Initial implementation of checksum support in sudoers.

Currently supports SHA-224, SHA-256, SHA-384, SHA-512.
TODO: checksum format validation in parser and base64 support.
      checksum support for ldap sudoers

MANIFEST

@@ -200,6 +200,7 @@ plugins/sudoers/gram.c
 plugins/sudoers/gram.h
 plugins/sudoers/gram.y
 plugins/sudoers/group_plugin.c
+plugins/sudoers/hexchar.c
 plugins/sudoers/ins_2001.h
 plugins/sudoers/ins_classic.h
 plugins/sudoers/ins_csops.h
@@ -268,6 +269,8 @@ plugins/sudoers/regress/logging/check_wrap.in
 plugins/sudoers/regress/logging/check_wrap.out.ok
 plugins/sudoers/regress/parser/check_addr.c
 plugins/sudoers/regress/parser/check_addr.in
+plugins/sudoers/regress/parser/check_digest.c
+plugins/sudoers/regress/parser/check_digest.out.ok
 plugins/sudoers/regress/parser/check_fill.c
 plugins/sudoers/regress/sudoers/test1.in
 plugins/sudoers/regress/sudoers/test1.out.ok
@@ -331,6 +334,8 @@ plugins/sudoers/regress/visudo/test3.err.ok
 plugins/sudoers/regress/visudo/test3.out.ok
 plugins/sudoers/regress/visudo/test3.sh
 plugins/sudoers/set_perms.c
+plugins/sudoers/sha2.c
+plugins/sudoers/sha2.h
 plugins/sudoers/sssd.c
 plugins/sudoers/sudo_nss.c
 plugins/sudoers/sudo_nss.h

config.h.in

@@ -960,6 +960,15 @@
 /* Define to `int' if <sys/types.h> doesn't define. */
 #undef uid_t
 
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+#undef uint32_t
+
+/* Define to `unsigned long long' if <sys/types.h> does not define. */
+#undef uint64_t
+
+/* Define to `unsigned char' if <sys/types.h> does not define. */
+#undef uint8_t
+
 /* Define to empty if the keyword `volatile' does not work. Warning: valid
    code using `volatile' can become incorrect without. Disable with care. */
 #undef volatile

configure

@@ -16247,6 +16247,39 @@ _ACEOF
 
 fi
 
+ac_fn_c_check_type "$LINENO" "uint8_t" "ac_cv_type_uint8_t" "$ac_includes_default"
+if test "x$ac_cv_type_uint8_t" = xyes; then :
+
+else
+
+cat >>confdefs.h <<_ACEOF
+#define uint8_t unsigned char
+_ACEOF
+
+fi
+
+ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "$ac_includes_default"
+if test "x$ac_cv_type_uint32_t" = xyes; then :
+
+else
+
+cat >>confdefs.h <<_ACEOF
+#define uint32_t unsigned int
+_ACEOF
+
+fi
+
+ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "$ac_includes_default"
+if test "x$ac_cv_type_uint64_t" = xyes; then :
+
+else
+
+cat >>confdefs.h <<_ACEOF
+#define uint64_t unsigned long long
+_ACEOF
+
+fi
+
 ac_fn_c_check_type "$LINENO" "socklen_t" "ac_cv_type_socklen_t" "
 $ac_includes_default
 #include <sys/socket.h>

configure.in

@@ -2169,6 +2169,9 @@ AC_CHECK_TYPE(size_t, unsigned int)
 AC_CHECK_TYPE(ssize_t, int)
 AC_CHECK_TYPE(dev_t, int)
 AC_CHECK_TYPE(ino_t, unsigned int)
+AC_CHECK_TYPE(uint8_t, unsigned char)
+AC_CHECK_TYPE(uint32_t, unsigned int)
+AC_CHECK_TYPE(uint64_t, unsigned long long)
 AC_CHECK_TYPE(socklen_t, [], [AC_DEFINE(socklen_t, unsigned int)], [
 AC_INCLUDES_DEFAULT
 #include <sys/socket.h>])

plugins/sudoers/Makefile.in

@@ -123,13 +123,14 @@ SHELL = @SHELL@
 
 PROGS = sudoers.la visudo sudoreplay testsudoers
 
-TEST_PROGS = check_iolog_path check_fill check_wrap check_addr check_symbols
+TEST_PROGS = check_iolog_path check_fill check_wrap check_addr check_symbols \
+	     check_digest
 
 AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@
 
-LIBPARSESUDOERS_OBJS = alias.lo audit.lo defaults.lo gram.lo match.lo \
+LIBPARSESUDOERS_OBJS = alias.lo audit.lo defaults.lo hexchar.lo gram.lo \
-		       match_addr.lo pwutil.lo pwutil_impl.lo timestr.lo \
+		       match.lo match_addr.lo pwutil.lo pwutil_impl.lo \
-		       toke.lo toke_util.lo redblack.lo
+		       timestr.lo toke.lo toke_util.lo redblack.lo sha2.lo
 
 SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo env.lo find_path.lo \
 	       goodpath.lo group_plugin.lo interfaces.lo iolog.lo \
@@ -146,7 +147,9 @@ TEST_OBJS = group_plugin.o interfaces.o locale.o net_ifs.o \
 
 CHECK_ADDR_OBJS = check_addr.o interfaces.o locale.o match_addr.o
 
-CHECK_FILL_OBJS = check_fill.o locale.o toke_util.o
+CHECK_DIGEST_OBJS = check_digest.o sha2.o
+
+CHECK_FILL_OBJS = check_fill.o hexchar.o locale.o toke_util.o
 
 CHECK_IOLOG_PATH_OBJS = check_iolog_path.o iolog_path.o locale.o \
 			pwutil.o pwutil_impl.o redblack.o
@@ -202,12 +205,15 @@ testsudoers: libparsesudoers.la $(TEST_OBJS) $(LT_LIBS)
 check_addr: $(CHECK_ADDR_OBJS) $(LT_LIBS)
 	$(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_ADDR_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(NET_LIBS)
 
-check_iolog_path: $(CHECK_IOLOG_PATH_OBJS) $(LT_LIBS)
+check_digest: $(CHECK_DIGEST_OBJS) $(LT_LIBS)
-	$(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_IOLOG_PATH_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
+	$(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_DIGEST_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
 
 check_fill: $(CHECK_FILL_OBJS) $(LT_LIBS)
 	$(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_FILL_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
 
+check_iolog_path: $(CHECK_IOLOG_PATH_OBJS) $(LT_LIBS)
+	$(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_IOLOG_PATH_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
+
 check_symbols: $(CHECK_SYMBOLS_OBJS) $(LT_LIBS)
 	if [ X"$(soext)" != X"" ]; then \
 	    $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_SYMBOLS_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) @SUDO_LIBS@; \
@@ -310,7 +316,10 @@ check: $(TEST_PROGS) visudo testsudoers
 	@if test X"$(cross_compiling)" != X"yes"; then \
 	    rval=0; \
 	    CWD=`pwd`; \
+	    mkdir -p regress/parser; \
 	    ./check_addr $(srcdir)/regress/parser/check_addr.in || rval=`expr $$rval + $$?`; \
+	    ./check_digest > regress/parser/check_digest.out; \
+	    diff regress/parser/check_digest.out $(srcdir)/regress/parser/check_digest.out.ok || rval=`expr $$rval + $$?`; \
 	    ./check_fill || rval=`expr $$rval + $$?`; \
 	    ./check_iolog_path $(srcdir)/regress/iolog_path/data || rval=`expr $$rval + $$?`; \
 	    if [ X"$(soext)" != X"" ]; then \
@@ -473,6 +482,9 @@ check_addr.o: $(srcdir)/regress/parser/check_addr.c $(top_builddir)/config.h \
               $(incdir)/sudo_debug.h $(incdir)/gettext.h $(srcdir)/parse.h \
               $(srcdir)/interfaces.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/parser/check_addr.c
+check_digest.o: $(srcdir)/regress/parser/check_digest.c \
+                $(top_builddir)/config.h $(srcdir)/sha2.h
+	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/parser/check_digest.c
 check_fill.o: $(srcdir)/regress/parser/check_fill.c $(top_builddir)/config.h \
               $(top_srcdir)/compat/stdbool.h $(incdir)/missing.h \
               $(incdir)/list.h $(srcdir)/parse.h $(srcdir)/toke.h \
@@ -571,6 +583,10 @@ group_plugin.lo: $(srcdir)/group_plugin.c $(top_builddir)/config.h \
                  $(incdir)/gettext.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/group_plugin.c
 group_plugin.o: group_plugin.lo
+hexchar.lo: $(srcdir)/hexchar.c $(top_builddir)/config.h $(incdir)/missing.h \
+            $(incdir)/sudo_debug.h $(incdir)/error.h
+	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/hexchar.c
+hexchar.o: hexchar.lo
 interfaces.lo: $(srcdir)/interfaces.c $(top_builddir)/config.h \
                $(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
                $(top_builddir)/pathnames.h $(incdir)/missing.h \
@@ -646,7 +662,8 @@ match.lo: $(srcdir)/match.c $(top_builddir)/config.h \
           $(incdir)/alloc.h $(incdir)/list.h $(incdir)/fileops.h \
           $(srcdir)/defaults.h $(devdir)/def_data.h $(srcdir)/logging.h \
           $(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
-          $(incdir)/gettext.h $(srcdir)/parse.h $(devdir)/gram.h
+          $(incdir)/gettext.h $(srcdir)/parse.h $(srcdir)/sha2.h \
+          $(devdir)/gram.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/match.c
 match_addr.lo: $(srcdir)/match_addr.c $(top_builddir)/config.h \
                $(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
@@ -754,6 +771,9 @@ set_perms.lo: $(srcdir)/set_perms.c $(top_builddir)/config.h \
               $(srcdir)/logging.h $(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h \
               $(incdir)/sudo_debug.h $(incdir)/gettext.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/set_perms.c
+sha2.lo: $(srcdir)/sha2.c $(top_builddir)/config.h $(srcdir)/sha2.h
+	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sha2.c
+sha2.o: sha2.lo
 sia.lo: $(authdir)/sia.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
         $(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
         $(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \

plugins/sudoers/gram.h

@@ -32,6 +32,10 @@
 #define PRIVS 288
 #define LIMITPRIVS 289
 #define MYSELF 290
+#define SHA224 291
+#define SHA256 292
+#define SHA384 293
+#define SHA512 294
 #ifndef YYSTYPE_DEFINED
 #define YYSTYPE_DEFINED
 typedef union {
@@ -40,6 +44,7 @@ typedef union {
     struct member *member;
     struct runascontainer *runas;
     struct privilege *privilege;
+    struct sudo_digest *digest;
     struct sudo_command command;
     struct cmndtag tag;
     struct selinux_info seinfo;

plugins/sudoers/gram.y

@@ -89,6 +89,7 @@ static void  add_defaults(int, struct member *, struct defaults *);
 static void  add_userspec(struct member *, struct privilege *);
 static struct defaults *new_default(char *, char *, int);
 static struct member *new_member(char *, int);
+static struct sudo_digest *new_digest(int, const char *);
 %}
 
 %union {
@@ -97,6 +98,7 @@ static struct member *new_member(char *, int);
     struct member *member;
     struct runascontainer *runas;
     struct privilege *privilege;
+    struct sudo_digest *digest;
     struct sudo_command command;
     struct cmndtag tag;
     struct selinux_info seinfo;
@@ -142,6 +144,10 @@ static struct member *new_member(char *, int);
 %token <tok>	 PRIVS			/* Solaris privileges */
 %token <tok>	 LIMITPRIVS		/* Solaris limit privileges */
 %token <tok>	 MYSELF			/* run as myself, not another user */
+%token <tok>	 SHA224			/* sha224 digest */
+%token <tok>	 SHA256			/* sha256 digest */
+%token <tok>	 SHA384			/* sha384 digest */
+%token <tok>	 SHA512			/* sha512 digest */
 
 %type <cmndspec>  cmndspec
 %type <cmndspec>  cmndspeclist
@@ -149,6 +155,7 @@ static struct member *new_member(char *, int);
 %type <defaults>  defaults_list
 %type <member>	  cmnd
 %type <member>	  opcmnd
+%type <member>	  digcmnd
 %type <member>	  cmndlist
 %type <member>	  host
 %type <member>	  hostlist
@@ -170,6 +177,7 @@ static struct member *new_member(char *, int);
 %type <privinfo>  solarisprivs
 %type <string>	  privsspec
 %type <string>	  limitprivsspec
+%type <digest>	  digest
 
 %%
 
@@ -327,7 +335,7 @@ cmndspeclist	:	cmndspec
 			}
 		;
 
-cmndspec	:	runasspec selinux solarisprivs cmndtag opcmnd {
+cmndspec	:	runasspec selinux solarisprivs cmndtag digcmnd {
 			    struct cmndspec *cs = ecalloc(1, sizeof(*cs));
 			    if ($1 != NULL) {
 				list2tq(&cs->runasuserlist, $1->runasusers);
@@ -357,6 +365,31 @@ cmndspec	:	runasspec selinux solarisprivs cmndtag opcmnd {
 			}
 		;
 
+digest		:	SHA224 ':' WORD {
+			    $$ = new_digest(SUDO_DIGEST_SHA224, $3);
+			}
+		|	SHA256 ':' WORD {
+			    $$ = new_digest(SUDO_DIGEST_SHA256, $3);
+			}
+		|	SHA384 ':' WORD {
+			    $$ = new_digest(SUDO_DIGEST_SHA384, $3);
+			}
+		|	SHA512 ':' WORD {
+			    $$ = new_digest(SUDO_DIGEST_SHA512, $3);
+			}
+		;
+
+digcmnd		:	opcmnd {
+			    $$ = $1;
+			}
+		|	digest opcmnd {
+			    /* XXX - yuck */
+			    struct sudo_command *c = (struct sudo_command *)($2->name);
+			    c->digest = $1;
+			    $$ = $2;
+			}
+		;
+
 opcmnd		:	cmnd {
 			    $$ = $1;
 			    $$->negated = false;
@@ -548,8 +581,8 @@ cmndalias	:	ALIAS '=' cmndlist {
 			}
 		;
 
-cmndlist	:	opcmnd
+cmndlist	:	digcmnd
-		|	cmndlist ',' opcmnd {
+		|	cmndlist ',' digcmnd {
 			    list_append($1, $3);
 			    $$ = $1;
 			}
@@ -650,7 +683,6 @@ sudoerserror(const char *s)
     debug_decl(sudoerserror, SUDO_DEBUG_PARSER)
 
     /* If we last saw a newline the error is on the preceding line. */
-    /* XXX - COMMENT not yet defined - XXX */
     if (last_token == COMMENT)
 	sudolineno--;
 
@@ -710,6 +742,19 @@ new_member(char *name, int type)
     debug_return_ptr(m);
 }
 
+struct sudo_digest *
+new_digest(int digest_type, const char *digest_str)
+{
+    struct sudo_digest *dig;
+    debug_decl(new_digest, SUDO_DEBUG_PARSER)
+
+    dig = emalloc(sizeof(*dig));
+    dig->digest_type = digest_type;
+    dig->digest_str = estrdup(digest_str);
+
+    debug_return_ptr(dig);
+}
+
 /*
  * Add a list of defaults structures to the defaults list.
  * The binding, if non-NULL, specifies a list of hosts, users, or

plugins/sudoers/hexchar.c

@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2013 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <stdio.h>
+
+#include "missing.h"
+#include "sudo_debug.h"
+#include "error.h"
+
+int
+hexchar(const char *s)
+{
+    unsigned char result[2];
+    int i;
+    debug_decl(hexchar, SUDO_DEBUG_UTIL)
+
+    for (i = 0; i < 2; i++) {
+	switch (s[i]) {
+	case '0':
+	    result[i] = 0;
+	    break;
+	case '1':
+	    result[i] = 1;
+	    break;
+	case '2':
+	    result[i] = 2;
+	    break;
+	case '3':
+	    result[i] = 3;
+	    break;
+	case '4':
+	    result[i] = 4;
+	    break;
+	case '5':
+	    result[i] = 5;
+	    break;
+	case '6':
+	    result[i] = 6;
+	    break;
+	case '7':
+	    result[i] = 7;
+	    break;
+	case '8':
+	    result[i] = 8;
+	    break;
+	case '9':
+	    result[i] = 9;
+	    break;
+	case 'A':
+	case 'a':
+	    result[i] = 10;
+	    break;
+	case 'B':
+	case 'b':
+	    result[i] = 11;
+	    break;
+	case 'C':
+	case 'c':
+	    result[i] = 12;
+	    break;
+	case 'D':
+	case 'd':
+	    result[i] = 13;
+	    break;
+	case 'E':
+	case 'e':
+	    result[i] = 14;
+	    break;
+	case 'F':
+	case 'f':
+	    result[i] = 15;
+	    break;
+	default:
+	    /* Should not happen. */
+	    errorx(1, "internal error, \\x%s not in proper hex format", s);
+	}
+    }
+    debug_return_int((result[0] << 4) | result[1]);
+}

plugins/sudoers/ldap.c

@@ -855,7 +855,7 @@ sudo_ldap_check_command(LDAP *ld, LDAPMessage *entry, int *setenv_implied)
 	    *allowed_args++ = '\0';
 
 	/* check the command like normal */
-	if (command_matches(allowed_cmnd, allowed_args)) {
+	if (command_matches(allowed_cmnd, allowed_args, NULL)) {
 	    /*
 	     * If allowed (no bang) set ret but keep on checking.
 	     * If disallowed (bang), exit loop.

plugins/sudoers/match.c

@@ -60,9 +60,6 @@
 #else
 # include <netdb.h>
 #endif /* HAVE_NETGROUP_H */
-#include <ctype.h>
-#include <pwd.h>
-#include <grp.h>
 #ifdef HAVE_DIRENT_H
 # include <dirent.h>
 # define NAMLEN(dirent) strlen((dirent)->d_name)
@@ -79,9 +76,14 @@
 #  include <ndir.h>
 # endif
 #endif
+#include <ctype.h>
+#include <pwd.h>
+#include <grp.h>
+#include <errno.h>
 
 #include "sudoers.h"
 #include "parse.h"
+#include "sha2.h"
 #include <gram.h>
 
 static struct member_list empty;
@@ -91,7 +93,7 @@ static bool command_matches_dir(char *, size_t);
 static bool command_matches_glob(char *, char *);
 #endif
 static bool command_matches_fnmatch(char *, char *);
-static bool command_matches_normal(char *, char *);
+static bool command_matches_normal(char *, char *, struct sudo_digest *);
 
 /*
  * Returns true if string 's' contains meta characters.
@@ -367,7 +369,7 @@ cmnd_matches(struct member *m)
 	    break;
 	case COMMAND:
 	    c = (struct sudo_command *)m->name;
-	    if (command_matches(c->cmnd, c->args))
+	    if (command_matches(c->cmnd, c->args, c->digest))
 		matched = !m->negated;
 	    break;
     }
@@ -375,9 +377,7 @@ cmnd_matches(struct member *m)
 }
 
 static bool
-command_args_match(sudoers_cmnd, sudoers_args)
+command_args_match(char *sudoers_cmnd, char *sudoers_args)
-    char *sudoers_cmnd;
-    char *sudoers_args;
 {
     int flags = 0;
     debug_decl(command_args_match, SUDO_DEBUG_MATCH)
@@ -408,7 +408,7 @@ command_args_match(sudoers_cmnd, sudoers_args)
  * otherwise, return true if user_cmnd names one of the inodes in path.
  */
 bool
-command_matches(char *sudoers_cmnd, char *sudoers_args)
+command_matches(char *sudoers_cmnd, char *sudoers_args, struct sudo_digest *digest)
 {
     debug_decl(command_matches, SUDO_DEBUG_MATCH)
 
@@ -444,7 +444,7 @@ command_matches(char *sudoers_cmnd, char *sudoers_args)
 	debug_return_bool(command_matches_glob(sudoers_cmnd, sudoers_args));
 #endif
     }
-    debug_return_bool(command_matches_normal(sudoers_cmnd, sudoers_args));
+    debug_return_bool(command_matches_normal(sudoers_cmnd, sudoers_args, digest));
 }
 
 static bool
@@ -545,28 +545,129 @@ command_matches_glob(char *sudoers_cmnd, char *sudoers_args)
 
 #ifdef SUDOERS_NAME_MATCH
 static bool
-command_matches_normal(char *sudoers_cmnd, char *sudoers_args)
+command_matches_normal(char *sudoers_cmnd, char *sudoers_args, struct sudo_digest *digest)
 {
     size_t dlen;
+    debug_decl(command_matches_normal, SUDO_DEBUG_MATCH)
 
     dlen = strlen(sudoers_cmnd);
 
     /* If it ends in '/' it is a directory spec. */
     if (sudoers_cmnd[dlen - 1] == '/')
-	return command_matches_dir(sudoers_cmnd, dlen);
+	debug_return_bool(command_matches_dir(sudoers_cmnd, dlen));
 
     if (strcmp(user_cmnd, sudoers_cmnd) == 0) {
 	if (command_args_match(sudoers_cmnd, sudoers_args)) {
 	    efree(safe_cmnd);
 	    safe_cmnd = estrdup(sudoers_cmnd);
-	    return true;
+	    debug_return_bool(true);
 	}
     }
-    return false;
+    debug_return_bool(false);
 }
 #else /* !SUDOERS_NAME_MATCH */
+
+static struct digest_function {
+    const char *digest_name;
+    const int digest_len;
+    void (*init)(SHA2_CTX *);
+    void (*update)(SHA2_CTX *, const unsigned char *, size_t);
+    void (*final)(unsigned char *, SHA2_CTX *);
+} digest_functions[] = {
+    {
+	"SHA224",
+	SHA224_DIGEST_LENGTH,
+	SHA224Init,
+	SHA224Update,
+	SHA224Final
+    }, {
+	"SHA256",
+	SHA256_DIGEST_LENGTH,
+	SHA256Init,
+	SHA256Update,
+	SHA256Final
+    }, {
+	"SHA384",
+	SHA384_DIGEST_LENGTH,
+	SHA384Init,
+	SHA384Update,
+	SHA384Final
+    }, {
+	"SHA512",
+	SHA512_DIGEST_LENGTH,
+	SHA512Init,
+	SHA512Update,
+	SHA512Final
+    }, {
+	NULL
+    }
+};
+
 static bool
-command_matches_normal(char *sudoers_cmnd, char *sudoers_args)
+digest_matches(char *file, struct sudo_digest *sd)
+{
+    char file_digest[SHA512_DIGEST_LENGTH];
+    char sudoers_digest[SHA512_DIGEST_LENGTH];
+    unsigned char buf[32 * 1024];
+    struct digest_function *func = NULL;
+    size_t nread;
+    SHA2_CTX ctx;
+    FILE *fp;
+    int i;
+    debug_decl(digest_matches, SUDO_DEBUG_MATCH)
+
+    for (i = 0; digest_functions[i].digest_name != NULL; i++) {
+	if (sd->digest_type == i) {
+	    func = &digest_functions[i];
+	    break;
+	}
+    }
+    if (func == NULL) {
+	warningx(_("unsupported digest type %d for %s"), sd->digest_type, file);
+	debug_return_bool(false);
+    }
+    /* XXX - support base64 type too */
+    if (strlen(sd->digest_str) != func->digest_len * 2) {
+	warningx(_("digest for %s (%s) is not in %s form"), file,
+	    sd->digest_str, func->digest_name);
+	debug_return_bool(false);
+    }
+
+    /* First convert the digest from sudoers from ascii to binary. */
+    /* XXX - parse base64 type too */
+    for (i = 0; i < func->digest_len; i++) {
+	if (!isxdigit((unsigned char)sd->digest_str[i + i]) ||
+	    !isxdigit((unsigned char)sd->digest_str[i + i + 1])) {
+	    warningx(_("digest for %s (%s) is not in %s form"), file,
+		sd->digest_str, func->digest_name);
+	    debug_return_bool(false);
+	}
+	sudoers_digest[i] = hexchar(&sd->digest_str[i + i]);
+    }
+
+    if ((fp = fopen(file, "r")) == NULL) {
+	sudo_debug_printf(SUDO_DEBUG_INFO, "unable to open %s: %s",
+	    file, strerror(errno));
+	debug_return_bool(false);
+    }
+
+    func->init(&ctx);
+    while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) {
+	func->update(&ctx, buf, nread);
+    }
+    if (ferror(fp)) {
+	warningx(_("%s: read error"), file);
+	fclose(fp);
+	debug_return_bool(false);
+    }
+    fclose(fp);
+    func->final(file_digest, &ctx);
+
+    debug_return_bool(memcmp(file_digest, sudoers_digest, func->digest_len) == 0);
+}
+
+static bool
+command_matches_normal(char *sudoers_cmnd, char *sudoers_args, struct sudo_digest *digest)
 {
     struct stat sudoers_stat;
     char *base;
@@ -592,17 +693,21 @@ command_matches_normal(char *sudoers_cmnd, char *sudoers_args)
      *  a) there are no args in sudoers OR
      *  b) there are no args on command line and none req by sudoers OR
      *  c) there are args in sudoers and on command line and they match
+     *  d) there is a digest and it matches
      */
     if (user_stat != NULL &&
 	(user_stat->st_dev != sudoers_stat.st_dev ||
 	user_stat->st_ino != sudoers_stat.st_ino))
 	debug_return_bool(false);
-    if (command_args_match(sudoers_cmnd, sudoers_args)) {
+    if (!command_args_match(sudoers_cmnd, sudoers_args))
-	efree(safe_cmnd);
+	debug_return_bool(false);
-	safe_cmnd = estrdup(sudoers_cmnd);
+    if (digest != NULL && !digest_matches(sudoers_cmnd, digest)) {
-	debug_return_bool(true);
+	/* XXX - log functions not available but we should log very loudly */
+	debug_return_bool(false);
     }
-    debug_return_bool(false);
+    efree(safe_cmnd);
+    safe_cmnd = estrdup(sudoers_cmnd);
+    debug_return_bool(true);
 }
 #endif /* SUDOERS_NAME_MATCH */
 
@@ -614,7 +719,8 @@ command_matches_normal(char *sudoers_cmnd, char *sudoers_args)
 static bool
 command_matches_dir(char *sudoers_dir, size_t dlen)
 {
-    return strncmp(user_cmnd, sudoers_dir, dlen) == 0;
+    debug_decl(command_matches_normal, SUDO_DEBUG_MATCH)
+    debug_return_bool(strncmp(user_cmnd, sudoers_dir, dlen) == 0);
 }
 #else /* !SUDOERS_NAME_MATCH */
 /*

plugins/sudoers/parse.h

@@ -27,12 +27,24 @@
 #undef IMPLIED
 #define IMPLIED	 2
 
+#define SUDO_DIGEST_SHA224	0
+#define SUDO_DIGEST_SHA256	1
+#define SUDO_DIGEST_SHA384	2
+#define SUDO_DIGEST_SHA512	3
+
+struct sudo_digest {
+    int digest_type;
+    char *digest_str;
+};
+
 /*
- * A command with args. XXX - merge into struct member.
+ * A command with option args and digest.
+ * XXX - merge into struct member
  */
 struct sudo_command {
     char *cmnd;
     char *args;
+    struct sudo_digest *digest;
 };
 
 /*
@@ -117,6 +129,7 @@ struct cmndspec {
     struct member_list runasuserlist;	/* list of runas users */
     struct member_list runasgrouplist;	/* list of runas groups */
     struct member *cmnd;		/* command to allow/deny */
+    char *digest;			/* optional command digest */
     struct cmndtag tags;		/* tag specificaion */
 #ifdef HAVE_SELINUX
     char *role, *type;			/* SELinux role and type */
@@ -182,7 +195,7 @@ char *alias_add(char *, int, struct member *);
 bool addr_matches(char *);
 int cmnd_matches(struct member *);
 int cmndlist_matches(struct member_list *);
-bool command_matches(char *, char *);
+bool command_matches(char *, char *, struct sudo_digest *);
 int hostlist_matches(struct member_list *);
 bool hostname_matches(char *, char *, char *);
 bool netgr_matches(char *, char *, char *, char *);
@@ -200,5 +213,6 @@ void init_aliases(void);
 void init_lexer(void);
 void init_parser(const char *, bool);
 int alias_compare(const void *, const void *);
+int hexchar(const char *s);
 
 #endif /* _SUDOERS_PARSE_H */

plugins/sudoers/regress/parser/check_digest.c

@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 2013 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+#  include <stdlib.h>
+# endif
+#endif /* STDC_HEADERS */
+#ifdef HAVE_STRING_H
+# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
+#  include <memory.h>
+# endif
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#if defined(HAVE_STDINT_H)
+# include <stdint.h>
+#elif defined(HAVE_INTTYPES_H)
+# include <inttypes.h>
+#endif
+
+#include "missing.h"
+#include "sha2.h"
+
+__dso_public int main(int argc, char *argv[]);
+
+static struct digest_function {
+    const char *digest_name;
+    const int digest_len;
+    void (*init)(SHA2_CTX *);
+    void (*update)(SHA2_CTX *, const unsigned char *, size_t);
+    void (*final)(unsigned char *, SHA2_CTX *);
+} digest_functions[] = {
+    {
+	"SHA224",
+	SHA224_DIGEST_LENGTH,
+	SHA224Init,
+	SHA224Update,
+	SHA224Final
+    }, {
+	"SHA256",
+	SHA256_DIGEST_LENGTH,
+	SHA256Init,
+	SHA256Update,
+	SHA256Final
+    }, {
+	"SHA384",
+	SHA384_DIGEST_LENGTH,
+	SHA384Init,
+	SHA384Update,
+	SHA384Final
+    }, {
+	"SHA512",
+	SHA512_DIGEST_LENGTH,
+	SHA512Init,
+	SHA512Update,
+	SHA512Final
+    }, {
+	NULL
+    }
+};
+
+int
+main(int argc, char *argv[])
+{
+    SHA2_CTX ctx;
+    int i, j;
+    struct digest_function *func;
+    unsigned char digest[SHA512_DIGEST_LENGTH];
+    static const char hex[] = "0123456789abcdef";
+    unsigned char buf[1000];
+    unsigned const char *test_strings[] = {
+	"",
+	"a",
+	"abc",
+	"message digest",
+	"abcdefghijklmnopqrstuvwxyz",
+	"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+	    "0123456789",
+	"12345678901234567890123456789012345678901234567890123456789"
+	    "012345678901234567890",
+    };
+
+    for (func = digest_functions; func->digest_name != NULL; func++) {
+	for (i = 0; i < 8; i++) {
+	    func->init(&ctx);
+	    func->update(&ctx, test_strings[i], strlen(test_strings[i]));
+	    func->final(digest, &ctx);
+	    printf("%s (\"%s\") = ", func->digest_name, test_strings[i]);
+	    for (j = 0; j < func->digest_len; j++) {
+		putchar(hex[digest[j] >> 4]);
+		putchar(hex[digest[j] & 0x0f]);
+	    }
+	    putchar('\n');
+	}
+
+	/* Simulate a string of a million 'a' characters. */
+	memset(buf, 'a', sizeof(buf));
+	func->init(&ctx);
+	for (i = 0; i < 1000; i++) {
+	    func->update(&ctx, buf, sizeof(buf));
+	}
+	func->final(digest, &ctx);
+	printf("%s (one million 'a' characters) = ", func->digest_name);
+	for (j = 0; j < func->digest_len; j++) {
+	    putchar(hex[digest[j] >> 4]);
+	    putchar(hex[digest[j] & 0x0f]);
+	}
+	putchar('\n');
+    }
+    exit(0);
+}

plugins/sudoers/regress/parser/check_digest.out.ok

@@ -0,0 +1,36 @@
+SHA224 ("") = d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f
+SHA224 ("a") = abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5
+SHA224 ("abc") = 23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7
+SHA224 ("message digest") = 2cb21c83ae2f004de7e81c3c7019cbcb65b71ab656b22d6d0c39b8eb
+SHA224 ("abcdefghijklmnopqrstuvwxyz") = 45a5f72c39c5cff2522eb3429799e49e5f44b356ef926bcf390dccc2
+SHA224 ("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq") = 75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525
+SHA224 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = bff72b4fcb7d75e5632900ac5f90d219e05e97a7bde72e740db393d9
+SHA224 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = b50aecbe4e9bb0b57bc5f3ae760a8e01db24f203fb3cdcd13148046e
+SHA224 (one million 'a' characters) = 20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67
+SHA256 ("") = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+SHA256 ("a") = ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
+SHA256 ("abc") = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
+SHA256 ("message digest") = f7846f55cf23e14eebeab5b4e1550cad5b509e3348fbc4efa3a1413d393cb650
+SHA256 ("abcdefghijklmnopqrstuvwxyz") = 71c480df93d6ae2f1efad1447c66c9525e316218cf51fc8d9ed832f2daf18b73
+SHA256 ("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq") = 248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1
+SHA256 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = db4bfcbd4da0cd85a60c3c37d3fbd8805c77f15fc6b1fdfe614ee0a7c8fdb4c0
+SHA256 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = f371bc4a311f2b009eef952dd83ca80e2b60026c8e935592d0f9c308453c813e
+SHA256 (one million 'a' characters) = cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0
+SHA384 ("") = 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
+SHA384 ("a") = 54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31
+SHA384 ("abc") = cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed8086072ba1e7cc2358baeca134c825a7
+SHA384 ("message digest") = 473ed35167ec1f5d8e550368a3db39be54639f828868e9454c239fc8b52e3c61dbd0d8b4de1390c256dcbb5d5fd99cd5
+SHA384 ("abcdefghijklmnopqrstuvwxyz") = feb67349df3db6f5924815d6c3dc133f091809213731fe5c7b5f4999e463479ff2877f5f2936fa63bb43784b12f3ebb4
+SHA384 ("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq") = 3391fdddfc8dc7393707a65b1b4709397cf8b1d162af05abfe8f450de5f36bc6b0455a8520bc4e6f5fe95b1fe3c8452b
+SHA384 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = 1761336e3f7cbfe51deb137f026f89e01a448e3b1fafa64039c1464ee8732f11a5341a6f41e0c202294736ed64db1a84
+SHA384 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = b12932b0627d1c060942f5447764155655bd4da0c9afa6dd9b9ef53129af1b8fb0195996d2de9ca0df9d821ffee67026
+SHA384 (one million 'a' characters) = 9d0e1809716474cb086e834e310a4a1ced149e9c00f248527972cec5704c2a5b07b8b3dc38ecc4ebae97ddd87f3d8985
+SHA512 ("") = cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
+SHA512 ("a") = 1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75
+SHA512 ("abc") = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
+SHA512 ("message digest") = 107dbf389d9e9f71a3a95f6c055b9251bc5268c2be16d6c13492ea45b0199f3309e16455ab1e96118e8a905d5597b72038ddb372a89826046de66687bb420e7c
+SHA512 ("abcdefghijklmnopqrstuvwxyz") = 4dbff86cc2ca1bae1e16468a05cb9881c97f1753bce3619034898faa1aabe429955a1bf8ec483d7421fe3c1646613a59ed5441fb0f321389f77f48a879c7b1f1
+SHA512 ("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq") = 204a8fc6dda82f0a0ced7beb8e08a41657c16ef468b228a8279be331a703c33596fd15c13b1b07f9aa1d3bea57789ca031ad85c7a71dd70354ec631238ca3445
+SHA512 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = 1e07be23c26a86ea37ea810c8ec7809352515a970e9253c26f536cfc7a9996c45c8370583e0a78fa4a90041d71a4ceab7423f19c71b9d5a3e01249f0bebd5894
+SHA512 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") = 72ec1ef1124a45b047e8b7c75a932195135bb61de24ec0d1914042246e0aec3a2354e093d76f3048b456764346900cb130d2a4fd5dd16abb5e30bcb850dee843
+SHA512 (one million 'a' characters) = e718483d0ce769644e2e42c7bc15b4638e1f98b13b2044285632a803afa973ebde0ff244877ea60a4cb0432ce577c31beb009c5c2c49aa2e4eadb217ad8cc09b

plugins/sudoers/sha2.h

@@ -49,13 +49,9 @@ typedef struct {
 
 void SHA224Init(SHA2_CTX *ctx);
 void SHA224Pad(SHA2_CTX *ctx);
-void SHA224Transform(uint32_t state[8], const uint8_t buffer[SHA224_BLOCK_LENGTH])
+void SHA224Transform(uint32_t state[8], const uint8_t buffer[SHA224_BLOCK_LENGTH]);
-	__attribute__((__bounded__(__minbytes__,1,32)))
+void SHA224Update(SHA2_CTX *ctx, const uint8_t *data, size_t len);
-	__attribute__((__bounded__(__minbytes__,2,SHA224_BLOCK_LENGTH)));
+void SHA224Final(uint8_t digest[SHA224_DIGEST_LENGTH], SHA2_CTX *ctx);
-void SHA224Update(SHA2_CTX *ctx, const uint8_t *data, size_t len)
-	__attribute__((__bounded__(__string__,2,3)));
-void SHA224Final(uint8_t digest[SHA224_DIGEST_LENGTH], SHA2_CTX *ctx)
-	__attribute__((__bounded__(__minbytes__,1,SHA224_DIGEST_LENGTH)));
 
 void SHA256Init(SHA2_CTX *ctx);
 void SHA256Pad(SHA2_CTX *ctx);

plugins/sudoers/sssd.c

@@ -774,7 +774,7 @@ sudo_sss_check_command(struct sudo_sss_handle *handle,
 	    *allowed_args++ = '\0';
 
 	/* check the command like normal */
-	if (command_matches(allowed_cmnd, allowed_args)) {
+	if (command_matches(allowed_cmnd, allowed_args, NULL)) {
 	    /*
 	     * If allowed (no bang) set ret but keep on checking.
 	     * If disallowed (bang), exit loop.

plugins/sudoers/toke.l

@@ -530,6 +530,7 @@ ALL {
 			}
 
 <GOTDEFS>({PATH}|sudoedit) {
+			    /* XXX - no way to specify digest for command */
 			    /* no command args allowed for Defaults!/path */
 			    if (!fill_cmnd(sudoerstext, sudoersleng))
 				yyterminate();
@@ -537,6 +538,26 @@ ALL {
 			    LEXRETURN(COMMAND);
 			}
 
+sha224			{
+			    LEXTRACE("SHA224 ");
+			    LEXRETURN(SHA224);
+			}
+
+sha256			{
+			    LEXTRACE("SHA256 ");
+			    LEXRETURN(SHA256);
+			}
+
+sha384			{
+			    LEXTRACE("SHA384 ");
+			    LEXRETURN(SHA384);
+			}
+
+sha512			{
+			    LEXTRACE("SHA512 ");
+			    LEXRETURN(SHA512);
+			}
+
 sudoedit		{
 			    BEGIN GOTCMND;
 			    LEXTRACE("COMMAND ");

plugins/sudoers/toke_util.c

@@ -57,51 +57,6 @@
 static int arg_len = 0;
 static int arg_size = 0;
 
-static int
-hexchar(const char *s)
-{
-    int i, result = 0;
-    debug_decl(hexchar, SUDO_DEBUG_PARSER)
-
-    s += 2; /* skip \\x */
-    for (i = 0; i < 2; i++) {
-	switch (*s) {
-	case 'A':
-	case 'a':
-	    result += 10;
-	    break;
-	case 'B':
-	case 'b':
-	    result += 11;
-	    break;
-	case 'C':
-	case 'c':
-	    result += 12;
-	    break;
-	case 'D':
-	case 'd':
-	    result += 13;
-	    break;
-	case 'E':
-	case 'e':
-	    result += 14;
-	    break;
-	case 'F':
-	case 'f':
-	    result += 15;
-	    break;
-	default:
-	    result += *s - '0';
-	    break;
-	}
-	if (i == 0) {
-	    result *= 16;
-	    s++;
-	}
-    }
-    debug_return_int(result);
-}
-
 bool
 fill_txt(const char *src, int len, int olen)
 {
@@ -123,7 +78,7 @@ fill_txt(const char *src, int len, int olen)
 	    if (src[1] == 'x' && len >= 3 && 
 		isxdigit((unsigned char) src[2]) &&
 		isxdigit((unsigned char) src[3])) {
-		*dst++ = hexchar(src);
+		*dst++ = hexchar(src + 2);
 		src += 4;
 		len -= 3;
 	    } else {