422: - Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS) Versions 1.2 - and Earlier"; - } - enum ecdhe-secp384r1 { - value 13; - description - "Ephemeral Diffie Hellman key exchange with elliptic - group over curve secp384r1"; - reference - "RFC 8422: - Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS) Versions 1.2 - and Earlier"; - } - enum ecdhe-secp521r1 { - value 14; - description - "Ephemeral Diffie Hellman key exchange with elliptic - group over curve secp521r1"; - reference - "RFC 8422: - Elliptic Curve Cryptography (ECC) Cipher 
Suites - for Transport Layer Security (TLS) Versions 1.2 - and Earlier"; - } - enum ecdhe-x25519 { - value 15; - description - "Ephemeral Diffie Hellman key exchange with elliptic - group over curve x25519"; - reference - "RFC 8422: - Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS) Versions 1.2 - and Earlier"; - } - enum ecdhe-x448 { - value 16; - description - "Ephemeral Diffie Hellman key exchange with elliptic - group over curve x448"; - reference - "RFC 8422: - Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS) Versions 1.2 - and Earlier"; - } - enum psk-ecdhe-secp256r1 { - value 17; - description - "Key exchange using pre-shared key with elliptic - group-based Ephemeral Diffie Hellman key exchange - over curve secp256r1"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum psk-ecdhe-secp384r1 { - value 18; - description - "Key exchange using pre-shared key with elliptic - group-based Ephemeral Diffie Hellman key exchange - over curve secp384r1"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum psk-ecdhe-secp521r1 { - value 19; - description - "Key exchange using pre-shared key with elliptic - group-based Ephemeral Diffie Hellman key exchange - over curve secp521r1"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum psk-ecdhe-x25519 { - value 20; - description - "Key exchange using pre-shared key with elliptic - group-based Ephemeral Diffie Hellman key exchange - over curve x25519"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum psk-ecdhe-x448 { - value 21; - description - "Key exchange using pre-shared key with elliptic - group-based Ephemeral Diffie Hellman key exchange - over curve x448"; - reference - "RFC 8446: - The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - enum 
diffie-hellman-group14-sha1 { - value 22; - description - "Using DH group14 and SHA1 for key exchange"; - reference - "RFC 4253: - The Secure Shell (SSH) Transport Layer Protocol"; - } - enum diffie-hellman-group14-sha256 { - value 23; - description - "Using DH group14 and SHA-256 for key exchange"; - reference - "RFC 8268: - More Modular Exponentiation (MODP) Diffie-Hellman (DH) - Key Exchange (KEX) Groups for Secure Shell (SSH)"; - } - enum diffie-hellman-group15-sha512 { - value 24; - description - "Using DH group15 and SHA-512 for key exchange"; - reference - "RFC 8268: - More Modular Exponentiation (MODP) Diffie-Hellman (DH) - Key Exchange (KEX) Groups for Secure Shell (SSH)"; - } - enum diffie-hellman-group16-sha512 { - value 25; - description - "Using DH group16 and SHA-512 for key exchange"; - reference - "RFC 8268: - More Modular Exponentiation (MODP) Diffie-Hellman (DH) - Key Exchange (KEX) Groups for Secure Shell (SSH)"; - } - enum diffie-hellman-group17-sha512 { - value 26; - description - "Using DH group17 and SHA-512 for key exchange"; - reference - "RFC 8268: - More Modular Exponentiation (MODP) Diffie-Hellman (DH) - Key Exchange (KEX) Groups for Secure Shell (SSH)"; - } - enum diffie-hellman-group18-sha512 { - value 27; - description - "Using DH group18 and SHA-512 for key exchange"; - reference - "RFC 8268: - More Modular Exponentiation (MODP) Diffie-Hellman (DH) - Key Exchange (KEX) Groups for Secure Shell (SSH)"; - } - enum ecdh-sha2-secp256r1 { - value 28; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve ecp256r1 and using SHA2 for MAC generation"; - reference - "RFC 6239: - Suite B Cryptographic Suites for Secure Shell (SSH)"; - } - enum ecdh-sha2-secp384r1 { - value 29; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve ecp384r1 and using SHA2 for MAC generation"; - reference - "RFC 6239: - Suite B Cryptographic Suites for Secure Shell (SSH)"; - } - enum ecdh-x25519-x9.63-sha256 { - 
value 30; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.25519 and using ANSI x9.63 with SHA256 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum ecdh-x25519-x9.63-sha384 { - value 31; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.25519 and using ANSI x9.63 with SHA384 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum ecdh-x25519-x9.63-sha512 { - value 32; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.25519 and using ANSI x9.63 with SHA512 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum ecdh-x25519-hkdf-sha256 { - value 33; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.25519 and using HKDF with SHA256 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum ecdh-x25519-hkdf-sha384 { - value 34; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.25519 and using HKDF with SHA384 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum ecdh-x25519-hkdf-sha512 { - value 35; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.25519 and using HKDF with SHA512 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum 
ecdh-x448-x9.63-sha256 { - value 36; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.448 and using ANSI x9.63 with SHA256 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum ecdh-x448-x9.63-sha384 { - value 37; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.448 and using ANSI x9.63 with SHA384 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum ecdh-x448-x9.63-sha512 { - value 38; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.448 and using ANSI x9.63 with SHA512 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum ecdh-x448-hkdf-sha256 { - value 39; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.448 and using HKDF with SHA256 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum ecdh-x448-hkdf-sha384 { - value 40; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.448 and using HKDF with SHA384 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum ecdh-x448-hkdf-sha512 { - value 41; - description - "Elliptic curve-based Diffie Hellman key exchange over - curve x.448 and using HKDF with SHA512 as KDF"; - reference - "RFC 8418: - Use of the Elliptic Curve Diffie-Hellman Key Agreement - Algorithm with X25519 and X448 in the Cryptographic - Message Syntax (CMS)"; - } - enum 
rsaes-oaep { - value 42; - description - "RSAES-OAEP combines the RSAEP and RSADP primitives with - the EME-OAEP encoding method"; - reference - "RFC 8017: - PKCS #1: - RSA Cryptography Specifications Version 2.2."; - } - enum rsaes-pkcs1-v1_5 { - value 43; - description - "RSAES-PKCS1-v1_5 combines the RSAEP and RSADP - primitives with the EME-PKCS1-v1_5 encoding method"; - reference - "RFC 8017: - PKCS #1: - RSA Cryptography Specifications Version 2.2."; - } - } - } - default "0"; - description - "The uint16 filed shall be set by individual protocol - families according to the key exchange algorithm value - assigned by IANA. The setting is optional and by default - is 0. The enumeration filed is set to the selected key - exchange algorithm."; - } - - /***************************************************/ - /* Typedefs for ASN.1 structures from RFC 5280 */ - /***************************************************/ - - typedef x509 { - type binary; - description - "A Certificate structure, as specified in RFC 5280, - encoded using ASN.1 distinguished encoding rules (DER), - as specified in ITU-T X.690."; - reference - "RFC 5280: - Internet X.509 Public Key Infrastructure Certificate - and Certificate Revocation List (CRL) Profile - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - - typedef crl { - type binary; - description - "A CertificateList structure, as specified in RFC 5280, - encoded using ASN.1 distinguished encoding rules (DER), - as specified in ITU-T X.690."; - reference - "RFC 5280: - Internet X.509 Public Key Infrastructure Certificate - and Certificate Revocation List (CRL) Profile - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - - 
/***********************************************/ - /* Typedefs for ASN.1 structures from 5652 */ - /***********************************************/ - - typedef cms { - type binary; - description - "A ContentInfo structure, as specified in RFC 5652, - encoded using ASN.1 distinguished encoding rules (DER), - as specified in ITU-T X.690."; - reference - "RFC 5652: - Cryptographic Message Syntax (CMS) - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - - typedef data-content-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - data content type, as described by Section 4 in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef signed-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - signed-data content type, as described by Section 5 in - RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef enveloped-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - enveloped-data content type, as described by Section 6 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef digested-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - digested-data content type, as described by Section 7 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef encrypted-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - encrypted-data content type, as described by Section 8 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef authenticated-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - 
authenticated-data content type, as described by Section 9 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - /***************************************************/ - /* Typedefs for structures related to RFC 4253 */ - /***************************************************/ - - typedef ssh-host-key { - type binary; - description - "The binary public key data for this SSH key, as - specified by RFC 4253, Section 6.6, i.e.: - - string certificate or public key format - identifier - byte[n] key/certificate data."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer - Protocol"; - } - - /*********************************************************/ - /* Typedefs for ASN.1 structures related to RFC 5280 */ - /*********************************************************/ - - typedef trust-anchor-cert-x509 { - type x509; - description - "A Certificate structure that MUST encode a self-signed - root certificate."; - } - - typedef end-entity-cert-x509 { - type x509; - description - "A Certificate structure that MUST encode a certificate - that is neither self-signed nor having Basic constraint - CA true."; - } - - /*********************************************************/ - /* Typedefs for ASN.1 structures related to RFC 5652 */ - /*********************************************************/ - - typedef trust-anchor-cert-cms { - type signed-data-cms; - description - "A CMS SignedData structure that MUST contain the chain of - X.509 certificates needed to authenticate the certificate - presented by a client or end-entity. - - The CMS MUST contain only a single chain of certificates. - The client or end-entity certificate MUST only authenticate - to last intermediate CA certificate listed in the chain. - - In all cases, the chain MUST include a self-signed root - certificate. In the case where the root certificate is - itself the issuer of the client or end-entity certificate, - only one certificate is present. 
- - This CMS structure MAY (as applicable where this type is - used) also contain suitably fresh (as defined by local - policy) revocation objects with which the device can - verify the revocation status of the certificates. - - This CMS encodes the degenerate form of the SignedData - structure that is commonly used to disseminate X.509 - certificates and revocation objects (RFC 5280)."; - reference - "RFC 5280: - Internet X.509 Public Key Infrastructure Certificate - and Certificate Revocation List (CRL) Profile."; - } - - typedef end-entity-cert-cms { - type signed-data-cms; - description - "A CMS SignedData structure that MUST contain the end - entity certificate itself, and MAY contain any number - of intermediate certificates leading up to a trust - anchor certificate. The trust anchor certificate - MAY be included as well. - - The CMS MUST contain a single end entity certificate. - The CMS MUST NOT contain any spurious certificates. - - This CMS structure MAY (as applicable where this type is - used) also contain suitably fresh (as defined by local - policy) revocation objects with which the device can - verify the revocation status of the certificates. 
- - This CMS encodes the degenerate form of the SignedData - structure that is commonly used to disseminate X.509 - certificates and revocation objects (RFC 5280)."; - reference - "RFC 5280: - Internet X.509 Public Key Infrastructure Certificate - and Certificate Revocation List (CRL) Profile."; - } - - /**********************************************/ - /* Groupings for keys and/or certificates */ - /**********************************************/ - - grouping symmetric-key-grouping { - description - "A symmetric key and algorithm."; - leaf algorithm { - type encryption-algorithm-t; - mandatory true; - description - "The algorithm to be used when generating the key."; - reference - "RFC CCCC: Common YANG Data Types for Cryptography"; - } - choice key-type { - mandatory true; - description - "Choice between key types."; - leaf key { - nacm:default-deny-all; - type binary; - description - "The binary value of the key. The interpretation of - the value is defined by 'algorithm'. For example, - FIXME."; - reference - "RFC XXXX: FIXME"; - } - leaf hidden-key { - nacm:default-deny-write; - type empty; - description - "A permanently hidden key. How such keys are created - is outside the scope of this module."; - } - } - } - - grouping public-key-grouping { - description - "A public key and its associated algorithm."; - leaf algorithm { - nacm:default-deny-write; - type asymmetric-key-algorithm-t; - mandatory true; - description - "Identifies the key's algorithm."; - reference - "RFC CCCC: Common YANG Data Types for Cryptography"; - } - leaf public-key { - nacm:default-deny-write; - type binary; - mandatory true; - description - "The binary value of the public key. The interpretation - of the value is defined by 'algorithm'. 
For example, - a DSA key is an integer, an RSA key is represented as - RSAPublicKey per RFC 8017, and an ECC key is represented - using the 'publicKey' described in RFC 5915."; - reference - "RFC 8017: Public-Key Cryptography Standards (PKCS) #1: - RSA Cryptography Specifications Version 2.2. - RFC 5915: Elliptic Curve Private Key Structure."; - } - } - - grouping asymmetric-key-pair-grouping { - description - "A private key and its associated public key and algorithm."; - uses public-key-grouping; - choice private-key-type { - mandatory true; - description - "Choice between key types."; - leaf private-key { - nacm:default-deny-all; - type binary; - description - "The value of the binary key. The key's value is - interpreted by the 'algorithm'. For example, a DSA key - is an integer, an RSA key is represented as RSAPrivateKey - as defined in RFC 8017, and an ECC key is represented as - ECPrivateKey as defined in RFC 5915."; - reference - "RFC 8017: Public-Key Cryptography Standards (PKCS) #1: - RSA Cryptography Specifications Version 2.2. - RFC 5915: Elliptic Curve Private Key Structure."; - } - leaf hidden-private-key { - nacm:default-deny-write; - type empty; - description - "A permanently hidden key. How such keys are created - is outside the scope of this module."; - } - } - } - - grouping trust-anchor-cert-grouping { - description - "A trust anchor certificate, and a notification for when - it is about to (or already has) expire."; - leaf cert { - nacm:default-deny-write; - type trust-anchor-cert-cms; - description - "The binary certificate data for this certificate."; - reference - "RFC YYYY: Common YANG Data Types for Cryptography"; - } - notification certificate-expiration { - description - "A notification indicating that the configured certificate - is either about to expire or has already expired. 
When to - send notifications is an implementation specific decision, - but it is RECOMMENDED that a notification be sent once a - month for 3 months, then once a week for four weeks, and - then once a day thereafter until the issue is resolved."; - leaf expiration-date { - type yang:date-and-time; - mandatory true; - description - "Identifies the expiration date on the certificate."; - } - } - } - - grouping trust-anchor-certs-grouping { - description - "A list of trust anchor certificates, and a notification - for when one is about to (or already has) expire."; - leaf-list cert { - nacm:default-deny-write; - type trust-anchor-cert-cms; - description - "The binary certificate data for this certificate."; - reference - "RFC YYYY: Common YANG Data Types for Cryptography"; - } - notification certificate-expiration { - description - "A notification indicating that the configured certificate - is either about to expire or has already expired. When to - send notifications is an implementation specific decision, - but it is RECOMMENDED that a notification be sent once a - month for 3 months, then once a week for four weeks, and - then once a day thereafter until the issue is resolved."; - leaf expiration-date { - type yang:date-and-time; - mandatory true; - description - "Identifies the expiration date on the certificate."; - } - } - } - - grouping end-entity-cert-grouping { - description - "An end entity certificate, and a notification for when - it is about to (or already has) expire. Implementations - SHOULD assert that, where used, the end entity certificate - contains the expected public key."; - leaf cert { - nacm:default-deny-write; - type end-entity-cert-cms; - description - "The binary certificate data for this certificate."; - reference - "RFC YYYY: Common YANG Data Types for Cryptography"; - } - notification certificate-expiration { - description - "A notification indicating that the configured certificate - is either about to expire or has already expired. 
When to - send notifications is an implementation specific decision, - but it is RECOMMENDED that a notification be sent once a - month for 3 months, then once a week for four weeks, and - then once a day thereafter until the issue is resolved."; - leaf expiration-date { - type yang:date-and-time; - mandatory true; - description - "Identifies the expiration date on the certificate."; - } - } - } - - grouping end-entity-certs-grouping { - description - "A list of end entity certificates, and a notification for - when one is about to (or already has) expire."; - leaf-list cert { - nacm:default-deny-write; - type end-entity-cert-cms; - description - "The binary certificate data for this certificate."; - reference - "RFC YYYY: Common YANG Data Types for Cryptography"; - } - notification certificate-expiration { - description - "A notification indicating that the configured certificate - is either about to expire or has already expired. When to - send notifications is an implementation specific decision, - but it is RECOMMENDED that a notification be sent once a - month for 3 months, then once a week for four weeks, and - then once a day thereafter until the issue is resolved."; - leaf expiration-date { - type yang:date-and-time; - mandatory true; - description - "Identifies the expiration date on the certificate."; - } - } - } - - grouping asymmetric-key-pair-with-cert-grouping { - description - "A private/public key pair and an associated certificate. - Implementations SHOULD assert that certificates contain - the matching public key."; - uses asymmetric-key-pair-grouping; - uses end-entity-cert-grouping; - action generate-certificate-signing-request { - nacm:default-deny-all; - description - "Generates a certificate signing request structure for - the associated asymmetric key using the passed subject - and attribute values. The specified assertions need - to be appropriate for the certificate's use. 
For - example, an entity certificate for a TLS server - SHOULD have values that enable clients to satisfy - RFC 6125 processing."; - input { - leaf subject { - type binary; - mandatory true; - description - "The 'subject' field per the CertificationRequestInfo - structure as specified by RFC 2986, Section 4.1 - encoded using the ASN.1 distinguished encoding - rules (DER), as specified in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - leaf attributes { - type binary; // FIXME: does this need to be mandatory? - description - "The 'attributes' field from the structure - CertificationRequestInfo as specified by RFC 2986, - Section 4.1 encoded using the ASN.1 distinguished - encoding rules (DER), as specified in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - } - output { - leaf certificate-signing-request { - type binary; - mandatory true; - description - "A CertificationRequest structure as specified by - RFC 2986, Section 4.2 encoded using the ASN.1 - distinguished encoding rules (DER), as specified - in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. 
- ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - } - } // generate-certificate-signing-request - } // asymmetric-key-pair-with-cert-grouping - - grouping asymmetric-key-pair-with-certs-grouping { - description - "A private/public key pair and associated certificates. - Implementations SHOULD assert that certificates contain - the matching public key."; - uses asymmetric-key-pair-grouping; - container certificates { - nacm:default-deny-write; - description - "Certificates associated with this asymmetric key. - More than one certificate supports, for instance, - a TPM-protected asymmetric key that has both IDevID - and LDevID certificates associated."; - list certificate { - key "name"; - description - "A certificate for this asymmetric key."; - leaf name { - type string; - description - "An arbitrary name for the certificate. If the name - matches the name of a certificate that exists - independently in (i.e., an IDevID), - then the 'cert' node MUST NOT be configured."; - } - uses end-entity-cert-grouping; - } - } // certificates - action generate-certificate-signing-request { - nacm:default-deny-all; - description - "Generates a certificate signing request structure for - the associated asymmetric key using the passed subject - and attribute values. The specified assertions need - to be appropriate for the certificate's use. For - example, an entity certificate for a TLS server - SHOULD have values that enable clients to satisfy - RFC 6125 processing."; - input { - leaf subject { - type binary; - mandatory true; - description - "The 'subject' field per the CertificationRequestInfo - structure as specified by RFC 2986, Section 4.1 - encoded using the ASN.1 distinguished encoding - rules (DER), as specified in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. 
- ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - leaf attributes { - type binary; // FIXME: does this need to be mandatory? - description - "The 'attributes' field from the structure - CertificationRequestInfo as specified by RFC 2986, - Section 4.1 encoded using the ASN.1 distinguished - encoding rules (DER), as specified in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - } - output { - leaf certificate-signing-request { - type binary; - mandatory true; - description - "A CertificationRequest structure as specified by - RFC 2986, Section 4.2 encoded using the ASN.1 - distinguished encoding rules (DER), as specified - in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax - Specification Version 1.7. - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; - } - } - } // generate-certificate-signing-request - } // asymmetric-key-pair-with-certs-grouping - } diff --git a/modules/ietf-keystore@2019-07-02.yang b/modules/ietf-keystore@2019-07-02.yang deleted file mode 100644 index a4724c0b..00000000 --- a/modules/ietf-keystore@2019-07-02.yang +++ /dev/null 
@@ -1,458 +0,0 @@ - module ietf-keystore { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-keystore"; - prefix ks; - - import ietf-crypto-types { - prefix ct; - reference - "RFC CCCC: Common YANG Data Types for Cryptography"; - } - - import ietf-netconf-acm { - prefix nacm; - reference - "RFC 8341: Network Configuration Access Control Model"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen "; - - description - "This module defines a keystore to centralize management - of security credentials. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
- - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC VVVV: A YANG Data Model for a Keystore"; - } - - /****************/ - /* Features */ - /****************/ - - feature keystore-supported { - description - "The 'keystore-supported' feature indicates that the server - supports the keystore."; - } - - feature local-definitions-supported { - description - "The 'local-definitions-supported' feature indicates that the - server supports locally-defined keys."; - } - - feature key-generation { - description - "Indicates that the server supports the actions related to - the life cycling keys in . 
To be used by - configuration, keys in must be copied to - ."; - } - - /****************/ - /* Typedefs */ - /****************/ - - typedef asymmetric-key-ref { - type leafref { - path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key" - + "/ks:name"; - } - description - "This typedef enables modules to easily define a reference - to an asymmetric key stored in the keystore."; - } - - /*****************/ - /* Groupings */ - /*****************/ - - - grouping key-reference-type-grouping { - description - "A reusable grouping for a choice for the type of key - referenced in the keystore."; - choice key-type { - mandatory true; - description - "A choice between a reference to a symmetric or asymmetric - key in the keystore."; - leaf symmetric-key-ref { - if-feature "keystore-supported"; - type leafref { - path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key/" - + "ks:name"; - } - description - "Identifies a symmetric key used to encrypt this key."; - } - leaf asymmetric-key-ref { - if-feature "keystore-supported"; - type leafref { - path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key/" - + "ks:name"; - } - description - "Identifies an asymmetric key used to encrypt this key."; - } - } - } - - grouping encrypted-value-grouping { - description - "A reusable grouping for a value that has been encrypted by - a symmetric or asymmetric key in the keystore."; - uses "key-reference-type-grouping"; - leaf value { - type binary; - description - "The private key, encrypted using the specified symmetric - or asymmetric key."; - } - } - - grouping symmetric-key-grouping { - description - "This grouping is identical to the one in ietf-crypt-types - except that it adds a couple case statements enabling the - key value to be encrypted by a symmetric or an asymmetric - key known to the keystore."; - uses ct:symmetric-key-grouping { - augment "key-type" { - description - "Augments a new 'case' statement into the 'choice' - statement defined by the ietf-crypto-types module."; - 
container encrypted-key { - description - "A container for the encrypted symmetric key value."; - uses encrypted-value-grouping; - } - } - } - } - - grouping asymmetric-key-pair-grouping { - description - "This grouping is identical to the one in ietf-crypt-types - except that it adds a couple case statements enabling the - key value to be encrypted by a symmetric or an asymmetric - key known to the keystore."; - uses ct:asymmetric-key-pair-grouping { - augment "private-key-type" { - description - "Augments a new 'case' statement into the 'choice' - statement defined by the ietf-crypto-types module."; - container encrypted-private-key { - description - "A container for the encrypted asymmetric private - key value."; - uses encrypted-value-grouping; - } - } - } - } - - grouping asymmetric-key-pair-with-cert-grouping { - description - "This grouping is identical to the one in ietf-crypt-types - except that it adds a couple case statements enabling the - key value to be encrypted by a symmetric or an asymmetric - key known to the keystore."; - uses ct:asymmetric-key-pair-with-cert-grouping { - augment "private-key-type" { - description - "Augments a new 'case' statement into the 'choice' - statement defined by the ietf-crypto-types module."; - container encrypted-private-key { - description - "A container for the encrypted asymmetric private - key value."; - uses encrypted-value-grouping; - } - } - } - } - - grouping asymmetric-key-pair-with-certs-grouping { - description - "This grouping is identical to the one in ietf-crypt-types - except that it adds a couple case statements enabling the - key value to be encrypted by a symmetric or an asymmetric - key known to the keystore."; - uses ct:asymmetric-key-pair-with-certs-grouping { - augment "private-key-type" { - description - "Augments a new 'case' statement into the 'choice' - statement defined by the ietf-crypto-types module."; - container encrypted-private-key { - description - "A container for the encrypted 
asymmetric private - key value."; - uses encrypted-value-grouping; - } - } - } - } - - grouping asymmetric-key-certificate-ref-grouping { - leaf asymmetric-key { - type ks:asymmetric-key-ref; - must '../certificate'; - description - "A reference to an asymmetric key in the keystore."; - } - leaf certificate { - type leafref { - path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key[ks:" - + "name = current()/../asymmetric-key]/ks:certificates" - + "/ks:certificate/ks:name"; - } - must '../asymmetric-key'; - description - "A reference to a specific certificate of the - asymmetric key in the keystore."; - } - description - "This grouping defines a reference to a specific certificate - associated with an asymmetric key stored in the keystore."; - } - - grouping local-or-keystore-asymmetric-key-grouping { - description - "A grouping that expands to allow the asymmetric key to be - either stored locally, within the using data model, or be - a reference to an asymmetric key stored in the keystore."; - choice local-or-keystore { - mandatory true; - case local { - if-feature "local-definitions-supported"; - container local-definition { - description - "Container to hold the local key definition."; - uses asymmetric-key-pair-grouping; - } - } - case keystore { - if-feature "keystore-supported"; - leaf keystore-reference { - type ks:asymmetric-key-ref; - description - "A reference to an asymmetric key that exists in - the keystore. 
The intent is to reference just the - asymmetric key, not any certificates that may also - be associated with the asymmetric key."; - } - } - description - "A choice between an inlined definition and a definition - that exists in the keystore."; - } - } - - grouping local-or-keystore-asymmetric-key-with-certs-grouping { - description - "A grouping that expands to allow an asymmetric key and its - associated certificates to be either stored locally, within - the using data model, or be a reference to an asymmetric key - (and its associated certificates) stored in the keystore."; - choice local-or-keystore { - mandatory true; - case local { - if-feature "local-definitions-supported"; - container local-definition { - description - "Container to hold the local key definition."; - uses asymmetric-key-pair-with-certs-grouping; - } - } - case keystore { - if-feature "keystore-supported"; - leaf keystore-reference { - type ks:asymmetric-key-ref; - description - "A reference to an asymmetric-key (and all of its - associated certificates) in the keystore."; - } - } - description - "A choice between an inlined definition and a definition - that exists in the keystore."; - } - } - - grouping local-or-keystore-end-entity-cert-with-key-grouping { - description - "A grouping that expands to allow an end-entity certificate - (and its associated private key) to be either stored locally, - within the using data model, or be a reference to a specific - certificate in the keystore."; - choice local-or-keystore { - mandatory true; - case local { - if-feature "local-definitions-supported"; - container local-definition { - description - "Container to hold the local key definition."; - uses asymmetric-key-pair-with-cert-grouping; - } - } - case keystore { - if-feature "keystore-supported"; - container keystore-reference { - uses asymmetric-key-certificate-ref-grouping; - description - "A reference to a specific certificate (and its - associated private key) in the keystore."; - } - } - 
description - "A choice between an inlined definition and a definition - that exists in the keystore."; - } - } - - grouping keystore-grouping { - description - "Grouping definition enables use in other contexts. If ever - done, implementations SHOULD augment new 'case' statements - into local-or-keystore 'choice' statements to supply leafrefs - to the new location."; - container asymmetric-keys { - description - "A list of asymmetric keys."; - list asymmetric-key { - key "name"; - description - "An asymmetric key."; - leaf name { - type string; - description - "An arbitrary name for the asymmetric key."; - } - uses ks:asymmetric-key-pair-with-certs-grouping; - } - } - container symmetric-keys { - description - "A list of symmetric keys."; - list symmetric-key { - key "name"; - description - "A symmetric key."; - leaf name { - type string; - description - "An arbitrary name for the symmetric key."; - } - uses ks:symmetric-key-grouping; - } - } - } // grouping keystore-grouping - - - /*********************************/ - /* Protocol accessible nodes */ - /*********************************/ - - container keystore { - nacm:default-deny-write; - description - "The keystore contains a list of keys."; - uses keystore-grouping; - } - - rpc generate-symmetric-key { - //nacm:default-deny-all; - description - "Requests the device to generate an symmetric key using - the specified key algorithm, optionally encrypted using - a key in the keystore. The output is this RPC can be - used as input to a subsequent configuration request."; - input { - leaf algorithm { - type ct:encryption-algorithm-t; - mandatory true; - description - "The algorithm to be used when generating the key."; - reference - "RFC CCCC: Common YANG Data Types for Cryptography"; - } - container encrypt-with { - presence - "Indicates that the key should be encrypted using - the specified symmetric or asymmetric key. 
If not - specified, then the private key is not encrypted - when returned."; - description - "A container for the 'key-type' choice."; - uses key-reference-type-grouping; - } - } - output { - uses ks:symmetric-key-grouping; - } - } // end generate-symmetric-key - - rpc generate-asymmetric-key { - //nacm:default-deny-all; - description - "Requests the device to generate an asymmetric key using - the specified key algorithm, optionally encrypted using - a key in the keystore. The output is this RPC can be - used as input to a subsequent configuration request."; - input { - leaf algorithm { - type ct:asymmetric-key-algorithm-t; - mandatory true; - description - "The algorithm to be used when generating the key."; - reference - "RFC CCCC: Common YANG Data Types for Cryptography"; - } - container encrypt-with { - presence - "Indicates that the key should be encrypted using - the specified symmetric or asymmetric key. If not - specified, then the private key is not encrypted - when returned."; - description - "A container for the 'key-type' choice."; - uses key-reference-type-grouping; - } - } - output { - uses ks:asymmetric-key-pair-grouping; - } - } // end generate-asymmetric-key - - } diff --git a/modules/ietf-netconf-server@2019-07-02.yang b/modules/ietf-netconf-server@2019-07-02.yang deleted file mode 100644 index ed6bfbbd..00000000 --- a/modules/ietf-netconf-server@2019-07-02.yang +++ /dev/null 
@@ -1,520 +0,0 @@ - module ietf-netconf-server { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server"; - prefix ncs; - - import ietf-yang-types { - prefix yang; - reference - "RFC 6991: Common YANG Data Types"; - } - - import ietf-x509-cert-to-name { - prefix x509c2n; - reference - "RFC 7407: A YANG Data Model for SNMP Configuration"; - } - - import ietf-tcp-client { - prefix tcpc; - reference - "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; - } - - import ietf-tcp-server { - prefix tcps; - reference - "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; - } - - import ietf-ssh-server { - prefix sshs; - revision-date 2019-07-02; // stable grouping definitions - reference - "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers"; - } - - import ietf-tls-server { - prefix tlss; - revision-date 2019-07-02; // stable grouping definitions - reference - "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Gary Wu - Author: Juergen Schoenwaelder - "; - description - "This module contains a collection of YANG definitions - for configuring NETCONF servers. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
- - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: NETCONF Client and Server Models"; - } - - // Features - - feature ssh-listen { - description - "The 'ssh-listen' feature indicates that the NETCONF server - supports opening a port to accept NETCONF over SSH - client connections."; - reference - "RFC 6242: - Using the NETCONF Protocol over Secure Shell (SSH)"; - } - - feature tls-listen { - description - "The 'tls-listen' feature indicates that the NETCONF server - supports opening a port to accept NETCONF over TLS - client connections."; - reference - "RFC 7589: Using the NETCONF Protocol over Transport - Layer Security (TLS) with Mutual X.509 - Authentication"; - } - - feature ssh-call-home { - description - "The 'ssh-call-home' feature indicates that the NETCONF - server supports initiating a NETCONF over SSH call - home connection to NETCONF clients."; - reference - "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; - } - - feature tls-call-home { - description - "The 'tls-call-home' feature indicates that the NETCONF - server supports initiating a NETCONF over TLS call - home connection to NETCONF clients."; - reference - "RFC 8071: NETCONF Call Home and RESTCONF Call Home"; - } - - // Groupings - - grouping netconf-server-grouping { - description - "Top-level grouping for NETCONF server configuration."; - container listen { - if-feature "ssh-listen or tls-listen"; - presence - "Enables server to listen for NETCONF client connections."; - description - "Configures 
listen behavior"; - leaf idle-timeout { - type uint16; - units "seconds"; - default 3600; // one hour - description - "Specifies the maximum number of seconds that a NETCONF - session may remain idle. A NETCONF session will be - dropped if it is idle for an interval longer than this - number of seconds. If set to zero, then the server - will never drop a session because it is idle. Sessions - that have a notification subscription active are never - dropped."; - } - list endpoint { - key "name"; - min-elements 1; - description - "List of endpoints to listen for NETCONF connections."; - leaf name { - type string; - description - "An arbitrary name for the NETCONF listen endpoint."; - } - choice transport { - mandatory true; - description - "Selects between available transports."; - case ssh { - if-feature "ssh-listen"; - container ssh { - description - "SSH-specific listening configuration for inbound - connections."; - container tcp-server-parameters { - description - "A wrapper around the TCP client parameters - to avoid name collisions."; - uses tcps:tcp-server-grouping { - refine "local-port" { - default "830"; - description - "The NETCONF server will listen on the - IANA-assigned well-known port value - for 'netconf-ssh' (830) if no value - is specified."; - } - } - } - container ssh-server-parameters { - description - "A wrapper around the SSH server parameters - to avoid name collisions."; - uses sshs:ssh-server-grouping; - } - } - } - case tls { - if-feature "tls-listen"; - container tls { - description - "TLS-specific listening configuration for inbound - connections."; - container tcp-server-parameters { - description - "A wrapper around the TCP client parameters - to avoid name collisions."; - uses tcps:tcp-server-grouping { - refine "local-port" { - default "6513"; - description - "The NETCONF server will listen on the - IANA-assigned well-known port value - for 'netconf-tls' (6513) if no value - is specified."; - } - } - } - container 
tls-server-parameters { - description - "A wrapper around the TLS server parameters to - avoid name collisions."; - uses tlss:tls-server-grouping { - refine "client-authentication" { - //must 'ca-certs or client-certs'; - description - "NETCONF/TLS servers MUST validate client - certificates."; - } - augment "client-authentication" { - description - "Augments in the cert-to-name structure."; - container cert-maps { - uses x509c2n:cert-to-name; - description - "The cert-maps container is used by a TLS- - based NETCONF server to map the NETCONF - client's presented X.509 certificate to - a NETCONF username. If no matching and - valid cert-to-name list entry can be found, - then the NETCONF server MUST close the - connection, and MUST NOT accept NETCONF - messages over it."; - reference - "RFC WWWW: NETCONF over TLS, Section 7"; - } - } - } - } - } - } - } - } - } - container call-home { - if-feature "ssh-call-home or tls-call-home"; - presence - "Enables the NETCONF server to initiate the underlying - transport connection to NETCONF clients."; - description "Configures call home behavior."; - list netconf-client { - key "name"; - min-elements 1; - description - "List of NETCONF clients the NETCONF server is to - initiate call-home connections to in parallel."; - leaf name { - type string; - description - "An arbitrary name for the remote NETCONF client."; - } - container endpoints { - description - "Container for the list of endpoints."; - list endpoint { - key "name"; - min-elements 1; - ordered-by user; - description - "A non-empty user-ordered list of endpoints for this - NETCONF server to try to connect to in sequence. 
- Defining more than one enables high-availability."; - leaf name { - type string; - description - "An arbitrary name for this endpoint."; - } - choice transport { - mandatory true; - description - "Selects between available transports."; - case ssh { - if-feature "ssh-call-home"; - container ssh { - description - "Specifies SSH-specific call-home transport - configuration."; - container tcp-client-parameters { - description - "A wrapper around the TCP client parameters - to avoid name collisions."; - uses tcpc:tcp-client-grouping { - refine "remote-port" { - default "4334"; - description - "The NETCONF server will attempt to connect - to the IANA-assigned well-known port for - 'netconf-ch-tls' (4334) if no value is - specified."; - } - } - } - container ssh-server-parameters { - description - "A wrapper around the SSH server parameters - to avoid name collisions."; - uses sshs:ssh-server-grouping; - } - } - } - case tls { - if-feature "tls-call-home"; - container tls { - description - "Specifies TLS-specific call-home transport - configuration."; - container tcp-client-parameters { - description - "A wrapper around the TCP client parameters - to avoid name collisions."; - uses tcpc:tcp-client-grouping { - refine "remote-port" { - default "4335"; - description - "The NETCONF server will attempt to connect - to the IANA-assigned well-known port for - 'netconf-ch-tls' (4335) if no value is - specified."; - } - } - } - container tls-server-parameters { - description - "A wrapper around the TLS server parameters - to avoid name collisions."; - uses tlss:tls-server-grouping { - refine "client-authentication" { - /* commented out since auth could be external - must 'ca-certs or client-certs'; - */ - description - "NETCONF/TLS servers MUST validate client - certificates."; - } - augment "client-authentication" { - description - "Augments in the cert-to-name structure."; - container cert-maps { - uses x509c2n:cert-to-name; - description - "The cert-maps container is used 
by a - TLS-based NETCONF server to map the - NETCONF client's presented X.509 - certificate to a NETCONF username. If - no matching and valid cert-to-name list - entry can be found, then the NETCONF - server MUST close the connection, and - MUST NOT accept NETCONF messages over - it."; - reference - "RFC WWWW: NETCONF over TLS, Section 7"; - } - } - } - } - } - } // tls - } // choice - } // endpoint - } // endpoints - container connection-type { - description - "Indicates the NETCONF server's preference for how the - NETCONF connection is maintained."; - choice connection-type { - mandatory true; - description - "Selects between available connection types."; - case persistent-connection { - container persistent { - presence "Indicates that a persistent connection is - to be maintained."; - description - "Maintain a persistent connection to the NETCONF - client. If the connection goes down, immediately - start trying to reconnect to the NETCONF client, - using the reconnection strategy. - - This connection type minimizes any NETCONF client - to NETCONF server data-transfer delay, albeit at - the expense of holding resources longer."; - } // container persistent - } // case persistent-connection - case periodic-connection { - container periodic { - presence "Indicates that a periodic connection is - to be maintained."; - description - "Periodically connect to the NETCONF client. - - This connection type increases resource - utilization, albeit with increased delay in - NETCONF client to NETCONF client interactions. - - The NETCONF client SHOULD gracefully close the - connection using upon completing - planned activities. If the NETCONF session is - not closed gracefully, the NETCONF server MUST - immediately attempt to reestablish the connection. 
- - In the case that the previous connection is still - active (i.e., the NETCONF client has not closed - it yet), establishing a new connection is NOT - RECOMMENDED."; - leaf period { - type uint16; - units "minutes"; - default "60"; - description - "Duration of time between periodic connections."; - } - leaf anchor-time { - type yang:date-and-time { - // constrained to minute-level granularity - pattern '[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:00' - + '(Z|[\+\-][0-9]{2}:[0-9]{2})'; - } - description - "Designates a timestamp before or after which a - series of periodic connections are determined. - The periodic connections occur at a whole - multiple interval from the anchor time. For - example, for an anchor time is 15 minutes past - midnight and a period interval of 24 hours, then - a periodic connection will occur 15 minutes past - midnight everyday."; - } - leaf idle-timeout { - type uint16; - units "seconds"; - default 120; // two minutes - description - "Specifies the maximum number of seconds that - a NETCONF session may remain idle. A NETCONF - session will be dropped if it is idle for an - interval longer than this number of seconds. - If set to zero, then the server will never - drop a session because it is idle."; - } - } // container periodic - } // case periodic-connection - } // choice connection-type - } // container connection-type - container reconnect-strategy { - description - "The reconnection strategy directs how a NETCONF server - reconnects to a NETCONF client, after discovering its - connection to the client has dropped, even if due to a - reboot. 
The NETCONF server starts with the specified - endpoint and tries to connect to it max-attempts times - before trying the next endpoint in the list (round - robin)."; - leaf start-with { - type enumeration { - enum first-listed { - description - "Indicates that reconnections should start with - the first endpoint listed."; - } - enum last-connected { - description - "Indicates that reconnections should start with - the endpoint last connected to. If no previous - connection has ever been established, then the - first endpoint configured is used. NETCONF - servers SHOULD be able to remember the last - endpoint connected to across reboots."; - } - enum random-selection { - description - "Indicates that reconnections should start with - a random endpoint."; - } - } - default "first-listed"; - description - "Specifies which of the NETCONF client's endpoints - the NETCONF server should start with when trying - to connect to the NETCONF client."; - } - leaf max-attempts { - type uint8 { - range "1..max"; - } - default "3"; - description - "Specifies the number times the NETCONF server tries - to connect to a specific endpoint before moving on - to the next endpoint in the list (round robin)."; - } - } // container reconnect-strategy - } // list netconf-client - } // container call-home - } // grouping netconf-server-grouping - - // Protocol accessible node, for servers that implement this - // module. - - container netconf-server { - uses netconf-server-grouping; - description - "Top-level container for NETCONF server configuration."; - } - } diff --git a/modules/ietf-ssh-common@2019-07-02.yang b/modules/ietf-ssh-common@2019-07-02.yang deleted file mode 100644 index 671f7874..00000000 --- a/modules/ietf-ssh-common@2019-07-02.yang +++ /dev/null 
@@ -1,462 +0,0 @@ - module ietf-ssh-common { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common"; - prefix sshcmn; - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Gary Wu "; - - description - "This module defines a common features, identities, and - groupings for Secure Shell (SSH). - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). - - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers"; - } - - // Features - - feature ssh-ecc { - description - "Elliptic Curve Cryptography is supported for SSH."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - feature ssh-x509-certs { - description - "X.509v3 certificates are supported for SSH per RFC 6187."; - reference - "RFC 6187: X.509v3 Certificates for Secure Shell - Authentication"; - } - - feature ssh-dh-group-exchange { - description - "Diffie-Hellman Group Exchange is supported for SSH."; - reference - "RFC 4419: Diffie-Hellman Group Exchange 
for the - Secure Shell (SSH) Transport Layer Protocol"; - } - - feature ssh-ctr { - description - "SDCTR encryption mode is supported for SSH."; - reference - "RFC 4344: The Secure Shell (SSH) Transport Layer - Encryption Modes"; - } - - feature ssh-sha2 { - description - "The SHA2 family of cryptographic hash functions is - supported for SSH."; - reference - "FIPS PUB 180-4: Secure Hash Standard (SHS)"; - } - - // Identities - - identity public-key-alg-base { - description - "Base identity used to identify public key algorithms."; - } - - identity ssh-dss { - base public-key-alg-base; - description - "Digital Signature Algorithm using SHA-1 as the - hashing algorithm."; - reference - "RFC 4253: - The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity ssh-rsa { - base public-key-alg-base; - description - "RSASSA-PKCS1-v1_5 signature scheme using SHA-1 as the - hashing algorithm."; - reference - "RFC 4253: - The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity ecdsa-sha2-nistp256 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) using the - nistp256 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - identity ecdsa-sha2-nistp384 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) using the - nistp384 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - identity ecdsa-sha2-nistp521 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) using the - nistp521 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure 
Shell Transport Layer"; - } - - identity x509v3-ssh-rsa { - base public-key-alg-base; - if-feature "ssh-x509-certs"; - description - "RSASSA-PKCS1-v1_5 signature scheme using a public key stored - in an X.509v3 certificate and using SHA-1 as the hashing - algorithm."; - reference - "RFC 6187: X.509v3 Certificates for Secure Shell - Authentication"; - } - - identity x509v3-rsa2048-sha256 { - base public-key-alg-base; - if-feature "ssh-x509-certs and ssh-sha2"; - description - "RSASSA-PKCS1-v1_5 signature scheme using a public key stored - in an X.509v3 certificate and using SHA-256 as the hashing - algorithm. RSA keys conveyed using this format MUST have a - modulus of at least 2048 bits."; - reference - "RFC 6187: X.509v3 Certificates for Secure Shell - Authentication"; - } - - identity x509v3-ecdsa-sha2-nistp256 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) - using the nistp256 curve with a public key stored in - an X.509v3 certificate and using the SHA2 family of - hashing algorithms."; - reference - "RFC 6187: X.509v3 Certificates for Secure Shell - Authentication"; - } - - identity x509v3-ecdsa-sha2-nistp384 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) - using the nistp384 curve with a public key stored in - an X.509v3 certificate and using the SHA2 family of - hashing algorithms."; - reference - "RFC 6187: X.509v3 Certificates for Secure Shell - Authentication"; - } - - identity x509v3-ecdsa-sha2-nistp521 { - base public-key-alg-base; - if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2"; - description - "Elliptic Curve Digital Signature Algorithm (ECDSA) - using the nistp521 curve with a public key stored in - an X.509v3 certificate and using the SHA2 family of - hashing algorithms."; - reference - "RFC 6187: X.509v3 Certificates for Secure 
Shell - Authentication"; - } - - identity key-exchange-alg-base { - description - "Base identity used to identify key exchange algorithms."; - } - - identity diffie-hellman-group14-sha1 { - base key-exchange-alg-base; - description - "Diffie-Hellman key exchange with SHA-1 as HASH and - Oakley Group 14 (2048-bit MODP Group)."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity diffie-hellman-group-exchange-sha1 { - base key-exchange-alg-base; - if-feature "ssh-dh-group-exchange"; - description - "Diffie-Hellman Group and Key Exchange with SHA-1 as HASH."; - reference - "RFC 4419: Diffie-Hellman Group Exchange for the - Secure Shell (SSH) Transport Layer Protocol"; - } - - identity diffie-hellman-group-exchange-sha256 { - base key-exchange-alg-base; - if-feature "ssh-dh-group-exchange and ssh-sha2"; - description - "Diffie-Hellman Group and Key Exchange with SHA-256 as HASH."; - reference - "RFC 4419: Diffie-Hellman Group Exchange for the - Secure Shell (SSH) Transport Layer Protocol"; - } - - identity ecdh-sha2-nistp256 { - base key-exchange-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the - nistp256 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - identity ecdh-sha2-nistp384 { - base key-exchange-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the - nistp384 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - identity ecdh-sha2-nistp521 { - base key-exchange-alg-base; - if-feature "ssh-ecc and ssh-sha2"; - description - "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the - nistp521 curve and the SHA2 family of hashing algorithms."; - reference - "RFC 
5656: Elliptic Curve Algorithm Integration in the - Secure Shell Transport Layer"; - } - - identity encryption-alg-base { - description - "Base identity used to identify encryption algorithms."; - } - - identity triple-des-cbc { - base encryption-alg-base; - description - "Three-key 3DES in CBC mode."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity aes128-cbc { - base encryption-alg-base; - description - "AES in CBC mode, with a 128-bit key."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity aes192-cbc { - base encryption-alg-base; - description - "AES in CBC mode, with a 192-bit key."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity aes256-cbc { - base encryption-alg-base; - description - "AES in CBC mode, with a 256-bit key."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity aes128-ctr { - base encryption-alg-base; - if-feature "ssh-ctr"; - description - "AES in SDCTR mode, with 128-bit key."; - reference - "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption - Modes"; - } - - identity aes192-ctr { - base encryption-alg-base; - if-feature "ssh-ctr"; - description - "AES in SDCTR mode, with 192-bit key."; - reference - "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption - Modes"; - } - - identity aes256-ctr { - base encryption-alg-base; - if-feature "ssh-ctr"; - description - "AES in SDCTR mode, with 256-bit key."; - reference - "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption - Modes"; - } - - identity mac-alg-base { - description - "Base identity used to identify message authentication - code (MAC) algorithms."; - } - - identity hmac-sha1 { - base mac-alg-base; - description - "HMAC-SHA1"; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity hmac-sha2-256 { - base mac-alg-base; - if-feature "ssh-sha2"; - description - 
"HMAC-SHA2-256"; - reference - "RFC 6668: SHA-2 Data Integrity Verification for the - Secure Shell (SSH) Transport Layer Protocol"; - } - - identity hmac-sha2-512 { - base mac-alg-base; - if-feature "ssh-sha2"; - description - "HMAC-SHA2-512"; - reference - "RFC 6668: SHA-2 Data Integrity Verification for the - Secure Shell (SSH) Transport Layer Protocol"; - } - - // Groupings - - grouping transport-params-grouping { - description - "A reusable grouping for SSH transport parameters."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - container host-key { - description - "Parameters regarding host key."; - leaf-list host-key-alg { - type identityref { - base public-key-alg-base; - } - ordered-by user; - description - "Acceptable host key algorithms in order of descending - preference. The configured host key algorithms should - be compatible with the algorithm used by the configured - private key. Please see Section 5 of RFC XXXX for - valid combinations. - - If this leaf-list is not configured (has zero elements) - the acceptable host key algorithms are implementation- - defined."; - reference - "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers"; - } - } - container key-exchange { - description - "Parameters regarding key exchange."; - leaf-list key-exchange-alg { - type identityref { - base key-exchange-alg-base; - } - ordered-by user; - description - "Acceptable key exchange algorithms in order of descending - preference. - - If this leaf-list is not configured (has zero elements) - the acceptable key exchange algorithms are implementation - defined."; - } - } - container encryption { - description - "Parameters regarding encryption."; - leaf-list encryption-alg { - type identityref { - base encryption-alg-base; - } - ordered-by user; - description - "Acceptable encryption algorithms in order of descending - preference. 
- - If this leaf-list is not configured (has zero elements) - the acceptable encryption algorithms are implementation - defined."; - } - } - container mac { - description - "Parameters regarding message authentication code (MAC)."; - leaf-list mac-alg { - type identityref { - base mac-alg-base; - } - ordered-by user; - description - "Acceptable MAC algorithms in order of descending - preference. - - If this leaf-list is not configured (has zero elements) - the acceptable MAC algorithms are implementation- - defined."; - } - } - } - } diff --git a/modules/ietf-ssh-server@2019-07-02.yang b/modules/ietf-ssh-server@2019-07-02.yang deleted file mode 100644 index d96bbd0e..00000000 --- a/modules/ietf-ssh-server@2019-07-02.yang +++ /dev/null 
@@ -1,385 +0,0 @@ - module ietf-ssh-server { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server"; - prefix sshs; - - import ietf-ssh-common { - prefix sshcmn; - revision-date 2019-07-02; // stable grouping definitions - reference - "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers"; - } - /* - import ietf-truststore { - prefix ta; - reference - "RFC YYYY: A YANG Data Model for a Truststore"; - } - */ - import ietf-keystore { - prefix ks; - reference - "RFC ZZZZ: A YANG Data Model for a Keystore"; - } - - import iana-crypt-hash { - prefix ianach; - reference - "RFC 7317: A YANG Data Model for System Management"; - } - - import ietf-netconf-acm { - prefix nacm; - reference - "RFC 8341: Network Configuration Access Control Model"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Gary Wu "; - - description - "This module defines reusable groupings for SSH servers that - can be used as a basis for specific SSH server instances. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
- - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers"; - } - - // Features - - feature ssh-server-transport-params-config { - description - "SSH transport layer parameters are configurable on an SSH - server."; - } - - feature ssh-server-keepalives { - description - "Per socket SSH keepalive parameters are configurable for - SSH servers on the server implementing this feature."; - } - - feature local-client-auth-supported { - description - "Indicates that the SSH server supports local configuration - of client credentials."; - } - - feature external-client-auth-supported { - description - "Indicates that the SSH server supports external configuration - of client credentials."; - } - - // Groupings - - grouping ssh-server-grouping { - description - "A reusable grouping for configuring a SSH server without - any consideration for how underlying TCP sessions are - established. - - Note that this grouping uses fairly typical descendent - node names such that a stack of 'uses' statements will - have name conflicts. It is intended that the consuming - data model will resolve the issue (e.g., by wrapping - the 'uses' statement in a container called - 'ssh-server-parameters'). 
This model purposely does - not do this itself so as to provide maximum flexibility - to consuming models."; - - container server-identity { - nacm:default-deny-write; - description - "The list of host-keys the SSH server will present when - establishing a SSH connection."; - list host-key { - key "name"; - min-elements 1; - ordered-by user; - description - "An ordered list of host keys the SSH server will use to - construct its ordered list of algorithms, when sending - its SSH_MSG_KEXINIT message, as defined in Section 7.1 - of RFC 4253."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer - Protocol"; - leaf name { - type string; - description - "An arbitrary name for this host-key"; - } - choice host-key-type { - mandatory true; - description - "The type of host key being specified"; - container public-key { - uses ks:local-or-keystore-asymmetric-key-grouping; - description - "A locally-defined or referenced asymmetric key pair - to be used for the SSH server's host key."; - reference - "RFC ZZZZ: YANG Data Model for a Centralized - Keystore Mechanism"; - } - container certificate { - if-feature "sshcmn:ssh-x509-certs"; - uses - ks:local-or-keystore-end-entity-cert-with-key-grouping; - description - "A locally-defined or referenced end-entity - certificate to be used for the SSH server's - host key."; - reference - "RFC ZZZZ: YANG Data Model for a Centralized - Keystore Mechanism"; - } - } - } - } // container server-identity - - container client-authentication { - nacm:default-deny-write; - description - "Specifies if SSH client authentication is required or - optional, and specifies if the SSH client authentication - credentials are configured locally or externally."; - container supported-authentication-methods { - description - "Indicates which authentication methods the server - supports."; - leaf publickey { - type empty; - description - "Indicates that the 'publickey' method is supported. 
- Note that RFC 6187 X.509v3 Certificates for SSH uses - the 'publickey' method name."; - reference - "RFC 4252: The Secure Shell (SSH) Authentication - Protocol. - RFC 6187: X.509v3 Certificates for Secure Shell - Authentication."; - } - leaf passsword { - type empty; - description - "Indicates that the 'password' method is supported."; - reference - "RFC 4252: The Secure Shell (SSH) Authentication - Protocol."; - } - leaf hostbased { - type empty; - description - "Indicates that the 'hostbased' method is supported."; - reference - "RFC 4252: The Secure Shell (SSH) Authentication - Protocol."; - } - leaf none { - type empty; - description - "Indicates that the 'none' method is supported."; - reference - "RFC 4252: The Secure Shell (SSH) Authentication - Protocol."; - } - leaf-list other { - type string; - description - "Indicates a supported method name not defined by - RFC 4253."; - reference - "RFC 4252: The Secure Shell (SSH) Authentication - Protocol."; - } - } - choice local-or-external { - description - "Indicates if the client credentials are configured - locally or externally."; - case local { - if-feature "local-client-auth-supported"; - description - "Client credentials are configured locally."; - container users { - description - "A list of locally configured users."; - list user { - key name; - description - "The list of local users configured on this device."; - - leaf name { - type string; - description - "The user name string identifying this entry."; - } - leaf password { - type ianach:crypt-hash; - description - "The password for this entry."; - } - list authorized-key { - key name; - description - "A list of public SSH keys for this user. 
These - keys are allowed for SSH authentication, as - described in RFC 4253."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer - Protocol"; - leaf name { - type string; - description - "An arbitrary name for the SSH key."; - } - leaf algorithm { - type string; - mandatory true; - description - "The public key algorithm name for this SSH key. - - Valid values are the values in the IANA 'Secure - Shell (SSH) Protocol Parameters' registry, - Public Key Algorithm Names."; - reference - "IANA 'Secure Shell (SSH) Protocol Parameters' - registry, Public Key Algorithm Names"; - } - leaf key-data { - type binary; - mandatory true; - description - "The binary public key data for this SSH key, as - specified by RFC 4253, Section 6.6, i.e.: - - string certificate or public key format - identifier - byte[n] key/certificate data."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer - Protocol"; - } - } - } // list user - /* - if-feature "sshcmn:ssh-x509-certs"; - description - "A reference to a list of certificate authority - (CA) certificates and a reference to a list of - client certificates."; - leaf ca-certs { - if-feature "ts:x509-certificates"; - type ts:certificates-ref; // local or remote - description - "A reference to a list of certificate authority (CA) - certificates used by the SSH server to authenticate - SSH client certificates. A client certificate is - authenticated if it has a valid chain of trust to - a configured CA certificate."; - reference - "RFC YYYY: YANG Data Model for Global Trust Anchors"; - } - leaf client-certs { - if-feature "ts:x509-certificates"; - type ts:certificates-ref; // local or remote - description - "A reference to a list of client certificates - used by the SSH server to authenticate SSH - client certificates. 
A clients certificate - is authenticated if it is an exact match to - a configured client certificate."; - reference - "RFC YYYY: YANG Data Model for Global Trust Anchors"; - } - */ - } // container users - } // case local - case external { - if-feature "external-client-auth-supported"; - description - "Client credentials are configured externally, such - as via RADIUS, RFC 7317, or another mechanism."; - leaf client-auth-defined-elsewhere { - type empty; - description - "Indicates that client credentials are configured - elsewhere."; - } - } - } // choice local-or-external - } // container client-authentication - - container transport-params { - nacm:default-deny-write; - if-feature "ssh-server-transport-params-config"; - description - "Configurable parameters of the SSH transport layer."; - uses sshcmn:transport-params-grouping; - } // container transport-params - - container keepalives { - nacm:default-deny-write; - if-feature "ssh-server-keepalives"; - presence "Indicates that keepalives are enabled."; - description - "Configures the keep-alive policy, to proactively test - the aliveness of the SSL client. An unresponsive SSL - client is dropped after approximately max-wait * - max-attempts seconds."; - leaf max-wait { - type uint16 { - range "1..max"; - } - units "seconds"; - default "30"; - description - "Sets the amount of time in seconds after which - if no data has been received from the SSL client, - a SSL-level message will be sent to test the - aliveness of the SSL client."; - } - leaf max-attempts { - type uint8; - default "3"; - description - "Sets the maximum number of sequential keep-alive - messages that can fail to obtain a response from - the SSL client before assuming the SSL client is - no longer alive."; - } - } // container keepalives - } // grouping server-identity-grouping - } diff --git a/modules/ietf-tcp-client@2019-07-02.yang b/modules/ietf-tcp-client@2019-07-02.yang deleted file mode 100644 index b6177156..00000000 
--- a/modules/ietf-tcp-client@2019-07-02.yang
+++ /dev/null
@@ -1,145 +0,0 @@ - module ietf-tcp-client { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-client"; - prefix tcpc; - - import ietf-inet-types { - prefix inet; - reference - "RFC 6991: Common YANG Data Types"; - } - - import ietf-tcp-common { - prefix tcpcmn; - reference - "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group and the - IETF TCP Maintenance and Minor Extensions (TCPM) Working Group"; - - contact - "WG Web: - - WG List: - - Authors: Kent Watsen - Michael Scharf - "; - - description - "This module defines reusable groupings for TCP clients that - can be used as a basis for specific TCP client instances. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
-
- This version of this YANG module is part of RFC XXXX
- (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
- itself for full legal notices.;
-
- The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
- 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
- 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
- are to be interpreted as described in BCP 14 (RFC 2119)
- (RFC 8174) when, and only when, they appear in all
- capitals, as shown here.";
-
- revision 2019-07-02 {
- description
- "Initial version";
- reference
- "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
- }
-
- // Features
-
- feature local-binding-supported {
- description
- "Indicates that the server supports configuring local
- bindings (i.e., the local address and local port) for
- TCP clients.";
- }
-
- feature tcp-client-keepalives {
- description
- "Per socket TCP keepalive parameters are configurable for
- TCP clients on the server implementing this feature.";
- }
-
- // Groupings
-
- grouping tcp-client-grouping {
- description
- "A reusable grouping for configuring a TCP client.
-
- Note that this grouping uses fairly typical descendent
- node names such that a stack of 'uses' statements will
- have name conflicts. It is intended that the consuming
- data model will resolve the issue (e.g., by wrapping
- the 'uses' statement in a container called
- 'tcp-client-parameters'). This model purposely does
- not do this itself so as to provide maximum flexibility
- to consuming models.";
-
- leaf remote-address {
- type inet:host;
- mandatory true;
- description
- "The IP address or hostname of the remote peer to
- establish a connection with. If a domain name is
- configured, then the DNS resolution should happen on
- each connection attempt. If the the DNS resolution
- results in multiple IP addresses, the IP addresses
- are tried according to local preference order until
- a connection has been established or until all IP
- addresses have failed.";
- }
- leaf remote-port {
- type inet:port-number;
- default "0";
- description
- "The IP port number for the remote peer to establish a
- connection with. An invalid default value (0) is used
- (instead of 'mandatory true') so that as application
- level data model may 'refine' it with an application
- specific default port number value.";
- }
- leaf local-address {
- if-feature "local-binding-supported";
- type inet:ip-address;
- description
- "The local IP address/interface (VRF?) to bind to for when
- connecting to the remote peer. INADDR_ANY ('0.0.0.0') or
- INADDR6_ANY ('0:0:0:0:0:0:0:0' a.k.a. '::') MAY be used to
- explicitly indicate the implicit default, that the server
- can bind to any IPv4 or IPv6 addresses, respectively.";
- }
- leaf local-port {
- if-feature "local-binding-supported";
- type inet:port-number;
- default "0";
- description
- "The local IP port number to bind to for when connecting
- to the remote peer. The port number '0', which is the
- default value, indicates that any available local port
- number may be used.";
- }
- uses tcpcmn:tcp-connection-grouping {
- augment "keepalives" {
- if-feature "tcp-client-keepalives";
- description
- "Add an if-feature statement so that implementations
- can choose to support TCP client keepalives.";
- }
- }
- }
- }
diff --git a/modules/ietf-tcp-common@2019-07-02.yang b/modules/ietf-tcp-common@2019-07-02.yang
deleted file mode 100644
index 076a662a..00000000
--- a/modules/ietf-tcp-common@2019-07-02.yang
+++ /dev/null
@@ -1,130 +0,0 @@ - module ietf-tcp-common { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-common"; - prefix tcpcmn; - - organization - "IETF NETCONF (Network Configuration) Working Group and the - IETF TCP Maintenance and Minor Extensions (TCPM) Working Group"; - - contact - "WG Web: - - WG List: - - Authors: Kent Watsen - Michael Scharf - "; - - description - "This module defines reusable groupings for TCP commons that - can be used as a basis for specific TCP common instances. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). - - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers"; - } - - // Features - feature keepalives-supported { - description - "Indicates that keepalives are supported."; - } - - // Groupings - - grouping tcp-common-grouping { - description - "A reusable grouping for configuring TCP parameters common - to TCP connections as well as the operating system as a - whole."; - container keepalives { - if-feature "keepalives-supported"; - presence "Indicates that keepalives are enabled."; - description - "Configures the 
keep-alive policy, to proactively test the - aliveness of the TCP peer. An unresponsive TCP peer is - dropped after approximately (idle-time * 60) + (max-probes - * probe-interval) seconds."; - leaf idle-time { - type uint16 { - range "1..max"; - } - units "seconds"; - mandatory true; - description - "Sets the amount of time after which if no data has been - received from the TCP peer, a TCP-level probe message - will be sent to test the aliveness of the TCP peer."; - } - leaf max-probes { - type uint16 { - range "1..max"; - } - mandatory true; - description - "Sets the maximum number of sequential keep-alive probes - that can fail to obtain a response from the TCP peer - before assuming the TCP peer is no longer alive."; - } - leaf probe-interval { - type uint16 { - range "1..max"; - } - units "seconds"; - mandatory true; - description - "Sets the time interval between failed probes."; - } - } // container keepalives - } // grouping tcp-common-grouping - - - grouping tcp-connection-grouping { - description - "A reusable grouping for configuring TCP parameters common - to TCP connections."; - uses tcp-common-grouping; - } - - /* - The following is for a future bis... - This comment is here now so as support discussion with TCPM. - This comment will be removed before publication. - - Should future system-level parameters be defined as a - grouping or a container? - - grouping tcp-system-grouping { - description - "A reusable grouping for configuring TCP parameters common - to the operating system as a whole."; - - // currently just a placeholder - } - */ - - } diff --git a/modules/ietf-tcp-server@2019-07-02.yang b/modules/ietf-tcp-server@2019-07-02.yang deleted file mode 100644 index 18c51991..00000000 --- a/modules/ietf-tcp-server@2019-07-02.yang +++ /dev/null 
@@ -1,114 +0,0 @@ - module ietf-tcp-server { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-server"; - prefix tcps; - - import ietf-inet-types { - prefix inet; - reference - "RFC 6991: Common YANG Data Types"; - } - - import ietf-tcp-common { - prefix tcpcmn; - reference - "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group and the - IETF TCP Maintenance and Minor Extensions (TCPM) Working Group"; - - contact - "WG Web: - - WG List: - - Authors: Kent Watsen - Michael Scharf - "; - - description - "This module defines reusable groupings for TCP servers that - can be used as a basis for specific TCP server instances. - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
-
- This version of this YANG module is part of RFC XXXX
- (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
- itself for full legal notices.;
-
- The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
- 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
- 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
- are to be interpreted as described in BCP 14 (RFC 2119)
- (RFC 8174) when, and only when, they appear in all
- capitals, as shown here.";
-
- revision 2019-07-02 {
- description
- "Initial version";
- reference
- "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
- }
-
- // Features
-
- feature tcp-server-keepalives {
- description
- "Per socket TCP keepalive parameters are configurable for
- TCP servers on the server implementing this feature.";
- }
-
-
- // Groupings
-
- grouping tcp-server-grouping {
- description
- "A reusable grouping for configuring a TCP server.
-
- Note that this grouping uses fairly typical descendent
- node names such that a stack of 'uses' statements will
- have name conflicts. It is intended that the consuming
- data model will resolve the issue (e.g., by wrapping
- the 'uses' statement in a container called
- 'tcp-server-parameters'). This model purposely does
- not do this itself so as to provide maximum flexibility
- to consuming models.";
- leaf local-address {
- type inet:ip-address;
- mandatory true;
- description
- "The local IP address to listen on for incoming
- TCP client connections. INADDR_ANY (0.0.0.0) or
- INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be
- used when the server is to listen on all IPv4 or
- IPv6 addresses, respectively.";
- }
- leaf local-port {
- type inet:port-number;
- default "0";
- description
- "The local port number to listen on for incoming TCP
- client connections. An invalid default value (0)
- is used (instead of 'mandatory true') so that an
- application level data model may 'refine' it with
- an application specific default port number value.";
- }
- uses tcpcmn:tcp-connection-grouping {
- augment "keepalives" {
- if-feature "tcp-server-keepalives";
- description
- "Add an if-feature statement so that implementations
- can choose to support TCP server keepalives.";
- }
- }
- }
- }
diff --git a/modules/ietf-tls-common@2019-07-02.yang b/modules/ietf-tls-common@2019-07-02.yang
deleted file mode 100644
index bb7c25ca..00000000
--- a/modules/ietf-tls-common@2019-07-02.yang
+++ /dev/null
@@ -1,406 +0,0 @@ - module ietf-tls-common { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; - prefix tlscmn; - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Gary Wu "; - - description - "This module defines a common features, identities, and - groupings for Transport Layer Security (TLS). - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). - - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; - } - - // Features - - feature tls-1_0 { - description - "TLS Protocol Version 1.0 is supported."; - reference - "RFC 2246: The TLS Protocol Version 1.0"; - } - - feature tls-1_1 { - description - "TLS Protocol Version 1.1 is supported."; - reference - "RFC 4346: The Transport Layer Security (TLS) Protocol - Version 1.1"; - } - - feature tls-1_2 { - description - "TLS Protocol Version 1.2 is supported."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - feature tls-1_3 { - description - "TLS Protocol Version 
1.2 is supported."; - reference - "RFC 8446: The Transport Layer Security (TLS) Protocol - Version 1.3"; - } - - feature tls-ecc { - description - "Elliptic Curve Cryptography (ECC) is supported for TLS."; - reference - "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS)"; - } - - feature tls-dhe { - description - "Ephemeral Diffie-Hellman key exchange is supported for TLS."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - feature tls-3des { - description - "The Triple-DES block cipher is supported for TLS."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - feature tls-gcm { - description - "The Galois/Counter Mode authenticated encryption mode is - supported for TLS."; - reference - "RFC 5288: AES Galois Counter Mode (GCM) Cipher Suites for - TLS"; - } - - feature tls-sha2 { - description - "The SHA2 family of cryptographic hash functions is supported - for TLS."; - reference - "FIPS PUB 180-4: Secure Hash Standard (SHS)"; - } - - // Identities - - identity tls-version-base { - description - "Base identity used to identify TLS protocol versions."; - } - - identity tls-1.0 { - base tls-version-base; - if-feature "tls-1_0"; - description - "TLS Protocol Version 1.0."; - reference - "RFC 2246: The TLS Protocol Version 1.0"; - } - - identity tls-1.1 { - base tls-version-base; - if-feature "tls-1_1"; - description - "TLS Protocol Version 1.1."; - reference - "RFC 4346: The Transport Layer Security (TLS) Protocol - Version 1.1"; - } - - identity tls-1.2 { - base tls-version-base; - if-feature "tls-1_2"; - description - "TLS Protocol Version 1.2."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity cipher-suite-base { - description - "Base identity used to identify TLS cipher suites."; - } - - identity rsa-with-aes-128-cbc-sha { - base cipher-suite-base; - description - "Cipher suite 
TLS_RSA_WITH_AES_128_CBC_SHA."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity rsa-with-aes-256-cbc-sha { - base cipher-suite-base; - description - "Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity rsa-with-aes-128-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-sha2"; - description - "Cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity rsa-with-aes-256-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-sha2"; - description - "Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity dhe-rsa-with-aes-128-cbc-sha { - base cipher-suite-base; - if-feature "tls-dhe"; - description - "Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity dhe-rsa-with-aes-256-cbc-sha { - base cipher-suite-base; - if-feature "tls-dhe"; - description - "Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity dhe-rsa-with-aes-128-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-dhe and tls-sha2"; - description - "Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity dhe-rsa-with-aes-256-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-dhe and tls-sha2"; - description - "Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA256."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity ecdhe-ecdsa-with-aes-128-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-ecc and tls-sha2"; - description - 
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-ecdsa-with-aes-256-cbc-sha384 { - base cipher-suite-base; - if-feature "tls-ecc and tls-sha2"; - description - "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-rsa-with-aes-128-cbc-sha256 { - base cipher-suite-base; - if-feature "tls-ecc and tls-sha2"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-rsa-with-aes-256-cbc-sha384 { - base cipher-suite-base; - if-feature "tls-ecc and tls-sha2"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-ecdsa-with-aes-128-gcm-sha256 { - base cipher-suite-base; - if-feature "tls-ecc and tls-gcm and tls-sha2"; - description - "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-ecdsa-with-aes-256-gcm-sha384 { - base cipher-suite-base; - if-feature "tls-ecc and tls-gcm and tls-sha2"; - description - "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity ecdhe-rsa-with-aes-128-gcm-sha256 { - base cipher-suite-base; - if-feature "tls-ecc and tls-gcm and tls-sha2"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois 
Counter Mode (GCM)"; - } - - identity ecdhe-rsa-with-aes-256-gcm-sha384 { - base cipher-suite-base; - if-feature "tls-ecc and tls-gcm and tls-sha2"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384."; - reference - "RFC 5289: TLS Elliptic Curve Cipher Suites with - SHA-256/384 and AES Galois Counter Mode (GCM)"; - } - - identity rsa-with-3des-ede-cbc-sha { - base cipher-suite-base; - if-feature "tls-3des"; - description - "Cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - } - - identity ecdhe-rsa-with-3des-ede-cbc-sha { - base cipher-suite-base; - if-feature "tls-ecc and tls-3des"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA."; - reference - "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS)"; - } - - identity ecdhe-rsa-with-aes-128-cbc-sha { - base cipher-suite-base; - if-feature "tls-ecc"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA."; - reference - "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS)"; - } - - identity ecdhe-rsa-with-aes-256-cbc-sha { - base cipher-suite-base; - if-feature "tls-ecc"; - description - "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA."; - reference - "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites - for Transport Layer Security (TLS)"; - } - - // Groupings - - grouping hello-params-grouping { - description - "A reusable grouping for TLS hello message parameters."; - reference - "RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2"; - container tls-versions { - description - "Parameters regarding TLS versions."; - leaf-list tls-version { - type identityref { - base tls-version-base; - } - description - "Acceptable TLS protocol versions. 
- - If this leaf-list is not configured (has zero elements) - the acceptable TLS protocol versions are implementation- - defined."; - } - } - container cipher-suites { - description - "Parameters regarding cipher suites."; - leaf-list cipher-suite { - type identityref { - base cipher-suite-base; - } - ordered-by user; - description - "Acceptable cipher suites in order of descending - preference. The configured host key algorithms should - be compatible with the algorithm used by the configured - private key. Please see Section 5 of RFC XXXX for - valid combinations. - - If this leaf-list is not configured (has zero elements) - the acceptable cipher suites are implementation- - defined."; - reference - "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; - } - } - } - } diff --git a/modules/ietf-tls-server@2019-07-02.yang b/modules/ietf-tls-server@2019-07-02.yang deleted file mode 100644 index 22cfb20c..00000000 --- a/modules/ietf-tls-server@2019-07-02.yang +++ /dev/null 
@@ -1,263 +0,0 @@ - module ietf-tls-server { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; - prefix tlss; - - import ietf-tls-common { - prefix tlscmn; - revision-date 2019-07-02; // stable grouping definitions - reference - "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; - } - - import ietf-truststore { - prefix ts; - reference - "RFC YYYY: A YANG Data Model for a Truststore"; - } - - import ietf-keystore { - prefix ks; - reference - "RFC ZZZZ: A YANG Data Model for a Keystore"; - } - - import ietf-netconf-acm { - prefix nacm; - reference - "RFC 8341: Network Configuration Access Control Model"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen - Author: Gary Wu "; - - description - "This module defines reusable groupings for TLS servers that - can be used as a basis for specific TLS server instances. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
- - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; - } - - // Features - - feature tls-server-hello-params-config { - description - "TLS hello message parameters are configurable on a TLS - server."; - } - - feature tls-server-keepalives { - description - "Per socket TLS keepalive parameters are configurable for - TLS servers on the server implementing this feature."; - } - - feature local-client-auth-supported { - description - "Indicates that the TLS server supports local - configuration of client credentials."; - } - - - feature external-client-auth-supported { - description - "Indicates that the TLS server supports external - configuration of client credentials."; - } - - // Groupings - - grouping tls-server-grouping { - description - "A reusable grouping for configuring a TLS server without - any consideration for how underlying TCP sessions are - established. - - Note that this grouping uses fairly typical descendent - node names such that a stack of 'uses' statements will - have name conflicts. It is intended that the consuming - data model will resolve the issue (e.g., by wrapping - the 'uses' statement in a container called - 'tls-server-parameters'). This model purposely does - not do this itself so as to provide maximum flexibility - to consuming models."; - - - container server-identity { // FIXME: what about PSKs? 
- nacm:default-deny-write; - description - "A locally-defined or referenced end-entity certificate, - including any configured intermediate certificates, the - TLS server will present when establishing a TLS connection - in its Certificate message, as defined in Section 7.4.2 - in RFC 5246."; - reference - "RFC 5246: - The Transport Layer Security (TLS) Protocol Version 1.2 - RFC ZZZZ: - YANG Data Model for a 'Keystore' Mechanism"; - uses ks:local-or-keystore-end-entity-cert-with-key-grouping; - } // container server-identity - - container client-authentication { // FIXME: what about PSKs? - nacm:default-deny-write; - presence - "Indicates that certificate based client authentication - is supported (i.e., the server will request that the - client send a certificate)."; - description - "Specifies if TLS client authentication is required or - optional, and specifies if the certificates needed to - authenticate the TLS client are configured locally or - externally. If configured locally, the data model - enables both trust anchors and end-entity certificate - to be set."; - choice required-or-optional { - mandatory true; // or default to 'required' ? - description - "Indicates if TLS-level client authentication is required - or optional. This is necessary for some protocols (e.g., - RESTCONF) the may optionally authenticate a client via - TLS-level authentication, HTTP-level authentication, or - both simultaneously)."; - leaf required { - type empty; - description - "Indicates that TLS-level client authentication is - required."; - } - leaf optional { - type empty; - description - "Indicates that TLS-level client authentication is - optional."; - } - } - choice local-or-external { - mandatory true; - description - "Indicates if the certificates needed to authenticate - the client are configured locally or externally. 
The - need to support external configuration for client - authentication stems from the desire to support - consuming data models that prefer to place client - authentication with client definitions, rather then - in a data model principally concerned with configuring - the transport."; - case local { - if-feature "local-client-auth-supported"; - description - "The certificates needed to authenticate the clients - are configured locally."; - leaf ca-certs { - if-feature "ts:x509-certificates"; - type ts:certificates-ref;//FIXME: local-or-remote? - description - "A reference to a list of certificate authority (CA) - certificates used by the TLS server to authenticate - TLS client certificates. A client certificate is - authenticated if it has a valid chain of trust to - a configured CA certificate."; - reference - "RFC YYYY: YANG Data Model for Global Trust Anchors"; - } - leaf client-certs { - if-feature "ts:x509-certificates"; - type ts:certificates-ref;//FIXME: local-or-remote? - description - "A reference to a list of client certificates - used by the TLS server to authenticate TLS - client certificates. 
A clients certificate - is authenticated if it is an exact match to - a configured client certificate."; - reference - "RFC YYYY: YANG Data Model for Global Trust Anchors"; - } - } - case external { - if-feature "external-client-auth-supported"; - description - "The certificates needed to authenticate the clients - are configured externally."; - leaf client-auth-defined-elsewhere { - type empty; - description - "Indicates that certificates needed to authenticate - clients are configured elsewhere."; - } - } - } // choice local-or-external - } // container client-authentication - - container hello-params { - nacm:default-deny-write; - if-feature "tls-server-hello-params-config"; - uses tlscmn:hello-params-grouping; - description - "Configurable parameters for the TLS hello message."; - } // container hello-params - - container keepalives { - nacm:default-deny-write; - if-feature "tls-server-keepalives"; - presence "Indicates that keepalives are enabled."; - description - "Configures the keep-alive policy, to proactively test - the aliveness of the TLS client. An unresponsive - TLS client is dropped after approximately max-wait - * max-attempts seconds."; - leaf max-wait { - type uint16 { - range "1..max"; - } - units "seconds"; - default "30"; - description - "Sets the amount of time in seconds after which if - no data has been received from the TLS client, a - TLS-level message will be sent to test the - aliveness of the TLS client."; - } - leaf max-attempts { - type uint8; - default "3"; - description - "Sets the maximum number of sequential keep-alive - messages that can fail to obtain a response from - the TLS client before assuming the TLS client is - no longer alive."; - } - } // container keepalives - } // grouping tls-server-grouping - } diff --git a/modules/ietf-truststore@2019-07-02.yang b/modules/ietf-truststore@2019-07-02.yang deleted file mode 100644 index 98e193d4..00000000 --- a/modules/ietf-truststore@2019-07-02.yang +++ /dev/null 
@@ -1,294 +0,0 @@ - module ietf-truststore { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-truststore"; - prefix ts; - - import ietf-netconf-acm { - prefix nacm; - reference - "RFC 8341: Network Configuration Access Control Model"; - } - - import ietf-crypto-types { - prefix ct; - reference - "RFC YYYY: Common YANG Data Types for Cryptography"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: - WG List: - Author: Kent Watsen "; - - description - "This module defines a truststore to centralize management - of trust anchors including both X.509 certificates and - SSH host keys. - - Copyright (c) 2019 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Simplified - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). 
- - This version of this YANG module is part of RFC XXXX - (https://www.rfc-editor.org/info/rfcXXXX); see the RFC - itself for full legal notices.; - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2019-07-02 { - description - "Initial version"; - reference - "RFC XXXX: A YANG Data Model for a Truststore"; - } - - /****************/ - /* Features */ - /****************/ - - feature truststore-supported { - description - "The 'truststore-supported' feature indicates that the - server supports the truststore."; - } - - feature local-definitions-supported { - description - "The 'local-definitions-supported' feature indicates that - the server supports locally-defined trust anchors."; - } - - feature x509-certificates { - description - "The 'x509-certificates' feature indicates that the server - implements the /truststore/certificates subtree."; - } - - feature ssh-host-keys { - description - "The 'ssh-host-keys' feature indicates that the server - implements the /truststore/host-keys subtree."; - } - - /****************/ - /* Typedefs */ - /****************/ - - typedef certificates-ref { - type leafref { - path "/ts:truststore/ts:certificates/ts:name"; - } - description - "This typedef enables modules to easily define a reference - to a set of certificates defined in the truststore."; - } - - typedef host-keys-ref { - type leafref { - path "/ts:truststore/ts:host-keys/ts:name"; - } - description - "This typedef enables modules to easily define a reference - to a set of host keys defined in the truststore."; - } - - /*****************/ - /* Groupings */ - /*****************/ - - grouping local-or-truststore-certs-grouping { - description - "A grouping that expands to allow trust anchors to be - 
either stored locally, within the using data model, or be - a reference to trust anchors stored in the truststore."; - choice local-or-truststore { - mandatory true; - case local { - if-feature "local-definitions-supported"; - container local-definition { - description - "Container to hold the local trust anchor definitions. - A list is defined so as to be symmetric with the - truststore definition."; - uses ct:trust-anchor-certs-grouping; - } - } - case truststore { - if-feature "truststore-supported"; - if-feature "x509-certificates"; - leaf truststore-reference { - type ts:certificates-ref; - description - "A reference to a set of trust anchors that exists - in the truststore."; - } - } - description - "A choice between an inlined definition and a definition - that exists in the truststore."; - } - } - - grouping local-or-truststore-host-keys-grouping { - description - "A grouping that expands to allow trust anchors to be - either stored locally, within the using data model, or be - a reference to trust anchors stored in the truststore."; - choice local-or-truststore { - mandatory true; - case local { - if-feature "local-definitions-supported"; - container local-definition { - description - "Container to hold the local trust anchor definitions. 
- A list is defined so as to be symmetric with the - truststore definition."; - leaf-list host-key { - nacm:default-deny-write; - type ct:ssh-host-key; - description - "The binary data for this host key."; - reference - "RFC YYYY: Common YANG Data Types for Cryptography"; - } - uses ct:trust-anchor-certs-grouping; - } - } - case truststore { - if-feature "truststore-supported"; - if-feature "ssh-host-keys"; - leaf truststore-reference { - type ts:host-keys-ref; - description - "A reference to a set of trust anchors that exists - in the truststore."; - } - } - description - "A choice between an inlined definition and a definition - that exists in the truststore."; - } - } - - - grouping truststore-grouping { - description - "Grouping definition enables use in other contexts. If ever - done, implementations SHOULD augment new 'case' statements - into local-or-keystore 'choice' statements to supply leafrefs - to the new location."; - list certificates { - if-feature "x509-certificates"; - key "name"; - description - "A list of certificates. These certificates can be - used by a server to authenticate clients, or by a client - to authenticate servers. Each list of certificates - SHOULD be specific to a purpose, as the list as a whole - may be referenced by other modules. For instance, a - RESTCONF server's configuration might use a specific list - of certificates for when authenticating RESTCONF - client connections."; - leaf name { - type string; - description - "An arbitrary name for this list of certificates."; - } - leaf description { - type string; - description - "An arbitrary description for this list of - certificates."; - } - list certificate { - key "name"; - description - "A certificate."; - leaf name { - type string; - description - "An arbitrary name for this certificate. 
The - name must be unique across all lists of - certificates (not just this list) so that leafrefs - from another module can resolve to unique values."; - } - uses ct:trust-anchor-cert-grouping { - refine "cert" { - mandatory true; - } - } - } - } - list host-keys { - if-feature "ssh-host-keys"; - key "name"; - description - "A list of host keys. These host-keys can - be used by clients to authenticate SSH servers. Each - list of host keys SHOULD be specific to a purpose, - so the list as a whole may be referenced by other modules. - For instance, a NETCONF client's configuration might - point to a specific list of host keys for when - authenticating specific SSH servers."; - leaf name { - type string; - description - "An arbitrary name for this list of SSH - host keys."; - } - leaf description { - type string; - description - "An arbitrary description for this list of SSH - host keys."; - } - list host-key { - key "name"; - description - "A host key."; - leaf name { - type string; - description - "An arbitrary name for this host-key. Must be - unique across all lists of host-keys (not just - this list) so that a leafref to it from another module - can resolve to unique values."; - } - leaf host-key { - type ct:ssh-host-key; - mandatory true; - description - "The binary public key data for this host key."; - reference - "RFC YYYY: Common YANG Data Types for Cryptography"; - } - } - } - } - - /*********************************/ - /* Protocol accessible nodes */ - /*********************************/ - - container truststore { - nacm:default-deny-write; - description - "The truststore contains sets of X.509 certificates and - SSH host keys."; - uses truststore-grouping; - } - } diff --git a/modules/ietf-x509-cert-to-name@2014-12-10.yang b/modules/ietf-x509-cert-to-name@2014-12-10.yang deleted file mode 100644 index 00be8bb1..00000000 --- a/modules/ietf-x509-cert-to-name@2014-12-10.yang +++ /dev/null 
@@ -1,303 +0,0 @@ - module ietf-x509-cert-to-name { - - namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"; - prefix x509c2n; - - import ietf-yang-types { - prefix yang; - } - - organization - "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; - - contact - "WG Web: - WG List: - - WG Chair: Thomas Nadeau - - - WG Chair: Juergen Schoenwaelder - - - Editor: Martin Bjorklund - - - Editor: Juergen Schoenwaelder - "; - - description - "This module contains a collection of YANG definitions for - extracting a name from an X.509 certificate. - The algorithm used to extract a name from an X.509 certificate - was first defined in RFC 6353. - - Copyright (c) 2014 IETF Trust and the persons identified as - authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with or - without modification, is permitted pursuant to, and subject - to the license terms contained in, the Simplified BSD License - set forth in Section 4.c of the IETF Trust's Legal Provisions - Relating to IETF Documents - (http://trustee.ietf.org/license-info). - - This version of this YANG module is part of RFC 7407; see - the RFC itself for full legal notices."; - - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model for - the Simple Network Management Protocol (SNMP)"; - - revision 2014-12-10 { - description - "Initial revision."; - reference - "RFC 7407: A YANG Data Model for SNMP Configuration"; - - } - - typedef tls-fingerprint { - type yang:hex-string { - pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}'; - } - description - "A fingerprint value that can be used to uniquely reference - other data of potentially arbitrary length. - - A tls-fingerprint value is composed of a 1-octet hashing - algorithm identifier followed by the fingerprint value. The - first octet value identifying the hashing algorithm is taken - from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). 
The - remaining octets are filled using the results of the hashing - algorithm."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.SnmpTLSFingerprint"; - } - - /* Identities */ - - identity cert-to-name { - description - "Base identity for algorithms to derive a name from a - certificate."; - } - - identity specified { - base cert-to-name; - description - "Directly specifies the name to be used for the certificate. - The value of the leaf 'name' in the cert-to-name list is - used."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertSpecified"; - } - - identity san-rfc822-name { - base cert-to-name; - description - "Maps a subjectAltName's rfc822Name to a name. The local part - of the rfc822Name is passed unaltered, but the host-part of - the name must be passed in lowercase. For example, the - rfc822Name field FooBar@Example.COM is mapped to name - FooBar@example.com."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name"; - } - - identity san-dns-name { - base cert-to-name; - description - "Maps a subjectAltName's dNSName to a name after first - converting it to all lowercase (RFC 5280 does not specify - converting to lowercase, so this involves an extra step). - This mapping results in a 1:1 correspondence between - subjectAltName dNSName values and the name values."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). 
- SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName"; - } - - identity san-ip-address { - base cert-to-name; - description - "Maps a subjectAltName's iPAddress to a name by - transforming the binary-encoded address as follows: - - 1) for IPv4, the value is converted into a - decimal-dotted quad address (e.g., '192.0.2.1'). - - 2) for IPv6 addresses, the value is converted into a - 32-character, all-lowercase hexadecimal string - without any colon separators. - - This mapping results in a 1:1 correspondence between - subjectAltName iPAddress values and the name values."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress"; - } - - identity san-any { - base cert-to-name; - description - "Maps any of the following fields using the corresponding - mapping algorithms: - - +------------+-----------------+ - | Type | Algorithm | - |------------+-----------------| - | rfc822Name | san-rfc822-name | - | dNSName | san-dns-name | - | iPAddress | san-ip-address | - +------------+-----------------+ - - The first matching subjectAltName value found in the - certificate of the above types MUST be used when deriving - the name. The mapping algorithm specified in the - 'Algorithm' column MUST be used to derive the name. - - This mapping results in a 1:1 correspondence between - subjectAltName values and name values. The three sub-mapping - algorithms produced by this combined algorithm cannot produce - conflicting results between themselves."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertSANAny"; - } - - identity common-name { - base cert-to-name; - description - "Maps a certificate's CommonName to a name after converting - it to a UTF-8 encoding. The usage of CommonNames is - deprecated, and users are encouraged to use subjectAltName - mapping methods instead. 
This mapping results in a 1:1 - correspondence between certificate CommonName values and name - values."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertCommonName"; - } - - /* - * Groupings - */ - - grouping cert-to-name { - description - "Defines nodes for mapping certificates to names. Modules - that use this grouping should describe how the resulting - name is used."; - - list cert-to-name { - key id; - description - "This list defines how certificates are mapped to names. - The name is derived by considering each cert-to-name - list entry in order. The cert-to-name entry's fingerprint - determines whether the list entry is a match: - - 1) If the cert-to-name list entry's fingerprint value - matches that of the presented certificate, then consider - the list entry a successful match. - - 2) If the cert-to-name list entry's fingerprint value - matches that of a locally held copy of a trusted CA - certificate, and that CA certificate was part of the CA - certificate chain to the presented certificate, then - consider the list entry a successful match. - - Once a matching cert-to-name list entry has been found, the - map-type is used to determine how the name associated with - the certificate should be determined. See the map-type - leaf's description for details on determining the name value. - If it is impossible to determine a name from the cert-to-name - list entry's data combined with the data presented in the - certificate, then additional cert-to-name list entries MUST - be searched to look for another potential match. 
- - Security administrators are encouraged to make use of - certificates with subjectAltName fields that can be mapped to - names so that a single root CA certificate can allow all - child certificates' subjectAltName fields to map directly to - a name via a 1:1 transformation."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry"; - - leaf id { - type uint32; - description - "The id specifies the order in which the entries in the - cert-to-name list are searched. Entries with lower - numbers are searched first."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol - (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID"; - } - - leaf fingerprint { - type x509c2n:tls-fingerprint; - mandatory true; - description - "Specifies a value with which the fingerprint of the - full certificate presented by the peer is compared. If - the fingerprint of the full certificate presented by the - peer does not match the fingerprint configured, then the - entry is skipped, and the search for a match continues."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol - (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint"; - } - - leaf map-type { - type identityref { - base cert-to-name; - } - mandatory true; - description - "Specifies the algorithm used to map the certificate - presented by the peer to a name. - - Mappings that need additional configuration objects should - use the 'when' statement to make them conditional based on - the map-type."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol - (SNMP). 
- SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; - } - - leaf name { - when "../map-type = 'x509c2n:specified'"; - type string; - mandatory true; - description - "Directly specifies the NETCONF username when the - map-type is 'specified'."; - reference - "RFC 6353: Transport Layer Security (TLS) Transport Model - for the Simple Network Management Protocol - (SNMP). - SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; - } - } - } - } From 112914c923b7bdc260ceb1cdb8bd509941367d66 Mon Sep 17 00:00:00 2001 From: roman Date: Mon, 11 Sep 2023 15:27:08 +0200 Subject: [PATCH 05/23] scripts UPDATE install modules from ln2's dir Install ietf-netconf-server related modules from libnetconf2's schema dir, update default config with an only SSH user being the user who invoked the script and his password. --- scripts/merge_config.sh | 15 +++-- scripts/merge_hostkey.sh | 11 +-- scripts/setup.sh | 140 +++++++++++++++++++++++---------------- 3 files changed, 95 insertions(+), 71 deletions(-) diff --git a/scripts/merge_config.sh b/scripts/merge_config.sh index 38978458..adceb745 100755 --- a/scripts/merge_config.sh +++ b/scripts/merge_config.sh @@ -17,6 +17,10 @@ KS_KEY_NAME=genkey SERVER_CONFIG=`$SYSREPOCFG -X -x "/ietf-netconf-server:netconf-server/listen/endpoint[1]/name | /ietf-netconf-server:netconf-server/call-home/netconf-client[1]/name"` if [ -z "$SERVER_CONFIG" ]; then +# get the user who invoked the script and his password, use it to create an SSH user in the default config +CURRENT_USER="$SUDO_USER" +CURRENT_USER_PASSWORD=$(awk -v user="$CURRENT_USER" -F':' '$1 == user {print $2}' /etc/shadow) + # import default config CONFIG=" @@ -41,11 +45,12 @@ CONFIG=" - - - - - + + + $CURRENT_USER + $CURRENT_USER_PASSWORD + + diff --git a/scripts/merge_hostkey.sh b/scripts/merge_hostkey.sh index 555af38c..5aef8ad1 100755 --- a/scripts/merge_hostkey.sh +++ b/scripts/merge_hostkey.sh 
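Review bot: `CURRENT_USER="$SUDO_USER"` and the `awk ... /etc/shadow` lookup run without any check, so when the script is not invoked through sudo, is not root (shadow unreadable), or the invoking account is locked (hash field starting with `!` or `*`), the default config in the second hunk is written with an empty user name or an empty/non-crypt password instead of aborting. Add a guard before `CONFIG=`, e.g. `if [ -z "$CURRENT_USER" ] || [ "${CURRENT_USER_PASSWORD:0:1}" != '$' ]; then echo "Cannot determine invoking user or password hash for the default config!"; exit 1; fi`. A comment above the lookup should also state that this copies the account's password hash out of /etc/shadow into the sysrepo datastore, where it is protected only by the datastore's own permissions (presumably NP2_MODULE_PERMS) rather than shadow's root-only mode. Hashes in formats not covered by the crypt-hash features enabled in setup.sh (for example yescrypt `$y$` on recent distributions) will presumably fail validation of this config, which is worth noting in the same comment.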
@@ -29,19 +29,14 @@ PRIVPEM=`$OPENSSL genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform # remove header/footer and newlines PRIVKEY=`echo "$PRIVPEM" | grep -v -- "-----" | tr -d "\n"` -# get public key -PUBPEM=`echo "$PRIVPEM" | $OPENSSL rsa -pubout 2>/dev/null` -# remove header/footer and newlines -PUBKEY=`echo "$PUBPEM" | grep -v -- "-----" | tr -d "\n"` - # generate edit config CONFIG=" genkey - rsa2048 - $PUBKEY - $PRIVKEY + ct:ssh-public-key-format + ct:rsa-private-key-format + $PRIVKEY " diff --git a/scripts/setup.sh b/scripts/setup.sh index 45ec2c72..fe087400 100755 --- a/scripts/setup.sh +++ b/scripts/setup.sh @@ -1,8 +1,8 @@ #!/usr/bin/env bash -# env variables NP2_MODULE_DIR, NP2_MODULE_PERMS must be defined and NP2_MODULE_OWNER, NP2_MODULE_GROUP will be used if +# env variables NP2_MODULE_DIR, NP2_MODULE_PERMS and LN2_MODULE_DIR must be defined and NP2_MODULE_OWNER, NP2_MODULE_GROUP will be used if # defined when executing this script! -if [ -z "$NP2_MODULE_DIR" -o -z "$NP2_MODULE_PERMS" ]; then +if [ -z "$NP2_MODULE_DIR" -o -z "$NP2_MODULE_PERMS" -o -z "$LN2_MODULE_DIR" ]; then echo "Required environment variables not defined!" exit 1 fi 
@@ -16,41 +16,57 @@ elif [ `id -u` -eq 0 ] && [ -n "$USER" ] && [ `command -v su` ]; then else SYSREPOCTL=`command -v sysrepoctl` fi -MODDIR=${DESTDIR}${NP2_MODULE_DIR} + +NP2_MODDIR=${DESTDIR}${NP2_MODULE_DIR} +LN2_MODDIR=${DESTDIR}${LN2_MODULE_DIR} PERMS=${NP2_MODULE_PERMS} OWNER=${NP2_MODULE_OWNER} GROUP=${NP2_MODULE_GROUP} -# array of modules to install -MODULES=( +# arrays of modules to install +NP2_MODULES=( "ietf-netconf@2013-09-29.yang -e writable-running -e candidate -e rollback-on-error -e validate -e startup -e url -e xpath -e confirmed-commit" "ietf-netconf-monitoring@2010-10-04.yang" "ietf-netconf-nmda@2019-01-07.yang -e origin -e with-defaults" "nc-notifications@2008-07-14.yang" "notifications@2008-07-14.yang" -"ietf-x509-cert-to-name@2014-12-10.yang" -"ietf-keystore@2019-07-02.yang -e keystore-supported" -"ietf-truststore@2019-07-02.yang -e truststore-supported -e x509-certificates" -"ietf-tcp-common@2019-07-02.yang -e keepalives-supported" -"ietf-ssh-server@2019-07-02.yang -e local-client-auth-supported" -"ietf-tls-server@2019-07-02.yang -e local-client-auth-supported" -"ietf-netconf-server@2019-07-02.yang -e ssh-listen -e tls-listen -e ssh-call-home -e tls-call-home" "ietf-interfaces@2018-02-20.yang" "ietf-ip@2018-02-22.yang" -"ietf-network-instance@2019-01-21.yang" "ietf-subscribed-notifications@2019-09-09.yang -e encode-xml -e replay -e subtree -e xpath" "ietf-yang-push@2019-09-09.yang -e on-change" ) +LN2_MODULES=( +"iana-ssh-encryption-algs@2022-06-16.yang" +"iana-ssh-key-exchange-algs@2022-06-16.yang" +"iana-ssh-mac-algs@2022-06-16.yang" +"iana-ssh-public-key-algs@2022-06-16.yang" +"iana-tls-cipher-suite-algs@2022-06-16.yang" +"ietf-x509-cert-to-name@2014-12-10.yang" +"iana-crypt-hash@2014-04-04.yang -e crypt-hash-md5 -e crypt-hash-sha-256 -e crypt-hash-sha-512" +"ietf-crypto-types@2023-04-17.yang -e cleartext-passwords -e cleartext-private-keys" +"ietf-keystore@2023-04-17.yang -e central-keystore-supported -e inline-definitions-supported -e 
asymmetric-keys" +"ietf-truststore@2023-04-17.yang -e central-truststore-supported -e inline-definitions-supported -e certificates -e public-keys" +"ietf-tcp-common@2023-04-17.yang -e keepalives-supported" +"ietf-tcp-server@2023-04-17.yang -e tcp-server-keepalives" +"ietf-tcp-client@2023-04-17.yang -e local-binding-supported -e tcp-client-keepalives" +"ietf-ssh-common@2023-04-17.yang -e transport-params" +"ietf-ssh-server@2023-04-17.yang -e local-users-supported -e local-user-auth-publickey -e local-user-auth-password -e local-user-auth-none" +"ietf-tls-common@2023-04-17.yang -e tls10 -e tls11 -e tls12 -e tls13 -e hello-params" +"ietf-tls-server@2023-04-17.yang -e server-ident-x509-cert -e client-auth-supported -e client-auth-x509-cert" +"ietf-netconf-server@2023-04-17.yang -e ssh-listen -e tls-listen -e ssh-call-home -e tls-call-home -e central-netconf-server-supported" +"libnetconf2-netconf-server@2023-09-07.yang" +) + CMD_INSTALL= # functions INSTALL_MODULE_CMD() { if [ -z "${CMD_INSTALL}" ]; then - CMD_INSTALL="'$SYSREPOCTL' -s '$MODDIR' -v2" + CMD_INSTALL="'$SYSREPOCTL' -s '$1' -v2" fi - CMD_INSTALL="$CMD_INSTALL -i $MODDIR/$1 -p '$PERMS'" + CMD_INSTALL="$CMD_INSTALL -i $1/$2 -p '$PERMS'" if [ ! -z "${OWNER}" ]; then CMD_INSTALL="$CMD_INSTALL -o '$OWNER'" fi @@ -60,7 +76,7 @@ INSTALL_MODULE_CMD() { } UPDATE_MODULE() { - CMD="'$SYSREPOCTL' -U $MODDIR/$1 -s '$MODDIR' -v2" + CMD="'$SYSREPOCTL' -U $1/$2 -s '$1' -v2" eval $CMD local rc=$? if [ $rc -ne 0 ]; then 
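Review bot: In `INSTALL_MODULE_CMD`, `-s '$1'` is added only the first time CMD_INSTALL is set, so if NP2 and LN2 modules are collected into a single sysrepoctl invocation (the eval is outside the hunk), the import search path names only the first directory passed and modules from the second directory may fail to resolve their imports. If the command is built once for both, seed it with both directories, e.g. `CMD_INSTALL="'$SYSREPOCTL' -s '$NP2_MODDIR:$LN2_MODDIR' -v2"` (sysrepoctl takes a colon-separated list), or append another `-s` whenever a new directory is seen. `-i $1/$2` is unquoted inside the string that is later eval'd while `-s '$1'` and `-p '$PERMS'` are quoted; the same inconsistency is in `UPDATE_MODULE` (`-U $1/$2`) in the next hunk, and `-i '$1/$2'` / `-U '$1/$2'` keeps paths containing spaces intact. The LN2 feature list enables `cleartext-passwords` and `crypt-hash-md5`, which widen what the datastores accept; if nothing in the default config depends on them, either leave them off or add a short comment stating why they are required.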
@@ -94,53 +110,61 @@ ENABLE_FEATURE() { # get current modules SCTL_MODULES=`$SYSREPOCTL -l` -for i in "${MODULES[@]}"; do - name=`echo "$i" | sed 's/\([^@]*\).*/\1/'` - - SCTL_MODULE=`echo "$SCTL_MODULES" | grep "^$name \+|[^|]*| I"` - if [ -z "$SCTL_MODULE" ]; then - # prepare command to install module with all its features - INSTALL_MODULE_CMD "$i" - continue - fi - - sctl_revision=`echo "$SCTL_MODULE" | sed 's/[^|]*| \([^ ]*\).*/\1/'` - revision=`echo "$i" | sed 's/[^@]*@\([^\.]*\).*/\1/'` - if [ "$sctl_revision" \< "$revision" ]; then - # update module without any features - file=`echo "$i" | cut -d' ' -f 1` - UPDATE_MODULE "$file" - fi +SETUP_CMD() { + module_dir="$1" # first argument - module directory + shift # shift all args to the left + modules=("$@") # the rest of the arguments are module names (and their features) + for i in "${modules[@]}"; do + name=`echo "$i" | sed 's/\([^@]*\).*/\1/'` + SCTL_MODULE=`echo "$SCTL_MODULES" | grep "^$name \+|[^|]*| I"` + if [ -z "$SCTL_MODULE" ]; then + # prepare command to install module with all its features + INSTALL_MODULE_CMD "$module_dir" "$i" + continue + fi - sctl_owner=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{3\} \([^:]*\).*/\2/'` - sctl_group=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{3\}[^:]*:\([^ ]*\).*/\2/'` - sctl_perms=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{4\} \([^ ]*\).*/\2/'` - if [ "$sctl_perms" != "$PERMS" ] || [ ! -z "${OWNER}" -a "$sctl_owner" != "$OWNER" ] || [ ! 
-z "${GROUP}" -a "$sctl_group" != "$GROUP" ]; then - # change permissions/owner - CHANGE_PERMS "$name" - fi + sctl_revision=`echo "$SCTL_MODULE" | sed 's/[^|]*| \([^ ]*\).*/\1/'` + revision=`echo "$i" | sed 's/[^@]*@\([^\.]*\).*/\1/'` + if [ "$sctl_revision" \< "$revision" ]; then + # update module without any features + file=`echo "$i" | cut -d' ' -f 1` + UPDATE_MODULE "$module_dir" "$file" + fi - # parse sysrepoctl features and add extra space at the end for easier matching - sctl_features="`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{6\}\(.*\)/\2/'` " - # parse features we want to enable - features=`echo "$i" | sed 's/[^ ]* \(.*\)/\1/'` - while [ "${features:0:3}" = "-e " ]; do - # skip "-e " - features=${features:3} - # parse feature - feature=`echo "$features" | sed 's/\([^[:space:]]*\).*/\1/'` - - # enable feature if not already - sctl_feature=`echo "$sctl_features" | grep " ${feature} "` - if [ -z "$sctl_feature" ]; then - # enable feature - ENABLE_FEATURE $name $feature + sctl_owner=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{3\} \([^:]*\).*/\2/'` + sctl_group=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{3\}[^:]*:\([^ ]*\).*/\2/'` + sctl_perms=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{4\} \([^ ]*\).*/\2/'` + if [ "$sctl_perms" != "$PERMS" ] || [ ! -z "${OWNER}" -a "$sctl_owner" != "$OWNER" ] || [ ! 
-z "${GROUP}" -a "$sctl_group" != "$GROUP" ]; then + # change permissions/owner + CHANGE_PERMS "$name" fi - # next iteration, skip this feature - features=`echo "$features" | sed 's/[^[:space:]]* \(.*\)/\1/'` + # parse sysrepoctl features and add extra space at the end for easier matching + sctl_features="`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{6\}\(.*\)/\2/'` " + # parse features we want to enable + features=`echo "$i" | sed 's/[^ ]* \(.*\)/\1/'` + while [ "${features:0:3}" = "-e " ]; do + # skip "-e " + features=${features:3} + # parse feature + feature=`echo "$features" | sed 's/\([^[:space:]]*\).*/\1/'` + + # enable feature if not already + sctl_feature=`echo "$sctl_features" | grep " ${feature} "` + if [ -z "$sctl_feature" ]; then + # enable feature + ENABLE_FEATURE $name $feature + fi + + # next iteration, skip this feature + features=`echo "$features" | sed 's/[^[:space:]]* \(.*\)/\1/'` + done done -done +} + +SETUP_CMD "$NP2_MODDIR" "${NP2_MODULES[@]}" + +SETUP_CMD "$LN2_MODDIR" "${LN2_MODULES[@]}" # install all the new modules if [ ! -z "${CMD_INSTALL}" ]; then From ca639723808effe61bc5904171a83fe6100223bc Mon Sep 17 00:00:00 2001 From: roman Date: Thu, 14 Sep 2023 08:53:59 +0200 Subject: [PATCH 06/23] cmake UPDATE use pkgconfig for ln2 module dir Also replace NC_ENABLED_SSH and NC_ENABLED_TLS macros by NC_ENABLED_SSH_TLS, because these macros were merged into one in ln2. Update to CMake 3.5. --- CMakeLists.txt | 61 +++++++++++++++--------------- CMakeModules/FindLibNETCONF2.cmake | 6 +-- 2 files changed, 33 insertions(+), 34 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 4a1b1f74..6ff11ff5 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,4 +1,4 @@ -cmake_minimum_required(VERSION 2.8.12) +cmake_minimum_required(VERSION 3.5) project(netopeer2 C) set(NETOPEER2_DESC "NETCONF tools suite including a server and command-line client") 
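Review bot: `module_dir` and `modules` inside the new `SETUP_CMD` function are plain assignments, so they become globals shared across the two calls, while the script already scopes `rc` with `local` in `UPDATE_MODULE`; `local module_dir="$1"` and `local modules=("$@")` keep the helper self-contained. The loop body itself is moved unchanged, so the unquoted `ENABLE_FEATURE $name $feature` and the unescaped `$name` in the `grep "^$name \+|..."` pattern are pre-existing rather than new. `SCTL_MODULES` is captured once before both `SETUP_CMD` calls, which is only correct because every install is deferred into `CMD_INSTALL`; a one-line comment stating that assumption next to the assignment would protect the next person who adds an eager sysrepoctl call.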
@@ -155,27 +155,37 @@ set(FORMAT_SRC # checks # -find_package(PkgConfig) -if(PKG_CONFIG_FOUND) - # lnc2 support for np2srv thread count - execute_process(COMMAND ${PKG_CONFIG_EXECUTABLE} "--variable=LNC2_MAX_THREAD_COUNT" "libnetconf2" OUTPUT_VARIABLE LNC2_THREAD_COUNT) - if(LNC2_THREAD_COUNT) - string(STRIP ${LNC2_THREAD_COUNT} LNC2_THREAD_COUNT) - if(LNC2_THREAD_COUNT LESS THREAD_COUNT) - message(FATAL_ERROR "libnetconf2 was compiled with support up to ${LNC2_THREAD_COUNT} threads, server is configured with ${THREAD_COUNT}.") - else() - message(STATUS "libnetconf2 was compiled with support of up to ${LNC2_THREAD_COUNT} threads") - endif() +# PKGCONFIG { + +find_package(PkgConfig REQUIRED) + +# find libnetconf2 pkg +pkg_check_modules(PKG_LN2 REQUIRED libnetconf2) + +# libnetconf2 thread count check +pkg_get_variable(LN2_THREAD_COUNT libnetconf2 LN2_MAX_THREAD_COUNT) +if(LN2_THREAD_COUNT) + if(LN2_THREAD_COUNT LESS THREAD_COUNT) + message(FATAL_ERROR "libnetconf2 was compiled with support up to ${LN2_THREAD_COUNT} threads, server is configured with ${THREAD_COUNT}.") else() - message(STATUS "Unable to learn libnetconf2 thread support, check skipped") + message(STATUS "libnetconf2 was compiled with support of up to ${LN2_THREAD_COUNT} threads") endif() - - # sysrepo group - execute_process(COMMAND ${PKG_CONFIG_EXECUTABLE} "--variable=SR_GROUP" "sysrepo" OUTPUT_VARIABLE SR_GROUP OUTPUT_STRIP_TRAILING_WHITESPACE) else() - message(STATUS "pkg-config not found, so it was not possible to check if libnetconf2 supports ${THREAD_COUNT} threads") + message(STATUS "Unable to learn libnetconf2 thread support, check skipped") +endif() + +# get libnetconf2 module directory, use it later when installing modules +pkg_get_variable(LN2_YANG_MODULE_DIR libnetconf2 LN2_SCHEMAS_DIR) +if(NOT LN2_YANG_MODULE_DIR) + message(FATAL_ERROR "Unable to learn libnetconf2 module search directory.") endif() +# find sysrepo pkg and get sysrepo group +pkg_check_modules(PKG_SR REQUIRED sysrepo) 
+pkg_get_variable(SR_GROUP sysrepo SR_GROUP) + +# } PKGCONFIG + if(ENABLE_VALGRIND_TESTS) find_program(VALGRIND_FOUND valgrind) if(NOT VALGRIND_FOUND) @@ -229,21 +239,11 @@ include_directories(${LIBNETCONF2_INCLUDE_DIRS}) list(APPEND CMAKE_REQUIRED_INCLUDES ${LIBNETCONF2_INCLUDE_DIRS}) list(APPEND CMAKE_REQUIRED_LIBRARIES ${LIBNETCONF2_LIBRARIES}) -# at least some remote transport is enabled -if(LIBNETCONF2_ENABLED_SSH OR LIBNETCONF2_ENABLED_TLS) +# SSH and TLS enabled +if(LIBNETCONF2_ENABLED_SSH_TLS) list(APPEND SERVER_SRC src/netconf_server.c) endif() -# SSH is enabled -if(LIBNETCONF2_ENABLED_SSH) - list(APPEND SERVER_SRC src/netconf_server_ssh.c) -endif() - -# TLS is enabled -if(LIBNETCONF2_ENABLED_TLS) - list(APPEND SERVER_SRC src/netconf_server_tls.c) -endif() - # link compat use_compat() @@ -265,7 +265,7 @@ endif() target_link_libraries(netopeer2-server ${LIBNETCONF2_LIBRARIES}) # libssh (was already found, if exists) -if(LIBSSH_FOUND AND LIBNETCONF2_ENABLED_SSH) +if(LIBSSH_FOUND AND LIBNETCONF2_ENABLED_SSH_TLS) target_link_libraries(netopeer2-server ${LIBSSH_LIBRARIES}) include_directories(${LIBSSH_INCLUDE_DIRS}) endif() @@ -361,6 +361,7 @@ if(INSTALL_MODULES) set(ENV{NP2_MODULE_PERMS} \"${MODULES_PERMS}\") set(ENV{NP2_MODULE_OWNER} \"${MODULES_OWNER}\") set(ENV{NP2_MODULE_GROUP} \"${MODULES_GROUP}\") + set(ENV{LN2_MODULE_DIR} \"${LN2_YANG_MODULE_DIR}\") set(ENV{SYSREPOCTL_EXECUTABLE} \"${SYSREPOCTL_EXECUTABLE}\") set(ENV{SYSREPOCFG_EXECUTABLE} \"${SYSREPOCFG_EXECUTABLE}\") execute_process(COMMAND \"\$ENV{DESTDIR}${SCRIPT_DIR}/setup.sh\" RESULT_VARIABLE SETUP_RES) diff --git a/CMakeModules/FindLibNETCONF2.cmake b/CMakeModules/FindLibNETCONF2.cmake index b400dbb8..8ba5d539 100644 --- a/CMakeModules/FindLibNETCONF2.cmake +++ b/CMakeModules/FindLibNETCONF2.cmake 
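Review bot: The libnetconf2 that pkg-config answers for (`PKG_LN2`, `LN2_MAX_THREAD_COUNT`, `LN2_SCHEMAS_DIR`) is not necessarily the copy that FindLibNETCONF2 resolves for `LIBNETCONF2_INCLUDE_DIRS`/`LIBNETCONF2_LIBRARIES`, and `LN2_YANG_MODULE_DIR` now decides which YANG modules get installed into sysrepo, so a stale second install would silently feed the server schemas that do not match the library it links. A cheap guard is to report both origins and fail when they disagree, e.g. `message(STATUS "libnetconf2 ${PKG_LN2_VERSION} via pkg-config, YANG modules in ${LN2_YANG_MODULE_DIR}")` next to the existing thread-count output, plus a comparison against `LIBNETCONF2_VERSION` if the two strings are comparable (FindLibNETCONF2 reports an SO version, per its header). `pkg_get_variable(SR_GROUP sysrepo SR_GROUP)` no longer sits behind a found-check, which is fine only because the preceding `pkg_check_modules` is REQUIRED; a short comment saying so would save a reader from looking for the old guard.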
@@ -5,8 +5,7 @@ # LIBNETCONF2_INCLUDE_DIRS - the LibNETCONF2 include directory # LIBNETCONF2_LIBRARIES - Link these to use LibNETCONF2 # LIBNETCONF2_VERSION - SO version of the found libNETCONF2 library -# LIBNETCONF2_ENABLED_SSH - LibNETCONF2 was compiled with SSH support -# LIBNETCONF2_ENABLED_TLS - LibNETCONF2 was compiled with TLS support +# LIBNETCONF2_ENABLED_SSH_TLS - LibNETCONF2 was compiled with SSH and TLS support # # Author Michal Vasko # Copyright (c) 2021 CESNET, z.s.p.o. @@ -93,8 +92,7 @@ else() # check the configured options and make them available through cmake list(INSERT CMAKE_REQUIRED_INCLUDES 0 "${LIBNETCONF2_INCLUDE_DIR}") - check_symbol_exists("NC_ENABLED_SSH" "nc_client.h" LIBNETCONF2_ENABLED_SSH) - check_symbol_exists("NC_ENABLED_TLS" "nc_client.h" LIBNETCONF2_ENABLED_TLS) + check_symbol_exists("NC_ENABLED_SSH_TLS" "nc_client.h" LIBNETCONF2_ENABLED_SSH_TLS) list(REMOVE_AT CMAKE_REQUIRED_INCLUDES 0) endif() From e79af48289e04611956444cce622474334420cba Mon Sep 17 00:00:00 2001 From: roman Date: Thu, 14 Sep 2023 08:56:11 +0200 Subject: [PATCH 07/23] cli UPDATE replace SSH and TLS macros --- cli/CMakeLists.txt | 9 +++--- cli/commands.c | 73 ++++++++++++--------------------------------- cli/completion.c | 8 ++--- cli/configuration.c | 18 ++++++----- 4 files changed, 37 insertions(+), 71 deletions(-) diff --git a/cli/CMakeLists.txt b/cli/CMakeLists.txt index 0cc07f88..6263bcb5 100644 --- a/cli/CMakeLists.txt +++ b/cli/CMakeLists.txt 
@@ -27,17 +27,16 @@ target_link_libraries(netopeer2-cli ${CMAKE_THREAD_LIBS_INIT}) target_link_libraries(netopeer2-cli ${LIBYANG_LIBRARIES}) target_link_libraries(netopeer2-cli ${LIBNETCONF2_LIBRARIES}) -# dependencies - libssh -if(LIBNETCONF2_ENABLED_SSH) +# dependencies +if(LIBNETCONF2_ENABLED_SSH_TLS) + # - libssh if(NOT LIBSSH_FOUND) message(FATAL_ERROR "libnetconf2 supports SSH but libssh was not found, CLI compilation failed!") endif() target_link_libraries(netopeer2-cli ${LIBSSH_LIBRARIES}) include_directories(${LIBSSH_INCLUDE_DIRS}) -endif() -# dependencies - libssl (and openssl) -if(LIBNETCONF2_ENABLED_TLS) + # - openssl if(NOT OPENSSL_FOUND) message(FATAL_ERROR "libnetconf2 supports TLS but OpenSSL was not found, CLI compilation failed!") endif() diff --git a/cli/commands.c b/cli/commands.c index afe78dfc..cfbadea4 100644 --- a/cli/commands.c +++ b/cli/commands.c @@ -34,7 +34,7 @@ #include #include -#ifdef NC_ENABLED_TLS +#ifdef NC_ENABLED_SSH_TLS # include # include #endif @@ -663,13 +663,9 @@ cmd_verb_help(void) static void cmd_connect_help(void) { -#if defined (NC_ENABLED_SSH) && defined (NC_ENABLED_TLS) +#ifdef NC_ENABLED_SSH_TLS printf("connect [--help] [--ssh] [--host ] [--port ] [--login ]\n"); printf("connect [--help] --tls [--host ] [--port ] [--cert [--key ]] [--trusted ]\n"); -#elif defined (NC_ENABLED_SSH) - printf("connect [--help] [--ssh] [--host ] [--port ] [--login ]\n"); -#elif defined (NC_ENABLED_TLS) - printf("connect [--help] [--tls] [--host ] [--port ] [--cert [--key ]] [--trusted ]\n"); #endif printf("connect [--help] --unix [--socket ]\n"); } 
@@ -677,15 +673,10 @@ cmd_connect_help(void) static void cmd_listen_help(void) { -#if defined (NC_ENABLED_SSH) && defined (NC_ENABLED_TLS) +#ifdef NC_ENABLED_SSH_TLS printf("listen [--help] [--timeout ] [--host ] [--port ]\n"); printf(" SSH [--ssh] [--login ]\n"); printf(" TLS --tls [--cert [--key ]] [--trusted ] [--peername ]\n"); -#elif defined (NC_ENABLED_SSH) - printf("listen [--help] [--ssh] [--timeout ] [--host ] [--port ] [--login ]\n"); -#elif defined (NC_ENABLED_TLS) - printf("listen [--help] [--tls] [--timeout ] [--host ] [--port ]" - " [--cert [--key ]] [--trusted ] [--peername ]\n"); #endif } @@ -1273,7 +1264,7 @@ cmd_timed_help(void) printf("timed [--help] [on | off]\n"); } -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS static void cmd_auth_help(void) @@ -1287,10 +1278,6 @@ cmd_knownhosts_help(void) printf("knownhosts [--help] [--del ]\n"); } -#endif /* NC_ENABLED_SSH */ - -#ifdef NC_ENABLED_TLS - static void cmd_cert_help(void) { @@ -1303,10 +1290,6 @@ cmd_crl_help(void) printf("crl [--help | display | add | remove ]\n"); } -#endif /* NC_ENABLED_TLS */ - -#ifdef NC_ENABLED_SSH - static int cmd_auth(const char *arg, char **UNUSED(tmp_config_file)) { @@ -1763,10 +1746,6 @@ cmd_connect_listen_ssh(struct arglist *cmd, int is_connect) return EXIT_SUCCESS; } -#endif /* NC_ENABLED_SSH */ - -#ifdef NC_ENABLED_TLS - static int cp(const char *to, const char *from) { @@ -2602,7 +2581,7 @@ cmd_connect_listen_tls(struct arglist *cmd, int is_connect) return ret; } -#endif /* NC_ENABLED_TLS */ +#endif /* NC_ENABLED_SSH_TLS */ static int cmd_connect_listen_unix(struct arglist *cmd, int is_connect) 
@@ -2739,22 +2718,22 @@ cmd_verb(const char *arg, char **UNUSED(tmp_config_file)) verb = arg + 5; if (!strcmp(verb, "error") || !strcmp(verb, "0")) { nc_verbosity(0); -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(0); #endif } else if (!strcmp(verb, "warning") || !strcmp(verb, "1")) { nc_verbosity(1); -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(1); #endif } else if (!strcmp(verb, "verbose") || !strcmp(verb, "2")) { nc_verbosity(2); -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(2); #endif } else if (!strcmp(verb, "debug") || !strcmp(verb, "3")) { nc_verbosity(3); -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS nc_libssh_thread_verbosity(3); #endif } else { @@ -2793,14 +2772,12 @@ cmd_status(const char *UNUSED(arg), char **UNUSED(tmp_config_file)) printf("Current NETCONF session:\n"); printf(" ID : %u\n", nc_session_get_id(session)); switch (transport) { -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS case NC_TI_LIBSSH: s = "SSH"; printf(" Host : %s\n", nc_session_get_host(session)); printf(" Port : %u\n", nc_session_get_port(session)); break; -#endif -#ifdef NC_ENABLED_TLS case NC_TI_OPENSSL: s = "TLS"; printf(" Host : %s\n", nc_session_get_host(session)); @@ -2839,14 +2816,12 @@ cmd_connect_listen(const char *arg, int is_connect) struct arglist cmd; struct option long_options[] = { {"help", 0, 0, 'h'}, -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS {"ssh", 0, 0, 's'}, {"timeout", 1, 0, 'i'}, {"host", 1, 0, 'o'}, {"port", 1, 0, 'p'}, {"login", 1, 0, 'l'}, -#endif -#ifdef NC_ENABLED_TLS {"tls", 0, 0, 't'}, {"timeout", 1, 0, 'i'}, {"host", 1, 0, 'o'}, 
@@ -2879,12 +2854,8 @@ cmd_connect_listen(const char *arg, int is_connect) ret = -1; -#if defined (NC_ENABLED_SSH) && defined (NC_ENABLED_TLS) +#ifdef NC_ENABLED_SSH_TLS optstring = "hsti:o:p:l:c:k:r:e:uS:"; -#elif defined (NC_ENABLED_SSH) - optstring = "hsi:o:p:l:uS:"; -#elif defined (NC_ENABLED_TLS) - optstring = "hti:o:p:c:k:r:e:uS:"; #else optstring = "hi:o:p:c:k:r:e:uS:"; #endif @@ -2894,12 +2865,10 @@ cmd_connect_listen(const char *arg, int is_connect) case 'h': ti = NC_TI_FD; break; -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS case 's': ti = NC_TI_LIBSSH; break; -#endif -#ifdef NC_ENABLED_TLS case 't': ti = NC_TI_OPENSSL; break; @@ -2914,10 +2883,8 @@ cmd_connect_listen(const char *arg, int is_connect) if (!ti) { /* default transport */ -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS ti = NC_TI_LIBSSH; -#elif defined (NC_ENABLED_TLS) - ti = NC_TI_OPENSSL; #endif } @@ -2932,12 +2899,10 @@ cmd_connect_listen(const char *arg, int is_connect) case NC_TI_UNIX: ret = cmd_connect_listen_unix(&cmd, is_connect); break; -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS case NC_TI_LIBSSH: ret = cmd_connect_listen_ssh(&cmd, is_connect); break; -#endif -#ifdef NC_ENABLED_TLS case NC_TI_OPENSSL: ret = cmd_connect_listen_tls(&cmd, is_connect); break; 
@@ -6765,17 +6730,17 @@ cmd_timed(const char *arg, char **UNUSED(tmp_config_file)) } COMMAND commands[] = { -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS {"auth", cmd_auth, cmd_auth_help, "Manage SSH authentication options"}, #endif {"cancel-commit", cmd_cancelcommit, cmd_cancelcommit_help, "ietf-netconf operation"}, -#ifdef NC_ENABLED_TLS +#ifdef NC_ENABLED_SSH_TLS {"cert", cmd_cert, cmd_cert_help, "Manage trusted or your own certificates"}, #endif {"commit", cmd_commit, cmd_commit_help, "ietf-netconf operation"}, {"connect", cmd_connect, cmd_connect_help, "Connect to a NETCONF server"}, {"copy-config", cmd_copyconfig, cmd_copyconfig_help, "ietf-netconf operation"}, -#ifdef NC_ENABLED_TLS +#ifdef NC_ENABLED_SSH_TLS {"crl", cmd_crl, cmd_crl_help, "Manage Certificate Revocation List directory"}, #endif {"delete-config", cmd_deleteconfig, cmd_deleteconfig_help, "ietf-netconf operation"}, @@ -6801,7 +6766,7 @@ COMMAND commands[] = { {"help", cmd_help, NULL, "Display commands description"}, {"kill-session", cmd_killsession, cmd_killsession_help, "ietf-netconf operation"}, {"kill-sub", cmd_killsub, cmd_killsub_help, "ietf-subscribed-notifications operation"}, -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS {"knownhosts", cmd_knownhosts, cmd_knownhosts_help, "Manage the user knownhosts file"}, #endif {"listen", cmd_listen, cmd_listen_help, "Wait for a Call Home connection from a NETCONF server"}, diff --git a/cli/completion.c b/cli/completion.c index 29669212..d979b602 100644 --- a/cli/completion.c +++ b/cli/completion.c 
@@ -82,11 +82,9 @@ complete_cmd(const char *buf, const char *hint, linenoiseCompletions *lc) unsigned int match_count = 0, i; if (!strncmp(buf, "searchpath ", 11) -#ifdef NC_ENABLED_SSH - || !strncmp(buf, "auth keys add ", 14) -#endif -#ifdef NC_ENABLED_TLS - || !strncmp(buf, "cert add ", 9) || !strncmp(buf, "cert remove ", 12) || !strncmp(buf, "cert replaceown ", 16) || +#ifdef NC_ENABLED_SSH_TLS + || !strncmp(buf, "auth keys add ", 14) || + !strncmp(buf, "cert add ", 9) || !strncmp(buf, "cert remove ", 12) || !strncmp(buf, "cert replaceown ", 16) || !strncmp(buf, "crl add ", 8) || !strncmp(buf, "crl remove ", 11) #endif ) { diff --git a/cli/configuration.c b/cli/configuration.c index c475f9ab..2d90cf4e 100644 --- a/cli/configuration.c +++ b/cli/configuration.c @@ -303,7 +303,7 @@ load_config(void) struct lyd_node *config = NULL, *child; struct ly_ctx *ctx = NULL; -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS const char *key_pub, *key_priv; struct lyd_node *auth_child, *pref_child, *key_child, *pair_child; #endif @@ -367,7 +367,7 @@ load_config(void) opts.output_flag = LYD_PRINT_SHRINK; } /* else default (formatted XML) */ } -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS else if (!strcmp(LYD_NAME(child), "authentication")) { /* -> */ LY_LIST_FOR(lyd_child(child), auth_child) { @@ -402,7 +402,7 @@ load_config(void) } } } -#endif /* ENABLE_SSH */ +#endif /* NC_ENABLED_SSH_TLS */ } cleanup: @@ -415,9 +415,13 @@ load_config(void) void store_config(void) { - char *netconf_dir = NULL, *history_file = NULL, *config_file = NULL, buf[23]; +#ifdef NC_ENABLED_SSH_TLS + char buf[23]; + struct lyd_node *auth, *pref, *keys, *pair; +#endif /* NC_ENABLED_SSH_TLS */ + char *netconf_dir = NULL, *history_file = NULL, *config_file = NULL; struct ly_ctx *ctx = NULL; - struct lyd_node *root = NULL, *auth, *pref, *keys, *pair; + struct lyd_node *root = NULL; const char *str, *ns = "urn:cesnet:netconf-client"; if (ly_ctx_new(NULL, 0, &ctx)) { 
@@ -452,7 +456,7 @@ store_config(void) goto cleanup; } -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS /* SSH authentication */ if (lyd_new_opaq2(root, NULL, "authentication", NULL, NULL, ns, &auth)) { goto cleanup; @@ -498,7 +502,7 @@ store_config(void) } } } -#endif +#endif /* NC_ENABLED_SSH_TLS */ /* get netconf dir */ if ((netconf_dir = get_netconf_dir()) == NULL) { From c8e8dc1164d434bfc5680a6a87226a6228b622ba Mon Sep 17 00:00:00 2001 From: roman Date: Thu, 14 Sep 2023 08:56:55 +0200 Subject: [PATCH 08/23] monitoring UPDATE replace SSH and TLS macros --- src/netconf_monitoring.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/netconf_monitoring.c b/src/netconf_monitoring.c index 467338b1..436c8126 100644 --- a/src/netconf_monitoring.c +++ b/src/netconf_monitoring.c @@ -66,11 +66,9 @@ static int ncm_is_monitored(struct nc_session *session) { switch (nc_session_get_ti(session)) { -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS case NC_TI_LIBSSH: return 1; -#endif -#ifdef NC_ENABLED_TLS case NC_TI_OPENSSL: return 1; #endif @@ -333,12 +331,10 @@ np2srv_ncm_oper_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const cha lyd_new_list(cont, NULL, "session", 0, &list, buf); switch (nc_session_get_ti(stats.sessions[i])) { -#ifdef NC_ENABLED_SSH +#ifdef NC_ENABLED_SSH_TLS case NC_TI_LIBSSH: lyd_new_term(list, NULL, "transport", "netconf-ssh", 0, NULL); break; -#endif -#ifdef NC_ENABLED_TLS case NC_TI_OPENSSL: lyd_new_term(list, NULL, "transport", "netconf-tls", 0, NULL); break; From f83baf9367b764599e4ea2eb2090a8a51a3c6dec Mon Sep 17 00:00:00 2001 
From: roman Date: Thu, 14 Sep 2023 09:01:22 +0200 Subject: [PATCH 09/23] np_test UPDATE set ln2 mod dir env & default cfg Sets the env variable from which the modules will be loaded in a test. No longer wait for a socket to know that server is ready, instead wait for its pidfile. Create default UNIX socket manually, since the -U opt was removed from np2-srv as it's no longer needed. --- tests/np_test.c | 60 +++++++++++++++++++++++++++++---------- tests/np_test_config.h.in | 3 ++ 2 files changed, 48 insertions(+), 15 deletions(-) diff --git a/tests/np_test.c b/tests/np_test.c index d8086e96..48defff1 100644 --- a/tests/np_test.c +++ b/tests/np_test.c @@ -54,15 +54,15 @@ parse_arg(int argc, char **argv) } static int -setup_server_socket_wait(const char *socket_path) +setup_server_file_exists_wait(const char *path) { /* max sleep 10s */ - const uint32_t sleep_count = 400; - const struct timespec ts = {.tv_sec = 0, .tv_nsec = 25000000}; + const uint32_t sleep_count = 200; + const struct timespec ts = {.tv_sec = 0, .tv_nsec = 50000000}; uint32_t count = 0; while (count < sleep_count) { - if (!access(socket_path, F_OK)) { + if (!access(path, F_OK)) { break; } @@ -135,7 +135,7 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) { struct np_test *st; pid_t pid; - char str[256], server_dir[256], sock_param[128], extdata_path[256]; + char str[256], server_dir[256], extdata_path[256], sock_path[256], pidfile_path[256]; int fd, pipefd[2], buf; if (!getcwd(str, 256)) { @@ -155,6 +155,10 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) SETUP_FAIL_LOG; return 1; } + if (setenv("LN2_MODULE_DIR", LN2_YANG_MODULE_DIR, 1)) { + SETUP_FAIL_LOG; + return 1; + } if (setenv("NP2_MODULE_PERMS", "600", 1)) { SETUP_FAIL_LOG; return 1; 
@@ -167,6 +171,10 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) SETUP_FAIL_LOG; return 1; } + if (unsetenv("LN2_MODULE_DIR")) { + SETUP_FAIL_LOG; + return 1; + } if (unsetenv("NP2_MODULE_PERMS")) { SETUP_FAIL_LOG; return 1; @@ -185,7 +193,7 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) } /* generate path to socket */ - sprintf(sock_param, "-U%s/%s/%s", NP_TEST_DIR, test_name, NP_SOCKET_FILE); + sprintf(sock_path, "%s/%s/%s", NP_TEST_DIR, test_name, NP_SOCKET_FILE); /* generate path to server-files */ sprintf(server_dir, "%s/%s", NP_TEST_DIR, test_name); @@ -193,6 +201,9 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) /* generate path to the schema-mount ext data */ sprintf(extdata_path, "%s/%s", NP_TEST_MODULE_DIR, NP_EXT_DATA_FILE); + /* generate path to the server's pidfile */ + sprintf(pidfile_path, "%s/%s/%s", NP_TEST_DIR, test_name, NP_PID_FILE); + /* fork and start the server */ if (!(pid = fork())) { /* open log file */ @@ -221,9 +232,7 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) close(fd); /* exec server listening on a unix socket */ - sprintf(str, "-p%s/%s/%s", NP_TEST_DIR, test_name, NP_PID_FILE); - execl(NP_BINARY_DIR "/netopeer2-server", NP_BINARY_DIR "/netopeer2-server", "-d", "-v3", "-t10", str, sock_param, - "-m 600", "-f", server_dir, "-x", extdata_path, NULL); + execl(NP_BINARY_DIR "/netopeer2-server", NP_BINARY_DIR "/netopeer2-server", "-d", "-v3", "-t10", "-p", pidfile_path, "-f", server_dir, "-x", extdata_path, NULL); child_error: printf("Child execution failed\n"); @@ -241,8 +250,8 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) close(pipefd[0]); } - /* wait for the server, until it creates its socket */ - if (setup_server_socket_wait(sock_param + 2)) { + /* wait until the server creates a pidfile */ + if (setup_server_file_exists_wait(pidfile_path)) { SETUP_FAIL_LOG; return 1; } 
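Review bot: The added `sprintf(pidfile_path, "%s/%s/%s", NP_TEST_DIR, test_name, NP_PID_FILE)` writes into a fixed 256-byte stack buffer with no bound, as do the neighbouring `sock_path` and `server_dir` formats, and `test_name` comes from the caller. Using `snprintf` and failing on truncation, e.g. `if (snprintf(pidfile_path, sizeof pidfile_path, "%s/%s/%s", NP_TEST_DIR, test_name, NP_PID_FILE) >= (int) sizeof pidfile_path) { SETUP_FAIL_LOG; return 1; }`, turns a silent overflow into a test-setup failure. The socket path in particular is later copied into `st->socket_path` and presumably bound as a UNIX socket, whose `sun_path` is shorter than 256 bytes on common platforms, so it deserves the same length check. np_glob_setup_np2 continues on both sides of this hunk.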
@@ -255,7 +264,7 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) } *state = st; st->server_pid = pid; - strncpy(st->socket_path, sock_param + 2, sizeof st->socket_path - 1); + strncpy(st->socket_path, sock_path, sizeof st->socket_path - 1); strncpy(st->test_name, test_name, sizeof st->test_name - 1); /* create connection and install modules */ @@ -268,18 +277,39 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) return 1; } - /* start session and acquire context */ + /* start session */ if (sr_session_start(st->conn, SR_DS_RUNNING, &st->sr_sess)) { SETUP_FAIL_LOG; return 1; } + + /* prepare UNIX socket data for server configuration in the data store */ + if (sr_set_item_str(st->sr_sess, "/ietf-netconf-server:netconf-server/listen/endpoint[name='unix']/libnetconf2-netconf-server:unix-socket/path", sock_path, NULL, 0) != SR_ERR_OK) { + SETUP_FAIL_LOG; + return 1; + } + if (sr_set_item_str(st->sr_sess, "/ietf-netconf-server:netconf-server/listen/endpoint[name='unix']/libnetconf2-netconf-server:unix-socket/mode", "600", NULL, 0) != SR_ERR_OK) { + SETUP_FAIL_LOG; + return 1; + } + + /* apply the configuration */ + if (sr_apply_changes(st->sr_sess, 0)) { + SETUP_FAIL_LOG; + return 1; + } + + /* acquire context */ if (!(st->ctx = sr_acquire_context(st->conn))) { SETUP_FAIL_LOG; return 1; } /* init LNC2 */ - nc_client_init(); + if (nc_client_init()) { + SETUP_FAIL_LOG; + return 1; + } nc_client_set_schema_searchpath(NP_TEST_MODULE_DIR); /* create NETCONF sessions */ @@ -320,7 +350,7 @@ np_glob_teardown(void **state, const char **modules) /* uninstall modules */ if (modules && (rc = sr_remove_modules(st->conn, modules, 0))) { - printf("sr_remove_module() failed (%s)\n", sr_strerror(rc)); + printf("sr_remove_modules() failed (%s)\n", sr_strerror(rc)); ret = 1; } diff --git a/tests/np_test_config.h.in b/tests/np_test_config.h.in index 47985e79..b5dc4aa7 100644 --- a/tests/np_test_config.h.in 
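Review bot: After `sr_apply_changes()` pushes the UNIX endpoint into running, nothing waits for the server to actually create `sock_path`; the earlier wait only checks the pidfile, which the server presumably writes before it has picked up this configuration (the server side is outside this diff). If the session creation that follows connects to `st->socket_path` without retrying, the test races the server and will fail intermittently on a loaded CI host. Re-using the helper this patch already renamed, `if (setup_server_file_exists_wait(sock_path)) { SETUP_FAIL_LOG; return 1; }` placed right after the apply closes the gap. The mode `"600"` on the endpoint is the right default for a test socket; a comment noting that it replaces the removed `-m 600` command-line option would make the intent visible. np_glob_setup_np2 continues outside this hunk.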
+++ b/tests/np_test_config.h.in @@ -55,4 +55,7 @@ /** @brief diretory for server backup files for confirmed commit */ #define NCC_TEST_DIR NP2SRV_TEST_DIR "/confirmed_commit" +/** @brief directory for libnetconf2 YANG modules */ +#define LN2_YANG_MODULE_DIR "@LN2_YANG_MODULE_DIR@" + #endif /* _NP_TEST_CONFIG_H_ */ From 407f903b17d21f20bec498c10edaffcf84cd3778 Mon Sep 17 00:00:00 2001 From: roman Date: Thu, 14 Sep 2023 09:09:13 +0200 Subject: [PATCH 10/23] tests UPDATE account for server cfg in the DS Filters had to be added when getting config from DS in order for them to work like they did, because server config was getting in the way. Substring checking was used where it wasn't as simple. --- tests/np_test.c | 10 +++++- tests/np_test.h | 4 +-- tests/test_candidate.c | 22 ++++++------ tests/test_confirmed_commit.c | 62 ++++++++++++++++----------------- tests/test_edit.c | 32 ++++++++--------- tests/test_nacm.c | 24 +------------ tests/test_rpc.c | 2 +- tests/test_with_defaults.c | 20 +++++------ tests/test_yang_push.c | 12 +++---- tests/test_yang_push_advanced.c | 6 ++-- 10 files changed, 90 insertions(+), 104 deletions(-) diff --git a/tests/np_test.c b/tests/np_test.c index 48defff1..35f4b059 100644 --- a/tests/np_test.c +++ b/tests/np_test.c @@ -155,6 +155,10 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) SETUP_FAIL_LOG; return 1; } + if (setenv("NP2_SCRIPTS_DIR", NP_ROOT_DIR "/scripts", 1)) { + SETUP_FAIL_LOG; + return 1; + } if (setenv("LN2_MODULE_DIR", LN2_YANG_MODULE_DIR, 1)) { SETUP_FAIL_LOG; return 1; @@ -171,6 +175,10 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) SETUP_FAIL_LOG; return 1; } + if (unsetenv("NP2_SCRIPTS_DIR")) { + SETUP_FAIL_LOG; + return 1; + } if (unsetenv("LN2_MODULE_DIR")) { SETUP_FAIL_LOG; return 1; 
@@ -231,7 +239,7 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules) close(fd); - /* exec server listening on a unix socket */ + /* exec the server */ execl(NP_BINARY_DIR "/netopeer2-server", NP_BINARY_DIR "/netopeer2-server", "-d", "-v3", "-t10", "-p", pidfile_path, "-f", server_dir, "-x", extdata_path, NULL); child_error: diff --git a/tests/np_test.h b/tests/np_test.h index a02a4b5e..07fd0674 100644 --- a/tests/np_test.h +++ b/tests/np_test.h @@ -180,8 +180,8 @@ " \n" \ "\n" -#define ASSERT_EMPTY_CONFIG(state) \ - GET_CONFIG(state); \ +#define ASSERT_EMPTY_CONFIG_FILTER(state, filter) \ + GET_CONFIG_FILTER(state, filter); \ assert_string_equal(state->str, EMPTY_GETCONFIG); \ FREE_TEST_VARS(state); diff --git a/tests/test_candidate.c b/tests/test_candidate.c index e3608c7e..d3d2e2ab 100644 --- a/tests/test_candidate.c +++ b/tests/test_candidate.c @@ -138,7 +138,7 @@ test_edit_basic(void **state) FREE_TEST_VARS(st); /* Check if it was merged */ - GET_DS_CONFIG(st, NC_DATASTORE_CANDIDATE); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit1:*"); expected = "\n" @@ -172,8 +172,8 @@ test_commit(void **state) SR_EDIT_SESSION(st, st->sr_sess2, data); - /* Check if running is empty */ - GET_DS_CONFIG(st, NC_DATASTORE_RUNNING); + /* Check if running of edit1 is empty */ + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_RUNNING, "/edit1:*"); expected = "\n" @@ -193,8 +193,8 @@ test_commit(void **state) FREE_TEST_VARS(st); - /* Check if running is now same as candidate */ - GET_DS_CONFIG(st, NC_DATASTORE_CANDIDATE); + /* Check if running is now same as candidate of edit1 */ + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit1:*"); expected = "\n" @@ -215,7 +215,7 @@ test_discard_changes(void **state) char *expected; /* check if Running is empty */ - GET_DS_CONFIG(st, NC_DATASTORE_RUNNING); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_RUNNING, "/edit1:*"); expected = "\n" " \n" 
@@ -250,7 +250,7 @@ test_discard_changes(void **state) FREE_TEST_VARS(st); /* check if Candidate is now empty too */ - GET_DS_CONFIG(st, NC_DATASTORE_CANDIDATE); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit1:*"); expected = "\n" " \n" @@ -462,7 +462,7 @@ test_discard_changes_advanced(void **state) const char *expected; /* Check if running has correct data */ - GET_DS_CONFIG(st, NC_DATASTORE_RUNNING); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_RUNNING, "/edit2:*"); expected = "\n" @@ -478,7 +478,7 @@ test_discard_changes_advanced(void **state) FREE_TEST_VARS(st); /* Check if candidate has correct dada */ - GET_DS_CONFIG(st, NC_DATASTORE_CANDIDATE); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit2:*"); expected = "\n" @@ -504,7 +504,7 @@ test_discard_changes_advanced(void **state) FREE_TEST_VARS(st); /* Check if candidate is now same as running */ - GET_DS_CONFIG(st, NC_DATASTORE_RUNNING); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_RUNNING, "/edit2:*"); expected = "\n" @@ -570,7 +570,7 @@ test_locked_discard_changes(void **state) FREE_TEST_VARS(st); /* check candidate */ - GET_DS_CONFIG(st, NC_DATASTORE_CANDIDATE); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit2:*"); data = "\n" " \n" diff --git a/tests/test_confirmed_commit.c b/tests/test_confirmed_commit.c index 3afe651a..d379eef0 100644 --- a/tests/test_confirmed_commit.c +++ b/tests/test_confirmed_commit.c @@ -125,8 +125,8 @@ test_sameas_commit(void **state) struct np_test *st = *state; const char *expected; - /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + /* Prior to the test running of edit1 should be empty */ + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*") /* Send a confirmed-commit rpc */ st->rpc = nc_rpc_commit(1, 0, NULL, NULL, NC_PARAMTYPE_CONST); 
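Review bot: `ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*")` in test_sameas_commit (and again in test_timeout_runout further down this file) is written without a trailing semicolon, unlike every other call site in the patch; it only compiles because the macro's expansion ends in a statement. Writing `ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*");` keeps the call sites uniform and survives a later change of the macro to a `do { ... } while (0)` form. The filter also narrows the assertion to the edit1 subtree, so these tests no longer observe the server's own configuration in running; that is intended per the commit message but is worth a short comment where the macro is defined.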
@@ -138,7 +138,7 @@ test_sameas_commit(void **state) FREE_TEST_VARS(st); /* Running should now be same as candidate, same as basic commit */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -164,8 +164,8 @@ test_timeout_runout(void **state) struct np_test *st = *state; const char *expected; - /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + /* Prior to the test running of edit1 should be empty */ + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*") /* running lock RPC */ st->rpc = nc_rpc_lock(NC_DATASTORE_RUNNING); @@ -202,7 +202,7 @@ test_timeout_runout(void **state) sleep(2); /* Running should have reverted back to it's original value */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* running unlock RPC */ st->rpc = nc_rpc_unlock(NC_DATASTORE_RUNNING); @@ -221,7 +221,7 @@ test_timeout_confirm(void **state) const char *expected; /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* Send a confirmed-commit rpc with 1s timeout */ st->rpc = nc_rpc_commit(1, 1, NULL, NULL, NC_PARAMTYPE_CONST); @@ -233,7 +233,7 @@ test_timeout_confirm(void **state) FREE_TEST_VARS(st); /* Running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -255,7 +255,7 @@ test_timeout_confirm(void **state) sleep(2); /* Data should remain unchanged */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); assert_string_equal(st->str, expected); FREE_TEST_VARS(st); } @@ -268,7 +268,7 @@ test_timeout_confirm_modify(void **state) const char *data; /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* Send a confirmed-commit rpc with 1s timeout */ st->rpc = nc_rpc_commit(1, 1, NULL, NULL, NC_PARAMTYPE_CONST); 
@@ -280,7 +280,7 @@ test_timeout_confirm_modify(void **state) FREE_TEST_VARS(st); /* Running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -307,7 +307,7 @@ test_timeout_confirm_modify(void **state) sleep(2); /* Data should change */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -325,7 +325,7 @@ test_timeout_followup(void **state) const char *data, *expected; /* prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* send a confirmed-commit rpc with 60s timeout */ st->rpc = nc_rpc_commit(1, 60, NULL, NULL, NC_PARAMTYPE_CONST); @@ -347,7 +347,7 @@ test_timeout_followup(void **state) FREE_TEST_VARS(st); /* running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -361,7 +361,7 @@ test_timeout_followup(void **state) sleep(2); /* data should remain unchanged, empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static void @@ -371,7 +371,7 @@ test_cancel(void **state) const char *expected, *data; /* prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* send cancel-commit rpc, should fail as there is no commit */ st->rpc = nc_rpc_cancel(NULL, NC_PARAMTYPE_CONST); @@ -397,7 +397,7 @@ test_cancel(void **state) FREE_TEST_VARS(st); /* running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -417,7 +417,7 @@ test_cancel(void **state) FREE_TEST_VARS(st); /* running should now be back how it was */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" 
@@ -440,7 +440,7 @@ test_rollback_disconnect(void **state) const char *expected; /* prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* create a new session */ ncs = nc_connect_unix(st->socket_path, NULL); @@ -458,7 +458,7 @@ test_rollback_disconnect(void **state) FREE_TEST_VARS(st); /* running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -475,7 +475,7 @@ test_rollback_disconnect(void **state) usleep(100000); /* data should remain unchanged, empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static void @@ -485,7 +485,7 @@ test_rollback_locked(void **state) const char *expected; /* prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* running lock RPC */ st->rpc = nc_rpc_lock(NC_DATASTORE_RUNNING); @@ -502,7 +502,7 @@ test_rollback_locked(void **state) FREE_TEST_VARS(st); /* running should now be the same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -527,7 +527,7 @@ test_rollback_locked(void **state) FREE_TEST_VARS(st); /* data should remain unchanged, empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* running unlock RPC */ st->rpc = nc_rpc_unlock(NC_DATASTORE_RUNNING); @@ -544,7 +544,7 @@ test_confirm_persist(void **state) const char *expected, *persist = "test-persist-1"; /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* Send a confirmed-commit rpc with persist */ st->rpc = nc_rpc_commit(1, 0, persist, NULL, NC_PARAMTYPE_CONST); @@ -556,7 +556,7 @@ test_confirm_persist(void **state) FREE_TEST_VARS(st); /* Running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" 
@@ -576,7 +576,7 @@ test_confirm_persist(void **state) FREE_TEST_VARS(st); /* Data should remain unchanged */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); assert_string_equal(st->str, expected); FREE_TEST_VARS(st); } @@ -589,7 +589,7 @@ test_cancel_persist(void **state) struct nc_session *nc_sess; /* prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* start a new NC session */ nc_sess = nc_connect_unix(st->socket_path, NULL); @@ -605,7 +605,7 @@ test_cancel_persist(void **state) FREE_TEST_VARS(st); /* running should now be same as candidate */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -628,7 +628,7 @@ test_cancel_persist(void **state) FREE_TEST_VARS(st); /* running should now be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static void @@ -739,7 +739,7 @@ test_failed_file(void **state) DIR *dir = NULL; /* Prior to the test running should be empty */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); /* Send a confirmed-commit rpc with 1s timeout */ st->rpc = nc_rpc_commit(1, 1, NULL, NULL, NC_PARAMTYPE_CONST); diff --git a/tests/test_edit.c b/tests/test_edit.c index 3f2ad16d..1196d458 100644 --- a/tests/test_edit.c +++ b/tests/test_edit.c @@ -175,7 +175,7 @@ test_delete_edit1(void **state) FREE_TEST_VARS(st); /* Check if the config was deleted */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static int @@ -209,7 +209,7 @@ test_delete_edit2(void **state) FREE_TEST_VARS(st); /* Check if the config was deleted */ - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit2:*"); } static int @@ -345,7 +345,7 @@ test_merge_partial(void **state) FREE_TEST_VARS(st); /* Check if merged successfully */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit2:*"); expected = "\n" " \n" 
@@ -387,7 +387,7 @@ test_merge_into_existing(void **state) FREE_TEST_VARS(st); /* Check if correctly merged */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit2:*"); expected = "\n" " \n" @@ -431,7 +431,7 @@ test_merge_overwrite(void **state) FREE_TEST_VARS(st); /* Check if config was correctly overwritten */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit2:*"); expected = "\n" " \n" @@ -476,7 +476,7 @@ test_replace(void **state) FREE_TEST_VARS(st); /* Check if replaced correctly */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit3:*"); expected = "\n" " \n" @@ -505,7 +505,7 @@ test_replace_create(void **state) FREE_TEST_VARS(st); /* Check if created correctly */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit3:*"); expected = "\n" " \n" @@ -533,7 +533,7 @@ test_create(void **state) FREE_TEST_VARS(st); /* Check if config config now contains edit1 */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -594,7 +594,7 @@ test_remove(void **state) SEND_EDIT_RPC(st, data); ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static void @@ -606,7 +606,7 @@ test_remove_empty(void **state) SEND_EDIT_RPC(st, data); ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - ASSERT_EMPTY_CONFIG(st); + ASSERT_EMPTY_CONFIG_FILTER(st, "/edit1:*"); } static int @@ -650,7 +650,7 @@ test_ex1(void **state) ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/example1:*"); expected = "\n" " \n" @@ -724,7 +724,7 @@ test_ex2(void **state) ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/example2:*"); expected = "\n" " \n" @@ -765,7 +765,7 @@ test_autodel_case(void **state) FREE_TEST_VARS(st); /* check data */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit4:*"); assert_non_null(strstr(st->str, "l1")); assert_non_null(strstr(st->str, "l2")); FREE_TEST_VARS(st); 
@@ -780,7 +780,7 @@ test_autodel_case(void **state) FREE_TEST_VARS(st); /* check data */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit4:*"); assert_null(strstr(st->str, "l1")); assert_null(strstr(st->str, "l2")); assert_non_null(strstr(st->str, "c2")); @@ -798,7 +798,7 @@ test_autodel_case(void **state) FREE_TEST_VARS(st); /* check data */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit4:*"); assert_null(strstr(st->str, "c2")); assert_non_null(strstr(st->str, "l3")); FREE_TEST_VARS(st); @@ -814,7 +814,7 @@ test_autodel_case(void **state) FREE_TEST_VARS(st); /* check data */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit4:*"); assert_null(strstr(st->str, "l3")); assert_non_null(strstr(st->str, "l4")); assert_non_null(strstr(st->str, "l5")); diff --git a/tests/test_nacm.c b/tests/test_nacm.c index 9db5ea6e..2f0bc50f 100644 --- a/tests/test_nacm.c +++ b/tests/test_nacm.c @@ -265,22 +265,6 @@ setup_test_get_config(void **state) return 0; } -static void -test_get_config(void **state) -{ - struct np_test *st = *state; - const char *expected; - - /* Since reading of this node is denied it should return empty config */ - GET_CONFIG(st); - expected = - "\n" - " \n" - "\n"; - assert_string_equal(st->str, expected); - FREE_TEST_VARS(st); -} - static void test_get_config_filter(void **state) { @@ -396,7 +380,7 @@ test_filter_key_list(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/nacm-test2:*"); expected = "\n" " \n" @@ -1102,9 +1086,6 @@ main(int argc, char **argv) cmocka_unit_test_setup_teardown(test_read_default_allow_path, setup_test_read_default_allow_path, teardown_common), - cmocka_unit_test_setup_teardown(test_get_config, - setup_test_get_config, - teardown_common), cmocka_unit_test_setup_teardown(test_get_config_filter, setup_test_get_config, teardown_common), 
@@ -1132,9 +1113,6 @@ main(int argc, char **argv) cmocka_unit_test_setup_teardown(test_read_default_allow_path, setup_test_read_default_allow_path, teardown_common), - cmocka_unit_test_setup_teardown(test_get_config, - setup_test_get_config, - teardown_common), cmocka_unit_test_setup_teardown(test_get_config_filter, setup_test_get_config, teardown_common), diff --git a/tests/test_rpc.c b/tests/test_rpc.c index da03f895..1b6ac4e9 100644 --- a/tests/test_rpc.c +++ b/tests/test_rpc.c @@ -376,7 +376,7 @@ test_getconfig(void **state) } /* get-config */ - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); assert_string_equal(st->str, "\n" " \n" diff --git a/tests/test_with_defaults.c b/tests/test_with_defaults.c index 3aa19115..bc108458 100644 --- a/tests/test_with_defaults.c +++ b/tests/test_with_defaults.c @@ -71,7 +71,7 @@ test_all_nothing_set(void **state) const char *expected; /* Send RPC trying to get all including default values */ - st->rpc = nc_rpc_getconfig(NC_DATASTORE_RUNNING, NULL, NC_WD_ALL, NC_PARAMTYPE_CONST); + st->rpc = nc_rpc_getconfig(NC_DATASTORE_RUNNING, "/defaults1:*", NC_WD_ALL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(NC_MSG_RPC, st->msgtype); st->msgtype = nc_recv_reply(st->nc_sess, st->rpc, st->msgid, 2000, &st->envp, &st->op); @@ -163,7 +163,7 @@ test_all_non_default_set(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_ALL); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_ALL, "/defaults1:*"); expected = "\n" @@ -186,7 +186,7 @@ test_all_tag_non_default_set(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_ALL_TAG); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_ALL_TAG, "/defaults1:*"); expected = "\n" 
@@ -210,7 +210,7 @@ test_trim_non_default_set(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_TRIM); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_TRIM, "/defaults1:*"); expected = "\n" @@ -232,7 +232,7 @@ test_explicit_non_default_set(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_TRIM); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_TRIM, "/defaults1:*"); expected = "\n" @@ -254,7 +254,7 @@ test_all_set_all(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_ALL); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_ALL, "/defaults1:*"); expected = "\n" @@ -277,7 +277,7 @@ test_all_tag_set_all(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_ALL_TAG); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_ALL_TAG, "/defaults1:*"); expected = "\n" @@ -300,7 +300,7 @@ test_trim_set_all(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_TRIM); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_TRIM, "/defaults1:*"); expected = "\n" @@ -323,7 +323,7 @@ test_explicit_all_set(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_EXPLICIT); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_EXPLICIT, "/defaults1:*"); expected = "\n" @@ -346,7 +346,7 @@ test_explicit_all_set_default(void **state) struct np_test *st = *state; const char *expected; - GET_CONFIG_WD(st, NC_WD_EXPLICIT); + GET_CONFIG_DS_WD_FILTER(st, NC_DATASTORE_RUNNING, NC_WD_EXPLICIT, "/defaults1:*"); expected = "\n" diff --git a/tests/test_yang_push.c b/tests/test_yang_push.c index 2ed86326..89fa4d63 100644 --- a/tests/test_yang_push.c +++ b/tests/test_yang_push.c 
@@ -123,7 +123,7 @@ test_periodic_basic(void **state) char *ntf; /* establish periodic push */ - st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", NULL, NULL, NULL, 10, NULL, NC_PARAMTYPE_CONST); + st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", "/edit1:*", NULL, NULL, 10, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); ASSERT_OK_SUB_NTF(st); @@ -336,7 +336,7 @@ test_periodic_anchor_time(void **state) char *ntf; /* Establish periodic push with anchor-time */ - st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", NULL, NULL, NULL, 10, + st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", "/edit1:*", NULL, NULL, 10, "1970-01-01T01:00:00+01:00", NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); @@ -686,7 +686,7 @@ test_sync_on_start(void **state) char *ntf; /* Establish on-change push with sync on start */ - st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", NULL, NULL, NULL, 0, 1, + st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", "/edit1:*", NULL, NULL, 0, 1, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); @@ -728,7 +728,7 @@ test_sync_on_start_non_empty(void **state) char *ntf; /* Establish on-change push with sync on start */ - st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", NULL, NULL, NULL, 0, 1, + st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", "/edit1:*", NULL, NULL, 0, 1, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); 
@@ -758,7 +758,7 @@ test_resync(void **state) char *ntf; /* Establish on-change push */ - st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", NULL, NULL, NULL, 0, 0, + st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", "/edit1:*", NULL, NULL, 0, 0, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); @@ -796,7 +796,7 @@ test_resync_id_reset(void **state) char *ntf; /* Establish on-change push */ - st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", NULL, NULL, NULL, 0, 0, + st->rpc = nc_rpc_establishpush_onchange("ietf-datastores:running", "/edit1:*", NULL, NULL, 0, 0, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); diff --git a/tests/test_yang_push_advanced.c b/tests/test_yang_push_advanced.c index d2f08386..8a8c46a2 100644 --- a/tests/test_yang_push_advanced.c +++ b/tests/test_yang_push_advanced.c @@ -317,7 +317,7 @@ test_periodic_modify_filter(void **state) char *ntf; /* Establish periodic push */ - st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", NULL, NULL, NULL, 25, NULL, NC_PARAMTYPE_CONST); + st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", "/edit2:*", NULL, NULL, 25, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); ASSERT_OK_SUB_NTF(st); @@ -367,7 +367,7 @@ test_periodic_modify_period(void **state) char *ntf; /* Establish periodic push */ - st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", NULL, NULL, NULL, 50, NULL, NC_PARAMTYPE_CONST); + st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", "/edit1:*", NULL, NULL, 50, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); ASSERT_OK_SUB_NTF(st); 
@@ -416,7 +416,7 @@ test_periodic_deletesub(void **state) char *ntf; /* Establish periodic push */ - st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", NULL, NULL, NULL, 50, NULL, NC_PARAMTYPE_CONST); + st->rpc = nc_rpc_establishpush_periodic("ietf-datastores:running", "/edit1:*", NULL, NULL, 50, NULL, NC_PARAMTYPE_CONST); st->msgtype = nc_send_rpc(st->nc_sess, st->rpc, 1000, &st->msgid); assert_int_equal(st->msgtype, NC_MSG_RPC); ASSERT_OK_SUB_NTF(st); From 7e4d7e1eab04ee514bbf4bab8a36e2d82e868b3f Mon Sep 17 00:00:00 2001 From: Roytak Date: Wed, 27 Sep 2023 11:33:01 +0200 Subject: [PATCH 11/23] scripts UPDATE install ln2 modules and refactor --- CMakeLists.txt | 25 +++++++-- scripts/common.sh | 94 +++++++++++++++++++++++++++++++++ scripts/merge_config.sh | 41 ++++++++------- scripts/merge_hostkey.sh | 44 +++++++--------- scripts/remove.sh | 87 ++++++++++++------------------- scripts/setup.sh | 110 +++++++++++++-------------------------- 6 files changed, 227 insertions(+), 174 deletions(-) create mode 100644 scripts/common.sh diff --git a/CMakeLists.txt b/CMakeLists.txt index 6ff11ff5..c3c32c6e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -86,6 +86,7 @@ set(SCRIPT_DIR "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATADIR}/netopeer2" CACH option(INSTALL_MODULES "Install required modules into sysrepo" ON) option(GENERATE_HOSTKEY "Generate a new RSA host key in the keystore named \"genkey\"" ON) option(MERGE_LISTEN_CONFIG "Merge default server configuration for listening on all IPv4 interfaces" ON) +option(MERGE_AUTH_CONFIG "Merge public keys from authorized_keys into the server configuration" OFF) set(MODULES_PERMS 600 CACHE STRING "File access permissions set for all the server modules") if(NOT MODULES_OWNER) execute_process(COMMAND id -un RESULT_VARIABLE RET 
@@ -361,6 +362,7 @@ if(INSTALL_MODULES) set(ENV{NP2_MODULE_PERMS} \"${MODULES_PERMS}\") set(ENV{NP2_MODULE_OWNER} \"${MODULES_OWNER}\") set(ENV{NP2_MODULE_GROUP} \"${MODULES_GROUP}\") + set(ENV{NP2_SCRIPTS_DIR} \"${SCRIPT_DIR}\") set(ENV{LN2_MODULE_DIR} \"${LN2_YANG_MODULE_DIR}\") set(ENV{SYSREPOCTL_EXECUTABLE} \"${SYSREPOCTL_EXECUTABLE}\") set(ENV{SYSREPOCFG_EXECUTABLE} \"${SYSREPOCFG_EXECUTABLE}\") @@ -372,11 +374,13 @@ if(INSTALL_MODULES) else() message(WARNING "Server will refuse to start if the modules are not installed!") endif() + if(GENERATE_HOSTKEY) install(CODE " message(STATUS \"Generating a new RSA host key \\\"genkey\\\" if not already added...\") set(ENV{SYSREPOCTL_EXECUTABLE} \"${SYSREPOCTL_EXECUTABLE}\") set(ENV{SYSREPOCFG_EXECUTABLE} \"${SYSREPOCFG_EXECUTABLE}\") + set(ENV{NP2_SCRIPTS_DIR} \"${SCRIPT_DIR}\") execute_process(COMMAND \"\$ENV{DESTDIR}${SCRIPT_DIR}/merge_hostkey.sh\" RESULT_VARIABLE MERGE_HOSTKEY_RES) if(NOT MERGE_HOSTKEY_RES EQUAL \"0\") message(FATAL_ERROR \" scripts/merge_hostkey.sh failed: \${MERGE_HOSTKEY_RES}\") 
@@ -388,12 +392,25 @@ if(MERGE_LISTEN_CONFIG) message(STATUS \"Merging default server listen configuration if there is none...\") set(ENV{SYSREPOCTL_EXECUTABLE} \"${SYSREPOCTL_EXECUTABLE}\") set(ENV{SYSREPOCFG_EXECUTABLE} \"${SYSREPOCFG_EXECUTABLE}\") + set(ENV{NP2_SCRIPTS_DIR} \"${SCRIPT_DIR}\") execute_process(COMMAND \"\$ENV{DESTDIR}${SCRIPT_DIR}/merge_config.sh\" RESULT_VARIABLE MERGE_CONFIG_RES) if(NOT MERGE_CONFIG_RES EQUAL \"0\") message(FATAL_ERROR \" scripts/merge_config.sh failed: \${MERGE_CONFIG_RES}\") endif() ") endif() +if(MERGE_AUTH_CONFIG) + install(CODE " + message(STATUS \"Merging authorized keys into the server configuration...\") + set(ENV{SYSREPOCTL_EXECUTABLE} \"${SYSREPOCTL_EXECUTABLE}\") + set(ENV{SYSREPOCFG_EXECUTABLE} \"${SYSREPOCFG_EXECUTABLE}\") + set(ENV{NP2_SCRIPTS_DIR} \"${SCRIPT_DIR}\") + execute_process(COMMAND \"\$ENV{DESTDIR}${SCRIPT_DIR}/merge_auth_config.sh\" RESULT_VARIABLE MERGE_AUTH_CONFIG_RES) + if(NOT MERGE_AUTH_CONFIG_RES EQUAL \"0\") + message(FATAL_ERROR \" scripts/merge_auth_config.sh failed: \${MERGE_AUTH_CONFIG_RES}\") + endif() + ") +endif() # tests if(ENABLE_TESTS) @@ -421,6 +438,8 @@ add_custom_target(cleancache ) # uninstall -add_custom_target(uninstall ${SCRIPT_DIR}/remove.sh - COMMAND "${CMAKE_COMMAND}" -P "${CMAKE_MODULE_PATH}/uninstall.cmake" - COMMENT "Removing netopeer2 modules from sysrepo...") +add_custom_target(uninstall + COMMAND ${CMAKE_COMMAND} -E env "NP2_SCRIPTS_DIR=${SCRIPT_DIR}" ${SCRIPT_DIR}/remove.sh + COMMAND ${CMAKE_COMMAND} -P ${CMAKE_MODULE_PATH}/uninstall.cmake + COMMENT "Removing netopeer2 modules from sysrepo..." +) diff --git a/scripts/common.sh b/scripts/common.sh new file mode 100644 index 00000000..ec773875 --- /dev/null +++ b/scripts/common.sh 
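Review bot: The new MERGE_AUTH_CONFIG block executes `${SCRIPT_DIR}/merge_auth_config.sh` at install time, but no such script is part of this patch — the diffstat lists only common.sh, merge_config.sh, merge_hostkey.sh, remove.sh and setup.sh — so enabling the option makes the install step stop with the FATAL_ERROR unless a later patch in the series adds the file. Either add the script in this commit or introduce the option together with it. The option description ("Merge public keys from authorized_keys") also does not say whose authorized_keys is read or which server account the keys are attached to; since this decides who can authenticate to the server after install, state it in the option text, e.g. `option(MERGE_AUTH_CONFIG "Merge the invoking user's ~/.ssh/authorized_keys into the server configuration as that user's SSH public keys" OFF)` once the script's actual behaviour is known.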
@@ -0,0 +1,94 @@
+# common.sh - contains common functions and variables for the scripts
+
+# arrays of modules to (un)install
+NP2_MODULES=(
+"ietf-interfaces@2018-02-20.yang"
+"ietf-ip@2018-02-22.yang"
+"ietf-netconf@2013-09-29.yang -e writable-running -e candidate -e rollback-on-error -e validate -e startup -e url -e xpath -e confirmed-commit"
+"ietf-netconf-nmda@2019-01-07.yang -e origin -e with-defaults"
+"notifications@2008-07-14.yang"
+"nc-notifications@2008-07-14.yang"
+"ietf-netconf-monitoring@2010-10-04.yang"
+"ietf-network-instance@2019-01-21.yang"
+"ietf-subscribed-notifications@2019-09-09.yang -e encode-xml -e replay -e subtree -e xpath"
+"ietf-yang-push@2019-09-09.yang -e on-change"
+)
+
+LN2_MODULES=(
+"iana-ssh-encryption-algs@2022-06-16.yang"
+"iana-ssh-key-exchange-algs@2022-06-16.yang"
+"iana-ssh-mac-algs@2022-06-16.yang"
+"iana-ssh-public-key-algs@2022-06-16.yang"
+"iana-tls-cipher-suite-algs@2022-06-16.yang"
+"ietf-x509-cert-to-name@2014-12-10.yang"
+"iana-crypt-hash@2014-04-04.yang -e crypt-hash-md5 -e crypt-hash-sha-256 -e crypt-hash-sha-512"
+"ietf-crypto-types@2023-04-17.yang -e cleartext-passwords -e cleartext-private-keys"
+"ietf-keystore@2023-04-17.yang -e central-keystore-supported -e inline-definitions-supported -e asymmetric-keys"
+"ietf-truststore@2023-04-17.yang -e central-truststore-supported -e inline-definitions-supported -e certificates -e public-keys"
+"ietf-tcp-common@2023-04-17.yang -e keepalives-supported"
+"ietf-tcp-server@2023-04-17.yang -e tcp-server-keepalives"
+"ietf-tcp-client@2023-04-17.yang -e local-binding-supported -e tcp-client-keepalives"
+"ietf-ssh-common@2023-04-17.yang -e transport-params"
+"ietf-ssh-server@2023-04-17.yang -e local-users-supported -e local-user-auth-publickey -e local-user-auth-password -e local-user-auth-none"
+"ietf-tls-common@2023-04-17.yang -e tls10 -e tls11 -e tls12 -e tls13 -e hello-params"
+"ietf-tls-server@2023-04-17.yang -e server-ident-x509-cert -e client-auth-supported -e client-auth-x509-cert"
+"ietf-netconf-server@2023-04-17.yang -e ssh-listen -e tls-listen -e ssh-call-home -e tls-call-home -e central-netconf-server-supported"
+"libnetconf2-netconf-server@2023-09-07.yang"
+)
+
+# get path to the sysrepocfg executable
+function SYSREPOCFG_GET_PATH() {
+    if [ -n "$SYSREPOCFG_EXECUTABLE" ]; then
+        # from env
+        SYSREPOCFG="$SYSREPOCFG_EXECUTABLE"
+    elif [ $(id -u) -eq 0 ] && [ -n "$USER" ] && [ $(command -v su) ]; then
+        # running as root, avoid problems with sudo PATH
+        SYSREPOCFG=$(su -c 'command -v sysrepocfg' -l "$USER")
+    else
+        # normal user
+        SYSREPOCFG=$(command -v sysrepocfg)
+    fi
+
+    if [ -z "$SYSREPOCFG" ]; then
+        echo "$0: Unable to find sysrepocfg executable." >&2
+        exit 1
+    fi
+}
+
+# get path to the sysrepoctl executable
+function SYSREPOCTL_GET_PATH() {
+    if [ -n "$SYSREPOCTL_EXECUTABLE" ]; then
+        # from env
+        SYSREPOCTL="$SYSREPOCTL_EXECUTABLE"
+    elif [ $(id -u) -eq 0 ] && [ -n "$USER" ] && [ $(command -v su) ]; then
+        # running as root, avoid problems with sudo PATH
+        SYSREPOCTL=$(su -c 'command -v sysrepoctl' -l "$USER")
+    else
+        # normal user
+        SYSREPOCTL=$(command -v sysrepoctl)
+    fi
+
+    if [ -z "$SYSREPOCTL" ]; then
+        echo "$0: Unable to find sysrepoctl executable." >&2
+        exit 1
+    fi
+}
+
+# get path to the openssl executable
+function OPENSSL_GET_PATH() {
+    if [ -n "$OPENSSL_EXECUTABLE" ]; then
+        # from env
+        OPENSSL="$OPENSSL_EXECUTABLE"
+    elif [ $(id -u) -eq 0 ] && [ -n "$USER" ] && [ $(command -v su) ]; then
+        # running as root, avoid problems with sudo PATH
+        OPENSSL=$(su -c 'command -v openssl' -l "$USER")
+    else
+        # normal user
+        OPENSSL=$(command -v openssl)
+    fi
+
+    if [ -z "$OPENSSL" ]; then
+        echo "$0: Unable to find sysrepoctl executable." >&2
+        exit 1
+    fi
+}
diff --git a/scripts/merge_config.sh b/scripts/merge_config.sh
index adceb745..6469e376 100755
--- a/scripts/merge_config.sh
+++ b/scripts/merge_config.sh
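Review bot: The failure message in OPENSSL_GET_PATH reports `Unable to find sysrepoctl executable.` although it is openssl that could not be located — a copy-paste slip from SYSREPOCTL_GET_PATH; change it to `echo "$0: Unable to find openssl executable." >&2`. Because common.sh is sourced and each helper ends in `exit 1`, a failed lookup terminates the calling script rather than returning; that is the intended contract for merge_config.sh/merge_hostkey.sh/remove.sh, so say so in the header comment, e.g. `# the *_GET_PATH helpers exit the sourcing script on failure`. LN2_MODULES also enables `local-user-auth-none` on ietf-ssh-server, while nothing else in this patch configures the "none" authentication method; if a consumer of the server configuration needs it, a comment saying which one would save the next reviewer from asking, and if not, it is safer left disabled so the datastore cannot be configured to accept it.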
@@ -2,24 +2,27 @@ set -e -# optional env variable override -if [ -n "$SYSREPOCFG_EXECUTABLE" ]; then - SYSREPOCFG="$SYSREPOCFG_EXECUTABLE" -# avoid problems with sudo PATH -elif [ `id -u` -eq 0 ] && [ -n "$USER" ] && [ `command -v su` ]; then - SYSREPOCFG=`su -c 'command -v sysrepocfg' -l $USER` -else - SYSREPOCFG=`command -v sysrepocfg` +if [ -z "$NP2_SCRIPTS_DIR" ]; then + echo "$0: Required environment variable NP2_SCRIPTS_DIR not set." >&2 + exit 1 fi -KS_KEY_NAME=genkey + +# import functions +source "${NP2_SCRIPTS_DIR}/common.sh" + +# get path to sysrepocfg executable, this will be stored in $SYSREPOCFG +SYSREPOCFG_GET_PATH # check that there is no listen/Call Home configuration yet -SERVER_CONFIG=`$SYSREPOCFG -X -x "/ietf-netconf-server:netconf-server/listen/endpoint[1]/name | /ietf-netconf-server:netconf-server/call-home/netconf-client[1]/name"` -if [ -z "$SERVER_CONFIG" ]; then +SERVER_CONFIG=$($SYSREPOCFG -X -x "/ietf-netconf-server:netconf-server/listen/endpoint | /ietf-netconf-server:netconf-server/call-home/netconf-client") +if [ -n "$SERVER_CONFIG" ]; then + # the server is configured, just exit + exit 0 +fi -# get the user who invoked the script and his password, use it to create an SSH user in the default config +# get the user who invoked the script and his password hash, use it to create an SSH user in the default config CURRENT_USER="$SUDO_USER" -CURRENT_USER_PASSWORD=$(awk -v user="$CURRENT_USER" -F':' '$1 == user {print $2}' /etc/shadow) +CURRENT_USER_PW_HASH=$(awk -v user="$CURRENT_USER" -F':' '$1 == user {print $2}' /etc/shadow) # import default config CONFIG=" @@ -40,15 +43,15 @@ CONFIG=" default-key - $KS_KEY_NAME + genkey - $CURRENT_USER - $CURRENT_USER_PASSWORD + ${CURRENT_USER} + ${CURRENT_USER_PW_HASH} 
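Review bot: `CURRENT_USER="$SUDO_USER"` is empty when the script is not invoked through sudo (a plain root shell during install, for example), the awk lookup then matches nothing and `CURRENT_USER_PW_HASH` is empty too, yet `set -e` does not stop the script and it goes on to merge a user entry with an empty name and empty password hash into the startup datastore. Add a guard before CONFIG is built: `if [ -z "$CURRENT_USER" ] || [ -z "$CURRENT_USER_PW_HASH" ]; then echo "$0: unable to determine the invoking user or its password hash." >&2; exit 1; fi` — the same check also surfaces an unreadable /etc/shadow as an empty hash. Since the hash from /etc/shadow is copied verbatim into the sysrepo startup and running datastores, a comment next to the awk line noting that the datastore files then carry shadow-equivalent sensitivity would help whoever sets their permissions.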
@@ -59,7 +62,5 @@ CONFIG="" # apply it to startup and running -echo "$CONFIG" | $SYSREPOCFG --edit -d startup -f xml -m ietf-netconf-server -v2 -$SYSREPOCFG -C startup -m ietf-netconf-server -v2 - -fi +echo "$CONFIG" | "$SYSREPOCFG" --edit -d startup -f xml -m ietf-netconf-server -v2 +"$SYSREPOCFG" -C startup -m ietf-netconf-server -v2 diff --git a/scripts/merge_hostkey.sh b/scripts/merge_hostkey.sh index 5aef8ad1..c7928028 100755 --- a/scripts/merge_hostkey.sh +++ b/scripts/merge_hostkey.sh 
@@ -2,32 +2,28 @@ set -e -# optional env variable override -if [ -n "$SYSREPOCFG_EXECUTABLE" ]; then - SYSREPOCFG="$SYSREPOCFG_EXECUTABLE" -# avoid problems with sudo PATH -elif [ `id -u` -eq 0 ] && [ -n "$USER" ] && [ `command -v su` ]; then - SYSREPOCFG=`su -c 'command -v sysrepocfg' -l $USER` -else - SYSREPOCFG=`command -v sysrepocfg` +if [ -z "$NP2_SCRIPTS_DIR" ]; then + echo "$0: Required environment variable NP2_SCRIPTS_DIR not set." >&2 + exit 1 fi -if [ -n "$OPENSSL_EXECUTABLE" ]; then - OPENSSL="$OPENSSL_EXECUTABLE" -elif [ `id -u` -eq 0 ] && [ -n "$USER" ] && [ `command -v su` ]; then - OPENSSL=`su -c 'command -v openssl' -l $USER` -else - OPENSSL=`command -v openssl` -fi +# import functions +source "${NP2_SCRIPTS_DIR}/common.sh" + +# get path to sysrepocfg and openssl executables, these will be stored in $SYSREPOCFG and $OPENSSL, respectively +SYSREPOCFG_GET_PATH +OPENSSL_GET_PATH -# check that there is no SSH key with this name yet -KEYSTORE_KEY=`$SYSREPOCFG -X -x "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='genkey']/name"` -if [ -z "$KEYSTORE_KEY" ]; then +# check that there is no SSH key with this name yet, if so just exit +KEYSTORE_KEY=$($SYSREPOCFG -X -x "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='genkey']") +if [ -n "$KEYSTORE_KEY" ]; then + exit 0 +fi # generate a new key -PRIVPEM=`$OPENSSL genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM 2>/dev/null` +PRIVPEM=$($OPENSSL genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM 2>/dev/null) # remove header/footer and newlines -PRIVKEY=`echo "$PRIVPEM" | grep -v -- "-----" | tr -d "\n"` +PRIVKEY=$(echo "$PRIVPEM" | grep -v -- "-----" | tr -d "\n") # generate edit config CONFIG=" 
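Review bot: `KEYSTORE_KEY=$($SYSREPOCFG -X -x ...)` and `PRIVPEM=$($OPENSSL genpkey ...)` expand the tool paths unquoted while the edit/copy lines at the end of the file use `"$SYSREPOCFG"`; the same inconsistency is in merge_config.sh. Quote them the same way, `KEYSTORE_KEY=$("$SYSREPOCFG" -X -x "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='genkey']")` and `PRIVPEM=$("$OPENSSL" genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM)`, so an executable path from the environment is passed as one word. The `2>/dev/null` on genpkey discards openssl's diagnostic, so when key generation fails the script aborts under `set -e` without saying why; dropping the redirect, or printing a message before exiting, makes install failures debuggable.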
@@ -36,13 +32,11 @@ CONFIG=" genkey ct:ssh-public-key-format ct:rsa-private-key-format - $PRIVKEY + ${PRIVKEY} " # apply it to startup and running -echo "$CONFIG" | $SYSREPOCFG --edit -d startup -f xml -m ietf-keystore -v2 -$SYSREPOCFG -C startup -m ietf-keystore -v2 - -fi +echo "$CONFIG" | "$SYSREPOCFG" --edit -d startup -f xml -m ietf-keystore -v2 +"$SYSREPOCFG" -C startup -m ietf-keystore -v2 diff --git a/scripts/remove.sh b/scripts/remove.sh index 42d45a69..8774781a 100755 --- a/scripts/remove.sh +++ b/scripts/remove.sh 
@@ -1,46 +1,22 @@ #!/usr/bin/env bash -# {% raw %} - jinja2 command to not process "{#" in the script -# optional env variable override -if [ -n "$SYSREPOCTL_EXECUTABLE" ]; then - SYSREPOCTL="$SYSREPOCTL_EXECUTABLE" -# avoid problems with sudo PATH -elif [ `id -u` -eq 0 ] && [ -n "$USER" ] && [ `command -v su` ]; then - SYSREPOCTL=`su -c 'command -v sysrepoctl' -l $USER` -else - SYSREPOCTL=`command -v sysrepoctl` +if [ -z "$NP2_SCRIPTS_DIR" ]; then + echo "$0: Required environment variable NP2_SCRIPTS_DIR not set." >&2 + exit 1 fi -# array of modules to remove, exact same as setup.sh -MODULES=( -"ietf-netconf@2013-09-29.yang -e writable-running -e candidate -e rollback-on-error -e validate -e startup -e url -e xpath -e confirmed-commit" -"ietf-netconf-monitoring@2010-10-04.yang" -"ietf-netconf-nmda@2019-01-07.yang -e origin -e with-defaults" -"nc-notifications@2008-07-14.yang" -"notifications@2008-07-14.yang" -"ietf-x509-cert-to-name@2014-12-10.yang" -"ietf-crypto-types@2019-07-02.yang" -"ietf-keystore@2019-07-02.yang -e keystore-supported" -"ietf-truststore@2019-07-02.yang -e truststore-supported -e x509-certificates" -"ietf-tcp-common@2019-07-02.yang -e keepalives-supported" -"ietf-ssh-server@2019-07-02.yang -e local-client-auth-supported" -"ietf-tls-server@2019-07-02.yang -e local-client-auth-supported" -"ietf-netconf-server@2019-07-02.yang -e ssh-listen -e tls-listen -e ssh-call-home -e tls-call-home" -"ietf-interfaces@2018-02-20.yang" -"ietf-ip@2018-02-22.yang" -"ietf-network-instance@2019-01-21.yang" -"ietf-subscribed-notifications@2019-09-09.yang -e encode-xml -e replay -e subtree -e xpath" -"ietf-yang-push@2019-09-09.yang -e on-change" -) +# import functions and modules arrays +source "${NP2_SCRIPTS_DIR}/common.sh" -CMD_UNINSTALL= +# get path to sysrepoctl executable, this will be stored in $SYSREPOCTL +SYSREPOCTL_GET_PATH # functions -UNINSTALL_MODULE_QUIET() { +function UNINSTALL_MODULE_QUIET() { "$SYSREPOCTL" -u $1 &> /dev/null } -DISABLE_FEATURE() { 
+function DISABLE_FEATURE() { "$SYSREPOCTL" -c $1 -d $2 -v2 local rc=$? if [ $rc -ne 0 ]; then @@ -48,7 +24,7 @@ DISABLE_FEATURE() { fi } -DISABLE_MODULE_FEATURES() { +function DISABLE_MODULE_FEATURES() { name=$1 sctl_module=$2 module=$3 @@ -70,26 +46,31 @@ DISABLE_MODULE_FEATURES() { done } -# get current modules -SCTL_MODULES=`$SYSREPOCTL -l` -MODULES_LEN=${#MODULES[@]} -for (( i = 0; i < $MODULES_LEN; i++ )); do - # backwards iteration to avoid module dependencies - module=${MODULES[$MODULES_LEN - ($i + 1)]} - name=`echo "$module" | sed 's/\([^@]*\).*/\1/'` +function UNINSTALL_CMD() { + modules=("$@") + nmodules=${#modules[@]} + for (( i = 0; i < $nmodules; i++ )); do + module=${modules[$nmodules - ($i + 1)]} + name=$(echo "$module" | sed 's/\([^@]*\).*/\1/') - SCTL_MODULE=`echo "$SCTL_MODULES" | grep "^$name \+|[^|]*| I"` - if [ -n "$SCTL_MODULE" ]; then - if [ "$name" = "ietf-netconf" ]; then - # internal module, we can only disable features - DISABLE_MODULE_FEATURES $name "$SCTL_MODULE" "$module" - else - # uninstall module and ignore the result, there may be new modules depending on this one - UNINSTALL_MODULE_QUIET "$name" + sctl_module=$(echo "$SCTL_MODULES" | grep "^$name \+|[^|]*| I") + if [ -n "$sctl_module" ]; then + if [ "$name" = "ietf-netconf" ]; then + # internal module, we can only disable features + DISABLE_MODULE_FEATURES $name "$sctl_module" "$module" + else + # uninstall module and ignore the result, there may be new modules depending on this one + UNINSTALL_MODULE_QUIET "$name" + fi + continue fi - continue - fi -done + done +} + +# get current modules +SCTL_MODULES=`$SYSREPOCTL -l` -# {% endraw %} +# uninstall np2 and ln2 modules +UNINSTALL_CMD "${NP2_MODULES[@]}" +UNINSTALL_CMD "${LN2_MODULES[@]}" diff --git a/scripts/setup.sh b/scripts/setup.sh index fe087400..56be917c 100755 --- a/scripts/setup.sh +++ b/scripts/setup.sh 
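Review bot: `SCTL_MODULES=\`$SYSREPOCTL -l\`` keeps the backtick form and the unquoted expansion that the rest of this hunk replaces with `$(...)` and `"$SYSREPOCTL"`; make it `SCTL_MODULES=$("$SYSREPOCTL" -l)`. The same line is re-added in setup.sh (hunk `@@ -107,61 +67,65 @@`). Inside `UNINSTALL_CMD`, `modules`, `nmodules`, `module`, `name` and `sctl_module` are not declared `local`, so the two calls and the helper functions share and overwrite them, and the `continue` at the end of the `if` is a no-op because it is the last statement of the loop body. `DISABLE_MODULE_FEATURES $name "$sctl_module" "$module"` should quote `"$name"` like its sibling arguments.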
@@ -1,21 +1,17 @@ #!/usr/bin/env bash -# env variables NP2_MODULE_DIR, NP2_MODULE_PERMS and LN2_MODULE_DIR must be defined and NP2_MODULE_OWNER, NP2_MODULE_GROUP will be used if -# defined when executing this script! -if [ -z "$NP2_MODULE_DIR" -o -z "$NP2_MODULE_PERMS" -o -z "$LN2_MODULE_DIR" ]; then +# env variables NP2_MODULE_DIR, NP2_MODULE_PERMS, LN2_MODULE_DIR and NP2_SCRIPTS_DIR must be defined +# and NP2_MODULE_OWNER, NP2_MODULE_GROUP will be used if defined when executing this script! +if [ -z "$NP2_MODULE_DIR" -o -z "$NP2_MODULE_PERMS" -o -z "$LN2_MODULE_DIR" -o -z "$NP2_SCRIPTS_DIR" ]; then echo "Required environment variables not defined!" exit 1 fi -# optional env variable override -if [ -n "$SYSREPOCTL_EXECUTABLE" ]; then - SYSREPOCTL="$SYSREPOCTL_EXECUTABLE" -# avoid problems with sudo PATH -elif [ `id -u` -eq 0 ] && [ -n "$USER" ] && [ `command -v su` ]; then - SYSREPOCTL=`su -c 'command -v sysrepoctl' -l $USER` -else - SYSREPOCTL=`command -v sysrepoctl` -fi +# import functions and modules arrays +source "${NP2_SCRIPTS_DIR}/common.sh" + +# get path to sysrepoctl executable, this will be stored in $SYSREPOCTL +SYSREPOCTL_GET_PATH NP2_MODDIR=${DESTDIR}${NP2_MODULE_DIR} LN2_MODDIR=${DESTDIR}${LN2_MODULE_DIR} 
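Review bot: the extended check `if [ -z "$NP2_MODULE_DIR" -o -z "$NP2_MODULE_PERMS" -o -z "$LN2_MODULE_DIR" -o -z "$NP2_SCRIPTS_DIR" ]` relies on the obsolescent `-o` operator of `test`, whose result with more than four arguments is unspecified by POSIX; `if [ -z "$NP2_MODULE_DIR" ] || [ -z "$NP2_MODULE_PERMS" ] || [ -z "$LN2_MODULE_DIR" ] || [ -z "$NP2_SCRIPTS_DIR" ]; then` is well defined. The error message goes to stdout and names no variable, unlike the `echo "$0: Required environment variable NP2_SCRIPTS_DIR not set." >&2` used in the other scripts of this commit; `echo "$0: Required environment variables not defined!" >&2` would match them.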
@@ -23,45 +19,8 @@ PERMS=${NP2_MODULE_PERMS} OWNER=${NP2_MODULE_OWNER} GROUP=${NP2_MODULE_GROUP} -# arrays of modules to install -NP2_MODULES=( -"ietf-netconf@2013-09-29.yang -e writable-running -e candidate -e rollback-on-error -e validate -e startup -e url -e xpath -e confirmed-commit" -"ietf-netconf-monitoring@2010-10-04.yang" -"ietf-netconf-nmda@2019-01-07.yang -e origin -e with-defaults" -"nc-notifications@2008-07-14.yang" -"notifications@2008-07-14.yang" -"ietf-interfaces@2018-02-20.yang" -"ietf-ip@2018-02-22.yang" -"ietf-subscribed-notifications@2019-09-09.yang -e encode-xml -e replay -e subtree -e xpath" -"ietf-yang-push@2019-09-09.yang -e on-change" -) - -LN2_MODULES=( -"iana-ssh-encryption-algs@2022-06-16.yang" -"iana-ssh-key-exchange-algs@2022-06-16.yang" -"iana-ssh-mac-algs@2022-06-16.yang" -"iana-ssh-public-key-algs@2022-06-16.yang" -"iana-tls-cipher-suite-algs@2022-06-16.yang" -"ietf-x509-cert-to-name@2014-12-10.yang" -"iana-crypt-hash@2014-04-04.yang -e crypt-hash-md5 -e crypt-hash-sha-256 -e crypt-hash-sha-512" -"ietf-crypto-types@2023-04-17.yang -e cleartext-passwords -e cleartext-private-keys" -"ietf-keystore@2023-04-17.yang -e central-keystore-supported -e inline-definitions-supported -e asymmetric-keys" -"ietf-truststore@2023-04-17.yang -e central-truststore-supported -e inline-definitions-supported -e certificates -e public-keys" -"ietf-tcp-common@2023-04-17.yang -e keepalives-supported" -"ietf-tcp-server@2023-04-17.yang -e tcp-server-keepalives" -"ietf-tcp-client@2023-04-17.yang -e local-binding-supported -e tcp-client-keepalives" -"ietf-ssh-common@2023-04-17.yang -e transport-params" -"ietf-ssh-server@2023-04-17.yang -e local-users-supported -e local-user-auth-publickey -e local-user-auth-password -e local-user-auth-none" -"ietf-tls-common@2023-04-17.yang -e tls10 -e tls11 -e tls12 -e tls13 -e hello-params" -"ietf-tls-server@2023-04-17.yang -e server-ident-x509-cert -e client-auth-supported -e client-auth-x509-cert" 
-"ietf-netconf-server@2023-04-17.yang -e ssh-listen -e tls-listen -e ssh-call-home -e tls-call-home -e central-netconf-server-supported" -"libnetconf2-netconf-server@2023-09-07.yang" -) - -CMD_INSTALL= - # functions -INSTALL_MODULE_CMD() { +function INSTALL_MODULE_CMD() { if [ -z "${CMD_INSTALL}" ]; then CMD_INSTALL="'$SYSREPOCTL' -s '$1' -v2" fi @@ -75,16 +34,16 @@ INSTALL_MODULE_CMD() { fi } -UPDATE_MODULE() { +function UPDATE_MODULE() { CMD="'$SYSREPOCTL' -U $1/$2 -s '$1' -v2" - eval $CMD + eval "$CMD" local rc=$? if [ $rc -ne 0 ]; then exit $rc fi } -CHANGE_PERMS() { +function CHANGE_PERMS() { CMD="'$SYSREPOCTL' -c $1 -p '$PERMS' -v2" if [ ! -z "${OWNER}" ]; then CMD="$CMD -o '$OWNER'" @@ -92,14 +51,15 @@ CHANGE_PERMS() { if [ ! -z "${GROUP}" ]; then CMD="$CMD -g '$GROUP'" fi - eval $CMD + + eval "$CMD" local rc=$? if [ $rc -ne 0 ]; then exit $rc fi } -ENABLE_FEATURE() { +function ENABLE_FEATURE() { "$SYSREPOCTL" -c $1 -e $2 -v2 local rc=$? if [ $rc -ne 0 ]; then 
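Review bot: quoting `eval "$CMD"` only changes how the built string is handed to eval; `CMD` itself still interpolates `$1`, `$2`, `$PERMS`, `$OWNER` and `$GROUP` into single-quoted segments, so a value containing `'` terminates the quoting and the remainder is parsed as shell, and a value containing whitespace depends on those quotes to stay one argument. None of the eval is needed: the argument list can be built as an array and executed directly, which keeps every value a single argument regardless of content. `UPDATE_MODULE` then becomes the single line `"$SYSREPOCTL" -U "$1/$2" -s "$1" -v2`, `CHANGE_PERMS` (whose body continues in the next hunk `@@ -92,14 +51,15 @@`) is rewritten below, and `INSTALL_MODULE_CMD` in the hunk above accumulates `CMD_INSTALL` the same way for an eval site outside this diff and would need the same treatment.
```bash
function UPDATE_MODULE() {
    "$SYSREPOCTL" -U "$1/$2" -s "$1" -v2
    # … unchanged: rc check and exit …
}

function CHANGE_PERMS() {
    CMD=("$SYSREPOCTL" -c "$1" -p "$PERMS" -v2)
    if [ -n "${OWNER}" ]; then
        CMD+=(-o "$OWNER")
    fi
    if [ -n "${GROUP}" ]; then
        CMD+=(-g "$GROUP")
    fi

    "${CMD[@]}"
    # … unchanged: rc check and exit …
}
```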
@@ -107,61 +67,65 @@ ENABLE_FEATURE() { fi } -# get current modules -SCTL_MODULES=`$SYSREPOCTL -l` - -SETUP_CMD() { +function SETUP_CMD() { module_dir="$1" # first argument - module directory shift # shift all args to the left modules=("$@") # the rest of the arguments are module names (and their features) for i in "${modules[@]}"; do - name=`echo "$i" | sed 's/\([^@]*\).*/\1/'` - SCTL_MODULE=`echo "$SCTL_MODULES" | grep "^$name \+|[^|]*| I"` - if [ -z "$SCTL_MODULE" ]; then + name=$(echo "$i" | sed 's/\([^@]*\).*/\1/') + sctl_module=$(echo "$SCTL_MODULES" | grep "^$name \+|[^|]*| I") + if [ -z "$sctl_module" ]; then # prepare command to install module with all its features INSTALL_MODULE_CMD "$module_dir" "$i" continue fi - sctl_revision=`echo "$SCTL_MODULE" | sed 's/[^|]*| \([^ ]*\).*/\1/'` - revision=`echo "$i" | sed 's/[^@]*@\([^\.]*\).*/\1/'` + sctl_revision=$(echo "$sctl_module" | sed 's/[^|]*| \([^ ]*\).*/\1/') + revision=$(echo "$i" | sed 's/[^@]*@\([^\.]*\).*/\1/') if [ "$sctl_revision" \< "$revision" ]; then # update module without any features - file=`echo "$i" | cut -d' ' -f 1` + file=$(echo "$i" | cut -d' ' -f 1) UPDATE_MODULE "$module_dir" "$file" fi - sctl_owner=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{3\} \([^:]*\).*/\2/'` - sctl_group=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{3\}[^:]*:\([^ ]*\).*/\2/'` - sctl_perms=`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{4\} \([^ ]*\).*/\2/'` + sctl_owner=$(echo "$sctl_module" | sed 's/\([^|]*|\)\{3\} \([^:]*\).*/\2/') + sctl_group=$(echo "$sctl_module" | sed 's/\([^|]*|\)\{3\}[^:]*:\([^ ]*\).*/\2/') + sctl_perms=$(echo "$sctl_module" | sed 's/\([^|]*|\)\{4\} \([^ ]*\).*/\2/') if [ "$sctl_perms" != "$PERMS" ] || [ ! -z "${OWNER}" -a "$sctl_owner" != "$OWNER" ] || [ ! 
-z "${GROUP}" -a "$sctl_group" != "$GROUP" ]; then # change permissions/owner CHANGE_PERMS "$name" fi # parse sysrepoctl features and add extra space at the end for easier matching - sctl_features="`echo "$SCTL_MODULE" | sed 's/\([^|]*|\)\{6\}\(.*\)/\2/'` " + sctl_features="`echo "$sctl_module" | sed 's/\([^|]*|\)\{6\}\(.*\)/\2/'` " # parse features we want to enable - features=`echo "$i" | sed 's/[^ ]* \(.*\)/\1/'` + features=$(echo "$i" | sed 's/[^ ]* \(.*\)/\1/') while [ "${features:0:3}" = "-e " ]; do # skip "-e " features=${features:3} # parse feature - feature=`echo "$features" | sed 's/\([^[:space:]]*\).*/\1/'` + feature=$(echo "$features" | sed 's/\([^[:space:]]*\).*/\1/') # enable feature if not already - sctl_feature=`echo "$sctl_features" | grep " ${feature} "` + sctl_feature=$(echo "$sctl_features" | grep " ${feature} ") if [ -z "$sctl_feature" ]; then # enable feature ENABLE_FEATURE $name $feature fi # next iteration, skip this feature - features=`echo "$features" | sed 's/[^[:space:]]* \(.*\)/\1/'` + features=$(echo "$features" | sed 's/[^[:space:]]* \(.*\)/\1/') done done } +# get current modules +SCTL_MODULES=`$SYSREPOCTL -l` + +# the install command will be stored in this variable +CMD_INSTALL= + +# setup the cmd for install, modules are listed in common.sh SETUP_CMD "$NP2_MODDIR" "${NP2_MODULES[@]}" SETUP_CMD "$LN2_MODDIR" "${LN2_MODULES[@]}" From 4ddf28695cbb339e5174c315423937cc987eefa1 Mon Sep 17 00:00:00 2001 From: Roytak Date: Wed, 27 Sep 2023 11:33:49 +0200 Subject: [PATCH 12/23] scripts UPDATE add authorized_keys/pw auth in script --- CMakeLists.txt | 19 +++------------- scripts/merge_config.sh | 48 ++++++++++++++++++++++++++++++++++++++--- 2 files changed, 48 insertions(+), 19 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index c3c32c6e..2855c28f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
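Review bot: the modified `sctl_features="\`echo "$sctl_module" | sed ...\` "` line keeps backticks while every other substitution in this hunk was converted to `$(...)`; backticks nested inside double quotes that contain their own double quotes are hard to read and are parsed differently across shells, so `sctl_features="$(echo "$sctl_module" | sed 's/\([^|]*|\)\{6\}\(.*\)/\2/') "` is the consistent form. `ENABLE_FEATURE $name $feature` passes both arguments unquoted while the rest of the loop quotes them. `SCTL_MODULES` is read inside `SETUP_CMD` but assigned only after the function definition, at the bottom of the file; that works because both `SETUP_CMD` calls follow the assignment, and a comment above the function such as `# reads $SCTL_MODULES, which is set before the calls below` would make the ordering dependency visible.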
@@ -86,7 +86,6 @@ set(SCRIPT_DIR "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATADIR}/netopeer2" CACH option(INSTALL_MODULES "Install required modules into sysrepo" ON) option(GENERATE_HOSTKEY "Generate a new RSA host key in the keystore named \"genkey\"" ON) option(MERGE_LISTEN_CONFIG "Merge default server configuration for listening on all IPv4 interfaces" ON) -option(MERGE_AUTH_CONFIG "Merge public keys from authorized_keys into the server configuration" OFF) set(MODULES_PERMS 600 CACHE STRING "File access permissions set for all the server modules") if(NOT MODULES_OWNER) execute_process(COMMAND id -un RESULT_VARIABLE RET @@ -164,7 +163,7 @@ find_package(PkgConfig REQUIRED) pkg_check_modules(PKG_LN2 REQUIRED libnetconf2) # libnetconf2 thread count check -pkg_get_variable(LN2_THREAD_COUNT libnetconf2 LN2_MAX_THREAD_COUNT) +pkg_get_variable(LN2_THREAD_COUNT libnetconf2 "LN2_MAX_THREAD_COUNT") if(LN2_THREAD_COUNT) if(LN2_THREAD_COUNT LESS THREAD_COUNT) message(FATAL_ERROR "libnetconf2 was compiled with support up to ${LN2_THREAD_COUNT} threads, server is configured with ${THREAD_COUNT}.") @@ -176,14 +175,14 @@ else() endif() # get libnetconf2 module directory, use it later when installing modules -pkg_get_variable(LN2_YANG_MODULE_DIR libnetconf2 LN2_SCHEMAS_DIR) +pkg_get_variable(LN2_YANG_MODULE_DIR libnetconf2 "LN2_SCHEMAS_DIR") if(NOT LN2_YANG_MODULE_DIR) message(FATAL_ERROR "Unable to learn libnetconf2 module search directory.") endif() # find sysrepo pkg and get sysrepo group pkg_check_modules(PKG_SR REQUIRED sysrepo) -pkg_get_variable(SR_GROUP sysrepo SR_GROUP) +pkg_get_variable(SR_GROUP sysrepo "SR_GROUP") # } PKGCONFIG 
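Review bot: with `MERGE_AUTH_CONFIG` removed, the remaining context line `option(MERGE_LISTEN_CONFIG "Merge default server configuration for listening on all IPv4 interfaces" ON)` no longer describes everything the merge does: if `merge_config.sh` is the script run under `MERGE_LISTEN_CONFIG`, the merge_config.sh hunk of this same commit has it also create an SSH user for `$SUDO_USER`, authenticated either by the keys in that user's `~/.ssh/authorized_keys` or by the password hash read from /etc/shadow. Because that grants the installing user NETCONF access by default, the option text should say so, e.g. `option(MERGE_LISTEN_CONFIG "Merge default server configuration: listen on all IPv4 interfaces and add an SSH user for the invoking user (authorized_keys or password hash)" ON)`.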
@@ -399,18 +398,6 @@ if(MERGE_LISTEN_CONFIG) endif() ") endif() -if(MERGE_AUTH_CONFIG) - install(CODE " - message(STATUS \"Merging authorized keys into the server configuration...\") - set(ENV{SYSREPOCTL_EXECUTABLE} \"${SYSREPOCTL_EXECUTABLE}\") - set(ENV{SYSREPOCFG_EXECUTABLE} \"${SYSREPOCFG_EXECUTABLE}\") - set(ENV{NP2_SCRIPTS_DIR} \"${SCRIPT_DIR}\") - execute_process(COMMAND \"\$ENV{DESTDIR}${SCRIPT_DIR}/merge_auth_config.sh\" RESULT_VARIABLE MERGE_AUTH_CONFIG_RES) - if(NOT MERGE_AUTH_CONFIG_RES EQUAL \"0\") - message(FATAL_ERROR \" scripts/merge_auth_config.sh failed: \${MERGE_AUTH_CONFIG_RES}\") - endif() - ") -endif() # tests if(ENABLE_TESTS) diff --git a/scripts/merge_config.sh b/scripts/merge_config.sh index 6469e376..8a4bd4a7 100755 --- a/scripts/merge_config.sh +++ b/scripts/merge_config.sh 
@@ -20,9 +20,51 @@ if [ -n "$SERVER_CONFIG" ]; then exit 0 fi -# get the user who invoked the script and his password hash, use it to create an SSH user in the default config +# get the user who invoked the script CURRENT_USER="$SUDO_USER" -CURRENT_USER_PW_HASH=$(awk -v user="$CURRENT_USER" -F':' '$1 == user {print $2}' /etc/shadow) +# get his home dir +CURRENT_USER_HOME=$(eval echo "~$CURRENT_USER") +# try to get his authorized_keys file +AUTHORIZED_KEYS_FILE="$CURRENT_USER_HOME/.ssh/authorized_keys" +# check if the authorized keys file exists +if [ -f "$AUTHORIZED_KEYS_FILE" ]; then + # it exists, create public keys that are authorized in the server's configuration + AUTH_CONFIG=" + + " + + IDX=0 +# read lines from authorized_keys + while IFS= read -r LINE; do + # check if the line is empty or starts with a comment (#) + if [[ -n "$LINE" && ! "$LINE" =~ ^\s*# ]]; then + # extract the base64 public key + PUB_BASE64=$(echo "$LINE" | awk '{print $2}') + + NEW_PUBKEY_ENTRY=" + authorized_key_${IDX} + ct:ssh-public-key-format + ${PUB_BASE64} + " + # append + AUTH_CONFIG="${AUTH_CONFIG}${NEW_PUBKEY_ENTRY}" + IDX=$((IDX + 1)) + fi + done < "$AUTHORIZED_KEYS_FILE" + + # append the ending tags + AUTH_CONFIG="${AUTH_CONFIG} + + " + + echo "Added user \"${CURRENT_USER}\" that can authenticate with a key pair from his authorized_keys to the server configuration..." +else + # authorized_keys doesn't exist, get the user's pw hash from /etc/shadow and use that for authentication + CURRENT_USER_PW_HASH=$(awk -v user="$CURRENT_USER" -F':' '$1 == user {print $2}' /etc/shadow) + AUTH_CONFIG="${CURRENT_USER_PW_HASH}" + + echo "Added user \"${CURRENT_USER}\" that can authenticate with his password to the server configuration..." +fi # import default config CONFIG=" @@ -51,7 +93,7 @@ CONFIG=" ${CURRENT_USER} - ${CURRENT_USER_PW_HASH} + ${AUTH_CONFIG} From 3eb6e97609fc19100589bce354ef544c1a22ee50 Mon Sep 17 00:00:00 2001 
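Review bot: `CURRENT_USER_HOME=$(eval echo "~$CURRENT_USER")` runs `eval` on a value taken from the environment (`SUDO_USER`); this script runs as root at install time, when it is not started through sudo that variable is whatever the caller's environment holds and so can carry shell syntax that `eval` executes, and when it is empty `~` expands to root's home so root's authorized_keys become the credentials of a user with an empty name. Resolve the home directory without `eval` and refuse to continue without a user: `if [ -z "$CURRENT_USER" ]; then echo "$0: SUDO_USER not set." >&2; exit 1; fi` followed by `CURRENT_USER_HOME=$(getent passwd "$CURRENT_USER" | cut -d: -f6)`. The extraction `PUB_BASE64=$(echo "$LINE" | awk '{print $2}')` assumes every entry is `type key [comment]`; an authorized_keys entry with an options prefix (`from=`, `command=`, …) has the key type in field 2, so such an entry is imported as an unusable key and the restriction its options expressed is silently dropped — locate the key-type token and take the field after it, or skip lines whose first field is not a key type. The `\s` inside `[[ "$LINE" =~ ^\s*# ]]` is a GNU regex extension; `^[[:space:]]*#` is portable.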
From: Roytak Date: Wed, 11 Oct 2023 09:59:41 +0200 Subject: [PATCH 13/23] server UPDATE remove netconf_server.c/h --- CMakeLists.txt | 5 -- src/main.c | 39 +++++++-- src/netconf_server.c | 187 ------------------------------------------- src/netconf_server.h | 47 ----------- 4 files changed, 33 insertions(+), 245 deletions(-) delete mode 100644 src/netconf_server.c delete mode 100644 src/netconf_server.h diff --git a/CMakeLists.txt b/CMakeLists.txt index 2855c28f..825673a4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -239,11 +239,6 @@ include_directories(${LIBNETCONF2_INCLUDE_DIRS}) list(APPEND CMAKE_REQUIRED_INCLUDES ${LIBNETCONF2_INCLUDE_DIRS}) list(APPEND CMAKE_REQUIRED_LIBRARIES ${LIBNETCONF2_LIBRARIES}) -# SSH and TLS enabled -if(LIBNETCONF2_ENABLED_SSH_TLS) - list(APPEND SERVER_SRC src/netconf_server.c) -endif() - # link compat use_compat() diff --git a/src/main.c b/src/main.c index 0e543d72..91c26c1d 100644 --- a/src/main.c +++ b/src/main.c @@ -43,7 +43,6 @@ #include "netconf_confirmed_commit.h" #include "netconf_monitoring.h" #include "netconf_nmda.h" -#include "netconf_server.h" #include "netconf_subscribed_notifications.h" #include "yang_push.h" @@ -611,11 +610,6 @@ server_init(void) /* set libnetconf2 global PRC callback */ nc_set_global_rpc_clb(np2srv_rpc_cb); -#ifdef NC_ENABLED_SSH_TLS - /* set libnetconf2 SSH pubkey auth callback */ - nc_server_ssh_set_pubkey_auth_clb(np2srv_pubkey_auth_cb, NULL, NULL); -#endif - /* restore a previous confirmed commit if restore file exists */ ncc_try_restore(); 
@@ -725,6 +719,39 @@ server_open_pidfile(const char *pidfile) return 0; } +/** + * @brief Callback for handling netconf-server, ietf-keystore and ietf-truststore data changes. + * + * The diff is given to libnetconf2, which then handles the changes. + * + * @param session sysrepo session. + * @param[in] sub_id Subscription identifier. + * @param[in] module_name Module's name. + * @param[in] xpath XPath. + * @param[in] event Event. + * @param[in] request_id Request identifier. + * @param private_data Private data. + * + * @return SR_ERR_OK on success, on error any other value. + */ +static int +np2srv_libnetconf2_config_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), + const char *UNUSED(xpath), sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) +{ + int rc = 0; + const struct lyd_node *diff = NULL; + + /* get diff and apply it */ + diff = sr_get_change_diff(session); + rc = nc_server_config_setup_diff(diff); + if (rc) { + ERR("Configuring NETCONF server failed."); + return rc; + } + + return SR_ERR_OK; +} + /** * @brief Subscribe to all the handled RPCs of the server. * diff --git a/src/netconf_server.c b/src/netconf_server.c deleted file mode 100644 index 91ba6761..00000000 --- a/src/netconf_server.c +++ /dev/null 
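Review bot: `return rc;` hands the libnetconf2 status of `nc_server_config_setup_diff()` straight back to sysrepo as the callback result, but sysrepo interprets that value as an `sr_error_t`; unless libnetconf2 is documented to return sysrepo codes, return `SR_ERR_CALLBACK_FAILED` there and keep `rc` for the log line, `ERR("Configuring NETCONF server failed (%d).", rc);`. The callback also ignores `event`: if the subscription (made outside this hunk) is not created with `SR_SUBSCR_DONE_ONLY`, the same diff is applied on `SR_EV_CHANGE` and again on `SR_EV_DONE`, and nothing here reverts the server state on `SR_EV_ABORT`, so the intended event should be checked explicitly. Whether `sr_get_change_diff()` can return NULL and what `nc_server_config_setup_diff(NULL)` does is not visible in the diff; an explicit `if (!diff) { return SR_ERR_OK; }` would make the contract clear. The function is moved verbatim from the deleted netconf_server.c, so these points apply to the old version as well.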
@@ -1,187 +0,0 @@ -/** - * @file netconf_server.c - * @author Michal Vasko - * @brief ietf-netconf-server callbacks - * - * @copyright - * Copyright (c) 2019 - 2021 Deutsche Telekom AG. - * Copyright (c) 2017 - 2021 CESNET, z.s.p.o. - * - * This source code is licensed under BSD 3-Clause License (the "License"). - * You may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://opensource.org/licenses/BSD-3-Clause - */ - -#define _GNU_SOURCE /* asprintf() */ - -#include "netconf_server.h" - -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include - -#include "common.h" -#include "compat.h" -#include "log.h" - -int -np2srv_libnetconf2_config_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name), - const char *UNUSED(xpath), sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data)) -{ - int rc = 0; - const struct lyd_node *diff = NULL; - - /* get diff and apply it */ - diff = sr_get_change_diff(session); - rc = nc_server_config_setup_diff(diff); - if (rc) { - ERR("Configuring NETCONF server failed."); - return rc; - } - - return SR_ERR_OK; -} - -#ifdef NC_ENABLED_SSH_TLS - -static int -np2srv_validate_posix_username(const char *username) -{ - /* use POSIX username definition - * https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_437 */ - - /* not empty */ - if (strlen(username) == 0) { - return -1; - } - - /* no hyphen as first char */ - if (username[0] == '-') { - return -1; - } - - /* check for Portable Filename Character Set */ - for (unsigned long i = 0; i < strlen(username); i++) { - if (!(isalnum(username[i]) || (username[i] == '.') || (username[i] == '_') || (username[i] == '-'))) { - return -1; - } - } - - return 0; -} - -int -np2srv_pubkey_auth_cb(const struct nc_session *session, ssh_key key, void *UNUSED(user_data)) -{ - FILE *f = NULL; - struct passwd *pwd; - 
ssh_key pub_key = NULL; - enum ssh_keytypes_e ktype; - const char *username; - char *line = NULL, *ptr, *ptr2; - size_t n; - int r, ret = 1, line_num = 0; - - username = nc_session_get_username(session); - - errno = 0; - pwd = getpwnam(username); - - if (!NP2SRV_SSH_AUTHORIZED_KEYS_ARG_IS_USERNAME && !pwd) { - ERR("Failed to find user entry for \"%s\" (%s).", username, errno ? strerror(errno) : "User not found"); - goto cleanup; - } - - if (!pwd && np2srv_validate_posix_username(username)) { - ERR("The username \"%s\" is not a valid posix username.", username); - goto cleanup; - } - - /* check any authorized keys */ - r = asprintf(&line, NP2SRV_SSH_AUTHORIZED_KEYS_PATTERN, NP2SRV_SSH_AUTHORIZED_KEYS_ARG_IS_USERNAME ? username : pwd->pw_dir); - if (r == -1) { - EMEM; - line = NULL; - goto cleanup; - } - n = r; - - f = fopen(line, "r"); - if (!f) { - if (errno == ENOENT) { - VRB("User \"%s\" has no authorized_keys file.", username); - } else { - ERR("Failed to open \"%s\" authorized_keys file (%s).", line, strerror(errno)); - } - goto cleanup; - } - - while (getline(&line, &n, f) > -1) { - ++line_num; - - /* separate key type */ - ptr = line; - for (ptr2 = ptr; !isspace(ptr2[0]); ++ptr2) {} - if (ptr2[0] == '\0') { - WRN("Invalid authorized key format of \"%s\" (line %d).", username, line_num); - continue; - } - ptr2[0] = '\0'; - - /* detect key type */ - ktype = ssh_key_type_from_name(ptr); - if (ktype == SSH_KEYTYPE_UNKNOWN) { - WRN("Unknown key type \"%s\" (line %d).", ptr, line_num); - continue; - } - - /* separate key data */ - ptr = ptr2 + 1; - for (ptr2 = ptr; !isspace(ptr2[0]); ++ptr2) {} - ptr2[0] = '\0'; - - r = ssh_pki_import_pubkey_base64(ptr, ktype, &pub_key); - if (r != SSH_OK) { - WRN("Failed to import authorized key of \"%s\" (%s, line %d).", - username, r == SSH_EOF ? 
"Unexpected end-of-file" : "SSH error", line_num); - continue; - } - - /* compare public keys */ - if (!ssh_key_cmp(key, pub_key, SSH_KEY_CMP_PUBLIC)) { - /* key matches */ - ret = 0; - goto cleanup; - } - - /* not a match, next key */ - ssh_key_free(pub_key); - pub_key = NULL; - } - if (!feof(f)) { - WRN("Failed reading from authorized_keys file of \"%s\".", username); - goto cleanup; - } - - /* no match */ - -cleanup: - if (f) { - fclose(f); - } - free(line); - ssh_key_free(pub_key); - return ret; -} - -#endif /* NC_ENABLED_SSH_TLS */ diff --git a/src/netconf_server.h b/src/netconf_server.h deleted file mode 100644 index df46ac04..00000000 --- a/src/netconf_server.h +++ /dev/null 
@@ -1,47 +0,0 @@ -/** - * @file netconf_server.h - * @author Michal Vasko - * @brief ietf-netconf-server callbacks header - * - * @copyright - * Copyright (c) 2019 - 2021 Deutsche Telekom AG. - * Copyright (c) 2017 - 2021 CESNET, z.s.p.o. - * - * This source code is licensed under BSD 3-Clause License (the "License"). - * You may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://opensource.org/licenses/BSD-3-Clause - */ - -#ifndef NP2SRV_NETCONF_SERVER_H_ -#define NP2SRV_NETCONF_SERVER_H_ - -#include -#include - -/** - * @brief Callback for handling netconf-server, ietf-keystore and ietf-truststore data changes. - * - * The diff is given to libnetconf2, which then handles the changes. - * - * @param session sysrepo session. - * @param[in] sub_id Subscription identifier. - * @param[in] module_name Module's name. - * @param[in] xpath XPath. - * @param[in] event Event. - * @param[in] request_id Request identifier. - * @param private_data Private data. - * - * @return SR_ERR_OK on success, on error any other value. - */ -int np2srv_libnetconf2_config_cb(sr_session_ctx_t *session, uint32_t sub_id, const char *module_name, const char *xpath, - sr_event_t event, uint32_t request_id, void *private_data); - -#ifdef NC_ENABLED_SSH_TLS - -int np2srv_pubkey_auth_cb(const struct nc_session *session, ssh_key key, void *user_data); - -#endif /* NC_ENABLED_SSH_TLS */ - -#endif /* NP2SRV_NETCONF_SERVER_H_ */ From 9f0c4d83833b8ff8317525e1dca4ab6754fa82a1 Mon Sep 17 00:00:00 2001 
From: roman Date: Thu, 2 Nov 2023 10:37:31 +0100 Subject: [PATCH 14/23] config UPDATE update example data to new models --- example_configuration/ssh_callhome.xml | 6 +--- example_configuration/tls_callhome.xml | 37 ++++++++++++++---------- example_configuration/tls_keystore.xml | 7 +++-- example_configuration/tls_listen.xml | 37 ++++++++++++++---------- example_configuration/tls_truststore.xml | 30 ++++++++++--------- src/common.c | 2 +- src/common.h | 3 +- src/main.c | 7 +++-- 8 files changed, 73 insertions(+), 56 deletions(-) diff --git a/example_configuration/ssh_callhome.xml b/example_configuration/ssh_callhome.xml index b30794bc..876ccaed 100644 --- a/example_configuration/ssh_callhome.xml +++ b/example_configuration/ssh_callhome.xml @@ -24,11 +24,7 @@ - - - - - + default-ssh diff --git a/example_configuration/tls_callhome.xml b/example_configuration/tls_callhome.xml index 312fe0f8..9b910bcc 100644 --- a/example_configuration/tls_callhome.xml +++ b/example_configuration/tls_callhome.xml @@ -16,25 +16,32 @@ - - serverkey - servercert - + + + serverkey + servercert + + - - cacerts - clientcerts - - - 1 - 02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74 - x509c2n:specified - tls-test - - + + cacerts + + + eecerts + + + + + 1 + 02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74 + x509c2n:specified + tls-test + + + diff --git a/example_configuration/tls_keystore.xml b/example_configuration/tls_keystore.xml index add1877e..bd97e4ed 100644 --- a/example_configuration/tls_keystore.xml +++ b/example_configuration/tls_keystore.xml 
@@ -2,13 +2,14 @@ serverkey - rsa2048 + ct:subject-public-key-info-format MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3VrgFBOc/kZOADDFEs3dhktPJyB+EPkRSD1EnTDtlsrR0wG7HgAA+gdoEwbb2cqJxYH5hhUec0alDQ4l7PUe9ycw6L99ZsJsRTAAlcD0JhpgPngAuX24NVqQDv7Cg5Yx3BOS+Q0pO6GGyuOv2DczQ9BLYPAUAldaAIaa424YaJJ4oUNbS76FwqTs+WDaWtkqQRAqPa/9zg4hbiyCQpTbPNesU5GcTuWQpuuWpw1ZqXRKwJ92kYRNGCUYntJYwSdKnhukkEHYxMYVdfwaG3xFmPCDKy5OVBJmwuzWZC7KHrCK7yTzGZ7/izAWb+3JzhwYqhzq/ZF17eZWC/JDyUkBLwIDAQAB - MIIEogIBAAKCAQEA3VrgFBOc/kZOADDFEs3dhktPJyB+EPkRSD1EnTDtlsrR0wG7HgAA+gdoEwbb2cqJxYH5hhUec0alDQ4l7PUe9ycw6L99ZsJsRTAAlcD0JhpgPngAuX24NVqQDv7Cg5Yx3BOS+Q0pO6GGyuOv2DczQ9BLYPAUAldaAIaa424YaJJ4oUNbS76FwqTs+WDaWtkqQRAqPa/9zg4hbiyCQpTbPNesU5GcTuWQpuuWpw1ZqXRKwJ92kYRNGCUYntJYwSdKnhukkEHYxMYVdfwaG3xFmPCDKy5OVBJmwuzWZC7KHrCK7yTzGZ7/izAWb+3JzhwYqhzq/ZF17eZWC/JDyUkBLwIDAQABAoIBAHWhVFD290fc/ph1UlUi12UFYkPNrZDBeyCjhnHuTWQD1itG0TQpFlvIUdNCotSDIGG4J2zMjkj+MrnUWe0pedInnoMhN7fC/BxsXPM3/ca934Vy6heoqpqXzNRbJ+0bhNWKBWGaT94jgWkSRCEnfHO+HkCedFOmLer3nRndKNVwe+bHoXqnsXdOflc3mb71/BM/qfJI3GZBDTZaodTsS2LkuW4DTSNkxGqfZ0Bu1LyYm4mQ50/3nej9ILoT/ejnd17SPNpoBNnEyVJbExrk9pEoFPPKxQ3rCve7FE7y+ILmB4BdiSZm5lOyyJl1Y2Had6fZDubaNKACNWHMkdJ1GokCgYEA8dV97LUZbtgpMyKdzvAfSCXmGyRtucp2FXy5/9UXYU8MXMcOgbMpyrZLbfEwk0YMxKOw8nI4gCaSvIJb0Pek/agjaXIajoYvVIOhvDEq3+2JeT0eQh+9ue5bVOq65FHorDyRV64wwEucBN5CTCaEHdtEJY5WFkOzbrXVipjQxBsCgYEA6lJIm/Yzn92GQw/44XweoWtATtBwDDMvlWWQ8I7U5Rl6ZItPAGuaMmzDolAZjlRPoEPmxPpLKXYgCahkNnfPuuMgI8wA/65uZAqKfOuiGoIyj9oObJ/xb2zI3s4V8EwtfUE+lgg4D29/Cy33V9G6gHgl+CHjT00AZuvHTBsfwH0CgYAJyTXbSkjJL34bT59LLHRXmxEAsCywg/zbSbzNGXZkvaomZvezT+i1B0NuI4BvtTn3Cxix9uVKakUt06ibgCnxCcjFD5T7h3qK1PjKgMLXZOlXOp3q1xX6XCbd/NGrQ5VCwwCup6HZZjXeDJBqPHTEMIdFbckWBY9RP5JwlVZ9WQKBgCy/8iX26v0I7W85SaqmbaMePHXQ0NVDoT7C2t9WJ8ppBzrUcA4Afr5Kj0IcUgUgjORqk1PjCR+t84hkpF7SmtVyMt0jRL2Prn1klfYtehPd8ZIPbtnH4fAJsoL6kK4HnlhhcXZts2cfP//+k1IuN5P5Xib5MdQfPIhrVvBt7a5xAoGAH59S+aygEEIVf5pO8QmqQUpe3WbbuDvlAx3agP2jkeH5A7ZlxFpH7VJSGAoPIsX+nlixUH1P3Esw9ch7ByJ/JRFUX5+G5coTBQj+PAkyGKtmBmnBFxZ
ydMpTdRMyDrKNKpeMZv7yn05YwnbZdS74L49mkY3pFrjRMDH1ltBxobk= + ct:rsa-private-key-format + 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 servercert - 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 + 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 diff --git a/example_configuration/tls_listen.xml b/example_configuration/tls_listen.xml index 8317e987..d0d6d893 100644 --- a/example_configuration/tls_listen.xml +++ b/example_configuration/tls_listen.xml @@ -13,25 +13,32 @@ - - serverkey - servercert - + + + serverkey + servercert + + - - cacerts - clientcerts - - - 1 - 02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74 - x509c2n:specified - tls-test - - + + cacerts + + + eecerts + + + + + 1 + 02:20:E1:AD:CC:92:71:E9:EA:6A:85:DF:A7:FF:8C:BB:B9:D5:E4:EE:74 + x509c2n:specified + tls-test + + + diff --git a/example_configuration/tls_truststore.xml b/example_configuration/tls_truststore.xml index de132389..7d59c0f8 100644 --- a/example_configuration/tls_truststore.xml +++ b/example_configuration/tls_truststore.xml @@ -1,16 +1,18 @@ - - clientcerts - - clientcert - 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 - - - - cacerts - - cacert - 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 - - + + + eecerts + + eecert + 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 + + + + cacerts + + cacert + 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 + + + diff --git a/src/common.c b/src/common.c index 0ae12e46..6e1ba156 100644 --- a/src/common.c +++ b/src/common.c @@ -384,7 +384,7 @@ np2srv_release_ctx_cb(void *cb_data) } int -np2srv_new_session_cb(const char *UNUSED(client_name), struct nc_session *new_session) +np2srv_new_session_cb(const char *UNUSED(client_name), struct nc_session *new_session, void *UNUSED(user_data)) { int c; sr_val_t *event_data; diff --git a/src/common.h b/src/common.h index c00a4987..62287826 100644 --- a/src/common.h +++ b/src/common.h 
@@ -235,10 +235,11 @@ void np2srv_release_ctx_cb(void *cb_data);
  *
  * @param[in] client_name CH client name, unused.
  * @param[in] new_session Created NC session.
+ * @param[in] user_data Arbitrary data, unused.
  * @return 0 on success;
  * @return -1 on error.
  */
-int np2srv_new_session_cb(const char *client_name, struct nc_session *new_session);
+int np2srv_new_session_cb(const char *client_name, struct nc_session *new_session, void *user_data);
 
 /**
  * @brief Set URL capability to be advertised for new NETCONF sessions.
diff --git a/src/main.c b/src/main.c
index 91c26c1d..d56b2bf6 100644
--- a/src/main.c
+++ b/src/main.c
@@ -598,6 +598,9 @@ server_init(void)
     /* set with-defaults capability basic-mode */
     nc_server_set_capab_withdefaults(NC_WD_EXPLICIT, NC_WD_ALL | NC_WD_ALL_TAG | NC_WD_TRIM | NC_WD_EXPLICIT);
 
+    /* set ln2 call home call backs and data */
+    nc_server_ch_set_dispatch_data(np2srv_acquire_ctx_cb, np2srv_release_ctx_cb, np2srv.sr_conn, np2srv_new_session_cb, NULL);
+
     /* set capabilities for the NETCONF Notifications */
     nc_server_set_capability("urn:ietf:params:netconf:capability:notification:1.0");
     nc_server_set_capability("urn:ietf:params:netconf:capability:interleave:1.0");
@@ -917,7 +920,7 @@ server_accept_session(void)
     /* accept session */
     msgtype = nc_accept(0, ly_ctx, &ncs);
 
-    if ((msgtype == NC_MSG_HELLO) && !np2srv_new_session_cb(NULL, ncs)) {
+    if ((msgtype == NC_MSG_HELLO) && !np2srv_new_session_cb(NULL, ncs, NULL)) {
         /* callback success, keep the session with the context lock */
         return;
     }
@@ -983,7 +986,7 @@ worker_thread(void *arg)
     VRB("Session %d: thread %d event new SSH channel.", nc_session_get_id(ncs), idx);
     msgtype = nc_session_accept_ssh_channel(ncs, &ncs);
     if (msgtype == NC_MSG_HELLO) {
-        if (np2srv_new_session_cb(NULL, ncs)) {
+        if (np2srv_new_session_cb(NULL, ncs, NULL)) {
             nc_session_free(ncs, NULL);
             continue;
         }
From 28fc82aea9c3df102cc1508b2c5682d7f27a5c9a Mon Sep 17 00:00:00 2001
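Review bot: The status returned by `nc_server_ch_set_dispatch_data(...)` in the `server_init` hunk is discarded, so if registration fails the server keeps starting and Call Home sessions would later be dispatched without the context-acquire/release and new-session callbacks this line is meant to install. Assuming the function reports failure like the other libnetconf2 setup calls, check it: `if (nc_server_ch_set_dispatch_data(np2srv_acquire_ctx_cb, np2srv_release_ctx_cb, np2srv.sr_conn, np2srv_new_session_cb, NULL)) { goto error; }`, provided `server_init` still has an `error` label in this version — the rest of the function lies outside the hunk. The comment above it would also read better as `/* set ln2 Call Home callbacks and data */`.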
From: roman Date: Thu, 2 Nov 2023 12:28:37 +0100 Subject: [PATCH 15/23] test_url BUGFIX expect netconf-server config --- tests/test_url.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tests/test_url.c b/tests/test_url.c index 873e428b..5d6ec7ad 100644 --- a/tests/test_url.c +++ b/tests/test_url.c @@ -159,7 +159,7 @@ test_copy_config(void **state) FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" @@ -288,6 +288,10 @@ test_copy_config_into_file(void **state) " \n" " \n" " \n" + " \n" + " 60\n" + " 0\n" + " \n" "\n"; assert_int_not_equal(-1, asprintf(&expected, template, np_get_user()) == -1); @@ -415,6 +419,10 @@ test_edit_config(void **state) " \n" " \n" " \n" + " \n" + " 60\n" + " 0\n" + " \n" " \n" "\n"; From 8ed2c48d4603fc62b5b43458b258601d9dc4c09b Mon Sep 17 00:00:00 2001 From: roman Date: Thu, 2 Nov 2023 13:12:16 +0100 Subject: [PATCH 16/23] test_nacm BUGFIX add filter --- tests/test_nacm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/test_nacm.c b/tests/test_nacm.c index 2f0bc50f..fe0b98ba 100644 --- a/tests/test_nacm.c +++ b/tests/test_nacm.c @@ -573,7 +573,7 @@ test_edit_config_update(void **state) ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/edit1:*"); expected = "\n" " \n" @@ -745,7 +745,7 @@ test_edit_config_when(void **state) SEND_EDIT_RPC(st, data); ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/nacm-test1:*"); expected = "\n \n\n"; assert_string_equal(st->str, expected); FREE_TEST_VARS(st); @@ -957,7 +957,7 @@ test_commit(void **state) ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG(st); + GET_CONFIG_FILTER(st, "/nacm-test1:*"); expected = "\n" " \n" 
@@ -1013,7 +1013,7 @@ test_discard_changes(void **state) ASSERT_OK_REPLY(st); FREE_TEST_VARS(st); - GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, NULL); + GET_CONFIG_DS_FILTER(st, NC_DATASTORE_CANDIDATE, "/edit1:*"); expected = "\n" " \n" From 554a27c4b2b1a46cd93831d9e28e8a3059204bd5 Mon Sep 17 00:00:00 2001 From: roman Date: Thu, 2 Nov 2023 13:54:43 +0100 Subject: [PATCH 17/23] VERSION bump to version 2.2.0 --- CMakeLists.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 825673a4..8fd6e31f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -46,7 +46,7 @@ endif() # Generic version of not only the library. Major version is reserved for really big changes of the project, # minor version changes with added functionality (new tool, functionality of the tool or library, ...) and # micro version is changed with a set of small changes or bugfixes anywhere in the project. -set(NP2SRV_VERSION 2.1.72) +set(NP2SRV_VERSION 2.2.0) # libyang required version set(LIBYANG_DEP_VERSION 2.1.87) @@ -54,9 +54,9 @@ set(LIBYANG_DEP_SOVERSION 2.37.1) set(LIBYANG_DEP_SOVERSION_MAJOR 2) # libnetconf2 required version -set(LIBNETCONF2_DEP_VERSION 2.1.27) -set(LIBNETCONF2_DEP_SOVERSION 3.5.3) -set(LIBNETCONF2_DEP_SOVERSION_MAJOR 3) +set(LIBNETCONF2_DEP_VERSION 3.0.0) +set(LIBNETCONF2_DEP_SOVERSION 4.0.0) +set(LIBNETCONF2_DEP_SOVERSION_MAJOR 4) # sysrepo required version set(SYSREPO_DEP_VERSION 2.2.111) From 9bf0f70665d044350a1907feaa0a308592f9be8c Mon Sep 17 00:00:00 2001 From: roman Date: Thu, 2 Nov 2023 14:28:43 +0100 Subject: [PATCH 18/23] workflow UPDATE add libcurl dependency --- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 2 +- .github/workflows/devel-push.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cc435c9f..b8b01870 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -10,7 +10,7 @@ on: - devel env: - DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev + DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev libcurl4-openssl-dev jobs: git-branch: @@ -67,7 +67,7 @@ jobs: dep-build-type: "Debug", cc: "gcc", options: "", - packages: "libcurl4-openssl-dev valgrind", + packages: "valgrind", snaps: "", make-prepend: "", make-target: "" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b254e4e8..bea0cdee 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -7,7 +7,7 @@ on: branches: [ "devel" ] env: - DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev + DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev libcurl4-openssl-dev jobs: git-branch: diff --git a/.github/workflows/devel-push.yml b/.github/workflows/devel-push.yml index 9f28ab48..9cd5935e 100644 --- a/.github/workflows/devel-push.yml +++ b/.github/workflows/devel-push.yml @@ -5,7 +5,7 @@ on: - devel env: - DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev + DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev libcurl4-openssl-dev COVERITY_PROJECT: CESNET%2FNetopeer2 jobs: From ceaad4db53e7efac068070cef81a3926a7904163 Mon Sep 17 00:00:00 2001 From: roman Date: Thu, 2 Nov 2023 15:31:24 +0100 Subject: [PATCH 19/23] merge_config UPDATE emphasize creating auth users --- scripts/merge_config.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/scripts/merge_config.sh b/scripts/merge_config.sh index 8a4bd4a7..a98a8960 100755 --- a/scripts/merge_config.sh +++ b/scripts/merge_config.sh 
@@ -57,13 +57,17 @@ if [ -f "$AUTHORIZED_KEYS_FILE" ]; then " - echo "Added user \"${CURRENT_USER}\" that can authenticate with a key pair from his authorized_keys to the server configuration..." + echo "--" + echo "-- Added user \"${CURRENT_USER}\" that can authenticate with a key pair from his authorized_keys to the server configuration..." + echo "--" else # authorized_keys doesn't exist, get the user's pw hash from /etc/shadow and use that for authentication CURRENT_USER_PW_HASH=$(awk -v user="$CURRENT_USER" -F':' '$1 == user {print $2}' /etc/shadow) AUTH_CONFIG="${CURRENT_USER_PW_HASH}" - echo "Added user \"${CURRENT_USER}\" that can authenticate with his password to the server configuration..." + echo "--" + echo "-- Added user \"${CURRENT_USER}\" that can authenticate with his password to the server configuration..." + echo "--" fi # import default config From c7c43a6377351d0fa48f3ca30dbc1de71f116cf2 Mon Sep 17 00:00:00 2001 From: roman Date: Fri, 3 Nov 2023 14:01:53 +0100 Subject: [PATCH 20/23] scripts UPDATE remove NP2_SCRIPTS_DIR env var --- CMakeLists.txt | 8 ++------ CMakeModules/uninstall.cmake | 2 +- scripts/merge_config.sh | 8 ++------ scripts/merge_hostkey.sh | 8 ++------ scripts/remove.sh | 8 ++------ scripts/setup.sh | 8 +++++--- tests/np_test.c | 8 -------- 7 files changed, 14 insertions(+), 36 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 8fd6e31f..706f8b48 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -356,7 +356,6 @@ if(INSTALL_MODULES) set(ENV{NP2_MODULE_PERMS} \"${MODULES_PERMS}\") set(ENV{NP2_MODULE_OWNER} \"${MODULES_OWNER}\") set(ENV{NP2_MODULE_GROUP} \"${MODULES_GROUP}\") - set(ENV{NP2_SCRIPTS_DIR} \"${SCRIPT_DIR}\") set(ENV{LN2_MODULE_DIR} \"${LN2_YANG_MODULE_DIR}\") set(ENV{SYSREPOCTL_EXECUTABLE} \"${SYSREPOCTL_EXECUTABLE}\") set(ENV{SYSREPOCFG_EXECUTABLE} \"${SYSREPOCFG_EXECUTABLE}\") 
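Review bot: The new `-- Added user "..." that can authenticate with his password ...` message in the else branch is printed even when `CURRENT_USER_PW_HASH` is empty, which happens when the account is not in `/etc/shadow` at all (NSS/LDAP users), so the operator is told a password login was configured although no usable credential was stored. A guard before the echo keeps the message truthful: `if [ -z "$CURRENT_USER_PW_HASH" ]; then echo "$0: no password hash found for \"${CURRENT_USER}\" in /etc/shadow" >&2; exit 1; fi`. Since the hash is copied from `/etc/shadow` into the server configuration, the message could also say so, e.g. `-- Added user "${CURRENT_USER}" that can authenticate with his password (hash copied from /etc/shadow) to the server configuration...`, so operators know the credential now lives in a second place. The enclosing if/else starts before the hunk.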
@@ -374,7 +373,6 @@ if(GENERATE_HOSTKEY) message(STATUS \"Generating a new RSA host key \\\"genkey\\\" if not already added...\") set(ENV{SYSREPOCTL_EXECUTABLE} \"${SYSREPOCTL_EXECUTABLE}\") set(ENV{SYSREPOCFG_EXECUTABLE} \"${SYSREPOCFG_EXECUTABLE}\") - set(ENV{NP2_SCRIPTS_DIR} \"${SCRIPT_DIR}\") execute_process(COMMAND \"\$ENV{DESTDIR}${SCRIPT_DIR}/merge_hostkey.sh\" RESULT_VARIABLE MERGE_HOSTKEY_RES) if(NOT MERGE_HOSTKEY_RES EQUAL \"0\") message(FATAL_ERROR \" scripts/merge_hostkey.sh failed: \${MERGE_HOSTKEY_RES}\") @@ -386,7 +384,6 @@ if(MERGE_LISTEN_CONFIG) message(STATUS \"Merging default server listen configuration if there is none...\") set(ENV{SYSREPOCTL_EXECUTABLE} \"${SYSREPOCTL_EXECUTABLE}\") set(ENV{SYSREPOCFG_EXECUTABLE} \"${SYSREPOCFG_EXECUTABLE}\") - set(ENV{NP2_SCRIPTS_DIR} \"${SCRIPT_DIR}\") execute_process(COMMAND \"\$ENV{DESTDIR}${SCRIPT_DIR}/merge_config.sh\" RESULT_VARIABLE MERGE_CONFIG_RES) if(NOT MERGE_CONFIG_RES EQUAL \"0\") message(FATAL_ERROR \" scripts/merge_config.sh failed: \${MERGE_CONFIG_RES}\") @@ -420,8 +417,7 @@ add_custom_target(cleancache ) # uninstall -add_custom_target(uninstall - COMMAND ${CMAKE_COMMAND} -E env "NP2_SCRIPTS_DIR=${SCRIPT_DIR}" ${SCRIPT_DIR}/remove.sh - COMMAND ${CMAKE_COMMAND} -P ${CMAKE_MODULE_PATH}/uninstall.cmake +add_custom_target(uninstall ${SCRIPT_DIR}/remove.sh + COMMAND "${CMAKE_COMMAND}" -P "${CMAKE_MODULE_PATH}/uninstall.cmake" COMMENT "Removing netopeer2 modules from sysrepo..." ) diff --git a/CMakeModules/uninstall.cmake b/CMakeModules/uninstall.cmake index b9618a29..39a57533 100644 --- a/CMakeModules/uninstall.cmake +++ b/CMakeModules/uninstall.cmake @@ -1,4 +1,4 @@ -cmake_minimum_required(VERSION 3.0.2) +cmake_minimum_required(VERSION 3.5) set(MANIFEST "${CMAKE_CURRENT_BINARY_DIR}/install_manifest.txt") diff --git a/scripts/merge_config.sh b/scripts/merge_config.sh index a98a8960..bc624cc2 100755 --- a/scripts/merge_config.sh +++ b/scripts/merge_config.sh 
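Review bot: In the rewritten `uninstall` target in the `@@ -420,8 +417,7 @@` hunk, the first command is given in the legacy positional form `add_custom_target(uninstall ${SCRIPT_DIR}/remove.sh` and unquoted, while the second command on the next line uses the explicit `COMMAND` keyword and quotes both `${CMAKE_COMMAND}` and the module path. Writing both the same way reads more clearly and avoids `;`-splitting of the expanded path: `add_custom_target(uninstall` / `    COMMAND "${SCRIPT_DIR}/remove.sh"`.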
@@ -2,13 +2,9 @@
 
 set -e
 
-if [ -z "$NP2_SCRIPTS_DIR" ]; then
-    echo "$0: Required environment variable NP2_SCRIPTS_DIR not set." >&2
-    exit 1
-fi
-
 # import functions
-source "${NP2_SCRIPTS_DIR}/common.sh"
+script_directory=$(dirname "$0")
+source "${script_directory}/common.sh"
 
 # get path to sysrepocfg executable, this will be stored in $SYSREPOCFG
 SYSREPOCFG_GET_PATH
diff --git a/scripts/merge_hostkey.sh b/scripts/merge_hostkey.sh
index c7928028..fedc3a78 100755
--- a/scripts/merge_hostkey.sh
+++ b/scripts/merge_hostkey.sh
@@ -2,13 +2,9 @@
 
 set -e
 
-if [ -z "$NP2_SCRIPTS_DIR" ]; then
-    echo "$0: Required environment variable NP2_SCRIPTS_DIR not set." >&2
-    exit 1
-fi
-
 # import functions
-source "${NP2_SCRIPTS_DIR}/common.sh"
+script_directory=$(dirname "$0")
+source "${script_directory}/common.sh"
 
 # get path to sysrepocfg and openssl executables, these will be stored in $SYSREPOCFG and $OPENSSL, respectively
 SYSREPOCFG_GET_PATH
diff --git a/scripts/remove.sh b/scripts/remove.sh
index 8774781a..8cfbbdf4 100755
--- a/scripts/remove.sh
+++ b/scripts/remove.sh
@@ -1,12 +1,8 @@
 #!/usr/bin/env bash
 
-if [ -z "$NP2_SCRIPTS_DIR" ]; then
-    echo "$0: Required environment variable NP2_SCRIPTS_DIR not set." >&2
-    exit 1
-fi
-
 # import functions and modules arrays
-source "${NP2_SCRIPTS_DIR}/common.sh"
+script_directory=$(dirname "$0")
+source "${script_directory}/common.sh"
 
 # get path to sysrepoctl executable, this will be stored in $SYSREPOCTL
 SYSREPOCTL_GET_PATH
diff --git a/scripts/setup.sh b/scripts/setup.sh
index 56be917c..02c1b10c 100755
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
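Review bot: `script_directory=$(dirname "$0")` in merge_config.sh locates the script only when it is invoked by its real path; through a symlink `$0` names the link, so `source "${script_directory}/common.sh"` looks in the link's directory and the functions are never loaded. The same pair of lines appears in merge_hostkey.sh, remove.sh and setup.sh in this patch. Where GNU readlink is available, `script_directory=$(dirname "$(readlink -f "$0")")` resolves the link first. In remove.sh no `set -e` is visible before the `source`, so a missing common.sh would not stop the script and `SYSREPOCTL_GET_PATH` below would run as an unknown command; `source "${script_directory}/common.sh" || exit 1` covers that.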
@@ -1,14 +1,16 @@
 #!/usr/bin/env bash
 
-# env variables NP2_MODULE_DIR, NP2_MODULE_PERMS, LN2_MODULE_DIR and NP2_SCRIPTS_DIR must be defined
+# env variables NP2_MODULE_DIR, NP2_MODULE_PERMS and LN2_MODULE_DIR must be defined
 # and NP2_MODULE_OWNER, NP2_MODULE_GROUP will be used if defined when executing this script!
-if [ -z "$NP2_MODULE_DIR" -o -z "$NP2_MODULE_PERMS" -o -z "$LN2_MODULE_DIR" -o -z "$NP2_SCRIPTS_DIR" ]; then
+
+if [ -z "$NP2_MODULE_DIR" -o -z "$NP2_MODULE_PERMS" -o -z "$LN2_MODULE_DIR" ]; then
     echo "Required environment variables not defined!"
     exit 1
 fi
 
 # import functions and modules arrays
-source "${NP2_SCRIPTS_DIR}/common.sh"
+script_directory=$(dirname "$0")
+source "${script_directory}/common.sh"
 
 # get path to sysrepoctl executable, this will be stored in $SYSREPOCTL
 SYSREPOCTL_GET_PATH
diff --git a/tests/np_test.c b/tests/np_test.c
index 35f4b059..c320b012 100644
--- a/tests/np_test.c
+++ b/tests/np_test.c
@@ -155,10 +155,6 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules)
         SETUP_FAIL_LOG;
         return 1;
     }
-    if (setenv("NP2_SCRIPTS_DIR", NP_ROOT_DIR "/scripts", 1)) {
-        SETUP_FAIL_LOG;
-        return 1;
-    }
     if (setenv("LN2_MODULE_DIR", LN2_YANG_MODULE_DIR, 1)) {
         SETUP_FAIL_LOG;
         return 1;
@@ -175,10 +171,6 @@ np_glob_setup_np2(void **state, const char *test_name, const char **modules)
         SETUP_FAIL_LOG;
         return 1;
     }
-    if (unsetenv("NP2_SCRIPTS_DIR")) {
-        SETUP_FAIL_LOG;
-        return 1;
-    }
     if (unsetenv("LN2_MODULE_DIR")) {
         SETUP_FAIL_LOG;
         return 1;
From a83c184a58dca6d0da543a5ce94c13ebb891e0aa Mon Sep 17 00:00:00 2001
From: roman
Date: Fri, 3 Nov 2023 14:02:25 +0100
Subject: [PATCH 21/23] monitoring UPDATE time_t to timespec

---
 src/netconf_monitoring.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/netconf_monitoring.c b/src/netconf_monitoring.c
index 436c8126..938f7178 100644
--- a/src/netconf_monitoring.c
+++ b/src/netconf_monitoring.c
@@ -276,6 +276,7 @@ np2srv_ncm_oper_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const cha
     char **cpblts;
     char *time_str, buf[11];
     uint32_t i;
+    struct timespec ts;
 
     /* context is locked while the callback is executed */
     conn = sr_session_get_connection(session);
@@ -346,7 +347,8 @@ np2srv_ncm_oper_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const cha
         }
         lyd_new_term(list, NULL, "username", nc_session_get_username(stats.sessions[i]), 0, NULL);
         lyd_new_term(list, NULL, "source-host", nc_session_get_host(stats.sessions[i]), 0, NULL);
-        ly_time_time2str(nc_session_get_start_time(stats.sessions[i]), NULL, &time_str);
+        ts = nc_session_get_start_time(stats.sessions[i]);
+        ly_time_ts2str(&ts, &time_str);
         lyd_new_term(list, NULL, "login-time", time_str, 0, NULL);
         free(time_str);
 
From ac09c5c7f35f6961c530f245de0acde5658d6858 Mon Sep 17 00:00:00 2001
From: roman
Date: Fri, 3 Nov 2023 14:03:05 +0100
Subject: [PATCH 22/23] pkg UPDATE versions, curl and env

---
 distro/pkg/deb/control        | 5 +++--
 distro/pkg/rpm/netopeer2.spec | 7 ++++---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/distro/pkg/deb/control b/distro/pkg/deb/control
index b62a46b1..d738527f 100644
--- a/distro/pkg/deb/control
+++ b/distro/pkg/deb/control
@@ -8,13 +8,14 @@ Build-Depends: cmake,
  graphviz,
  libcmocka-dev,
  libsystemd-dev,
- libnetconf2-dev (>= 2.0.0),
+ libnetconf2-dev (>= 3.0.0),
  libssh-dev,
  libssl-dev,
  libsysrepo-dev (>= 2.0.0),
  libyang2-dev (>= 2.0.0),
  pkg-config,
- sysrepo-tools (>= 2.0.0)
+ sysrepo-tools (>= 2.0.0),
+ libcurl4-openssl-dev (>= 7.30.0)
 Homepage: https://github.com/CESNET/netopeer2/
 
 Package: netopeer2
diff --git a/distro/pkg/rpm/netopeer2.spec b/distro/pkg/rpm/netopeer2.spec
index c62458e9..a7b01763 100644
--- a/distro/pkg/rpm/netopeer2.spec
+++ b/distro/pkg/rpm/netopeer2.spec
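Review bot: The LY_ERR result of `ly_time_ts2str(&ts, &time_str)` in the second netconf_monitoring.c hunk is discarded, and `time_str` is declared without an initializer (`char *time_str, buf[11];` in the first hunk), so if the conversion fails and leaves the output untouched, the following `lyd_new_term(list, NULL, "login-time", time_str, 0, NULL)` and `free(time_str)` operate on an indeterminate pointer. The old `ly_time_time2str` call had the same gap, but the rewrite is the place to close it: `if (ly_time_ts2str(&ts, &time_str)) { /* skip or fail this session entry */ }`, using whichever error path the surrounding loop already has — the loop and the function's error handling lie outside the hunk.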
@@ -9,9 +9,9 @@ License: BSD-3-Clause BuildRequires: gcc BuildRequires: cmake -BuildRequires: pkgconfig(libyang) >= 2.0.194 -BuildRequires: pkgconfig(libnetconf2) >= 2.1.11 -BuildRequires: pkgconfig(sysrepo) >= 2.1.64 +BuildRequires: pkgconfig(libyang) >= 2.1.87 +BuildRequires: pkgconfig(libnetconf2) >= 3.0.0 +BuildRequires: pkgconfig(sysrepo) >= 2.2.111 BuildRequires: sysrepo-tools BuildRequires: libcurl-devel BuildRequires: libssh-devel @@ -80,6 +80,7 @@ set -e export NP2_MODULE_DIR=%{_datadir}/yang/modules/netopeer2 export NP2_MODULE_PERMS=600 export NP2_MODULE_OWNER=root +export LN2_MODULE_DIR=%{_datadir}/yang/modules/libnetconf2 %{_datadir}/netopeer2/setup.sh %{_datadir}/netopeer2/merge_hostkey.sh From 3e9d893a436c40537dbb18e3a26bf271b8ea8389 Mon Sep 17 00:00:00 2001 From: roman Date: Fri, 3 Nov 2023 14:03:21 +0100 Subject: [PATCH 23/23] cli UPDATE dont use deprecated print clb --- cli/main.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cli/main.c b/cli/main.c index 6a6f9404..37a20780 100644 --- a/cli/main.c +++ b/cli/main.c @@ -41,7 +41,7 @@ int done; extern struct nc_session *session; void -lnc2_print_clb(NC_VERB_LEVEL level, const char *msg) +lnc2_print_clb(const struct nc_session *UNUSED(session), NC_VERB_LEVEL level, const char *msg) { int was_rawmode = 0; @@ -138,7 +138,7 @@ main(void) action.sa_handler = SIG_IGN; sigaction(SIGPIPE, &action, NULL); - nc_set_print_clb(lnc2_print_clb); + nc_set_print_clb_session(lnc2_print_clb); ly_set_log_clb(ly_print_clb, 1); linenoiseSetCompletionCallback(complete_cmd); linenoiseHistoryDataFree(free);