diff options
-rw-r--r-- | lib/conf.c | 41 | ||||
-rw-r--r-- | lib/examples/client.conf | 3 | ||||
-rw-r--r-- | lib/include/radsec/radsec-impl.h | 9 |
3 files changed, 49 insertions, 4 deletions
@@ -7,6 +7,7 @@ #include <confuse.h> #include <string.h> +#include <assert.h> #include <radsec/radsec.h> #include <radsec/radsec-impl.h> #include "peer.h" @@ -25,6 +26,9 @@ #cacertpath = STRING certfile = STRING certkeyfile = STRING + psk = STRING # Transport pre-shared key. + pskid = STRING + pskex = "PSK"|"DHE_PSK"|"RSA_PSK" } # client specific realm config options @@ -32,7 +36,7 @@ server { hostname = STRING service = STRING - secret = STRING + secret = STRING # RADIUS secret } } #endif @@ -63,6 +67,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file) /*CFG_STR ("cacertpath", NULL, CFGF_NONE),*/ CFG_STR ("certfile", NULL, CFGF_NONE), CFG_STR ("certkeyfile", NULL, CFGF_NONE), + CFG_STR ("psk", NULL, CFGF_NONE), + CFG_STR ("pskid", NULL, CFGF_NONE), + CFG_STR ("pskex", "PSK", CFGF_NONE), CFG_SEC ("server", server_opts, CFGF_MULTI), CFG_END () }; @@ -103,6 +110,7 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file) { struct rs_realm *r = NULL; const char *typestr; + char *psk; r = rs_calloc (ctx, 1, sizeof(*r)); if (r == NULL) @@ -146,6 +154,37 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file) r->certfile = cfg_getstr (cfg_realm, "certfile"); r->certkeyfile = cfg_getstr (cfg_realm, "certkeyfile"); + psk = cfg_getstr (cfg_realm, "psk"); + if (psk) + { + char *kex = cfg_getstr (cfg_realm, "pskex"); + rs_cred_type_t type = RS_CRED_NONE; + struct rs_credentials *cred = NULL; + assert (kex != NULL); + + if (!strcmp (kex, "PSK")) + type = RS_CRED_TLS_PSK; + else + { + /* TODO: push a warning, using a separate warn stack or + onto the ordinary error stack? */ + /* rs_err_ctx_push (ctx, FIXME, "%s: unsupported PSK key exchange" + " algorithm -- PSK not used", kex);*/ + } + + if (type != RS_CRED_NONE) + { + cred = rs_calloc (ctx, 1, sizeof (*cred)); + if (cred == NULL) + return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__, + NULL); + cred->type = type; + cred->identity = cfg_getstr (cfg_realm, "pskid"); + cred->secret = psk; + r->transport_cred = cred; + } + } + /* Add peers, one per server stanza. */ for (j = 0; j < cfg_size (cfg_realm, "server"); j++) { diff --git a/lib/examples/client.conf b/lib/examples/client.conf index 07486c6..edd090e 100644 --- a/lib/examples/client.conf +++ b/lib/examples/client.conf @@ -18,6 +18,9 @@ realm blocking-tls { cacertfile = "tests/demoCA/newcerts/01.pem" certfile = "tests/demoCA/newcerts/02.pem" certkeyfile = "tests/demoCA/private/c2key.pem" + psk = "sikrit psk" + pskid = "allan" + pskex = "PSK" server { hostname = "localhost" service = "2083" diff --git a/lib/include/radsec/radsec-impl.h b/lib/include/radsec/radsec-impl.h index f8891ee..01288d3 100644 --- a/lib/include/radsec/radsec-impl.h +++ b/lib/include/radsec/radsec-impl.h @@ -16,7 +16,10 @@ /* Data types. */ enum rs_cred_type { RS_CRED_NONE = 0, - RS_CRED_TLS_PSK_RSA, /* RFC 4279. */ + /* TLS pre-shared keys, RFC 4279. */ + RS_CRED_TLS_PSK, + /* RS_CRED_TLS_DH_PSK, */ + /* RS_CRED_TLS_RSA_PSK, */ }; typedef unsigned int rs_cred_type_t; @@ -40,7 +43,7 @@ struct rs_peer { struct rs_connection *conn; struct rs_realm *realm; struct evutil_addrinfo *addr; - char *secret; + char *secret; /* RADIUS secret. */ struct rs_peer *next; }; @@ -54,6 +57,7 @@ struct rs_realm { char *cacertpath; char *certfile; char *certkeyfile; + struct rs_credentials *transport_cred; struct rs_peer *peers; struct rs_realm *next; }; @@ -77,7 +81,6 @@ struct rs_connection { struct rs_realm *realm; /* Owned by ctx. */ struct event_base *evb; /* Event base. */ struct event *tev; /* Timeout event. */ - struct rs_credentials transport_credentials; struct rs_conn_callbacks callbacks; void *user_data; struct rs_peer *peers; |