diff --git a/src/server_config.c b/src/server_config.c index ffbede28..c226ffd9 100644 --- a/src/server_config.c +++ b/src/server_config.c @@ -2967,9 +2967,7 @@ nc_server_config_create_cert_to_name(const struct lyd_node *node, struct nc_serv int ret = 0; struct lyd_node *n; struct nc_ctn *new, *iter; - const char *map_type, *name = NULL; uint32_t id; - NC_TLS_CTN_MAPTYPE m_type; assert(!strcmp(LYD_NAME(node), "cert-to-name")); @@ -2978,39 +2976,6 @@ nc_server_config_create_cert_to_name(const struct lyd_node *node, struct nc_serv assert(n); id = ((struct lyd_node_term *)n)->value.uint32; - /* get CTN map-type */ - if (lyd_find_path(node, "map-type", 0, &n)) { - ERR(NULL, "Missing CTN map-type."); - ret = 1; - goto cleanup; - } - map_type = ((struct lyd_node_term *)n)->value.ident->name; - if (!strcmp(map_type, "specified")) { - m_type = NC_TLS_CTN_SPECIFIED; - - /* get CTN name */ - if (lyd_find_path(node, "name", 0, &n)) { - ERR(NULL, "Missing CTN \"specified\" user name."); - ret = 1; - goto cleanup; - } - name = lyd_get_value(n); - } else if (!strcmp(map_type, "san-rfc822-name")) { - m_type = NC_TLS_CTN_SAN_RFC822_NAME; - } else if (!strcmp(map_type, "san-dns-name")) { - m_type = NC_TLS_CTN_SAN_DNS_NAME; - } else if (!strcmp(map_type, "san-ip-address")) { - m_type = NC_TLS_CTN_SAN_IP_ADDRESS; - } else if (!strcmp(map_type, "san-any")) { - m_type = NC_TLS_CTN_SAN_ANY; - } else if (!strcmp(map_type, "common-name")) { - m_type = NC_TLS_CTN_COMMON_NAME; - } else { - ERR(NULL, "CTN map-type \"%s\" not supported.", map_type); - ret = 1; - goto cleanup; - } - /* create new ctn */ new = calloc(1, sizeof *new); NC_CHECK_ERRMEM_GOTO(!new, ret = 1, cleanup); @@ -3038,13 +3003,8 @@ nc_server_config_create_cert_to_name(const struct lyd_node *node, struct nc_serv } } - /* insert the right data */ + /* set the id, the other members will be filled later */ new->id = id; - if (name) { - new->name = strdup(name); - NC_CHECK_ERRMEM_GOTO(!new->name, ret = 1, cleanup); - } - new->map_type = m_type; cleanup: return ret; @@ -3088,7 +3048,7 @@ nc_server_config_cert_to_name(const struct lyd_node *node, enum nc_operation op) } static int -nc_server_config_fingerprint(const struct lyd_node *node, enum nc_operation op) +nc_server_config_fingerprint(const struct lyd_node *node, enum nc_operation UNUSED(op)) { int ret = 0; struct nc_ctn *ctn; @@ -3105,13 +3065,63 @@ nc_server_config_fingerprint(const struct lyd_node *node, enum nc_operation op) goto cleanup; } - if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) { - free(ctn->fingerprint); - ctn->fingerprint = strdup(lyd_get_value(node)); - NC_CHECK_ERRMEM_GOTO(!ctn->fingerprint, ret = 1, cleanup); + /* mandatory node, no need to check the op */ + free(ctn->fingerprint); + ctn->fingerprint = strdup(lyd_get_value(node)); + NC_CHECK_ERRMEM_GOTO(!ctn->fingerprint, ret = 1, cleanup); + +cleanup: + return ret; +} + +static int +nc_server_config_map_type(const struct lyd_node *node, enum nc_operation UNUSED(op)) +{ + int ret = 0; + struct nc_ctn *ctn; + struct nc_ch_client *ch_client = NULL; + const char *map_type, *name = NULL; + NC_TLS_CTN_MAPTYPE m_type; + + assert(!strcmp(LYD_NAME(node), "map-type")); + + if (is_ch(node) && nc_server_config_get_ch_client(node, &ch_client)) { + return 1; + } + + if (nc_server_config_get_ctn(node, ch_client, &ctn)) { + ret = 1; + goto cleanup; + } + + map_type = ((struct lyd_node_term *)node)->value.ident->name; + if (!strcmp(map_type, "specified")) { + m_type = NC_TLS_CTN_SPECIFIED; + + /* get CTN name */ + assert(!strcmp(LYD_NAME(node->next), "name")); + name = lyd_get_value(node->next); + } else if (!strcmp(map_type, "san-rfc822-name")) { + m_type = NC_TLS_CTN_SAN_RFC822_NAME; + } else if (!strcmp(map_type, "san-dns-name")) { + m_type = NC_TLS_CTN_SAN_DNS_NAME; + } else if (!strcmp(map_type, "san-ip-address")) { + m_type = NC_TLS_CTN_SAN_IP_ADDRESS; + } else if (!strcmp(map_type, "san-any")) { + m_type = NC_TLS_CTN_SAN_ANY; + } else if (!strcmp(map_type, "common-name")) { + m_type = NC_TLS_CTN_COMMON_NAME; } else { - free(ctn->fingerprint); - ctn->fingerprint = NULL; + ERR(NULL, "CTN map-type \"%s\" not supported.", map_type); + ret = 1; + goto cleanup; + } + + /* mandatory node, no need to check the op */ + ctn->map_type = m_type; + if (name) { + ctn->name = strdup(name); + NC_CHECK_ERRMEM_GOTO(!ctn->name, ret = 1, cleanup); } cleanup: @@ -3635,6 +3645,8 @@ nc_server_config_parse_netconf_server(const struct lyd_node *node, enum nc_opera ret = nc_server_config_local_port(node, op); } else if (!strcmp(name, "mac-alg")) { ret = nc_server_config_mac_alg(node, op); + } else if (!strcmp(name, "map-type")) { + ret = nc_server_config_map_type(node, op); } else if (!strcmp(name, "max-probes")) { ret = nc_server_config_max_probes(node, op); } else if (!strcmp(name, "none")) { diff --git a/src/session_server_tls.c b/src/session_server_tls.c index ac41f128..03574c2c 100644 --- a/src/session_server_tls.c +++ b/src/session_server_tls.c @@ -343,6 +343,8 @@ nc_server_tls_cert_to_name(struct nc_ctn *ctn, void *cert_chain, char **username cert_count = nc_tls_get_num_certs_wrap(cert_chain); for (i = 0; i < cert_count; i++) { + DBG(NULL, "Cert verify CTN: checking entry with id %" PRIu32 ".", ctn->id); + /* reset the flag */ fingerprint_match = 0; @@ -367,8 +369,6 @@ nc_server_tls_cert_to_name(struct nc_ctn *ctn, void *cert_chain, char **username } if (!strcasecmp(ctn->fingerprint + 3, digest_md5)) { - /* we got ourselves a potential winner! */ - VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found."); fingerprint_match = 1; } free(digest_md5); @@ -382,8 +382,6 @@ nc_server_tls_cert_to_name(struct nc_ctn *ctn, void *cert_chain, char **username } if (!strcasecmp(ctn->fingerprint + 3, digest_sha1)) { - /* we got ourselves a potential winner! */ - VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found."); fingerprint_match = 1; } free(digest_sha1); @@ -397,8 +395,6 @@ nc_server_tls_cert_to_name(struct nc_ctn *ctn, void *cert_chain, char **username } if (!strcasecmp(ctn->fingerprint + 3, digest_sha224)) { - /* we got ourselves a potential winner! */ - VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found."); fingerprint_match = 1; } free(digest_sha224); @@ -412,8 +408,6 @@ nc_server_tls_cert_to_name(struct nc_ctn *ctn, void *cert_chain, char **username } if (!strcasecmp(ctn->fingerprint + 3, digest_sha256)) { - /* we got ourselves a potential winner! */ - VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found."); fingerprint_match = 1; } free(digest_sha256); @@ -427,8 +421,6 @@ nc_server_tls_cert_to_name(struct nc_ctn *ctn, void *cert_chain, char **username } if (!strcasecmp(ctn->fingerprint + 3, digest_sha384)) { - /* we got ourselves a potential winner! */ - VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found."); fingerprint_match = 1; } free(digest_sha384); @@ -442,8 +434,6 @@ nc_server_tls_cert_to_name(struct nc_ctn *ctn, void *cert_chain, char **username } if (!strcasecmp(ctn->fingerprint + 3, digest_sha512)) { - /* we got ourselves a potential winner! */ - VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found."); fingerprint_match = 1; } free(digest_sha512); @@ -456,6 +446,8 @@ nc_server_tls_cert_to_name(struct nc_ctn *ctn, void *cert_chain, char **username if (fingerprint_match) { /* found a fingerprint match, try to obtain the username */ + VRB(NULL, "Cert verify CTN: entry with a matching fingerprint found."); + DBG(NULL, "Cert verify CTN: matched fingerprint: %s (id %" PRIu32 ").", ctn->fingerprint, ctn->id); ret = nc_server_tls_get_username(cert, ctn, username); if (ret == -1) { /* fatal error */