From 7f4c1aa892a4f42748aa7c6bbd99f200ef7f8674 Mon Sep 17 00:00:00 2001 From: Linus Nordberg Date: Tue, 27 Sep 2011 18:03:12 +0200 Subject: Sanitise MAC address before hashing it. Almost closes RADSECPROXY-16. --- fticks.c | 37 +++++++++++++++++++++++++++++++------ fticks.h | 8 ++++---- tests/t_fticks.c | 39 +++++++++++++++++++++++++++++++++++++-- 3 files changed, 72 insertions(+), 12 deletions(-) diff --git a/fticks.c b/fticks.c index 0147f1b..8d41c4f 100644 --- a/fticks.c +++ b/fticks.c @@ -4,6 +4,8 @@ #include /* For sprintf(). */ #include +#include +#include #include #include @@ -129,18 +131,41 @@ out: by lowercasing it, removing all but [0-9a-f] and truncating it at the first ';' found. The truncation is done because RADIUS supposedly has a praxis of tacking on SSID to the MAC address in - Calling-Station-Id. */ -void + Calling-Station-Id. + + \return 0 on success, -ENOMEM on out of memory. +*/ +int fticks_hashmac(const uint8_t *in, const uint8_t *key, size_t out_len, uint8_t *out) { - /* TODO: lowercase */ - /* TODO: s/[!0-9a-f]//1 */ - /* TODO: truncate after first ';', if any */ + uint8_t *in_copy = NULL; + uint8_t *p = NULL; + int i; + + in_copy = calloc(1, strlen(in) + 1); + if (in_copy == NULL) + return -ENOMEM; + + /* Sanitise and lowercase 'in' into 'in_copy'. */ + for (i = 0, p = in_copy; in[i] != '\0'; i++) { + if (in[i] == ';') { + *p++ = '\0'; + break; + } + if (in[i] >= '0' && in[i] <= '9') { + *p++ = in[i]; + } + else if (tolower(in[i]) >= 'a' && tolower(in[i]) <= 'f') { + *p++ = tolower(in[i]); + } + } - _hash(in, key, out_len, out); + _hash(in_copy, key, out_len, out); + free(in_copy); + return 0; } void diff --git a/fticks.h b/fticks.h index 8af8633..eb880c0 100644 --- a/fticks.h +++ b/fticks.h @@ -6,10 +6,10 @@ int fticks_configure(struct options *options, uint8_t **reportingp, uint8_t **macp, uint8_t **keyp); -void fticks_hashmac(const uint8_t *in, - const uint8_t *key, - size_t out_len, - uint8_t *out); +int fticks_hashmac(const uint8_t *in, + const uint8_t *key, + size_t out_len, + uint8_t *out); void fticks_log(const struct options *options, const struct client *client, const struct radmsg *msg, diff --git a/tests/t_fticks.c b/tests/t_fticks.c index 71a015e..a0e44c3 100644 --- a/tests/t_fticks.c +++ b/tests/t_fticks.c @@ -1,11 +1,46 @@ +#include +#include #include "../radsecproxy.h" #include "../fticks.h" +static int +_check_hash(const char *mac, const char *key, const char *hash, const char*hmac) +{ + int rv = 0; + uint8_t buf[128]; + + if (fticks_hashmac((const uint8_t *) mac, NULL, sizeof(buf), buf) != 0) + return -ENOMEM; + if (strcmp(hash, (const char *) buf) != 0) + rv = !!fprintf(stderr, "%s: bad hash: %s\n", mac, buf); + if (fticks_hashmac((const uint8_t *) mac, (const uint8_t *) key, + sizeof(buf), buf) != 0) + return -ENOMEM; + if (strcmp(hmac, (const char *) buf) != 0) + rv = !!fprintf(stderr, "%s: bad hash (key=\"%s\"): %s\n", mac, key, buf); + + return rv; +} + +#define MAC1 "00:23:14:0a:f7:24" +#define MAC1_UC "00:23:14:0A:F7:24" +#define MAC1_APPENDED "00:23:14:0a:f7:24;cruft" +#define MAC1_WEIRD "00:23:-[?xyzzy!]-14:0a:f7:24" +#define KEY1 "magic passphrase" +#define HASH1 "29c0ee9d9c41771795a11ff75fefe9f5ccaab523ad31fc4fd8e776c707ad158129c0ee9d9c41771795a11ff75fefe9f5ccaab523ad31fc4fd8e776c707ad15" +#define HMAC1 "57c8cd8031142c51ac9747370f48a5aa731006729d0cdf589ba101864f35f39057c8cd8031142c51ac9747370f48a5aa731006729d0cdf589ba101864f35f3" + int main (int argc, char *argv[]) { - uint8_t buf[128]; + if (_check_hash(MAC1, KEY1, HASH1, HMAC1) != 0) + return 1; + if (_check_hash(MAC1_UC, KEY1, HASH1, HMAC1) != 0) + return 1; + if (_check_hash(MAC1_APPENDED, KEY1, HASH1, HMAC1) != 0) + return 1; + if (_check_hash(MAC1_WEIRD, KEY1, HASH1, HMAC1) != 0) + return 1; - fticks_hashmac((const uint8_t *) "xyzzy", NULL, sizeof(buf), buf); return 0; } -- cgit v1.1