X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=lib%2Fconf.c;h=42f13731f02a8962cf28a72c7e8c499fd44d6256;hb=0efe1f109fd1953135be072f1516854e554e35d3;hp=e54ad548eca80a9652f9e6c9a1dd10a8ffbc59b2;hpb=cb81fb758f13eb69945255655546995834e4ace0;p=libradsec.git

diff --git a/lib/conf.c b/lib/conf.c
index e54ad54..42f1373 100644
--- a/lib/conf.c
+++ b/lib/conf.c
@@ -6,19 +6,20 @@
 #endif
 
 #include <confuse.h>
+#include <stdlib.h>
 #include <string.h>
 #include <assert.h>
 #include <radsec/radsec.h>
 #include <radsec/radsec-impl.h>
 #include "peer.h"
+#include "util.h"
 #include "debug.h"
 
 #if 0
   # common config options
-  dictionary = STRING
 
   # common realm config options
-  realm NAME {
+  realm STRING {
       type = "UDP"|"TCP"|"TLS"|"DTLS"
       timeout = INT
       retries = INT
@@ -26,13 +27,14 @@
       #cacertpath = STRING
       certfile = STRING
       certkeyfile = STRING
-      psk = STRING		# Transport pre-shared key.
+      pskstr = STRING	# Transport pre-shared key, UTF-8 form.
+      pskhexstr = STRING # Transport pre-shared key, ASCII hex form.
       pskid = STRING
       pskex = "PSK"|"DHE_PSK"|"RSA_PSK"
   }
 
   # client specific realm config options
-  realm NAME {
+  realm STRING {
       server {
           hostname = STRING
 	  service = STRING
@@ -41,7 +43,7 @@
   }
 #endif
 
-/* FIXME: Leaking memory in error cases?  */
+/* FIXME: Leaking memory in error cases.  */
 int
 rs_context_read_config(struct rs_context *ctx, const char *config_file)
 {
@@ -67,7 +69,8 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
       /*CFG_STR ("cacertpath", NULL, CFGF_NONE),*/
       CFG_STR ("certfile", NULL, CFGF_NONE),
       CFG_STR ("certkeyfile", NULL, CFGF_NONE),
-      CFG_STR ("psk", NULL, CFGF_NONE),
+      CFG_STR ("pskstr", NULL, CFGF_NONE),
+      CFG_STR ("pskhexstr", NULL, CFGF_NONE),
       CFG_STR ("pskid", NULL, CFGF_NONE),
       CFG_STR ("pskex", "PSK", CFGF_NONE),
       CFG_SEC ("server", server_opts, CFGF_MULTI),
@@ -75,7 +78,6 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
     };
   cfg_opt_t opts[] =
     {
-      CFG_STR ("dictionary", NULL, CFGF_NONE),
       CFG_SEC ("realm", realm_opts, CFGF_TITLE | CFGF_MULTI),
       CFG_END ()
     };
@@ -104,13 +106,12 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
   if (config == NULL)
     return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL);
   ctx->config = config;
-  config->dictionary = cfg_getstr (cfg, "dictionary");
 
   for (i = 0; i < cfg_size (cfg, "realm"); i++)
     {
       struct rs_realm *r = NULL;
       const char *typestr;
-      char *psk;
+      char *pskstr = NULL, *pskhexstr = NULL;
 
       r = rs_calloc (ctx, 1, sizeof(*r));
       if (r == NULL)
@@ -125,14 +126,14 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
 	  config->realms = r;
 	}
       cfg_realm = cfg_getnsec (cfg, "realm", i);
-      /* We use a copy of the return value of cfg_title() since it's const.  */
       s = cfg_title (cfg_realm);
       if (s == NULL)
 	return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__,
 				   "missing realm name");
-      r->name = strdup (s);
+      /* We use a copy of the return value of cfg_title() since it's const.  */
+      r->name = rs_strdup (ctx, s);
       if (r->name == NULL)
-	return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL);
+	return RSE_NOMEM;
 
       typestr = cfg_getstr (cfg_realm, "type");
       if (strcmp (typestr, "UDP") == 0)
@@ -144,8 +145,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
       else if (strcmp (typestr, "DTLS") == 0)
 	r->type = RS_CONN_TYPE_DTLS;
       else
-	return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__,
-				   "invalid connection type: %s", typestr);
+	return rs_err_ctx_push (ctx, RSE_CONFIG,
+                                "%s: invalid connection type: %s",
+                                r->name, typestr);
       r->timeout = cfg_getint (cfg_realm, "timeout");
       r->retries = cfg_getint (cfg_realm, "retries");
 
@@ -154,9 +156,11 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
       r->certfile = cfg_getstr (cfg_realm, "certfile");
       r->certkeyfile = cfg_getstr (cfg_realm, "certkeyfile");
 
-      psk = cfg_getstr (cfg_realm, "psk");
-      if (psk)
+      pskstr = cfg_getstr (cfg_realm, "pskstr");
+      pskhexstr = cfg_getstr (cfg_realm, "pskhexstr");
+      if (pskstr || pskhexstr)
         {
+#if defined RS_ENABLE_TLS_PSK
           char *kex = cfg_getstr (cfg_realm, "pskex");
           rs_cred_type_t type = RS_CRED_NONE;
           struct rs_credentials *cred = NULL;
@@ -166,10 +170,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
             type = RS_CRED_TLS_PSK;
           else
             {
-              /* TODO: push a warning, using a separate warn stack or
-                 onto the ordinary error stack?  */
-              /* rs_err_ctx_push (ctx, FIXME, "%s: unsupported PSK key exchange"
-                 " algorithm -- PSK not used", kex);*/
+              /* TODO: push a warning on the error stack:*/
+              /*rs_err_ctx_push (ctx, RSE_WARN, "%s: unsupported PSK key exchange"
+                               " algorithm -- PSK not used", kex);*/
             }
 
           if (type != RS_CRED_NONE)
@@ -180,11 +183,38 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
                                            NULL);
               cred->type = type;
               cred->identity = cfg_getstr (cfg_realm, "pskid");
-              cred->secret = psk;
+              if (pskhexstr)
+                {
+                  cred->secret_encoding = RS_KEY_ENCODING_ASCII_HEX;
+                  cred->secret = pskhexstr;
+                  if (pskstr)
+                    ;      /* TODO: warn that we're ignoring pskstr */
+                }
+              else
+                {
+                  cred->secret_encoding = RS_KEY_ENCODING_UTF8;
+                  cred->secret = pskstr;
+                }
+
               r->transport_cred = cred;
             }
+#else  /* !RS_ENABLE_TLS_PSK */
+          /* TODO: push a warning on the error stack: */
+          /* rs_err_ctx_push (ctx, RSE_WARN, "libradsec wasn't configured with "
+                           "support for TLS preshared keys, ignoring pskstr "
+                           "and pskhexstr");*/
+#endif  /* RS_ENABLE_TLS_PSK */
         }
 
+      /* For TLS and DTLS realms, validate that we either have (i) CA
+         cert file or path or (ii) PSK.  */
+      if ((r->type == RS_CONN_TYPE_TLS || r->type == RS_CONN_TYPE_DTLS)
+          && (r->cacertfile == NULL && r->cacertpath == NULL)
+          && r->transport_cred == NULL)
+        return rs_err_ctx_push (ctx, RSE_CONFIG,
+                                "%s: missing both CA file/path and PSK",
+                                r->name);
+
       /* Add peers, one per server stanza.  */
       for (j = 0; j < cfg_size (cfg_realm, "server"); j++)
 	{
@@ -195,10 +225,8 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
 	  p->realm = r;
 
 	  cfg_server = cfg_getnsec (cfg_realm, "server", j);
-	  /* FIXME: Handle resolve errors, possibly by postponing name
-	     resolution.  */
-	  rs_resolv (&p->addr, r->type, cfg_getstr (cfg_server, "hostname"),
-		     cfg_getstr (cfg_server, "service"));
+	  p->hostname = cfg_getstr (cfg_server, "hostname");
+          p->service = cfg_getstr (cfg_server, "service");
 	  p->secret = cfg_getstr (cfg_server, "secret");
 	}
     }