/* * ***** BEGIN LICENSE BLOCK ***** Copyright (C) 2009-2019 Olof Hagsand Copyright (C) 2020-2021 Olof Hagsand and Rubicon Communications, LLC(Netgate) This file is part of CLIXON. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Alternatively, the contents of this file may be used under the terms of the GNU General Public License Version 3 or later (the "GPL"), in which case the provisions of the GPL are applicable instead of those above. If you wish to allow use of your version of this file only under the terms of the GPL, and not to allow others to use your version of this file under the terms of Apache License version 2, indicate your decision by deleting the provisions above and replace them with the notice and other provisions required by the GPL. If you do not delete the provisions above, a recipient may use your version of this file under the terms of any one of the Apache License version 2 or the GPL. 
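***** END LICENSE BLOCK ***** */
#ifdef HAVE_CONFIG_H
#include "clixon_config.h" /* generated by config & autoconf */
#endif
/* NOTE(review): the angle-bracket header names of the system/library includes below were
 * lost when this page was extracted; restore them from the upstream file before building. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* cligen */
#include
/* clicon */
#include
/* restconf */
#include "restconf_lib.h" /* generic shared with plugins */
#include "restconf_handle.h"
#include "restconf_err.h"
#ifdef HAVE_LIBEVHTP
#include /* evbuffer */
#define EVHTP_DISABLE_REGEX
#define EVHTP_DISABLE_EVTHR
#include
#endif
#ifdef HAVE_LIBNGHTTP2
#include
#endif
#include "restconf_native.h" /* Restconf-openssl mode specific headers*/

/*! Allocate a new HTTP stream object and link it into the connection's stream queue
 *
 * On any allocation failure the partially built stream is released again, so the
 * caller never has to clean up after a NULL return.
 * @param[in]  rc         Restconf connection the stream belongs to
 * @param[in]  stream_id  Stream id stored in sd_stream_id (looked up by restconf_stream_find)
 * @retval     sd         New stream, queued on rc->rc_streams and owned by rc
 * @retval     NULL       Error, clicon_err is set, nothing is leaked
 */
restconf_stream_data *
restconf_stream_data_new(restconf_conn *rc,
                         int32_t        stream_id)
{
    restconf_stream_data *sd;

    if ((sd = malloc(sizeof *sd)) == NULL){
        clicon_err(OE_UNIX, errno, "malloc");
        return NULL;
    }
    /* Zeroed pointer members let restconf_stream_free() tell an allocated
     * sub-object from a missing one on the failure path below */
    memset(sd, 0, sizeof *sd);
    sd->sd_stream_id = stream_id;
    sd->sd_fd = -1; /* no descriptor yet; restconf_stream_free() only closes fds != -1 */
    if ((sd->sd_indata = cbuf_new()) == NULL){
        clicon_err(OE_UNIX, errno, "cbuf_new");
        goto fail;
    }
    if ((sd->sd_outp_hdrs = cvec_new(0)) == NULL){
        clicon_err(OE_UNIX, errno, "cvec_new");
        goto fail;
    }
    if ((sd->sd_outp_buf = cbuf_new()) == NULL){
        clicon_err(OE_UNIX, errno, "cbuf_new");
        goto fail;
    }
    sd->sd_conn = rc;
    INSQ(sd, rc->rc_streams);
    return sd;
 fail:
    /* sd has not been queued on rc->rc_streams yet, so freeing it leaves the queue intact */
    restconf_stream_free(sd);
    return NULL;
}

/*! Find a stream on a connection by its stream id
 *
 * rc->rc_streams is a circular queue (INSQ/NEXTQ), so the walk stops when it wraps
 * back to the head element.
 * @param[in]  rc   Restconf connection
 * @param[in]  id   Stream id to look for
 * @retval     sd   Matching stream
 * @retval     NULL No stream with that id
 */
restconf_stream_data *
restconf_stream_find(restconf_conn *rc,
                     int32_t        id)
{
    restconf_stream_data *sd;

    if ((sd = rc->rc_streams) != NULL) {
        do {
            if (sd->sd_stream_id == id)
                return sd;
            sd = NEXTQ(restconf_stream_data *, sd);
        } while (sd && sd != rc->rc_streams);
    }
    return NULL;
}

/*! Free a stream object and everything it owns
 *
 * The stream must already have been removed from its connection's queue (see
 * restconf_conn_free) or never have been queued (see restconf_stream_data_new).
 * @param[in]  sd   Stream, may be NULL (no-op)
 * @retval     0    OK
 */
int
restconf_stream_free(restconf_stream_data *sd)
{
    if (sd == NULL)
        return 0;
    if (sd->sd_fd != -1) {
        close(sd->sd_fd);
    }
    if (sd->sd_indata)
        cbuf_free(sd->sd_indata);
    if (sd->sd_outp_hdrs)
        cvec_free(sd->sd_outp_hdrs);
    if (sd->sd_outp_buf)
        cbuf_free(sd->sd_outp_buf);
    if (sd->sd_body)
        cbuf_free(sd->sd_body);
    if (sd->sd_path)
        free(sd->sd_path);
    if (sd->sd_settings2)
        free(sd->sd_settings2);
    if (sd->sd_qvec)
        cvec_free(sd->sd_qvec);
    free(sd);
    return 0;
}

/*! Create restconf connection struct
 *
 * @param[in]  h    Clixon handle, stored in rc_h
 * @param[in]  s    Socket, stored in rc_s
 * @retval     rc   New connection (all other members zeroed), free with restconf_conn_free
 * @retval     NULL Error, clicon_err is set
 */
restconf_conn *
restconf_conn_new(clicon_handle h,
                  int           s)
{
    restconf_conn *rc;

    if ((rc = malloc(sizeof *rc)) == NULL){
        clicon_err(OE_UNIX, errno, "malloc");
        return NULL;
    }
    memset(rc, 0, sizeof *rc);
    rc->rc_h = h;
    rc->rc_s = s;
    return rc;
}

/*! Free clixon/cbuf resources related to an evhtp connection
 *
 * Releases the protocol session (nghttp2 / evhtp, when compiled in), then every
 * stream still queued on the connection, then the connection itself.
 * @param[in]  rc   restconf connection
 * @retval     0    OK
 * @retval    -1    Error (rc is NULL)
 */
int
restconf_conn_free(restconf_conn *rc)
{
    restconf_stream_data *sd;

    if (rc == NULL){
        clicon_err(OE_RESTCONF, EINVAL, "rc is NULL");
        return -1;
    }
#ifdef HAVE_LIBNGHTTP2
    if (rc->rc_ngsession)
        nghttp2_session_del(rc->rc_ngsession);
#endif
#ifdef HAVE_LIBEVHTP
    if (rc->rc_evconn)
        evhtp_connection_free(rc->rc_evconn); /* evhtp */
#endif
    /* Free all streams: DELQ unlinks the head, then the stream is released */
    while ((sd = rc->rc_streams) != NULL) {
        DELQ(sd, rc->rc_streams, restconf_stream_data *);
        if (sd)
            restconf_stream_free(sd);
    }
    free(rc);
    return 0;
}

/*! Given SSL connection, get peer certificate one-line name
 *
 * If the peer presented no certificate, or it has no subject name, the function
 * succeeds without touching *oneline; callers must initialize *oneline themselves.
 * @param[in]  ssl     SSL session
 * @param[out] oneline Cert name one-line, malloc:ed, caller frees
 * @retval     0       OK (*oneline set only when a subject name was found)
 * @retval    -1       Error, clicon_err is set
 */
int
ssl_x509_name_oneline(SSL   *ssl,
                      char **oneline)
{
    int        retval = -1;
    char      *p = NULL;
    X509      *cert = NULL;
    X509_NAME *name;

    if (ssl == NULL || oneline == NULL) {
        clicon_err(OE_RESTCONF, EINVAL, "ssl or oneline is NULL");
        goto done;
    }
    /* SSL_get_peer_certificate() returns a reference, hence X509_free() in done.
     * (OpenSSL 3 deprecates it in favour of SSL_get1_peer_certificate().) */
    if ((cert = SSL_get_peer_certificate(ssl)) == NULL)
        goto ok;
    if ((name = X509_get_subject_name(cert)) == NULL)
        goto ok;
    /* buf == NULL makes OpenSSL allocate the string; released with OPENSSL_free() */
    if ((p = X509_NAME_oneline(name, NULL, 0)) == NULL)
        goto ok;
    if ((*oneline = strdup(p)) == NULL){
        clicon_err(OE_UNIX, errno, "strdup");
        goto done;
    }
 ok:
    retval = 0;
 done:
    if (p)
        OPENSSL_free(p);
    if (cert)
        X509_free(cert);
    return retval;
}

/*!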
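 * Check common connection sanity checks and terminate the session if one fails,
 * before request processing
 *
 * These are tests of the sanity of the connection, not of an individual request, but
 * they are triggered by the (first) request in http/1 and http/2.
 * They could perhaps have been done earlier; this is somewhat late since the session is
 * closed, and that is always good to do as early as possible.
 * The following are the current checks:
 * 1) Check if http/2 non-tls is disabled
 * 2) Check if the ssl client cert is valid
 * When a check fails an error reply is generated on the stream and rc->rc_exit is set so
 * that the caller closes the session; the function itself still returns 0 in that case.
 * @param[in]  h    Clixon handle
 * @param[in]  rc   Restconf connection handle
 * @param[in]  sd   Http stream
 * @retval    -1    Error
 * @retval     0    OK, inspect rc->rc_exit to see whether the connection was rejected
 */

/*! Send the error reply for a failed sanity check in the media type the client asked for
 *
 * The media type comes from the HTTP Accept header: no header or the wildcard accept
 * value maps to JSON.
 * @param[in]  h     Clixon handle used for the parameter lookup and the reply
 * @param[in]  sd    Http stream the reply is written to
 * @param[in]  xerr  Error XML (as built by netconf_invalid_value_xml), still owned by caller
 * @retval     0     OK
 * @retval    -1     Error
 */
static int
restconf_sanity_reject(clicon_handle         h,
                       restconf_stream_data *sd,
                       cxobj                *xerr)
{
    restconf_media media_out = YANG_DATA_JSON;
    char          *media_str = NULL;

    if ((media_str = restconf_param_get(h, "HTTP_ACCEPT")) == NULL){
        media_out = YANG_DATA_JSON;
    }
    else if ((int)(media_out = restconf_media_str2int(media_str)) == -1){
        if (strcmp(media_str, "*/*") == 0) /* catch-all */
            media_out = YANG_DATA_JSON;
        /* NOTE(review): any other unrecognized Accept value leaves media_out == -1 and that
         * is what reaches api_return_err0(); behavior kept, confirm the callee tolerates it */
    }
    return api_return_err0(h, sd, xerr, 1, media_out, 0);
}

int
restconf_connection_sanity(clicon_handle         h,
                           restconf_conn        *rc,
                           restconf_stream_data *sd)
{
    int    retval = -1;
    cxobj *xerr = NULL;
    long   code;
    cbuf  *cberr = NULL;

    /* 1) Check if http/2 non-tls is disabled */
    if (rc->rc_ssl == NULL &&
        rc->rc_proto == HTTP_2 &&
        clicon_option_bool(h, "CLICON_RESTCONF_HTTP2_PLAIN") == 0){
        if (netconf_invalid_value_xml(&xerr, "protocol", "Non-tls HTTP/2 is disabled") < 0)
            goto done;
        if (restconf_sanity_reject(h, sd, xerr) < 0)
            goto done;
        rc->rc_exit = 1;
    }
    /* 2) Check if ssl client cert is valid.
     * NOTE(review): SSL_get_verify_result() also reports X509_V_OK when the peer presented
     * no certificate at all, so this check alone does not require a client cert; that
     * depends on the verify mode configured where the SSL context is set up (not visible
     * here). */
    else if (rc->rc_ssl != NULL &&
             (code = SSL_get_verify_result(rc->rc_ssl)) != X509_V_OK){
        if ((cberr = cbuf_new()) == NULL){
            clicon_err(OE_UNIX, errno, "cbuf_new");
            goto done;
        }
        /* The text says "unknown ca" for every failure although code may be any X509_V_ERR_*
         * value (expired, revoked, ...); X509_verify_cert_error_string(code) would name it */
        cprintf(cberr, "HTTP cert verification failed, unknown ca: (code:%ld)", code);
        if (netconf_invalid_value_xml(&xerr, "protocol", cbuf_get(cberr)) < 0)
            goto done;
        /* Original code replies via the connection's own handle here; presumably the same
         * object as h, kept as-is */
        if (restconf_sanity_reject(sd->sd_conn->rc_h, sd, xerr) < 0)
            goto done;
        rc->rc_exit = 1;
    }
    retval = 0;
 done:
    if (cberr)
        cbuf_free(cberr);
    if (xerr)
        xml_free(xerr);
    return retval;
}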