add and check for "suppress_secrets"

so that debug output contains fewer secrets

diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index b2a0a0f6424f73d9f5c0bc5032ae4ee3a64b65bc..028202fe2cc8eff66a5b1a126b17aeac7b496b86 100644 (file)
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -114,6 +114,7 @@ typedef struct main_config {
        fr_ipaddr_t     myip;                           //!< IP to bind to. Set on command line.
        uint16_t        port;                           //!< Port to bind to. Set on command line.
 
+       bool            suppress_secrets;               //!< for debug levels < 3
        bool            log_auth;                       //!< Log all authentication attempts.
        bool            log_accept;                     //!< Log Access-Accept
        bool            log_reject;                     //!< Log Access-Reject
@@ -312,8 +313,9 @@ struct rad_request {
 #define RAD_REQUEST_LVL_DEBUG3 (3)
 #define RAD_REQUEST_LVL_DEBUG4 (4)
 
-#define RAD_REQUEST_OPTION_COA (1 << 0)
-#define RAD_REQUEST_OPTION_CTX (1 << 1)
+#define RAD_REQUEST_OPTION_COA         (1 << 0)
+#define RAD_REQUEST_OPTION_CTX                 (1 << 1)
+#define RAD_REQUEST_OPTION_CANCELLED   (1 << 2)
 
 #define SECONDS_PER_DAY                86400
 #define MAX_REQUEST_TIME       30

diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index 1601ea1c8dbb9a296a2869ee589aa948eeb20de6..db110ed6f54e9231e5dfd25d90a612d5af92c171 100644 (file)
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -148,6 +148,7 @@ static const CONF_PARSER log_config[] = {
        { "colourise",FR_CONF_POINTER(PW_TYPE_BOOLEAN, &do_colourise), NULL },
        { "use_utc", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &log_dates_utc), NULL },
        { "msg_denied", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.denied_msg), "You are already logged in - access denied" },
+       { "suppress_secrets", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.suppress_secrets), NULL },
        CONF_PARSER_TERMINATOR
 };
 

diff --git a/src/main/pair.c b/src/main/pair.c
index 91d265935b9725d3000113640cd546dab85eaee3..d1596b913252014c4ac33b2753d11432fce6f199 100644 (file)
--- a/src/main/pair.c
+++ b/src/main/pair.c
@@ -742,6 +742,11 @@ void rdebug_pair(log_lvl_t level, REQUEST *request, VALUE_PAIR *vp, char const *
 
        if (!radlog_debug_enabled(L_DBG, level, request)) return;
 
+       if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) {
+               RDEBUGX(level, "%s%s = <<< secret >>>", prefix ? prefix : "", vp->da->name);
+               return;
+       }
+
        vp_prints(buffer, sizeof(buffer), vp);
        RDEBUGX(level, "%s%s", prefix ? prefix : "",  buffer);
 }
@@ -767,6 +772,11 @@ void rdebug_pair_list(log_lvl_t level, REQUEST *request, VALUE_PAIR *vp, char co
             vp = fr_cursor_next(&cursor)) {
                VERIFY_VP(vp);
 
+               if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) {
+                       RDEBUGX(level, "%s = <<< secret >>>", vp->da->name);
+                       continue;
+               }
+
                vp_prints(buffer, sizeof(buffer), vp);
                RDEBUGX(level, "%s%s", prefix ? prefix : "",  buffer);
        }
@@ -794,6 +804,12 @@ void rdebug_proto_pair_list(log_lvl_t level, REQUEST *request, VALUE_PAIR *vp)
                VERIFY_VP(vp);
                if ((vp->da->vendor == 0) &&
                    ((vp->da->attr & 0xFFFF) > 0xff)) continue;
+
+               if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) {
+                       RDEBUGX(level, "%s = <<< secret >>>", vp->da->name);
+                       continue;
+               }
+
                vp_prints(buffer, sizeof(buffer), vp);
                RDEBUGX(level, "%s", buffer);
        }