Radek Krejci | d0d1952 | 2015-09-02 13:49:25 +0200 | [diff] [blame] | 1 | /** |
| 2 | * \file libnetconf.h |
| 3 | * \author Radek Krejci <rkrejci@cesnet.cz> |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 4 | * \author Michal Vasko <mvasko@cesnet.cz> |
Radek Krejci | d0d1952 | 2015-09-02 13:49:25 +0200 | [diff] [blame] | 5 | * \brief libnetconf2 main internal header. |
| 6 | * |
| 7 | * Copyright (c) 2015 CESNET, z.s.p.o. |
| 8 | * |
Radek Krejci | 9b81f5b | 2016-02-24 13:14:49 +0100 | [diff] [blame] | 9 | * This source code is licensed under BSD 3-Clause License (the "License"). |
| 10 | * You may not use this file except in compliance with the License. |
| 11 | * You may obtain a copy of the License at |
Michal Vasko | afd416b | 2016-02-25 14:51:46 +0100 | [diff] [blame] | 12 | * |
Radek Krejci | 9b81f5b | 2016-02-24 13:14:49 +0100 | [diff] [blame] | 13 | * https://opensource.org/licenses/BSD-3-Clause |
Radek Krejci | d0d1952 | 2015-09-02 13:49:25 +0200 | [diff] [blame] | 14 | */ |
| 15 | |
| 16 | #ifndef NC_LIBNETCONF_H_ |
| 17 | #define NC_LIBNETCONF_H_ |
| 18 | |
| 19 | #include "config.h" |
Radek Krejci | 206fcd6 | 2015-10-07 15:42:48 +0200 | [diff] [blame] | 20 | #include "netconf.h" |
Radek Krejci | d0d1952 | 2015-09-02 13:49:25 +0200 | [diff] [blame] | 21 | #include "log_p.h" |
Radek Krejci | ac6d347 | 2015-10-22 15:47:18 +0200 | [diff] [blame] | 22 | #include "session_p.h" |
| 23 | #include "messages_p.h" |
Radek Krejci | ac6d347 | 2015-10-22 15:47:18 +0200 | [diff] [blame] | 24 | |
| 25 | /* Tests whether string is empty or non-empty. */ |
| 26 | #define strisempty(str) ((str)[0] == '\0') |
| 27 | #define strnonempty(str) ((str)[0] != '\0') |
Radek Krejci | d0d1952 | 2015-09-02 13:49:25 +0200 | [diff] [blame] | 28 | |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 29 | /** |
| 30 | * @mainpage About |
| 31 | * |
| 32 | * libnetconf2 is a NETCONF library in C handling NETCONF authentication and all NETCONF |
| 33 | * RPC communication both server and client-side. NETCONF datastore and session management is not a part of this library, |
| 34 | * but it helps a lot with the sessions. |
| 35 | * |
| 36 | * @section about-features Main Features |
| 37 | * |
| 38 | * - Creating SSH (using libssh) or TLS (using OpenSSL) authenticated NETCONF sessions. |
| 39 | * - Creating NETCONF sessions with a pre-established transport protocol |
| 40 | * (using this mechanism the communication can be tunneled through sshd(8), for instance). |
| 41 | * - Creating NETCONF Call Home sessions. |
| 42 | * - Creating, sending, receiving, and replying to RPCs. |
| 43 | * - Receiving notifications. |
| 44 | * |
| 45 | * - \todo Creating and sending notifications. |
| 46 | * |
| 47 | * @section about-license License |
| 48 | * |
| 49 | * Copyright (c) 2015-2016 CESNET, z.s.p.o. |
| 50 | * |
| 51 | * (The BSD 3-Clause License) |
| 52 | * |
| 53 | * Redistribution and use in source and binary forms, with or without |
| 54 | * modification, are permitted provided that the following conditions |
| 55 | * are met: |
| 56 | * 1. Redistributions of source code must retain the above copyright |
| 57 | * notice, this list of conditions and the following disclaimer. |
| 58 | * 2. Redistributions in binary form must reproduce the above copyright |
| 59 | * notice, this list of conditions and the following disclaimer in |
| 60 | * the documentation and/or other materials provided with the |
| 61 | * distribution. |
| 62 | * 3. Neither the name of the Company nor the names of its contributors |
| 63 | * may be used to endorse or promote products derived from this |
| 64 | * software without specific prior written permission. |
| 65 | */ |
| 66 | |
| 67 | /** |
| 68 | * @page howto How To ... |
| 69 | * |
| 70 | * - @subpage howtoinit |
| 71 | * - @subpage howtoclient |
| 72 | * - @subpage howtoserver |
| 73 | * - @subpage howtoclientcomm |
| 74 | * - @subpage howtoservercomm |
| 75 | */ |
| 76 | |
| 77 | /** |
| 78 | * @page howtoinit Init and Thread-safety Information |
| 79 | * |
Michal Vasko | c25921c | 2016-02-29 10:28:40 +0100 | [diff] [blame] | 80 | * Before working with the library, it must be initialized using nc_init(). |
| 81 | * Based on how the library was compiled, also libssh and/or libssh/libcrypto |
| 82 | * are initialized (for multi-threaded use) too. It is advised to compile |
| 83 | * libnetconf2, for instance, with TLS support even if you do not want to |
| 84 | * use lnc2 TLS functions, but only use libssl/libcrypto functions in your |
| 85 | * application. You can then use libnetconf2 cleanup function and do not |
| 86 | * trouble yourself with the cleanup. If you create |
| 87 | * only sessions with pre-established transport protocol (_inout functions), |
| 88 | * you do not need to call any init function at all, but there may be reachable |
| 89 | * dynamic memory after your application exits. |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 90 | * |
| 91 | * To prevent any reachable memory at the end of your application, there |
| 92 | * are complementary destroy functions available. If your application is |
| 93 | * multi-threaded, call the destroy functions in the last thread, after all |
| 94 | * the other threads have ended. In every other thread you should call |
| 95 | * nc_thread_destroy() just before it exits. |
| 96 | * |
| 97 | * If libnetconf2 is used in accordance with this information, there should |
| 98 | * not be memory leaks of any kind at program exit. For thread-safety details |
| 99 | * of libssh, libssl, and libcrypto please refer to the corresponding project |
| 100 | * documentation. libnetconf2 thread-safety information is below. |
| 101 | * |
| 102 | * Client is NOT thread-safe and there is no access control in the client |
| 103 | * functions at all. Server is MOSTLY thread-safe meaning you can set all the |
| 104 | * options simultaneously while listening for or accepting new sessions or |
| 105 | * polling the existing ones. It should even be safe to poll one session in |
| 106 | * several threads, but it is definitely discouraged. Generally, servers can |
| 107 | * use more threads without any problems as long as they keep their workflow sane |
| 108 | * (behavior such as freeing sessions only after no thread uses them or similar). |
| 109 | * |
| 110 | * Functions List |
| 111 | * -------------- |
| 112 | * |
| 113 | * Available in both __nc_client.h__ and __nc_server.h__. |
| 114 | * |
Michal Vasko | c25921c | 2016-02-29 10:28:40 +0100 | [diff] [blame] | 115 | * - nc_init() |
| 116 | * - nc_destroy() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 117 | * - nc_thread_destroy() |
| 118 | */ |
| 119 | |
| 120 | /** |
| 121 | * @page howtoclient Client sessions |
| 122 | * |
| 123 | * There are a lot of options for both an SSH and a TLS client. All of them |
| 124 | * have setters and getters so that there is no need to duplicate them in |
| 125 | * a client. |
| 126 | * |
| 127 | * SSH |
| 128 | * === |
| 129 | * |
| 130 | * It is mostly required to set any SSH options and then simply connect to |
| 131 | * a NETCONF server. Optionally, some authetication callbacks can be set, |
| 132 | * which are particulary useful in automated clients (passwords cannot be |
| 133 | * asked a user) or simply if any additional information is retrieved some |
| 134 | * other way than from standard terminal input. |
| 135 | * |
| 136 | * Afterwards, there are 2 functions to use for a new server connection |
| 137 | * and an additional one for creating a new SSH channel on an existing |
| 138 | * NETCONF session. The libssh variant enables to customize the SSH session |
| 139 | * in every way the libssh allows, although that should not normally be needed. |
| 140 | * |
| 141 | * Functions List |
| 142 | * -------------- |
| 143 | * |
| 144 | * Available in __nc_client.h__. |
| 145 | * |
| 146 | * - nc_client_ssh_set_auth_hostkey_check_clb() |
| 147 | * - nc_client_ssh_set_auth_password_clb() |
| 148 | * - nc_client_ssh_set_auth_interactive_clb() |
| 149 | * - nc_client_ssh_set_auth_privkey_passphrase_clb() |
| 150 | * - nc_client_ssh_add_keypair() |
| 151 | * - nc_client_ssh_del_keypair() |
| 152 | * - nc_client_ssh_get_keypair_count() |
| 153 | * - nc_client_ssh_get_keypair() |
| 154 | * - nc_client_ssh_set_auth_pref() |
| 155 | * - nc_client_ssh_get_auth_pref() |
| 156 | * - nc_client_ssh_set_username() |
| 157 | * - nc_client_ssh_get_username() |
| 158 | * |
| 159 | * - nc_connect_ssh() |
| 160 | * - nc_connect_libssh() |
| 161 | * - nc_connect_ssh_channel() |
| 162 | * |
| 163 | * |
| 164 | * TLS |
| 165 | * === |
| 166 | * |
| 167 | * With TLS authentication, is is mandatory to set the client certificate |
| 168 | * with a private key and additional trusted certificates and revocation lists. |
| 169 | * |
| 170 | * Then there are again 2 functions for connecting, the libssl variant enables |
| 171 | * to customize the TLS session in every way the libssl allows. |
| 172 | * |
| 173 | * Functions List |
| 174 | * -------------- |
| 175 | * |
| 176 | * Available in __nc_client.h__. |
| 177 | * |
| 178 | * - nc_client_tls_set_cert_key_paths() |
| 179 | * - nc_client_tls_get_cert_key_paths() |
| 180 | * - nc_client_tls_set_trusted_ca_paths() |
| 181 | * - nc_client_tls_get_trusted_ca_paths() |
| 182 | * - nc_client_tls_set_crl_paths() |
| 183 | * - nc_client_tls_get_crl_paths() |
| 184 | * |
| 185 | * - nc_connect_tls() |
| 186 | * - nc_connect_libssl() |
| 187 | * |
| 188 | * |
| 189 | * FD |
| 190 | * == |
| 191 | * |
| 192 | * If you authenticated the connection using some tunneling software, you |
| 193 | * can pass its file descriptors to libnetconf2, which will continue to |
| 194 | * establish a full NETCONF session. |
| 195 | * |
| 196 | * Funtions List |
| 197 | * ------------- |
| 198 | * |
| 199 | * Available in __nc_client.h__. |
| 200 | * |
| 201 | * - nc_connect_inout() |
| 202 | * |
| 203 | * |
| 204 | * Call Home |
| 205 | * ========= |
| 206 | * |
| 207 | * Call Home needs the same options set as standard SSH or TLS and the functions |
| 208 | * reflect it exactly. However, to accept a connection, the client must first |
| 209 | * specify addresses and ports, which to listen on. Then connections can be |
| 210 | * accepted. |
| 211 | * |
| 212 | * Functions List |
| 213 | * -------------- |
| 214 | * |
| 215 | * Available in __nc_client.h__. |
| 216 | * |
| 217 | * - nc_client_ssh_ch_set_auth_hostkey_check_clb() |
| 218 | * - nc_client_ssh_ch_set_auth_password_clb() |
| 219 | * - nc_client_ssh_ch_set_auth_interactive_clb() |
| 220 | * - nc_client_ssh_ch_set_auth_privkey_passphrase_clb() |
| 221 | * - nc_client_ssh_ch_add_bind_listen() |
| 222 | * - nc_client_ssh_ch_del_bind() |
| 223 | * - nc_client_ssh_ch_add_keypair() |
| 224 | * - nc_client_ssh_ch_del_keypair() |
| 225 | * - nc_client_ssh_ch_get_keypair_count() |
| 226 | * - nc_client_ssh_ch_get_keypair() |
| 227 | * - nc_client_ssh_ch_set_auth_pref() |
| 228 | * - nc_client_ssh_ch_get_auth_pref() |
| 229 | * - nc_client_ssh_ch_set_username() |
| 230 | * - nc_client_ssh_ch_get_username() |
| 231 | * |
| 232 | * - nc_client_tls_ch_add_bind_listen() |
| 233 | * - nc_client_tls_ch_del_bind() |
| 234 | * - nc_client_tls_ch_set_cert_key_paths() |
| 235 | * - nc_client_tls_ch_get_cert_key_paths() |
| 236 | * - nc_client_tls_ch_set_trusted_ca_paths() |
| 237 | * - nc_client_tls_ch_get_trusted_ca_paths() |
| 238 | * - nc_client_tls_ch_set_crl_paths() |
| 239 | * - nc_client_tls_ch_get_crl_paths() |
| 240 | * |
| 241 | * - nc_accept_callhome() |
| 242 | * |
| 243 | * |
| 244 | * Cleanup |
| 245 | * ======= |
| 246 | * |
| 247 | * These options and the schema searchpath are stored in dynamically |
| 248 | * allocated memory. To free it, destroy the client, it cleans up all |
| 249 | * the options |
| 250 | * |
| 251 | * Functions List |
| 252 | * -------------- |
| 253 | * |
| 254 | * Available in __nc_client.h__. |
| 255 | * |
| 256 | * - nc_client_destroy() |
| 257 | */ |
| 258 | |
| 259 | /** |
| 260 | * @page howtoserver Server sessions |
| 261 | * |
| 262 | * Init |
| 263 | * ==== |
| 264 | * |
| 265 | * Server has its own initialization function. With it, you set the |
| 266 | * server context, which determines what modules it supports and what |
| 267 | * capabilities to advertise. Few capabilities that cannot be learnt |
| 268 | * from the context are set with separate functions. So are several |
| 269 | * general options. |
| 270 | * |
| 271 | * Context does not only determine server modules, but its overall |
| 272 | * functionality as well. For every RPC the server should support, |
| 273 | * an nc_rpc_clb callback should be set on that node in the context. |
| 274 | * Server then calls these as appropriate [during poll](@ref howtoservercomm). |
| 275 | * |
| 276 | * Server options can be only set, there are no getters. |
| 277 | * |
| 278 | * Functions List |
| 279 | * -------------- |
| 280 | * |
| 281 | * Available in __nc_server.h__. |
| 282 | * |
| 283 | * - nc_server_init() |
| 284 | * - nc_server_set_capab_withdefaults() |
| 285 | * - nc_server_set_capab_interleave() |
| 286 | * - nc_server_set_hello_timeout() |
| 287 | * - nc_server_set_idle_timeout() |
| 288 | * |
| 289 | * |
| 290 | * SSH |
| 291 | * === |
| 292 | * |
| 293 | * To be able to accept SSH connections, an endpoint must be added |
| 294 | * and its options set. |
| 295 | * |
| 296 | * Functions List |
| 297 | * -------------- |
| 298 | * |
| 299 | * Available in __nc_server.h__. |
| 300 | * |
| 301 | * - nc_server_ssh_add_endpt_listen() |
| 302 | * - nc_server_ssh_endpt_set_address() |
| 303 | * - nc_server_ssh_endpt_set_port() |
| 304 | * - nc_server_ssh_del_endpt() |
| 305 | * |
| 306 | * - nc_server_ssh_endpt_set_hostkey() |
| 307 | * - nc_server_ssh_endpt_set_banner() |
| 308 | * - nc_server_ssh_endpt_set_auth_methods() |
| 309 | * - nc_server_ssh_endpt_set_auth_attempts() |
| 310 | * - nc_server_ssh_endpt_set_auth_timeout() |
| 311 | * - nc_server_ssh_endpt_add_authkey() |
| 312 | * - nc_server_ssh_endpt_del_authkey() |
| 313 | * |
| 314 | * |
| 315 | * TLS |
| 316 | * === |
| 317 | * |
| 318 | * TLS requires at least one endpoint too, but its options differ |
| 319 | * significantly from the SSH ones, especially in the cert-to-name |
| 320 | * options that TLS uses to derive usernames from client certificates. |
| 321 | * |
| 322 | * Functions List |
| 323 | * -------------- |
| 324 | * |
| 325 | * Available in __nc_server.h__. |
| 326 | * |
| 327 | * - nc_server_tls_add_endpt_listen() |
| 328 | * - nc_server_tls_endpt_set_address() |
| 329 | * - nc_server_tls_endpt_set_port() |
| 330 | * - nc_server_tls_del_endpt() |
| 331 | * |
| 332 | * - nc_server_tls_endpt_set_cert() |
| 333 | * - nc_server_tls_endpt_set_cert_path() |
| 334 | * - nc_server_tls_endpt_set_key() |
| 335 | * - nc_server_tls_endpt_set_key_path() |
| 336 | * - nc_server_tls_endpt_add_trusted_cert() |
| 337 | * - nc_server_tls_endpt_add_trusted_cert_path() |
| 338 | * - nc_server_tls_endpt_set_trusted_ca_paths() |
| 339 | * - nc_server_tls_endpt_clear_certs() |
| 340 | * - nc_server_tls_endpt_set_crl_paths() |
| 341 | * - nc_server_tls_endpt_clear_crls() |
| 342 | * - nc_server_tls_endpt_add_ctn() |
| 343 | * - nc_server_tls_endpt_del_ctn() |
| 344 | * |
| 345 | * FD |
| 346 | * == |
| 347 | * |
| 348 | * If you used a tunneling software, which does its own authentication, |
| 349 | * you can accept a NETCONF session on its file descriptors. |
| 350 | * |
| 351 | * Functions List |
| 352 | * -------------- |
| 353 | * |
| 354 | * Available in __nc_server.h__. |
| 355 | * |
| 356 | * - nc_accept_inout() |
| 357 | * |
| 358 | * |
| 359 | * Call Home |
| 360 | * ========= |
| 361 | * |
| 362 | * Call Home does not work with endpoints like standard sessions. |
| 363 | * The options must be reset manually after another Call Home session |
| 364 | * (with different options than the previous one) is to be established. |
| 365 | * Also, monitoring of these sessions is up to the application. |
| 366 | * |
| 367 | * Functions List |
| 368 | * -------------- |
| 369 | * |
| 370 | * Available in __nc_server.h__. |
| 371 | * |
| 372 | * - nc_connect_callhome_ssh() |
| 373 | * - nc_connect_callhome_tls() |
| 374 | * |
| 375 | * - nc_server_ssh_ch_set_hostkey() |
| 376 | * - nc_server_ssh_ch_set_banner() |
| 377 | * - nc_server_ssh_ch_set_auth_methods() |
| 378 | * - nc_server_ssh_ch_set_auth_attempts() |
| 379 | * - nc_server_ssh_ch_set_auth_timeout() |
| 380 | * - nc_server_ssh_ch_add_authkey() |
| 381 | * - nc_server_ssh_ch_del_authkey() |
| 382 | * - nc_server_ssh_ch_clear_opts() |
| 383 | * |
| 384 | * - nc_server_tls_ch_set_cert() |
| 385 | * - nc_server_tls_ch_set_cert_path() |
| 386 | * - nc_server_tls_ch_set_key() |
| 387 | * - nc_server_tls_ch_set_key_path() |
| 388 | * - nc_server_tls_ch_add_trusted_cert() |
| 389 | * - nc_server_tls_ch_add_trusted_cert_path() |
| 390 | * - nc_server_tls_ch_set_trusted_ca_paths() |
| 391 | * - nc_server_tls_ch_clear_certs() |
| 392 | * - nc_server_tls_ch_set_crl_paths() |
| 393 | * - nc_server_tls_ch_clear_crls() |
| 394 | * - nc_server_tls_ch_add_ctn() |
| 395 | * - nc_server_tls_ch_del_ctn() |
| 396 | * - nc_server_tls_ch_clear_opts() |
| 397 | * |
| 398 | * |
| 399 | * Connecting And Cleanup |
| 400 | * ====================== |
| 401 | * |
| 402 | * When accepting connections, all the endpoints are examined |
| 403 | * and the first with a pending connection is used. To remove all |
| 404 | * the endpoints and free any used dynamic memory, destroy the server. |
| 405 | * |
| 406 | * Functions List |
| 407 | * -------------- |
| 408 | * |
| 409 | * Available in __nc_server.h__. |
| 410 | * |
| 411 | * - nc_accept() |
| 412 | * |
| 413 | * - nc_server_destroy() |
| 414 | */ |
| 415 | |
| 416 | /** |
| 417 | * @page howtoclientcomm Client communication |
| 418 | * |
| 419 | * To send RPCs on a session, you simply create an RPC, send it, |
| 420 | * and then wait for a reply. If you are subscribed, there are 2 ways |
| 421 | * of receiving notifications. Either you wait for them the same way |
| 422 | * as for standard replies or you create a dispatcher that asynchronously |
| 423 | * (in a separate thread) reads notifications and passes them to your |
| 424 | * callback. |
| 425 | * |
| 426 | * Functions List |
| 427 | * -------------- |
| 428 | * |
| 429 | * Available in __nc_client.h__. |
| 430 | * |
| 431 | * - nc_rpc_generic() |
| 432 | * - nc_rpc_generic_xml() |
| 433 | * - nc_rpc_getconfig() |
| 434 | * - nc_rpc_edit() |
| 435 | * - nc_rpc_copy() |
| 436 | * - nc_rpc_delete() |
| 437 | * - nc_rpc_lock() |
| 438 | * - nc_rpc_unlock() |
| 439 | * - nc_rpc_get() |
| 440 | * - nc_rpc_kill() |
| 441 | * - nc_rpc_commit() |
| 442 | * - nc_rpc_discard() |
| 443 | * - nc_rpc_cancel() |
| 444 | * - nc_rpc_validate() |
| 445 | * - nc_rpc_getschema() |
| 446 | * - nc_rpc_subscribe() |
| 447 | * |
| 448 | * - nc_send_rpc() |
| 449 | * - nc_recv_reply() |
| 450 | * - nc_recv_notif() |
| 451 | * - nc_recv_notif_dispatch() |
| 452 | */ |
| 453 | |
| 454 | /** |
| 455 | * @page howtoservercomm Server communication |
| 456 | * |
| 457 | * Once at least one session is established, an nc_pollsession structure |
| 458 | * should be created, filled with the session and polled. Based on |
| 459 | * the return value from the poll further actions can be taken. More |
| 460 | * sessions can be polled at the same time. Any requests received on |
| 461 | * the sessions are [handled internally](@ref howtoserver). |
| 462 | * |
| 463 | * Functions List |
| 464 | * -------------- |
| 465 | * |
| 466 | * Available in __nc_client.h__. |
| 467 | * |
| 468 | * - nc_ps_new() |
| 469 | * - nc_ps_add_session() |
| 470 | * - nc_ps_del_session() |
| 471 | * - nc_ps_free() |
| 472 | * |
| 473 | * - nc_ps_poll() |
| 474 | * - nc_ps_clear() |
| 475 | * - nc_ps_accept_ssh_channel() |
| 476 | */ |
| 477 | |
Radek Krejci | d0d1952 | 2015-09-02 13:49:25 +0200 | [diff] [blame] | 478 | #endif /* NC_LIBNETCONF_H_ */ |