summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorLinus Nordberg <linus@nordu.net>2012-01-24 13:16:26 +0100
committerLinus Nordberg <linus@nordu.net>2012-01-24 13:16:26 +0100
commitcb81fb758f13eb69945255655546995834e4ace0 (patch)
treeaf0696dcd836251385d32752339b261697aeb0f3 /lib
parent6eb1c6fd3f2ff41efa8ecd202750565fd38daeb4 (diff)
Add TLS PSK configuration options.
Diffstat (limited to 'lib')
-rw-r--r--lib/conf.c41
-rw-r--r--lib/examples/client.conf3
-rw-r--r--lib/include/radsec/radsec-impl.h9
3 files changed, 49 insertions, 4 deletions
diff --git a/lib/conf.c b/lib/conf.c
index 83c2e4b..e54ad54 100644
--- a/lib/conf.c
+++ b/lib/conf.c
@@ -7,6 +7,7 @@
#include <confuse.h>
#include <string.h>
+#include <assert.h>
#include <radsec/radsec.h>
#include <radsec/radsec-impl.h>
#include "peer.h"
@@ -25,6 +26,9 @@
#cacertpath = STRING
certfile = STRING
certkeyfile = STRING
+ psk = STRING # Transport pre-shared key.
+ pskid = STRING
+ pskex = "PSK"|"DHE_PSK"|"RSA_PSK"
}
# client specific realm config options
@@ -32,7 +36,7 @@
server {
hostname = STRING
service = STRING
- secret = STRING
+ secret = STRING # RADIUS secret
}
}
#endif
@@ -63,6 +67,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
/*CFG_STR ("cacertpath", NULL, CFGF_NONE),*/
CFG_STR ("certfile", NULL, CFGF_NONE),
CFG_STR ("certkeyfile", NULL, CFGF_NONE),
+ CFG_STR ("psk", NULL, CFGF_NONE),
+ CFG_STR ("pskid", NULL, CFGF_NONE),
+ CFG_STR ("pskex", "PSK", CFGF_NONE),
CFG_SEC ("server", server_opts, CFGF_MULTI),
CFG_END ()
};
@@ -103,6 +110,7 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
{
struct rs_realm *r = NULL;
const char *typestr;
+ char *psk;
r = rs_calloc (ctx, 1, sizeof(*r));
if (r == NULL)
@@ -146,6 +154,37 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
r->certfile = cfg_getstr (cfg_realm, "certfile");
r->certkeyfile = cfg_getstr (cfg_realm, "certkeyfile");
+ psk = cfg_getstr (cfg_realm, "psk");
+ if (psk)
+ {
+ char *kex = cfg_getstr (cfg_realm, "pskex");
+ rs_cred_type_t type = RS_CRED_NONE;
+ struct rs_credentials *cred = NULL;
+ assert (kex != NULL);
+
+ if (!strcmp (kex, "PSK"))
+ type = RS_CRED_TLS_PSK;
+ else
+ {
+ /* TODO: push a warning, using a separate warn stack or
+ onto the ordinary error stack? */
+ /* rs_err_ctx_push (ctx, FIXME, "%s: unsupported PSK key exchange"
+ " algorithm -- PSK not used", kex);*/
+ }
+
+ if (type != RS_CRED_NONE)
+ {
+ cred = rs_calloc (ctx, 1, sizeof (*cred));
+ if (cred == NULL)
+ return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__,
+ NULL);
+ cred->type = type;
+ cred->identity = cfg_getstr (cfg_realm, "pskid");
+ cred->secret = psk;
+ r->transport_cred = cred;
+ }
+ }
+
/* Add peers, one per server stanza. */
for (j = 0; j < cfg_size (cfg_realm, "server"); j++)
{
diff --git a/lib/examples/client.conf b/lib/examples/client.conf
index 07486c6..edd090e 100644
--- a/lib/examples/client.conf
+++ b/lib/examples/client.conf
@@ -18,6 +18,9 @@ realm blocking-tls {
cacertfile = "tests/demoCA/newcerts/01.pem"
certfile = "tests/demoCA/newcerts/02.pem"
certkeyfile = "tests/demoCA/private/c2key.pem"
+ psk = "sikrit psk"
+ pskid = "allan"
+ pskex = "PSK"
server {
hostname = "localhost"
service = "2083"
diff --git a/lib/include/radsec/radsec-impl.h b/lib/include/radsec/radsec-impl.h
index f8891ee..01288d3 100644
--- a/lib/include/radsec/radsec-impl.h
+++ b/lib/include/radsec/radsec-impl.h
@@ -16,7 +16,10 @@
/* Data types. */
enum rs_cred_type {
RS_CRED_NONE = 0,
- RS_CRED_TLS_PSK_RSA, /* RFC 4279. */
+ /* TLS pre-shared keys, RFC 4279. */
+ RS_CRED_TLS_PSK,
+ /* RS_CRED_TLS_DH_PSK, */
+ /* RS_CRED_TLS_RSA_PSK, */
};
typedef unsigned int rs_cred_type_t;
@@ -40,7 +43,7 @@ struct rs_peer {
struct rs_connection *conn;
struct rs_realm *realm;
struct evutil_addrinfo *addr;
- char *secret;
+ char *secret; /* RADIUS secret. */
struct rs_peer *next;
};
@@ -54,6 +57,7 @@ struct rs_realm {
char *cacertpath;
char *certfile;
char *certkeyfile;
+ struct rs_credentials *transport_cred;
struct rs_peer *peers;
struct rs_realm *next;
};
@@ -77,7 +81,6 @@ struct rs_connection {
struct rs_realm *realm; /* Owned by ctx. */
struct event_base *evb; /* Event base. */
struct event *tev; /* Timeout event. */
- struct rs_credentials transport_credentials;
struct rs_conn_callbacks callbacks;
void *user_data;
struct rs_peer *peers;