1 /* Copyright 2010-2013 NORDUnet A/S. All rights reserved.
2 See LICENSE for licensing information. */
4 #if defined HAVE_CONFIG_H
12 #include <radsec/radsec.h>
13 #include <radsec/radsec-impl.h>
19 # common config options
21 # common realm config options
23 type = "UDP"|"TCP"|"TLS"|"DTLS"
30 pskstr = STRING # Transport pre-shared key, UTF-8 form.
31 pskhexstr = STRING # Transport pre-shared key, ASCII hex form.
33 pskex = "PSK"|"DHE_PSK"|"RSA_PSK"
34 disable_hostname_check = "yes"|"no"
37 # client specific realm config options
42 secret = STRING # RADIUS secret
47 /* FIXME: Leaking memory in error cases. */
49 rs_context_read_config(struct rs_context *ctx, const char *config_file)
51 cfg_t *cfg, *cfg_realm, *cfg_server;
55 struct rs_config *config = NULL;
57 cfg_opt_t server_opts[] =
59 CFG_STR ("hostname", NULL, CFGF_NONE),
60 CFG_STR ("service", "2083", CFGF_NONE),
61 CFG_STR ("secret", "radsec", CFGF_NONE),
64 cfg_opt_t realm_opts[] =
66 CFG_STR ("type", "UDP", CFGF_NONE),
67 CFG_INT ("timeout", 2, CFGF_NONE), /* FIXME: Remove? */
68 CFG_INT ("retries", 2, CFGF_NONE), /* FIXME: Remove? */
69 CFG_STR ("cacertfile", NULL, CFGF_NONE),
70 /*CFG_STR ("cacertpath", NULL, CFGF_NONE),*/
71 CFG_STR ("certfile", NULL, CFGF_NONE),
72 CFG_STR ("certkeyfile", NULL, CFGF_NONE),
73 CFG_STR ("pskstr", NULL, CFGF_NONE),
74 CFG_STR ("pskhexstr", NULL, CFGF_NONE),
75 CFG_STR ("pskid", NULL, CFGF_NONE),
76 CFG_STR ("pskex", "PSK", CFGF_NONE),
77 CFG_BOOL ("disable_hostname_check", cfg_false, CFGF_NONE),
78 CFG_SEC ("server", server_opts, CFGF_MULTI),
83 CFG_SEC ("realm", realm_opts, CFGF_TITLE | CFGF_MULTI),
87 cfg = cfg_init (opts, CFGF_NONE);
89 return rs_err_ctx_push (ctx, RSE_CONFIG, "unable to initialize libconfuse");
90 err = cfg_parse (cfg, config_file);
96 return rs_err_ctx_push (ctx, RSE_CONFIG,
97 "%s: unable to open configuration file",
100 return rs_err_ctx_push (ctx, RSE_CONFIG, "%s: invalid configuration file",
103 return rs_err_ctx_push (ctx, RSE_CONFIG, "%s: unknown parse error",
107 config = rs_calloc (ctx, 1, sizeof (*config));
109 return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL);
110 ctx->config = config;
112 for (i = 0; i < cfg_size (cfg, "realm"); i++)
114 struct rs_realm *r = NULL;
116 char *pskstr = NULL, *pskhexstr = NULL;
118 r = rs_calloc (ctx, 1, sizeof(*r));
120 return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL);
121 if (config->realms != NULL)
123 r->next = config->realms->next;
124 config->realms->next = r;
130 cfg_realm = cfg_getnsec (cfg, "realm", i);
131 s = cfg_title (cfg_realm);
133 return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__,
134 "missing realm name");
135 /* We use a copy of the return value of cfg_title() since it's const. */
136 r->name = rs_strdup (ctx, s);
140 typestr = cfg_getstr (cfg_realm, "type");
141 if (strcmp (typestr, "UDP") == 0)
142 r->type = RS_CONN_TYPE_UDP;
143 else if (strcmp (typestr, "TCP") == 0)
144 r->type = RS_CONN_TYPE_TCP;
145 else if (strcmp (typestr, "TLS") == 0)
146 r->type = RS_CONN_TYPE_TLS;
147 else if (strcmp (typestr, "DTLS") == 0)
148 r->type = RS_CONN_TYPE_DTLS;
150 return rs_err_ctx_push (ctx, RSE_CONFIG,
151 "%s: invalid connection type: %s",
153 r->timeout = cfg_getint (cfg_realm, "timeout");
154 r->retries = cfg_getint (cfg_realm, "retries");
155 r->disable_hostname_check = cfg_getbool (cfg_realm, "disable_hostname_check");
157 r->cacertfile = cfg_getstr (cfg_realm, "cacertfile");
158 /*r->cacertpath = cfg_getstr (cfg_realm, "cacertpath");*/
159 r->certfile = cfg_getstr (cfg_realm, "certfile");
160 r->certkeyfile = cfg_getstr (cfg_realm, "certkeyfile");
162 pskstr = cfg_getstr (cfg_realm, "pskstr");
163 pskhexstr = cfg_getstr (cfg_realm, "pskhexstr");
164 if (pskstr || pskhexstr)
166 #if defined RS_ENABLE_TLS_PSK
167 char *kex = cfg_getstr (cfg_realm, "pskex");
168 rs_cred_type_t type = RS_CRED_NONE;
169 struct rs_credentials *cred = NULL;
170 assert (kex != NULL);
172 if (!strcmp (kex, "PSK"))
173 type = RS_CRED_TLS_PSK;
176 /* TODO: push a warning on the error stack:*/
177 /*rs_err_ctx_push (ctx, RSE_WARN, "%s: unsupported PSK key exchange"
178 " algorithm -- PSK not used", kex);*/
181 if (type != RS_CRED_NONE)
183 cred = rs_calloc (ctx, 1, sizeof (*cred));
185 return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__,
188 cred->identity = cfg_getstr (cfg_realm, "pskid");
191 cred->secret_encoding = RS_KEY_ENCODING_ASCII_HEX;
192 cred->secret = pskhexstr;
194 ; /* TODO: warn that we're ignoring pskstr */
198 cred->secret_encoding = RS_KEY_ENCODING_UTF8;
199 cred->secret = pskstr;
202 r->transport_cred = cred;
204 #else /* !RS_ENABLE_TLS_PSK */
205 /* TODO: push a warning on the error stack: */
206 /* rs_err_ctx_push (ctx, RSE_WARN, "libradsec wasn't configured with "
207 "support for TLS preshared keys, ignoring pskstr "
209 #endif /* RS_ENABLE_TLS_PSK */
212 /* For TLS and DTLS realms, validate that we either have (i) CA
213 cert file or path or (ii) PSK. */
214 if ((r->type == RS_CONN_TYPE_TLS || r->type == RS_CONN_TYPE_DTLS)
215 && (r->cacertfile == NULL && r->cacertpath == NULL)
216 && r->transport_cred == NULL)
217 return rs_err_ctx_push (ctx, RSE_CONFIG,
218 "%s: missing both CA file/path and PSK",
221 /* Add peers, one per server stanza. */
222 for (j = 0; j < cfg_size (cfg_realm, "server"); j++)
224 struct rs_peer *p = peer_create (ctx, &r->peers);
226 return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__,
230 cfg_server = cfg_getnsec (cfg_realm, "server", j);
231 p->hostname = cfg_getstr (cfg_server, "hostname");
232 p->service = cfg_getstr (cfg_server, "service");
233 p->secret = cfg_getstr (cfg_server, "secret");
237 /* Save config object in context, for freeing in rs_context_destroy(). */
238 ctx->config->cfg = cfg;
244 rs_conf_find_realm(struct rs_context *ctx, const char *name)
250 for (r = ctx->config->realms; r; r = r->next)
251 if (strcmp (r->name, name) == 0)