config UPDATE add support for TLS
New API for configuring TLS added. For the server, only it's certificate
is currently supported. For the client, only it's end-entity and
certificate-authority certificates are supported (as compared to
ietf-netconf-server module).
Each source and header files' includes were refactored (added
missing/deleted redundant).
New file to generate documentation from added to replace the old one.
New API parameters position changed. Split the API to SSH/TLS/common
files and added new common header for these.
Made changes to some internal structures and renamed some members.
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 68aee07..24d769c 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -9,7 +9,7 @@
# list of all the tests in each directory
#set(tests test_io test_fd_comm test_init_destroy_client test_init_destroy_server test_client_thread test_thread_messages)
-set(tests test_two_channels test_keystore test_unix_socket test_config_new test_truststore test_ec test_ed25519 test_replace test_endpt_share_clients)
+set(tests test_unix_socket)
# only enable PAM tests if the version of PAM is greater than 1.4
if(LIBPAM_HAVE_CONFDIR)
@@ -37,15 +37,12 @@
endforeach()
#append tests depending on SSH/TLS
-if(ENABLE_SSH OR ENABLE_TLS)
- #list(APPEND tests test_server_thread)
- if(ENABLE_SSH)
- list(APPEND client_tests test_client_ssh)
- endif()
+if(ENABLE_SSH)
+ list(APPEND tests test_two_channels test_keystore test_config_new test_truststore test_ec test_ed25519 test_replace test_endpt_share_clients)
+endif()
- if(ENABLE_TLS)
- list(APPEND client_tests test_client_tls)
- endif()
+if(ENABLE_TLS)
+ list(APPEND tests test_tls)
endif()
foreach(src IN LISTS libsrc)
diff --git a/tests/test_config_new.c b/tests/test_config_new.c
index b82c6f2..0289ddc 100644
--- a/tests/test_config_new.c
+++ b/tests/test_config_new.c
@@ -152,11 +152,11 @@
assert_int_equal(ret, 0);
/* create new hostkey data */
- ret = nc_server_config_new_ssh_hostkey(TESTS_DIR "/data/server.key", NULL, ctx, "endpt", "hostkey", &tree);
+ ret = nc_server_config_new_ssh_hostkey(ctx, "endpt", "hostkey", TESTS_DIR "/data/server.key", NULL, &tree);
assert_int_equal(ret, 0);
/* create new address and port data */
- ret = nc_server_config_new_ssh_address_port("127.0.0.1", "10005", ctx, "endpt", &tree);
+ ret = nc_server_config_new_address_port(ctx, "endpt", NC_TI_LIBSSH, "127.0.0.1", "10005", &tree);
assert_int_equal(ret, 0);
/* create the host-key algorithms data */
@@ -164,7 +164,7 @@
assert_int_equal(ret, 0);
/* create the client authentication data, password only */
- ret = nc_server_config_new_ssh_client_auth_password("testpassword123", ctx, "endpt", "client", &tree);
+ ret = nc_server_config_new_ssh_client_auth_password(ctx, "endpt", "client", "testpassword123", &tree);
assert_int_equal(ret, 0);
/* configure the server based on the data */
diff --git a/tests/test_ec.c b/tests/test_ec.c
index ad95a4e..95f82ac 100644
--- a/tests/test_ec.c
+++ b/tests/test_ec.c
@@ -215,19 +215,19 @@
ret = nc_server_config_load_modules(&ctx);
assert_int_equal(ret, 0);
- ret = nc_server_config_new_ssh_hostkey(TESTS_DIR "/data/key_ecdsa", NULL, ctx, "endpt", "hostkey", &tree);
+ ret = nc_server_config_new_ssh_hostkey(ctx, "endpt", "hostkey", TESTS_DIR "/data/key_ecdsa", NULL, &tree);
assert_int_equal(ret, 0);
- ret = nc_server_config_new_ssh_address_port("127.0.0.1", "10009", ctx, "endpt", &tree);
+ ret = nc_server_config_new_address_port(ctx, "endpt", NC_TI_LIBSSH, "127.0.0.1", "10009", &tree);
assert_int_equal(ret, 0);
- ret = nc_server_config_new_ssh_client_auth_pubkey(TESTS_DIR "/data/id_ecdsa256.pub", ctx, "endpt", "test_ec256", "pubkey", &tree);
+ ret = nc_server_config_new_ssh_client_auth_pubkey(ctx, "endpt", "test_ec256", "pubkey", TESTS_DIR "/data/id_ecdsa256.pub", &tree);
assert_int_equal(ret, 0);
- ret = nc_server_config_new_ssh_client_auth_pubkey(TESTS_DIR "/data/id_ecdsa384.pub", ctx, "endpt", "test_ec384", "pubkey", &tree);
+ ret = nc_server_config_new_ssh_client_auth_pubkey(ctx, "endpt", "test_ec384", "pubkey", TESTS_DIR "/data/id_ecdsa384.pub", &tree);
assert_int_equal(ret, 0);
- ret = nc_server_config_new_ssh_client_auth_pubkey(TESTS_DIR "/data/id_ecdsa521.pub", ctx, "endpt", "test_ec521", "pubkey", &tree);
+ ret = nc_server_config_new_ssh_client_auth_pubkey(ctx, "endpt", "test_ec521", "pubkey", TESTS_DIR "/data/id_ecdsa521.pub", &tree);
assert_int_equal(ret, 0);
/* configure the server based on the data */
diff --git a/tests/test_ed25519.c b/tests/test_ed25519.c
index 3a84f22..7b27d7f 100644
--- a/tests/test_ed25519.c
+++ b/tests/test_ed25519.c
@@ -152,13 +152,13 @@
ret = nc_server_config_load_modules(&ctx);
assert_int_equal(ret, 0);
- ret = nc_server_config_new_ssh_hostkey(TESTS_DIR "/data/server.key", NULL, ctx, "endpt", "hostkey", &tree);
+ ret = nc_server_config_new_ssh_hostkey(ctx, "endpt", "hostkey", TESTS_DIR "/data/server.key", NULL, &tree);
assert_int_equal(ret, 0);
- ret = nc_server_config_new_ssh_address_port("127.0.0.1", "10009", ctx, "endpt", &tree);
+ ret = nc_server_config_new_address_port(ctx, "endpt", NC_TI_LIBSSH, "127.0.0.1", "10009", &tree);
assert_int_equal(ret, 0);
- ret = nc_server_config_new_ssh_client_auth_pubkey(TESTS_DIR "/data/id_ed25519.pub", ctx, "endpt", "test_ed25519", "pubkey", &tree);
+ ret = nc_server_config_new_ssh_client_auth_pubkey(ctx, "endpt", "test_ed25519", "pubkey", TESTS_DIR "/data/id_ed25519.pub", &tree);
assert_int_equal(ret, 0);
/* configure the server based on the data */
diff --git a/tests/test_tls.c b/tests/test_tls.c
new file mode 100644
index 0000000..6693016
--- /dev/null
+++ b/tests/test_tls.c
@@ -0,0 +1,207 @@
+/**
+ * @file test_tls.c
+ * @author Roman Janota <janota@cesnet.cz>
+ * @brief libnetconf2 TLS authentication test
+ *
+ * @copyright
+ * Copyright (c) 2023 CESNET, z.s.p.o.
+ *
+ * This source code is licensed under BSD 3-Clause License (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://opensource.org/licenses/BSD-3-Clause
+ */
+
+#define _GNU_SOURCE
+
+#include <pthread.h>
+#include <setjmp.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <cmocka.h>
+
+#include "tests/config.h"
+
+#define NC_ACCEPT_TIMEOUT 2000
+#define NC_PS_POLL_TIMEOUT 2000
+
+struct ly_ctx *ctx;
+
+struct test_state {
+ pthread_barrier_t barrier;
+};
+
+static void *
+server_thread(void *arg)
+{
+ int ret;
+ NC_MSG_TYPE msgtype;
+ struct nc_session *session;
+ struct nc_pollsession *ps;
+ struct test_state *state = arg;
+
+ (void) arg;
+
+ ps = nc_ps_new();
+ assert_non_null(ps);
+
+ /* accept a session and add it to the poll session structure */
+ pthread_barrier_wait(&state->barrier);
+ msgtype = nc_accept(NC_ACCEPT_TIMEOUT, ctx, &session);
+ assert_int_equal(msgtype, NC_MSG_HELLO);
+
+ ret = nc_ps_add_session(ps, session);
+ assert_int_equal(ret, 0);
+
+ do {
+ ret = nc_ps_poll(ps, NC_PS_POLL_TIMEOUT, NULL);
+ assert_int_equal(ret & NC_PSPOLL_RPC, NC_PSPOLL_RPC);
+ } while (!(ret & NC_PSPOLL_SESSION_TERM));
+
+ nc_ps_clear(ps, 1, NULL);
+ nc_ps_free(ps);
+ nc_thread_destroy();
+ return NULL;
+}
+
+static void *
+client_thread(void *arg)
+{
+ int ret;
+ struct nc_session *session = NULL;
+ struct test_state *state = arg;
+
+ ret = nc_client_set_schema_searchpath(MODULES_DIR);
+ assert_int_equal(ret, 0);
+
+ /* set client cert */
+ ret = nc_client_tls_set_cert_key_paths(TESTS_DIR "/data/client.crt", TESTS_DIR "/data/client.key");
+ assert_int_equal(ret, 0);
+
+ /* set client ca */
+ ret = nc_client_tls_set_trusted_ca_paths(NULL, TESTS_DIR "/data");
+ assert_int_equal(ret, 0);
+
+ pthread_barrier_wait(&state->barrier);
+ session = nc_connect_tls("127.0.0.1", 10005, NULL);
+ assert_non_null(session);
+
+ nc_session_free(session, NULL);
+ nc_thread_destroy();
+ return NULL;
+}
+
+static void
+test_nc_tls(void **state)
+{
+ int ret, i;
+ pthread_t tids[2];
+
+ assert_non_null(state);
+
+ ret = pthread_create(&tids[0], NULL, client_thread, *state);
+ assert_int_equal(ret, 0);
+ ret = pthread_create(&tids[1], NULL, server_thread, *state);
+ assert_int_equal(ret, 0);
+
+ for (i = 0; i < 2; i++) {
+ pthread_join(tids[i], NULL);
+ }
+}
+
+static int
+setup_f(void **state)
+{
+ int ret;
+ struct lyd_node *tree = NULL;
+ struct test_state *test_state;
+
+ nc_verbosity(NC_VERB_VERBOSE);
+
+ /* init barrier */
+ test_state = malloc(sizeof *test_state);
+ assert_non_null(test_state);
+
+ ret = pthread_barrier_init(&test_state->barrier, NULL, 2);
+ assert_int_equal(ret, 0);
+
+ *state = test_state;
+
+ ret = ly_ctx_new(MODULES_DIR, 0, &ctx);
+ assert_int_equal(ret, 0);
+
+ ret = nc_server_init_ctx(&ctx);
+ assert_int_equal(ret, 0);
+
+ ret = nc_server_config_load_modules(&ctx);
+ assert_int_equal(ret, 0);
+
+ /* create new address and port data */
+ ret = nc_server_config_new_address_port(ctx, "endpt", NC_TI_OPENSSL, "127.0.0.1", "10005", &tree);
+ assert_int_equal(ret, 0);
+
+ /* create new server certificate data */
+ ret = nc_server_config_new_tls_server_certificate(ctx, "endpt", NULL, TESTS_DIR "/data/server.key", TESTS_DIR "/data/server.crt", &tree);
+ assert_int_equal(ret, 0);
+
+ /* create new end entity client cert data */
+ ret = nc_server_config_new_tls_client_certificate(ctx, "endpt", "client_cert", TESTS_DIR "/data/client.crt", &tree);
+ assert_int_equal(ret, 0);
+
+ /* create new client ca data */
+ ret = nc_server_config_new_tls_client_ca(ctx, "endpt", "client_ca", TESTS_DIR "/data/serverca.pem", &tree);
+ assert_int_equal(ret, 0);
+
+ ret = nc_server_config_new_tls_ctn(ctx, "endpt", 1,
+ "04:85:6B:75:D1:1A:86:E0:D8:FE:5B:BD:72:F5:73:1D:07:EA:32:BF:09:11:21:6A:6E:23:78:8E:B6:D5:73:C3:2D",
+ NC_TLS_CTN_SPECIFIED, "client", &tree);
+ assert_int_equal(ret, 0);
+
+ /* configure the server based on the data */
+ ret = nc_server_config_setup_diff(tree);
+ assert_int_equal(ret, 0);
+
+ /* initialize client */
+ nc_client_init();
+
+ ret = nc_server_init();
+ assert_int_equal(ret, 0);
+
+ lyd_free_all(tree);
+
+ return 0;
+}
+
+static int
+teardown_f(void **state)
+{
+ int ret = 0;
+ struct test_state *test_state;
+
+ assert_non_null(state);
+ test_state = *state;
+
+ ret = pthread_barrier_destroy(&test_state->barrier);
+ assert_int_equal(ret, 0);
+
+ free(*state);
+ nc_client_destroy();
+ nc_server_destroy();
+ ly_ctx_destroy(ctx);
+
+ return 0;
+}
+
+int
+main(void)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_nc_tls, setup_f, teardown_f),
+ };
+
+ setenv("CMOCKA_TEST_ABORT", "1", 1);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/tests/test_unix_socket.c b/tests/test_unix_socket.c
index deed6f9..ec48496 100644
--- a/tests/test_unix_socket.c
+++ b/tests/test_unix_socket.c
@@ -83,9 +83,13 @@
static void *
client_thread(void *arg)
{
+ int ret = 0;
struct nc_session *session = NULL;
struct test_state *state = arg;
+ ret = nc_client_set_schema_searchpath(MODULES_DIR);
+ assert_int_equal(ret, 0);
+
pthread_barrier_wait(&state->barrier);
session = nc_connect_unix("/tmp/nc2_test_unix_sock", NULL);
assert_non_null(session);