/**
 * @mainpage About
 *
 * libnetconf2 is a NETCONF library in C handling NETCONF authentication and all NETCONF
 * RPC communication both server and client-side. Note that NETCONF datastore implementation
 * is not a part of this library. The library supports both NETCONF 1.0
 * ([RFC 4741](https://tools.ietf.org/html/rfc4741)) as well as NETCONF 1.1
 * ([RFC 6241](https://tools.ietf.org/html/rfc6241)).
 *
 * @section about-features Main Features
 *
 * - Creating SSH ([RFC 4742](https://tools.ietf.org/html/rfc4742), [RFC 6242](https://tools.ietf.org/html/rfc6242)),
 *   using [libssh](https://www.libssh.org/), or TLS ([RFC 7589](https://tools.ietf.org/html/rfc7589)),
 *   using [OpenSSL](https://www.openssl.org/), authenticated NETCONF sessions.
 * - Creating NETCONF sessions with a pre-established transport protocol
 *   (using this mechanism the communication can be tunneled through sshd(8), for instance).
 * - Creating NETCONF Call Home sessions ([RFC 8071](https://tools.ietf.org/html/rfc8071)).
 * - Creating, sending, receiving, and replying to RPCs ([RFC 4741](https://tools.ietf.org/html/rfc4741),
 *   [RFC 6241](https://tools.ietf.org/html/rfc6241)).
 * - Creating, sending and receiving NETCONF Event Notifications ([RFC 5277](https://tools.ietf.org/html/rfc5277)).
 * - Configuring the NETCONF server based on the [ietf-netconf-server](https://datatracker.ietf.org/doc/html/draft-ietf-netconf-netconf-client-server-29) YANG module.
 *
 * @section about-license License
 *
 * Copyright (c) 2015-2021 CESNET, z.s.p.o.
 *
 * (The BSD 3-Clause License)
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 * 3. Neither the name of the Company nor the names of its contributors
 *    may be used to endorse or promote products derived from this
 *    software without specific prior written permission.
 */

/**
 * @page howto How To ...
 *
 * - @subpage howtoinit
 * - @subpage howtoclient
 * - @subpage howtoserver
 * - @subpage howtoclientcomm
 * - @subpage howtoservercomm
 * - @subpage howtotimeouts
 */

/**
 * @page howtoinit Init and Thread-safety Information
 *
 * Before working with the library, it must be initialized using ::nc_client_init()
 * and/or ::nc_server_init(). To prevent any reachable memory at the end of your
 * application, there are complementary destroy functions
 * (::nc_server_destroy() and ::nc_client_destroy()) available. If your
 * application is multi-threaded, call the destroy functions in the main thread,
 * after all the other threads have ended.
 *
 * If _libnetconf2_ is used in accordance with this information, there should
 * not be memory leaks of any kind at program exit. For thread-safety details
 * of _libssh_, _libssl_, and _libcrypto_, please refer to the corresponding project
 * documentation. _libnetconf2_ thread-safety information is below.
 *
 * Client
 * ------
 *
 * Optionally, a client can specify two alternative ways to get the schemas needed when connecting
 * to a server. The primary way is to read local files in the searchpath (and its subdirectories)
 * specified via ::nc_client_set_schema_searchpath(). Alternatively, _libnetconf2_ can use a callback
 * provided via ::nc_client_set_schema_callback(). If these ways do not succeed and the server
 * implements the NETCONF \<get-schema\> operation, the schema is retrieved from the server and stored
 * locally in the searchpath (if specified) for future use. If none of these methods succeeds in
 * loading a particular schema, the data from this schema are ignored during the communication with the
 * server.
 *
 * Besides the mentioned setters, there are many other @ref howtoclientssh "SSH", @ref howtoclienttls "TLS"
 * and @ref howtoclientch "Call Home" getter/setter functions to manipulate various settings. All these
 * settings are internally placed in a thread-specific context so they are independent and
 * initialized to the default values within each new thread. However, the context can be shared among
 * threads using the ::nc_client_get_thread_context() and ::nc_client_set_thread_context() functions. In such
 * a case, be careful and avoid concurrent execution of the mentioned setters/getters and the functions
 * creating connections (no matter if it is a standard NETCONF connection or Call Home).
 *
 * In the client, it is always thread-safe to work with a NETCONF session in a single thread since the client
 * settings are thread-specific as described above. Generally, one can access a session in several threads
 * as well but there is little incentive to do so.
 *
 * Server
 * ------
 *
 * The server is __FULLY__ thread-safe, meaning you can set all the (thread-shared, in contrast to the
 * client) options simultaneously while listening for or accepting new sessions or
 * polling the existing ones. It is even safe to poll one session in several
 * pollsession structures or one pollsession structure in several threads. Generally,
 * servers can use more threads without any problems as long as they keep their workflow sane
 * (behavior such as freeing sessions only after no thread uses them or similar).
 *
 * Functions List
 * --------------
 *
 * Available in __nc_client.h__.
 *
 * - ::nc_client_init()
 * - ::nc_client_destroy()
 *
 * - ::nc_client_set_schema_searchpath()
 * - ::nc_client_get_schema_searchpath()
 * - ::nc_client_set_schema_callback()
 * - ::nc_client_get_schema_callback()
 *
 * - ::nc_client_set_thread_context()
 * - ::nc_client_get_thread_context()
 *
 * Available in __nc_server.h__.
 *
 * - ::nc_server_init()
 * - ::nc_server_destroy()
 */

/**
 * @page howtoclient Client sessions
 *
 * To connect to a NETCONF server, a NETCONF session must be established,
 * which requires a working transport session. It is possible to create
 * NETCONF sessions with SSH (using _libssh_) or TLS (using _libssl/libcrypto_)
 * as the underlying transport protocol. It is also possible to establish
 * the transport protocol outside _libnetconf2_ and then provide its file
 * descriptors (FD) for full NETCONF session creation.
 *
 * There are a lot of options for both an SSH and a TLS client. All of them
 * have setters and getters so that there is no need to duplicate them in
 * a client.
 *
 * @anchor howtoclientssh
 * SSH
 * ===
 *
 * Connecting to a server using SSH does not strictly require setting any
 * options, there are sensible default values for all the basic ones.
 * Besides all the SSH options, some authentication callbacks can optionally be set,
 * which are particularly useful in automated clients (a user cannot be
 * asked for passwords) or simply if any additional information is retrieved some
 * other way than from standard terminal input.
 *
 * Having the default options or changing any unsuitable ones, there are 2 functions
 * to use for a new server connection. ::nc_connect_ssh() is the standard function
 * that creates sessions using the set options. If there are some options which
 * cannot be changed with the provided API, there is ::nc_connect_libssh() available.
 * It requires a _libssh_ session, in which all the SSH options can be modified
 * and even the connection established. This allows for full customization and
 * should fit any specific situation.
 *
 * New NETCONF sessions can also be created on existing authenticated SSH sessions.
 * A new SSH channel is needed, on which the NETCONF session is then created.
 * Use ::nc_connect_ssh_channel() for this purpose.
 *
 * Functions List
 * --------------
 *
 * Available in __nc_client.h__.
 *
 * - ::nc_client_ssh_set_auth_password_clb()
 * - ::nc_client_ssh_get_auth_password_clb()
 * - ::nc_client_ssh_set_auth_interactive_clb()
 * - ::nc_client_ssh_get_auth_interactive_clb()
 * - ::nc_client_ssh_set_auth_privkey_passphrase_clb()
 * - ::nc_client_ssh_get_auth_privkey_passphrase_clb()
 * - ::nc_client_ssh_add_keypair()
 * - ::nc_client_ssh_del_keypair()
 * - ::nc_client_ssh_get_keypair_count()
 * - ::nc_client_ssh_get_keypair()
 * - ::nc_client_ssh_set_auth_pref()
 * - ::nc_client_ssh_get_auth_pref()
 * - ::nc_client_ssh_set_username()
 * - ::nc_client_ssh_get_username()
 *
 * - ::nc_connect_ssh()
 * - ::nc_connect_libssh()
 * - ::nc_connect_ssh_channel()
 *
 * @anchor howtoclienttls
 * TLS
 * ===
 *
 * To connect to a server using TLS, some client identification
 * options must be set. The client must specify its certificate with a private key using
 * ::nc_client_tls_set_cert_key_paths(). Also, the Certificate Authority of
 * the server certificate must be considered trusted. Paths to all the trusted
 * CA certificates can be set by ::nc_client_tls_set_trusted_ca_paths().
 *
 * Then there are again 2 functions for connecting, ::nc_connect_tls() being
 * the standard way of connecting. ::nc_connect_libssl() again enables
 * customizing the TLS session in every way _libssl_ allows.
 *
 * Functions List
 * --------------
 *
 * Available in __nc_client.h__.
 *
 * - ::nc_client_tls_set_cert_key_paths()
 * - ::nc_client_tls_get_cert_key_paths()
 * - ::nc_client_tls_set_trusted_ca_paths()
 * - ::nc_client_tls_get_trusted_ca_paths()
 * - ::nc_client_tls_set_crl_paths()
 * - ::nc_client_tls_get_crl_paths()
 *
 * - ::nc_connect_tls()
 * - ::nc_connect_libssl()
 *
 *
 * FD and UNIX socket
 * ==================
 *
 * If you authenticated the connection using some tunneling software, you
 * can pass its file descriptors to _libnetconf2_ using ::nc_connect_inout(),
 * which will continue to establish a full NETCONF session. To connect locally
 * on a UNIX socket, avoiding all cryptography, use ::nc_connect_unix().
 *
 * Functions List
 * --------------
 *
 * Available in __nc_client.h__.
 *
 * - ::nc_connect_inout()
 * - ::nc_connect_unix()
 *
 *
 * @anchor howtoclientch
 * Call Home
 * =========
 *
 * Call Home needs the same options set as standard SSH or TLS and the functions
 * reflect it exactly. However, to accept a connection, the client must first
 * specify the addresses and ports to listen on using ::nc_client_ssh_ch_add_bind_listen()
 * and ::nc_client_tls_ch_add_bind_listen(). Then connections can be
 * accepted using ::nc_accept_callhome().
 *
 * Functions List
 * --------------
 *
 * Available in __nc_client.h__.
 *
 * - ::nc_client_ssh_ch_set_auth_password_clb()
 * - ::nc_client_ssh_ch_set_auth_interactive_clb()
 * - ::nc_client_ssh_ch_set_auth_privkey_passphrase_clb()
 * - ::nc_client_ssh_ch_add_bind_listen()
 * - ::nc_client_ssh_ch_del_bind()
 * - ::nc_client_ssh_ch_add_keypair()
 * - ::nc_client_ssh_ch_del_keypair()
 * - ::nc_client_ssh_ch_get_keypair_count()
 * - ::nc_client_ssh_ch_get_keypair()
 * - ::nc_client_ssh_ch_set_auth_pref()
 * - ::nc_client_ssh_ch_get_auth_pref()
 * - ::nc_client_ssh_ch_set_username()
 * - ::nc_client_ssh_ch_get_username()
 *
 * - ::nc_client_tls_ch_add_bind_listen()
 * - ::nc_client_tls_ch_del_bind()
 * - ::nc_client_tls_ch_set_cert_key_paths()
 * - ::nc_client_tls_ch_get_cert_key_paths()
 * - ::nc_client_tls_ch_set_trusted_ca_paths()
 * - ::nc_client_tls_ch_get_trusted_ca_paths()
 * - ::nc_client_tls_ch_set_crl_paths()
 * - ::nc_client_tls_ch_get_crl_paths()
 *
 * - ::nc_accept_callhome()
 *
 *
 * Cleanup
 * =======
 *
 * These options and the schema searchpath are stored in dynamically
 * allocated memory. They are freed as a part of [destroying the client](@ref howtoinit).
 */

/**
 * @page howtoserver Server sessions
 *
 * Init
 * ====
 *
 * The server must start with [initialization](@ref howtoinit). Its capabilities are
 * determined by the context used when accepting new NETCONF sessions. A few capabilities that
 * cannot be learnt from the context are set with the separate functions
 * ::nc_server_set_capab_withdefaults() and, generally, ::nc_server_set_capability().
 *
 * The context does not only determine the server modules, but its overall
 * functionality as well. For every RPC the server should support,
 * an nc_rpc_clb callback should be set on that node in the context using ::nc_set_rpc_callback().
 * The server then calls these as appropriate [during poll](@ref howtoservercomm).
 *
 * Just like in the [client](@ref howtoclient), you can let _libnetconf2_
 * establish the SSH or TLS transport or do it yourself and only provide the file
 * descriptors of the connection.
 *
 * To be able to accept any connections, the server must first be configured.
 *
 * Functions List
 * --------------
 *
 * Available in __nc_server.h__.
 *
 * - ::nc_server_set_capab_withdefaults()
 * - ::nc_server_set_capability()
 * - ::nc_server_endpt_count()
 * - ::nc_server_add_endpt_unix_socket_listen()
 * - ::nc_server_del_endpt_unix_socket()
 *
 * Server Configuration
 * ====================
 *
 * To successfully accept connections on a server, you first need to configure it.
 * The *libnetconf2* server natively supports the *ietf-netconf-server YANG* module.
 * This allows for greater scaling and flexibility of the *NETCONF* server.
 * By using *ietf-netconf-server YANG* data you can express network configurations
 * in a standardized and hierarchical format, enabling you to define complex network
 * structures with greater ease.
 *
 * The process of configuring a server is comprised of two steps. The first step is creating the
 * configuration data and the second is applying it. The server supports two forms of the configuration
 * data - *YANG data* and *YANG diff*.
 *
 * YANG data
 * ---------
 * Configuring the server using YANG data simplifies the management of network services.
 * With YANG data, you build a structured configuration tree and apply it as a whole.
 * This approach is user-friendly, allowing you to modify the configuration by adding or deleting nodes,
 * and then deploying the updated configuration tree in its entirety, providing a way to manage your server's settings.
 * The *libnetconf2* library exports API functions that can help you with the creation or deletion of the *YANG* data.
 *
 * YANG diff
 * ---------
 * YANG diff, enriched with operation attributes, offers advanced configuration control.
 * It empowers the user to make precise changes within the configuration tree,
 * enabling operations like specific node deletions, additions, and modifications.
 * On the other hand, unlike YANG data, YANG diff represents only a subtree of the
 * changes, expecting the whole configuration to be managed externally.
 * For example, this is done by the tool [sysrepo](https://www.sysrepo.org/).
 *
 * Usage
 * -----
 * To be able to configure the server, the required models first need to be implemented.
 * To do this, see ::nc_server_config_load_modules().
 * Not all of the *ietf-netconf-server* (and all of its associated modules) features are enabled.
 * If you wish to see which features are enabled, extract them from the context after calling the mentioned function.
 *
 * If you do not wish to create the __YANG data__ yourself, you may use the library's functions to do this for you.
 * For example, ::nc_server_config_add_address_port() creates __YANG data__ corresponding to an SSH/TLS endpoint.
 * You can then apply this data by calling ::nc_server_config_setup_data() (or ::nc_server_config_setup_diff() for a diff).
 * See *examples/server.c* for a simple example.
 *
 * You may also create entries in the keystore or truststore. For example, the asymmetric key and certificate entries
 * in the keystore can then be referenced as the SSH hostkeys or TLS server certificates, respectively.
 * As for the truststore, you may create public key and certificate entries, which can then be used
 * as SSH users' public keys or TLS server's end-entity/trust-anchor certificates, respectively.
 *
 * Functions List
 * --------------
 *
 * Available in __nc_server.h__.
 *
 * - ::nc_server_config_load_modules()
 * - ::nc_server_config_setup_diff()
 * - ::nc_server_config_setup_data()
 * - ::nc_server_config_setup_path()
 *
 * - ::nc_server_config_add_address_port()
 * - ::nc_server_config_del_endpt()
 * - ::nc_server_config_add_keystore_asym_key()
 * - ::nc_server_config_del_keystore_asym_key()
 * - ::nc_server_config_add_keystore_cert()
 * - ::nc_server_config_del_keystore_cert()
 * - ::nc_server_config_add_truststore_pubkey()
 * - ::nc_server_config_del_truststore_pubkey()
 * - ::nc_server_config_add_truststore_cert()
 * - ::nc_server_config_del_truststore_cert()
 *
 * SSH
 * ===
 *
 * To successfully accept an SSH session you must configure at least one host key.
 * You may create this data yourself or by using ::nc_server_config_add_ssh_hostkey().
 *
 * On top of that, each SSH endpoint can define its own authorized clients and their authentication methods.
 * For example, if you wish to create an SSH user that can authenticate using a password, use ::nc_server_config_add_ssh_user_password().
 * Another option for authorized clients is to reference another endpoint's clients, however be careful not to create a cyclic reference
 * (see ::nc_server_config_add_ssh_endpoint_client_ref()). An authorized client MUST authenticate to all of its configured authentication methods.
 *
 * \anchor ln2doc_pubkey
 * The Public Key authentication method is supported. If you wish to use this method, you need to specify the given user's
 * public keys, which will be compared with the key(s) presented by the SSH client when authenticating. One option is to configure
 * the public keys directly in the ietf-netconf-server YANG data (inline-definition). Another option is to configure the keys' data
 * in the ietf-truststore module's YANG data and then reference them (truststore-reference). The final option is to set the global
 * path to a file with public keys. This path may contain special tokens, see ::nc_server_ssh_set_authkey_path_format().
 * If the path is set and the use-system-keys container is present in the data for the client wishing to authenticate,
 * then the keys from the file will be used for authentication.
 *
 * \anchor ln2doc_kbdint
 * The Keyboard Interactive authentication method is also supported. It can be done in three ways.
 * If libpam is found, Linux PAM is used to handle the authentication. You need to specify the service name using ::nc_server_ssh_set_pam_conf_filename().
 * Otherwise, if the standard functions for accessing local users are found on the system, they are used. The only Keyboard Interactive challenge will be the given
 * user's password (that is, if the user is found on the system).
 * Either way, you can always define your own callback to perform the authentication, see ::nc_server_ssh_set_interactive_auth_clb().
 * The callback has a higher priority than the other two methods.
 *
 * There are also some other optional settings.
Roytak | 09e426c | 2023-09-29 15:25:55 +0200 | [diff] [blame] | 412 | * |
| 413 | * Functions List |
| 414 | * -------------- |
| 415 | * |
| 416 | * Available in __nc_server.h__. |
| 417 | * |
Roytak | b279485 | 2023-10-18 14:30:22 +0200 | [diff] [blame] | 418 | * - ::nc_server_config_add_ssh_hostkey() |
| 419 | * - ::nc_server_config_del_ssh_hostkey() |
roman | d348b94 | 2023-10-13 14:32:19 +0200 | [diff] [blame] | 420 | * - ::nc_server_config_add_ssh_keystore_ref() |
| 421 | * - ::nc_server_config_del_ssh_keystore_ref() |
Roytak | 09e426c | 2023-09-29 15:25:55 +0200 | [diff] [blame] | 422 | * |
Roytak | b279485 | 2023-10-18 14:30:22 +0200 | [diff] [blame] | 423 | * - ::nc_server_config_add_ssh_user_pubkey() |
| 424 | * - ::nc_server_config_del_ssh_user_pubkey() |
| 425 | * - ::nc_server_config_add_ssh_user_password() |
| 426 | * - ::nc_server_config_del_ssh_user_password() |
| 427 | * - ::nc_server_config_add_ssh_user_interactive() |
| 428 | * - ::nc_server_config_del_ssh_user_interactive() |
| 429 | * - ::nc_server_config_del_ssh_user() |
roman | d348b94 | 2023-10-13 14:32:19 +0200 | [diff] [blame] | 430 | * - ::nc_server_config_add_ssh_truststore_ref() |
| 431 | * - ::nc_server_config_del_ssh_truststore_ref() |
Roytak | b279485 | 2023-10-18 14:30:22 +0200 | [diff] [blame] | 432 | * - ::nc_server_config_add_ssh_endpoint_client_ref() |
| 433 | * - ::nc_server_config_del_ssh_endpoint_client_ref() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 434 | * |
roman | b329fef | 2023-12-21 16:11:06 +0100 | [diff] [blame] | 435 | * - ::nc_server_ssh_set_authkey_path_format() |
roman | 5056697 | 2023-11-30 16:41:25 +0100 | [diff] [blame] | 436 | * - ::nc_server_ssh_set_pam_conf_filename() |
| 437 | * - ::nc_server_ssh_set_interactive_auth_clb() |
| 438 | * |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 439 | * TLS |
| 440 | * === |
| 441 | * |
Michal Vasko | 15b7a98 | 2016-03-02 10:53:31 +0100 | [diff] [blame] | 442 | * TLS works with endpoints too, but its options differ |
| 443 | * significantly from the SSH ones, especially in the _cert-to-name_ |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 444 | * options that TLS uses to derive usernames from client certificates. |
Michal Vasko | 15b7a98 | 2016-03-02 10:53:31 +0100 | [diff] [blame] | 445 | * |
Roytak | 09e426c | 2023-09-29 15:25:55 +0200 | [diff] [blame] | 446 | * If you wish to listen on a TLS endpoint, you need to configure the endpoint's |
roman | e6ec60e | 2023-10-19 15:21:52 +0200 | [diff] [blame] | 447 | * server certificate (see ::nc_server_config_add_tls_server_cert()). |
Roytak | 09e426c | 2023-09-29 15:25:55 +0200 | [diff] [blame] | 448 | * |
| 449 | * To accept client certificates, they must first be trusted. |
| 450 | * For each TLS endpoint you may configure two types of client certificates. |
| 451 | * The first type are end-entity (client) certificates, which belong |
| 452 | * to specific clients and are trusted individually. |
| 453 | * The second type are trust-anchor (certificate authority) certificates, |
| 454 | * which convey trust to the certificates they have issued (a chain of trust). |
| 455 | * Another option is to reference another TLS endpoint's end-entity certificates, but be careful not to create a cyclic reference |
Roytak | b279485 | 2023-10-18 14:30:22 +0200 | [diff] [blame] | 456 | * (see ::nc_server_config_add_tls_endpoint_client_ref()). |
Michal Vasko | 15b7a98 | 2016-03-02 10:53:31 +0100 | [diff] [blame] | 457 | * |
| 458 | * Then, from each trusted client certificate a username must be derived |
| 459 | * for the NETCONF session. This is accomplished by finding a matching |
Roytak | 09e426c | 2023-09-29 15:25:55 +0200 | [diff] [blame] | 460 | * _cert-to-name_ entry. |
Michal Vasko | 15b7a98 | 2016-03-02 10:53:31 +0100 | [diff] [blame] | 461 | * |
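As an added example (not libnetconf2's implementation), here is the cert-to-name lookup as RFC 7407 defines it, in C: entries are walked in id order, an entry applies when its fingerprint matches the client certificate or a CA in its chain, and the map-type decides where the username comes from. Fingerprints are assumed to be precomputed canonical hex strings whose first octet names the hash algorithm, skipping an entry whose map-type yields no name is this example's choice, and all entries and certificates are constructed.

```c
// Added example, not libnetconf2 code: deriving the NETCONF username from a
// client certificate with cert-to-name entries as defined in RFC 7407. The
// fingerprints are assumed to be precomputed canonical hex strings whose first
// octet names the hash algorithm (05 = SHA-256); every value here is constructed.
#include <stddef.h>
#include <string.h>

enum ctn_map { CTN_SPECIFIED, CTN_SAN_RFC822, CTN_SAN_DNS, CTN_SAN_IP, CTN_SAN_ANY, CTN_COMMON_NAME };

struct ctn_entry {
    unsigned id;              // entries are evaluated in ascending id order
    const char *fingerprint;  // of the client certificate or of a CA in its chain
    enum ctn_map map_type;
    const char *name;         // used only with CTN_SPECIFIED
};

struct client_cert {
    const char *chain_fp[4];  // leaf first, then the issuing CAs; NULL-terminated
    const char *common_name;
    const char *san_rfc822;
    const char *san_dns;
    const char *san_ip;
};

// Constructed configuration: the lower id gives one specific client a fixed
// name; the CA entry maps every other certificate the CA issued to its DNS SAN.
const struct ctn_entry CTN_ENTRIES[] = {
    { 1, "05:BB:22:CC:33", CTN_SPECIFIED, "admin" },
    { 2, "05:AA:11:EE:44", CTN_SAN_DNS,   NULL },
};
const size_t CTN_ENTRIES_N = sizeof CTN_ENTRIES / sizeof CTN_ENTRIES[0];

// Constructed client certificates (chain fingerprints, CN, SANs).
const struct client_cert CERT_ADMIN  = { { "05:BB:22:CC:33", "05:AA:11:EE:44" }, "Alice Admin", "alice@example.net", "mgmt1.example.net", NULL };
const struct client_cert CERT_ROUTER = { { "05:CC:33:DD:55", "05:AA:11:EE:44" }, "router1", NULL, "router1.example.net", NULL };
const struct client_cert CERT_NO_SAN = { { "05:DD:44:FF:66", "05:AA:11:EE:44" }, "legacy-box", NULL, NULL, "192.0.2.7" };
const struct client_cert CERT_OTHER  = { { "05:EE:55:00:77", "05:99:88:77:66" }, "unknown", NULL, "router1.example.net", NULL };

static int chain_has_fp(const struct client_cert *c, const char *fp)
{
    for (size_t i = 0; i < 4 && c->chain_fp[i]; i++)
        if (!strcmp(c->chain_fp[i], fp)) return 1;
    return 0;
}

static const char *map_name(const struct client_cert *c, const struct ctn_entry *e)
{
    switch (e->map_type) {
    case CTN_SPECIFIED:   return e->name;
    case CTN_SAN_RFC822:  return c->san_rfc822;
    case CTN_SAN_DNS:     return c->san_dns;
    case CTN_SAN_IP:      return c->san_ip;
    case CTN_SAN_ANY:     // first present of rfc822Name, dNSName, iPAddress
        return c->san_rfc822 ? c->san_rfc822 : c->san_dns ? c->san_dns : c->san_ip;
    case CTN_COMMON_NAME: return c->common_name;
    }
    return NULL;
}

// Walks the entries in ascending id order (whatever their array order); the
// first one whose fingerprint is found in the chain and whose map-type yields
// a name decides the username. NULL means no mapping exists and the session
// must be rejected.
const char *ctn_username(const struct ctn_entry *entries, size_t n, const struct client_cert *c)
{
    const struct ctn_entry *last = NULL;
    for (;;) {
        const struct ctn_entry *next = NULL;
        for (size_t i = 0; i < n; i++)
            if ((!last || entries[i].id > last->id) && (!next || entries[i].id < next->id))
                next = &entries[i];
        if (!next) return NULL;
        if (chain_has_fp(c, next->fingerprint)) {
            const char *name = map_name(c, next);
            if (name && *name) return name;
        }
        last = next;
    }
}
```

Two points the sample data illustrates: entry order is significant, so a `specified` mapping for one client must get a lower id than the CA entry that would otherwise catch it, and a certificate from a CA that no entry names yields no username however plausible its SAN looks, so that session is rejected.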
Roytak | 09e426c | 2023-09-29 15:25:55 +0200 | [diff] [blame] | 462 | * There are some further options. For example, you can configure the TLS |
roman | d348b94 | 2023-10-13 14:32:19 +0200 | [diff] [blame] | 463 | * version and ciphers to be used. You may also choose to use a Certificate |
roman | e6ec60e | 2023-10-19 15:21:52 +0200 | [diff] [blame] | 464 | * Revocation List. |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 465 | * |
| 466 | * Functions List |
| 467 | * -------------- |
| 468 | * |
| 469 | * Available in __nc_server.h__. |
| 470 | * |
roman | e6ec60e | 2023-10-19 15:21:52 +0200 | [diff] [blame] | 471 | * - ::nc_server_config_add_tls_server_cert() |
| 472 | * - ::nc_server_config_del_tls_server_cert() |
roman | d348b94 | 2023-10-13 14:32:19 +0200 | [diff] [blame] | 473 | * - ::nc_server_config_add_tls_keystore_ref() |
| 474 | * - ::nc_server_config_del_tls_keystore_ref() |
Michal Vasko | d31b76e | 2017-02-15 12:18:06 +0100 | [diff] [blame] | 475 | * |
roman | e6ec60e | 2023-10-19 15:21:52 +0200 | [diff] [blame] | 476 | * - ::nc_server_config_add_tls_client_cert() |
| 477 | * - ::nc_server_config_del_tls_client_cert() |
roman | d348b94 | 2023-10-13 14:32:19 +0200 | [diff] [blame] | 478 | * - ::nc_server_config_add_tls_client_cert_truststore_ref() |
| 479 | * - ::nc_server_config_del_tls_client_cert_truststore_ref() |
roman | e6ec60e | 2023-10-19 15:21:52 +0200 | [diff] [blame] | 480 | * - ::nc_server_config_add_tls_ca_cert() |
| 481 | * - ::nc_server_config_del_tls_ca_cert() |
| 482 | * - ::nc_server_config_add_tls_ca_cert_truststore_ref() |
| 483 | * - ::nc_server_config_del_tls_ca_cert_truststore_ref() |
Roytak | b279485 | 2023-10-18 14:30:22 +0200 | [diff] [blame] | 484 | * - ::nc_server_config_add_tls_endpoint_client_ref() |
| 485 | * - ::nc_server_config_del_tls_endpoint_client_ref() |
| 486 | * - ::nc_server_config_add_tls_ctn() |
| 487 | * - ::nc_server_config_del_tls_ctn() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 488 | * |
| 489 | * FD |
| 490 | * == |
| 491 | * |
| 492 | * If you use tunneling software that does its own authentication, |
Michal Vasko | 15b7a98 | 2016-03-02 10:53:31 +0100 | [diff] [blame] | 493 | * you can accept a NETCONF session on its file descriptors with |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 494 | * ::nc_accept_inout(). |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 495 | * |
| 496 | * Functions List |
| 497 | * -------------- |
| 498 | * |
| 499 | * Available in __nc_server.h__. |
| 500 | * |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 501 | * - ::nc_accept_inout() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 502 | * |
| 503 | * |
| 504 | * Call Home |
| 505 | * ========= |
| 506 | * |
Michal Vasko | d31b76e | 2017-02-15 12:18:06 +0100 | [diff] [blame] | 507 | * _Call Home_ works with endpoints just like standard sessions, but |
| 508 | * the options are organized a bit differently and endpoints are added |
roman | 450c00b | 2023-11-02 10:31:45 +0100 | [diff] [blame] | 509 | * for CH clients. |
| 510 | * You may choose one of two approaches for creating a new Call Home |
| 511 | * session (that is, making the server connect to a client). |
| 512 | * The first is to set all the required callbacks |
| 513 | * by calling ::nc_server_ch_set_dispatch_data(). Once the callbacks are set, |
| 514 | * the server automatically starts connecting to a client whenever |
| 515 | * a new Call Home client is created. |
| 516 | * The second approach is to create the Call Home thread manually. |
| 517 | * To do this, you need to call ::nc_connect_ch_client_dispatch(), |
| 518 | * which creates a new thread in which the server starts connecting. |
Roytak | 09e426c | 2023-09-29 15:25:55 +0200 | [diff] [blame] | 519 | * Unix socket _Call Home_ sessions are not supported. |
Michal Vasko | d31b76e | 2017-02-15 12:18:06 +0100 | [diff] [blame] | 520 | * |
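As an added example (not libnetconf2 code) of the Call Home timing rules from RFC 8071 that the period, anchor-time and reconnect-strategy functions below configure, this C snippet computes when a periodic connection is next due and walks a reconnect strategy's endpoint list with a per-endpoint max-attempts. Connect attempts go through a caller-supplied function so the logic runs offline; endpoint names and counters are constructed.

```c
// Added example, not libnetconf2 code: two timing rules of a Call Home client
// as this example reads RFC 8071. ch_next_periodic() applies the period and
// anchor-time of a periodic connection; ch_reconnect() walks the endpoint list
// of a reconnect strategy, giving each endpoint max-attempts tries before moving
// to the next. Connect attempts are simulated through a caller-supplied
// function; the endpoint names and counts are constructed.
#include <stddef.h>
#include <string.h>
#include <time.h>

// Periodic connections are due at anchor + k*period (k any integer, period in
// minutes). Returns the first such instant that is not before now.
time_t ch_next_periodic(time_t now, time_t anchor, unsigned period_min)
{
    long long period = (long long)period_min * 60;
    if (period <= 0) return now;                      // no period: connect immediately
    long long delta = (long long)now - (long long)anchor;
    long long k = delta <= 0 ? -((-delta) / period)          // anchor still ahead: step back
                             : (delta + period - 1) / period; // anchor passed: step up
    return (time_t)((long long)anchor + k * period);
}

typedef int (*ch_try_fn)(const char *endpt, void *arg);   // returns 1 when connected

// Tries the endpoints in list order starting at start_idx (first-listed or
// last-connected, per start-with), wrapping around, each up to max_attempts
// times. Returns the index of the endpoint that connected, or -1 if all failed.
int ch_reconnect(const char *const *endpts, size_t n, size_t start_idx,
                 unsigned max_attempts, ch_try_fn try_fn, void *arg)
{
    if (!n) return -1;
    for (size_t i = 0; i < n; i++) {
        size_t idx = (start_idx + i) % n;
        for (unsigned a = 0; a < max_attempts; a++)
            if (try_fn(endpts[idx], arg)) return (int)idx;
    }
    return -1;
}

// Constructed stand-in for a TCP/SSH/TLS connect: only good_endpt ever answers,
// and only from the good_after-th overall attempt on.
struct sim_state { unsigned calls; const char *good_endpt; unsigned good_after; };

int sim_try(const char *endpt, void *arg)
{
    struct sim_state *s = arg;
    s->calls++;
    return s->calls >= s->good_after && !strcmp(endpt, s->good_endpt);
}
```

Because the anchor may lie in the past or the future, the schedule is computed as a whole multiple of the period measured from the anchor in either direction; a reconnect that exhausts every endpoint returns -1, which is the point at which a persistent client would back off for max-wait and start over.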
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 521 | * Functions List |
| 522 | * -------------- |
| 523 | * |
| 524 | * Available in __nc_server.h__. |
| 525 | * |
Roytak | b279485 | 2023-10-18 14:30:22 +0200 | [diff] [blame] | 526 | * - ::nc_server_config_add_ch_address_port() |
| 527 | * - ::nc_server_config_del_ch_client() |
| 528 | * - ::nc_server_config_del_ch_endpt() |
| 529 | * - ::nc_server_config_add_ch_persistent() |
| 530 | * - ::nc_server_config_add_ch_period() |
| 531 | * - ::nc_server_config_del_ch_period() |
| 532 | * - ::nc_server_config_add_ch_anchor_time() |
| 533 | * - ::nc_server_config_del_ch_anchor_time() |
| 534 | * - ::nc_server_config_add_ch_idle_timeout() |
| 535 | * - ::nc_server_config_del_ch_idle_timeout() |
| 536 | * - ::nc_server_config_add_ch_reconnect_strategy() |
| 537 | * - ::nc_server_config_del_ch_reconnect_strategy() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 538 | * |
Roytak | b279485 | 2023-10-18 14:30:22 +0200 | [diff] [blame] | 539 | * - ::nc_server_config_add_ch_ssh_hostkey() |
| 540 | * - ::nc_server_config_del_ch_ssh_hostkey() |
roman | d348b94 | 2023-10-13 14:32:19 +0200 | [diff] [blame] | 541 | * - ::nc_server_config_add_ch_ssh_keystore_ref() |
| 542 | * - ::nc_server_config_del_ch_ssh_keystore_ref() |
Roytak | b279485 | 2023-10-18 14:30:22 +0200 | [diff] [blame] | 543 | * - ::nc_server_config_add_ch_ssh_user_pubkey() |
| 544 | * - ::nc_server_config_del_ch_ssh_user_pubkey() |
| 545 | * - ::nc_server_config_add_ch_ssh_user_password() |
| 546 | * - ::nc_server_config_del_ch_ssh_user_password() |
| 547 | * - ::nc_server_config_add_ch_ssh_user_interactive() |
| 548 | * - ::nc_server_config_del_ch_ssh_user_interactive() |
| 549 | * - ::nc_server_config_del_ch_ssh_user() |
roman | d348b94 | 2023-10-13 14:32:19 +0200 | [diff] [blame] | 550 | * - ::nc_server_config_add_ch_ssh_truststore_ref() |
| 551 | * - ::nc_server_config_del_ch_ssh_truststore_ref() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 552 | * |
roman | e6ec60e | 2023-10-19 15:21:52 +0200 | [diff] [blame] | 553 | * - ::nc_server_config_add_ch_tls_server_cert() |
| 554 | * - ::nc_server_config_del_ch_tls_server_cert() |
roman | d348b94 | 2023-10-13 14:32:19 +0200 | [diff] [blame] | 555 | * - ::nc_server_config_add_ch_tls_keystore_ref() |
| 556 | * - ::nc_server_config_del_ch_tls_keystore_ref() |
roman | e6ec60e | 2023-10-19 15:21:52 +0200 | [diff] [blame] | 557 | * - ::nc_server_config_add_ch_tls_client_cert() |
| 558 | * - ::nc_server_config_del_ch_tls_client_cert() |
roman | d348b94 | 2023-10-13 14:32:19 +0200 | [diff] [blame] | 559 | * - ::nc_server_config_add_ch_tls_client_cert_truststore_ref() |
| 560 | * - ::nc_server_config_del_ch_tls_client_cert_truststore_ref() |
roman | e6ec60e | 2023-10-19 15:21:52 +0200 | [diff] [blame] | 561 | * - ::nc_server_config_add_ch_tls_ca_cert() |
| 562 | * - ::nc_server_config_del_ch_tls_ca_cert() |
| 563 | * - ::nc_server_config_add_ch_tls_ca_cert_truststore_ref() |
| 564 | * - ::nc_server_config_del_ch_tls_ca_cert_truststore_ref() |
Roytak | b279485 | 2023-10-18 14:30:22 +0200 | [diff] [blame] | 565 | * - ::nc_server_config_add_ch_tls_ctn() |
| 566 | * - ::nc_server_config_del_ch_tls_ctn() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 567 | * |
| 568 | * Connecting And Cleanup |
| 569 | * ====================== |
| 570 | * |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 571 | * When accepting connections with ::nc_accept(), all the endpoints are examined |
Michal Vasko | d31b76e | 2017-02-15 12:18:06 +0100 | [diff] [blame] | 572 | * and the first with a pending connection is used. To remove all CH clients, |
| 573 | * endpoints, and free any used dynamic memory, [destroy](@ref howtoinit) the server. |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 574 | * |
| 575 | * Functions List |
| 576 | * -------------- |
| 577 | * |
| 578 | * Available in __nc_server.h__. |
| 579 | * |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 580 | * - ::nc_accept() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 581 | */ |
| 582 | |
| 583 | /** |
| 584 | * @page howtoclientcomm Client communication |
| 585 | * |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 586 | * To send RPCs on a session, you simply create an RPC, send it using ::nc_send_rpc(), |
| 587 | * and then wait for a reply using ::nc_recv_reply(). If you are subscribed, there are two ways |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 588 | * of receiving notifications. Either you wait for them the same way |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 589 | * as for standard replies with ::nc_recv_notif() or you create a dispatcher |
| 590 | * with ::nc_recv_notif_dispatch() that asynchronously (in a separate thread) |
Michal Vasko | 15b7a98 | 2016-03-02 10:53:31 +0100 | [diff] [blame] | 591 | * reads notifications and passes them to your callback. |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 592 | * |
| 593 | * Functions List |
| 594 | * -------------- |
| 595 | * |
| 596 | * Available in __nc_client.h__. |
| 597 | * |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 598 | * - ::nc_rpc_act_generic() |
| 599 | * - ::nc_rpc_act_generic_xml() |
| 600 | * - ::nc_rpc_getconfig() |
| 601 | * - ::nc_rpc_edit() |
| 602 | * - ::nc_rpc_copy() |
| 603 | * - ::nc_rpc_delete() |
| 604 | * - ::nc_rpc_lock() |
| 605 | * - ::nc_rpc_unlock() |
| 606 | * - ::nc_rpc_get() |
| 607 | * - ::nc_rpc_kill() |
| 608 | * - ::nc_rpc_commit() |
| 609 | * - ::nc_rpc_discard() |
| 610 | * - ::nc_rpc_cancel() |
| 611 | * - ::nc_rpc_validate() |
| 612 | * - ::nc_rpc_getschema() |
| 613 | * - ::nc_rpc_subscribe() |
| 614 | * - ::nc_rpc_getdata() |
| 615 | * - ::nc_rpc_editdata() |
| 616 | * - ::nc_rpc_establishsub() |
| 617 | * - ::nc_rpc_modifysub() |
| 618 | * - ::nc_rpc_deletesub() |
| 619 | * - ::nc_rpc_killsub() |
| 620 | * - ::nc_rpc_establishpush_periodic() |
| 621 | * - ::nc_rpc_establishpush_onchange() |
| 622 | * - ::nc_rpc_modifypush_periodic() |
| 623 | * - ::nc_rpc_modifypush_onchange() |
| 624 | * - ::nc_rpc_resyncsub() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 625 | * |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 626 | * - ::nc_send_rpc() |
| 627 | * - ::nc_recv_reply() |
| 628 | * - ::nc_recv_notif() |
| 629 | * - ::nc_recv_notif_dispatch() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 630 | */ |
| 631 | |
| 632 | /** |
| 633 | * @page howtoservercomm Server communication |
| 634 | * |
| 635 | * Once at least one session is established, an nc_pollsession structure |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 636 | * should be created with ::nc_ps_new(), filled with the session using |
| 637 | * ::nc_ps_add_session() and finally polled with ::nc_ps_poll(). Based on |
Michal Vasko | 15b7a98 | 2016-03-02 10:53:31 +0100 | [diff] [blame] | 638 | * the return value from the poll, further actions can be taken. More |
| 639 | * sessions can be polled at the same time and any requests received on |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 640 | * the sessions are [handled internally](@ref howtoserver). |
| 641 | * |
Michal Vasko | 15b7a98 | 2016-03-02 10:53:31 +0100 | [diff] [blame] | 642 | * If an SSH NETCONF session asks for a new channel, you can accept |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 643 | * this request with ::nc_ps_accept_ssh_channel() or ::nc_session_accept_ssh_channel() |
Michal Vasko | 3a889fd | 2016-09-30 12:16:37 +0200 | [diff] [blame] | 644 | * depending on the structure you want to use as the argument. |
Michal Vasko | 15b7a98 | 2016-03-02 10:53:31 +0100 | [diff] [blame] | 645 | * |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 646 | * Functions List |
| 647 | * -------------- |
| 648 | * |
Michal Vasko | 15b7a98 | 2016-03-02 10:53:31 +0100 | [diff] [blame] | 649 | * Available in __nc_server.h__. |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 650 | * |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 651 | * - ::nc_ps_new() |
| 652 | * - ::nc_ps_add_session() |
| 653 | * - ::nc_ps_del_session() |
| 654 | * - ::nc_ps_session_count() |
| 655 | * - ::nc_ps_free() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 656 | * |
Michal Vasko | 4e6d324 | 2021-05-26 09:13:24 +0200 | [diff] [blame] | 657 | * - ::nc_ps_poll() |
| 658 | * - ::nc_ps_clear() |
| 659 | * - ::nc_ps_accept_ssh_channel() |
| 660 | * - ::nc_session_accept_ssh_channel() |
Michal Vasko | fdfd9dd | 2016-02-29 10:18:46 +0100 | [diff] [blame] | 661 | */ |
| 662 | |
Michal Vasko | ee087c6 | 2017-02-15 11:27:16 +0100 | [diff] [blame] | 663 | /** |
| 664 | * @page howtotimeouts Timeouts |
| 665 | * |
| 666 | * There are several timeouts which are used throughout _libnetconf2_ to |
| 667 | * assure that it will never indefinitely hang on any operation. Normally, |
Roytak | 09e426c | 2023-09-29 15:25:55 +0200 | [diff] [blame] | 668 | * you should not need to worry about them much because they are set by |
Michal Vasko | ee087c6 | 2017-02-15 11:27:16 +0100 | [diff] [blame] | 669 | * default to reasonable values for common systems. However, if your |
| 670 | * platform is not common (embedded, ...), adjusting these timeouts may |
| 671 | * save a lot of debugging and time. |
| 672 | * |
| 673 | * Compile Options |
| 674 | * --------------- |
| 675 | * |
| 676 | * You can adjust active and inactive read timeout using `cmake` variables. |
| 677 | * For details look into `README.md`. |
| 678 | * |
roman | eaf84c7 | 2023-10-19 14:38:05 +0200 | [diff] [blame] | 679 | * Configurable timeouts |
| 680 | * --------------------- |
Michal Vasko | ee087c6 | 2017-02-15 11:27:16 +0100 | [diff] [blame] | 681 | * |
| 682 | * Once a new connection is established, including the transport protocol negotiations, |
| 683 | * a _hello_ message is exchanged. You can set how long the server waits to |
| 684 | * receive this message from a client before dropping the connection. |
| 685 | * |
| 686 | * An established NETCONF session may stay silent for a long time. |
| 687 | * To free up resources, it is possible to adjust the maximum idle period |
| 688 | * of a session before it is disconnected. In _Call Home_, this idle timeout |
| 689 | * can be specified separately for each client, for both persistent and periodic |
roman | eaf84c7 | 2023-10-19 14:38:05 +0200 | [diff] [blame] | 690 | * connections. Lastly, the SSH user authentication timeout can also be modified. It is the time |
| 691 | * a client has to successfully authenticate after connecting before it is disconnected. |
| 692 | * |
roman | eaf84c7 | 2023-10-19 14:38:05 +0200 | [diff] [blame] | 693 | * These timeouts are set by applying the corresponding configuration data. |
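As an added example (not libnetconf2 code), the following C snippet models the three server-side timeouts just described: each is measured from the event that opened its phase (connection for authentication, end of authentication for _hello_, last message for idle), and the earliest pending deadline tells a poll loop how long it may block. Phases, limits and timestamps are constructed.

```c
// Added example, not libnetconf2 code: which of the three server-side timeouts
// applies to a session, and for how long a poll may block before the earliest
// one fires. Phases, timestamps and limits are constructed.
#include <stddef.h>
#include <time.h>

enum sess_phase { PHASE_AUTH, PHASE_HELLO, PHASE_ESTABLISHED };
enum timeout_kind { TO_NONE, TO_AUTH, TO_HELLO, TO_IDLE };

struct timeouts { unsigned auth_s, hello_s, idle_s; };   // seconds, 0 disables

struct sess {
    enum sess_phase phase;
    time_t connected;   // transport connection accepted
    time_t authed;      // transport authentication finished, hello exchange starts
    time_t last_io;     // last NETCONF message sent or received
};

// Each timeout is measured from the event that opened its phase.
static time_t phase_start(const struct sess *s)
{
    return s->phase == PHASE_AUTH ? s->connected : s->phase == PHASE_HELLO ? s->authed : s->last_io;
}

static unsigned phase_limit(const struct sess *s, const struct timeouts *t)
{
    return s->phase == PHASE_AUTH ? t->auth_s : s->phase == PHASE_HELLO ? t->hello_s : t->idle_s;
}

// Returns the timeout the session has exceeded at 'now', or TO_NONE.
enum timeout_kind session_timeout_hit(const struct sess *s, const struct timeouts *t, time_t now)
{
    unsigned limit = phase_limit(s, t);
    if (!limit || now - phase_start(s) < (time_t)limit) return TO_NONE;
    switch (s->phase) {
    case PHASE_AUTH:  return TO_AUTH;
    case PHASE_HELLO: return TO_HELLO;
    default:          return TO_IDLE;
    }
}

// Milliseconds a poll over these sessions may block before some timeout fires
// (0 if one is already due), or -1 when no timeout is armed for any of them.
long sessions_poll_wait_ms(const struct sess *ss, size_t n, const struct timeouts *t, time_t now)
{
    long best = -1;
    for (size_t i = 0; i < n; i++) {
        unsigned limit = phase_limit(&ss[i], t);
        if (!limit) continue;
        time_t deadline = phase_start(&ss[i]) + (time_t)limit;
        long wait = deadline <= now ? 0 : (long)(deadline - now) * 1000;
        if (best < 0 || wait < best) best = wait;
    }
    return best;
}
```

A session that never sends _hello_ is charged against the hello timeout from the moment authentication finished, not from the TCP connect, so a slow authentication cannot eat into the hello budget; a disabled limit (0) simply never arms a deadline.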
Michal Vasko | ee087c6 | 2017-02-15 11:27:16 +0100 | [diff] [blame] | 694 | */ |
| 695 | |
Radek Krejci | 6799a05 | 2017-05-19 14:23:23 +0200 | [diff] [blame] | 696 | /** |
| 697 | * @defgroup misc Miscellaneous |
| 698 | * @brief Miscellaneous macros, types, structures and functions for generic use by both server and client applications. |
| 699 | */ |
| 700 | |
| 701 | /** |
| 702 | * @defgroup client Client |
| 703 | * @brief NETCONF client functionality. |
| 704 | */ |
| 705 | |
| 706 | /** |
| 707 | * @defgroup server Server |
| 708 | * @brief NETCONF server functionality. |
roman | 3512097 | 2023-08-08 10:39:12 +0200 | [diff] [blame] | 709 | * @{ |
| 710 | * @} Server |
Radek Krejci | 6799a05 | 2017-05-19 14:23:23 +0200 | [diff] [blame] | 711 | */ |