From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Sun, 28 Oct 2012 11:47:46 +0000 (+0000)
Subject: Add tag matching to pairdelete and paircopy2
X-Git-Tag: release_3_0_0_beta1~1637
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2703e303a414110be12cd3e772f3cbef082110ab;p=thirdparty%2Ffreeradius-server.git

Add tag matching to pairdelete and paircopy2
---

diff --git a/src/include/libradius.h b/src/include/libradius.h
index fc95c95477b..f536003e351 100644
--- a/src/include/libradius.h
+++ b/src/include/libradius.h
@@ -421,13 +421,13 @@ VALUE_PAIR	*paircreate(int attr, int vendor, int type);
 void		pairfree(VALUE_PAIR **);
 void            pairbasicfree(VALUE_PAIR *pair);
 VALUE_PAIR	*pairfind(VALUE_PAIR *, unsigned int attr, unsigned int vendor);
-void		pairdelete(VALUE_PAIR **, unsigned int attr, unsigned int vendor);
+void		pairdelete(VALUE_PAIR **, unsigned int attr, unsigned int vendor, int8_t tag);
 void		pairadd(VALUE_PAIR **, VALUE_PAIR *);
 void            pairreplace(VALUE_PAIR **first, VALUE_PAIR *add);
 int		paircmp(VALUE_PAIR *check, VALUE_PAIR *data);
 VALUE_PAIR	*paircopyvp(const VALUE_PAIR *vp);
 VALUE_PAIR	*paircopy(VALUE_PAIR *vp);
-VALUE_PAIR	*paircopy2(VALUE_PAIR *vp, unsigned int attr, unsigned int vendor);
+VALUE_PAIR	*paircopy2(VALUE_PAIR *vp, unsigned int attr, unsigned int vendor, int8_t tag);
 void		pairmove(VALUE_PAIR **to, VALUE_PAIR **from);
 void		pairmove2(VALUE_PAIR **to, VALUE_PAIR **from, unsigned int attr, unsigned int vendor);
 VALUE_PAIR	*pairparsevalue(VALUE_PAIR *vp, const char *value);
diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c
index 57ace38a8c9..9b067a7c661 100644
--- a/src/lib/valuepair.c
+++ b/src/lib/valuepair.c
@@ -247,17 +247,26 @@ VALUE_PAIR * pairfind(VALUE_PAIR *first, unsigned int attr, unsigned int vendor)
 }
 
 
-/*
- *	Delete the pair(s) with the matching attribute
+/** Delete matching pairs
+ *
+ * Delete matching pairs from the attribute list.
+ * 
+ * @param[in+out] vp which is head of the list.
+ * @param[in] attr to match.
+ * @param[in] vendor to match.
+ * @param[in] tag to match, only used if > 0.
  */
-void pairdelete(VALUE_PAIR **first, unsigned int attr, unsigned int vendor)
+void pairdelete(VALUE_PAIR **first, unsigned int attr, unsigned int vendor,
+		int8_t tag)
 {
 	VALUE_PAIR *i, *next;
 	VALUE_PAIR **last = first;
 
 	for(i = *first; i; i = next) {
 		next = i->next;
-		if ((i->attribute == attr) && (i->vendor == vendor)) {
+		if ((i->attribute == attr) && (i->vendor == vendor) &&
+		    ((tag < 0) ||
+		     (i->flags.has_tag && (i->flags.tag == tag)))) {
 			*last = next;
 			pairbasicfree(i);
 		} else {
@@ -375,10 +384,20 @@ VALUE_PAIR *paircopyvp(const VALUE_PAIR *vp)
 }
 
 
-/*
- *	Copy just a certain type of pairs.
+/** Copy matching pairs
+ *
+ * Copy pairs of a matching attribute number, vendor number and tag from the
+ * the input list to a new list, and return the head of this list.
+ * 
+ * @param[in] vp which is head of the input list.
+ * @param[in] attr to match, if 0 input list will not be filtered by attr.
+ * @param[in] vendor to match
+ * @param[in] tag to match, if < 0 input list will not be filtered by vendor,
+ *	      if >= 0 only attributes with that tag value will be copied.
+ * @return the head of the new VALUE_PAIR list.
  */
-VALUE_PAIR *paircopy2(VALUE_PAIR *vp, unsigned int attr, unsigned int vendor)
+VALUE_PAIR *paircopy2(VALUE_PAIR *vp, unsigned int attr, unsigned int vendor,
+		      int8_t tag)
 {
 	VALUE_PAIR	*first, *n, **last;
 
@@ -387,17 +406,25 @@ VALUE_PAIR *paircopy2(VALUE_PAIR *vp, unsigned int attr, unsigned int vendor)
 
 	while (vp) {
 		if ((attr > 0) &&
-		    !((vp->attribute == attr) && (vp->vendor == vendor))) {
-			vp = vp->next;
-			continue;
-		}
+		    ((vp->attribute != attr) || (vp->vendor != vendor)))
+			goto skip;
+			
+		if ((tag >= 0) && vp->flags.has_tag && (vp->flags.tag != tag))
+			goto skip;
 
 		n = paircopyvp(vp);
 		if (!n) return first;
+		
 		*last = n;
 		last = &n->next;
 		vp = vp->next;
+		
+		continue;
+		
+		skip:
+		vp = vp->next;
 	}
+	
 	return first;
 }
 
@@ -407,7 +434,7 @@ VALUE_PAIR *paircopy2(VALUE_PAIR *vp, unsigned int attr, unsigned int vendor)
  */
 VALUE_PAIR *paircopy(VALUE_PAIR *vp)
 {
-	return paircopy2(vp, 0, 0);
+	return paircopy2(vp, 0, 0, -1);
 }
 
 
@@ -496,7 +523,7 @@ void pairmove(VALUE_PAIR **to, VALUE_PAIR **from)
 					if (!i->vp_strvalue[0] ||
 					    (strcmp((char *)found->vp_strvalue,
 						    (char *)i->vp_strvalue) == 0)){
-						pairdelete(to, found->attribute, found->vendor);
+						pairdelete(to, found->attribute, found->vendor, found->flags.tag);
 
 						/*
 						 *	'tailto' may have been
@@ -547,7 +574,7 @@ void pairmove(VALUE_PAIR **to, VALUE_PAIR **from)
 					memcpy(found, i, sizeof(*found));
 					found->next = mynext;
 
-					pairdelete(&found->next, found->attribute, found->vendor);
+					pairdelete(&found->next, found->attribute, found->vendor, found->flags.tag);
 
 					/*
 					 *	'tailto' may have been
diff --git a/src/main/acct.c b/src/main/acct.c
index baeb686877b..e0ead2905c8 100644
--- a/src/main/acct.c
+++ b/src/main/acct.c
@@ -133,7 +133,7 @@ int rad_accounting(REQUEST *request)
 			realm = realm_find2(vp->vp_strvalue);
 			if (realm && !realm->acct_pool) {
 				DEBUG("rad_accounting: Cancelling proxy to realm %s, as it is a LOCAL realm.", realm->name);
-				pairdelete(&request->config_items, PW_PROXY_TO_REALM, 0);
+				pairdelete(&request->config_items, PW_PROXY_TO_REALM, 0, -1);
 			} else {
 				/*
 				 *	Don't reply to the NAS now because
diff --git a/src/main/auth.c b/src/main/auth.c
index 34bd56d448a..99c3d5a6484 100644
--- a/src/main/auth.c
+++ b/src/main/auth.c
@@ -689,7 +689,7 @@ int rad_virtual_server(REQUEST *request)
 	result = rad_authenticate(request);
 
         if (request->reply->code == PW_AUTHENTICATION_REJECT) {
-                pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0);
+                pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, -1);
                 vp = radius_pairmake(request, &request->config_items,
                                      "Post-Auth-Type", "Reject",
                                      T_OP_SET);
diff --git a/src/main/dhcpd.c b/src/main/dhcpd.c
index 33134ba2f12..6c28fd2d98e 100644
--- a/src/main/dhcpd.c
+++ b/src/main/dhcpd.c
@@ -320,7 +320,7 @@ static int dhcp_process(REQUEST *request)
 		 *	server.  So we must be the destination of the
 		 *	giaddr field.
 		 */
-		pairdelete(&request->packet->vps, 266, DHCP_MAGIC_VENDOR);
+		pairdelete(&request->packet->vps, 266, DHCP_MAGIC_VENDOR, -1);
 
 		/*
 		 *	Search for client IP address.
diff --git a/src/main/listen.c b/src/main/listen.c
index 2624f424636..c0e1bcda897 100644
--- a/src/main/listen.c
+++ b/src/main/listen.c
@@ -1649,7 +1649,7 @@ static int rad_coa_recv(REQUEST *request)
 	 *	Copy State from the request to the reply.
 	 *	See RFC 5176 Section 3.3.
 	 */
-	vp = paircopy2(request->packet->vps, PW_STATE, 0);
+	vp = paircopy2(request->packet->vps, PW_STATE, 0, -1);
 	if (vp) pairadd(&request->reply->vps, vp);
 
 	/*
diff --git a/src/main/process.c b/src/main/process.c
index ebeb1a11ab7..2bbd05633ea 100644
--- a/src/main/process.c
+++ b/src/main/process.c
@@ -1097,7 +1097,7 @@ STATE_MACHINE_DECL(request_finish)
 	/*
 	 *	Copy Proxy-State from the request to the reply.
 	 */
-	vp = paircopy2(request->packet->vps, PW_PROXY_STATE, 0);
+	vp = paircopy2(request->packet->vps, PW_PROXY_STATE, 0, -1);
 	if (vp) pairadd(&request->reply->vps, vp);
 
 	/*
@@ -1106,7 +1106,7 @@ STATE_MACHINE_DECL(request_finish)
 	 *	Post-Auth-Type = Reject
 	 */
 	if (request->reply->code == PW_AUTHENTICATION_REJECT) {
-		pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0);
+		pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, -1);
 		vp = radius_pairmake(request, &request->config_items,
 				     "Post-Auth-Type", "Reject",
 				     T_OP_SET);
@@ -1809,7 +1809,7 @@ static int process_proxy_reply(REQUEST *request)
 		 *	the reply.  These include Proxy-State
 		 *	attributes from us and remote server.
 		 */
-		pairdelete(&request->proxy_reply->vps, PW_PROXY_STATE, 0);
+		pairdelete(&request->proxy_reply->vps, PW_PROXY_STATE, 0, -1);
 		
 		/*
 		 *	Add the attributes left in the proxy
@@ -1991,7 +1991,7 @@ static int setup_post_proxy_fail(REQUEST *request)
 	
 	if (!dval) {
 		DEBUG("No Post-Proxy-Type Fail: ignoring");
-		pairdelete(&request->config_items, PW_POST_PROXY_TYPE, 0);
+		pairdelete(&request->config_items, PW_POST_PROXY_TYPE, 0, -1);
 		request_cleanup_delay_init(request, NULL);
 		return 0;
 	}
diff --git a/src/main/tls.c b/src/main/tls.c
index 3ae54143d72..7873f5a1ae3 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -2468,13 +2468,13 @@ int tls_success(tls_session_t *ssn, REQUEST *request)
 
 		fr_bin2hex(ssn->ssl->session->session_id, buffer, size);
 
-		vp = paircopy2(request->reply->vps, PW_USER_NAME, 0);
+		vp = paircopy2(request->reply->vps, PW_USER_NAME, 0, -1);
 		if (vp) pairadd(&vps, vp);
 		
-		vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME, 0);
+		vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME, 0, -1);
 		if (vp) pairadd(&vps, vp);
 		
-		vp = paircopy2(request->reply->vps, PW_CACHED_SESSION_POLICY, 0);
+		vp = paircopy2(request->reply->vps, PW_CACHED_SESSION_POLICY, 0, -1);
 		if (vp) pairadd(&vps, vp);
 
 		certs = (VALUE_PAIR **)SSL_get_ex_data(ssn->ssl, FR_TLS_EX_INDEX_CERTS);
diff --git a/src/main/valuepair.c b/src/main/valuepair.c
index f21ea120129..f1b6f994db0 100644
--- a/src/main/valuepair.c
+++ b/src/main/valuepair.c
@@ -697,7 +697,8 @@ void pairxlatmove(REQUEST *req, VALUE_PAIR **to, VALUE_PAIR **from)
 				    	    (strcmp((char *)found->vp_strvalue,
 					    	    (char *)i->vp_strvalue) == 0)) {
 				  		pairdelete(to, found->attribute,
-				  			found->vendor);
+				  			found->vendor,
+				  			found->flags.tag);
 
 					/*
 					 *	'tailto' may have been
diff --git a/src/modules/rlm_dbm/rlm_dbm.c b/src/modules/rlm_dbm/rlm_dbm.c
index 5cc83831271..53c2a4d7413 100644
--- a/src/modules/rlm_dbm/rlm_dbm.c
+++ b/src/modules/rlm_dbm/rlm_dbm.c
@@ -240,7 +240,7 @@ static int sm_parse_user(DBM *pdb, const char * username, REQUEST *req,
 							}
 							join_attr = join_attr -> next;
    	 					}
-						pairdelete(&vp,SM_JOIN_ATTR, 0);
+						pairdelete(&vp,SM_JOIN_ATTR, 0, -1);
 						if ( parse_state != SMP_ERROR ) {
 							if ( ! isfallthrough(vp) ) {
 							  continue_search = 0;
diff --git a/src/modules/rlm_eap/eap.c b/src/modules/rlm_eap/eap.c
index d83fb2f3151..048e32634c0 100644
--- a/src/modules/rlm_eap/eap.c
+++ b/src/modules/rlm_eap/eap.c
@@ -826,8 +826,8 @@ void eap_fail(EAP_HANDLER *handler)
 	/*
 	 *	Delete any previous replies.
 	 */
-	pairdelete(&handler->request->reply->vps, PW_EAP_MESSAGE, 0);
-	pairdelete(&handler->request->reply->vps, PW_STATE, 0);
+	pairdelete(&handler->request->reply->vps, PW_EAP_MESSAGE, 0, -1);
+	pairdelete(&handler->request->reply->vps, PW_STATE, 0, -1);
 
 	eap_packet_free(&handler->eap_ds->request);
 	handler->eap_ds->request = eap_packet_alloc();
diff --git a/src/modules/rlm_eap/libeap/eapcommon.c b/src/modules/rlm_eap/libeap/eapcommon.c
index 47bdbd3794b..ac83b0c5938 100644
--- a/src/modules/rlm_eap/libeap/eapcommon.c
+++ b/src/modules/rlm_eap/libeap/eapcommon.c
@@ -261,7 +261,7 @@ int eap_basic_compose(RADIUS_PACKET *packet, EAP_PACKET *reply)
 	}
 	eap_packet = (eap_packet_t *)reply->packet;
 
-	pairdelete(&(packet->vps), PW_EAP_MESSAGE, 0);
+	pairdelete(&(packet->vps), PW_EAP_MESSAGE, 0, -1);
 
 	vp = eap_packet2vp(eap_packet);
 	if (!vp) return RLM_MODULE_INVALID;
diff --git a/src/modules/rlm_eap/radeapclient.c b/src/modules/rlm_eap/radeapclient.c
index 8406f179cfe..1faaac75e21 100644
--- a/src/modules/rlm_eap/radeapclient.c
+++ b/src/modules/rlm_eap/radeapclient.c
@@ -300,8 +300,8 @@ static void cleanresp(RADIUS_PACKET *resp)
 	 * maybe should just copy things we care about, or keep
 	 * a copy of the original input and start from there again?
 	 */
-	pairdelete(&resp->vps, PW_EAP_MESSAGE, 0);
-	pairdelete(&resp->vps, ATTRIBUTE_EAP_BASE+PW_EAP_IDENTITY, 0);
+	pairdelete(&resp->vps, PW_EAP_MESSAGE, 0, -1);
+	pairdelete(&resp->vps, ATTRIBUTE_EAP_BASE+PW_EAP_IDENTITY, 0, -1);
 
 	last = &resp->vps;
 	for(vp = *last; vp != NULL; vp = vpnext)
@@ -673,12 +673,12 @@ static int respond_eap_sim(RADIUS_PACKET *req,
 	VALUE_PAIR *vp, *statevp, *radstate, *eapid;
 	char statenamebuf[32], subtypenamebuf[32];
 
-	if ((radstate = paircopy2(req->vps, PW_STATE, 0)) == NULL)
+	if ((radstate = paircopy2(req->vps, PW_STATE, 0, -1)) == NULL)
 	{
 		return 0;
 	}
 
-	if ((eapid = paircopy2(req->vps, ATTRIBUTE_EAP_ID, 0)) == NULL)
+	if ((eapid = paircopy2(req->vps, ATTRIBUTE_EAP_ID, 0, -1)) == NULL)
 	{
 		return 0;
 	}
@@ -782,13 +782,13 @@ static int respond_eap_md5(RADIUS_PACKET *req,
 
 	cleanresp(rep);
 
-	if ((state = paircopy2(req->vps, PW_STATE, 0)) == NULL)
+	if ((state = paircopy2(req->vps, PW_STATE, 0, -1)) == NULL)
 	{
 		fprintf(stderr, "radeapclient: no state attribute found\n");
 		return 0;
 	}
 
-	if ((id = paircopy2(req->vps, ATTRIBUTE_EAP_ID, 0)) == NULL)
+	if ((id = paircopy2(req->vps, ATTRIBUTE_EAP_ID, 0, -1)) == NULL)
 	{
 		fprintf(stderr, "radeapclient: no EAP-ID attribute found\n");
 		return 0;
@@ -1309,7 +1309,7 @@ static void map_eap_types(RADIUS_PACKET *req)
 		 */
 
 		/* nuke any existing EAP-Messages */
-		pairdelete(&req->vps, PW_EAP_MESSAGE, 0);
+		pairdelete(&req->vps, PW_EAP_MESSAGE, 0, -1);
 
 		memset(&ep, 0, sizeof(ep));
 		ep.code = eapcode;
@@ -1493,7 +1493,7 @@ main(int argc, char *argv[])
 		}
 
 		/* find the EAP-Message, copy it to req2 */
-		vp = paircopy2(req->vps, PW_EAP_MESSAGE);
+		vp = paircopy2(req->vps, PW_EAP_MESSAGE, 0, -1);
 
 		if(vp == NULL) continue;
 
diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c
index 542202f7dc7..7ac922b8b36 100644
--- a/src/modules/rlm_eap/rlm_eap.c
+++ b/src/modules/rlm_eap/rlm_eap.c
@@ -390,7 +390,7 @@ static int eap_authenticate(void *instance, REQUEST *request)
 		 *	set to 127.0.0.1 for tunneled requests, and
 		 *	we don't want to tell the world that...
 		 */
-		pairdelete(&request->proxy->vps, PW_FREERADIUS_PROXIED_TO, VENDORPEC_FREERADIUS);
+		pairdelete(&request->proxy->vps, PW_FREERADIUS_PROXIED_TO, VENDORPEC_FREERADIUS, -1);
 
 		RDEBUG2("  Tunneled session will be proxied.  Not doing EAP.");
 		return RLM_MODULE_HANDLED;
diff --git a/src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c b/src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c
index fd6ec41c5b5..0d00c0501f7 100644
--- a/src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c
+++ b/src/modules/rlm_eap/types/rlm_eap_gtc/rlm_eap_gtc.c
@@ -226,7 +226,7 @@ static int gtc_authenticate(void *type_data, EAP_HANDLER *handler)
 		 *	If there was a User-Password in the request,
 		 *	why the heck are they using EAP-GTC?
 		 */
-		pairdelete(&handler->request->packet->vps, PW_USER_PASSWORD, 0);
+		pairdelete(&handler->request->packet->vps, PW_USER_PASSWORD, 0, -1);
 
 		vp = pairmake("User-Password", "", T_OP_EQ);
 		if (!vp) {
diff --git a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
index 8580d88e947..5ba8adf9b48 100644
--- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
+++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
@@ -683,7 +683,7 @@ packet_ready:
 		 *	the State attribute back, before passing
 		 *	the handler & request back into the tunnel.
 		 */
-		pairdelete(&handler->request->packet->vps, PW_STATE, 0);
+		pairdelete(&handler->request->packet->vps, PW_STATE, 0, -1);
 
 		/*
 		 *	Fix the User-Name when proxying, to strip off
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
index 52260516ce9..c4382b2a775 100644
--- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
@@ -448,18 +448,18 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
 			/*
 			 *	Clean up the tunneled reply.
 			 */
-			pairdelete(&reply->vps, PW_PROXY_STATE, 0);
-			pairdelete(&reply->vps, PW_EAP_MESSAGE, 0);
-			pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR, 0);
+			pairdelete(&reply->vps, PW_PROXY_STATE, 0, -1);
+			pairdelete(&reply->vps, PW_EAP_MESSAGE, 0, -1);
+			pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR, 0, -1);
 
 			/*
 			 *	Delete MPPE keys & encryption policy.  We don't
 			 *	want these here.
 			 */
-			pairdelete(&reply->vps, 7, VENDORPEC_MICROSOFT);
-			pairdelete(&reply->vps, 8, VENDORPEC_MICROSOFT);
-			pairdelete(&reply->vps, 16, VENDORPEC_MICROSOFT);
-			pairdelete(&reply->vps, 17, VENDORPEC_MICROSOFT);
+			pairdelete(&reply->vps, 7, VENDORPEC_MICROSOFT, -1);
+			pairdelete(&reply->vps, 8, VENDORPEC_MICROSOFT, -1);
+			pairdelete(&reply->vps, 16, VENDORPEC_MICROSOFT, -1);
+			pairdelete(&reply->vps, 17, VENDORPEC_MICROSOFT, -1);
 
 			t->accept_vps = reply->vps;
 			reply->vps = NULL;
@@ -505,8 +505,8 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
 			/*
 			 *	Clean up the tunneled reply.
 			 */
-			pairdelete(&reply->vps, PW_PROXY_STATE, 0);
-			pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR, 0);
+			pairdelete(&reply->vps, PW_PROXY_STATE, 0, -1);
+			pairdelete(&reply->vps, PW_MESSAGE_AUTHENTICATOR, 0, -1);
 
 			t->accept_vps = reply->vps;
 			reply->vps = NULL;
@@ -1114,7 +1114,7 @@ int eappeap_process(EAP_HANDLER *handler, tls_session_t *tls_session)
 				 *	of attributes.
 				 */
 				pairdelete(&fake->packet->vps,
-					   PW_EAP_MESSAGE, 0);
+					   PW_EAP_MESSAGE, 0, -1);
 			}
 
 			DEBUG2("  PEAP: Tunneled authentication will be proxied to %s", vp->vp_strvalue);
@@ -1309,7 +1309,7 @@ static int setup_fake_request(REQUEST *request, REQUEST *fake, peap_tunnel_t *t)
 			 *	Don't copy from the head, we've already
 			 *	checked it.
 			 */
-			copy = paircopy2(vp, vp->attribute, vp->vendor);
+			copy = paircopy2(vp, vp->attribute, vp->vendor, -1);
 			pairadd(&fake->packet->vps, copy);
 		}
 	}
diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
index 272e9985547..6c9bd13dc62 100644
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -698,10 +698,10 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
 			 *	Delete MPPE keys & encryption policy.  We don't
 			 *	want these here.
 			 */
-			pairdelete(&reply->vps, 7, VENDORPEC_MICROSOFT);
-			pairdelete(&reply->vps, 8, VENDORPEC_MICROSOFT);
-			pairdelete(&reply->vps, 16, VENDORPEC_MICROSOFT);
-			pairdelete(&reply->vps, 17, VENDORPEC_MICROSOFT);
+			pairdelete(&reply->vps, 7, VENDORPEC_MICROSOFT, -1);
+			pairdelete(&reply->vps, 8, VENDORPEC_MICROSOFT, -1);
+			pairdelete(&reply->vps, 16, VENDORPEC_MICROSOFT, -1);
+			pairdelete(&reply->vps, 17, VENDORPEC_MICROSOFT, -1);
 
 			/*
 			 *	Use the tunneled reply, but not now.
@@ -742,7 +742,7 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
 		 *	tunneled user!
 		 */
 		if (t->use_tunneled_reply) {
-			pairdelete(&reply->vps, PW_PROXY_STATE, 0);
+			pairdelete(&reply->vps, PW_PROXY_STATE, 0, -1);
 			pairadd(&request->reply->vps, reply->vps);
 			reply->vps = NULL;
 		}
@@ -1181,7 +1181,7 @@ int eapttls_process(EAP_HANDLER *handler, tls_session_t *tls_session)
 			 *	Don't copy from the head, we've already
 			 *	checked it.
 			 */
-			copy = paircopy2(vp, vp->attribute, vp->vendor);
+			copy = paircopy2(vp, vp->attribute, vp->vendor, -1);
 			pairadd(&fake->packet->vps, copy);
 		}
 	}
diff --git a/src/modules/rlm_eap2/rlm_eap2.c b/src/modules/rlm_eap2/rlm_eap2.c
index 671dd77d299..d784ef5a548 100644
--- a/src/modules/rlm_eap2/rlm_eap2.c
+++ b/src/modules/rlm_eap2/rlm_eap2.c
@@ -683,7 +683,7 @@ static int eap_req2vp(EAP_HANDLER *handler)
 		total -= size;
 	} while (total > 0);
 
-	pairdelete(&handler->request->reply->vps, PW_EAP_MESSAGE);
+	pairdelete(&handler->request->reply->vps, PW_EAP_MESSAGE, -1);
 	pairadd(&handler->request->reply->vps, head);
 
 	return encoded;
diff --git a/src/modules/rlm_fastusers/rlm_fastusers.c b/src/modules/rlm_fastusers/rlm_fastusers.c
index edfd57b0438..fc55db30cca 100644
--- a/src/modules/rlm_fastusers/rlm_fastusers.c
+++ b/src/modules/rlm_fastusers/rlm_fastusers.c
@@ -595,7 +595,7 @@ static int fastuser_authorize(void *instance, REQUEST *request)
 		pairfree(&reply_tmp);
 
 		if(!fallthrough(user->reply)) {
-			pairdelete(&request->reply->vps, PW_FALL_THROUGH, 0);
+			pairdelete(&request->reply->vps, PW_FALL_THROUGH, 0, -1);
 			return(rad_check_return(user->check));
 		} else {
 			user=user->next;
@@ -659,7 +659,7 @@ static int fastuser_authorize(void *instance, REQUEST *request)
 			pairfree(&reply_tmp);
 
 			if(!fallthrough(user->reply)) {
-				pairdelete(&request->reply->vps, PW_FALL_THROUGH, 0);
+				pairdelete(&request->reply->vps, PW_FALL_THROUGH, 0, -1);
 				return(rad_check_return(user->check));
 			}
 
@@ -675,7 +675,7 @@ static int fastuser_authorize(void *instance, REQUEST *request)
 	}
 
 	if(userfound || defaultfound) {
-		pairdelete(&request->reply->vps, PW_FALL_THROUGH, 0);
+		pairdelete(&request->reply->vps, PW_FALL_THROUGH, 0, -1);
 		return(rad_check_return(request->config_items));
 	} else {
 		DEBUG2("rlm_fastusers:  user not found");
diff --git a/src/modules/rlm_files/rlm_files.c b/src/modules/rlm_files/rlm_files.c
index b44b686fceb..9b4e75df8d9 100644
--- a/src/modules/rlm_files/rlm_files.c
+++ b/src/modules/rlm_files/rlm_files.c
@@ -494,7 +494,7 @@ static int file_common(struct file_instance *inst, REQUEST *request,
 	/*
 	 *	Remove server internal parameters.
 	 */
-	pairdelete(reply_pairs, PW_FALL_THROUGH, 0);
+	pairdelete(reply_pairs, PW_FALL_THROUGH, 0, -1);
 
 	/*
 	 *	See if we succeeded.
diff --git a/src/modules/rlm_ippool/rlm_ippool.c b/src/modules/rlm_ippool/rlm_ippool.c
index cedf923dbc9..51eb1408ccf 100644
--- a/src/modules/rlm_ippool/rlm_ippool.c
+++ b/src/modules/rlm_ippool/rlm_ippool.c
@@ -588,7 +588,7 @@ static int ippool_postauth(void *instance, REQUEST *request)
 		if (data->override)
 		{
 			RDEBUG("Override supplied IP address");
-			pairdelete(&request->reply->vps, attr_ipaddr, vendor_ipaddr);
+			pairdelete(&request->reply->vps, attr_ipaddr, vendor_ipaddr, -1);
 		} else {
 			/* Abort */
 			RDEBUG("override is set to no. Return NOOP.");
@@ -755,7 +755,7 @@ static int ippool_postauth(void *instance, REQUEST *request)
 		                vp = radius_paircreate(request, &request->reply->vps,
 						       PW_DHCP_IP_ADDRESS_LEASE_TIME, DHCP_MAGIC_VENDOR, PW_TYPE_INTEGER);
 				vp->vp_integer = entry.timeout;
-				pairdelete(&request->reply->vps, PW_SESSION_TIMEOUT, 0);
+				pairdelete(&request->reply->vps, PW_SESSION_TIMEOUT, 0, -1);
                         }
 #endif
 		} else {
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index 82a03c7d70b..c9402a5dd4f 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -2841,7 +2841,7 @@ static VALUE_PAIR *ldap_pairget(LDAP *ld, LDAPMessage *entry,
 				 *	Add the pair into the packet.
 				 */
 				if (!vals_idx){
-				  pairdelete(pairs, newpair->attribute, newpair->vendor);
+					pairdelete(pairs, newpair->attribute, newpair->vendor, newpair->flags.tag);
 				}
 				pairadd(&pairlist, newpair);
 			}
diff --git a/src/modules/rlm_perl/rlm_perl.c b/src/modules/rlm_perl/rlm_perl.c
index 6de22053b96..aec3f465280 100644
--- a/src/modules/rlm_perl/rlm_perl.c
+++ b/src/modules/rlm_perl/rlm_perl.c
@@ -562,7 +562,7 @@ static void perl_store_vps(VALUE_PAIR *vp, HV *rad_hv)
 		name = nvp->name;
 		attr = nvp->attribute;
 		vendor = nvp->vendor;
-		vpa = paircopy2(nvp, attr, vendor);
+		vpa = paircopy2(nvp, attr, vendor, -1);
 
 		if (vpa->next) {
 			av = newAV();
@@ -592,7 +592,7 @@ static void perl_store_vps(VALUE_PAIR *vp, HV *rad_hv)
 		pairfree(&vpa);
 		vpa = nvp; while ((vpa != NULL) && (vpa->attribute == attr) && (vpa->vendor == vendor))
 			vpa = vpa->next;
-		pairdelete(&nvp, attr, vendor);
+		pairdelete(&nvp, attr, vendor, -1);
 		nvp = vpa;
 	}
 }
diff --git a/src/modules/rlm_preprocess/rlm_preprocess.c b/src/modules/rlm_preprocess/rlm_preprocess.c
index 584fa8c41b8..50da773b115 100644
--- a/src/modules/rlm_preprocess/rlm_preprocess.c
+++ b/src/modules/rlm_preprocess/rlm_preprocess.c
@@ -422,8 +422,8 @@ static int hints_setup(PAIR_LIST *hints, REQUEST *request)
 			 */
 			add = paircopy(i->reply);
 			ft = fallthrough(add);
-			pairdelete(&add, PW_STRIP_USER_NAME, 0);
-			pairdelete(&add, PW_FALL_THROUGH, 0);
+			pairdelete(&add, PW_STRIP_USER_NAME, 0, -1);
+			pairdelete(&add, PW_FALL_THROUGH, 0, -1);
 			pairxlatmove(request, &request->packet->vps, &add);
 			pairfree(&add);
 			updated = 1;
diff --git a/src/modules/rlm_smsotp/rlm_smsotp.c b/src/modules/rlm_smsotp/rlm_smsotp.c
index eb440f47213..9b9132047c8 100644
--- a/src/modules/rlm_smsotp/rlm_smsotp.c
+++ b/src/modules/rlm_smsotp/rlm_smsotp.c
@@ -220,7 +220,7 @@ static int smsotp_authorize(void *instance, REQUEST *request)
 	if (state != NULL) {
 		DEBUG("rlm_smsotp: Found reply to access challenge (AUTZ), Adding Auth-Type '%s'",opt->smsotp_authtype);
 		
-		pairdelete(&request->config_items, PW_AUTH_TYPE, 0); /* delete old auth-type */
+		pairdelete(&request->config_items, PW_AUTH_TYPE, 0, -1); /* delete old auth-type */
 		pairadd(&request->config_items, pairmake("Auth-Type", opt->smsotp_authtype, T_OP_SET));
 	}
 
diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c
index b927d6052b0..cf711f22401 100644
--- a/src/modules/rlm_sql/rlm_sql.c
+++ b/src/modules/rlm_sql/rlm_sql.c
@@ -465,7 +465,7 @@ int sql_set_user(SQL_INST *inst, REQUEST *request, char *sqlusername, const char
 	sqlusername[0]= '\0';
 
 	/* Remove any user attr we added previously */
-	pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
+	pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0, -1);
 
 	if (username != NULL) {
 		strlcpy(tmpuser, username, sizeof(tmpuser));
@@ -596,7 +596,7 @@ static int sql_groupcmp(void *instance, REQUEST *request, VALUE_PAIR *request_vp
 	sqlsocket = sql_get_socket(inst);
 	if (sqlsocket == NULL) {
 		/* Remove the username we (maybe) added above */
-		pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
+		pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0, -1);
 		return 1;
 	}
 
@@ -607,7 +607,7 @@ static int sql_groupcmp(void *instance, REQUEST *request, VALUE_PAIR *request_vp
 		radlog_request(L_ERR, 0, request,
 			       "Error getting group membership");
 		/* Remove the username we (maybe) added above */
-		pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
+		pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0, -1);
 		sql_release_socket(inst, sqlsocket);
 		return 1;
 	}
@@ -619,7 +619,7 @@ static int sql_groupcmp(void *instance, REQUEST *request, VALUE_PAIR *request_vp
 			/* Free the grouplist */
 			sql_grouplist_free(&group_list);
 			/* Remove the username we (maybe) added above */
-			pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
+			pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0, -1);
 			sql_release_socket(inst, sqlsocket);
 			return 0;
 		}
@@ -628,7 +628,7 @@ static int sql_groupcmp(void *instance, REQUEST *request, VALUE_PAIR *request_vp
 	/* Free the grouplist */
 	sql_grouplist_free(&group_list);
 	/* Remove the username we (maybe) added above */
-	pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
+	pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0, -1);
 	sql_release_socket(inst,sqlsocket);
 
 	RDEBUG("sql_groupcmp finished: User is NOT a member of group %s",
@@ -674,7 +674,7 @@ static int rlm_sql_process_groups(SQL_INST *inst, REQUEST *request, SQLSOCK *sql
 			radlog_request(L_ERR, 0, request,
 				       "Error generating query; rejecting user");
 			/* Remove the grouup we added above */
-			pairdelete(&request->packet->vps, PW_SQL_GROUP, 0);
+			pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, -1);
 			sql_grouplist_free(&group_list);
 			return -1;
 		}
@@ -683,7 +683,7 @@ static int rlm_sql_process_groups(SQL_INST *inst, REQUEST *request, SQLSOCK *sql
 			radlog_request(L_ERR, 0, request, "Error retrieving check pairs for group %s",
 			       group_list_tmp->groupname);
 			/* Remove the grouup we added above */
-			pairdelete(&request->packet->vps, PW_SQL_GROUP, 0);
+			pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, -1);
 			pairfree(&check_tmp);
 			sql_grouplist_free(&group_list);
 			return -1;
@@ -701,7 +701,7 @@ static int rlm_sql_process_groups(SQL_INST *inst, REQUEST *request, SQLSOCK *sql
 				if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_reply_query, request, sql_escape_func, inst)) {
 					radlog_request(L_ERR, 0, request, "Error generating query; rejecting user");
 					/* Remove the grouup we added above */
-					pairdelete(&request->packet->vps, PW_SQL_GROUP, 0);
+					pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, -1);
 					pairfree(&check_tmp);
 					sql_grouplist_free(&group_list);
 					return -1;
@@ -710,7 +710,7 @@ static int rlm_sql_process_groups(SQL_INST *inst, REQUEST *request, SQLSOCK *sql
 					radlog_request(L_ERR, 0, request, "Error retrieving reply pairs for group %s",
 					       group_list_tmp->groupname);
 					/* Remove the grouup we added above */
-					pairdelete(&request->packet->vps, PW_SQL_GROUP, 0);
+					pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, -1);
 					pairfree(&check_tmp);
 					pairfree(&reply_tmp);
 					sql_grouplist_free(&group_list);
@@ -736,7 +736,7 @@ static int rlm_sql_process_groups(SQL_INST *inst, REQUEST *request, SQLSOCK *sql
 			if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_reply_query, request, sql_escape_func, inst)) {
 				radlog_request(L_ERR, 0, request, "Error generating query; rejecting user");
 				/* Remove the grouup we added above */
-				pairdelete(&request->packet->vps, PW_SQL_GROUP, 0);
+				pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, -1);
 				pairfree(&check_tmp);
 				sql_grouplist_free(&group_list);
 				return -1;
@@ -745,7 +745,7 @@ static int rlm_sql_process_groups(SQL_INST *inst, REQUEST *request, SQLSOCK *sql
 				radlog_request(L_ERR, 0, request, "Error retrieving reply pairs for group %s",
 				       group_list_tmp->groupname);
 				/* Remove the grouup we added above */
-				pairdelete(&request->packet->vps, PW_SQL_GROUP, 0);
+				pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, -1);
 				pairfree(&check_tmp);
 				pairfree(&reply_tmp);
 				sql_grouplist_free(&group_list);
@@ -760,7 +760,7 @@ static int rlm_sql_process_groups(SQL_INST *inst, REQUEST *request, SQLSOCK *sql
 		 * Delete the Sql-Group we added above
 		 * And clear out the pairlists
 		 */
-		pairdelete(&request->packet->vps, PW_SQL_GROUP, 0);
+		pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, -1);
 		pairfree(&check_tmp);
 		pairfree(&reply_tmp);
 	}
@@ -1185,7 +1185,7 @@ static int rlm_sql_authorize(void *instance, REQUEST * request)
 	sql_release_socket(inst, sqlsocket);
 
 	/* Remove the username we (maybe) added above */
-	pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
+	pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0, -1);
 		
 	pairfree(&check_tmp);
 	pairfree(&reply_tmp);
@@ -1329,7 +1329,7 @@ static int rlm_sql_redundant(SQL_INST *inst, REQUEST *request,
 	release:
 		
 	/* Remove the username we (maybe) added above */
-	pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
+	pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0, -1);
 	
 	sql_release_socket(inst, sqlsocket);
 
diff --git a/src/modules/rlm_sql_log/rlm_sql_log.c b/src/modules/rlm_sql_log/rlm_sql_log.c
index 12ca7ad827c..0adcaec750e 100644
--- a/src/modules/rlm_sql_log/rlm_sql_log.c
+++ b/src/modules/rlm_sql_log/rlm_sql_log.c
@@ -276,7 +276,7 @@ static int sql_set_user(rlm_sql_log_t *inst, REQUEST *request, char *sqlusername
 	rad_assert(request->packet != NULL);
 
 	/* Remove any user attr we added previously */
-	pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
+	pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0, -1);
 
 	if (username != NULL) {
 		strlcpy(tmpuser, username, MAX_STRING_LEN);
diff --git a/src/modules/rlm_wimax/rlm_wimax.c b/src/modules/rlm_wimax/rlm_wimax.c
index 6e7e1b96fe1..0d7ad4d1693 100644
--- a/src/modules/rlm_wimax/rlm_wimax.c
+++ b/src/modules/rlm_wimax/rlm_wimax.c
@@ -190,8 +190,8 @@ static int wimax_postauth(void *instance, REQUEST *request)
 	 *	the WiMAX-MSK so that the client has a key available.
 	 */
 	if (inst->delete_mppe_keys) {
-		pairdelete(&request->reply->vps, 16, VENDORPEC_MICROSOFT);
-		pairdelete(&request->reply->vps, 17, VENDORPEC_MICROSOFT);
+		pairdelete(&request->reply->vps, 16, VENDORPEC_MICROSOFT, -1);
+		pairdelete(&request->reply->vps, 17, VENDORPEC_MICROSOFT, -1);
 
 		vp = radius_pairmake(request, &request->reply->vps, "WiMAX-MSK", "0x00", T_OP_EQ);
 		if (vp) {