X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=fticks.c;h=4d4d2eba8e2a59ab5d7a8eafbc614bc471ca64d7;hb=refs%2Fheads%2Flicensing-nogpl;hp=ce4888eb5f0a1846dfcaf5c664affb8a61966821;hpb=5042a29c4e80ca97fa51122954079d7d169037e9;p=libradsec.git diff --git a/fticks.c b/fticks.c index ce4888e..4d4d2eb 100644 --- a/fticks.c +++ b/fticks.c @@ -1,55 +1,11 @@ -/* Copyright (C) 2011 NORDUnet A/S - * See LICENSE for information about licensing. - */ +/* Copyright (c) 2006-2010, UNINETT AS + * Copyright (c) 2010-2012, NORDUnet A/S */ +/* See LICENSE for licensing information. */ -#include /* For sprintf(). */ -#include -#include -#include - -#include -#include -#include -#include "list.h" #include "radsecproxy.h" #include "debug.h" - #include "fticks.h" - -static void -format_hash(const uint8_t *hash, size_t out_len, uint8_t *out) -{ - int i; - - for (i = 0; i < out_len / 2 - 1; i++) - sprintf((char *) out + i*2, "%02x", hash[i % SHA256_DIGEST_SIZE]); -} - -static void -hash(const uint8_t *in, - const uint8_t *key, - size_t out_len, - uint8_t *out) -{ - if (key == NULL) { - struct sha256_ctx ctx; - uint8_t hash[SHA256_DIGEST_SIZE]; - - sha256_init(&ctx); - sha256_update(&ctx, strlen((char *) in), in); - sha256_digest(&ctx, sizeof(hash), hash); - format_hash(hash, out_len, out); - } - else { - struct hmac_sha256_ctx ctx; - uint8_t hash[SHA256_DIGEST_SIZE]; - - hmac_sha256_set_key(&ctx, strlen((char *) key), key); - hmac_sha256_update(&ctx, strlen((char *) in), in); - hmac_sha256_digest(&ctx, sizeof(hash), hash); - format_hash(hash, out_len, out); - } -} +#include "fticks_hashmac.h" int fticks_configure(struct options *options, @@ -61,54 +17,61 @@ fticks_configure(struct options *options, const char *reporting = (const char *) *reportingp; const char *mac = (const char *) *macp; - if (reporting == NULL) - goto out; - - if (strcasecmp(reporting, "None") == 0) - options->fticks_reporting = RSP_FTICKS_REPORTING_NONE; - else if (strcasecmp(reporting, "Basic") == 0) - options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC; - else if (strcasecmp(reporting, "Full") == 0) - options->fticks_reporting = RSP_FTICKS_REPORTING_FULL; - else { - debugx(1, DBG_ERR, "config error: invalid FTicksReporting value: %s", - reporting); - r = 1; - goto out; + /* Set defaults. */ + options->fticks_reporting = RSP_FTICKS_REPORTING_NONE; + options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED; + + if (reporting != NULL) { + if (strcasecmp(reporting, "None") == 0) + options->fticks_reporting = RSP_FTICKS_REPORTING_NONE; + else if (strcasecmp(reporting, "Basic") == 0) + options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC; + else if (strcasecmp(reporting, "Full") == 0) + options->fticks_reporting = RSP_FTICKS_REPORTING_FULL; + else { + debugx(1, DBG_ERR, + "config error: invalid FTicksReporting value: %s", + reporting); + r = 1; + } } - if (strcasecmp(mac, "Static") == 0) - options->fticks_mac = RSP_FTICKS_MAC_STATIC; - else if (strcasecmp(mac, "Original") == 0) - options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL; - else if (strcasecmp(mac, "VendorHashed") == 0) - options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED; - else if (strcasecmp(mac, "VendorKeyHashed") == 0) - options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED; - else if (strcasecmp(mac, "FullyHashed") == 0) - options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED; - else if (strcasecmp(mac, "FullyKeyHashed") == 0) - options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED; - else { - debugx(1, DBG_ERR, "config error: invalid FTicksMAC value: %s", mac); - r = 1; - goto out; + if (mac != NULL) { + if (strcasecmp(mac, "Static") == 0) + options->fticks_mac = RSP_FTICKS_MAC_STATIC; + else if (strcasecmp(mac, "Original") == 0) + options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL; + else if (strcasecmp(mac, "VendorHashed") == 0) + options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED; + else if (strcasecmp(mac, "VendorKeyHashed") == 0) + options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED; + else if (strcasecmp(mac, "FullyHashed") == 0) + options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED; + else if (strcasecmp(mac, "FullyKeyHashed") == 0) + options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED; + else { + debugx(1, DBG_ERR, + "config error: invalid FTicksMAC value: %s", mac); + r = 1; + } } - if (*keyp == NULL - && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED - || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) { + if (*keyp != NULL) { + options->fticks_key = *keyp; + if (options->fticks_mac != RSP_FTICKS_MAC_VENDOR_KEY_HASHED + && options->fticks_mac != RSP_FTICKS_MAC_FULLY_KEY_HASHED) + debugx(1, DBG_WARN, "config warning: FTicksKey not used"); + } + else if (options->fticks_reporting != RSP_FTICKS_REPORTING_NONE + && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED + || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) { debugx(1, DBG_ERR, - "config error: FTicksMAC %s requires an FTicksKey", mac); - options->fticks_mac = RSP_FTICKS_MAC_STATIC; + "config error: FTicksMAC values VendorKeyHashed and " + "FullyKeyHashed require an FTicksKey"); + options->fticks_reporting = RSP_FTICKS_REPORTING_NONE; r = 1; - goto out; } - if (*keyp != NULL) - options->fticks_key = *keyp; - -out: if (*reportingp != NULL) { free(*reportingp); *reportingp = NULL; @@ -120,26 +83,6 @@ out: return r; } -/** Hash the MAC in \a IN, keying with \a KEY if it's not NULL. - - \a IN and \a KEY are NULL terminated strings. - - \a IN is sanitised by lowercasing it, removing all but [0-9a-f] - and truncating it at first ';' (due to RADIUS praxis with tacking - on SSID to MAC in Calling-Station-Id). */ -void -fticks_hashmac(const uint8_t *in, - const uint8_t *key, - size_t out_len, - uint8_t *out) -{ - /* TODO: lowercase */ - /* TODO: s/[!0-9a-f]//1 */ - /* TODO: truncate after first ';', if any */ - - hash(in, key, out_len, out); -} - void fticks_log(const struct options *options, const struct client *client, @@ -164,8 +107,13 @@ fticks_log(const struct options *options, memset(visinst, 0, sizeof(visinst)); if (options->fticks_reporting == RSP_FTICKS_REPORTING_FULL) { - snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#", - client->conf->name); + if (client->conf->fticks_visinst != NULL ) { + snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#", + client->conf->fticks_visinst); + } else { + snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#", + client->conf->name); + } } memset(macout, 0, sizeof(macout)); @@ -183,11 +131,17 @@ fticks_log(const struct options *options, break; case RSP_FTICKS_MAC_VENDOR_HASHED: memcpy(macout, macin, 9); - fticks_hashmac(macin + 9, NULL, sizeof(macout) - 9, macout + 9); + fticks_hashmac(macin, NULL, sizeof(macout) - 9, macout + 9); break; case RSP_FTICKS_MAC_VENDOR_KEY_HASHED: memcpy(macout, macin, 9); - fticks_hashmac(macin + 9, options->fticks_key, + /* We are hashing the first nine octets too for easier + * correlation between vendor-key-hashed and + * fully-key-hashed log records. This opens up for a + * known plaintext attack on the key but the + * consequences of that is considered outweighed by + * the convenience gained. */ + fticks_hashmac(macin, options->fticks_key, sizeof(macout) - 9, macout + 9); break; case RSP_FTICKS_MAC_FULLY_HASHED: @@ -203,7 +157,7 @@ fticks_log(const struct options *options, } } } - debug(0xff, + fticks_debug( "F-TICKS/eduroam/1.0#REALM=%s#VISCOUNTRY=%s#%sCSI=%s#RESULT=%s#", realm, client->conf->fticks_viscountry,