libnetconf2 UPDATE merge SSH and TLS req into one

In this commit I made the changes that if you want to use TLS, you have to have both OpenSSL and libssh installed and viceversa. Set the minimum required OpenSSL version to 3.0 and 0.9.5 for libssh.
CESNET · Jun 6, 2023 · 4ace933 · 4ace933
1 parent c8360c6
commit 4ace933
Show file tree

Hide file tree

Showing 40 changed files with 295 additions and 989 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -90,9 +90,7 @@ else()
 endif()
 option(ENABLE_EXAMPLES "Build examples" ON)
 option(ENABLE_COVERAGE "Build code coverage report from tests" OFF)
-option(ENABLE_SSH "Enable NETCONF over SSH support (via libssh)" ON)
-option(ENABLE_TLS "Enable NETCONF over TLS support (via OpenSSL)" ON)
-# option(ENABLE_SSH_TLS "Enable NETCONF over SSH and TLS support (via libssh and OpenSSL)" ON)
+option(ENABLE_SSH_TLS "Enable NETCONF over SSH and TLS support (via libssh and OpenSSL)" ON)
 option(ENABLE_DNSSEC "Enable support for SSHFP retrieval using DNSSEC for SSH (requires OpenSSL and libval)" OFF)
 set(READ_INACTIVE_TIMEOUT 20 CACHE STRING "Maximum number of seconds waiting for new data once some data have arrived")
 set(READ_ACTIVE_TIMEOUT 300 CACHE STRING "Maximum number of seconds for receiving a full message")
@@ -114,24 +112,19 @@ set(libsrc
     src/session_client.c
     src/session_server.c
     src/server_config.c
-    src/server_config_ks.c
-    src/server_config_ts.c
     src/config_new.c)
 
-if(ENABLE_SSH)
+if(ENABLE_SSH_TLS)
     list(APPEND libsrc
         src/session_client_ssh.c
         src/session_server_ssh.c
-        src/config_new_ssh.c)
-    set(SSH_MACRO "#ifndef NC_ENABLED_SSH\n#define NC_ENABLED_SSH\n#endif")
-endif()
-
-if(ENABLE_TLS)
-    list(APPEND libsrc
+        src/config_new_ssh.c
         src/session_client_tls.c
         src/session_server_tls.c
-        src/config_new_tls.c)
-    set(TLS_MACRO "#ifndef NC_ENABLED_TLS\n#define NC_ENABLED_TLS\n#endif")
+        src/config_new_tls.c
+        src/server_config_ks.c
+        src/server_config_ts.c)
+    set(SSH_TLS_MACRO "#ifndef NC_ENABLED_SSH_TLS\n#define NC_ENABLED_SSH_TLS\n#endif")
 endif()
 
 set(headers
@@ -175,7 +168,7 @@ set(format_sources
 #
 # checks
 #
-if(ENABLE_DNSSEC AND NOT ENABLE_SSH)
+if(ENABLE_DNSSEC AND NOT ENABLE_SSH_TLS)
     message(WARNING "DNSSEC SSHFP retrieval cannot be used without SSH support.")
     set(ENABLE_DNSSEC OFF)
 endif()
@@ -234,26 +227,17 @@ target_link_libraries(netconf2 ${CMAKE_THREAD_LIBS_INIT})
 set(CMAKE_REQUIRED_LIBRARIES pthread)
 check_function_exists(pthread_rwlockattr_setkind_np HAVE_PTHREAD_RWLOCKATTR_SETKIND_NP)
 
-# dependencies - openssl
-if(ENABLE_TLS OR ENABLE_DNSSEC OR ENABLE_SSH)
+if(ENABLE_SSH_TLS)
+    # dependencies - openssl
     find_package(OpenSSL 3.0.0 REQUIRED)
-    if(ENABLE_TLS)
-        message(STATUS "OpenSSL found, required for TLS")
-        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DNC_ENABLED_TLS")
-    endif()
-
     target_link_libraries(netconf2 ${OPENSSL_LIBRARIES})
     include_directories(${OPENSSL_INCLUDE_DIR})
-endif()
 
-# dependencies - libssh
-if(ENABLE_SSH)
+    # dependencies - libssh
     find_package(LibSSH 0.9.5 REQUIRED)
-
     target_link_libraries(netconf2 ${LIBSSH_LIBRARIES})
     list(APPEND CMAKE_REQUIRED_LIBRARIES ${LIBSSH_LIBRARIES})
     include_directories(${LIBSSH_INCLUDE_DIRS})
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DNC_ENABLED_SSH")
 
     # crypt
     if(${CMAKE_SYSTEM_NAME} MATCHES "QNX")
@@ -282,6 +266,9 @@ if(ENABLE_SSH)
     else()
         message(WARNING "LibPAM not found, PAM-based keyboard-interactive SSH server authentication method is disabled")
     endif()
+
+    # set compiler flag
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DNC_ENABLED_SSH_TLS")
 endif()
 
 # dependencies - libval
@@ -347,8 +334,8 @@ endif()
 
 # examples
 if(ENABLE_EXAMPLES)
-    if(NOT ENABLE_SSH)
-        message(WARNING "Examples will not be compiled because SSH is disabled.")
+    if(NOT ENABLE_SSH_TLS)
+        message(WARNING "Examples will not be compiled because SSH and TLS are disabled.")
     else()
         add_subdirectory(examples)
     endif()

diff --git a/examples/client.c b/examples/client.c
@@ -149,8 +149,6 @@ main(int argc, char **argv)
         goto cleanup;
     }
 
-    nc_client_init();
-
     /* set the path to search for schemas */
     nc_client_set_schema_searchpath(MODULES_DIR);
 

diff --git a/nc_client.h.in b/nc_client.h.in
@@ -16,13 +16,12 @@
 #ifndef NC_CLIENT_H_
 #define NC_CLIENT_H_
 
-@SSH_MACRO@
-@TLS_MACRO@
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#cmakedefine SSH_TLS_MACRO
+
 #include <libnetconf2/netconf.h>
 #include <libnetconf2/log.h>
 #include <libnetconf2/messages_client.h>

diff --git a/nc_server.h.in b/nc_server.h.in
@@ -16,13 +16,12 @@
 #ifndef NC_SERVER_H_
 #define NC_SERVER_H_
 
-@SSH_MACRO@
-@TLS_MACRO@
-
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#cmakedefine SSH_TLS_MACRO
+
 #include <libnetconf2/netconf.h>
 #include <libnetconf2/log.h>
 #include <libnetconf2/messages_server.h>

diff --git a/src/config_new.c b/src/config_new.c
@@ -15,15 +15,17 @@
 
 #define _GNU_SOURCE
 
+#include <libyang/libyang.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
+#ifdef NC_ENABLED_SSH_TLS
 #include <libssh/libssh.h>
-#include <libyang/libyang.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
+#endif /* NC_ENABLED_SSH_TLS */
 
 #include "compat.h"
 #include "config_new.h"
@@ -47,6 +49,8 @@ nc_config_new_check_add_operation(const struct ly_ctx *ctx, struct lyd_node *top
     return 0;
 }
 
+#ifdef NC_ENABLED_SSH_TLS
+
 const char *
 nc_config_new_privkey_format_to_identityref(NC_PRIVKEY_FORMAT format)
 {
@@ -272,8 +276,6 @@ nc_server_config_new_read_pubkey_openssl(FILE *f, char **pubkey)
     return ret;
 }
 
-#ifdef NC_ENABLED_SSH
-
 static int
 nc_server_config_new_read_pubkey_libssh(const char *pubkey_path, char **pubkey)
 {
@@ -295,8 +297,6 @@ nc_server_config_new_read_pubkey_libssh(const char *pubkey_path, char **pubkey)
     return ret;
 }
 
-#endif /* NC_ENABLED_SSH */
-
 int
 nc_server_config_new_get_pubkey(const char *pubkey_path, char **pubkey, NC_PUBKEY_FORMAT *pubkey_type)
 {
@@ -332,13 +332,11 @@ nc_server_config_new_get_pubkey(const char *pubkey_path, char **pubkey, NC_PUBKE
         ret = nc_server_config_new_read_ssh2_pubkey(f, pubkey);
         *pubkey_type = NC_PUBKEY_FORMAT_SSH2;
     }
-#ifdef NC_ENABLED_SSH
     else {
         /* it's probably OpenSSH public key */
         ret = nc_server_config_new_read_pubkey_libssh(pubkey_path, pubkey);
         *pubkey_type = NC_PUBKEY_FORMAT_SSH2;
     }
-#endif /* NC_ENABLED_SSH */
 
     if (ret) {
         ERR(NULL, "Error getting public key from file \"%s\".", pubkey_path);
@@ -490,13 +488,11 @@ static int
 nc_server_config_new_privkey_to_pubkey(EVP_PKEY *priv_pkey, const ssh_key priv_sshkey, NC_PRIVKEY_FORMAT privkey_type, char **pubkey, NC_PUBKEY_FORMAT *pubkey_type)
 {
     switch (privkey_type) {
-#ifdef NC_ENABLED_SSH
     case NC_PRIVKEY_FORMAT_RSA:
     case NC_PRIVKEY_FORMAT_EC:
     case NC_PRIVKEY_FORMAT_OPENSSH:
         *pubkey_type = NC_PUBKEY_FORMAT_SSH2;
         return nc_server_config_new_privkey_to_pubkey_libssh(priv_sshkey, pubkey);
-#endif /* NC_ENABLED_SSH */
     case NC_PRIVKEY_FORMAT_X509:
         *pubkey_type = NC_PUBKEY_FORMAT_X509;
         return nc_server_config_new_privkey_to_pubkey_openssl(priv_pkey, pubkey);
@@ -507,8 +503,6 @@ nc_server_config_new_privkey_to_pubkey(EVP_PKEY *priv_pkey, const ssh_key priv_s
     return 1;
 }
 
-#ifdef NC_ENABLED_SSH
-
 static int
 nc_server_config_new_get_privkey_libssh(const char *privkey_path, char **privkey, ssh_key *priv_sshkey)
 {
@@ -530,8 +524,6 @@ nc_server_config_new_get_privkey_libssh(const char *privkey_path, char **privkey
     return ret;
 }
 
-#endif /* NC_ENABLED_SSH */
-
 int
 nc_server_config_new_get_keys(const char *privkey_path, const char *pubkey_path,
         char **privkey, char **pubkey, NC_PRIVKEY_FORMAT *privkey_type, NC_PUBKEY_FORMAT *pubkey_type)
@@ -567,9 +559,7 @@ nc_server_config_new_get_keys(const char *privkey_path, const char *pubkey_path,
         /* it's PKCS8 (X.509) private key */
         *privkey_type = NC_PRIVKEY_FORMAT_X509;
         ret = nc_server_config_new_get_privkey_openssl(f_privkey, privkey, &priv_pkey);
-    }
-#ifdef NC_ENABLED_SSH
-    else if (!strncmp(header, NC_OPENSSH_PRIVKEY_HEADER, strlen(NC_OPENSSH_PRIVKEY_HEADER))) {
+    } else if (!strncmp(header, NC_OPENSSH_PRIVKEY_HEADER, strlen(NC_OPENSSH_PRIVKEY_HEADER))) {
         /* it's OpenSSH private key */
         *privkey_type = NC_PRIVKEY_FORMAT_OPENSSH;
         ret = nc_server_config_new_get_privkey_libssh(privkey_path, privkey, &priv_sshkey);
@@ -581,9 +571,7 @@ nc_server_config_new_get_keys(const char *privkey_path, const char *pubkey_path,
         /* it's EC privkey in SEC1 format */
         *privkey_type = NC_PRIVKEY_FORMAT_EC;
         ret = nc_server_config_new_get_privkey_libssh(privkey_path, privkey, &priv_sshkey);
-    }
-#endif /* NC_ENABLED_SSH */
-    else {
+    } else {
         ERR(NULL, "Private key format not supported.");
         ret = 1;
         goto cleanup;
@@ -628,18 +616,17 @@ nc_server_config_new_address_port(const struct ly_ctx *ctx, const char *endpt_na
     NC_CHECK_ARG_RET(NULL, address, port, ctx, endpt_name, config, 1);
 
     /* prepare path for instertion of leaves later */
-#ifdef NC_ENABLED_SSH
     if (transport == NC_TI_LIBSSH) {
         asprintf(&tree_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/ssh/tcp-server-parameters", endpt_name);
-    }
-#endif
-#ifdef NC_ENABLED_TLS
-    if (transport == NC_TI_OPENSSL) {
+    } else if (transport == NC_TI_OPENSSL) {
         asprintf(&tree_path, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/tcp-server-parameters", endpt_name);
+    } else {
+        ERR(NULL, "Transport not supported.");
+        ret = 1;
+        goto cleanup;
     }
-#endif
     if (!tree_path) {
-        ERR(NULL, "Transport not supported or memory allocation error.");
+        ERRMEM;
         ret = 1;
         goto cleanup;
     }
@@ -691,3 +678,5 @@ nc_server_config_new_address_port(const struct ly_ctx *ctx, const char *endpt_na
     free(tree_path);
     return ret;
 }
+
+#endif /* NC_ENABLED_SSH_TLS */
diff --git a/src/config_new.h b/src/config_new.h
@@ -24,6 +24,8 @@
 extern "C" {
 #endif
 
+#ifdef NC_ENABLED_SSH_TLS
+
 /* private key's pkcs8 header */
 #define NC_PKCS8_PRIVKEY_HEADER "-----BEGIN PRIVATE KEY-----\n"
 
@@ -77,10 +79,12 @@ int nc_server_config_new_get_pubkey(const char *pubkey_path, char **pubkey, NC_P
 
 int nc_server_config_new_read_certificate(const char *cert_path, char **cert);
 
-int nc_config_new_check_add_operation(const struct ly_ctx *ctx, struct lyd_node *top);
-
 const char * nc_config_new_privkey_format_to_identityref(NC_PRIVKEY_FORMAT format);
 
+#endif /* NC_ENABLED_SSH_TLS */
+
+int nc_config_new_check_add_operation(const struct ly_ctx *ctx, struct lyd_node *top);
+
 #ifdef __cplusplus
 }
 #endif