Merging upstream version 3.5.5 (Closes: #1098233).

Signed-off-by: Daniel Baumann <daniel@debian.org>

README.md

@@ -22,13 +22,14 @@ NETCONF 1.0 ([RFC 4741](https://tools.ietf.org/html/rfc4741)) as well as NETCONF
 * NETCONF over pre-established transport sessions (using this mechanism the communication can be tunneled through
   sshd(8), for instance).
 * NETCONF Call Home ([RFC 8071](https://tools.ietf.org/html/rfc8071)).
-* NETCONF Event Notifications ([RFC 5277](https://tools.ietf.org/html/rfc5277)),
+* NETCONF Event Notifications ([RFC 5277](https://tools.ietf.org/html/rfc5277)).
+* Compatibility with the [ietf-netconf-server](https://datatracker.ietf.org/doc/html/draft-ietf-netconf-netconf-client-server-29#name-the-ietf-netconf-server-mod) YANG module.
 
 **libnetconf2** is maintained and further developed by the [Tools for
 Monitoring and Configuration](https://www.liberouter.org/) department of
 [CESNET](http://www.ces.net/). Any testing or improving/fixing the library
 is welcome. Please inform us about your experiences with using **libnetconf2**
-via the [issue tracker](https://github.com/CESNET/libnetconf/issues).
+via the [issue tracker](https://github.com/CESNET/libnetconf2/issues).
 
 Besides the [**libyang**](https://github.com/CESNET/libyang), **libnetconf2** is
 another basic building block for the [**Netopeer2** toolset](https://github.com/CESNET/Netopeer2).
@@ -51,79 +52,41 @@ and it occurs on the `master` branch, the **first response will likely be** to u
 of the [**libnetconf**](https://github.com/CESNET/libnetconf) library, which
 is now obsolete and should not be used.
 
-# Installation
+## Packages
 
-## Required Dependencies
+Binary RPM or DEB packages of the latest release can be built locally using `apkg`, look into `README` in
+the `distro` directory.
 
-Install the following libraries and tools the libnetconf2 depends on.
+## Requirements
 
-### libyang
-Follow the [libyang instructions](https://github.com/CESNET/libyang/blob/master/README.md),
-in short:
-```
-$ git clone https://github.com/CESNET/libyang.git
-$ cd libyang; mkdir build; cd build
-$ cmake ..
-$ make
-# make install
-```
+* C compiler (gcc >= 4.8.4, clang >= 3.0, ...)
+* cmake >= 3.5.0
+* crypt(3)
+* [libyang](https://github.com/CESNET/libyang)
+* libssh >= 0.9.5 (for SSH support)
+* OpenSSL >= 3.0.0 or MbedTLS >= 3.5.0 (for TLS support)
+* curl >= 7.30.0
 
-### libssh
-Required version is at least 0.7.1. This dependency can be removed by disabling
-SSH support (see the [Build Options](#build-options) section). Below si the basic
-sequence of commands for compiling and installing it from source. However, there
-are packages for certain Linux distributions available [here](https://www.libssh.org/get-it/).
-```
-$ git clone http://git.libssh.org/projects/libssh.git
-$ cd libssh; mkdir build; cd build
-$ cmake ..
-$ make
-# make install
-```
+#### Optional
 
-### OpenSSL
-This dependency is required when the TLS support is enabled, which it is by
-default but libssh requires it too. So, to remove this dependency, you need
-to disable both SSH and TLS (see the [Build Options](#build-options) section).
+* libpam (for PAM-based SSH `keyboard-interactive` authentication method)
+* libval (only for DNSSEC SSHFP retrieval)
+  * [DNSSEC-Tools/dnssec-tools/validator](https://github.com/DNSSEC-Tools/DNSSEC-Tools/tree/master/dnssec-tools/validator)
+    part of the DNSSEC-Tools suite
+* doxygen (for generating documentation)
+* cmocka >= 1.0.1 (for tests only, see [Tests](#Tests))
+* valgrind (for enhanced testing)
+* gcov (for code coverage)
+* lcov (for code coverage)
+* genhtml (for code coverage)
 
-OpenSSL is a standard part of the most distribution, so ask your package
-manager for OpenSSL package including the necessary development files
-(usually -dev or -devel package).
-
-## Optional Dependencies
-
-### libval (part of the DNSSEC-Tools suite)
-It is required only if DNSSEC SSHFP retrieval is enabled (it is disabled by
-default, see the [Build Options](#build-options) section).
-
-The easier way of installing it is as the libval-dev package (or a part of
-the dnssec-tools package), if you can find it for your distribution. Otherwise,
-compile and install it from [source](https://github.com/DNSSEC-Tools/DNSSEC-Tools/).
-Only the validator component (`DNSSEC-Tools/dnssec-tools/validator`) is needed.
-
-### cmocka
-For running the tests cmocka 1.0.1 is required (see the [Tests](#tests) section for more information).
-```
-$ sudo apt-get install libcmocka-dev
-```
-
-### Doxygen
-For building the library documentation.
-
-Doxygen is a standard part of the most distribution, so ask your package
-manager for doxygen package.
-
-### gcov
-
-For code coverage, `gcov`, `lcov`, and `genhtml` are needed.
-
-## Building libnetconf2
+## Building
 
 ```
 $ mkdir build; cd build
 $ cmake ..
 $ make
-# install
+# make install
 ```
 
 The library documentation can be generated directly from the source codes using
@@ -161,7 +124,7 @@ and enabling both the transport protocols can be made
 in the same way. The following command has actually the same effect as
 specifying no option since it specifies the default settings.
 ```
-$ cmake -DENABLE_TLS=ON -DENABLE_SSH=ON ..
+$ cmake -DENABLE_SSH_TLS=ON ..
 ```
 
 ### DNSSEC SSHFP Retrieval
@@ -229,10 +192,7 @@ $ make
 $ make coverage
 ```
 
-Note that `gcc` compiler is required for this option and additional tools are required:
-* gcov
-* lcov
-* genhtml
+Note that `gcc` compiler is required for this option.
 
 ### CMake Notes
 
@@ -248,7 +208,7 @@ All public functions are available via 2 headers:
 #include <nc_client.h>
 ```
 
-You need to include either one if imeplementing a NETCONF server or a NETCONF client,
+You need to include either one if implementing a NETCONF server or a NETCONF client,
 respectively.
 
 To compile your program with libnetconf2, it is necessary to link it with it using the
@@ -257,6 +217,10 @@ following linker parameters:
 -lnetconf2
 ```
 
+## Examples
+
+See [examples](examples) directory for an example client and server.
+
 ## Tests
 
 The repository includes several tests built with [cmocka](https://cmocka.org/).
@@ -283,3 +247,43 @@ Tests can be run by the make's `test` target:
 $ make test
 ```
 
+## Supported YANG modules
+
+### Server
+
+The *libnetconf2* NETCONF server has two APIs that load YANG modules into the context. The first API is [nc_server_init_ctx](https://netopeer.liberouter.org/doc/libnetconf2/master/html/group__server__functions.html#ga35cccf2dbe9204abe01ccb4b93db7438), which loads the following YANG modules with their features:
+
+- **ietf-netconf**: writable-running, candidate, rollback-on-error, validate, startup, url, xpath, confirmed-commit,
+- **ietf-netconf-monitoring**: no features.
+
+The second API is [nc_server_config_load_modules](https://netopeer.liberouter.org/doc/libnetconf2/master/html/group__server__config__functions.html#ga3760b87e3ab4309514e9ad82c4c09cdb). Supported features (marked by ✔) are loaded into the context by this API.
+
+- **iana-crypt-hash**: crypt-hash-md5 ✔, crypt-hash-sha-256 ✔, crypt-hash-sha-512 ✔,
+- **ietf-netconf-server**: ssh-listen ✔, tls-listen ✔, ssh-call-home ✔, tls-call-home ✔, central-netconf-server-supported ✔,
+- **iana-ssh-encryption-algs**: no features,
+- **iana-ssh-key-exchange-algs**: no features,
+- **iana-ssh-mac-algs**: no features,
+- **iana-ssh-public-key-algs**: no features,
+- **iana-tls-cipher-suite-algs**: no features,
+- **ietf-crypto-types**: cleartext-passwords ✔, cleartext-private-keys ✔, private-key-encryption ✘, csr-generation ✘, p10-csr-format ✘, certificate-expiration-notification **?**, encrypted-passwords ✘, hidden-symmetric-keys ✘, encrypted-symmetric-keys ✘, hidden-private-keys ✘, encrypted-private-keys ✘, one-symmetric-key-format ✘, one-asymmetric-key-format ✘, symmetrically-encrypted-value-format ✘, asymmetrically-encrypted-value-format ✘, cms-enveloped-data-format ✘, cms-encrypted-data-format ✘, cleartext-symmetric-keys ✘,
+- **ietf-keystore**: central-keystore-supported ✔, inline-definitions-supported ✔, asymmetric-keys ✔, symmetric-keys ✘,
+- **ietf-netconf-server**: ssh-listen ✔, tls-listen ✔, ssh-call-home ✔, tls-call-home ✔, central-netconf-server-supported ✔,
+- **ietf-ssh-common**: transport-params ✔, ssh-x509-certs ✘, public-key-generation ✘,
+- **ietf-ssh-server**: local-users-supported **?**, local-user-auth-publickey ✔, local-user-auth-password ✔, local-user-auth-none ✔, ssh-server-keepalives ✘, local-user-auth-hostbased ✘,
+- **ietf-tcp-client**: tcp-client-keepalives ✔, proxy-connect ✘, socks5-gss-api ✘, socks5-username-password ✘, local-binding-supported ✔,
+- **ietf-tcp-common**: transport-params ✔, ssh-x509-certs ✘, public-key-generation ✘,
+- **ietf-tcp-server**: tcp-server-keepalives ✔,
+- **ietf-tls-common**: tls10 ✔, tls11 ✔, tls12 ✔, tls13 ✔, hello-params ✔, public-key-generation ✘,
+- **ietf-tls-server**: server-ident-x509-cert ✔, client-auth-supported ✔, client-auth-x509-cert ✔, tls-server-keepalives ✘, server-ident-raw-public-key ✘, server-ident-tls12-psk ✘, server-ident-tls13-epsk ✘, client-auth-raw-public-key ✘, client-auth-tls12-psk ✘, client-auth-tls13-epsk ✘,
+- **ietf-truststore**: central-truststore-supported ✔, inline-definitions-supported ✔, certificates ✔, public-keys ✔,
+- **ietf-x509-cert-to-name**: no features,
+- **libnetconf2-netconf-server**: no features.
+
+The following features can be enabled/disabled to influence the behaviour of the `libnetconf2` NETCONF server:
+
+- `local-users-supported` - enabled by default, disable to change the behaviour of the SSH authentication (see the *libnetconf2* [documentation](https://netopeer.liberouter.org/doc/libnetconf2/master/html/howtoserver.html)).
+- `certificate-expiration-notification` - disabled by default, but certificate expiration notifications are supported and you can enable this feature to create such YANG data (see the *libnetconf2* documentation).
+
+### Client
+
+Currently no client specific YANG modules are supported.