authorLinus Nordberg <linus@nordu.net>2012-01-24 13:16:26 +0100
committerLinus Nordberg <linus@nordu.net>2012-01-24 13:16:26 +0100
commitcb81fb758f13eb69945255655546995834e4ace0 (patch)
treeaf0696dcd836251385d32752339b261697aeb0f3
parent6eb1c6fd3f2ff41efa8ecd202750565fd38daeb4 (diff)
Add TLS PSK configuration options.
-rw-r--r--lib/conf.c41
-rw-r--r--lib/examples/client.conf3
-rw-r--r--lib/include/radsec/radsec-impl.h9
3 files changed, 49 insertions, 4 deletions
diff --git a/lib/conf.c b/lib/conf.c
index 83c2e4b..e54ad54 100644
--- a/lib/conf.c
+++ b/lib/conf.c
@@ -7,6 +7,7 @@
#include <confuse.h>
#include <string.h>
+#include <assert.h>
#include <radsec/radsec.h>
#include <radsec/radsec-impl.h>
#include "peer.h"
@@ -25,6 +26,9 @@
#cacertpath = STRING
certfile = STRING
certkeyfile = STRING
+ psk = STRING # Transport pre-shared key.
+ pskid = STRING
+ pskex = "PSK"|"DHE_PSK"|"RSA_PSK"
}
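Review bot: The documented value set on the line `pskex = "PSK"|"DHE_PSK"|"RSA_PSK"` is wider than what this commit actually parses: only "PSK" maps to a credential type in rs_context_read_config, and the other two exchanges exist only as commented-out enumerators in radsec-impl.h. An administrator reading this schema block will set DHE_PSK and expect it to take effect. Suggest `pskex = "PSK" # only "PSK" is implemented; "DHE_PSK"/"RSA_PSK" reserved` until the other key exchanges land.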
# client specific realm config options
@@ -32,7 +36,7 @@
server {
hostname = STRING
service = STRING
- secret = STRING
+ secret = STRING # RADIUS secret
}
}
#endif
@@ -63,6 +67,9 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
/*CFG_STR ("cacertpath", NULL, CFGF_NONE),*/
CFG_STR ("certfile", NULL, CFGF_NONE),
CFG_STR ("certkeyfile", NULL, CFGF_NONE),
+ CFG_STR ("psk", NULL, CFGF_NONE),
+ CFG_STR ("pskid", NULL, CFGF_NONE),
+ CFG_STR ("pskex", "PSK", CFGF_NONE),
CFG_SEC ("server", server_opts, CFGF_MULTI),
CFG_END ()
};
@@ -103,6 +110,7 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
{
struct rs_realm *r = NULL;
const char *typestr;
+ char *psk;
r = rs_calloc (ctx, 1, sizeof(*r));
if (r == NULL)
@@ -146,6 +154,37 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
r->certfile = cfg_getstr (cfg_realm, "certfile");
r->certkeyfile = cfg_getstr (cfg_realm, "certkeyfile");
+ psk = cfg_getstr (cfg_realm, "psk");
+ if (psk)
+ {
+ char *kex = cfg_getstr (cfg_realm, "pskex");
+ rs_cred_type_t type = RS_CRED_NONE;
+ struct rs_credentials *cred = NULL;
+ assert (kex != NULL);
+
+ if (!strcmp (kex, "PSK"))
+ type = RS_CRED_TLS_PSK;
+ else
+ {
+ /* TODO: push a warning, using a separate warn stack or
+ onto the ordinary error stack? */
+ /* rs_err_ctx_push (ctx, FIXME, "%s: unsupported PSK key exchange"
+ " algorithm -- PSK not used", kex);*/
+ }
+
+ if (type != RS_CRED_NONE)
+ {
+ cred = rs_calloc (ctx, 1, sizeof (*cred));
+ if (cred == NULL)
+ return rs_err_ctx_push_fl (ctx, RSE_NOMEM, __FILE__, __LINE__,
+ NULL);
+ cred->type = type;
+ cred->identity = cfg_getstr (cfg_realm, "pskid");
+ cred->secret = psk;
+ r->transport_cred = cred;
+ }
+ }
+
/* Add peers, one per server stanza. */
for (j = 0; j < cfg_size (cfg_realm, "server"); j++)
{
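Review bot: An unrecognised `pskex` value silently drops the configured PSK — the else branch holding the commented-out rs_err_ctx_push leaves `type` at RS_CRED_NONE and the realm continues without transport credentials, so a typo in the config downgrades the connection's authentication with no indication. A hard configuration error is the safer default: replace the else body with `return rs_err_ctx_push_fl (ctx, <the library's configuration error code>, __FILE__, __LINE__, "%s: unsupported PSK key exchange algorithm", kex);` (only RSE_NOMEM is visible in this hunk, so pick the matching code from the error enum). Likewise `cred->identity` is assigned from `pskid` with no NULL check although its CFG_STR default is NULL; a PSK client needs an identity to offer, so `psk` without `pskid` should be rejected the same way rather than stored as a half-initialised credential. Note also that the secret remains in libconfuse's string storage and is merely aliased by `cred->secret`; whether it is wiped when the cfg or the realm is freed is not visible here. rs_context_read_config continues outside the hunk.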
diff --git a/lib/examples/client.conf b/lib/examples/client.conf
index 07486c6..edd090e 100644
--- a/lib/examples/client.conf
+++ b/lib/examples/client.conf
@@ -18,6 +18,9 @@ realm blocking-tls {
cacertfile = "tests/demoCA/newcerts/01.pem"
certfile = "tests/demoCA/newcerts/02.pem"
certkeyfile = "tests/demoCA/private/c2key.pem"
+ psk = "sikrit psk"
+ pskid = "allan"
+ pskex = "PSK"
server {
hostname = "localhost"
service = "2083"
diff --git a/lib/include/radsec/radsec-impl.h b/lib/include/radsec/radsec-impl.h
index f8891ee..01288d3 100644
--- a/lib/include/radsec/radsec-impl.h
+++ b/lib/include/radsec/radsec-impl.h
@@ -16,7 +16,10 @@
/* Data types. */
enum rs_cred_type {
RS_CRED_NONE = 0,
- RS_CRED_TLS_PSK_RSA, /* RFC 4279. */
+ /* TLS pre-shared keys, RFC 4279. */
+ RS_CRED_TLS_PSK,
+ /* RS_CRED_TLS_DH_PSK, */
+ /* RS_CRED_TLS_RSA_PSK, */
};
typedef unsigned int rs_cred_type_t;
@@ -40,7 +43,7 @@ struct rs_peer {
struct rs_connection *conn;
struct rs_realm *realm;
struct evutil_addrinfo *addr;
- char *secret;
+ char *secret; /* RADIUS secret. */
struct rs_peer *next;
};
@@ -54,6 +57,7 @@ struct rs_realm {
char *cacertpath;
char *certfile;
char *certkeyfile;
+ struct rs_credentials *transport_cred;
struct rs_peer *peers;
struct rs_realm *next;
};
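Review bot: The new `transport_cred` member carries no ownership or nullability comment, although the neighbouring rs_connection struct documents its `realm` pointer as "Owned by ctx." In conf.c the credential is rs_calloc'd per realm only when `psk` is set and is otherwise left NULL; where it is freed is not part of this commit. Suggest `struct rs_credentials *transport_cred; /* TLS PSK, NULL if unconfigured; allocated in rs_context_read_config. */` so the next reader knows the field can be NULL and who releases it.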
@@ -77,7 +81,6 @@ struct rs_connection {
struct rs_realm *realm; /* Owned by ctx. */
struct event_base *evb; /* Event base. */
struct event *tev; /* Timeout event. */
- struct rs_credentials transport_credentials;
struct rs_conn_callbacks callbacks;
void *user_data;
struct rs_peer *peers;
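Review bot: Removing `transport_credentials` from rs_connection changes the struct layout and breaks any code that still reads `conn->transport_credentials`; the diffstat lists only these three files, so if such a reference exists elsewhere (not visible here) it is not updated by this commit. If the realm's pointer is the intended replacement, a one-line comment on the struct, e.g. `/* TLS credentials now live in realm->transport_cred. */`, would make the move explicit for callers.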