From 010285e8814349c31ffb04f7ed0f3c0e3a3c878c Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Fri, 1 Apr 2011 20:42:49 +0200
Subject: Add configuration options for F-Ticks logging.

---
 radsecproxy.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++++
 radsecproxy.conf-example | 25 +++++++++++++++++
 radsecproxy.h | 18 +++++++++++++
 3 files changed, 113 insertions(+)

diff --git a/radsecproxy.c b/radsecproxy.c
index 80a721d..8ea990e 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -3002,11 +3002,76 @@ int setprotoopts(uint8_t type, char **listenargs, char *sourcearg) {
 return 1;
 }
 
+int configure_fticks(char **reporting, char **mac, char **key) {
+ int r = 0;
+
+ if (*reporting == NULL)
+ goto out;
+
+ if (strcasecmp(*reporting, "None") == 0)
+ options.fticks_reporting = RSP_FTICKS_REPORTING_NONE;
+ else if (strcasecmp(*reporting, "Basic") == 0)
+ options.fticks_reporting = RSP_FTICKS_REPORTING_BASIC;
+ else if (strcasecmp(*reporting, "Full") == 0)
+ options.fticks_reporting = RSP_FTICKS_REPORTING_FULL;
+ else {
+ debugx(1, DBG_ERR, "config error: invalid F-Ticks-Reporting value: %s",
+ *reporting);
+ r = 1;
+ goto out;
+ }
+
+ if (strcasecmp(*mac, "Static") == 0)
+ options.fticks_mac = RSP_FTICKS_MAC_STATIC;
+ else if (strcasecmp(*mac, "Original") == 0)
+ options.fticks_mac = RSP_FTICKS_MAC_ORIGINAL;
+ else if (strcasecmp(*mac, "VendorHashed") == 0)
+ options.fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED;
+ else if (strcasecmp(*mac, "VendorKeyHashed") == 0)
+ options.fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
+ else if (strcasecmp(*mac, "FullyHashed") == 0)
+ options.fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED;
+ else if (strcasecmp(*mac, "FullyKeyHashed") == 0)
+ options.fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED;
+ else {
+ debugx(1, DBG_ERR, "config error: invalid F-Ticks-MAC value: %s", *mac);
+ r = 1;
+ goto out;
+ }
+
+ if (*key == NULL
+ && (options.fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED
+ || options.fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) {
+ debugx(1, DBG_ERR,
+ "config error: F-Ticks-MAC %s requires an F-Ticks-Key", *mac);
+ options.fticks_mac = RSP_FTICKS_MAC_STATIC;
+ r = 1;
+ goto out;
+ }
+
+ if (*key != NULL)
+ options.fticks_key = *key;
+
+out:
+ if (*reporting != NULL) {
+ free(*reporting);
+ *reporting = NULL;
+ }
+ if (*mac != NULL) {
+ free(*mac);
+ *mac = NULL;
+ }
+ return r;
+}
+
 void getmainconfig(const char *configfile) {
 long int addttl = LONG_MIN, loglevel = LONG_MIN;
 struct gconffile *cfs;
 char
**listenargs[RAD_PROTOCOUNT];
 char *sourcearg[RAD_PROTOCOUNT];
+ char *fticks_reporting_str = NULL;
+ char *fticks_mac_str = NULL;
+ char *fticks_key_str = NULL;
 int i;
 
 cfs = openconfigfile(configfile);
@@ -3060,6 +3125,9 @@ void getmainconfig(const char *configfile) {
 "TLS", CONF_CBK, conftls_cb, NULL,
 #endif
 "Rewrite", CONF_CBK, confrewrite_cb, NULL,
+ "F-Ticks-Reporting", CONF_STR, &fticks_reporting_str,
+ "F-Ticks-MAC", CONF_STR, &fticks_mac_str,
+ "F-Ticks-Key", CONF_STR, &fticks_key_str,
 NULL
 ))
 debugx(1, DBG_ERR, "configuration error");
@@ -3077,6 +3145,8 @@ void getmainconfig(const char *configfile) {
 if (!setttlattr(&options, DEFAULT_TTL_ATTR))
 debugx(1, DBG_ERR, "Failed to set TTLAttribute, exiting");
 
+ configure_fticks(&fticks_reporting_str, &fticks_mac_str, &fticks_key_str);
+
 for (i = 0; i < RAD_PROTOCOUNT; i++)
 if (listenargs[i] || sourcearg[i])
 setprotoopts(i, listenargs[i], sourcearg[i]);
diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index 6d24ba8..9ec003d 100644
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
@@ -17,6 +17,7 @@
 #SourceTCP *:33000
 #SourceTLS *:33001
 #SourceDTLS *:33001
+
 # Optional log level. 3 is default, 1 is less, 5 is more
 #LogLevel 3
 # Optional LogDestination, else stderr used for logging
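Review bot: `strcasecmp(*mac, "Static")` in configure_fticks is reached with `*mac == NULL` whenever F-Ticks-Reporting is set but F-Ticks-MAC is not — the conf-example in this commit calls F-Ticks-MAC optional and getmainconfig initialises fticks_mac_str to NULL — so such a configuration dereferences NULL at startup instead of taking the documented Static default. Insert the default ahead of the comparison chain: `if (*mac == NULL)` / `options.fticks_mac = RSP_FTICKS_MAC_STATIC;` / `else if (strcasecmp(*mac, "Static") == 0)`; the later `%s` with `*mac` in the requires-an-F-Ticks-Key message is then only reached for the two key-hashed modes, which the chain can only select from a non-NULL `*mac`. Separately, `*key` is consumed only on the success path (`options.fticks_key = *key;`), so when reporting is unset or a value is rejected the parsed key string is neither stored nor freed; the `out:` block should release it in those cases, and a header comment stating that the function takes ownership of all three strings would make that contract visible.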
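Review bot: The value returned by `configure_fticks(&fticks_reporting_str, &fticks_mac_str, &fticks_key_str);` is discarded, so its `r = 1` failure paths only stop startup if debugx itself exits — its use for "configuration error" a few lines earlier suggests it does, but that is not visible in this patch. Either make the intent explicit, `if (configure_fticks(&fticks_reporting_str, &fticks_mac_str, &fticks_key_str))` / `debugx(1, DBG_ERR, "configuration error");`, or drop the unused return value so readers do not expect a checked result. getmainconfig starts and ends outside this hunk.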
@@ -28,6 +29,30 @@
 #LogDestination x-syslog:///
 #LogDestination x-syslog:///log_local2
 
+# For generating log entries conforming to the F-Ticks system, specify
+# F-Ticks-Reporting with one of
+# None -- Do not log in F-Ticks format. This is the default.
+# Basic -- Do log in F-Ticks format but do not log VISINST.
+# Full -- Do log in F-Ticks format and do log VISINST.
+
+# You can optionally specify F-Ticks-MAC in order to determine if and
+# how Calling-Station-Id is logged.
+# Static -- Use a static string as a placeholder for
+# Calling-Station-Id. This is the default.
+# Original -- Log Calling-Station-Id as-is.
+# VendorHashed -- Keep first three segments as-is, hash the rest.
+# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key.
+# FullyHashed -- Hash the entire string.
+# FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key.
+
+# In order to use F-Ticks-MAC with one of VendorKeyHashed or
+# FullyKeyHashed, specify a key with F-Ticks-Key.
+# F-Ticks-Key
+
+# Default F-Ticks configuration:
+#F-Ticks-Reporting None
+#F-Ticks-Mac FullyKeyHashed
+
 # There is an option for doing some simple loop prevention. Note that
 # the LoopPrevention directive can be used in server blocks too,
 # overriding what's set here in the basic settings.
diff --git a/radsecproxy.h b/radsecproxy.h
index be57c56..2cd55ee 100644
--- a/radsecproxy.h
+++ b/radsecproxy.h
@@ -33,6 +33,21 @@
 #define RAD_DTLS 3
 #define RAD_PROTOCOUNT 4
 
+enum rsp_fticks_reporting_type {
+ RSP_FTICKS_REPORTING_NONE = 0, /* Default. */
+ RSP_FTICKS_REPORTING_BASIC,
+ RSP_FTICKS_REPORTING_FULL
+};
+
+enum rsp_fticks_mac_type {
+ RSP_FTICKS_MAC_STATIC = 0, /* Default. */
+ RSP_FTICKS_MAC_ORIGINAL,
+ RSP_FTICKS_MAC_VENDOR_HASHED,
+ RSP_FTICKS_MAC_VENDOR_KEY_HASHED,
+ RSP_FTICKS_MAC_FULLY_HASHED,
+ RSP_FTICKS_MAC_FULLY_KEY_HASHED
+};
+
 struct options {
 char *logdestination;
 char *ttlattr;
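Review bot: The "Default F-Ticks configuration" block lists `#F-Ticks-Mac FullyKeyHashed`, which contradicts the Static entry above it ("This is the default"), the `/* Default. */` marker on RSP_FTICKS_MAC_STATIC in radsecproxy.h, and configure_fticks's own rule that FullyKeyHashed is rejected without an F-Ticks-Key. The directive is also spelled `F-Ticks-Mac` here but `F-Ticks-MAC` in the option table, so copying the line only works if the config parser matches names case-insensitively, which this patch does not show. Change the sample to `#F-Ticks-MAC Static`, or keep FullyKeyHashed as the recommended setting but label it as such rather than as the default and pair it with a commented `#F-Ticks-Key` line.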
@@ -40,6 +55,9 @@ struct options {
 uint8_t addttl;
 uint8_t loglevel;
 uint8_t loopprevention;
+ enum rsp_fticks_reporting_type fticks_reporting;
+ enum rsp_fticks_mac_type fticks_mac;
+ char *fticks_key;
 };
 
 struct commonprotoopts {
-- 
cgit v1.1
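Review bot: The three new struct options fields carry no comment on ownership or on what their zero state means, although configure_fticks depends on both: `fticks_key` is assigned the string the config parser allocated (no copy, so options owns it and nothing else may free it), and `fticks_reporting`/`fticks_mac` are left untouched — i.e. at the zero-valued enum defaults — when the directives are absent. Suggest `char *fticks_key; /* Allocated by the config parser, owned here; NULL when unset. */` and `/* Zero value is the default; see the enums above. */` on the two enum fields. struct options starts outside this hunk.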