1 /* Copyright (C) 2011 NORDUnet A/S
2 * See LICENSE for information about licensing.
5 #include "radsecproxy.h"
8 #include "fticks_hashmac.h"
11 fticks_configure(struct options *options,
17 const char *reporting = (const char *) *reportingp;
18 const char *mac = (const char *) *macp;
21 options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
22 options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
24 if (reporting != NULL) {
25 if (strcasecmp(reporting, "None") == 0)
26 options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
27 else if (strcasecmp(reporting, "Basic") == 0)
28 options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC;
29 else if (strcasecmp(reporting, "Full") == 0)
30 options->fticks_reporting = RSP_FTICKS_REPORTING_FULL;
33 "config error: invalid FTicksReporting value: %s",
40 if (strcasecmp(mac, "Static") == 0)
41 options->fticks_mac = RSP_FTICKS_MAC_STATIC;
42 else if (strcasecmp(mac, "Original") == 0)
43 options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL;
44 else if (strcasecmp(mac, "VendorHashed") == 0)
45 options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED;
46 else if (strcasecmp(mac, "VendorKeyHashed") == 0)
47 options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
48 else if (strcasecmp(mac, "FullyHashed") == 0)
49 options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED;
50 else if (strcasecmp(mac, "FullyKeyHashed") == 0)
51 options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED;
54 "config error: invalid FTicksMAC value: %s", mac);
60 options->fticks_key = *keyp;
61 if (options->fticks_mac != RSP_FTICKS_MAC_VENDOR_KEY_HASHED
62 && options->fticks_mac != RSP_FTICKS_MAC_FULLY_KEY_HASHED)
63 debugx(1, DBG_WARN, "config warning: FTicksKey not used");
65 else if (options->fticks_reporting != RSP_FTICKS_REPORTING_NONE
66 && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED
67 || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) {
69 "config error: FTicksMAC values VendorKeyHashed and "
70 "FullyKeyHashed require an FTicksKey");
71 options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
75 if (*reportingp != NULL) {
87 fticks_log(const struct options *options,
88 const struct client *client,
89 const struct radmsg *msg,
90 const struct rqout *rqout)
92 uint8_t *username = NULL;
93 uint8_t *realm = NULL;
94 uint8_t visinst[8+40+1+1]; /* Room for 40 octets of VISINST. */
95 uint8_t *macin = NULL;
96 uint8_t macout[2*32+1]; /* Room for ASCII representation of SHA256. */
98 username = radattr2ascii(radmsg_gettype(rqout->rq->msg,
100 if (username != NULL) {
101 realm = (uint8_t *) strrchr((char *) username, '@');
106 realm = (uint8_t *) "";
108 memset(visinst, 0, sizeof(visinst));
109 if (options->fticks_reporting == RSP_FTICKS_REPORTING_FULL) {
110 if (client->conf->fticks_visinst != NULL ) {
111 snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#",
112 client->conf->fticks_visinst);
114 snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#",
119 memset(macout, 0, sizeof(macout));
120 if (options->fticks_mac == RSP_FTICKS_MAC_STATIC) {
121 strncpy((char *) macout, "undisclosed", sizeof(macout) - 1);
124 macin = radattr2ascii(radmsg_gettype(rqout->rq->msg,
125 RAD_Attr_Calling_Station_Id));
127 switch (options->fticks_mac)
129 case RSP_FTICKS_MAC_ORIGINAL:
130 memcpy(macout, macin, sizeof(macout));
132 case RSP_FTICKS_MAC_VENDOR_HASHED:
133 memcpy(macout, macin, 9);
134 fticks_hashmac(macin, NULL, sizeof(macout) - 9, macout + 9);
136 case RSP_FTICKS_MAC_VENDOR_KEY_HASHED:
137 memcpy(macout, macin, 9);
138 /* We are hashing the first nine octets too for easier
139 * correlation between vendor-key-hashed and
140 * fully-key-hashed log records. This opens up for a
141 * known plaintext attack on the key but the
142 * consequences of that is considered outweighed by
143 * the convenience gained. */
144 fticks_hashmac(macin, options->fticks_key,
145 sizeof(macout) - 9, macout + 9);
147 case RSP_FTICKS_MAC_FULLY_HASHED:
148 fticks_hashmac(macin, NULL, sizeof(macout), macout);
150 case RSP_FTICKS_MAC_FULLY_KEY_HASHED:
151 fticks_hashmac(macin, options->fticks_key, sizeof(macout),
155 debugx(2, DBG_ERR, "invalid fticks mac configuration: %d",
156 options->fticks_mac);
161 "F-TICKS/eduroam/1.0#REALM=%s#VISCOUNTRY=%s#%sCSI=%s#RESULT=%s#",
163 client->conf->fticks_viscountry,
166 msg->code == RAD_Access_Accept ? "OK" : "FAIL");
169 if (username != NULL)
173 /* Local Variables: */
174 /* c-file-style: "stroustrup" */