X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=lib%2Fconf.c;h=1cb70491302e79e80a11bdb7790b3da508abc6cd;hb=4b0ff99282a91bba93eec9db37831be73b8134e4;hp=e863381f40ff7641d663941cc4c1a78e49dae3ce;hpb=0a81dc0c72ea7cb7a5d04fbb89dbb69e83bbf8fb;p=libradsec.git
diff --git a/lib/conf.c b/lib/conf.c
index e863381..1cb7049 100644
--- a/lib/conf.c
+++ b/lib/conf.c
@@ -6,16 +6,17 @@
 #endif
 #include
+#include
 #include
 #include
 #include
 #include "peer.h"
+#include "util.h"
 #include "debug.h"
 #if 0
 # common config options
- dictionary = STRING
 # common realm config options
 realm NAME {
@@ -42,7 +43,7 @@
 }
 #endif
-/* FIXME: Leaking memory in error cases? */
+/* FIXME: Leaking memory in error cases. */
 int
 rs_context_read_config(struct rs_context *ctx, const char *config_file)
 {
@@ -77,7 +78,6 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
 };
 cfg_opt_t opts[] = {
- CFG_STR ("dictionary", NULL, CFGF_NONE),
 CFG_SEC ("realm", realm_opts, CFGF_TITLE | CFGF_MULTI),
 CFG_END ()
 };
@@ -106,7 +106,6 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
 if (config == NULL)
 return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL);
 ctx->config = config;
- config->dictionary = cfg_getstr (cfg, "dictionary");
 for (i = 0; i < cfg_size (cfg, "realm"); i++)
 {
@@ -132,9 +131,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
 return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__, "missing realm name");
 /* We use a copy of the return value of cfg_title() since it's const. */
- r->name = strdup (s);
+ r->name = rs_strdup (ctx, s);
 if (r->name == NULL)
- return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL);
+ return RSE_NOMEM;
 typestr = cfg_getstr (cfg_realm, "type");
 if (strcmp (typestr, "UDP") == 0)
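Review bot: Existing configuration files that still carry a `dictionary = ...` line will, as far as I know of libconfuse's default behaviour, fail to parse as an unknown option once `CFG_STR ("dictionary", NULL, CFGF_NONE)` is removed from `opts`, rather than being silently ignored; the matching `config->dictionary = cfg_getstr (cfg, "dictionary");` assignment is dropped in the following hunk. If the break is intended it belongs in the documented option list (the `#if 0` block in the first hunk is already updated); otherwise keep the entry for one release as a deprecated option whose value is never read, e.g. `CFG_STR ("dictionary", NULL, CFGF_NONE), /* deprecated, ignored */`. rs_context_read_config starts before this hunk and continues after it.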
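Review bot: The bare `return RSE_NOMEM;` after `rs_strdup` — like the `rs_err_ctx_push` returns inside the realm loop in the later hunks — leaves the libconfuse handle `cfg`, `ctx->config` and any realms built so far unreleased, which is exactly what the FIXME above the function now states as fact instead of a question. Presumably `rs_strdup (ctx, s)` pushes the RSE_NOMEM error onto the context itself, since the explicit `rs_err_ctx_push_fl` was dropped; worth confirming, otherwise callers get a bare code with nothing on the error stack. A single cleanup label at the end of the function that frees `cfg` and the partially populated config, reached by `goto` from each failure site, would close all of these leaks at once instead of one early return at a time. The function body begins and ends outside this hunk.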
@@ -146,8 +145,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
 else if (strcmp (typestr, "DTLS") == 0)
 r->type = RS_CONN_TYPE_DTLS;
 else
- return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__,
- "invalid connection type: %s", typestr);
+ return rs_err_ctx_push (ctx, RSE_CONFIG,
+ "%s: invalid connection type: %s",
+ r->name, typestr);
 r->timeout = cfg_getint (cfg_realm, "timeout");
 r->retries = cfg_getint (cfg_realm, "retries");
@@ -160,6 +160,7 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
 pskhexstr = cfg_getstr (cfg_realm, "pskhexstr");
 if (pskstr || pskhexstr)
 {
+#if defined RS_ENABLE_TLS_PSK
 char *kex = cfg_getstr (cfg_realm, "pskex");
 rs_cred_type_t type = RS_CRED_NONE;
 struct rs_credentials *cred = NULL;
@@ -169,10 +170,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
 type = RS_CRED_TLS_PSK;
 else
 {
- /* TODO: push a warning, using a separate warn stack or
- onto the ordinary error stack? */
- /* rs_err_ctx_push (ctx, FIXME, "%s: unsupported PSK key exchange"
- " algorithm -- PSK not used", kex);*/
+ /* TODO: push a warning on the error stack:*/
+ /*rs_err_ctx_push (ctx, RSE_WARN, "%s: unsupported PSK key exchange"
+ " algorithm -- PSK not used", kex);*/
 }
 if (type != RS_CRED_NONE)
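Review bot: The new message formats `typestr` with `%s`, and `typestr` is whatever `cfg_getstr (cfg_realm, "type")` returned a few lines earlier; if the `type` option has no default in `realm_opts` (declared outside this hunk), a realm stanza without `type` makes the preceding `strcmp` calls and this format call operate on a NULL pointer. A guard before the comparisons, `if (typestr == NULL) return rs_err_ctx_push (ctx, RSE_CONFIG, "%s: missing connection type", r->name);`, turns that into one clear configuration error. This path also switches from `rs_err_ctx_push_fl` to `rs_err_ctx_push` while the neighbouring error returns in the function keep the `_fl` variant; the function should settle on one.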
@@ -198,8 +198,23 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
 r->transport_cred = cred;
 }
+#else /* !RS_ENABLE_TLS_PSK */
+ /* TODO: push a warning on the error stack: */
+ /* rs_err_ctx_push (ctx, RSE_WARN, "libradsec wasn't configured with " "support for TLS preshared keys, ignoring pskstr " "and pskhexstr");*/
+#endif /* RS_ENABLE_TLS_PSK */
 }
+ /* For TLS and DTLS realms, validate that we either have (i) CA cert file or path or (ii) PSK. */
+ if ((r->type == RS_CONN_TYPE_TLS || r->type == RS_CONN_TYPE_DTLS) && (r->cacertfile == NULL && r->cacertpath == NULL) && r->transport_cred == NULL) return rs_err_ctx_push (ctx, RSE_CONFIG, "%s: missing both CA file/path and PSK", r->name);
+ /* Add peers, one per server stanza. */
 for (j = 0; j < cfg_size (cfg_realm, "server"); j++)
 {
@@ -210,10 +225,8 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
 p->realm = r;
 cfg_server = cfg_getnsec (cfg_realm, "server", j);
- /* FIXME: Handle resolve errors, possibly by postponing name
- resolution. */
- rs_resolv (&p->addr, r->type, cfg_getstr (cfg_server, "hostname"),
- cfg_getstr (cfg_server, "service"));
+ p->hostname = cfg_getstr (cfg_server, "hostname");
+ p->service = cfg_getstr (cfg_server, "service");
 p->secret = cfg_getstr (cfg_server, "secret");
 }
 }
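Review bot: The new TLS/DTLS check is a sound fail-closed default, but when `RS_ENABLE_TLS_PSK` is not defined a realm that did configure `pskstr` or `pskhexstr` reaches it with `r->transport_cred == NULL` and is refused as "missing both CA file/path and PSK", which misreports the real problem; the same misleading rejection follows from the unsupported-`pskex` branch in the previous hunk, where the warning is still only a comment. Rather than the commented-out RSE_WARN in the `#else` branch, return a configuration error there, e.g. `return rs_err_ctx_push (ctx, RSE_CONFIG, "%s: TLS-PSK configured but not supported by this build", r->name);`, so the operator learns why the realm was refused. The comment on the check could also state its intent directly: `/* Refuse TLS/DTLS realms with neither a trust anchor (CA file/path) nor a PSK. */`. The enclosing realm loop starts before this hunk.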
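Review bot: `p->hostname` and `p->service` now keep pointers into strings owned by the libconfuse `cfg` object, alongside `p->secret`, whereas `r->name` earlier in this function is copied out with `rs_strdup`; whether these pointers stay valid until the deferred name resolution depends on when `cfg` is released, which happens outside this hunk, so if `cfg` does not outlive the context the peers end up with dangling hostname, service and secret. Copying them the same way, `p->hostname = rs_strdup (ctx, cfg_getstr (cfg_server, "hostname"));`, with a NULL check matching the one after `r->name`, removes the dependency. A `server` stanza without `hostname` (NULL from `cfg_getstr`, unless the server options give it a default) should also be rejected here as RSE_CONFIG rather than surfacing later at resolve time.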