/**
 * @mainpage About
 *
 * libnetconf2 is a NETCONF library in C handling NETCONF authentication and all NETCONF
 * RPC communication on both the server and the client side. Note that a NETCONF datastore implementation
 * is not a part of this library. The library supports both NETCONF 1.0
 * ([RFC 4741](https://tools.ietf.org/html/rfc4741)) as well as NETCONF 1.1
 * ([RFC 6241](https://tools.ietf.org/html/rfc6241)).
 *
 * @section about-features Main Features
 *
 * - Creating SSH ([RFC 4742](https://tools.ietf.org/html/rfc4742), [RFC 6242](https://tools.ietf.org/html/rfc6242)),
 * using [libssh](https://www.libssh.org/), or TLS ([RFC 7589](https://tools.ietf.org/html/rfc7589)),
 * using [OpenSSL](https://www.openssl.org/), authenticated NETCONF sessions.
 * - Creating NETCONF sessions with a pre-established transport protocol
 * (using this mechanism the communication can be tunneled through sshd(8), for instance).
 * - Creating NETCONF Call Home sessions ([RFC 8071](https://tools.ietf.org/html/rfc8071)).
 * - Creating, sending, receiving, and replying to RPCs ([RFC 4741](https://tools.ietf.org/html/rfc4741),
 * [RFC 6241](https://tools.ietf.org/html/rfc6241)).
 * - Creating, sending and receiving NETCONF Event Notifications ([RFC 5277](https://tools.ietf.org/html/rfc5277)).
 * - Configuring the NETCONF server based on the [ietf-netconf-server](https://datatracker.ietf.org/doc/html/draft-ietf-netconf-netconf-client-server-29) YANG module.
 *
 * @section about-license License
 *
 * Copyright (c) 2015-2021 CESNET, z.s.p.o.
 *
 * (The BSD 3-Clause License)
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in
 * the documentation and/or other materials provided with the
 * distribution.
 * 3. Neither the name of the Company nor the names of its contributors
 * may be used to endorse or promote products derived from this
 * software without specific prior written permission.
 */

/**
 * @page howto How To ...
 *
 * - @subpage howtoinit
 * - @subpage howtoclient
 * - @subpage howtoserver
 * - @subpage howtoclientcomm
 * - @subpage howtoservercomm
 * - @subpage howtotimeouts
 */
53
54/**
55 * @page howtoinit Init and Thread-safety Information
56 *
Michal Vasko4e6d3242021-05-26 09:13:24 +020057 * Before working with the library, it must be initialized using ::nc_client_init()
roman694979e2023-11-02 15:00:09 +010058 * and/or ::nc_server_init(). To prevent any reachable memory at the end of your
59 * application, there are complementary destroy functions
60 * (::nc_server_destroy() and ::nc_client_destroy() available). If your
Radek Krejci5cebc6b2017-05-26 13:24:38 +020061 * application is multi-threaded, call the destroy functions in the main thread,
Roytak09e426c2023-09-29 15:25:55 +020062 * after all the other threads have ended.
Michal Vaskofdfd9dd2016-02-29 10:18:46 +010063 *
Michal Vasko15b7a982016-03-02 10:53:31 +010064 * If _libnetconf2_ is used in accordance with this information, there should
Michal Vaskofdfd9dd2016-02-29 10:18:46 +010065 * not be memory leaks of any kind at program exit. For thread-safety details
Michal Vasko15b7a982016-03-02 10:53:31 +010066 * of _libssh_, _libssl_, and _libcrypto_, please refer to the corresponding project
67 * documentation. _libnetconf2_ thread-safety information is below.
Michal Vaskofdfd9dd2016-02-29 10:18:46 +010068 *
Radek Krejci5cebc6b2017-05-26 13:24:38 +020069 * Client
70 * ------
71 *
Radek Krejcifd5b6682017-06-13 15:52:53 +020072 * Optionally, a client can specify two alternative ways to get schemas needed when connecting
73 * with a server. The primary way is to read local files in searchpath (and its subdirectories)
Michal Vasko4e6d3242021-05-26 09:13:24 +020074 * specified via ::nc_client_set_schema_searchpath(). Alternatively, _libnetconf2_ can use callback
75 * provided via ::nc_client_set_schema_callback(). If these ways do not succeed and the server
Radek Krejcifd5b6682017-06-13 15:52:53 +020076 * implements NETCONF \<get-schema\> operation, the schema is retrieved from the server and stored
Roytak09e426c2023-09-29 15:25:55 +020077 * locally into the searchpath (if specified) for a future use. If none of these methods succeed to
Radek Krejcifd5b6682017-06-13 15:52:53 +020078 * load particular schema, the data from this schema are ignored during the communication with the
79 * server.
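 *
 * The lookup order just described, as an added example that is not libnetconf2 code: a self-contained
 * C model in which an in-memory table stands in for the searchpath directory, one function pointer stands
 * in for the ::nc_client_set_schema_callback() callback and a second one for the server's \<get-schema\>
 * operation. The module names, module texts and provider functions are constructed for the demo.
 *
```c
// Added example, not libnetconf2 code: a self-contained model of the client's
// schema lookup order (searchpath, then callback, then the server's
// <get-schema>, whose result is cached into the searchpath). The in-memory
// "searchpath" and the provider functions are hypothetical stand-ins.
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 8
#define TEXT_LEN 64

enum schema_source { SRC_NONE = 0, SRC_SEARCHPATH = 1, SRC_CALLBACK = 2, SRC_GET_SCHEMA = 3 };

// Stand-in for the searchpath directory: module name -> YANG module text.
struct searchpath {
    char names[MAX_MODULES][32];
    char text[MAX_MODULES][TEXT_LEN];
    int count;
};

// Shape shared by the user callback and the server's <get-schema>:
// fill `out` and return 1 on success, 0 when the module is unknown.
typedef int (*schema_provider)(const char *name, char *out, size_t outlen);

static const char *searchpath_find(const struct searchpath *sp, const char *name)
{
    for (int i = 0; i < sp->count; i++) {
        if (strcmp(sp->names[i], name) == 0) {
            return sp->text[i];
        }
    }
    return NULL;
}

static void searchpath_store(struct searchpath *sp, const char *name, const char *text)
{
    if (sp->count >= MAX_MODULES) {
        return;
    }
    snprintf(sp->names[sp->count], sizeof sp->names[0], "%s", name);
    snprintf(sp->text[sp->count], sizeof sp->text[0], "%s", text);
    sp->count++;
}

// Tries the sources in the documented order. SRC_NONE means the module could
// not be loaded and its data will be ignored for the rest of the session.
enum schema_source load_schema(struct searchpath *sp, schema_provider clb,
        schema_provider get_schema, const char *name, char *out, size_t outlen)
{
    const char *local = sp ? searchpath_find(sp, name) : NULL;
    if (local) {
        snprintf(out, outlen, "%s", local);
        return SRC_SEARCHPATH;
    }
    if (clb && clb(name, out, outlen)) {
        return SRC_CALLBACK;
    }
    if (get_schema && get_schema(name, out, outlen)) {
        if (sp) {
            searchpath_store(sp, name, out); // cached for future sessions
        }
        return SRC_GET_SCHEMA;
    }
    out[0] = '\0';
    return SRC_NONE;
}

// Constructed providers: the callback knows one vendor module and the
// server's <get-schema> serves one IETF module.
static int demo_callback(const char *name, char *out, size_t outlen)
{
    if (strcmp(name, "example-acl") != 0) {
        return 0;
    }
    snprintf(out, outlen, "%s", "module example-acl { ... }");
    return 1;
}

static int demo_get_schema(const char *name, char *out, size_t outlen)
{
    if (strcmp(name, "ietf-interfaces") != 0) {
        return 0;
    }
    snprintf(out, outlen, "%s", "module ietf-interfaces { ... }");
    return 1;
}

#define DEMO_COUNT 5
static const char *demo_modules[DEMO_COUNT] = {
    "ietf-netconf-monitoring", "example-acl", "ietf-interfaces", "ietf-interfaces", "vendor-unknown"
};
static enum schema_source demo_results[DEMO_COUNT];

// Runs the fixed scenario (the second ietf-interfaces lookup should hit the
// cache); returns how many modules <get-schema> stored into the searchpath.
int demo_run(void)
{
    struct searchpath sp = { .count = 0 };
    char buf[TEXT_LEN];
    searchpath_store(&sp, "ietf-netconf-monitoring", "module ietf-netconf-monitoring { ... }");
    int before = sp.count;
    for (int i = 0; i < DEMO_COUNT; i++) {
        demo_results[i] = load_schema(&sp, demo_callback, demo_get_schema, demo_modules[i], buf, sizeof buf);
    }
    return sp.count - before;
}

int demo_result(int i) { return (i >= 0 && i < DEMO_COUNT) ? (int)demo_results[i] : -1; }

int main(void)
{
    int cached = demo_run();
    for (int i = 0; i < DEMO_COUNT; i++) {
        printf("%-24s -> source %d\n", demo_modules[i], demo_result(i));
    }
    printf("modules cached by <get-schema>: %d\n", cached);
    return 0;
}
```
 *
 * A module that falls through all three sources is reported as SRC_NONE and its data are then ignored
 * for the session, so a client that depends on complete validation of server data should treat that
 * outcome as an error (or populate the searchpath ahead of time) rather than rely on \<get-schema\>
 * at connect time.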
 *
 * Besides the mentioned setters, there are many other @ref howtoclientssh "SSH", @ref howtoclienttls "TLS"
 * and @ref howtoclientch "Call Home" getter/setter functions to manipulate various settings. All these
 * settings are internally placed in a thread-specific context so they are independent and
 * initialized to the default values within each new thread. However, the context can be shared among
 * the threads using the ::nc_client_get_thread_context() and ::nc_client_set_thread_context() functions. In such
 * a case, be careful and avoid concurrent execution of the mentioned setters/getters and functions
 * creating a connection (no matter if it is a standard NETCONF connection or Call Home).
 *
 * In the client, it is always thread-safe to work with a NETCONF session in a single thread since the client
 * settings are thread-specific as described above. Generally, one can access a session in several threads
 * as well but there is little incentive to do so.
 *
 * Server
 * ------
 *
 * The server is __FULLY__ thread-safe, meaning you can set all the (thread-shared, in contrast to the
 * client) options simultaneously while listening for or accepting new sessions or
 * polling the existing ones. It is even safe to poll one session in several
 * pollsession structures or one pollsession structure in several threads. Generally,
 * servers can use more threads without any problems as long as they keep their workflow sane
 * (behavior such as freeing sessions only after no thread uses them or similar).
 *
 * Functions List
 * --------------
 *
 * Available in __nc_client.h__.
 *
 * - ::nc_client_init()
 * - ::nc_client_destroy()
 *
 * - ::nc_client_set_schema_searchpath()
 * - ::nc_client_get_schema_searchpath()
 * - ::nc_client_set_schema_callback()
 * - ::nc_client_get_schema_callback()
 *
 * - ::nc_client_set_thread_context()
 * - ::nc_client_get_thread_context()
 *
 * Available in __nc_server.h__.
 *
 * - ::nc_server_init()
 * - ::nc_server_destroy()
 */
124
125/**
126 * @page howtoclient Client sessions
127 *
Michal Vasko15b7a982016-03-02 10:53:31 +0100128 * To connect to a NETCONF server, a NETCONF session must be established,
129 * which requires a working transport session. It is possible to create
130 * NETCONF sessions with SSH (using _libssh_) or TLS (using _libssl/libcrypto_)
131 * as the underlying transport protocol. It is also possible to establish
132 * the transport protocol outside _libnetconf2_ and then provide these file
133 * descriptors (FD) for full NETCONF session creation.
134 *
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100135 * There are a lot of options for both an SSH and a TLS client. All of them
136 * have setters and getters so that there is no need to duplicate them in
137 * a client.
138 *
Radek Krejci5cebc6b2017-05-26 13:24:38 +0200139 * @anchor howtoclientssh
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100140 * SSH
141 * ===
142 *
Michal Vasko15b7a982016-03-02 10:53:31 +0100143 * Connecting to a server using SSH does not strictly require to set any
144 * options, there are sensible default values for all the basic ones.
145 * Except all the SSH options, optionally some authetication callbacks can be set,
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100146 * which are particulary useful in automated clients (passwords cannot be
147 * asked a user) or simply if any additional information is retrieved some
148 * other way than from standard terminal input.
149 *
Michal Vasko15b7a982016-03-02 10:53:31 +0100150 * Having the default options or changing any unsuitable ones, there are 2 functions
Michal Vasko4e6d3242021-05-26 09:13:24 +0200151 * to use for a new server connection. ::nc_connect_ssh() is the standard function
Michal Vasko15b7a982016-03-02 10:53:31 +0100152 * that creates sessions using the set options. If there are some options, which
Michal Vasko4e6d3242021-05-26 09:13:24 +0200153 * cannot be changed with the provided API, there is ::nc_connect_libssh() available.
Michal Vasko15b7a982016-03-02 10:53:31 +0100154 * It requires a _libssh_ session, in which all the SSH options can be modified
155 * and even the connection established. This allows for full customization and
156 * should fit any specific situation.
157 *
158 * New NETCONF sessions can also be created on existing authenticated SSH sessions.
159 * There is a new SSH channel needed, on which the NETCONF session is then created.
Michal Vasko4e6d3242021-05-26 09:13:24 +0200160 * Use ::nc_connect_ssh_channel() for this purpose.
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100161 *
162 * Functions List
163 * --------------
164 *
165 * Available in __nc_client.h__.
166 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200167 * - ::nc_client_ssh_set_auth_password_clb()
168 * - ::nc_client_ssh_get_auth_password_clb()
169 * - ::nc_client_ssh_set_auth_interactive_clb()
170 * - ::nc_client_ssh_get_auth_interactive_clb()
171 * - ::nc_client_ssh_set_auth_privkey_passphrase_clb()
172 * - ::nc_client_ssh_get_auth_privkey_passphrase_clb()
173 * - ::nc_client_ssh_add_keypair()
174 * - ::nc_client_ssh_del_keypair()
175 * - ::nc_client_ssh_get_keypair_count()
176 * - ::nc_client_ssh_get_keypair()
177 * - ::nc_client_ssh_set_auth_pref()
178 * - ::nc_client_ssh_get_auth_pref()
179 * - ::nc_client_ssh_set_username()
180 * - ::nc_client_ssh_get_username()
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100181 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200182 * - ::nc_connect_ssh()
183 * - ::nc_connect_libssh()
184 * - ::nc_connect_ssh_channel()
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100185 *
Radek Krejci5cebc6b2017-05-26 13:24:38 +0200186 * @anchor howtoclienttls
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100187 * TLS
188 * ===
189 *
Michal Vasko15b7a982016-03-02 10:53:31 +0100190 * To connect to a server using TLS, there must be some client identification
191 * options set. Client must specify its certificate with a private key using
Michal Vasko4e6d3242021-05-26 09:13:24 +0200192 * ::nc_client_tls_set_cert_key_paths(). Also, the Certificate Authority of
Michal Vasko15b7a982016-03-02 10:53:31 +0100193 * a server certificate must be considered trusted. Paths to all the trusted
Michal Vasko4e6d3242021-05-26 09:13:24 +0200194 * CA certificates can be set by ::nc_client_tls_set_trusted_ca_paths().
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100195 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200196 * Then there are again 2 functions for connecting, ::nc_connect_tls() being
197 * the standard way of connecting. ::nc_connect_libssl() again enables
Michal Vasko15b7a982016-03-02 10:53:31 +0100198 * to customize the TLS session in every way _libssl_ allows.
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100199 *
200 * Functions List
201 * --------------
202 *
203 * Available in __nc_client.h__.
204 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200205 * - ::nc_client_tls_set_cert_key_paths()
206 * - ::nc_client_tls_get_cert_key_paths()
207 * - ::nc_client_tls_set_trusted_ca_paths()
208 * - ::nc_client_tls_get_trusted_ca_paths()
209 * - ::nc_client_tls_set_crl_paths()
210 * - ::nc_client_tls_get_crl_paths()
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100211 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200212 * - ::nc_connect_tls()
213 * - ::nc_connect_libssl()
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100214 *
215 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200216 * FD and UNIX socket
217 * ==================
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100218 *
219 * If you authenticated the connection using some tunneling software, you
Michal Vasko4e6d3242021-05-26 09:13:24 +0200220 * can pass its file descriptors to _libnetconf2_ using ::nc_connect_inout(),
221 * which will continue to establish a full NETCONF session. To connect locally
romand348b942023-10-13 14:32:19 +0200222 * on a UNIX socket avoiding all cryptography use ::nc_connect_unix().
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100223 *
224 * Funtions List
225 * -------------
226 *
227 * Available in __nc_client.h__.
228 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200229 * - ::nc_connect_inout()
230 * - ::nc_connect_unix()
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100231 *
232 *
Radek Krejci5cebc6b2017-05-26 13:24:38 +0200233 * @anchor howtoclientch
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100234 * Call Home
235 * =========
236 *
237 * Call Home needs the same options set as standard SSH or TLS and the functions
238 * reflect it exactly. However, to accept a connection, the client must first
Michal Vasko4e6d3242021-05-26 09:13:24 +0200239 * specify addresses and ports, which to listen on by ::nc_client_ssh_ch_add_bind_listen()
240 * and ::nc_client_tls_ch_add_bind_listen(). Then connections can be
241 * accepted using ::nc_accept_callhome().
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100242 *
243 * Functions List
244 * --------------
245 *
246 * Available in __nc_client.h__.
247 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200248 * - ::nc_client_ssh_ch_set_auth_password_clb()
249 * - ::nc_client_ssh_ch_set_auth_interactive_clb()
250 * - ::nc_client_ssh_ch_set_auth_privkey_passphrase_clb()
251 * - ::nc_client_ssh_ch_add_bind_listen()
252 * - ::nc_client_ssh_ch_del_bind()
253 * - ::nc_client_ssh_ch_add_keypair()
254 * - ::nc_client_ssh_ch_del_keypair()
255 * - ::nc_client_ssh_ch_get_keypair_count()
256 * - ::nc_client_ssh_ch_get_keypair()
257 * - ::nc_client_ssh_ch_set_auth_pref()
258 * - ::nc_client_ssh_ch_get_auth_pref()
259 * - ::nc_client_ssh_ch_set_username()
260 * - ::nc_client_ssh_ch_get_username()
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100261 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200262 * - ::nc_client_tls_ch_add_bind_listen()
263 * - ::nc_client_tls_ch_del_bind()
264 * - ::nc_client_tls_ch_set_cert_key_paths()
265 * - ::nc_client_tls_ch_get_cert_key_paths()
266 * - ::nc_client_tls_ch_set_trusted_ca_paths()
267 * - ::nc_client_tls_ch_get_trusted_ca_paths()
268 * - ::nc_client_tls_ch_set_crl_paths()
269 * - ::nc_client_tls_ch_get_crl_paths()
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100270 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200271 * - ::nc_accept_callhome()
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100272 *
273 *
274 * Cleanup
275 * =======
276 *
277 * These options and the schema searchpath are stored in dynamically
Michal Vasko15b7a982016-03-02 10:53:31 +0100278 * allocated memory. They are freed as a part of [destroying the client](@ref howtoinit).
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100279 */
280
281/**
282 * @page howtoserver Server sessions
283 *
284 * Init
285 * ====
286 *
Michal Vasko93224072021-11-09 12:14:28 +0100287 * Server must start with [initialization](@ref howtoinit). Its capabilities are
288 * determined by the context used when accepting new NETCONF sessions. Few capabilities that
Michal Vasko15b7a982016-03-02 10:53:31 +0100289 * cannot be learnt from the context are set with separate functions
Michal Vasko4e6d3242021-05-26 09:13:24 +0200290 * ::nc_server_set_capab_withdefaults() and generally ::nc_server_set_capability().
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100291 *
292 * Context does not only determine server modules, but its overall
293 * functionality as well. For every RPC the server should support,
Michal Vasko4e6d3242021-05-26 09:13:24 +0200294 * an nc_rpc_clb callback should be set on that node in the context using ::nc_set_rpc_callback().
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100295 * Server then calls these as appropriate [during poll](@ref howtoservercomm).
296 *
Michal Vasko15b7a982016-03-02 10:53:31 +0100297 * Just like in the [client](@ref howtoclient), you can let _libnetconf2_
298 * establish SSH or TLS transport or do it yourself and only provide the file
299 * descriptors of the connection.
300 *
Roytak09e426c2023-09-29 15:25:55 +0200301 * To be able to accept any connections, the server must first be configured.
Michal Vasko3a889fd2016-09-30 12:16:37 +0200302 *
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100303 * Functions List
304 * --------------
305 *
306 * Available in __nc_server.h__.
307 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200308 * - ::nc_server_set_capab_withdefaults()
309 * - ::nc_server_set_capability()
romanfb3f7cf2023-11-30 16:10:09 +0100310 * - ::nc_server_endpt_count()
311 * - ::nc_server_add_endpt_unix_socket_listen()
312 * - ::nc_server_del_endpt_unix_socket()
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100313 *
Roytak09e426c2023-09-29 15:25:55 +0200314 * Server Configuration
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100315 * ===
316 *
Roytak09e426c2023-09-29 15:25:55 +0200317 * To successfully accept connections on a server, you first need to configure it.
Roytakb2794852023-10-18 14:30:22 +0200318 * The *libnetconf2* server natively supports the *ietf-netconf-server YANG* module.
319 * This allows for a bigger scaling and flexibility of the *NETCONF* server.
320 * By using *ietf-netconf-server YANG* data you can express network configurations
321 * in a standardized and hierarchical format, enabling you to define complex network
322 * structures with greater ease.
Michal Vaskod31b76e2017-02-15 12:18:06 +0100323 *
Roytakb2794852023-10-18 14:30:22 +0200324 * The process of configuring a server is comprised of two steps. The first step is creating the
325 * configuration data and the second is applying it. The server supports two forms of the configuration
326 * data - *YANG data* and *YANG diff*.
Roytak09e426c2023-09-29 15:25:55 +0200327 *
Roytakb2794852023-10-18 14:30:22 +0200328 * YANG data
roman694979e2023-11-02 15:00:09 +0100329 * ---
Roytakb2794852023-10-18 14:30:22 +0200330 * Configuring the server using YANG data simplifies the management of network services.
331 * With YANG data, you build a structured configuration tree and apply it as a whole.
332 * This approach is user-friendly, allowing you to modify the configuration by adding or deleting nodes,
333 * and then deploying the updated configuration tree in its entirety, providing a way to manage your server's settings.
334 * The *libnetconf2* library exports API functions that can help you with creation or deletion of the *YANG* data.
Roytakb2794852023-10-18 14:30:22 +0200335 *
336 * YANG diff
roman694979e2023-11-02 15:00:09 +0100337 * ---
Roytakb2794852023-10-18 14:30:22 +0200338 * YANG diff, enriched with operation attributes, offers advanced configuration control.
339 * It empowers the user to make precise changes within the configuration tree,
340 * enabling operations like specific node deletions, additions, and modifications.
341 * On the other hand, unlike YANG data, YANG diff represents only a subtree of the
342 * changes expecting the whole configuration to be managed externally.
romand348b942023-10-13 14:32:19 +0200343 * For example this is done by the tool [sysrepo](https://www.sysrepo.org/).
Roytakb2794852023-10-18 14:30:22 +0200344 *
345 * Usage
roman694979e2023-11-02 15:00:09 +0100346 * ---
Roytakb2794852023-10-18 14:30:22 +0200347 * To be able to configure the server, the required models first need to be implemented.
348 * To do this, see ::nc_server_config_load_modules().
349 * Not all of the *ietf-netconf-server* (and all of its associated modules) features are enabled.
350 * If you wish to see which features are enabled, extract them from the context after calling the mentioned function.
351 *
352 * If you wish not to create the __YANG data__ yourself, you may use the library's functions to do this for you.
353 * For example ::nc_server_config_add_address_port() creates __YANG data__ corresponding to an SSH/TLS endpoint.
roman50566972023-11-30 16:41:25 +0100354 * You can then apply this data by calling ::nc_server_config_setup_data() (or ::nc_server_config_setup_diff() for diff).
Roytakb2794852023-10-18 14:30:22 +0200355 * See *examples/server.c* for a simple example.
356 *
357 * You may also create entries in the keystore or truststore. For example the asymmetric key and certificate entries
Roytak09e426c2023-09-29 15:25:55 +0200358 * in the keystore can be then referenced as the SSH hostkeys or TLS server certificates, respectively.
359 * As for the truststore, you may create public key and certificate entries, which can then be used
360 * as SSH user's public keys or TLS server's end-entity/trust-anchor certificates, respectively.
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100361 *
362 * Functions List
363 * --------------
364 *
365 * Available in __nc_server.h__.
366 *
Roytak09e426c2023-09-29 15:25:55 +0200367 * - ::nc_server_config_load_modules()
368 * - ::nc_server_config_setup_diff()
369 * - ::nc_server_config_setup_data()
370 * - ::nc_server_config_setup_path()
Michal Vaskod31b76e2017-02-15 12:18:06 +0100371 *
Roytakb2794852023-10-18 14:30:22 +0200372 * - ::nc_server_config_add_address_port()
Roytakb2794852023-10-18 14:30:22 +0200373 * - ::nc_server_config_del_endpt()
Roytakb2794852023-10-18 14:30:22 +0200374 * - ::nc_server_config_add_keystore_asym_key()
375 * - ::nc_server_config_del_keystore_asym_key()
376 * - ::nc_server_config_add_keystore_cert()
377 * - ::nc_server_config_del_keystore_cert()
378 * - ::nc_server_config_add_truststore_pubkey()
379 * - ::nc_server_config_del_truststore_pubkey()
380 * - ::nc_server_config_add_truststore_cert()
381 * - ::nc_server_config_del_truststore_cert()
Michal Vaskod31b76e2017-02-15 12:18:06 +0100382 *
 * SSH
 * ===
 *
 * To successfully accept an SSH session you must configure at least one host key.
 * You may create this data yourself or by using ::nc_server_config_add_ssh_hostkey().
 *
 * On top of that, each SSH endpoint can define its own authorized clients and their authentication methods.
 * For example, if you wish to create an SSH user that can authenticate using a password, use ::nc_server_config_add_ssh_user_password().
 * Another option for authorized clients is to reference another endpoint's clients; however, be careful not to create a cyclic reference
 * (see ::nc_server_config_add_ssh_endpoint_client_ref()). An authorized client MUST authenticate to all of its configured authentication methods.
 *
 * \anchor ln2doc_pubkey
 * The Public Key authentication method is supported. If you wish to use this method, you need to specify the given user's
 * public keys, which will be compared with the key(s) presented by the SSH client when authenticating. One option is to configure
 * the public keys directly in the ietf-netconf-server YANG data (inline-definition). Another option is to configure the keys' data
 * in the ietf-truststore module's YANG data and then reference them (truststore-reference). The final option is to set a global
 * path to a file with public keys. This path may contain special tokens, see ::nc_server_ssh_set_authkey_path_format().
 * If the path is set and the use-system-keys container is present in the data for the client wishing to authenticate,
 * then the keys from the file will be used for authentication.
 *
 * \anchor ln2doc_kbdint
 * The Keyboard Interactive authentication method is also supported. It can be done in three ways.
 * If libpam is found, Linux PAM is used to handle the authentication. You need to specify the service name using ::nc_server_ssh_set_pam_conf_filename().
 * Otherwise, if the standard functions for accessing local users are found on the system, they are used. The only Keyboard Interactive challenge will be the given
 * user's password (that is, if the user is found on the system).
 * Either way, you can always define your own callback to perform the authentication, see ::nc_server_ssh_set_interactive_auth_clb().
 * The callback has a higher priority than the other two methods.
 *
 * There are also some other optional settings.
 *
 * Functions List
 * --------------
 *
 * Available in __nc_server.h__.
 *
 * - ::nc_server_config_add_ssh_hostkey()
 * - ::nc_server_config_del_ssh_hostkey()
 * - ::nc_server_config_add_ssh_keystore_ref()
 * - ::nc_server_config_del_ssh_keystore_ref()
 *
 * - ::nc_server_config_add_ssh_user_pubkey()
 * - ::nc_server_config_del_ssh_user_pubkey()
 * - ::nc_server_config_add_ssh_user_password()
 * - ::nc_server_config_del_ssh_user_password()
 * - ::nc_server_config_add_ssh_user_interactive()
 * - ::nc_server_config_del_ssh_user_interactive()
 * - ::nc_server_config_del_ssh_user()
 * - ::nc_server_config_add_ssh_truststore_ref()
 * - ::nc_server_config_del_ssh_truststore_ref()
 * - ::nc_server_config_add_ssh_endpoint_client_ref()
 * - ::nc_server_config_del_ssh_endpoint_client_ref()
 *
 * - ::nc_server_ssh_set_authkey_path_format()
 * - ::nc_server_ssh_set_pam_conf_filename()
 * - ::nc_server_ssh_set_interactive_auth_clb()
 *
 * TLS
 * ===
 *
 * TLS works with endpoints too, but its options differ
 * significantly from the SSH ones, especially in the _cert-to-name_
 * options that TLS uses to derive usernames from client certificates.
 *
 * If you wish to listen on a TLS endpoint, you need to configure the endpoint's
 * server certificate (see ::nc_server_config_add_tls_server_cert()).
 *
 * To accept client certificates, they must first be considered trusted.
 * For each TLS endpoint you may configure two types of client certificates.
 * The first type is end-entity (client) certificates, which belong
 * to specific clients and need to be trusted directly.
 * The second type is trust-anchor (certificate authority) certificates,
 * which carry the trust over to the certificates they issued (a chain of trust).
 * Another option is to reference another TLS endpoint's end-entity certificates; however, be careful not to create a cyclic reference
 * (see ::nc_server_config_add_tls_endpoint_client_ref()).
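 *
 * The cyclic-reference warning applies to both the SSH and the TLS endpoint client references above.
 * As an added example that is not libnetconf2 code, the following self-contained C check models the
 * reference relation as "each endpoint may reuse the authorized-client list of at most one other endpoint"
 * (an assumption of the model) and refuses any reference that would close a loop, so the check can run
 * over the configuration data before it is applied with ::nc_server_config_setup_data(). The endpoint
 * names are constructed.
 *
```c
// Added example, not libnetconf2 code: a self-contained check for cyclic
// endpoint client references. The model assumes each endpoint reuses the
// authorized-client list of at most one other endpoint; endpoint names are
// constructed.
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENDPTS 16

struct endpt_ref_cfg {
    const char *name[MAX_ENDPTS];
    int ref[MAX_ENDPTS]; // index of the referenced endpoint, -1 = own client list
    int count;
};

int endpt_index(const struct endpt_ref_cfg *cfg, const char *name)
{
    for (int i = 0; i < cfg->count; i++) {
        if (strcmp(cfg->name[i], name) == 0) {
            return i;
        }
    }
    return -1;
}

int endpt_add(struct endpt_ref_cfg *cfg, const char *name)
{
    if (cfg->count >= MAX_ENDPTS || endpt_index(cfg, name) >= 0) {
        return -1;
    }
    cfg->name[cfg->count] = name;
    cfg->ref[cfg->count] = -1;
    return cfg->count++;
}

// Follows references from `start`; true if the chain revisits an endpoint.
bool endpt_ref_has_cycle(const struct endpt_ref_cfg *cfg, int start)
{
    bool seen[MAX_ENDPTS] = { false };
    for (int cur = start; cur != -1; cur = cfg->ref[cur]) {
        if (seen[cur]) {
            return true;
        }
        seen[cur] = true;
    }
    return false;
}

// Points `from` at `to` only if the graph stays acyclic; otherwise the
// configuration is left untouched and false is returned.
bool endpt_ref_set(struct endpt_ref_cfg *cfg, const char *from, const char *to)
{
    int f = endpt_index(cfg, from), t = endpt_index(cfg, to);
    if (f < 0 || t < 0) {
        return false;
    }
    int old = cfg->ref[f];
    cfg->ref[f] = t;
    if (endpt_ref_has_cycle(cfg, f)) {
        cfg->ref[f] = old;
        return false;
    }
    return true;
}

// Whole-configuration check to run before applying the data: the name of the
// first endpoint sitting on a cycle, or NULL when the references are sound.
const char *endpt_ref_first_cycle(const struct endpt_ref_cfg *cfg)
{
    for (int i = 0; i < cfg->count; i++) {
        if (endpt_ref_has_cycle(cfg, i)) {
            return cfg->name[i];
        }
    }
    return NULL;
}

// Constructed scenario: a valid two-hop chain, then two references that would
// close a loop. Returns how many references were rejected.
struct endpt_ref_cfg demo_cfg;

int demo_endpt_refs(void)
{
    int rejected = 0;
    memset(&demo_cfg, 0, sizeof demo_cfg);
    endpt_add(&demo_cfg, "mgmt-ssh");
    endpt_add(&demo_cfg, "backup-ssh");
    endpt_add(&demo_cfg, "oob-ssh");
    rejected += !endpt_ref_set(&demo_cfg, "backup-ssh", "mgmt-ssh"); // ok
    rejected += !endpt_ref_set(&demo_cfg, "oob-ssh", "backup-ssh");  // ok: oob -> backup -> mgmt
    rejected += !endpt_ref_set(&demo_cfg, "mgmt-ssh", "oob-ssh");    // rejected: closes the loop
    rejected += !endpt_ref_set(&demo_cfg, "mgmt-ssh", "mgmt-ssh");   // rejected: self-reference
    return rejected;
}

int main(void)
{
    printf("rejected references: %d\n", demo_endpt_refs());
    const char *bad = endpt_ref_first_cycle(&demo_cfg);
    printf("configuration %s\n", bad ? bad : "is acyclic");
    return 0;
}
```
 *
 * Rejecting the reference at the point where it is added keeps the stored configuration always
 * acyclic; the whole-configuration pass is the check to use for data that arrives already assembled
 * (for example a tree loaded from a file or received as a diff).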
 *
 * Then, from each trusted client certificate a username must be derived
 * for the NETCONF session. This is accomplished by finding a matching
 * _cert-to-name_ entry.
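 *
 * The username derivation, as an added example that is not libnetconf2 code: a self-contained C model
 * of the _cert-to-name_ lookup. The map types and the rule that the matching entry with the lowest id
 * wins follow the ietf-x509-cert-to-name module of RFC 7407 as I understand it; the certificate view,
 * the fingerprints and the mapping entries are constructed, and no X.509 parsing is done.
 *
```c
// Added example, not libnetconf2 code: a self-contained model of the
// cert-to-name lookup that derives a NETCONF username from a client
// certificate chain. Map types and "lowest id wins" follow RFC 7407's
// ietf-x509-cert-to-name as I understand it; all data below is constructed.
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum ctn_map_type {
    CTN_SPECIFIED,       // username is taken from the entry itself
    CTN_SAN_RFC822_NAME, // from the subjectAltName e-mail address
    CTN_SAN_DNS_NAME,    // from the subjectAltName DNS name
    CTN_SAN_IP_ADDRESS,  // from the subjectAltName IP address
    CTN_SAN_ANY,         // first subjectAltName of any of the above kinds
    CTN_COMMON_NAME      // from the subject common name
};

struct ctn_entry {
    unsigned id;             // entries with a lower id are searched first
    const char *fingerprint; // of the client cert or of a CA cert in its chain
    enum ctn_map_type map;
    const char *name;        // used only with CTN_SPECIFIED
};

// Minimal view of one certificate; NULL means the field is absent.
struct cert_view {
    const char *fingerprint;
    const char *common_name;
    const char *san_rfc822;
    const char *san_dns;
    const char *san_ip;
};

#define MAX_CHAIN 4
struct cert_chain {
    struct cert_view certs[MAX_CHAIN]; // certs[0] is the end-entity certificate
    int len;
};

static bool entry_matches(const struct ctn_entry *e, const struct cert_chain *chain)
{
    for (int i = 0; i < chain->len; i++) {
        if (strcmp(e->fingerprint, chain->certs[i].fingerprint) == 0) {
            return true;
        }
    }
    return false;
}

static const char *map_name(const struct ctn_entry *e, const struct cert_view *ee)
{
    switch (e->map) {
    case CTN_SPECIFIED:       return e->name;
    case CTN_COMMON_NAME:     return ee->common_name;
    case CTN_SAN_RFC822_NAME: return ee->san_rfc822;
    case CTN_SAN_DNS_NAME:    return ee->san_dns;
    case CTN_SAN_IP_ADDRESS:  return ee->san_ip;
    case CTN_SAN_ANY:
        if (ee->san_rfc822) return ee->san_rfc822;
        if (ee->san_dns) return ee->san_dns;
        return ee->san_ip;
    }
    return NULL;
}

// Returns the derived username, or NULL when no entry matches the chain or the
// selected certificate field is absent. NULL is the refusal path: the session
// gets no default name.
const char *ctn_derive_username(const struct ctn_entry *entries, int n,
        const struct cert_chain *chain)
{
    const struct ctn_entry *best = NULL;
    for (int i = 0; i < n; i++) {
        if (entry_matches(&entries[i], chain) && (!best || entries[i].id < best->id)) {
            best = &entries[i];
        }
    }
    if (!best || chain->len == 0) {
        return NULL;
    }
    return map_name(best, &chain->certs[0]);
}

// Constructed mapping table: one pinned operator certificate, then any
// certificate issued by the internal CA mapped by its common name.
static const struct ctn_entry demo_entries[] = {
    { 1, "FP-EE-OPERATOR", CTN_SPECIFIED, "admin" },
    { 2, "FP-CA-INTERNAL", CTN_COMMON_NAME, NULL },
};

// Constructed chains: 0 = pinned operator cert, 1 = ordinary internal-CA cert,
// 2 = cert from an unknown CA, 3 = internal-CA cert without a common name.
const char *demo_ctn(int which)
{
    static const struct cert_chain chains[] = {
        { { { "FP-EE-OPERATOR", "alice", "alice@example.net", NULL, NULL }, { "FP-CA-INTERNAL", "Internal CA", NULL, NULL, NULL } }, 2 },
        { { { "FP-EE-0002", "bob", NULL, NULL, NULL }, { "FP-CA-INTERNAL", "Internal CA", NULL, NULL, NULL } }, 2 },
        { { { "FP-EE-0003", "carol", NULL, NULL, NULL }, { "FP-CA-OTHER", "Other CA", NULL, NULL, NULL } }, 2 },
        { { { "FP-EE-0004", NULL, NULL, "dev4.example.net", NULL }, { "FP-CA-INTERNAL", "Internal CA", NULL, NULL, NULL } }, 2 },
    };
    if (which < 0 || which >= 4) {
        return NULL;
    }
    return ctn_derive_username(demo_entries, 2, &chains[which]);
}

int main(void)
{
    for (int i = 0; i < 4; i++) {
        const char *user = demo_ctn(i);
        printf("chain %d -> %s\n", i, user ? user : "(refused: no username)");
    }
    return 0;
}
```
 *
 * The pinned entry wins for the operator certificate even though the CA entry also matches its chain,
 * which is why the id ordering matters when a specific certificate should get a different name from
 * the rest of the CA's population; a chain from an unknown CA, or a matching certificate whose selected
 * field is missing, yields no username and the session is not accepted.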
Michal Vasko15b7a982016-03-02 10:53:31 +0100461 *
Roytak09e426c2023-09-29 15:25:55 +0200462 * There are some further options. For example you can configure the TLS
romand348b942023-10-13 14:32:19 +0200463 * version and ciphers to be used. You may also choose to use a Certificate
romane6ec60e2023-10-19 15:21:52 +0200464 * Revocation List.
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100465 *
466 * Functions List
467 * --------------
468 *
469 * Available in __nc_server.h__.
470 *
romane6ec60e2023-10-19 15:21:52 +0200471 * - ::nc_server_config_add_tls_server_cert()
472 * - ::nc_server_config_del_tls_server_cert()
romand348b942023-10-13 14:32:19 +0200473 * - ::nc_server_config_add_tls_keystore_ref()
474 * - ::nc_server_config_del_tls_keystore_ref()
Michal Vaskod31b76e2017-02-15 12:18:06 +0100475 *
romane6ec60e2023-10-19 15:21:52 +0200476 * - ::nc_server_config_add_tls_client_cert()
477 * - ::nc_server_config_del_tls_client_cert()
romand348b942023-10-13 14:32:19 +0200478 * - ::nc_server_config_add_tls_client_cert_truststore_ref()
479 * - ::nc_server_config_del_tls_client_cert_truststore_ref()
romane6ec60e2023-10-19 15:21:52 +0200480 * - ::nc_server_config_add_tls_ca_cert()
481 * - ::nc_server_config_del_tls_ca_cert()
482 * - ::nc_server_config_add_tls_ca_cert_truststore_ref()
483 * - ::nc_server_config_del_tls_ca_cert_truststore_ref()
Roytakb2794852023-10-18 14:30:22 +0200484 * - ::nc_server_config_add_tls_endpoint_client_ref()
485 * - ::nc_server_config_del_tls_endpoint_client_ref()
486 * - ::nc_server_config_add_tls_ctn()
487 * - ::nc_server_config_del_tls_ctn()
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100488 *
489 * FD
490 * ==
491 *
492 * If you used a tunneling software, which does its own authentication,
Michal Vasko15b7a982016-03-02 10:53:31 +0100493 * you can accept a NETCONF session on its file descriptors with
Michal Vasko4e6d3242021-05-26 09:13:24 +0200494 * ::nc_accept_inout().
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100495 *
496 * Functions List
497 * --------------
498 *
499 * Available in __nc_server.h__.
500 *
Michal Vasko4e6d3242021-05-26 09:13:24 +0200501 * - ::nc_accept_inout()
Michal Vaskofdfd9dd2016-02-29 10:18:46 +0100502 *
503 *
 * Call Home
 * =========
 *
 * _Call Home_ works with endpoints just like standard sessions, but
 * the options are organized a bit differently: endpoints are added
 * to a Call Home (CH) client, which is the peer the server connects to.
 * There are two ways of creating a new Call Home session (that is,
 * of making the server connect to a client). The first is to set all
 * the required callbacks with ::nc_server_ch_set_dispatch_data(); once
 * they are set, the server automatically starts connecting whenever
 * a new Call Home client is configured. The second is to start the
 * Call Home thread yourself with ::nc_connect_ch_client_dispatch(),
 * which creates a new thread in which the server connects to the
 * given client. Only SSH and TLS transports are available here;
 * Unix socket _Call Home_ sessions are not supported.
 *
 * Functions List
 * --------------
 *
 * Available in __nc_server.h__.
 *
 * - ::nc_server_config_add_ch_address_port()
 * - ::nc_server_config_del_ch_client()
 * - ::nc_server_config_del_ch_endpt()
 * - ::nc_server_config_add_ch_persistent()
 * - ::nc_server_config_add_ch_period()
 * - ::nc_server_config_del_ch_period()
 * - ::nc_server_config_add_ch_anchor_time()
 * - ::nc_server_config_del_ch_anchor_time()
 * - ::nc_server_config_add_ch_idle_timeout()
 * - ::nc_server_config_del_ch_idle_timeout()
 * - ::nc_server_config_add_ch_reconnect_strategy()
 * - ::nc_server_config_del_ch_reconnect_strategy()
 *
 * - ::nc_server_config_add_ch_ssh_hostkey()
 * - ::nc_server_config_del_ch_ssh_hostkey()
 * - ::nc_server_config_add_ch_ssh_keystore_ref()
 * - ::nc_server_config_del_ch_ssh_keystore_ref()
 * - ::nc_server_config_add_ch_ssh_user_pubkey()
 * - ::nc_server_config_del_ch_ssh_user_pubkey()
 * - ::nc_server_config_add_ch_ssh_user_password()
 * - ::nc_server_config_del_ch_ssh_user_password()
 * - ::nc_server_config_add_ch_ssh_user_interactive()
 * - ::nc_server_config_del_ch_ssh_user_interactive()
 * - ::nc_server_config_del_ch_ssh_user()
 * - ::nc_server_config_add_ch_ssh_truststore_ref()
 * - ::nc_server_config_del_ch_ssh_truststore_ref()
 *
 * - ::nc_server_config_add_ch_tls_server_cert()
 * - ::nc_server_config_del_ch_tls_server_cert()
 * - ::nc_server_config_add_ch_tls_keystore_ref()
 * - ::nc_server_config_del_ch_tls_keystore_ref()
 * - ::nc_server_config_add_ch_tls_client_cert()
 * - ::nc_server_config_del_ch_tls_client_cert()
 * - ::nc_server_config_add_ch_tls_client_cert_truststore_ref()
 * - ::nc_server_config_del_ch_tls_client_cert_truststore_ref()
 * - ::nc_server_config_add_ch_tls_ca_cert()
 * - ::nc_server_config_del_ch_tls_ca_cert()
 * - ::nc_server_config_add_ch_tls_ca_cert_truststore_ref()
 * - ::nc_server_config_del_ch_tls_ca_cert_truststore_ref()
 * - ::nc_server_config_add_ch_tls_ctn()
 * - ::nc_server_config_del_ch_tls_ctn()
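The period, anchor time and reconnect strategy configured with the functions above are interpreted by the library when it schedules periodic Call Home connections. The following is an added example written for this page, not libnetconf2 code: it shows how those settings translate into connection times and an endpoint try order, using the semantics of the ietf-netconf-server "period" (minutes), "anchor-time" and "reconnect-strategy/start-with" leaves as the author understands them. The function names next_call_home() and call_home_try_order() are hypothetical and the random choice takes a caller-supplied seed so that the example is deterministic.

```c
#include <stdint.h>
#include <stdio.h>

// Scheduling helpers for a periodic Call Home client, written as an
// illustration of the "period", "anchor-time" and "reconnect-strategy"
// settings. These are not libnetconf2 functions; the library does this work
// internally in its Call Home thread.

// Periodic connections happen on a grid of whole multiples of the period,
// anchored at anchor-time, which may lie in the past or in the future.
// `now` and `anchor` are Unix seconds; `period_minutes` is the "period" leaf.
// Returns the first grid point strictly after `now`, or 0 for a zero period.
int64_t next_call_home(int64_t now, int64_t anchor, uint32_t period_minutes)
{
    if (period_minutes == 0) {
        return 0;
    }
    int64_t period = (int64_t)period_minutes * 60;
    int64_t delta = now - anchor;    // negative when the anchor is in the future
    int64_t k = delta / period;      // C truncates toward zero...
    if (delta < 0 && delta % period != 0) {
        k--;                         // ...so turn it into a floor division
    }
    // anchor + k*period is now the last grid point at or before `now`
    return anchor + (k + 1) * period;
}

// Order in which a client's endpoints are tried for one connection series,
// following the "start-with" leaf: begin with the chosen endpoint and continue
// through the list in order, wrapping around.
enum start_with { START_FIRST_LISTED, START_LAST_CONNECTED, START_RANDOM };

// `last_connected` is the index of the endpoint of the previous successful
// session, or -1 if there was none; `seed` drives the random choice (assumed
// to be supplied by the caller so the result is reproducible). Fills `order`
// with `count` endpoint indices and returns the index tried first, or -1.
int call_home_try_order(enum start_with sw, int count, int last_connected,
                        unsigned seed, int *order)
{
    int start = 0;
    if (count <= 0) {
        return -1;
    }
    if (sw == START_LAST_CONNECTED && last_connected >= 0 && last_connected < count) {
        start = last_connected;
    } else if (sw == START_RANDOM) {
        start = (int)(seed % (unsigned)count);
    }
    for (int i = 0; i < count; i++) {
        order[i] = (start + i) % count;
    }
    return start;
}

int main(void)
{
    int order[3];
    call_home_try_order(START_LAST_CONNECTED, 3, 1, 0, order);
    printf("next connection at %lld, endpoint order %d %d %d\n",
           (long long)next_call_home(1700000000, 1699999000, 60),
           order[0], order[1], order[2]);
    return 0;
}
```

Note that with an anchor in the future the first connection is made at the anchor itself, and that the idle timeout configured per client is what bounds how long each of these sessions may then sit unused.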
 *
 * Connecting And Cleanup
 * ======================
 *
 * When accepting connections with ::nc_accept(), all the listening endpoints
 * are examined and the first one with a pending connection is used. To remove
 * all CH clients and endpoints and free any dynamic memory in use,
 * [destroy](@ref howtoinit) the server.
 *
 * Functions List
 * --------------
 *
 * Available in __nc_server.h__.
 *
 * - ::nc_accept()
 */

/**
 * @page howtoclientcomm Client communication
 *
 * To send an RPC on a session, create it with one of the `nc_rpc_*`
 * constructors listed below, send it with ::nc_send_rpc(), and then wait
 * for the reply with ::nc_recv_reply(). Both calls take a timeout, so a
 * stalled peer cannot block the caller indefinitely. If you are subscribed,
 * there are two ways of receiving notifications: either wait for them the
 * same way as for standard replies with ::nc_recv_notif(), or create a
 * dispatcher with ::nc_recv_notif_dispatch() that asynchronously (in a
 * separate thread) reads notifications and passes them to your callback.
 *
 * Functions List
 * --------------
 *
 * Available in __nc_client.h__.
 *
 * - ::nc_rpc_act_generic()
 * - ::nc_rpc_act_generic_xml()
 * - ::nc_rpc_getconfig()
 * - ::nc_rpc_edit()
 * - ::nc_rpc_copy()
 * - ::nc_rpc_delete()
 * - ::nc_rpc_lock()
 * - ::nc_rpc_unlock()
 * - ::nc_rpc_get()
 * - ::nc_rpc_kill()
 * - ::nc_rpc_commit()
 * - ::nc_rpc_discard()
 * - ::nc_rpc_cancel()
 * - ::nc_rpc_validate()
 * - ::nc_rpc_getschema()
 * - ::nc_rpc_subscribe()
 * - ::nc_rpc_getdata()
 * - ::nc_rpc_editdata()
 * - ::nc_rpc_establishsub()
 * - ::nc_rpc_modifysub()
 * - ::nc_rpc_deletesub()
 * - ::nc_rpc_killsub()
 * - ::nc_rpc_establishpush_periodic()
 * - ::nc_rpc_establishpush_onchange()
 * - ::nc_rpc_modifypush_periodic()
 * - ::nc_rpc_modifypush_onchange()
 * - ::nc_rpc_resyncsub()
 *
 * - ::nc_send_rpc()
 * - ::nc_recv_reply()
 * - ::nc_recv_notif()
 * - ::nc_recv_notif_dispatch()
 */

/**
 * @page howtoservercomm Server communication
 *
 * Once at least one session is established, create an nc_pollsession
 * structure with ::nc_ps_new(), add the session to it with
 * ::nc_ps_add_session() and poll it with ::nc_ps_poll(). Based on
 * the return value from the poll, further actions can be taken. More
 * sessions can be polled at the same time, and any requests received on
 * the sessions are [handled internally](@ref howtoserver).
 *
 * If an SSH NETCONF session asks for a new channel, you can accept
 * this request with ::nc_ps_accept_ssh_channel() or ::nc_session_accept_ssh_channel(),
 * depending on the structure you want to pass as the argument.
 *
 * Functions List
 * --------------
 *
 * Available in __nc_server.h__.
 *
 * - ::nc_ps_new()
 * - ::nc_ps_add_session()
 * - ::nc_ps_del_session()
 * - ::nc_ps_session_count()
 * - ::nc_ps_free()
 *
 * - ::nc_ps_poll()
 * - ::nc_ps_clear()
 * - ::nc_ps_accept_ssh_channel()
 * - ::nc_session_accept_ssh_channel()
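What ::nc_send_rpc() and ::nc_recv_reply() on the client side (see the Client communication page) and ::nc_ps_poll() on the server side do at the transport level for a NETCONF 1.1 session is exchange messages in the chunked framing of RFC 6242. The following is an added example written for this page, not library code: it frames an `rpc` request, has the receiving side decode it and frame an `rpc-reply` back, and shows the checks a decoder needs on the peer-controlled chunk-size field (no leading zeros, a digit limit, and an upper bound on the chunk length). The sample request and MAX_CHUNK_LEN are constructed for the example; the limit is not one taken from libnetconf2.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Largest single chunk this receiver accepts: an assumed local limit for the
// example (the library's own limits are not part of this page). Without some
// bound a peer can announce a huge chunk and make the receiver allocate for it.
#define MAX_CHUNK_LEN 4096

// Frame one message per RFC 6242 section 4.2 as a single chunk:
// "\n#" chunk-size "\n" chunk-data "\n##\n". Returns a malloc'd string.
static char *frame_message(const char *msg)
{
    size_t len = strlen(msg);
    char *out = malloc(len + 32);   // header (at most 23 bytes) + data + trailer + NUL
    if (!out) return NULL;
    int n = sprintf(out, "\n#%zu\n", len);
    memcpy(out + n, msg, len);
    memcpy(out + n + len, "\n##\n", 5);
    return out;
}

// Decode one chunked message from buf. Returns the number of bytes consumed and
// stores a malloc'd NUL-terminated message in *msg; returns 0 if more input is
// needed and -1 on malformed input. The chunk-size field is peer-controlled:
// RFC 6242 forbids leading zeros and caps it at 4294967295 (10 digits), and
// MAX_CHUNK_LEN is enforced here while the digits are still being read.
static long decode_message(const char *buf, size_t buflen, char **msg)
{
#define FAIL(rc) do { free(out); return (rc); } while (0)
    size_t pos = 0, outlen = 0;
    char *out = NULL;
    *msg = NULL;
    for (;;) {
        // every chunk header and the end-of-chunks marker start with "\n#"
        if (buflen - pos < 3) FAIL(0);
        if (buf[pos] != '\n' || buf[pos + 1] != '#') FAIL(-1);
        pos += 2;
        if (buf[pos] == '#') {
            // end-of-chunks "\n##\n"; a message needs at least one chunk
            if (buflen - pos < 2) FAIL(0);
            if (buf[pos + 1] != '\n' || !out) FAIL(-1);
            *msg = out;
            return (long)(pos + 2);
        }
        size_t chunk = 0, digits = 0;
        while (pos < buflen && buf[pos] >= '0' && buf[pos] <= '9') {
            if ((digits == 0 && buf[pos] == '0') || digits == 10) FAIL(-1);
            chunk = chunk * 10 + (size_t)(buf[pos] - '0');
            if (chunk > MAX_CHUNK_LEN) FAIL(-1);
            digits++;
            pos++;
        }
        if (pos == buflen) FAIL(0);
        if (digits == 0 || buf[pos] != '\n') FAIL(-1);
        pos++;
        if (buflen - pos < chunk) FAIL(0);
        char *grown = realloc(out, outlen + chunk + 1);
        if (!grown) FAIL(-1);
        out = grown;
        memcpy(out + outlen, buf + pos, chunk);
        outlen += chunk;
        out[outlen] = '\0';
        pos += chunk;
    }
#undef FAIL
}

// Constructed sample request: a get-config of the running datastore.
static const char *RPC_REQ =
    "<rpc message-id=\"101\" xmlns=\"urn:ietf:params:xml:ns:netconf:base:1.0\">"
    "<get-config><source><running/></source></get-config></rpc>";

// One round trip: the client frames RPC_REQ, the server side decodes it, copies
// the message-id into an rpc-reply and frames that back, and the client decodes
// the reply. Returns the decoded reply (malloc'd) or NULL on a framing error.
static char *run_exchange(void)
{
    char *wire = frame_message(RPC_REQ), *req = NULL, *reply = NULL;
    long used = decode_message(wire, strlen(wire), &req);
    free(wire);
    if (used <= 0) return NULL;

    const char *id = strstr(req, "message-id=\"");
    id = id ? id + 12 : "";
    int idlen = (int)strcspn(id, "\"");
    char resp[256];
    snprintf(resp, sizeof resp, "<rpc-reply message-id=\"%.*s\" "
             "xmlns=\"urn:ietf:params:xml:ns:netconf:base:1.0\"><data/></rpc-reply>",
             idlen, id);
    free(req);

    wire = frame_message(resp);
    used = decode_message(wire, strlen(wire), &reply);
    free(wire);
    return used > 0 ? reply : NULL;
}
```

run_exchange() returns the decoded reply the client ends up with. The decoder returns 0 for an incomplete buffer, so a caller reading from a socket keeps appending and retries; it returns -1 for "\n#05\n..." (leading zero), for a chunk size above MAX_CHUNK_LEN, and for "\n##\n" with no chunk at all, which is the point where a real implementation should drop the session rather than keep parsing.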
 */

/**
 * @page howtotimeouts Timeouts
 *
 * There are several timeouts used throughout _libnetconf2_ to
 * ensure that it never hangs indefinitely on any operation. Normally,
 * you should not need to worry about them because their defaults are
 * reasonable for common systems. However, if your platform is
 * unusual (embedded, ...), adjusting these timeouts may save a lot
 * of debugging and time.
 *
 * Compile Options
 * ---------------
 *
 * You can adjust the active and inactive read timeouts using `cmake` variables.
 * For details, see `README.md`.
 *
 * Configurable timeouts
 * ---------------------
 *
 * Once a new connection is established, including the transport protocol
 * negotiation, the _hello_ message is exchanged. You can set how long the
 * server waits to receive this message from a client before dropping the
 * connection.
 *
 * A working NETCONF session may go without communicating for a long time.
 * To free up resources, the maximum idle period of a session before it is
 * disconnected can be adjusted. In _Call Home_, this idle timeout can be
 * specified separately for each client, for both persistent and periodic
 * connections. Lastly, the SSH user authentication timeout can also be
 * modified: it is the time a client has to authenticate successfully after
 * connecting before it is disconnected. The authentication and hello
 * timeouts bound how long a peer that has not completed the handshake can
 * hold a connection open, so do not raise them beyond what your clients
 * actually need.
 *
 * These timeouts are set by applying the corresponding configuration data.
 */

/**
 * @defgroup misc Miscellaneous
 * @brief Miscellaneous macros, types, structures and functions for generic use by both server and client applications.
 */

/**
 * @defgroup client Client
 * @brief NETCONF client functionality.
 */

/**
 * @defgroup server Server
 * @brief NETCONF server functionality.
 * @{
 * @} Server
 */