* See LICENSE for information about licensing.
*/
-#include <stdio.h> /* For sprintf(). */
-#include <string.h>
-#include <ctype.h>
-#include <errno.h>
-#include <nettle/sha.h>
-#include <nettle/hmac.h>
-
-#include <regex.h>
-#include <pthread.h>
-#include <sys/time.h>
#include "radsecproxy.h"
#include "debug.h"
-
#include "fticks.h"
-
-static void
-_format_hash(const uint8_t *hash, size_t out_len, uint8_t *out)
-{
- int ir, iw;
-
- for (ir = 0, iw = 0; iw <= out_len - 3; ir++, iw += 2)
- sprintf((char *) out + iw, "%02x", hash[ir % SHA256_DIGEST_SIZE]);
-}
-
-static void
-_hash(const uint8_t *in,
- const uint8_t *key,
- size_t out_len,
- uint8_t *out)
-{
- if (key == NULL) {
- struct sha256_ctx ctx;
- uint8_t hash[SHA256_DIGEST_SIZE];
-
- sha256_init(&ctx);
- sha256_update(&ctx, strlen((char *) in), in);
- sha256_digest(&ctx, sizeof(hash), hash);
- _format_hash(hash, out_len, out);
- }
- else {
- struct hmac_sha256_ctx ctx;
- uint8_t hash[SHA256_DIGEST_SIZE];
-
- hmac_sha256_set_key(&ctx, strlen((char *) key), key);
- hmac_sha256_update(&ctx, strlen((char *) in), in);
- hmac_sha256_digest(&ctx, sizeof(hash), hash);
- _format_hash(hash, out_len, out);
- }
-}
+#include "fticks_hashmac.h"
int
fticks_configure(struct options *options,
const char *reporting = (const char *) *reportingp;
const char *mac = (const char *) *macp;
- if (reporting == NULL)
- goto out;
-
- if (strcasecmp(reporting, "None") == 0)
- options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
- else if (strcasecmp(reporting, "Basic") == 0)
- options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC;
- else if (strcasecmp(reporting, "Full") == 0)
- options->fticks_reporting = RSP_FTICKS_REPORTING_FULL;
- else {
- debugx(1, DBG_ERR, "config error: invalid FTicksReporting value: %s",
- reporting);
- r = 1;
- goto out;
+ /* Set defaults. */
+ options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
+ options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
+
+ if (reporting != NULL) {
+ if (strcasecmp(reporting, "None") == 0)
+ options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
+ else if (strcasecmp(reporting, "Basic") == 0)
+ options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC;
+ else if (strcasecmp(reporting, "Full") == 0)
+ options->fticks_reporting = RSP_FTICKS_REPORTING_FULL;
+ else {
+ debugx(1, DBG_ERR,
+ "config error: invalid FTicksReporting value: %s",
+ reporting);
+ r = 1;
+ }
}
- if (strcasecmp(mac, "Static") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_STATIC;
- else if (strcasecmp(mac, "Original") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL;
- else if (strcasecmp(mac, "VendorHashed") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED;
- else if (strcasecmp(mac, "VendorKeyHashed") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
- else if (strcasecmp(mac, "FullyHashed") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED;
- else if (strcasecmp(mac, "FullyKeyHashed") == 0)
- options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED;
- else {
- debugx(1, DBG_ERR, "config error: invalid FTicksMAC value: %s", mac);
- r = 1;
- goto out;
+ if (mac != NULL) {
+ if (strcasecmp(mac, "Static") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_STATIC;
+ else if (strcasecmp(mac, "Original") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL;
+ else if (strcasecmp(mac, "VendorHashed") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED;
+ else if (strcasecmp(mac, "VendorKeyHashed") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
+ else if (strcasecmp(mac, "FullyHashed") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED;
+ else if (strcasecmp(mac, "FullyKeyHashed") == 0)
+ options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED;
+ else {
+ debugx(1, DBG_ERR,
+ "config error: invalid FTicksMAC value: %s", mac);
+ r = 1;
+ }
}
- if (*keyp == NULL
- && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED
- || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) {
+ if (*keyp != NULL) {
+ options->fticks_key = *keyp;
+ if (options->fticks_mac != RSP_FTICKS_MAC_VENDOR_KEY_HASHED
+ && options->fticks_mac != RSP_FTICKS_MAC_FULLY_KEY_HASHED)
+ debugx(1, DBG_WARN, "config warning: FTicksKey not used");
+ }
+ else if (options->fticks_reporting != RSP_FTICKS_REPORTING_NONE
+ && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED
+ || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) {
debugx(1, DBG_ERR,
- "config error: FTicksMAC %s requires an FTicksKey", mac);
- options->fticks_mac = RSP_FTICKS_MAC_STATIC;
+ "config error: FTicksMAC values VendorKeyHashed and "
+ "FullyKeyHashed require an FTicksKey");
+ options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
r = 1;
- goto out;
}
- if (*keyp != NULL)
- options->fticks_key = *keyp;
-
-out:
if (*reportingp != NULL) {
free(*reportingp);
*reportingp = NULL;
return r;
}
-/** Hash the Ethernet MAC address in \a IN, keying a HMAC with \a KEY
- unless \a KEY is NULL. If \a KEY is null \a IN is hashed with an
- ordinary cryptographic hash function such as SHA-2.
-
- \a IN and \a KEY are NULL terminated strings.
-
- \a IN is supposed to be an Ethernet MAC address and is sanitised
- by lowercasing it, removing all but [0-9a-f] and truncating it at
- the first ';' found. The truncation is done because RADIUS
- supposedly has a praxis of tacking on SSID to the MAC address in
- Calling-Station-Id.
-
- \return 0 on success, -ENOMEM on out of memory.
-*/
-int
-fticks_hashmac(const uint8_t *in,
- const uint8_t *key,
- size_t out_len,
- uint8_t *out)
-{
- uint8_t *in_copy = NULL;
- uint8_t *p = NULL;
- int i;
-
- in_copy = calloc(1, strlen((const char *) in) + 1);
- if (in_copy == NULL)
- return -ENOMEM;
-
- /* Sanitise and lowercase 'in' into 'in_copy'. */
- for (i = 0, p = in_copy; in[i] != '\0'; i++) {
- if (in[i] == ';') {
- *p++ = '\0';
- break;
- }
- if (in[i] >= '0' && in[i] <= '9') {
- *p++ = in[i];
- }
- else if (tolower(in[i]) >= 'a' && tolower(in[i]) <= 'f') {
- *p++ = tolower(in[i]);
- }
- }
-
- _hash(in_copy, key, out_len, out);
- free(in_copy);
- return 0;
-}
-
void
fticks_log(const struct options *options,
const struct client *client,