From dcce5a04612c307453519d72f28caceb73fdab2a Mon Sep 17 00:00:00 2001 From: Linus Nordberg Date: Mon, 23 Apr 2012 14:44:49 +0200 Subject: Conditionally compile TLS-PSK code (--enable-tls-psk). Also, allow for PSK-only configuration, i.e. don't barf on missing cert stuff. --- lib/conf.c | 30 +++++++++++++++++++++++------- lib/configure.ac | 8 ++++++++ lib/rsp_tlscommon.c | 17 +++++++++-------- lib/tls.c | 5 +++++ 4 files changed, 45 insertions(+), 15 deletions(-) diff --git a/lib/conf.c b/lib/conf.c index e863381..71bd169 100644 --- a/lib/conf.c +++ b/lib/conf.c @@ -42,7 +42,7 @@ } #endif -/* FIXME: Leaking memory in error cases? */ +/* FIXME: Leaking memory in error cases. */ int rs_context_read_config(struct rs_context *ctx, const char *config_file) { @@ -146,8 +146,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file) else if (strcmp (typestr, "DTLS") == 0) r->type = RS_CONN_TYPE_DTLS; else - return rs_err_ctx_push_fl (ctx, RSE_CONFIG, __FILE__, __LINE__, - "invalid connection type: %s", typestr); + return rs_err_ctx_push (ctx, RSE_CONFIG, + "%s: invalid connection type: %s", + r->name, typestr); r->timeout = cfg_getint (cfg_realm, "timeout"); r->retries = cfg_getint (cfg_realm, "retries"); @@ -160,6 +161,7 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file) pskhexstr = cfg_getstr (cfg_realm, "pskhexstr"); if (pskstr || pskhexstr) { +#if defined RS_ENABLE_TLS_PSK char *kex = cfg_getstr (cfg_realm, "pskex"); rs_cred_type_t type = RS_CRED_NONE; struct rs_credentials *cred = NULL; 
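Review bot: The `#if defined RS_ENABLE_TLS_PSK` opened inside the `if (pskstr || pskhexstr)` body means a realm that sets `pskstr` or `pskhexstr` in a build without PSK support is accepted silently; the matching `#else` branch (hunk @@ -198,8 +199,23 @@) holds only a commented-out warning, so the operator gets no indication that the configured key is never used. A credential that is read and then dropped without notice deserves at least a pushed error, and the same later hunk rejects the realm anyway when no CA file/path is present, so suggest replacing the commented-out call in the `#else` branch with `return rs_err_ctx_push (ctx, RSE_CONFIG, "%s: pskstr/pskhexstr given but libradsec was built without TLS-PSK support", r->name);` (a warning via `RSE_WARN` if that code exists). The `#if` and its `#else`/`#endif` also sit inside a brace block across two hunks, so a one-line comment at the `#if` saying the block is closed after the credential is attached would help readers. rs_context_read_config continues outside this hunk.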
@@ -169,10 +171,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file) type = RS_CRED_TLS_PSK; else { - /* TODO: push a warning, using a separate warn stack or - onto the ordinary error stack? */ - /* rs_err_ctx_push (ctx, FIXME, "%s: unsupported PSK key exchange" - " algorithm -- PSK not used", kex);*/ + /* TODO: push a warning on the error stack:*/ + /*rs_err_ctx_push (ctx, RSE_WARN, "%s: unsupported PSK key exchange" + " algorithm -- PSK not used", kex);*/ } if (type != RS_CRED_NONE) @@ -198,8 +199,23 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file) r->transport_cred = cred; } +#else /* !RS_ENABLE_TLS_PSK */ + /* TODO: push a warning on the error stack: */ + /* rs_err_ctx_push (ctx, RSE_WARN, "libradsec wasn't configured with " + "support for TLS preshared keys, ignoring pskstr " + "and pskhexstr");*/ +#endif /* RS_ENABLE_TLS_PSK */ } + /* For TLS and DTLS realms, validate that we either have (i) CA + cert file or path or (ii) PSK. */ + if ((r->type == RS_CONN_TYPE_TLS || r->type == RS_CONN_TYPE_DTLS) + && (r->cacertfile == NULL && r->cacertpath == NULL) + && r->transport_cred == NULL) + return rs_err_ctx_push (ctx, RSE_CONFIG, + "%s: missing both CA file/path and PSK", + r->name); + /* Add peers, one per server stanza. */ for (j = 0; j < cfg_size (cfg_realm, "server"); j++) { diff --git a/lib/configure.ac b/lib/configure.ac index 9c24310..3339352 100644 --- a/lib/configure.ac +++ b/lib/configure.ac @@ -21,6 +21,7 @@ AC_CHECK_LIB([freeradius-radius], [rad_alloc],, AC_MSG_ERROR([required library libfreeradius-radius not found])) # Enable-knobs. +## Enable TLS (RadSec). AH_TEMPLATE([RS_ENABLE_TLS], [TLS (RadSec) enabled]) AH_TEMPLATE([RADPROT_TLS], []) dnl Legacy. AC_ARG_ENABLE([tls], AS_HELP_STRING([--enable-tls], [enable TLS (RadSec)]), 
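Review bot: In hunk @@ -169,10 +171,9 @@ an unsupported `pskex` value leaves `type` at `RS_CRED_NONE`, so `r->transport_cred` stays NULL, and the new validation in hunk @@ -198,8 +199,23 @@ then rejects a PSK-only realm with `"%s: missing both CA file/path and PSK"` — the message points the operator at a missing CA while the actual cause is the key-exchange name, and the only explanation is the commented-out `rs_err_ctx_push` in the else branch. Since the realm is rejected in that configuration anyway, this can be a hard error now rather than a TODO: `return rs_err_ctx_push (ctx, RSE_CONFIG, "%s: unsupported PSK key exchange algorithm: %s", r->name, kex);` in place of the commented-out call. If `r->name` can be NULL for an untitled realm section, passing it to a `%s` conversion here and in the new validation message is undefined behaviour, which I cannot verify from the hunk. rs_context_read_config starts before and ends after these hunks.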
@@ -29,6 +30,13 @@ AC_ARG_ENABLE([tls], AS_HELP_STRING([--enable-tls], [enable TLS (RadSec)]), AC_DEFINE([RS_ENABLE_TLS]) AC_DEFINE([RADPROT_TLS])]) dnl Legacy. AM_CONDITIONAL([RS_ENABLE_TLS], [test "${enable_tls+set}" = set]) +## Enable TLS-PSK (preshared keys). +AH_TEMPLATE([RS_ENABLE_TLS_PSK], [TLS-PSK (TLS preshared keys) enabled]) +AC_ARG_ENABLE([tls-psk], AS_HELP_STRING([--enable-tls-psk], [enable TLS-PSK (TLS preshared keys)]), + [AC_CHECK_LIB([ssl], [SSL_set_psk_client_callback],, + AC_MSG_ERROR([required library openssl with SSL_set_psk_client_callback() not found])) + AC_DEFINE([RS_ENABLE_TLS_PSK])]) +AM_CONDITIONAL([RS_ENABLE_TLS_PSK], [test "${enable_tls_psk+set}" = set]) # Checks for header files. AC_CHECK_HEADERS( diff --git a/lib/rsp_tlscommon.c b/lib/rsp_tlscommon.c index a34fe33..75aa891 100644 --- a/lib/rsp_tlscommon.c +++ b/lib/rsp_tlscommon.c @@ -271,14 +271,15 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { } } - if (!tlsaddcacrl(ctx, conf)) { - if (conf->vpm) { - X509_VERIFY_PARAM_free(conf->vpm); - conf->vpm = NULL; - } - SSL_CTX_free(ctx); - return NULL; - } + if (conf->cacertfile != NULL || conf->cacertpath != NULL) + if (!tlsaddcacrl(ctx, conf)) { + if (conf->vpm) { + X509_VERIFY_PARAM_free(conf->vpm); + conf->vpm = NULL; + } + SSL_CTX_free(ctx); + return NULL; + } debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name); return ctx; diff --git a/lib/tls.c b/lib/tls.c index 12af489..0f07e46 100644 --- a/lib/tls.c +++ b/lib/tls.c @@ -42,6 +42,7 @@ _get_tlsconf (struct rs_connection *conn, const struct rs_realm *realm) return c; } +#if defined RS_ENABLE_TLS_PSK static unsigned int psk_client_cb (SSL *ssl, const char *hint, @@ -107,6 +108,7 @@ psk_client_cb (SSL *ssl, return cred->secret_len; } +#endif /* RS_ENABLE_TLS_PSK */ int rs_tls_init (struct rs_connection *conn) 
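Review bot: The action-if-given block of the new `AC_ARG_ENABLE([tls-psk], ...)` runs for `--disable-tls-psk` as well as `--enable-tls-psk`, so a disable request still probes for `SSL_set_psk_client_callback` and defines `RS_ENABLE_TLS_PSK`; likewise `test "${enable_tls_psk+set}" = set` is true for both spellings, so the automake conditional cannot be switched off. This mirrors the existing `tls` knob, but for a new knob it is worth testing the value: wrap the action in `AS_IF([test "x$enable_tls_psk" = xyes], [...])` and use `[test "x$enable_tls_psk" = xyes]` in the `AM_CONDITIONAL`. It may also be worth erroring out when `--enable-tls-psk` is given without `--enable-tls`, since the guarded code in lib/tls.c is presumably only built with TLS enabled — hedged, as the Makefile.am wiring is not in this diff.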
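Review bot: In lib/rsp_tlscommon.c the new `if (conf->cacertfile != NULL || conf->cacertpath != NULL)` wraps a second `if` without braces, the dangling-else shape this code base otherwise avoids; brace the outer body, `if (conf->cacertfile != NULL || conf->cacertpath != NULL) { if (!tlsaddcacrl(ctx, conf)) { ... } }`, keeping the inner cleanup unchanged. More importantly, skipping `tlsaddcacrl` leaves the context with no trust store, so a PSK-only realm is only safe if the handshake cannot fall back to a certificate cipher suite; nothing in this diff restricts the cipher list on a PSK-only context (for example `SSL_CTX_set_cipher_list(ctx, "PSK")`) or adjusts the verify mode, so please confirm where that happens or add it here, and the same applies to the callback installation in the lib/tls.c hunk @@ -140,11 +142,14 @@. If the verify mode is `SSL_VERIFY_PEER` with no CA loaded, a certificate handshake would at least fail closed, but that cannot be seen from the hunk. tlscreatectx starts before this hunk.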
@@ -140,11 +142,14 @@ rs_tls_init (struct rs_connection *conn) return -1; } +#if defined RS_ENABLE_TLS_PSK if (conn->active_peer->realm->transport_cred != NULL) { SSL_set_psk_client_callback (ssl, psk_client_cb); SSL_set_ex_data (ssl, 0, conn); } +#endif /* RS_ENABLE_TLS_PSK */ + conn->tls_ctx = ssl_ctx; conn->tls_ssl = ssl; rs_free (ctx, tlsconf); -- cgit v1.1
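Review bot: `SSL_set_ex_data (ssl, 0, conn)` uses the literal index 0 without reserving it; OpenSSL ex_data indices are meant to be obtained with `SSL_get_ex_new_index`, and a fixed 0 collides with any other component in the same process that does the same, which would hand `psk_client_cb` a foreign pointer. Suggest obtaining the index once, e.g. a file-scope `static int psk_ex_idx = -1;` initialised with `psk_ex_idx = SSL_get_ex_new_index (0, NULL, NULL, NULL, NULL);` and used by both this call and the `SSL_get_ex_data` lookup in `psk_client_cb`. The callback and its lookup are outside this hunk, so the matching side cannot be checked here. rs_tls_init continues outside this hunk.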