Conditionally compile TLS-PSK code (--enable-tls-psk).

Also, allow for PSK-only configuration, i.e. don't barf on missing cert stuff.

diff --git a/lib/conf.c b/lib/conf.c
index e863381..71bd169 100644 (file)
--- a/lib/conf.c
+++ b/lib/conf.c
@@ -42,7 +42,7 @@
   }
 #endif
 
-/* FIXME: Leaking memory in error cases?  */
+/* FIXME: Leaking memory in error cases.  */
 int
 rs_context_read_config(struct rs_context *ctx, const char *config_file)
 {
@@ -146,8 +146,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
       else if (strcmp (typestr, "DTLS") == 0)
        r->type = RS_CONN_TYPE_DTLS;
       else
-       return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__,
-                                  "invalid connection type: %s", typestr);
+       return rs_err_ctx_push (ctx, RSE_CONFIG,
+                                "%s: invalid connection type: %s",
+                                r->name, typestr);
       r->timeout = cfg_getint (cfg_realm, "timeout");
       r->retries = cfg_getint (cfg_realm, "retries");
 
@@ -160,6 +161,7 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
       pskhexstr = cfg_getstr (cfg_realm, "pskhexstr");
       if (pskstr || pskhexstr)
         {
+#if defined RS_ENABLE_TLS_PSK
           char *kex = cfg_getstr (cfg_realm, "pskex");
           rs_cred_type_t type = RS_CRED_NONE;
           struct rs_credentials *cred = NULL;
@@ -169,10 +171,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
             type = RS_CRED_TLS_PSK;
           else
             {
-              /* TODO: push a warning, using a separate warn stack or
-                 onto the ordinary error stack?  */
-              /* rs_err_ctx_push (ctx, FIXME, "%s: unsupported PSK key exchange"
-                 " algorithm -- PSK not used", kex);*/
+              /* TODO: push a warning on the error stack:*/
+              /*rs_err_ctx_push (ctx, RSE_WARN, "%s: unsupported PSK key exchange"
+                               " algorithm -- PSK not used", kex);*/
             }
 
           if (type != RS_CRED_NONE)
@@ -198,8 +199,23 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
 
               r->transport_cred = cred;
             }
+#else  /* !RS_ENABLE_TLS_PSK */
+          /* TODO: push a warning on the error stack: */
+          /* rs_err_ctx_push (ctx, RSE_WARN, "libradsec wasn't configured with "
+                           "support for TLS preshared keys, ignoring pskstr "
+                           "and pskhexstr");*/
+#endif  /* RS_ENABLE_TLS_PSK */
         }
 
+      /* For TLS and DTLS realms, validate that we either have (i) CA
+         cert file or path or (ii) PSK.  */
+      if ((r->type == RS_CONN_TYPE_TLS || r->type == RS_CONN_TYPE_DTLS)
+          && (r->cacertfile == NULL && r->cacertpath == NULL)
+          && r->transport_cred == NULL)
+        return rs_err_ctx_push (ctx, RSE_CONFIG,
+                                "%s: missing both CA file/path and PSK",
+                                r->name);
+
       /* Add peers, one per server stanza.  */
       for (j = 0; j < cfg_size (cfg_realm, "server"); j++)
        {

diff --git a/lib/configure.ac b/lib/configure.ac
index 9c24310..3339352 100644 (file)
--- a/lib/configure.ac
+++ b/lib/configure.ac
@@ -21,6 +21,7 @@ AC_CHECK_LIB([freeradius-radius], [rad_alloc],,
     AC_MSG_ERROR([required library libfreeradius-radius not found]))
 
 # Enable-knobs.
+## Enable TLS (RadSec).
 AH_TEMPLATE([RS_ENABLE_TLS], [TLS (RadSec) enabled])
 AH_TEMPLATE([RADPROT_TLS], [])  dnl Legacy.
 AC_ARG_ENABLE([tls], AS_HELP_STRING([--enable-tls], [enable TLS (RadSec)]),
@@ -29,6 +30,13 @@ AC_ARG_ENABLE([tls], AS_HELP_STRING([--enable-tls], [enable TLS (RadSec)]),
      AC_DEFINE([RS_ENABLE_TLS])
      AC_DEFINE([RADPROT_TLS])]) dnl Legacy.
 AM_CONDITIONAL([RS_ENABLE_TLS], [test "${enable_tls+set}" = set])
+## Enable TLS-PSK (preshared keys).
+AH_TEMPLATE([RS_ENABLE_TLS_PSK], [TLS-PSK (TLS preshared keys) enabled])
+AC_ARG_ENABLE([tls-psk], AS_HELP_STRING([--enable-tls-psk], [enable TLS-PSK (TLS preshared keys)]),
+    [AC_CHECK_LIB([ssl], [SSL_set_psk_client_callback],,
+         AC_MSG_ERROR([required library openssl with SSL_set_psk_client_callback() not found]))
+     AC_DEFINE([RS_ENABLE_TLS_PSK])])
+AM_CONDITIONAL([RS_ENABLE_TLS_PSK], [test "${enable_tls_psk+set}" = set])
 
 # Checks for header files.
 AC_CHECK_HEADERS(

diff --git a/lib/rsp_tlscommon.c b/lib/rsp_tlscommon.c
index a34fe33..75aa891 100644 (file)
--- a/lib/rsp_tlscommon.c
+++ b/lib/rsp_tlscommon.c
@@ -271,14 +271,15 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
        }
     }
 
-    if (!tlsaddcacrl(ctx, conf)) {
-       if (conf->vpm) {
-           X509_VERIFY_PARAM_free(conf->vpm);
-           conf->vpm = NULL;
-       }
-       SSL_CTX_free(ctx);
-       return NULL;
-    }
+    if (conf->cacertfile != NULL || conf->cacertpath != NULL)
+        if (!tlsaddcacrl(ctx, conf)) {
+            if (conf->vpm) {
+                X509_VERIFY_PARAM_free(conf->vpm);
+                conf->vpm = NULL;
+            }
+            SSL_CTX_free(ctx);
+            return NULL;
+        }
 
     debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name);
     return ctx;

diff --git a/lib/tls.c b/lib/tls.c
index 12af489..0f07e46 100644 (file)
--- a/lib/tls.c
+++ b/lib/tls.c
@@ -42,6 +42,7 @@ _get_tlsconf (struct rs_connection *conn, const struct rs_realm *realm)
   return c;
 }
 
+#if defined RS_ENABLE_TLS_PSK
 static unsigned int
 psk_client_cb (SSL *ssl,
                const char *hint,
@@ -107,6 +108,7 @@ psk_client_cb (SSL *ssl,
 
   return cred->secret_len;
 }
+#endif  /* RS_ENABLE_TLS_PSK */
 
 int
 rs_tls_init (struct rs_connection *conn)
@@ -140,11 +142,14 @@ rs_tls_init (struct rs_connection *conn)
       return -1;
     }
 
+#if defined RS_ENABLE_TLS_PSK
   if (conn->active_peer->realm->transport_cred != NULL)
     {
       SSL_set_psk_client_callback (ssl, psk_client_cb);
       SSL_set_ex_data (ssl, 0, conn);
     }
+#endif  /* RS_ENABLE_TLS_PSK */
+
   conn->tls_ctx = ssl_ctx;
   conn->tls_ssl = ssl;
   rs_free (ctx, tlsconf);