Sanitise MAC address before hashing it.

Almost closes RADSECPROXY-16.

3 files changed, 72 insertions, 12 deletions

diff --git a/fticks.c b/fticks.c
index 0147f1b..8d41c4f 100644
--- a/fticks.c
+++ b/fticks.c
@@ -4,6 +4,8 @@
 
 #include <stdio.h>		/* For sprintf().  */
 #include <string.h>
+#include <ctype.h>
+#include <errno.h>
 #include <nettle/sha.h>
 #include <nettle/hmac.h>
 
@@ -129,18 +131,41 @@ out:
     by lowercasing it, removing all but [0-9a-f] and truncating it at
     the first ';' found.  The truncation is done because RADIUS
     supposedly has a praxis of tacking on SSID to the MAC address in
-    Calling-Station-Id.  */
-void
+    Calling-Station-Id.
+
+    \return 0 on success, -ENOMEM on out of memory.
+*/
+int
 fticks_hashmac(const uint8_t *in,
 	       const uint8_t *key,
 	       size_t out_len,
 	       uint8_t *out)
 {
-    /* TODO: lowercase */
-    /* TODO: s/[!0-9a-f]//1 */
-    /* TODO: truncate after first ';', if any */
+    uint8_t *in_copy = NULL;
+    uint8_t *p = NULL;
+    int i;
+
+    in_copy = calloc(1, strlen(in) + 1);
+    if (in_copy == NULL)
+	return -ENOMEM;
+
+    /* Sanitise and lowercase 'in' into 'in_copy'.  */
+    for (i = 0, p = in_copy; in[i] != '\0'; i++) {
+	if (in[i] == ';') {
+	    *p++ = '\0';
+	    break;
+	}
+	if (in[i] >= '0' && in[i] <= '9') {
+	    *p++ = in[i];
+	}
+	else if (tolower(in[i]) >= 'a' && tolower(in[i]) <= 'f') {
+	    *p++ = tolower(in[i]);
+	}
+    }
 
-    _hash(in, key, out_len, out);
+    _hash(in_copy, key, out_len, out);
+    free(in_copy);
+    return 0;
 }
 
 void
diff --git a/fticks.h b/fticks.h
index 8af8633..eb880c0 100644
--- a/fticks.h
+++ b/fticks.h
@@ -6,10 +6,10 @@ int fticks_configure(struct options *options,
 		     uint8_t **reportingp,
 		     uint8_t **macp,
 		     uint8_t **keyp);
-void fticks_hashmac(const uint8_t *in,
-		    const uint8_t *key,
-		    size_t out_len,
-		    uint8_t *out);
+int fticks_hashmac(const uint8_t *in,
+		   const uint8_t *key,
+		   size_t out_len,
+		   uint8_t *out);
 void fticks_log(const struct options *options,
 		const struct client *client,
 		const struct radmsg *msg,
diff --git a/tests/t_fticks.c b/tests/t_fticks.c
index 71a015e..a0e44c3 100644
--- a/tests/t_fticks.c
+++ b/tests/t_fticks.c
@@ -1,11 +1,46 @@
+#include <stdio.h>
+#include <errno.h>
 #include "../radsecproxy.h"
 #include "../fticks.h"
 
+static int
+_check_hash(const char *mac, const char *key, const char *hash, const char*hmac)
+{
+  int rv = 0;
+  uint8_t buf[128];
+
+  if (fticks_hashmac((const uint8_t *) mac, NULL, sizeof(buf), buf) != 0)
+    return -ENOMEM;
+  if (strcmp(hash, (const char *) buf) != 0)
+    rv = !!fprintf(stderr, "%s: bad hash: %s\n", mac, buf);
+  if (fticks_hashmac((const uint8_t *) mac, (const uint8_t *) key,
+		     sizeof(buf), buf) != 0)
+    return -ENOMEM;
+  if (strcmp(hmac, (const char *) buf) != 0)
+    rv = !!fprintf(stderr, "%s: bad hash (key=\"%s\"): %s\n", mac, key, buf);
+
+  return rv;
+}
+
+#define MAC1 "00:23:14:0a:f7:24"
+#define MAC1_UC "00:23:14:0A:F7:24"
+#define MAC1_APPENDED "00:23:14:0a:f7:24;cruft"
+#define MAC1_WEIRD "00:23:-[?xyzzy!]-14:0a:f7:24"
+#define KEY1 "magic passphrase"
+#define HASH1 "29c0ee9d9c41771795a11ff75fefe9f5ccaab523ad31fc4fd8e776c707ad158129c0ee9d9c41771795a11ff75fefe9f5ccaab523ad31fc4fd8e776c707ad15"
+#define HMAC1 "57c8cd8031142c51ac9747370f48a5aa731006729d0cdf589ba101864f35f39057c8cd8031142c51ac9747370f48a5aa731006729d0cdf589ba101864f35f3"
+
 int
 main (int argc, char *argv[])
 {
-  uint8_t buf[128];
+  if (_check_hash(MAC1, KEY1, HASH1, HMAC1) != 0)
+    return 1;
+  if (_check_hash(MAC1_UC, KEY1, HASH1, HMAC1) != 0)
+    return 1;
+  if (_check_hash(MAC1_APPENDED, KEY1, HASH1, HMAC1) != 0)
+    return 1;
+  if (_check_hash(MAC1_WEIRD, KEY1, HASH1, HMAC1) != 0)
+    return 1;
 
-  fticks_hashmac((const uint8_t *) "xyzzy", NULL, sizeof(buf), buf);
   return 0;
 }