libnetconf4

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ on:
       - devel
 
 env:
-  DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev
+  DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev libcurl4-openssl-dev
 
 jobs:
   git-branch:
@@ -85,37 +85,13 @@ jobs:
             make-prepend: "",
             make-target: ""
           }
-          - {
-            name: "SSH Only",
-            os: "ubuntu-22.04",
-            build-type: "Debug",
-            dep-build-type: "Release",
-            cc: "gcc",
-            options: "-DENABLE_TLS=OFF -DENABLE_SSH=ON",
-            packages: "valgrind",
-            snaps: "",
-            make-prepend: "",
-            make-target: ""
-          }
-          - {
-            name: "TLS Only",
-            os: "ubuntu-22.04",
-            build-type: "Debug",
-            dep-build-type: "Release",
-            cc: "gcc",
-            options: "-DENABLE_TLS=ON -DENABLE_SSH=OFF",
-            packages: "valgrind",
-            snaps: "",
-            make-prepend: "",
-            make-target: ""
-          }
           - {
             name: "No SSH nor TLS",
             os: "ubuntu-22.04",
             build-type: "Debug",
             dep-build-type: "Release",
             cc: "gcc",
-            options: "-DENABLE_TLS=OFF -DENABLE_SSH=OFF",
+            options: "-DENABLE_SSH_TLS=OFF,
             packages: "valgrind",
             snaps: "",
             make-prepend: "",

.github/workflows/codeql.yml

@@ -7,7 +7,7 @@ on:
     branches: [ "devel" ]
 
 env:
-  DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev
+  DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev libcurl4-openssl-dev
 
 jobs:
   git-branch:

.github/workflows/devel-push.yml

@@ -5,7 +5,7 @@ on:
       - devel
 
 env:
-  DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev
+  DEFAULT_PACKAGES: libcmocka-dev zlib1g-dev libssh-dev libssl-dev libpam0g-dev libcurl4-openssl-dev
   COVERITY_PROJECT: CESNET%2Flibnetconf2
 
 jobs:

CMakeLists.txt

@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 2.8.12)
+cmake_minimum_required(VERSION 3.5)
 
 project(libnetconf2 C)
 
@@ -57,17 +57,17 @@ endif()
 # Generic version of not only the library. Major version is reserved for really big changes of the project,
 # minor version changes with added functionality (new tool, functionality of the tool or library, ...) and
 # micro version is changed with a set of small changes or bugfixes anywhere in the project.
-set(LIBNETCONF2_MAJOR_VERSION 2)
-set(LIBNETCONF2_MINOR_VERSION 1)
-set(LIBNETCONF2_MICRO_VERSION 40)
+set(LIBNETCONF2_MAJOR_VERSION 3)
+set(LIBNETCONF2_MINOR_VERSION 0)
+set(LIBNETCONF2_MICRO_VERSION 0)
 set(LIBNETCONF2_VERSION ${LIBNETCONF2_MAJOR_VERSION}.${LIBNETCONF2_MINOR_VERSION}.${LIBNETCONF2_MICRO_VERSION})
 
 # Version of the library
 # Major version is changed with every backward non-compatible API/ABI change in libyang, minor version changes
 # with backward compatible change and micro version is connected with any internal change of the library.
-set(LIBNETCONF2_MAJOR_SOVERSION 3)
-set(LIBNETCONF2_MINOR_SOVERSION 7)
-set(LIBNETCONF2_MICRO_SOVERSION 1)
+set(LIBNETCONF2_MAJOR_SOVERSION 4)
+set(LIBNETCONF2_MINOR_SOVERSION 0)
+set(LIBNETCONF2_MICRO_SOVERSION 0)
 set(LIBNETCONF2_SOVERSION_FULL ${LIBNETCONF2_MAJOR_SOVERSION}.${LIBNETCONF2_MINOR_SOVERSION}.${LIBNETCONF2_MICRO_SOVERSION})
 set(LIBNETCONF2_SOVERSION ${LIBNETCONF2_MAJOR_SOVERSION})
 
@@ -90,16 +90,14 @@ else()
 endif()
 option(ENABLE_EXAMPLES "Build examples" ON)
 option(ENABLE_COVERAGE "Build code coverage report from tests" OFF)
-option(ENABLE_SSH "Enable NETCONF over SSH support (via libssh)" ON)
-option(ENABLE_TLS "Enable NETCONF over TLS support (via OpenSSL)" ON)
+option(ENABLE_SSH_TLS "Enable NETCONF over SSH and TLS support (via libssh and OpenSSL)" ON)
 option(ENABLE_DNSSEC "Enable support for SSHFP retrieval using DNSSEC for SSH (requires OpenSSL and libval)" OFF)
 set(READ_INACTIVE_TIMEOUT 20 CACHE STRING "Maximum number of seconds waiting for new data once some data have arrived")
 set(READ_ACTIVE_TIMEOUT 300 CACHE STRING "Maximum number of seconds for receiving a full message")
 set(MAX_PSPOLL_THREAD_COUNT 6 CACHE STRING "Maximum number of threads that could simultaneously access a ps_poll structure")
 set(TIMEOUT_STEP 100 CACHE STRING "Number of microseconds tasks are repeated until timeout elapses")
 set(YANG_MODULE_DIR "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATADIR}/yang/modules/libnetconf2" CACHE STRING "Directory where to copy the YANG modules to")
 set(CLIENT_SEARCH_DIR "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATADIR}/yang/modules" CACHE STRING "Default NC client YANG module search directory")
-set(CALL_HOME_BACKOFF_WAIT 2 CACHE STRING "Number of seconds to wait between Call Home connection attempts")
 
 #
 # sources
@@ -111,20 +109,21 @@ set(libsrc
     src/messages_server.c
     src/session.c
     src/session_client.c
-    src/session_server.c)
+    src/session_server.c
+    src/server_config.c
+    src/server_config_util.c)
 
-if(ENABLE_SSH)
+if(ENABLE_SSH_TLS)
     list(APPEND libsrc
         src/session_client_ssh.c
-        src/session_server_ssh.c)
-    set(SSH_MACRO "#ifndef NC_ENABLED_SSH\n#define NC_ENABLED_SSH\n#endif")
-endif()
-
-if(ENABLE_TLS)
-    list(APPEND libsrc
+        src/session_server_ssh.c
+        src/server_config_util_ssh.c
         src/session_client_tls.c
-        src/session_server_tls.c)
-    set(TLS_MACRO "#ifndef NC_ENABLED_TLS\n#define NC_ENABLED_TLS\n#endif")
+        src/session_server_tls.c
+        src/server_config_util_tls.c
+        src/server_config_ks.c
+        src/server_config_ts.c)
+    set(SSH_TLS_MACRO "#ifndef NC_ENABLED_SSH_TLS\n#define NC_ENABLED_SSH_TLS\n#endif")
 endif()
 
 set(headers
@@ -136,11 +135,12 @@ set(headers
     src/session_client.h
     src/session_client_ch.h
     src/session_server.h
-    src/session_server_ch.h)
+    src/session_server_ch.h
+    src/server_config.h)
 
 # files to generate doxygen from
 set(doxy_files
-    src/libnetconf.h
+    doc/libnetconf.doc
     src/log.h
     src/netconf.h
     src/session.h
@@ -149,7 +149,8 @@ set(doxy_files
     src/session_client.h
     src/session_client_ch.h
     src/session_server.h
-    src/session_server_ch.h)
+    src/session_server_ch.h
+    src/server_config.h)
 
 # source files to be covered by the 'format' target
 set(format_sources
@@ -160,13 +161,12 @@ set(format_sources
     src/*.c
     src/*.h
     tests/*.c
-    tests/client/*.c
     tests/pam/*.c)
 
 #
 # checks
 #
-if(ENABLE_DNSSEC AND NOT ENABLE_SSH)
+if(ENABLE_DNSSEC AND NOT ENABLE_SSH_TLS)
     message(WARNING "DNSSEC SSHFP retrieval cannot be used without SSH support.")
     set(ENABLE_DNSSEC OFF)
 endif()
@@ -225,32 +225,21 @@ target_link_libraries(netconf2 ${CMAKE_THREAD_LIBS_INIT})
 set(CMAKE_REQUIRED_LIBRARIES pthread)
 check_function_exists(pthread_rwlockattr_setkind_np HAVE_PTHREAD_RWLOCKATTR_SETKIND_NP)
 
-# dependencies - openssl
-if(ENABLE_TLS OR ENABLE_DNSSEC OR ENABLE_SSH)
-    find_package(OpenSSL REQUIRED)
-    if(ENABLE_TLS)
-        message(STATUS "OpenSSL found, required for TLS")
-        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DNC_ENABLED_TLS")
-    endif()
-    if(OPENSSL_VERSION VERSION_LESS 1.1.1)
-        message(WARNING "OpenSSL version ${OPENSSL_VERSION} is no longer maintained, consider an update.")
-    endif()
-
+if(ENABLE_SSH_TLS)
+    # dependencies - openssl
+    find_package(OpenSSL 3.0.0 REQUIRED)
     target_link_libraries(netconf2 ${OPENSSL_LIBRARIES})
     include_directories(${OPENSSL_INCLUDE_DIR})
-endif()
-
-# dependencies - libssh
-if(ENABLE_SSH)
-    find_package(LibSSH 0.7.1 REQUIRED)
-    if(LIBSSH_VERSION VERSION_EQUAL 0.9.3 OR LIBSSH_VERSION VERSION_EQUAL 0.9.4)
-        message(FATAL_ERROR "LibSSH ${LIBSSH_VERSION} includes regression bugs and libnetconf2 will NOT work properly, try to use another version")
-    endif()
 
+    # dependencies - libssh
+    find_package(LibSSH 0.9.5 REQUIRED)
     target_link_libraries(netconf2 ${LIBSSH_LIBRARIES})
     list(APPEND CMAKE_REQUIRED_LIBRARIES ${LIBSSH_LIBRARIES})
     include_directories(${LIBSSH_INCLUDE_DIRS})
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DNC_ENABLED_SSH")
+
+    # dependencies - libcurl
+    find_package(CURL 7.30.0 REQUIRED)
+    target_link_libraries(netconf2 CURL::libcurl)
 
     # crypt
     if(${CMAKE_SYSTEM_NAME} MATCHES "QNX")
@@ -279,6 +268,9 @@ if(ENABLE_SSH)
     else()
         message(WARNING "LibPAM not found, PAM-based keyboard-interactive SSH server authentication method is disabled")
     endif()
+
+    # set compiler flag
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DNC_ENABLED_SSH_TLS")
 endif()
 
 # dependencies - libval
@@ -344,8 +336,8 @@ endif()
 
 # examples
 if(ENABLE_EXAMPLES)
-    if(NOT ENABLE_SSH)
-        message(WARNING "Examples will not be compiled because SSH is disabled.")
+    if(NOT ENABLE_SSH_TLS)
+        message(WARNING "Examples will not be compiled because SSH and TLS are disabled.")
     else()
         add_subdirectory(examples)
     endif()

CMakeModules/UseCompat.cmake

@@ -62,6 +62,14 @@ macro(USE_COMPAT)
 
     check_symbol_exists(get_current_dir_name "unistd.h" HAVE_GET_CURRENT_DIR_NAME)
 
+    # crypt
+    if(${CMAKE_SYSTEM_NAME} MATCHES "QNX")
+        list(APPEND CMAKE_REQUIRED_LIBRARIES -llogin)
+    elseif(NOT APPLE)
+        list(APPEND CMAKE_REQUIRED_LIBRARIES -lcrypt)
+    endif()
+    check_symbol_exists(crypt_r "crypt.h" HAVE_CRYPT_R)
+
     TEST_BIG_ENDIAN(IS_BIG_ENDIAN)
 
     check_include_file("stdatomic.h" HAVE_STDATOMIC)

Doxyfile.in

@@ -561,7 +561,7 @@ INLINE_INFO            = YES
 # name. If set to NO, the members will appear in declaration order.
 # The default value is: YES.
 
-SORT_MEMBER_DOCS       = YES
+SORT_MEMBER_DOCS       = NO
 
 # If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
 # descriptions of file, namespace and class members alphabetically by member
@@ -2069,7 +2069,7 @@ INCLUDE_FILE_PATTERNS  =
 # recursively expanded use the := operator instead of the = operator.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
-PREDEFINED             = NC_ENABLED_SSH NC_ENABLED_TLS
+PREDEFINED             = NC_ENABLED_SSH_TLS
 
 # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
 # tag can be used to specify a list of macro names that should be expanded. The
@@ -2184,7 +2184,7 @@ HIDE_UNDOC_RELATIONS   = YES
 # set to NO
 # The default value is: NO.
 
-HAVE_DOT               = @HAVE_DOT@
+HAVE_DOT               = YES
 
 # The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
 # to run in parallel. When set to 0 doxygen will base this on the number of

README.md

@@ -22,7 +22,8 @@ NETCONF 1.0 ([RFC 4741](https://tools.ietf.org/html/rfc4741)) as well as NETCONF
 * NETCONF over pre-established transport sessions (using this mechanism the communication can be tunneled through
   sshd(8), for instance).
 * NETCONF Call Home ([RFC 8071](https://tools.ietf.org/html/rfc8071)).
-* NETCONF Event Notifications ([RFC 5277](https://tools.ietf.org/html/rfc5277)),
+* NETCONF Event Notifications ([RFC 5277](https://tools.ietf.org/html/rfc5277)).
+* Compatibility with the [ietf-netconf-server](https://datatracker.ietf.org/doc/html/draft-ietf-netconf-netconf-client-server-29#name-the-ietf-netconf-server-mod) YANG module.
 
 **libnetconf2** is maintained and further developed by the [Tools for
 Monitoring and Configuration](https://www.liberouter.org/) department of
@@ -59,11 +60,11 @@ the `distro` directory.
 ## Requirements
 
 * C compiler (gcc >= 4.8.4, clang >= 3.0, ...)
-* cmake >= 2.8.12
+* cmake >= 3.5.0
 * [libyang](https://github.com/CESNET/libyang)
-* libssh >= 0.7.1 (for SSH support)
-  * recommended >= 0.9.0
-* OpenSSL (for TLS support)
+* libssh >= 0.9.5 (for SSH support)
+* OpenSSL >= 3.0.0 (for TLS support)
+* curl >= 7.30.0
 
 #### Optional
 
@@ -122,7 +123,7 @@ and enabling both the transport protocols can be made
 in the same way. The following command has actually the same effect as
 specifying no option since it specifies the default settings.
 ```
-$ cmake -DENABLE_TLS=ON -DENABLE_SSH=ON ..
+$ cmake -DENABLE_SSH_TLS=ON ..
 ```
 
 ### DNSSEC SSHFP Retrieval

compat/compat.c

@@ -16,6 +16,7 @@
 
 #include "compat.h"
 
+#include <crypt.h>
 #include <errno.h>
 #include <inttypes.h>
 #include <limits.h>
@@ -372,3 +373,21 @@ get_current_dir_name(void)
 }
 
 #endif
+
+#ifndef HAVE_CRYPT_R
+char *
+crypt_r(const char *phrase, const char *setting, struct crypt_data *data)
+{
+    static pthread_mutex_t crypt_lock = PTHREAD_MUTEX_INITIALIZER;
+    char *hash;
+
+    (void) data;
+
+    pthread_mutex_lock(&crypt_lock);
+    hash = crypt(phrase, setting);
+    pthread_mutex_unlock(&crypt_lock);
+
+    return hash;
+}
+
+#endif

compat/compat.h.in

@@ -18,6 +18,7 @@
 #define _GNU_SOURCE /* pthread_rwlock_t */
 
 #include <alloca.h>
+#include <crypt.h>
 #include <limits.h>
 #include <pthread.h>
 #include <stdarg.h>
@@ -69,6 +70,7 @@
 #cmakedefine HAVE_STRDUPA
 #cmakedefine HAVE_STRCHRNUL
 #cmakedefine HAVE_GET_CURRENT_DIR_NAME
+#cmakedefine HAVE_CRYPT_R
 
 #ifndef bswap64
 #define bswap64(val) \
@@ -204,4 +206,8 @@ char *strchrnul(const char *s, int c);
 char *get_current_dir_name(void);
 #endif
 
+#ifndef HAVE_CRYPT_R
+char *crypt_r(const char *phrase, const char *setting, struct crypt_data *data);
+#endif
+
 #endif /* _COMPAT_H_ */