Remove CRL path and url configuration

doc/libnetconf.doc

@@ -206,8 +206,6 @@
  * - ::nc_client_tls_get_cert_key_paths()
  * - ::nc_client_tls_set_trusted_ca_paths()
  * - ::nc_client_tls_get_trusted_ca_paths()
- * - ::nc_client_tls_set_crl_paths()
- * - ::nc_client_tls_get_crl_paths()
  *
  * - ::nc_connect_tls()
  * - ::nc_connect_libssl()
@@ -265,8 +263,6 @@
  * - ::nc_client_tls_ch_get_cert_key_paths()
  * - ::nc_client_tls_ch_set_trusted_ca_paths()
  * - ::nc_client_tls_ch_get_trusted_ca_paths()
- * - ::nc_client_tls_ch_set_crl_paths()
- * - ::nc_client_tls_ch_get_crl_paths()
  *
  * - ::nc_accept_callhome()
  *
@@ -467,8 +463,12 @@
  * _cert-to-name_ entry.
  *
  * There are some further options. For example you can configure the TLS
- * version and ciphers to be used. You may also choose to use a Certificate
- * Revocation List.
+ * version and ciphers to be used.
+ *
+ * You may also choose to use a Certificate Revocation List. These lists
+ * are downloaded from the URIs specified in the x509 CRLDistributionPoints extensions.
+ * Be mindful that if any CRL is successfully downloaded and set, then at least one of them has to belong
+ * to the peer (e.g. the client) certificate (in other words it has to be issued by peer's CA).
  *
  * Functions List
  * --------------

modules/libnetconf2-netconf-server@2024-01-15.yang

@@ -244,13 +244,6 @@ module libnetconf2-netconf-server {
     description
       "Grouping for SSH authentication parameters.";
 
-    leaf auth-attempts {
-      type uint16;
-      default 3;
-      description
-        "Represents the number of failed attempts before an authentication is deemed unsuccessful.";
-    }
-
     leaf auth-timeout {
       type uint16;
       default 30;
@@ -329,48 +322,6 @@ module libnetconf2-netconf-server {
     }
   }
 
-  grouping certificate-revocation-list-grouping {
-    description
-      "A grouping for the Certificate Revocation List, which is used
-       to authenticate clients or to deny access for certain certificates.
-       The given Certificate Revocation List must be PEM or DER encoded.";
-
-    reference
-      "RFC 5280:
-         Internet X.509 Public Key Infrastructure Certificate
-         and Certificate Revocation List (CRL) Profile";
-
-    choice certificate-revocation-list {
-      leaf crl-url {
-        type string;
-        description
-          "An URL from which the Certificate Revocation List will be
-           downloaded and used. The HTTP protocol works, but other
-           protocols, such as FTP, may work as well.";
-      }
-
-      leaf crl-path {
-        type string;
-        description
-          "A path to a Certificate Revocation List file.";
-      }
-
-      leaf crl-cert-ext {
-        type empty;
-        description
-          "Indicates that the Certificate Revocation List
-           Distribution Points extension will be used to fetch
-           Certificate Revocation Lists from. This will be done
-           for all the configured Certificate Authority certificates.";
-
-        reference
-          "RFC 5280:
-             Internet X.509 Public Key Infrastructure Certificate
-             and Certificate Revocation List (CRL) Profile, Section 4.2.1.13";
-      }
-    }
-  }
-
   augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
           "/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
     uses ssh-authentication-params-grouping;
@@ -424,14 +375,4 @@ module libnetconf2-netconf-server {
           "/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
     uses endpoint-reference-grouping;
   }
-
-  augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:tls" +
-          "/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
-    uses certificate-revocation-list-grouping;
-  }
-
-  augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
-          "/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
-    uses certificate-revocation-list-grouping;
-  }
 }

src/server_config.c

@@ -831,9 +831,6 @@ nc_server_config_del_tls_opts(struct nc_bind *bind, struct nc_server_tls_opts *o
     nc_server_config_del_certs(&opts->ca_certs);
     nc_server_config_del_certs(&opts->ee_certs);
 
-    free(opts->crl_path);
-    free(opts->crl_url);
-
     nc_server_config_del_ctns(opts);
     free(opts->ciphers);
     free(opts);
@@ -2111,38 +2108,6 @@ nc_server_config_user(const struct lyd_node *node, NC_OPERATION op)
     return ret;
 }
 
-static int
-nc_server_config_auth_attempts(const struct lyd_node *node, NC_OPERATION op)
-{
-    int ret = 0;
-    struct nc_server_ssh_opts *opts;
-    struct nc_ch_client *ch_client = NULL;
-
-    assert(!strcmp(LYD_NAME(node), "auth-attempts"));
-
-    /* LOCK */
-    if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
-        /* to avoid unlock on fail */
-        return 1;
-    }
-
-    if (nc_server_config_get_ssh_opts(node, ch_client, &opts)) {
-        ret = 1;
-        goto cleanup;
-    }
-
-    if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
-        opts->auth_attempts = ((struct lyd_node_term *)node)->value.uint16;
-    }
-
-cleanup:
-    if (is_ch(node)) {
-        /* UNLOCK */
-        nc_ch_client_unlock(ch_client);
-    }
-    return ret;
-}
-
 static int
 nc_server_config_auth_timeout(const struct lyd_node *node, NC_OPERATION op)
 {
@@ -3307,114 +3272,6 @@ nc_server_config_cipher_suite(const struct lyd_node *node, NC_OPERATION op)
     return ret;
 }
 
-static int
-nc_server_config_crl_url(const struct lyd_node *node, NC_OPERATION op)
-{
-    int ret = 0;
-    struct nc_server_tls_opts *opts;
-    struct nc_ch_client *ch_client = NULL;
-
-    assert(!strcmp(LYD_NAME(node), "crl-url"));
-
-    /* LOCK */
-    if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
-        /* to avoid unlock on fail */
-        return 1;
-    }
-
-    if (nc_server_config_get_tls_opts(node, ch_client, &opts)) {
-        ret = 1;
-        goto cleanup;
-    }
-
-    if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
-        free(opts->crl_url);
-        opts->crl_url = strdup(lyd_get_value(node));
-        NC_CHECK_ERRMEM_GOTO(!opts->crl_url, ret = 1, cleanup);
-    } else if (op == NC_OP_DELETE) {
-        free(opts->crl_url);
-        opts->crl_url = NULL;
-    }
-
-cleanup:
-    if (is_ch(node)) {
-        /* UNLOCK */
-        nc_ch_client_unlock(ch_client);
-    }
-    return ret;
-}
-
-static int
-nc_server_config_crl_path(const struct lyd_node *node, NC_OPERATION op)
-{
-    int ret = 0;
-    struct nc_server_tls_opts *opts;
-    struct nc_ch_client *ch_client = NULL;
-
-    assert(!strcmp(LYD_NAME(node), "crl-path"));
-
-    /* LOCK */
-    if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
-        /* to avoid unlock on fail */
-        return 1;
-    }
-
-    if (nc_server_config_get_tls_opts(node, ch_client, &opts)) {
-        ret = 1;
-        goto cleanup;
-    }
-
-    if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
-        free(opts->crl_path);
-        opts->crl_path = strdup(lyd_get_value(node));
-        NC_CHECK_ERRMEM_GOTO(!opts->crl_path, ret = 1, cleanup);
-    } else if (op == NC_OP_DELETE) {
-        free(opts->crl_path);
-        opts->crl_path = NULL;
-    }
-
-cleanup:
-    if (is_ch(node)) {
-        /* UNLOCK */
-        nc_ch_client_unlock(ch_client);
-    }
-    return ret;
-}
-
-static int
-nc_server_config_crl_cert_ext(const struct lyd_node *node, NC_OPERATION op)
-{
-    int ret = 0;
-    struct nc_server_tls_opts *opts;
-    struct nc_ch_client *ch_client = NULL;
-
-    assert(!strcmp(LYD_NAME(node), "crl-cert-ext"));
-
-    /* LOCK */
-    if (is_ch(node) && nc_server_config_get_ch_client_with_lock(node, &ch_client)) {
-        /* to avoid unlock on fail */
-        return 1;
-    }
-
-    if (nc_server_config_get_tls_opts(node, ch_client, &opts)) {
-        ret = 1;
-        goto cleanup;
-    }
-
-    if ((op == NC_OP_CREATE) || (op == NC_OP_REPLACE)) {
-        opts->crl_cert_ext = 1;
-    } else if (op == NC_OP_DELETE) {
-        opts->crl_cert_ext = 0;
-    }
-
-cleanup:
-    if (is_ch(node)) {
-        /* UNLOCK */
-        nc_ch_client_unlock(ch_client);
-    }
-    return ret;
-}
-
 #endif /* NC_ENABLED_SSH_TLS */
 
 static int
@@ -3817,8 +3674,6 @@ nc_server_config_parse_netconf_server(const struct lyd_node *node, NC_OPERATION
         ret = nc_server_config_keystore_reference(node, op);
     } else if (!strcmp(name, "user")) {
         ret = nc_server_config_user(node, op);
-    } else if (!strcmp(name, "auth-attempts")) {
-        ret = nc_server_config_auth_attempts(node, op);
     } else if (!strcmp(name, "auth-timeout")) {
         ret = nc_server_config_auth_timeout(node, op);
     } else if (!strcmp(name, "central-truststore-reference")) {
@@ -3857,12 +3712,6 @@ nc_server_config_parse_netconf_server(const struct lyd_node *node, NC_OPERATION
         ret = nc_server_config_tls_version(node, op);
     } else if (!strcmp(name, "cipher-suite")) {
         ret = nc_server_config_cipher_suite(node, op);
-    } else if (!strcmp(name, "crl-url")) {
-        ret = nc_server_config_crl_url(node, op);
-    } else if (!strcmp(name, "crl-path")) {
-        ret = nc_server_config_crl_path(node, op);
-    } else if (!strcmp(name, "crl-cert-ext")) {
-        ret = nc_server_config_crl_cert_ext(node, op);
     }
 #endif /* NC_ENABLED_SSH_TLS */
     else if (!strcmp(name, "netconf-client")) {