blob: 2c759e595f37ef54f56b9831a3f3d508b5268769 [file] [log] [blame]
/**
* \file libnetconf.h
* \author Radek Krejci <rkrejci@cesnet.cz>
* \author Michal Vasko <mvasko@cesnet.cz>
* \brief libnetconf2 main internal header.
*
* Copyright (c) 2015 CESNET, z.s.p.o.
*
* This source code is licensed under BSD 3-Clause License (the "License").
* You may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://opensource.org/licenses/BSD-3-Clause
*/
#ifndef NC_LIBNETCONF_H_
#define NC_LIBNETCONF_H_
#include "config.h"
#include "netconf.h"
#include "log_p.h"
#include "session_p.h"
#include "messages_p.h"
/* Tests whether string is empty or non-empty. */
#define strisempty(str) ((str)[0] == '\0')
#define strnonempty(str) ((str)[0] != '\0')
/**
* @mainpage About
*
* libnetconf2 is a NETCONF library in C handling NETCONF authentication and all NETCONF
* RPC communication both server and client-side. NETCONF datastore and session management is not a part of this library,
* but it helps a lot with the sessions.
*
* @section about-features Main Features
*
* - Creating SSH (using libssh) or TLS (using OpenSSL) authenticated NETCONF sessions.
* - Creating NETCONF sessions with a pre-established transport protocol
* (using this mechanism the communication can be tunneled through sshd(8), for instance).
* - Creating NETCONF Call Home sessions.
* - Creating, sending, receiving, and replying to RPCs.
* - Receiving notifications.
*
* - \todo Creating and sending notifications.
*
* @section about-license License
*
* Copyright (c) 2015-2016 CESNET, z.s.p.o.
*
* (The BSD 3-Clause License)
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
* 3. Neither the name of the Company nor the names of its contributors
* may be used to endorse or promote products derived from this
* software without specific prior written permission.
*/
/**
* @page howto How To ...
*
* - @subpage howtoinit
* - @subpage howtoclient
* - @subpage howtoserver
* - @subpage howtoclientcomm
* - @subpage howtoservercomm
*/
/**
* @page howtoinit Init and Thread-safety Information
*
* Before working with the library, it must be initialized using nc_client_init()
* or nc_server_init(). Optionally, a client can use nc_client_set_schema_searchpath()
* to set the path to a directory with modules that will be loaded from there if they
* could not be downloaded from the server (it does not support \<get-schema\>).
* However, to be able to create at least the \<get-schema\> RPC, this directory must
* contain the module _ietf-netconf-monitoring_. If this directory is not set,
* the default _libnetconf2_ schema directory is used that includes this module
* and a few others.
*
* Based on how the library was compiled, also _libssh_ and/or
* _libssh_/_libcrypto_ are initialized (for multi-threaded use) too. It is advised
* to compile _libnetconf2_, for instance, with TLS support even if you do not want
* to use _lnc2_ TLS functions, but only use _libssl/libcrypto_ functions in your
* application. You can then use _libnetconf2_ cleanup function and do not
* trouble yourself with the cleanup.
*
* To prevent any reachable memory at the end of your application, there
* are complementary destroy functions available. If your application is
* multi-threaded, call the destroy functions in the last thread, after all
* the other threads have ended. In every other thread you should call
* nc_thread_destroy() just before it exits.
*
* If _libnetconf2_ is used in accordance with this information, there should
* not be memory leaks of any kind at program exit. For thread-safety details
* of _libssh_, _libssl_, and _libcrypto_, please refer to the corresponding project
* documentation. _libnetconf2_ thread-safety information is below.
*
* Client is __NOT__ thread-safe and there is no access control in the client
* functions at all. Server is __MOSTLY__ thread-safe meaning you can set all the
* options simultaneously while listening for or accepting new sessions or
* polling the existing ones. It should even be safe to poll one session in
* several threads, but it is definitely discouraged. Generally, servers can
* use more threads without any problems as long as they keep their workflow sane
* (behavior such as freeing sessions only after no thread uses them or similar).
*
* Functions List
* --------------
*
* Available in __nc_client.h__.
*
* - nc_client_init()
* - nc_client_destroy()
*
* - nc_client_set_schema_searchpath()
* - nc_client_get_schema_searchpath()
*
* Available in __nc_server.h__.
*
* - nc_server_init()
* - nc_server_destroy()
*
* Available in both __nc_client.h__ and __nc_server.h__.
*
* - nc_thread_destroy()
*/
/**
* @page howtoclient Client sessions
*
* To connect to a NETCONF server, a NETCONF session must be established,
* which requires a working transport session. It is possible to create
* NETCONF sessions with SSH (using _libssh_) or TLS (using _libssl/libcrypto_)
* as the underlying transport protocol. It is also possible to establish
* the transport protocol outside _libnetconf2_ and then provide these file
* descriptors (FD) for full NETCONF session creation.
*
* There are a lot of options for both an SSH and a TLS client. All of them
* have setters and getters so that there is no need to duplicate them in
* a client.
*
* SSH
* ===
*
* Connecting to a server using SSH does not strictly require to set any
* options, there are sensible default values for all the basic ones.
* Except all the SSH options, optionally some authetication callbacks can be set,
* which are particulary useful in automated clients (passwords cannot be
* asked a user) or simply if any additional information is retrieved some
* other way than from standard terminal input.
*
* Having the default options or changing any unsuitable ones, there are 2 functions
* to use for a new server connection. nc_connect_ssh() is the standard function
* that creates sessions using the set options. If there are some options, which
* cannot be changed with the provided API, there is nc_connect_libssh() available.
* It requires a _libssh_ session, in which all the SSH options can be modified
* and even the connection established. This allows for full customization and
* should fit any specific situation.
*
* New NETCONF sessions can also be created on existing authenticated SSH sessions.
* There is a new SSH channel needed, on which the NETCONF session is then created.
* Use nc_connect_ssh_channel() for this purpose.
*
* Functions List
* --------------
*
* Available in __nc_client.h__.
*
* - nc_client_ssh_set_auth_hostkey_check_clb()
* - nc_client_ssh_set_auth_password_clb()
* - nc_client_ssh_set_auth_interactive_clb()
* - nc_client_ssh_set_auth_privkey_passphrase_clb()
* - nc_client_ssh_add_keypair()
* - nc_client_ssh_del_keypair()
* - nc_client_ssh_get_keypair_count()
* - nc_client_ssh_get_keypair()
* - nc_client_ssh_set_auth_pref()
* - nc_client_ssh_get_auth_pref()
* - nc_client_ssh_set_username()
* - nc_client_ssh_get_username()
*
* - nc_connect_ssh()
* - nc_connect_libssh()
* - nc_connect_ssh_channel()
*
*
* TLS
* ===
*
* To connect to a server using TLS, there must be some client identification
* options set. Client must specify its certificate with a private key using
* nc_client_tls_set_cert_key_paths(). Also, the Certificate Authority of
* a server certificate must be considered trusted. Paths to all the trusted
* CA certificates can be set by nc_client_tls_set_trusted_ca_paths().
*
* Then there are again 2 functions for connecting, nc_connect_tls() being
* the standard way of connecting. nc_connect_libssl() again enables
* to customize the TLS session in every way _libssl_ allows.
*
* Functions List
* --------------
*
* Available in __nc_client.h__.
*
* - nc_client_tls_set_cert_key_paths()
* - nc_client_tls_get_cert_key_paths()
* - nc_client_tls_set_trusted_ca_paths()
* - nc_client_tls_get_trusted_ca_paths()
* - nc_client_tls_set_crl_paths()
* - nc_client_tls_get_crl_paths()
*
* - nc_connect_tls()
* - nc_connect_libssl()
*
*
* FD
* ==
*
* If you authenticated the connection using some tunneling software, you
* can pass its file descriptors to _libnetconf2_ using nc_connect_inout(),
* which will continue to establish a full NETCONF session.
*
* Funtions List
* -------------
*
* Available in __nc_client.h__.
*
* - nc_connect_inout()
*
*
* Call Home
* =========
*
* Call Home needs the same options set as standard SSH or TLS and the functions
* reflect it exactly. However, to accept a connection, the client must first
* specify addresses and ports, which to listen on by nc_client_ssh_ch_add_bind_listen()
* and nc_client_tls_ch_add_bind_listen(). Then connections can be
* accepted using nc_accept_callhome().
*
* Functions List
* --------------
*
* Available in __nc_client.h__.
*
* - nc_client_ssh_ch_set_auth_hostkey_check_clb()
* - nc_client_ssh_ch_set_auth_password_clb()
* - nc_client_ssh_ch_set_auth_interactive_clb()
* - nc_client_ssh_ch_set_auth_privkey_passphrase_clb()
* - nc_client_ssh_ch_add_bind_listen()
* - nc_client_ssh_ch_del_bind()
* - nc_client_ssh_ch_add_keypair()
* - nc_client_ssh_ch_del_keypair()
* - nc_client_ssh_ch_get_keypair_count()
* - nc_client_ssh_ch_get_keypair()
* - nc_client_ssh_ch_set_auth_pref()
* - nc_client_ssh_ch_get_auth_pref()
* - nc_client_ssh_ch_set_username()
* - nc_client_ssh_ch_get_username()
*
* - nc_client_tls_ch_add_bind_listen()
* - nc_client_tls_ch_del_bind()
* - nc_client_tls_ch_set_cert_key_paths()
* - nc_client_tls_ch_get_cert_key_paths()
* - nc_client_tls_ch_set_trusted_ca_paths()
* - nc_client_tls_ch_get_trusted_ca_paths()
* - nc_client_tls_ch_set_crl_paths()
* - nc_client_tls_ch_get_crl_paths()
*
* - nc_accept_callhome()
*
*
* Cleanup
* =======
*
* These options and the schema searchpath are stored in dynamically
* allocated memory. They are freed as a part of [destroying the client](@ref howtoinit).
*/
/**
* @page howtoserver Server sessions
*
* Init
* ====
*
* Server takes an argument for its [initialization function](@ref howtoinit).
* In it, you set the server context, which determines what modules it
* supports and what capabilities to advertise. Few capabilities that
* cannot be learnt from the context are set with separate functions
* nc_server_set_capab_withdefaults() and nc_server_set_capab_interleave().
* Timeout for receiving the _hello_ message on a new session can be set
* by nc_server_set_hello_timeout() and the timeout for disconnecting
* an inactive session by nc_server_set_idle_timeout().
*
* Context does not only determine server modules, but its overall
* functionality as well. For every RPC the server should support,
* an nc_rpc_clb callback should be set on that node in the context using nc_set_rpc_callback().
* Server then calls these as appropriate [during poll](@ref howtoservercomm).
*
* Just like in the [client](@ref howtoclient), you can let _libnetconf2_
* establish SSH or TLS transport or do it yourself and only provide the file
* descriptors of the connection.
*
* Server options can be only set, there are no getters.
*
* To be able to accept any connections, general endpoints must first be added
* with nc_server_add_endpt(). They can then be modified to accept either SSH, TLS,
* or both kinds of sessions.
*
* Functions List
* --------------
*
* Available in __nc_server.h__.
*
* - nc_server_set_capab_withdefaults()
* - nc_server_set_capab_interleave()
* - nc_server_set_hello_timeout()
* - nc_server_set_idle_timeout()
*
* - nc_server_add_endpt()
* - nc_server_del_endpt()
*
*
* SSH
* ===
*
* To start listening for SSH connections you must set the address
* and port to listen on for a particular endpoint using nc_server_ssh_endpt_set_address()
* and nc_server_endpt_set_port().
* To then successfully accept an SSH session you must also set the host key using
* nc_server_ssh_endpt_add_hostkey().
*
* Functions List
* --------------
*
* Available in __nc_server.h__.
*
* - nc_server_ssh_endpt_set_address()
* - nc_server_ssh_endpt_set_port()
*
* - nc_server_ssh_endpt_add_hostkey()
* - nc_server_ssh_endpt_del_hostkey()
* - nc_server_ssh_endpt_set_banner()
* - nc_server_ssh_endpt_set_auth_methods()
* - nc_server_ssh_endpt_set_auth_attempts()
* - nc_server_ssh_endpt_set_auth_timeout()
* - nc_server_ssh_endpt_add_authkey()
* - nc_server_ssh_endpt_del_authkey()
*
*
* TLS
* ===
*
* TLS works with endpoints too, but its options differ
* significantly from the SSH ones, especially in the _cert-to-name_
* options that TLS uses to derive usernames from client certificates.
* So, after starting listening on an endpoint by calling nc_server_tls_endpt_set_address()
* and nc_server_tls_endpt_set_port(),
* you need to set the server certificate (nc_server_tls_endpt_set_cert()
* or nc_server_tls_endpt_set_cert_path()) and private key (nc_server_tls_endpt_set_key()
* or nc_server_tls_endpt_set_key_path()).
*
* To accept client certificates, they must first be considered trusted,
* which you have three ways of achieving. You can add each of their Certificate Authority
* certificates to the trusted ones or mark a specific client certificate
* as trusted using nc_server_tls_endpt_add_trusted_cert(). Lastly, you can
* set paths with all the trusted CA certificates with nc_server_tls_endpt_set_trusted_ca_paths().
*
* Then, from each trusted client certificate a username must be derived
* for the NETCONF session. This is accomplished by finding a matching
* _cert-to-name_ entry. They are added using nc_server_tls_endpt_add_ctn().
*
* If you need to remove trusted certificates, you can do so with nc_server_tls_endpt_del_trusted_cert().
* To clear all Certificate Revocation Lists use nc_server_tls_endpt_clear_crls().
*
* Functions List
* --------------
*
* Available in __nc_server.h__.
*
* - nc_server_tls_endpt_set_address()
* - nc_server_tls_endpt_set_port()
*
* - nc_server_tls_endpt_set_cert()
* - nc_server_tls_endpt_set_cert_path()
* - nc_server_tls_endpt_set_key()
* - nc_server_tls_endpt_set_key_path()
* - nc_server_tls_endpt_add_trusted_cert()
* - nc_server_tls_endpt_add_trusted_cert_path()
* - nc_server_tls_endpt_set_trusted_ca_paths()
* - nc_server_tls_endpt_del_trusted_cert();
* - nc_server_tls_endpt_set_crl_paths()
* - nc_server_tls_endpt_clear_crls()
* - nc_server_tls_endpt_add_ctn()
* - nc_server_tls_endpt_del_ctn()
*
* FD
* ==
*
* If you used a tunneling software, which does its own authentication,
* you can accept a NETCONF session on its file descriptors with
* nc_accept_inout().
*
* Functions List
* --------------
*
* Available in __nc_server.h__.
*
* - nc_accept_inout()
*
*
* Call Home
* =========
*
* Call Home does not work with endpoints like standard sessions.
* Connecting is similar to the [client](@ref howtoclient), just call
* nc_connect_callhome_ssh() or nc_connect_callhome_tls(). Any options
* must be reset manually by nc_server_ssh_ch_clear_opts()
* or using nc_server_tls_ch_del_trusted_cert() and nc_server_tls_ch_clear_crls()
* after another Call Home session (with different options than the previous one)
* is to be established. Also, monitoring of these sessions is up to the application.
*
* Functions List
* --------------
*
* Available in __nc_server.h__.
*
* - nc_connect_callhome_ssh()
* - nc_connect_callhome_tls()
*
* - nc_server_ssh_ch_add_hostkey()
* - nc_server_ssh_ch_del_hostkey()
* - nc_server_ssh_ch_set_banner()
* - nc_server_ssh_ch_set_auth_methods()
* - nc_server_ssh_ch_set_auth_attempts()
* - nc_server_ssh_ch_set_auth_timeout()
* - nc_server_ssh_ch_add_authkey()
* - nc_server_ssh_ch_del_authkey()
* - nc_server_ssh_ch_clear_opts()
*
* - nc_server_tls_ch_set_cert()
* - nc_server_tls_ch_set_cert_path()
* - nc_server_tls_ch_set_key()
* - nc_server_tls_ch_set_key_path()
* - nc_server_tls_ch_add_trusted_cert()
* - nc_server_tls_ch_add_trusted_cert_path()
* - nc_server_tls_ch_set_trusted_ca_paths()
* - nc_server_tls_ch_del_trusted_cert();
* - nc_server_tls_ch_set_crl_paths()
* - nc_server_tls_ch_clear_crls()
* - nc_server_tls_ch_add_ctn()
* - nc_server_tls_ch_del_ctn()
* - nc_server_tls_ch_clear_opts()
*
*
* Connecting And Cleanup
* ======================
*
* When accepting connections with nc_accept(), all the endpoints are examined
* and the first with a pending connection is used. To remove all
* the endpoints and free any used dynamic memory, [destroy](@ref howtoinit) the server.
*
* Functions List
* --------------
*
* Available in __nc_server.h__.
*
* - nc_accept()
*/
/**
* @page howtoclientcomm Client communication
*
* To send RPCs on a session, you simply create an RPC, send it using nc_send_rpc(),
* and then wait for a reply using nc_recv_reply(). If you are subscribed, there are 2 ways
* of receiving notifications. Either you wait for them the same way
* as for standard replies with nc_recv_notif() or you create a dispatcher
* with nc_recv_notif_dispatch() that asynchronously (in a separate thread)
* reads notifications and passes them to your callback.
*
* Functions List
* --------------
*
* Available in __nc_client.h__.
*
* - nc_rpc_act_generic()
* - nc_rpc_act_generic_xml()
* - nc_rpc_getconfig()
* - nc_rpc_edit()
* - nc_rpc_copy()
* - nc_rpc_delete()
* - nc_rpc_lock()
* - nc_rpc_unlock()
* - nc_rpc_get()
* - nc_rpc_kill()
* - nc_rpc_commit()
* - nc_rpc_discard()
* - nc_rpc_cancel()
* - nc_rpc_validate()
* - nc_rpc_getschema()
* - nc_rpc_subscribe()
*
* - nc_send_rpc()
* - nc_recv_reply()
* - nc_recv_notif()
* - nc_recv_notif_dispatch()
*/
/**
* @page howtoservercomm Server communication
*
* Once at least one session is established, an nc_pollsession structure
* should be created with nc_ps_new(), filled with the session using
* nc_ps_add_session() and finally polled with nc_ps_poll(). Based on
* the return value from the poll, further actions can be taken. More
* sessions can be polled at the same time and any requests received on
* the sessions are [handled internally](@ref howtoserver).
*
* If an SSH NETCONF session asks for a new channel, you can accept
* this request with nc_ps_accept_ssh_channel() or nc_session_accept_ssh_channel()
* depending on the structure you want to use as the argument.
*
* Functions List
* --------------
*
* Available in __nc_server.h__.
*
* - nc_ps_new()
* - nc_ps_add_session()
* - nc_ps_del_session()
* - nc_ps_session_count()
* - nc_ps_free()
*
* - nc_ps_poll()
* - nc_ps_clear()
* - nc_ps_accept_ssh_channel()
* - nc_session_accept_ssh_channel()
*/
#endif /* NC_LIBNETCONF_H_ */