Commit 91f6c75d authored by Faidon Liambotis's avatar Faidon Liambotis

Import Upstream version 1.5

parent 122df949
2007-09-21 1.0
2007-10-16 1.0p1
Fixed crash when servers were configured after first realm block
2007-12-24 1.1-alpha
Pretend option for validating configuration
Include option for including additional config files
Allows clients configured by IP prefix, dynamic clients
Server failover support
Rewriting of username attribute
Source address and port can be specified for requests
2008-05-14 1.1-beta
No longer looks for radsecproxy.conf in current directory
Rewrite block that allows removal of specified attributes
certificateNameCheck option for disabling CN/SubjectAltName check
matchCertificateAttribute now also supports CN matching
Forwarding of accounting messages, accountingServer option for realms
Supports multiple client blocks for same source address with different
certificate checks
Removed weekday from log timestamps
2008-07-24 1.1
Logging stationid attribute
Added LoopPrevention option
Failover also without status-server
Options for RetryCount and RetryInterval
Working accounting and AccountingResponse option
CRL checking and option for enabling it
2008-10-07 1.2
listenTCP and sourceTCP options renamed to listenTLS and sourceTLS
Old options deprecated but available for backwards compatiblity
Logging reply-message attribute from Reject messages
Contribution from Arne Schwabe
Rewrite blocks have new options addAttribute and modifyAttribute
rewriteIn (replacing rewrite) and rewriteOut in client and server
blocks for specifying rewrite on input/output. rewrite deprecated
but available as an alias for rewriteIn for backwards compatibility.
rewritein rewriteout rewrite
regular expressions in realms etc can now be more advanced, including
use of "or".
cacheExpiry option in tls blocks for specifying expiry time for the
cache of CA certificates and CRLs. This is particularly useful for
regularly updating CRLs.
Some logging has been made more informative
2008-12-04 1.3-alpha
Support for TCP and DTLS transports (type tcp, type dtls)
Listen... options can be specified multiple times
Dynamic server discovery
DuplicateInterval option in client block for specifying for how
long a request/reply shall be stored for duplicate detection
Support for RADIUS TTL (hopcount) attribute. Decrements value of
the TTL attribute if present, discards message if becomes 0.
If addTTL option is used, the TTL attribute is added with the
specified value if the forwarded message does not have one.
PolicyOID option can be used to require certain CA policies.
2009-02-18 1.3-beta
Client and Server blocks may contain multiple host options.
Configure (Makefile) options for specifying which transports
should be supported in a build.
2009-03-12 1.3
Fixed some very minor bugs
Changed log levels for some messages, made loglevel 2 default
2009-07-22 1.3.1
Fixed header files for FreeBSD
Fix for multiple UDP servers on same IP address, solves accounting
problems.
2011-10-08 1.5
New features:
- Support for F-Ticks logging.
- New binary radsecproxy-hash.
- A DynamicLookupCommand script can now signal "server not found"
by exiting with code 10. The scripts in the tools directory now
do this.
Incompatible changes:
- catgconf renamed to radsecproxy-conf.
Bug fixes:
- All compiler warnings removed. Now compiling with -Werror.
2011-07-22 1.4.3
Notes:
- The default secret for TLS and DTLS will change in a future
release. Please make sure to specify a secret in both client and
server blocks to avoid surprises.
Bug fixes:
- Debug printout issue.
2010-11-23 1.4.2
Bug fixes:
- Don't disable OpenSSL session caching for 0.9.8p and newer in
the 0.9.x track.
- Detect OpenSSL version at runtime rather than at compile time.
2010-11-17 1.4.1
Bug fixes:
- OpenSSL session caching is disabled when built against OpenSSL
older than 1.0.0b to mitigate possible effects of
http://openssl.org/news/secadv_20101116.txt (RADSECPROXY-14).
- Crash bug when reading improper config file fixed.
2010-06-12 1.4
Incompatible changes:
- Log level 4 used to be DBG_DBG but is now DBG_NOTICE. In order
......@@ -81,21 +53,78 @@
- Build on Solaris when compiling with gcc.
- A bug in pwdencrypt() with passwords of a length greater than
16 octets.
2010-11-17 1.4.1
Bug fixes:
- OpenSSL session caching is disabled when built against OpenSSL
older than 1.0.0b to mitigate possible effects of
http://openssl.org/news/secadv_20101116.txt (RADSECPROXY-14).
- Crash bug when reading improper config file fixed.
2010-11-23 1.4.2
Bug fixes:
- Don't disable OpenSSL session caching for 0.9.8p and newer in
the 0.9.x track.
- Detect OpenSSL version at runtime rather than at compile time.
2011-07-22 1.4.3
Notes:
- The default secret for TLS and DTLS will change in a future
relase. Plaese make sure to specify a secret in both client and
server blocks to avoid surprises.
Bug fixes:
- Debug printout issue.
2009-07-22 1.3.1
Fixed header files for FreeBSD
Fix for multiple UDP servers on same IP address, solves accounting
problems.
2009-03-12 1.3
Fixed some very minor bugs
Changed log levels for some messages, made loglevel 2 default
2009-02-18 1.3-beta
Client and Server blocks may contain multiple host options.
Configure (Makefile) options for specifying which transports
should be supported in a build.
2008-12-04 1.3-alpha
Support for TCP and DTLS transports (type tcp, type dtls)
Listen... options can be specified multiple times
Dynamic server discovery
DuplicateInterval option in client block for specifying for how
long a request/reply shall be stored for duplicate detection
Support for RADIUS TTL (hopcount) attribute. Decrements value of
the TTL attribute if present, discards message if becomes 0.
If addTTL option is used, the TTL attribute is added with the
specified value if the forwarded message does not have one.
PolicyOID option can be used to require certain CA policies.
2008-10-07 1.2
listenTCP and sourceTCP options renamed to listenTLS and sourceTLS
Old options deprecated but available for backwards compatiblity
Logging reply-message attribute from Reject messages
Contribution from Arne Schwabe
Rewrite blocks have new options addAttribute and modifyAttribute
rewriteIn (replacing rewrite) and rewriteOut in client and server
blocks for specifying rewrite on input/output. rewrite deprecated
but available as an alias for rewriteIn for backwards compatibility.
rewritein rewriteout rewrite
regular expressions in realms etc can now be more advanced, including
use of "or".
cacheExpiry option in tls blocks for specifying expiry time for the
cache of CA certificates and CRLs. This is particularly useful for
regularly updating CRLs.
Some logging has been made more informative
2008-07-24 1.1
Logging stationid attribute
Added LoopPrevention option
Failover also without status-server
Options for RetryCount and RetryInterval
Working accounting and AccountingResponse option
CRL checking and option for enabling it
2008-05-14 1.1-beta
No longer looks for radsecproxy.conf in current directory
Rewrite block that allows removal of specified attributes
certificateNameCheck option for disabling CN/SubjectAltName check
matchCertificateAttribute now also supports CN matching
Forwarding of accounting messages, accountingServer option for realms
Supports multiple client blocks for same source address with different
certificate checks
Removed weekday from log timestamps
2007-12-24 1.1-alpha
Pretend option for validating configuration
Include option for including additional config files
Allows clients configured by IP prefix, dynamic clients
Server failover support
Rewriting of username attribute
Source address and port can be specified for requests
2007-10-16 1.0p1
Fixed crash when servers were configured after first realm block
2007-09-21 1.0
......@@ -8,6 +8,7 @@ Alternatively the radsecproxy source code is subject to the terms of the
below BSD style license.
* Copyright (c) 2006-2010, UNINETT AS
* Copyright (c) 2010,2011, NORDUnet A/S
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
......
AUTOMAKE_OPTIONS = foreign
SUBDIRS = tests
sbin_PROGRAMS = radsecproxy
bin_PROGRAMS = catgconf
radsecproxy_SOURCES = radsecproxy.c \
tlscommon.c \
gconfig.c \
util.c \
debug.c \
list.c \
hash.c \
tlv11.c \
hostport.c \
radmsg.c \
udp.c \
tcp.c \
tls.c \
dtls.c \
radsecproxy.h \
tlscommon.h \
gconfig.h \
debug.h \
util.h \
list.h \
hash.h \
tlv11.h \
hostport.h \
radmsg.h \
udp.h \
tcp.h \
tls.h \
dtls.h
catgconf_SOURCES = debug.c \
util.c \
gconfig.c \
catgconf.c
radsecproxy_CFLAGS = -g -Wall -fno-strict-aliasing @SSL_CFLAGS@ @TARGET_CFLAGS@
radsecproxy_LDFLAGS = @SSL_LDFLAGS@ @TARGET_LDFLAGS@
radsecproxy_LDADD = @SSL_LIBS@
bin_PROGRAMS = radsecproxy-conf
noinst_LIBRARIES = librsp.a
radsecproxy_SOURCES = main.c
librsp_a_SOURCES = \
debug.c debug.h \
dtls.c dtls.h \
gconfig.c gconfig.h \
hash.c hash.h \
hostport.c hostport.h \
list.c list.h \
radmsg.c radmsg.h \
radsecproxy.c radsecproxy.h \
tcp.c tcp.h \
tls.c tls.h \
tlscommon.c tlscommon.h \
tlv11.c tlv11.h \
udp.c udp.h \
util.c util.h
radsecproxy_conf_SOURCES = \
catgconf.c \
debug.c debug.h \
gconfig.c gconfig.h \
util.c util.h
####################
AM_CFLAGS = \
-g -Wall -Werror -fno-strict-aliasing @SSL_CFLAGS@ @TARGET_CFLAGS@
catgconf_CFLAGS = -g -Wall -fno-strict-aliasing @TARGET_CFLAGS@
catgconf_LDFLAGS = @TARGET_LDFLAGS@
radsecproxy_LDFLAGS = @SSL_LDFLAGS@ @TARGET_LDFLAGS@
radsecproxy_LDADD = librsp.a @SSL_LIBS@
dist_man_MANS = radsecproxy.1 $(GENMANPAGES)
EXTRA_DIST = LICENSE THANKS radsecproxy.conf-example radsecproxy.conf.5.xml \
tools/naptr-eduroam.sh tools/radsec-dynsrv.sh tools/README
radsecproxy_conf_LDFLAGS = @TARGET_LDFLAGS@
####################
if HAVE_DOCBOOK2X_MAN
GENMANPAGES = radsecproxy.conf.5
endif
dist_man_MANS = radsecproxy.1 radsecproxy-hash.1 $(GENMANPAGES)
EXTRA_DIST = \
configure Makefile.in tests/Makefile.in \
compile config.guess config.sub install-sh missing depcomp
EXTRA_DIST += \
LICENSE THANKS \
radsecproxy.conf.5.xml radsecproxy.conf-example \
tools/README tools/naptr-eduroam.sh tools/radsec-dynsrv.sh
DISTCHECK_CONFIGURE_FLAGS = --enable-fticks
####################
if WANT_FTICKS
librsp_a_SOURCES += fticks.c fticks.h fticks_hashmac.c fticks_hashmac.h
bin_PROGRAMS += radsecproxy-hash
radsecproxy_hash_LDADD = fticks_hashmac.o hash.o list.o
endif
####################
radsecproxy.conf.5: $(srcdir)/radsecproxy.conf.5.xml
docbook2x-man $<
......@@ -61,4 +73,4 @@ html: $(srcdir)/radsecproxy.conf.5.xml
-openjade -E2000 -t sgml-raw -d /usr/share/sgml/docbook/stylesheet/dsssl/modular/html/docbook.dsl -o radsecproxy.conf.html $<
clean-local:
-rm radsecproxy.conf.5
-rm $(GENMANPAGES)
This diff is collapsed.
No NEWS is good news.
See ChangeLog.
This is radsecproxy 1.4.3 from 22 July 2011.
This is radsecproxy 1.5 from Oct 8 2011.
radsecproxy is a generic RADIUS proxy that supports both UDP and TLS
(RadSec) RADIUS transports. There is also experimental support for
......
......@@ -44,7 +44,7 @@ int main(int argc, char **argv) {
int c, compact = 0;
struct gconffile *cfs;
debug_init("catgconf");
debug_init("radsecproxy-conf");
debug_set_level(DBG_WARN);
while ((c = getopt(argc, argv, "c")) != -1) {
......
This diff is collapsed.
AC_INIT(radsecproxy, 1.4.3, radsecproxy@uninett.no)
AC_INIT(radsecproxy, 1.5, radsecproxy@uninett.no)
AC_CANONICAL_TARGET
AM_INIT_AUTOMAKE
AC_PROG_CC
AM_PROG_CC_C_O
AC_PROG_RANLIB
udp=yes
AC_ARG_ENABLE(udp,
[ --enable-udp whether to enable UDP transport: yes/no; default yes ],
......@@ -46,7 +47,26 @@ AC_ARG_ENABLE(dtls,
exit -1
fi
])
AC_ARG_ENABLE(fticks,
AC_HELP_STRING([--enable-fticks],[build with F-Ticks support [default=no]]),
[case $enableval in
yes|no) ;;
*) AC_MSG_ERROR([bad value $enableval for --enable-fticks, need yes or no]) ;;
esac],
[enable_fticks=no])
if test "$enable_fticks" = "yes"; then
AC_CHECK_LIB([nettle], [nettle_sha256_init],,
[AC_MSG_WARN([required library nettle not found, fticks support disabled])
enable_fticks=no])
fi
if test "$enable_fticks" = "yes"; then
AC_DEFINE([WANT_FTICKS], [1])
fi
AM_CONDITIONAL(WANT_FTICKS, test "$enable_fticks" = "yes")
dnl Check if we're on Solaris and set CFLAGS accordingly
AC_CANONICAL_SYSTEM
case "${target_os}" in
......@@ -88,4 +108,7 @@ AM_CONDITIONAL(HAVE_DOCBOOK2X_MAN, test "$DOCBOOK2X_MAN" = "yes")
AC_SUBST(TARGET_CFLAGS)
AC_SUBST(TARGET_LDFLAGS)
AX_CHECK_SSL
AC_OUTPUT(Makefile)
AC_OUTPUT([
Makefile
tests/Makefile
])
/*
* Copyright (C) 2007 Stig Venaas <venaas@uninett.no>
* Copyright (C) 2010 NORDUnet A/S
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
......
/*
* Copyright (C) 2007 Stig Venaas <venaas@uninett.no>
* Copyright (C) 2010 NORDUnet A/S
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
......
......@@ -26,7 +26,6 @@
#include <pthread.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include "list.h"
#include "hash.h"
#include "radsecproxy.h"
......
/* Copyright (C) 2011 NORDUnet A/S
* See LICENSE for information about licensing.
*/
#include "radsecproxy.h"
#include "debug.h"
#include "fticks.h"
#include "fticks_hashmac.h"
int
fticks_configure(struct options *options,
uint8_t **reportingp,
uint8_t **macp,
uint8_t **keyp)
{
int r = 0;
const char *reporting = (const char *) *reportingp;
const char *mac = (const char *) *macp;
/* Set defaults. */
options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
if (reporting != NULL) {
if (strcasecmp(reporting, "None") == 0)
options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
else if (strcasecmp(reporting, "Basic") == 0)
options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC;
else if (strcasecmp(reporting, "Full") == 0)
options->fticks_reporting = RSP_FTICKS_REPORTING_FULL;
else {
debugx(1, DBG_ERR,
"config error: invalid FTicksReporting value: %s",
reporting);
r = 1;
}
}
if (mac != NULL) {
if (strcasecmp(mac, "Static") == 0)
options->fticks_mac = RSP_FTICKS_MAC_STATIC;
else if (strcasecmp(mac, "Original") == 0)
options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL;
else if (strcasecmp(mac, "VendorHashed") == 0)
options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED;
else if (strcasecmp(mac, "VendorKeyHashed") == 0)
options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
else if (strcasecmp(mac, "FullyHashed") == 0)
options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED;
else if (strcasecmp(mac, "FullyKeyHashed") == 0)
options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED;
else {
debugx(1, DBG_ERR,
"config error: invalid FTicksMAC value: %s", mac);
r = 1;
}
}
if (*keyp != NULL) {
options->fticks_key = *keyp;
if (options->fticks_mac != RSP_FTICKS_MAC_VENDOR_KEY_HASHED
&& options->fticks_mac != RSP_FTICKS_MAC_FULLY_KEY_HASHED)
debugx(1, DBG_WARN, "config warning: FTicksKey not used");
}
else if (options->fticks_reporting != RSP_FTICKS_REPORTING_NONE
&& (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED
|| options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) {
debugx(1, DBG_ERR,
"config error: FTicksMAC values VendorKeyHashed and "
"FullyKeyHashed require an FTicksKey");
options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
r = 1;
}
if (*reportingp != NULL) {
free(*reportingp);
*reportingp = NULL;
}
if (*macp != NULL) {
free(*macp);
*macp = NULL;
}
return r;
}
void
fticks_log(const struct options *options,
const struct client *client,
const struct radmsg *msg,
const struct rqout *rqout)
{
uint8_t *username = NULL;
uint8_t *realm = NULL;
uint8_t visinst[8+40+1+1]; /* Room for 40 octets of VISINST. */
uint8_t *macin = NULL;
uint8_t macout[2*32+1]; /* Room for ASCII representation of SHA256. */
username = radattr2ascii(radmsg_gettype(rqout->rq->msg,
RAD_Attr_User_Name));
if (username != NULL) {
realm = (uint8_t *) strrchr((char *) username, '@');
if (realm != NULL)
realm++;
}
if (realm == NULL)
realm = (uint8_t *) "";
memset(visinst, 0, sizeof(visinst));
if (options->fticks_reporting == RSP_FTICKS_REPORTING_FULL) {
snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#",
client->conf->name);
}
memset(macout, 0, sizeof(macout));
if (options->fticks_mac == RSP_FTICKS_MAC_STATIC) {
strncpy((char *) macout, "undisclosed", sizeof(macout) - 1);
}
else {
macin = radattr2ascii(radmsg_gettype(rqout->rq->msg,
RAD_Attr_Calling_Station_Id));
if (macin) {
switch (options->fticks_mac)
{
case RSP_FTICKS_MAC_ORIGINAL:
memcpy(macout, macin, sizeof(macout));
break;
case RSP_FTICKS_MAC_VENDOR_HASHED:
memcpy(macout, macin, 9);
fticks_hashmac(macin, NULL, sizeof(macout) - 9, macout + 9);
break;
case RSP_FTICKS_MAC_VENDOR_KEY_HASHED:
memcpy(macout, macin, 9);
/* We are hashing the first nine octets too for easier
* correlation between vendor-key-hashed and
* fully-key-hashed log records. This opens up for a
* known plaintext attack on the key but the
* consequences of that is considered outweighed by
* the convenience gained. */
fticks_hashmac(macin, options->fticks_key,
sizeof(macout) - 9, macout + 9);
break;
case RSP_FTICKS_MAC_FULLY_HASHED:
fticks_hashmac(macin, NULL, sizeof(macout), macout);
break;
case RSP_FTICKS_MAC_FULLY_KEY_HASHED:
fticks_hashmac(macin, options->fticks_key, sizeof(macout),
macout);
break;
default:
debugx(2, DBG_ERR, "invalid fticks mac configuration: %d",
options->fticks_mac);
}
}
}
debug(0xff,
"F-TICKS/eduroam/1.0#REALM=%s#VISCOUNTRY=%s#%sCSI=%s#RESULT=%s#",
realm,
client->conf->fticks_viscountry,
visinst,
macout,
msg->code == RAD_Access_Accept ? "OK" : "FAIL");
if (macin != NULL)
free(macin);
if (username != NULL)
free(username);
}
/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
/* Copyright (C) 2011 NORDUnet A/S
* See LICENSE for information about licensing.
*/
int fticks_configure(struct options *options,
uint8_t **reportingp,
uint8_t **macp,
uint8_t **keyp);
void fticks_log(const struct options *options,
const struct client *client,
const struct radmsg *msg,
const struct rqout *rqout);
/* Copyright (C) 2011 NORDUnet A/S
* See LICENSE for information about licensing.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <ctype.h>
#include <nettle/sha.h>
#include <nettle/hmac.h>
#include "fticks_hashmac.h"
static void
_format_hash(const uint8_t *hash, size_t out_len, uint8_t *out)
{
int ir, iw;
for (ir = 0, iw = 0; iw <= out_len - 3; ir++, iw += 2)
sprintf((char *) out + iw, "%02x", hash[ir % SHA256_DIGEST_SIZE]);
}
static void
_hash(const uint8_t *in,
const uint8_t *key,
size_t out_len,
uint8_t *out)
{
if (key == NULL) {
struct sha256_ctx ctx;
uint8_t hash[SHA256_DIGEST_SIZE];
sha256_init(&ctx);
sha256_update(&ctx, strlen((char *) in), in);
sha256_digest(&ctx, sizeof(hash), hash);
_format_hash(hash, out_len, out);
}
else {
struct hmac_sha256_ctx ctx;
uint8_t hash[SHA256_DIGEST_SIZE];
hmac_sha256_set_key(&ctx, strlen((char *) key), key);
hmac_sha256_update(&ctx, strlen((char *) in), in);
hmac_sha256_digest(&ctx, sizeof(hash), hash);
_format_hash(hash, out_len, out);
}
}
/** Hash the Ethernet MAC address in \a IN, keying a HMAC with \a KEY
unless \a KEY is NULL. If \a KEY is null \a IN is hashed with an
ordinary cryptographic hash function such as SHA-2.
\a IN and \a KEY are NULL terminated strings.
\a IN is supposed to be an Ethernet MAC address and is sanitised
by lowercasing it, removing all but [0-9a-f] and truncating it at
the first ';' found. The truncation is done because RADIUS
supposedly has a praxis of tacking on SSID to the MAC address in
Calling-Station-Id.
\return 0 on success, -ENOMEM on out of memory.
*/
int
fticks_hashmac(const uint8_t *in,
const uint8_t *key,
size_t out_len,
uint8_t *out)
{
uint8_t *in_copy = NULL;
uint8_t *p = NULL;
int i;
in_copy = calloc(1, strlen((const char *) in) + 1);
if (in_copy == NULL)
return -ENOMEM;
/* Sanitise and lowercase 'in' into 'in_copy'. */
for (i = 0, p = in_copy; in[i] != '\0'; i++) {
if (in[i] == ';') {
*p++ = '\0';
break;
}
if (in[i] >= '0' && in[i] <= '9') {
*p++ = in[i];
}
else if (tolower(in[i]) >= 'a' && tolower(in[i]) <= 'f') {
*p++ = tolower(in[i]);
}
}
_hash(in_copy, key, out_len, out);
free(in_copy);
return 0;
}
/* Copyright (C) 2011 NORDUnet A/S
* See LICENSE for information about licensing.
*/
#include <stdint.h>
#include <stddef.h>
int fticks_hashmac(const uint8_t *in,
const uint8_t *key,
size_t out_len,
uint8_t *out);
/* Copyright (C) 2011 NORDUnet A/S
* See LICENSE for information about licensing.
*/
int radsecproxy_main(int argc, char **argv);
int main(int argc, char **argv)
{
return radsecproxy_main(argc, argv);
}
.TH radsecproxy-hash 1 "29 Sep 2011"
.SH "NAME"
radsecproxy-hash - print digests of Ethernet MAC addresses
.SH "SYNOPSIS"
.HP 12
radsecproxy-hash [-h] [-k key] [-t type]
.sp
.SH "DESCRIPTION"
Print the hash or hmac of Ethernet MAC addresses read from standard
input.
.SH "OPTIONS"
.TP
.B -h
\fIdisplay help and exit\fR
.TP
.B -k key
\fIuse KEY for HMAC calculation\fR
.TP
.B -t type
\fIprint digest of type TYPE [hash|hmac]\fR
.SH "SEE ALSO"
radsecproxy.conf(5)