#endif
#include <confuse.h>
+#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <radsec/radsec.h>
#include <radsec/radsec-impl.h>
#include "peer.h"
+#include "util.h"
#include "debug.h"
#if 0
# common config options
- dictionary = STRING
# common realm config options
realm NAME {
}
#endif
-/* FIXME: Leaking memory in error cases? */
+/* FIXME: Leaking memory in error cases. */
int
rs_context_read_config(struct rs_context *ctx, const char *config_file)
{
};
cfg_opt_t opts[] =
{
- CFG_STR ("dictionary", NULL, CFGF_NONE),
CFG_SEC ("realm", realm_opts, CFGF_TITLE | CFGF_MULTI),
CFG_END ()
};
if (config == NULL)
return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL);
ctx->config = config;
- config->dictionary = cfg_getstr (cfg, "dictionary");
for (i = 0; i < cfg_size (cfg, "realm"); i++)
{
return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__,
"missing realm name");
/* We use a copy of the return value of cfg_title() since it's const. */
- r->name = strdup (s);
+ r->name = rs_strdup (ctx, s);
if (r->name == NULL)
- return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, NULL);
+ return RSE_NOMEM;
typestr = cfg_getstr (cfg_realm, "type");
if (strcmp (typestr, "UDP") == 0)
else if (strcmp (typestr, "DTLS") == 0)
r->type = RS_CONN_TYPE_DTLS;
else
- return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__,
- "invalid connection type: %s", typestr);
+ return rs_err_ctx_push (ctx, RSE_CONFIG,
+ "%s: invalid connection type: %s",
+ r->name, typestr);
r->timeout = cfg_getint (cfg_realm, "timeout");
r->retries = cfg_getint (cfg_realm, "retries");
pskhexstr = cfg_getstr (cfg_realm, "pskhexstr");
if (pskstr || pskhexstr)
{
+#if defined RS_ENABLE_TLS_PSK
char *kex = cfg_getstr (cfg_realm, "pskex");
rs_cred_type_t type = RS_CRED_NONE;
struct rs_credentials *cred = NULL;
type = RS_CRED_TLS_PSK;
else
{
- /* TODO: push a warning, using a separate warn stack or
- onto the ordinary error stack? */
- /* rs_err_ctx_push (ctx, FIXME, "%s: unsupported PSK key exchange"
- " algorithm -- PSK not used", kex);*/
+ /* TODO: push a warning on the error stack:*/
+ /*rs_err_ctx_push (ctx, RSE_WARN, "%s: unsupported PSK key exchange"
+ " algorithm -- PSK not used", kex);*/
}
if (type != RS_CRED_NONE)
r->transport_cred = cred;
}
+#else /* !RS_ENABLE_TLS_PSK */
+ /* TODO: push a warning on the error stack: */
+ /* rs_err_ctx_push (ctx, RSE_WARN, "libradsec wasn't configured with "
+ "support for TLS preshared keys, ignoring pskstr "
+ "and pskhexstr");*/
+#endif /* RS_ENABLE_TLS_PSK */
}
+ /* For TLS and DTLS realms, validate that we either have (i) CA
+ cert file or path or (ii) PSK. */
+ if ((r->type == RS_CONN_TYPE_TLS || r->type == RS_CONN_TYPE_DTLS)
+ && (r->cacertfile == NULL && r->cacertpath == NULL)
+ && r->transport_cred == NULL)
+ return rs_err_ctx_push (ctx, RSE_CONFIG,
+ "%s: missing both CA file/path and PSK",
+ r->name);
+
/* Add peers, one per server stanza. */
for (j = 0; j < cfg_size (cfg_realm, "server"); j++)
{
p->realm = r;
cfg_server = cfg_getnsec (cfg_realm, "server", j);
- /* FIXME: Handle resolve errors, possibly by postponing name
- resolution. */
- rs_resolv (&p->addr, r->type, cfg_getstr (cfg_server, "hostname"),
- cfg_getstr (cfg_server, "service"));
+ p->hostname = cfg_getstr (cfg_server, "hostname");
+ p->service = cfg_getstr (cfg_server, "service");
p->secret = cfg_getstr (cfg_server, "secret");
}
}
projects / libradsec.git / blobdiff