+ "missing realm name");
+ /* We use a copy of the return value of cfg_title() since it's const. */
+ r->name = rs_strdup (ctx, s);
+ if (r->name == NULL)
+ return RSE_NOMEM;
+
+ typestr = cfg_getstr (cfg_realm, "type");
+ if (strcmp (typestr, "UDP") == 0)
+ r->type = RS_CONN_TYPE_UDP;
+ else if (strcmp (typestr, "TCP") == 0)
+ r->type = RS_CONN_TYPE_TCP;
+ else if (strcmp (typestr, "TLS") == 0)
+ r->type = RS_CONN_TYPE_TLS;
+ else if (strcmp (typestr, "DTLS") == 0)
+ r->type = RS_CONN_TYPE_DTLS;
+ else
+ return rs_err_ctx_push (ctx, RSE_CONFIG,
+ "%s: invalid connection type: %s",
+ r->name, typestr);
+ r->timeout = cfg_getint (cfg_realm, "timeout");
+ r->retries = cfg_getint (cfg_realm, "retries");
+
+ r->cacertfile = cfg_getstr (cfg_realm, "cacertfile");
+ /*r->cacertpath = cfg_getstr (cfg_realm, "cacertpath");*/
+ r->certfile = cfg_getstr (cfg_realm, "certfile");
+ r->certkeyfile = cfg_getstr (cfg_realm, "certkeyfile");
+
+ pskstr = cfg_getstr (cfg_realm, "pskstr");
+ pskhexstr = cfg_getstr (cfg_realm, "pskhexstr");
+ if (pskstr || pskhexstr)
+ {
+#if defined RS_ENABLE_TLS_PSK
+ char *kex = cfg_getstr (cfg_realm, "pskex");
+ rs_cred_type_t type = RS_CRED_NONE;
+ struct rs_credentials *cred = NULL;
+ assert (kex != NULL);
+
+ if (!strcmp (kex, "PSK"))
+ type = RS_CRED_TLS_PSK;
+ else
+ {
+ /* TODO: push a warning on the error stack:*/
+ /*rs_err_ctx_push (ctx, RSE_WARN, "%s: unsupported PSK key exchange"
+ " algorithm -- PSK not used", kex);*/
+ }
+
+ if (type != RS_CRED_NONE)
+ {
+ cred = rs_calloc (ctx, 1, sizeof (*cred));
+ if (cred == NULL)
+ return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__,
+ NULL);
+ cred->type = type;
+ cred->identity = cfg_getstr (cfg_realm, "pskid");
+ if (pskhexstr)
+ {
+ cred->secret_encoding = RS_KEY_ENCODING_ASCII_HEX;
+ cred->secret = pskhexstr;
+ if (pskstr)
+ ; /* TODO: warn that we're ignoring pskstr */
+ }
+ else
+ {
+ cred->secret_encoding = RS_KEY_ENCODING_UTF8;
+ cred->secret = pskstr;
+ }
+
+ r->transport_cred = cred;
+ }
+#else /* !RS_ENABLE_TLS_PSK */
+ /* TODO: push a warning on the error stack: */
+ /* rs_err_ctx_push (ctx, RSE_WARN, "libradsec wasn't configured with "
+ "support for TLS preshared keys, ignoring pskstr "
+ "and pskhexstr");*/
+#endif /* RS_ENABLE_TLS_PSK */
+ }
+
+ /* For TLS and DTLS realms, validate that we either have (i) CA
+ cert file or path or (ii) PSK. */
+ if ((r->type == RS_CONN_TYPE_TLS || r->type == RS_CONN_TYPE_DTLS)
+ && (r->cacertfile == NULL && r->cacertpath == NULL)
+ && r->transport_cred == NULL)
+ return rs_err_ctx_push (ctx, RSE_CONFIG,
+ "%s: missing both CA file/path and PSK",
+ r->name);
+
+ /* Add peers, one per server stanza. */
+ for (j = 0; j < cfg_size (cfg_realm, "server"); j++)