X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=fticks.c;h=43b37fe961634f5f4c56d325cf712652dcf735a2;hb=28e1381a49869874b7fd291b8d82f6a231691dbb;hp=fd9a57d533627b44830427f0ea67b426cfe5c378;hpb=efccefde3e17d3202dff7714491ed85bcd56d371;p=libradsec.git diff --git a/fticks.c b/fticks.c index fd9a57d..43b37fe 100644 --- a/fticks.c +++ b/fticks.c @@ -2,54 +2,10 @@ * See LICENSE for information about licensing. */ -#include /* For sprintf(). */ -#include -#include -#include - -#include -#include -#include -#include "list.h" #include "radsecproxy.h" #include "debug.h" - #include "fticks.h" - -static void -format_hash(const uint8_t *hash, size_t out_len, uint8_t *out) -{ - int i; - - for (i = 0; i < out_len / 2; i++) - sprintf((char *) out + i*2, "%02x", hash[i % SHA256_DIGEST_SIZE]); -} - -static void -hash(const uint8_t *in, - const uint8_t *key, - size_t out_len, - uint8_t *out) -{ - if (key == NULL) { - struct sha256_ctx ctx; - uint8_t hash[SHA256_DIGEST_SIZE]; - - sha256_init(&ctx); - sha256_update(&ctx, strlen((char *) in), in); - sha256_digest(&ctx, sizeof(hash), hash); - format_hash(hash, out_len, out); - } - else { - struct hmac_sha256_ctx ctx; - uint8_t hash[SHA256_DIGEST_SIZE]; - - hmac_sha256_set_key(&ctx, strlen((char *) key), key); - hmac_sha256_update(&ctx, strlen((char *) in), in); - hmac_sha256_digest(&ctx, sizeof(hash), hash); - format_hash(hash, out_len, out); - } -} +#include "fticks_hashmac.h" int fticks_configure(struct options *options, @@ -61,54 +17,61 @@ fticks_configure(struct options *options, const char *reporting = (const char *) *reportingp; const char *mac = (const char *) *macp; - if (reporting == NULL) - goto out; - - if (strcasecmp(reporting, "None") == 0) - options->fticks_reporting = RSP_FTICKS_REPORTING_NONE; - else if (strcasecmp(reporting, "Basic") == 0) - options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC; - else if (strcasecmp(reporting, "Full") == 0) - options->fticks_reporting = RSP_FTICKS_REPORTING_FULL; - else { - debugx(1, DBG_ERR, "config error: invalid FTicksReporting value: %s", - reporting); - r = 1; - goto out; + /* Set defaults. */ + options->fticks_reporting = RSP_FTICKS_REPORTING_NONE; + options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED; + + if (reporting != NULL) { + if (strcasecmp(reporting, "None") == 0) + options->fticks_reporting = RSP_FTICKS_REPORTING_NONE; + else if (strcasecmp(reporting, "Basic") == 0) + options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC; + else if (strcasecmp(reporting, "Full") == 0) + options->fticks_reporting = RSP_FTICKS_REPORTING_FULL; + else { + debugx(1, DBG_ERR, + "config error: invalid FTicksReporting value: %s", + reporting); + r = 1; + } } - if (strcasecmp(mac, "Static") == 0) - options->fticks_mac = RSP_FTICKS_MAC_STATIC; - else if (strcasecmp(mac, "Original") == 0) - options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL; - else if (strcasecmp(mac, "VendorHashed") == 0) - options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED; - else if (strcasecmp(mac, "VendorKeyHashed") == 0) - options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED; - else if (strcasecmp(mac, "FullyHashed") == 0) - options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED; - else if (strcasecmp(mac, "FullyKeyHashed") == 0) - options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED; - else { - debugx(1, DBG_ERR, "config error: invalid FTicksMAC value: %s", mac); - r = 1; - goto out; + if (mac != NULL) { + if (strcasecmp(mac, "Static") == 0) + options->fticks_mac = RSP_FTICKS_MAC_STATIC; + else if (strcasecmp(mac, "Original") == 0) + options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL; + else if (strcasecmp(mac, "VendorHashed") == 0) + options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED; + else if (strcasecmp(mac, "VendorKeyHashed") == 0) + options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED; + else if (strcasecmp(mac, "FullyHashed") == 0) + options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED; + else if (strcasecmp(mac, "FullyKeyHashed") == 0) + options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED; + else { + debugx(1, DBG_ERR, + "config error: invalid FTicksMAC value: %s", mac); + r = 1; + } } - if (*keyp == NULL - && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED - || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) { + if (*keyp != NULL) { + options->fticks_key = *keyp; + if (options->fticks_mac != RSP_FTICKS_MAC_VENDOR_KEY_HASHED + && options->fticks_mac != RSP_FTICKS_MAC_FULLY_KEY_HASHED) + debugx(1, DBG_WARN, "config warning: FTicksKey not used"); + } + else if (options->fticks_reporting != RSP_FTICKS_REPORTING_NONE + && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED + || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) { debugx(1, DBG_ERR, - "config error: FTicksMAC %s requires an FTicksKey", mac); - options->fticks_mac = RSP_FTICKS_MAC_STATIC; + "config error: FTicksMAC values VendorKeyHashed and " + "FullyKeyHashed require an FTicksKey"); + options->fticks_reporting = RSP_FTICKS_REPORTING_NONE; r = 1; - goto out; } - if (*keyp != NULL) - options->fticks_key = *keyp; - -out: if (*reportingp != NULL) { free(*reportingp); *reportingp = NULL; @@ -120,34 +83,14 @@ out: return r; } -/** Hash the MAC in \a IN, keying with \a KEY if it's not NULL. - - \a IN and \a KEY are NULL terminated strings. - - \a IN is sanitised by lowercasing it, removing all but [0-9a-f] - and truncating it at first ';' (due to RADIUS praxis with tacking - on SSID to MAC in Calling-Station-Id). */ -void -fticks_hashmac(const uint8_t *in, - const uint8_t *key, - size_t out_len, - uint8_t *out) -{ - /* TODO: lowercase */ - /* TODO: s/[!0-9a-f]//1 */ - /* TODO: truncate after first ';', if any */ - - hash(in, key, out_len, out); -} - void fticks_log(const struct options *options, const struct client *client, const struct radmsg *msg, const struct rqout *rqout) { - unsigned char *username = NULL; - unsigned char *realm = NULL; + uint8_t *username = NULL; + uint8_t *realm = NULL; uint8_t visinst[8+40+1+1]; /* Room for 40 octets of VISINST. */ uint8_t *macin = NULL; uint8_t macout[2*32+1]; /* Room for ASCII representation of SHA256. */ @@ -155,17 +98,22 @@ fticks_log(const struct options *options, username = radattr2ascii(radmsg_gettype(rqout->rq->msg, RAD_Attr_User_Name)); if (username != NULL) { - realm = (unsigned char *) strrchr((char *) username, '@'); + realm = (uint8_t *) strrchr((char *) username, '@'); if (realm != NULL) realm++; - else - realm = (unsigned char *) ""; } + if (realm == NULL) + realm = (uint8_t *) ""; memset(visinst, 0, sizeof(visinst)); if (options->fticks_reporting == RSP_FTICKS_REPORTING_FULL) { - snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#", - client->conf->name); + if (client->conf->fticks_visinst != NULL ) { + snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#", + client->conf->fticks_visinst); + } else { + snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#", + client->conf->name); + } } memset(macout, 0, sizeof(macout)); @@ -183,11 +131,17 @@ fticks_log(const struct options *options, break; case RSP_FTICKS_MAC_VENDOR_HASHED: memcpy(macout, macin, 9); - fticks_hashmac(macin + 9, NULL, sizeof(macout) - 9, macout + 9); + fticks_hashmac(macin, NULL, sizeof(macout) - 9, macout + 9); break; case RSP_FTICKS_MAC_VENDOR_KEY_HASHED: memcpy(macout, macin, 9); - fticks_hashmac(macin + 9, options->fticks_key, + /* We are hashing the first nine octets too for easier + * correlation between vendor-key-hashed and + * fully-key-hashed log records. This opens up for a + * known plaintext attack on the key but the + * consequences of that is considered outweighed by + * the convenience gained. */ + fticks_hashmac(macin, options->fticks_key, sizeof(macout) - 9, macout + 9); break; case RSP_FTICKS_MAC_FULLY_HASHED: @@ -203,7 +157,7 @@ fticks_log(const struct options *options, } } } - debug(0xff, + fticks_debug( "F-TICKS/eduroam/1.0#REALM=%s#VISCOUNTRY=%s#%sCSI=%s#RESULT=%s#", realm, client->conf->fticks_viscountry,