-rw-r--r-- | fticks.c | 88 | ||||
-rw-r--r-- | radsecproxy.conf-example | 7 | ||||
-rw-r--r-- | radsecproxy.conf.5.xml | 36 | ||||
-rw-r--r-- | radsecproxy.h | 4 |
4 files changed, 77 insertions, 58 deletions
@@ -17,55 +17,61 @@ fticks_configure(struct options *options,
     const char *reporting = (const char *) *reportingp;
     const char *mac = (const char *) *macp;
-    if (reporting == NULL)
-        goto out;
-    if (strcasecmp(reporting, "None") == 0)
-        options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
-    else if (strcasecmp(reporting, "Basic") == 0)
-        options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC;
-    else if (strcasecmp(reporting, "Full") == 0)
-        options->fticks_reporting = RSP_FTICKS_REPORTING_FULL;
-    else {
-        debugx(1, DBG_ERR, "config error: invalid FTicksReporting value: %s",
-               reporting);
-        r = 1;
-        goto out;
+    /* Set defaults. */
+    options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
+    options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
+
+    if (reporting != NULL) {
+        if (strcasecmp(reporting, "None") == 0)
+            options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
+        else if (strcasecmp(reporting, "Basic") == 0)
+            options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC;
+        else if (strcasecmp(reporting, "Full") == 0)
+            options->fticks_reporting = RSP_FTICKS_REPORTING_FULL;
+        else {
+            debugx(1, DBG_ERR,
+                   "config error: invalid FTicksReporting value: %s",
+                   reporting);
+            r = 1;
+        }
     }
-    if (mac == NULL)
-        goto out;
-    if (strcasecmp(mac, "Static") == 0)
-        options->fticks_mac = RSP_FTICKS_MAC_STATIC;
-    else if (strcasecmp(mac, "Original") == 0)
-        options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL;
-    else if (strcasecmp(mac, "VendorHashed") == 0)
-        options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED;
-    else if (strcasecmp(mac, "VendorKeyHashed") == 0)
-        options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
-    else if (strcasecmp(mac, "FullyHashed") == 0)
-        options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED;
-    else if (strcasecmp(mac, "FullyKeyHashed") == 0)
-        options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED;
-    else {
-        debugx(1, DBG_ERR, "config error: invalid FTicksMAC value: %s", mac);
-        r = 1;
-        goto out;
+    if (mac != NULL) {
+        if (strcasecmp(mac, "Static") == 0)
+            options->fticks_mac = RSP_FTICKS_MAC_STATIC;
+        else if (strcasecmp(mac, "Original") == 0)
+            options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL;
+        else if (strcasecmp(mac, "VendorHashed") == 0)
+            options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED;
+        else if (strcasecmp(mac, "VendorKeyHashed") == 0)
+            options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
+        else if (strcasecmp(mac, "FullyHashed") == 0)
+            options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED;
+        else if (strcasecmp(mac, "FullyKeyHashed") == 0)
+            options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED;
+        else {
+            debugx(1, DBG_ERR,
+                   "config error: invalid FTicksMAC value: %s", mac);
+            r = 1;
+        }
     }
-    if (*keyp == NULL
-        && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED
-            || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) {
+    if (*keyp != NULL) {
+        options->fticks_key = *keyp;
+        if (options->fticks_mac != RSP_FTICKS_MAC_VENDOR_KEY_HASHED
+            && options->fticks_mac != RSP_FTICKS_MAC_FULLY_KEY_HASHED)
+            debugx(1, DBG_WARN, "config warning: FTicksKey not used");
+    }
+    else if (options->fticks_reporting != RSP_FTICKS_REPORTING_NONE
+             && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED
+                 || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) {
         debugx(1, DBG_ERR,
-               "config error: FTicksMAC %s requires an FTicksKey", mac);
-        options->fticks_mac = RSP_FTICKS_MAC_STATIC;
+               "config error: FTicksMAC values VendorKeyHashed and "
+               "FullyKeyHashed require an FTicksKey");
+        options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
         r = 1;
-        goto out;
     }
-    if (*keyp != NULL)
-        options->fticks_key = *keyp;
-
-out:
     if (*reportingp != NULL) {
         free(*reportingp);
         *reportingp = NULL;
diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index 909356c..2c1b35b 100644
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
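Review bot: The new "FTicksKey not used" warning in the key-handling branch is emitted through `debugx(1, DBG_WARN, ...)`, the same call the error paths use with a non-zero first argument; if debugx() terminates the process with that status, as the existing `r = 1;` lines placed after every `debugx(1, DBG_ERR, ...)` would otherwise be unreachable suggests, then a merely superfluous key aborts startup instead of being logged. A warning should go through the non-fatal logger, `debug(DBG_WARN, "config warning: FTicksKey not used");`, and if debugx() does exit, the `r = 1` assignments after the DBG_ERR calls are dead code and the return-code contract deserves a look. The `else if` that requires a key only when reporting is enabled is deliberate but easy to misread now that the default FTicksMAC is key-hashed; a one-line comment such as `/* A missing key only matters once reporting is on; the default FTicksMAC is key-hashed. */` above it would save the next reader the inference. fticks_configure's body starts and ends outside the hunk.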
@@ -39,12 +39,13 @@ # fticksVISCOUNTRY option. # You can optionally specify FTicksMAC in order to determine if and -# how Calling-Station-Id is logged. +# how Calling-Station-Id (users Ethernet MAC address) is being logged. # Static -- Use a static string as a placeholder for -# Calling-Station-Id. This is the default. +# Calling-Station-Id. # Original -- Log Calling-Station-Id as-is. # VendorHashed -- Keep first three segments as-is, hash the rest. -# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. +# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. This +# is the default. # FullyHashed -- Hash the entire string. # FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key. diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml index 7fef19c..993eb44 100644 --- a/radsecproxy.conf.5.xml +++ b/radsecproxy.conf.5.xml @@ -176,13 +176,17 @@ blocktype name { The FTicksReporting option is used to enable F-Ticks logging and can be set to <literal>None</literal>, <literal>Basic</literal> or <literal>Full</literal>. Its - default value is <literal>None</literal>. + default value is <literal>None</literal>. If + FTicksReporting is set to anything other than + <literal>None</literal>, note that the default value for + FTicksMAC is <literal>VendorKeyHashed</literal> which + needs FTicksKey to be set. </para> <para> See <literal>radsecproxy.conf-example</literal> for details. Note that radsecproxy has to be configured with - support for F-Ticks (<literal>--enable-fticks</literal>) - for this option to have any effect. + F-Ticks support (<literal>--enable-fticks</literal>) for + this option to have any effect. </para> </listitem> </varlistentry> 
@@ -192,23 +196,31 @@ blocktype name { <listitem> <para> The FTicksMAC option can be used to control if and how - Calling-Station-Id is being logged. It can be set to one - of <literal>Static</literal>, - <literal>Original</literal>, + Calling-Station-Id (the users Ethernet MAC address) is + being logged. It can be set to one of + <literal>Static</literal>, <literal>Original</literal>, <literal>VendorHashed</literal>, <literal>VendorKeyHashed</literal>, <literal>FullyHashed</literal> or <literal>FullyKeyHashed</literal>. </para> <para> - The default value for FTicksMAC is <literal>Static</literal>. - Before chosing any of <literal>Original</literal> + The default value for FTicksMAC is + <literal>VendorKeyHashed</literal>. This means that + FTicksKey has to be set. + <para> + Before chosing any of <literal>Original</literal>, + <literal>FullyHashed</literal> or + <literal>VendorHashed</literal>, consider the implications + for user privacy when MAC addresses are collected. How + will the logs be stored, transferred and accessed? + </para> </para> <para> See <literal>radsecproxy.conf-example</literal> for details. Note that radsecproxy has to be configured with - support for F-Ticks (<literal>--enable-fticks</literal>) - for this option to have any effect. + F-Ticks support (<literal>--enable-fticks</literal>) for + this option to have any effect. </para> </listitem> </varlistentry> @@ -223,8 +235,8 @@ blocktype name { option. </para> <para> - Note that radsecproxy has to be configured with support - for F-Ticks (<literal>--enable-fticks</literal>) for this + Note that radsecproxy has to be configured with F-Ticks + support (<literal>--enable-fticks</literal>) for this option to have any effect. </para> </listitem> diff --git a/radsecproxy.h b/radsecproxy.h index f7cc570..08e98b2 100644 --- a/radsecproxy.h +++ b/radsecproxy.h 
@@ -45,10 +45,10 @@ enum rsp_fticks_reporting_type {
 };
 enum rsp_fticks_mac_type {
-    RSP_FTICKS_MAC_STATIC = 0, /* Default. */
+    RSP_FTICKS_MAC_STATIC = 0,
     RSP_FTICKS_MAC_ORIGINAL,
     RSP_FTICKS_MAC_VENDOR_HASHED,
-    RSP_FTICKS_MAC_VENDOR_KEY_HASHED,
+    RSP_FTICKS_MAC_VENDOR_KEY_HASHED, /* Default. */
     RSP_FTICKS_MAC_FULLY_HASHED,
     RSP_FTICKS_MAC_FULLY_KEY_HASHED
 }; |