From: Sam Hartman <hartmans@debian.org>
Date: Tue, 2 Apr 2013 16:59:01 +0000 (-0400)
Subject: tls: server stuff
X-Git-Tag: debian/3.0.0.rc0+git+moonshot1-6~43
X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=a1f9c51352adf716936f5be324dccba9c2bd3012;p=freeradius.git

tls: server stuff
---

diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 51b1099..63a3732 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -474,8 +474,9 @@ ATTRIBUTE	TLS-Client-Cert-X509v3-Extended-Key-Usage 1927	string
 ATTRIBUTE	TLS-Client-Cert-X509v3-Subject-Key-Identifier 1928 string
 ATTRIBUTE	TLS-Client-Cert-X509v3-Authority-Key-Identifier 1929 string
 ATTRIBUTE	TLS-Client-Cert-X509v3-Basic-Constraints 1930 string
+ATTRIBUTE	TLS-PSK-Identity			1931	string
 
-# 1931 - 1939: reserved for future cert attributes
+# 1932 - 1939: reserved for future cert attributes
 
 #
 #	Range:	1940-2099
diff --git a/src/main/tls.c b/src/main/tls.c
index afe074c..e5ecc7b 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -61,21 +61,52 @@ static unsigned int 	record_minus(record_t *buf, void *ptr,
 				     unsigned int size);
 
 #ifdef PSK_MAX_IDENTITY_LEN
-static unsigned int psk_server_callback(SSL *ssl, char const *identity,
+int identity_is_safe( const char *identity)
+{
+	while (identity &&identity[0]) {
+		char c = identity[0];
+		identity++;
+		if (isalpha(c) || isdigit(c))
+			continue;
+		else if ((c == '@') || (c == '-') || (c == '_'))
+			continue;
+		else if (isspace(c) || (c == '.'))
+			continue;
+		else return 0;
+	}
+	return 1;
+}
+
+static unsigned int psk_server_callback(SSL *ssl, const char *identity,
 					unsigned char *psk,
 					unsigned int max_psk_len)
 {
-	unsigned int psk_len;
+	unsigned int psk_len = 0;
 	fr_tls_server_conf_t *conf;
+	REQUEST *request;
+	
 
 	conf = (fr_tls_server_conf_t *)SSL_get_ex_data(ssl,
 						       FR_TLS_EX_INDEX_CONF);
 	if (!conf) return 0;
 
-	/*
-	 *	FIXME: Look up the PSK password based on the identity!
-	 */
-	if (strcmp(identity, conf->psk_identity) != 0) {
+	request = (REQUEST *)SSL_get_ex_data(ssl,
+					     FR_TLS_EX_INDEX_REQUEST);
+	if (request) {
+		VALUE_PAIR *vp;
+		vp = rad_pairmake(request, &request->config_items,
+				  "tls-psk-identity",
+				  identity, T_OP_SET);
+		if (vp) {
+			if (identity_is_safe(identity))
+				psk_len = radius_xlat(psk, max_psk_len,
+						      "%{psksql:select key from psk_keys where keyid = '%{control:tls-psk-identity}';}",
+						      NULL, NULL);
+			if (psk_len > 0)
+				return psk_len;
+	}
+	
+		if ((strcmp(identity, conf->psk_identity) != )) {
 		return 0;
 	}