#include <stdio.h> /* For sprintf(). */
#include <string.h>
+#include <ctype.h>
+#include <errno.h>
#include <nettle/sha.h>
#include <nettle/hmac.h>
#include <regex.h>
#include <pthread.h>
#include <sys/time.h>
-#include "list.h"
#include "radsecproxy.h"
#include "debug.h"
#include "fticks.h"
static void
-format_hash(const uint8_t *hash, size_t out_len, uint8_t *out)
+_format_hash(const uint8_t *hash, size_t out_len, uint8_t *out)
{
- int i;
+ int ir, iw;
- for (i = 0; i < out_len / 2; i++)
- sprintf((char *) out + i*2, "%02x", hash[i % SHA256_DIGEST_SIZE]);
+ for (ir = 0, iw = 0; iw <= out_len - 3; ir++, iw += 2)
+ sprintf((char *) out + iw, "%02x", hash[ir % SHA256_DIGEST_SIZE]);
}
static void
-hash(const uint8_t *in,
- const uint8_t *key,
- size_t out_len,
- uint8_t *out)
+_hash(const uint8_t *in,
+ const uint8_t *key,
+ size_t out_len,
+ uint8_t *out)
{
if (key == NULL) {
struct sha256_ctx ctx;
sha256_init(&ctx);
sha256_update(&ctx, strlen((char *) in), in);
sha256_digest(&ctx, sizeof(hash), hash);
- format_hash(hash, out_len, out);
+ _format_hash(hash, out_len, out);
}
else {
struct hmac_sha256_ctx ctx;
hmac_sha256_set_key(&ctx, strlen((char *) key), key);
hmac_sha256_update(&ctx, strlen((char *) in), in);
hmac_sha256_digest(&ctx, sizeof(hash), hash);
- format_hash(hash, out_len, out);
+ _format_hash(hash, out_len, out);
}
}
if (reporting == NULL)
goto out;
-
if (strcasecmp(reporting, "None") == 0)
options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
else if (strcasecmp(reporting, "Basic") == 0)
goto out;
}
+ if (mac == NULL)
+ goto out;
if (strcasecmp(mac, "Static") == 0)
options->fticks_mac = RSP_FTICKS_MAC_STATIC;
else if (strcasecmp(mac, "Original") == 0)
return r;
}
-/** Hash the MAC in \a IN, keying with \a KEY if it's not NULL.
+/** Hash the Ethernet MAC address in \a IN, keying a HMAC with \a KEY
+ unless \a KEY is NULL. If \a KEY is null \a IN is hashed with an
+ ordinary cryptographic hash function such as SHA-2.
\a IN and \a KEY are NULL terminated strings.
- \a IN is sanitised by lowercasing it, removing all but [0-9a-f]
- and truncating it at first ';' (due to RADIUS praxis with tacking
- on SSID to MAC in Calling-Station-Id). */
-void
+ \a IN is supposed to be an Ethernet MAC address and is sanitised
+ by lowercasing it, removing all but [0-9a-f] and truncating it at
+ the first ';' found. The truncation is done because RADIUS
+ supposedly has a praxis of tacking on SSID to the MAC address in
+ Calling-Station-Id.
+
+ \return 0 on success, -ENOMEM on out of memory.
+*/
+int
fticks_hashmac(const uint8_t *in,
const uint8_t *key,
size_t out_len,
uint8_t *out)
{
- /* TODO: lowercase */
- /* TODO: s/[!0-9a-f]//1 */
- /* TODO: truncate after first ';', if any */
+ uint8_t *in_copy = NULL;
+ uint8_t *p = NULL;
+ int i;
+
+ in_copy = calloc(1, strlen((const char *) in) + 1);
+ if (in_copy == NULL)
+ return -ENOMEM;
+
+ /* Sanitise and lowercase 'in' into 'in_copy'. */
+ for (i = 0, p = in_copy; in[i] != '\0'; i++) {
+ if (in[i] == ';') {
+ *p++ = '\0';
+ break;
+ }
+ if (in[i] >= '0' && in[i] <= '9') {
+ *p++ = in[i];
+ }
+ else if (tolower(in[i]) >= 'a' && tolower(in[i]) <= 'f') {
+ *p++ = tolower(in[i]);
+ }
+ }
- hash(in, key, out_len, out);
+ _hash(in_copy, key, out_len, out);
+ free(in_copy);
+ return 0;
}
void
const struct radmsg *msg,
const struct rqout *rqout)
{
- unsigned char *username = NULL;
- unsigned char *realm = NULL;
+ uint8_t *username = NULL;
+ uint8_t *realm = NULL;
uint8_t visinst[8+40+1+1]; /* Room for 40 octets of VISINST. */
uint8_t *macin = NULL;
uint8_t macout[2*32+1]; /* Room for ASCII representation of SHA256. */
username = radattr2ascii(radmsg_gettype(rqout->rq->msg,
RAD_Attr_User_Name));
if (username != NULL) {
- realm = (unsigned char *) strrchr((char *) username, '@');
+ realm = (uint8_t *) strrchr((char *) username, '@');
if (realm != NULL)
realm++;
- else
- realm = (unsigned char *) "";
}
+ if (realm == NULL)
+ realm = (uint8_t *) "";
memset(visinst, 0, sizeof(visinst));
if (options->fticks_reporting == RSP_FTICKS_REPORTING_FULL) {
break;
case RSP_FTICKS_MAC_VENDOR_HASHED:
memcpy(macout, macin, 9);
- fticks_hashmac(macin + 9, NULL, sizeof(macout) - 9, macout + 9);
+ fticks_hashmac(macin, NULL, sizeof(macout) - 9, macout + 9);
break;
case RSP_FTICKS_MAC_VENDOR_KEY_HASHED:
memcpy(macout, macin, 9);
- fticks_hashmac(macin + 9, options->fticks_key,
+ /* We are hashing the first nine octets too for easier
+ * correlation between vendor-key-hashed and
+ * fully-key-hashed log records. This opens up for a
+ * known plaintext attack on the key but the
+ * consequences of that is considered outweighed by
+ * the convenience gained. */
+ fticks_hashmac(macin, options->fticks_key,
sizeof(macout) - 9, macout + 9);
break;
case RSP_FTICKS_MAC_FULLY_HASHED:
projects / libradsec.git / blobdiff