From: Alan T. DeKok Date: Fri, 10 Jan 2025 21:44:23 +0000 (-0500) Subject: set "yes" to "1" and "auto" to "2" X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=527fd6a536ac81bcc74b2c326a642f2764756467;p=thirdparty%2Ffreeradius-server.git set "yes" to "1" and "auto" to "2" The configuration file parsing code parses things before it knows their data types. Which means that "yes" gets parsed as data type "bool", with value "1". It then gets cast to "uint8_t" when processing the require-ma attribute. Which just happens to have "auto" as "1", and "yes" as "2". Rather than redoing all of the parsing code, we just set "yes" to "1", which is much safer. --- diff --git a/share/dictionary/freeradius/dictionary.freeradius.internal b/share/dictionary/freeradius/dictionary.freeradius.internal index a2c76b1f22..0bebfaa297 100644 --- a/share/dictionary/freeradius/dictionary.freeradius.internal +++ b/share/dictionary/freeradius/dictionary.freeradius.internal @@ -157,15 +157,15 @@ ATTRIBUTE FreeRADIUS-Client-Require-MA 1122 uint8 # Ordering is important here, as the values are a bitmask. VALUE FreeRADIUS-Client-Require-MA No 0 -VALUE FreeRADIUS-Client-Require-MA Auto 1 -VALUE FreeRADIUS-Client-Require-MA Yes 2 +VALUE FreeRADIUS-Client-Require-MA Yes 1 +VALUE FreeRADIUS-Client-Require-MA Auto 2 ATTRIBUTE FreeRADIUS-Client-Limit-Proxy-State 1123 uint8 # Ordering is important here, as the values are a bitmask. VALUE FreeRADIUS-Client-Limit-Proxy-State No 0 -VALUE FreeRADIUS-Client-Limit-Proxy-State Auto 1 -VALUE FreeRADIUS-Client-Limit-Proxy-State Yes 2 +VALUE FreeRADIUS-Client-Limit-Proxy-State Yes 1 +VALUE FreeRADIUS-Client-Limit-Proxy-State Auto 2 ATTRIBUTE FreeRADIUS-Client-Secret 1124 string ATTRIBUTE FreeRADIUS-Client-Shortname 1125 string diff --git a/src/protocols/radius/base.c b/src/protocols/radius/base.c index 22440fec03..b07964d38e 100644 --- a/src/protocols/radius/base.c +++ b/src/protocols/radius/base.c 
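Review bot: The comment kept above both VALUE blocks, `# Ordering is important here, as the values are a bitmask.`, does not say why `Yes` has to be 1, so a later renumbering could quietly reintroduce the mismatch this commit fixes. Per the commit message, the config parser turns "yes" into bool 1 before the cast to uint8, so under the old numbering a client configured with "yes" would apparently have ended up with the `Auto` value, which is weaker Message-Authenticator enforcement than the administrator asked for. I would reword the comment in both places along the lines of `# "Yes" MUST be 1: the config parser reads "yes" as bool 1 before casting to uint8. Keep in sync with radius.h.` The same applies to the FreeRADIUS-Client-Limit-Proxy-State block in this hunk.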
@@ -82,19 +82,19 @@ fr_dict_attr_autoload_t libfreeradius_radius_dict_attr[] = { fr_table_num_sorted_t const fr_radius_require_ma_table[] = { { L("auto"), FR_RADIUS_REQUIRE_MA_AUTO }, - { L("no"), FR_RADIUS_REQUIRE_MA_NO }, - { L("yes"), FR_RADIUS_REQUIRE_MA_YES }, { L("false"), FR_RADIUS_REQUIRE_MA_NO }, + { L("no"), FR_RADIUS_REQUIRE_MA_NO }, { L("true"), FR_RADIUS_REQUIRE_MA_YES }, + { L("yes"), FR_RADIUS_REQUIRE_MA_YES }, }; size_t fr_radius_require_ma_table_len = NUM_ELEMENTS(fr_radius_require_ma_table); fr_table_num_sorted_t const fr_radius_limit_proxy_state_table[] = { { L("auto"), FR_RADIUS_LIMIT_PROXY_STATE_AUTO }, - { L("no"), FR_RADIUS_LIMIT_PROXY_STATE_NO }, - { L("yes"), FR_RADIUS_LIMIT_PROXY_STATE_YES }, { L("false"), FR_RADIUS_LIMIT_PROXY_STATE_NO }, + { L("no"), FR_RADIUS_LIMIT_PROXY_STATE_NO }, { L("true"), FR_RADIUS_LIMIT_PROXY_STATE_YES }, + { L("yes"), FR_RADIUS_LIMIT_PROXY_STATE_YES }, }; size_t fr_radius_limit_proxy_state_table_len = NUM_ELEMENTS(fr_radius_limit_proxy_state_table); diff --git a/src/protocols/radius/radius.h b/src/protocols/radius/radius.h index d9d4676f0b..768657b934 100644 --- a/src/protocols/radius/radius.h +++ b/src/protocols/radius/radius.h @@ -61,11 +61,11 @@ */ typedef enum { FR_RADIUS_REQUIRE_MA_NO = 0x00, //!< Do not require Message-Authenticator - FR_RADIUS_REQUIRE_MA_AUTO = 0x01, //!< Only require Message-Authenticator if we've previously + FR_RADIUS_REQUIRE_MA_YES = 0x01, //!< Require Message-Authenticator + FR_RADIUS_REQUIRE_MA_AUTO = 0x02, //!< Only require Message-Authenticator if we've previously ///< received a packet from this client with Message-Authenticator. ///< @note This isn't used by the radius protocol code, but may be used ///< to drive logic in modules. - FR_RADIUS_REQUIRE_MA_YES = 0x02 //!< Require Message-Authenticator } fr_radius_require_ma_t; 
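Review bot: Neither `fr_radius_require_ma_table` nor `fr_radius_limit_proxy_state_table` documents that its entries must stay sorted by name, although the new order (auto, false, no, true, yes) only makes sense if `fr_table_num_sorted_t` lookups depend on it. The lookup code is not visible here, so this is inferred from the type name. In the old order `false` and `true` came after `yes`, so those two spellings may not have resolved reliably before this change. A one-line comment above each initialiser would protect the invariant, for example `/* Entries must stay sorted by name; fr_table_num_sorted_t lookups rely on it. */`. The commit message does not mention the re-sort, which is worth adding for anyone auditing which config spellings were affected.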
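Review bot: The requirement that `FR_RADIUS_REQUIRE_MA_YES` equals 1 is now load-bearing, but it is stated only in the commit message and nothing in the header enforces it. Consider a compile-time check next to the enum (or the project's own static-assert macro, if it has one), e.g. `_Static_assert(FR_RADIUS_REQUIRE_MA_YES == 1, "must match bool 'yes' from the config parser");`. The same applies to `FR_RADIUS_LIMIT_PROXY_STATE_YES` in the following hunk. Because `AUTO` and `YES` swap numeric values, any code outside this diff that compares them by magnitude, tests them as bits, or stores the raw uint8 would change meaning and should be audited; no such callers are visible here. The enum's doc comment starts above the hunk.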
@@ -76,14 +76,14 @@ typedef enum { typedef enum { FR_RADIUS_LIMIT_PROXY_STATE_NO = 0x00, //!< Do not limit Proxy-State. Allow proxy-state to be sent in ///< all packets. - FR_RADIUS_LIMIT_PROXY_STATE_AUTO = 0x01, //!< Do not allow Proxy-State unless: + FR_RADIUS_LIMIT_PROXY_STATE_YES = 0x01, //!< Limit Proxy-State. Do not allow Proxy-State to be sent in + ///< packets which do not have a Message-Authenticator attribute. + + FR_RADIUS_LIMIT_PROXY_STATE_AUTO = 0x02, //!< Do not allow Proxy-State unless: ///< - All packets received from a client have containted proxy state. ///< - The client has sent a packet with a Message-Authenticator. ///< @note This isn't used by the radius protocol code, but may be used ///< to drive logic in modules. - FR_RADIUS_LIMIT_PROXY_STATE_YES = 0x02, //!< Limit Proxy-State. Do not allow Proxy-State to be sent in - ///< packets which do not have a Message-Authenticator attribute. - } fr_radius_limit_proxy_state_t; typedef struct {