From: Alan T. DeKok
Date: Tue, 30 Dec 2025 16:54:33 +0000 (-0500)
Subject: automatically add ref=@.OID-Tree to types with oid_and_value
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=005a8a34cf56608c4d25a85a8ce6ce87bb455e09;p=thirdparty%2Ffreeradius-server.git
automatically add ref=@.OID-Tree to types with oid_and_value so that we don't have to litter it all through the code
---
diff --git a/share/dictionary/der/dictionary.common b/share/dictionary/der/dictionary.common
index 088cd19a107..58f3915cff3 100644
--- a/share/dictionary/der/dictionary.common
+++ b/share/dictionary/der/dictionary.common
@@ -11,7 +11,7 @@ # DEFINE RelativeDistinguishedName set set_of=sequence,size=1.. BEGIN RelativeDistinguishedName
-DEFINE AttributeTypeAndValue sequence sequence_of=oid_and_value,ref=@.OID-Tree
+DEFINE AttributeTypeAndValue sequence sequence_of=oid_and_value
END RelativeDistinguishedName DEFINE GeneralName choice
diff --git a/share/dictionary/der/dictionary.extensions b/share/dictionary/der/dictionary.extensions
index 90b36fbedd0..bf4632221e5 100644
--- a/share/dictionary/der/dictionary.extensions
+++ b/share/dictionary/der/dictionary.extensions
@@ -2,7 +2,7 @@ # Copyright (C) 2025 Network RADIUS SAS (legal@networkradius.com) # This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0 # Version $Id$
-DEFINE Critical sequence sequence_of=oid_and_value,ref=@.OID-Tree
+DEFINE Critical sequence sequence_of=oid_and_value
ATTRIBUTE authorityInfoAccess 1.3.6.1.5.5.7.1.1 sequence sequence_of=sequence,leaf BEGIN 1.3.6.1.5.5.7.1.1
@@ -65,7 +65,7 @@ DEFINE policyIdentifier oid DEFINE policyQualifiers sequence sequence_of=sequence,size=1..,optional BEGIN policyQualifiers
-DEFINE policyQualifierInfo sequence sequence_of=oid_and_value,ref=@.OID-Tree
+DEFINE policyQualifierInfo sequence sequence_of=oid_and_value
END policyQualifiers END policyInformation
diff --git a/share/dictionary/der/dictionary.rfc2986 b/share/dictionary/der/dictionary.rfc2986
index 5c8c08d3ae7..8e38668862a 100644
--- a/share/dictionary/der/dictionary.rfc2986
+++ b/share/dictionary/der/dictionary.rfc2986
@@ -33,7 +33,7 @@ BEGIN Attributes DEFINE Attribute sequence BEGIN Attribute DEFINE OID oid
-DEFINE Extensions set set_of=oid_and_value,ref=@.OID-Tree,is_extensions
+DEFINE Extensions set set_of=oid_and_value,is_extensions
END Attribute END Attributes
diff --git a/share/dictionary/der/dictionary.rfc5280 b/share/dictionary/der/dictionary.rfc5280
index 54778254800..2848daf6b4c 100644
--- a/share/dictionary/der/dictionary.rfc5280
+++ b/share/dictionary/der/dictionary.rfc5280
@@ -12,7 +12,7 @@ BEGIN version DEFINE number integer END version DEFINE serialNumber octets der_type=integer
-DEFINE signature sequence sequence_of=oid_and_value,ref=@.OID-Tree
+DEFINE signature sequence sequence_of=oid_and_value
DEFINE issuer sequence sequence_of=set BEGIN issuer
@@ -32,18 +32,18 @@ END subject DEFINE subjectPublicKeyInfo sequence BEGIN subjectPublicKeyInfo
-DEFINE algorithm sequence sequence_of=oid_and_value,ref=@.OID-Tree
+DEFINE algorithm sequence sequence_of=oid_and_value
DEFINE subjectPublicKey bitstring END subjectPublicKeyInfo DEFINE issuerUniqueID octetstring option=1,optional DEFINE subjectUniqueID octetstring option=2,optional
-DEFINE extensions x509_extensions ref=@.OID-Tree,size=1..,option=3,optional
+DEFINE extensions x509_extensions size=1..,option=3,optional
END tbsCertificate
-DEFINE signatureAlgorithm sequence sequence_of=oid_and_value,ref=@.OID-Tree
+DEFINE signatureAlgorithm sequence sequence_of=oid_and_value
DEFINE signature bitstring END Certificate
diff --git a/src/lib/util/dict.h b/src/lib/util/dict.h
index 349a2539743..77d228d766d 100644
--- a/src/lib/util/dict.h
+++ b/src/lib/util/dict.h
@@ -566,7 +566,7 @@ int fr_dict_str_to_argv(char *str, char **argv, int max_argc); int fr_dict_attr_acopy_local(fr_dict_attr_t const *dst, fr_dict_attr_t const *src) CC_HINT(nonnull);
-int fr_dict_attr_set_group(fr_dict_attr_t **da_p) CC_HINT(nonnull);
+int fr_dict_attr_set_group(fr_dict_attr_t **da_p, fr_dict_attr_t const *ref) CC_HINT(nonnull);
/** @} */ /** @name Dict accessors
diff --git a/src/lib/util/dict_util.c b/src/lib/util/dict_util.c
index c2769cab414..9dd9014d421 100644
--- a/src/lib/util/dict_util.c
+++ b/src/lib/util/dict_util.c
@@ -5316,7 +5316,7 @@ fr_dict_t const *fr_dict_proto_dict(fr_dict_t const *dict) return dict; }
-int fr_dict_attr_set_group(fr_dict_attr_t **da_p)
+int fr_dict_attr_set_group(fr_dict_attr_t **da_p, fr_dict_attr_t const *ref)
{ if ((*da_p)->type == FR_TYPE_GROUP) { fr_assert(fr_dict_attr_ext(*da_p, FR_DICT_ATTR_EXT_REF) != NULL);
@@ -5327,9 +5327,5 @@ int fr_dict_attr_set_group(fr_dict_attr_t **da_p) fr_assert(fr_dict_attr_ext(*da_p, FR_DICT_ATTR_EXT_REF) == NULL);
- if (!dict_attr_ext_alloc(da_p, FR_DICT_ATTR_EXT_REF)) {
- return -1;
- }
-
- return 0;
+ return dict_attr_ref_aset(da_p, ref, FR_DICT_ATTR_REF_ALIAS);
}
diff --git a/src/protocols/der/base.c b/src/protocols/der/base.c
index 6d24ba3ab00..4d341c28b04 100644
--- a/src/protocols/der/base.c
+++ b/src/protocols/der/base.c
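Review bot: In src/lib/util/dict_util.c, `fr_dict_attr_set_group()` keeps its branch for an attribute that is already `FR_TYPE_GROUP`, and from what the first hunk shows that branch only asserts that a ref extension exists, so the new `ref` argument appears to be ignored there. The rest of that branch lies between the two hunks and is not visible, but if it returns early, a group that already carries a different or still-unresolved ref is reported as success without pointing at `ref`, and `fr_assert()` gives no protection in builds where assertions are disabled. Consider rejecting a mismatch explicitly on that path, or at least stating the contract in a comment above the function and its prototype in dict.h, e.g. `/* If *da_p is already a group, its existing ref is kept and ref is ignored */`.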
@@ -317,6 +317,27 @@ static int dict_flag_der_type(fr_dict_attr_t **da_p, char const *value, UNUSED f return 0; }
+static int dict_flag_set_oid_and_value(fr_dict_attr_t **da_p, fr_der_attr_flags_t *flags)
+{
+ flags->is_oid_and_value = true;
+ flags->is_sequence_of = true;
+ flags->sequence_of = FR_DER_TAG_SEQUENCE;
+
+ /*
+ * The dict autoload things aren't set until after we load all of the dictionary entries. So we
+ * just manually set it here for laziness.
+ */
+ if (!attr_oid_tree) {
+ attr_oid_tree = fr_dict_attr_by_name(NULL, fr_dict_root((*da_p)->dict), "OID-Tree");
+ if (!attr_oid_tree) return -1;
+ }
+
+ if (fr_dict_attr_set_group(da_p, attr_oid_tree) < 0) return -1;
+
+ (*da_p)->flags.allow_flat = !flags->is_extensions;
+ return 0;
+}
+
static int dict_flag_sequence_of(fr_dict_attr_t **da_p, char const *value, UNUSED fr_dict_flag_parser_rule_t const *rules) { fr_der_attr_flags_t *flags = fr_dict_attr_ext(*da_p, FR_DICT_ATTR_EXT_PROTOCOL_SPECIFIC);
@@ -333,13 +354,7 @@ static int dict_flag_sequence_of(fr_dict_attr_t **da_p, char const *value, UNUSE } if (strcmp(value, "oid_and_value") == 0) {
- flags->is_oid_and_value = true;
- flags->is_sequence_of = true;
- flags->sequence_of = FR_DER_TAG_SEQUENCE;
- if (fr_dict_attr_set_group(da_p) < 0) return -1;
-
- (*da_p)->flags.allow_flat = 1;
- return 0;
+ return dict_flag_set_oid_and_value(da_p, flags);
} type = fr_table_value_by_str(tag_name_to_number, value, FR_DER_TAG_INVALID);
@@ -370,13 +385,7 @@ static int dict_flag_set_of(fr_dict_attr_t **da_p, char const *value, UNUSED fr_ } if (strcmp(value, "oid_and_value") == 0) {
- flags->is_oid_and_value = true;
- flags->is_sequence_of = true;
- flags->sequence_of = FR_DER_TAG_SEQUENCE;
- if (fr_dict_attr_set_group(da_p) < 0) return -1;
-
- (*da_p)->flags.allow_flat = 1;
- return 0;
+ return dict_flag_set_oid_and_value(da_p, flags);
} type = fr_table_value_by_str(tag_name_to_number, value, FR_DER_TAG_INVALID);
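Review bot: In the new `dict_flag_set_oid_and_value()`, `flags` is dereferenced after `fr_dict_attr_set_group(da_p, attr_oid_tree)` has returned, in `(*da_p)->flags.allow_flat = !flags->is_extensions;`. `dict_flag_sequence_of()` obtains `flags` from `fr_dict_attr_ext(*da_p, FR_DICT_ATTR_EXT_PROTOCOL_SPECIFIC)`, and the `**da_p` signature suggests that adding the ref extension may reallocate the attribute; if it can, `flags` is a stale pointer at that point and the read touches freed memory, which the removed code avoided by not using `flags` after the call. Copy the value before the call, `bool is_extensions = flags->is_extensions;`, and assign `(*da_p)->flags.allow_flat = !is_extensions;` afterwards. Separately, `attr_oid_tree` is cached from whichever dictionary is parsed first, which deserves a comment if the DER dictionary can be freed and loaded again in the same process.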
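Review bot: In `dict_flag_set_of()` (and the same branch of `dict_flag_sequence_of()` in the previous hunk), `allow_flat` used to be set to 1 unconditionally and is now `!flags->is_extensions` as evaluated at the moment this flag is parsed. dictionary.rfc2986 in this commit writes `set_of=oid_and_value,is_extensions`, so if flags are applied left to right `is_extensions` is still unset here and the attribute keeps `allow_flat`, while the `x509_extensions` type path may end up with the opposite value. If extensions are never meant to be flat, derive the value once all flags are known or have the `is_extensions` handler clear it; at minimum add a comment stating the flag order the helper relies on. Both functions continue outside their hunks.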
@@ -801,8 +810,7 @@ static bool type_parse(fr_type_t *type_p,fr_dict_attr_t **da_p, char const *name flags->option = 3; flags->is_option = true;
- flags->is_sequence_of = true;
- flags->sequence_of = FR_DER_TAG_SEQUENCE;
+ if (dict_flag_set_oid_and_value(da_p, flags) < 0) return false;
} /*
@@ -859,26 +867,6 @@ static bool attr_valid(fr_dict_attr_t *da) da->flags.length = 0; }
- /*
- * sequence_of=oid_and_value has to have a reference to the OID tree.
- *
- * Group refs are added as unresolved refs, see dict_flag_ref(), and are resolved later
- * in dict_fixup_group_apply().
- *
- * @todo - have a function called from dict_attr_finalize() ?
- */
-#if 0
- if (flags->is_oid_and_value) {
- fr_dict_attr_t const *ref;
-
- fr_assert(da->type == FR_TYPE_GROUP);
-
- if (!fr_dict_attr_ref(da)) {
- (void) dict_attr_ref_set(da, attr_oid_tree, FR_DICT_ATTR_REF_ALIAS);
- }
- }
-#endif
-
if (flags->is_choice && unlikely(!fr_type_is_tlv(da->type))) { fr_strerror_printf("Attribute %s of type %s is not allowed represent a collection of choices.", da->name, fr_type_to_str(da->type));
diff --git a/src/tests/unit/protocols/der/dictionary.test b/src/tests/unit/protocols/der/dictionary.test
index 88669c845ce..244b12d8f31 100644
--- a/src/tests/unit/protocols/der/dictionary.test
+++ b/src/tests/unit/protocols/der/dictionary.test
@@ -2,7 +2,7 @@ # Copyright (C) 2025 The FreeRADIUS Server project and contributors # This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0 # Version $Id$
-DEFINE Certificate-Extensions x509_extensions ref=@.OID-Tree
+DEFINE Certificate-Extensions x509_extensions
DEFINE Test-GeneralNames group sequence_of=choice,ref=@.GeneralName
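Review bot: In `type_parse()`, the `x509_extensions` branch now fails with `return false` when `dict_flag_set_oid_and_value()` returns -1, and as far as the diff shows the helper's `if (!attr_oid_tree) return -1;` path sets no error text, so a dictionary that uses `x509_extensions` or `oid_and_value` before `OID-Tree` is defined would be rejected without an explanation. Add a message in the helper before returning, for example `fr_strerror_printf("Attribute %s needs OID-Tree to be defined first", (*da_p)->name);`. The branch also now sets `is_oid_and_value` and turns the attribute into a group, which the two removed lines did not do, so a short comment saying this is intended would help. `type_parse()` continues outside the hunk; if `flags` is used again after this call it should be re-fetched from `*da_p`.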