Postpone resolving of DNS names of server.

[libradsec.git] / lib / conf.c

diff --git a/lib/conf.c b/lib/conf.c
index e813409..ad1a5f8 100644 (file)
--- a/lib/conf.c
+++ b/lib/conf.c
@@ -26,7 +26,8 @@
       #cacertpath = STRING
       certfile = STRING
       certkeyfile = STRING
-      psk = STRING             # Transport pre-shared key.
+      pskstr = STRING  # Transport pre-shared key, UTF-8 form.
+      pskhexstr = STRING # Transport pre-shared key, ASCII hex form.
       pskid = STRING
       pskex = "PSK"|"DHE_PSK"|"RSA_PSK"
   }
@@ -41,7 +42,7 @@
   }
 #endif
 
-/* FIXME: Leaking memory in error cases?  */
+/* FIXME: Leaking memory in error cases.  */
 int
 rs_context_read_config(struct rs_context *ctx, const char *config_file)
 {
@@ -67,7 +68,8 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
       /*CFG_STR ("cacertpath", NULL, CFGF_NONE),*/
       CFG_STR ("certfile", NULL, CFGF_NONE),
       CFG_STR ("certkeyfile", NULL, CFGF_NONE),
-      CFG_STR ("psk", NULL, CFGF_NONE),
+      CFG_STR ("pskstr", NULL, CFGF_NONE),
+      CFG_STR ("pskhexstr", NULL, CFGF_NONE),
       CFG_STR ("pskid", NULL, CFGF_NONE),
       CFG_STR ("pskex", "PSK", CFGF_NONE),
       CFG_SEC ("server", server_opts, CFGF_MULTI),
@@ -110,7 +112,7 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
     {
       struct rs_realm *r = NULL;
       const char *typestr;
-      char *psk;
+      char *pskstr = NULL, *pskhexstr = NULL;
 
       r = rs_calloc (ctx, 1, sizeof(*r));
       if (r == NULL)
@@ -144,8 +146,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
       else if (strcmp (typestr, "DTLS") == 0)
        r->type = RS_CONN_TYPE_DTLS;
       else
-       return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__,
-                                  "invalid connection type: %s", typestr);
+       return rs_err_ctx_push (ctx, RSE_CONFIG,
+                                "%s: invalid connection type: %s",
+                                r->name, typestr);
       r->timeout = cfg_getint (cfg_realm, "timeout");
       r->retries = cfg_getint (cfg_realm, "retries");
 
@@ -154,9 +157,11 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
       r->certfile = cfg_getstr (cfg_realm, "certfile");
       r->certkeyfile = cfg_getstr (cfg_realm, "certkeyfile");
 
-      psk = cfg_getstr (cfg_realm, "psk");
-      if (psk)
+      pskstr = cfg_getstr (cfg_realm, "pskstr");
+      pskhexstr = cfg_getstr (cfg_realm, "pskhexstr");
+      if (pskstr || pskhexstr)
         {
+#if defined RS_ENABLE_TLS_PSK
           char *kex = cfg_getstr (cfg_realm, "pskex");
           rs_cred_type_t type = RS_CRED_NONE;
           struct rs_credentials *cred = NULL;
@@ -166,10 +171,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
             type = RS_CRED_TLS_PSK;
           else
             {
-              /* TODO: push a warning, using a separate warn stack or
-                 onto the ordinary error stack?  */
-              /* rs_err_ctx_push (ctx, FIXME, "%s: unsupported PSK key exchange"
-                 " algorithm -- PSK not used", kex);*/
+              /* TODO: push a warning on the error stack:*/
+              /*rs_err_ctx_push (ctx, RSE_WARN, "%s: unsupported PSK key exchange"
+                               " algorithm -- PSK not used", kex);*/
             }
 
           if (type != RS_CRED_NONE)
@@ -180,11 +184,38 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
                                            NULL);
               cred->type = type;
               cred->identity = cfg_getstr (cfg_realm, "pskid");
-              cred->secret = psk;
+              if (pskhexstr)
+                {
+                  cred->secret_encoding = RS_KEY_ENCODING_ASCII_HEX;
+                  cred->secret = pskhexstr;
+                  if (pskstr)
+                    ;      /* TODO: warn that we're ignoring pskstr */
+                }
+              else
+                {
+                  cred->secret_encoding = RS_KEY_ENCODING_UTF8;
+                  cred->secret = pskstr;
+                }
+
               r->transport_cred = cred;
             }
+#else  /* !RS_ENABLE_TLS_PSK */
+          /* TODO: push a warning on the error stack: */
+          /* rs_err_ctx_push (ctx, RSE_WARN, "libradsec wasn't configured with "
+                           "support for TLS preshared keys, ignoring pskstr "
+                           "and pskhexstr");*/
+#endif  /* RS_ENABLE_TLS_PSK */
         }
 
+      /* For TLS and DTLS realms, validate that we either have (i) CA
+         cert file or path or (ii) PSK.  */
+      if ((r->type == RS_CONN_TYPE_TLS || r->type == RS_CONN_TYPE_DTLS)
+          && (r->cacertfile == NULL && r->cacertpath == NULL)
+          && r->transport_cred == NULL)
+        return rs_err_ctx_push (ctx, RSE_CONFIG,
+                                "%s: missing both CA file/path and PSK",
+                                r->name);
+
       /* Add peers, one per server stanza.  */
       for (j = 0; j < cfg_size (cfg_realm, "server"); j++)
        {
@@ -195,10 +226,8 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
          p->realm = r;
 
          cfg_server = cfg_getnsec (cfg_realm, "server", j);
-         /* FIXME: Handle resolve errors, possibly by postponing name
-            resolution.  */
-         rs_resolv (&p->addr, r->type, cfg_getstr (cfg_server, "hostname"),
-                    cfg_getstr (cfg_server, "service"));
+         p->hostname = cfg_getstr (cfg_server, "hostname");
+          p->service = cfg_getstr (cfg_server, "service");
          p->secret = cfg_getstr (cfg_server, "secret");
        }
     }