From: Arran Cudbard-Bell Date: Thu, 21 Sep 2023 20:31:37 +0000 (-0400) Subject: xlat: Switch base64 functions to final form X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b80abd7bf0d0fd861c49151c8cddac29b761806;p=thirdparty%2Ffreeradius-server.git xlat: Switch base64 functions to final form --- diff --git a/doc/antora/modules/raddb/pages/mods-available/cipher.adoc b/doc/antora/modules/raddb/pages/mods-available/cipher.adoc index b636dc3af87..f4208615904 100644 --- a/doc/antora/modules/raddb/pages/mods-available/cipher.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/cipher.adoc @@ -23,13 +23,13 @@ Registers the following expansions: |=== NOTE: `` and `` are ingested and excreted to in their raw form. -You should use armouring expansions i.e. `%{base64_encode:}`, `%{base64_decode:}` if the values +You should use armouring expansions i.e. `%(base64.encode:)`, `%(base64.decode:)` if the values are to be passed outside of FreeRADIUS. e.g: - %{base64_encode:%{cipher_encrypt:}} - %{cipher_decrypt:%{base64_decode:<ciphertext>}} + %(base64.encode:%(cipher_encrypt:<plaintext>)) + %{cipher_decrypt:%(base64.decode:<ciphertext>)} NOTE: The supported versions are determined _entirely_ by the version of OpenSSL used, we pass the name of the digest off to OpenSSL and it tells _us_ whether it's valid/supported diff --git a/doc/antora/modules/reference/pages/xlat/builtin.adoc b/doc/antora/modules/reference/pages/xlat/builtin.adoc index ab1b2c39e4b..1c189b3be02 100644 --- a/doc/antora/modules/reference/pages/xlat/builtin.adoc +++ b/doc/antora/modules/reference/pages/xlat/builtin.adoc @@ -601,7 +601,7 @@ toupper of caipirinha is CAIPIRINHA == String Conversion -=== %{base64: ... } +=== %(base64.encode: ... ) Encode a string using Base64. 
@@ -615,7 +615,7 @@ update control { &Tmp-String-0 := "Caipirinha" } update reply { - &Reply-Message := "The base64 of %{control.Tmp-String-0} is %{base64:%{control.Tmp-String-0}}" + &Reply-Message := "The base64 of %{control.Tmp-String-0} is %(base64.encode:%{control.Tmp-String-0})" } ---- @@ -625,7 +625,7 @@ update reply { The base64 of foo is Q2FpcGlyaW5oYQ== ``` -=== %{base64decode: ... } +=== %(base64.decode: ... ) Decode a string previously encoded using Base64. @@ -639,14 +639,14 @@ update control { &Tmp-String-0 := "Q2FpcGlyaW5oYQ==" } update reply { - &Reply-Message := "The base64decode of %{control.Tmp-String-0} is %{base64decode:%{control.Tmp-String-0}}" + &Reply-Message := "The base64.decode of %{control.Tmp-String-0} is %(base64.decode:%{control.Tmp-String-0})" } ---- .Output ``` -The base64decode of Q2FpcGlyaW5oYQ== is Caipirinha +The base64.decode of Q2FpcGlyaW5oYQ== is Caipirinha ``` === %{bin: ... } diff --git a/man/man5/unlang.5 b/man/man5/unlang.5 index c0d9fed1bac..7e6edaa62b0 100644 --- a/man/man5/unlang.5 +++ b/man/man5/unlang.5 @@ -881,10 +881,10 @@ with a separator e.g. "%(concat:%(pairs:request.[*]) ', ')" == "User-Name = 'foo', User-Password = 'bar', ..." -.IP %{base64:<string>} +.IP %(base64.encoded:<string>) Encode string as base64. -e.g. "%{base64:foo}" == "Zm9v" +e.g. "%(base64.encode:foo)" == "Zm9v" .IP %(explode:&<value_ref>\ <delim>) Split an attribute into multiple new attributes based on a delimiter diff --git a/raddb/mods-available/cipher b/raddb/mods-available/cipher index c2d4b1dafa5..2408216dea6 100644 --- a/raddb/mods-available/cipher +++ b/raddb/mods-available/cipher 
@@ -26,13 +26,13 @@ # |=== # # NOTE: `<ciphertext>` and `<signature>` are ingested and excreted to in their raw form. -# You should use armouring expansions i.e. `%{base64_encode:}`, `%{base64_decode:}` if the values +# You should use armouring expansions i.e. `%(base64.encode:)`, `%(base64.decode:)` if the values # are to be passed outside of FreeRADIUS. # # e.g: # -# %{base64_encode:%{cipher_encrypt:<plaintext>}} -# %{cipher_decrypt:%{base64_decode:<ciphertext>}} +# %(base64.encode:%{cipher_encrypt:<plaintext>}) +# %{cipher_decrypt:%(base64.decode:<ciphertext>}) # # NOTE: The supported versions are determined _entirely_ by the version of OpenSSL used, we # pass the name of the digest off to OpenSSL and it tells _us_ whether it's valid/supported diff --git a/src/lib/unlang/xlat_builtin.c b/src/lib/unlang/xlat_builtin.c index 109a5bf914d..d1d0a214569 100644 --- a/src/lib/unlang/xlat_builtin.c +++ b/src/lib/unlang/xlat_builtin.c @@ -1178,7 +1178,7 @@ static xlat_arg_parser_t const xlat_func_base64_encode_arg[] = { * * Example: @verbatim -"%{base64:foo}" == "Zm9v" +"%(base64.encode:foo)" == "Zm9v" @endverbatim * * @ingroup xlat_functions @@ -1227,7 +1227,7 @@ static xlat_arg_parser_t const xlat_func_base64_decode_arg[] = { * * Example: @verbatim -"%{base64decode:Zm9v}" == "foo" +"%(base64.decode:Zm9v)" == "foo" @endverbatim * * @ingroup xlat_functions 
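Review bot: The second example in the updated comment block has mismatched delimiters: `%{cipher_decrypt:%(base64.decode:<ciphertext>})` closes the outer `%{` before the inner `%(`, so an operator who copies it is unlikely to get an expansion that parses. It should read `%{cipher_decrypt:%(base64.decode:<ciphertext>)}`, which is what the cipher.adoc hunk of this commit already has. The two copies also disagree on the encrypt line (`%(cipher_encrypt:` in the .adoc, `%{cipher_encrypt:` here). Separately, the unlang.5 hunk names the function `base64.encoded` in its `.IP` heading while its own example uses `base64.encode`. All three places should match the names registered in xlat_builtin.c.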
@@ -3298,6 +3298,8 @@ do { \ XLAT_REGISTER_ARGS("subst", xlat_func_subst, FR_TYPE_STRING, xlat_func_subst_args); XLAT_REGISTER_ARGS("time", xlat_func_time, FR_TYPE_VOID, xlat_func_time_args); XLAT_REGISTER_ARGS("trigger", trigger_xlat, FR_TYPE_STRING, trigger_xlat_args); + XLAT_REGISTER_ARGS("base64.encode", xlat_func_base64_encode, FR_TYPE_STRING, xlat_func_base64_encode_arg); + XLAT_REGISTER_ARGS("base64.decode", xlat_func_base64_decode, FR_TYPE_OCTETS, xlat_func_base64_decode_arg); if (unlikely((xlat = xlat_func_register(ctx, "untaint", xlat_func_untaint, FR_TYPE_VOID)) == NULL)) return -1; xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_INTERNAL); @@ -3315,8 +3317,7 @@ do { \ xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE | XLAT_FUNC_FLAG_INTERNAL); \ } while (0) - XLAT_REGISTER_MONO("base64", xlat_func_base64_encode, FR_TYPE_STRING, xlat_func_base64_encode_arg); - XLAT_REGISTER_MONO("base64decode", xlat_func_base64_decode, FR_TYPE_OCTETS, xlat_func_base64_decode_arg); + XLAT_REGISTER_MONO("bin", xlat_func_bin, FR_TYPE_OCTETS, xlat_func_bin_arg); XLAT_REGISTER_MONO("hex", xlat_func_hex, FR_TYPE_STRING, xlat_func_hex_arg); XLAT_REGISTER_MONO("map", xlat_func_map, FR_TYPE_INT8, xlat_func_map_arg); diff --git a/src/lib/util/base_16_32_64_tests.c b/src/lib/util/base_16_32_64_tests.c index 6d072a16ae5..bfcfe931d23 100644 --- a/src/lib/util/base_16_32_64_tests.c +++ b/src/lib/util/base_16_32_64_tests.c @@ -252,7 +252,7 @@ TEST_LIST = { { "base32_hex_encode", test_base32_hex_encode }, { "base32_hex_decode", test_base32_hex_decode }, - { "base64_encode", test_base64_encode }, - { "base64_decode", test_base64_decode }, + { "base64.encode", test_base64_encode }, + { "base64.decode", test_base64_decode }, { NULL } }; diff --git a/src/modules/rlm_cipher/rlm_cipher.c b/src/modules/rlm_cipher/rlm_cipher.c index f003bd241fa..6db7e87d1fd 100644 --- a/src/modules/rlm_cipher/rlm_cipher.c +++ b/src/modules/rlm_cipher/rlm_cipher.c 
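Review bot: It is not visible here whether `base64.encode` and `base64.decode` keep the pure flag after moving to `XLAT_REGISTER_ARGS`. The tail of the macro shown in the second hunk sets `XLAT_FUNC_FLAG_PURE | XLAT_FUNC_FLAG_INTERNAL`, but the `XLAT_REGISTER_ARGS` definition lies outside both hunks. If that macro does not set the flag, add `xlat_func_flags_set(xlat, XLAT_FUNC_FLAG_PURE | XLAT_FUNC_FLAG_INTERNAL);` after each of the two new registrations, or add a comment saying why purity is dropped. The old names `base64` and `base64decode` are also removed without an alias, so configurations that still use them will presumably fail to parse; an upgrade note would help operators.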
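Review bot: The `TEST_LIST` strings are unit-test names, not expansion names, and renaming them to `base64.encode` / `base64.decode` makes them inconsistent with the neighbouring `base32_hex_encode` / `base32_hex_decode` entries and with the `test_base64_encode` / `test_base64_decode` functions they point to. This looks like a side effect of a global search-and-replace. I would keep `{ "base64_encode", test_base64_encode },` and `{ "base64_decode", test_base64_decode },`. Anything that selects these tests by name would otherwise need updating as well.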
@@ -809,7 +809,7 @@ static xlat_action_t cipher_rsa_verify_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, */ if (in_head->type != FR_TYPE_OCTETS) { REDEBUG("Signature argument wrong type, expected %s, got %s. " - "Use %%{base64_decode:<text>} or %%{hex_decode:<text>} if signature is armoured", + "Use %%(base64.decode:<text>) or %%{hex_decode:<text>} if signature is armoured", fr_type_to_str(FR_TYPE_OCTETS), fr_type_to_str(in_head->type)); return XLAT_ACTION_FAIL; diff --git a/src/tests/keywords/base64 b/src/tests/keywords/base64 index c3346c34009..d284c01cd0f 100644 --- a/src/tests/keywords/base64 +++ b/src/tests/keywords/base64 @@ -19,14 +19,14 @@ ok &request <= { - &Tmp-String-0 = "%{base64:%{Tmp-String-0}}" - &Tmp-String-1 = "%{base64:%{Tmp-Octets-0}}" - &Tmp-String-2 = "%{base64:%{Tmp-IP-Address-0}}" - &Tmp-String-4 = "%{base64:%{Tmp-Integer-0}}" - &Tmp-String-6 = "%{base64:%{Tmp-Cast-Ifid}}" - &Tmp-String-7 = "%{base64:%{Tmp-Cast-IPv6Addr}}" - &Tmp-String-8 = "%{base64:%{Tmp-Cast-IPv6Prefix}}" - &Tmp-String-9 = "%{base64:%{Tmp-Cast-Byte}}" + &Tmp-String-0 = "%(base64.encode:%{Tmp-String-0})" + &Tmp-String-1 = "%(base64.encode:%{Tmp-Octets-0})" + &Tmp-String-2 = "%(base64.encode:%{Tmp-IP-Address-0})" + &Tmp-String-4 = "%(base64.encode:%{Tmp-Integer-0})" + &Tmp-String-6 = "%(base64.encode:%{Tmp-Cast-Ifid})" + &Tmp-String-7 = "%(base64.encode:%{Tmp-Cast-IPv6Addr})" + &Tmp-String-8 = "%(base64.encode:%{Tmp-Cast-IPv6Prefix})" + &Tmp-String-9 = "%(base64.encode:%{Tmp-Cast-Byte})" } # String - bin 0x39383730 
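Review bot: The updated hint in `cipher_rsa_verify_xlat` still points operators at `%%{hex_decode:<text>}`, but no expansion of that name appears in the xlat_builtin.c hunks of this commit. Those hunks register `bin` and `hex`, and the pap tests use `%{bin:...}` to turn hex into octets. If `hex_decode` is not registered elsewhere, an operator following this message after a rejected signature argument will hit a second error. In that case the line should read `"Use %%(base64.decode:<text>) or %%{bin:<text>} if signature is armoured",`. The function body starts and ends outside this hunk.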
@@ -70,10 +70,10 @@ if (!(&Tmp-String-9[0] == 'Og==')) { } &request <= { - &Tmp-String-0 = "%{base64:%{Tmp-Cast-Short}}" - &Tmp-String-1 = "%{base64:%{Tmp-Cast-Ether}}" - &Tmp-String-2 = "%{base64:%{Tmp-Cast-Integer64}}" - &Tmp-String-3 = "%{base64:%{Tmp-Cast-IPv4Prefix}}" + &Tmp-String-0 = "%(base64.encode:%{Tmp-Cast-Short})" + &Tmp-String-1 = "%(base64.encode:%{Tmp-Cast-Ether})" + &Tmp-String-2 = "%(base64.encode:%{Tmp-Cast-Integer64})" + &Tmp-String-3 = "%(base64.encode:%{Tmp-Cast-IPv4Prefix})" } # short - bin 0x373b @@ -97,8 +97,8 @@ if (!(&Tmp-String-3[0] == 'IDk4Nz4=')) { } &request <= { - &Tmp-Octets-0 = "%{base64decode:Zm9v}" - &Tmp-Octets-1 = "%{base64decode:AIAAAAAAAAAAAAAAAAA5ODc5}" + &Tmp-Octets-0 = "%(base64.decode:Zm9v)" + &Tmp-Octets-1 = "%(base64.decode:AIAAAAAAAAAAAAAAAAA5ODc5)" } if (!(&Tmp-Octets-0 == "foo")) { @@ -112,14 +112,14 @@ if (!(&Tmp-Octets-1 == 0x008000000000000000000000000039383739)) { # Regression tests &request -= &Tmp-Octets-0[*] -&Tmp-Octets-0 := %{base64decode:5RNqNl8iYLbkCc7JhR8as4TtDDCX6otuuWtcja8rITUyx9zrnHSe9tTHGmKK} +&Tmp-Octets-0 := %(base64.decode:5RNqNl8iYLbkCc7JhR8as4TtDDCX6otuuWtcja8rITUyx9zrnHSe9tTHGmKK) if (!(&Tmp-Octets-0 == 0xe5136a365f2260b6e409cec9851f1ab384ed0c3097ea8b6eb96b5c8daf2b213532c7dceb9c749ef6d4c71a628a)) { test_fail } &request -= &Tmp-Octets-0[*] -&Tmp-Octets-0 = "%{base64decode:eHfXPKZ+2iv9cnMV1MOmE/moYYA1Uk5xTmw4aVlMYmtDYzdKaFI4YXM0VHRERENYNm90dXVXdGNqYThySVRVeXg5enJuSFNlOXRUSEdtS0s=}" +&Tmp-Octets-0 = "%(base64.decode:eHfXPKZ+2iv9cnMV1MOmE/moYYA1Uk5xTmw4aVlMYmtDYzdKaFI4YXM0VHRERENYNm90dXVXdGNqYThySVRVeXg5enJuSFNlOXRUSEdtS0s=)" if (!(&Tmp-Octets-0 == 0x7877d73ca67eda2bfd727315d4c3a613f9a8618035524e714e6c3869594c626b4363374a685238617334547444444358366f7475755774636a6138724954557978397a726e48536539745448476d4b4b)) { test_fail diff --git a/src/tests/keywords/pap b/src/tests/keywords/pap index 71946c4597d..ed6d1473145 100644 --- a/src/tests/keywords/pap +++ b/src/tests/keywords/pap 
@@ -24,7 +24,7 @@ if (reject) { # &Tmp-String-1 := "{clear}%{User-Password}" &control := { - &Password.With-Header = "%{base64:%{Tmp-String-1}}" + &Password.With-Header = "%(base64.encode:%{Tmp-String-1})" } pap.authorize @@ -61,7 +61,7 @@ if (reject) { &control.Tmp-Octets-0 := "%{bin:%{control.Tmp-String-1}}" # To Base64 -&control.Tmp-String-1 := "%{base64:%{control.Tmp-Octets-0}}" +&control.Tmp-String-1 := "%(base64.encode:%{control.Tmp-Octets-0})" &control.Password.With-Header := "{ssha}%{control.Tmp-String-1}" pap.authorize @@ -83,8 +83,8 @@ if (reject) { &control.Tmp-Octets-0 := "%{bin:%{control.Tmp-String-1}}" # To Base64 -&control.Tmp-String-1 := "{ssha}%{base64:%{control.Tmp-Octets-0}}" -&control.Password.With-Header := "%{base64:%{control.Tmp-String-1}}" +&control.Tmp-String-1 := "{ssha}%(base64.encode:%{control.Tmp-Octets-0})" +&control.Password.With-Header := "%(base64.encode:%{control.Tmp-String-1})" pap.authorize pap.authenticate { diff --git a/src/tests/keywords/pap-ssha2 b/src/tests/keywords/pap-ssha2 index 104c2b909c9..9dd85ca050e 100644 --- a/src/tests/keywords/pap-ssha2 +++ b/src/tests/keywords/pap-ssha2 @@ -43,7 +43,7 @@ if (reject) { &control.Tmp-Octets-0 := "%{bin:%{control.Tmp-String-1}}" # To Base64 -&control.Tmp-String-1 := "%{base64:%{control.Tmp-Octets-0}}" +&control.Tmp-String-1 := "%(base64.encode:%{control.Tmp-Octets-0})" &control += { &Password.With-Header = "{ssha512}%{control.Tmp-String-1}" @@ -68,10 +68,10 @@ if (reject) { &control.Tmp-Octets-0 := "%{bin:%{control.Tmp-String-1}}" # To Base64 -&control.Tmp-String-1 := "{ssha512}%{base64:%{control.Tmp-Octets-0}}" +&control.Tmp-String-1 := "{ssha512}%(base64.encode:%{control.Tmp-Octets-0})" &control += { - &Password.With-Header = "%{base64:%{control.Tmp-String-1}}" + &Password.With-Header = "%(base64.encode:%{control.Tmp-String-1})" } pap.authorize diff --git a/src/tests/modules/ldap/xlat_profile.unlang b/src/tests/modules/ldap/xlat_profile.unlang index a79cadee341..58486e2ddc5 100644 
--- a/src/tests/modules/ldap/xlat_profile.unlang +++ b/src/tests/modules/ldap/xlat_profile.unlang @@ -10,8 +10,6 @@ if (!((&reply.Framed-IP-Netmask == 255.255.0.0) && \ test_fail } -if (!%(ldap.profile:cn=suspended,ou=profiles,dc=example,dc=com)) { +if (!%(ldap.profile:%{taint:cn=suspended,ou=profiles,dc=example,dc=com})) { test_fail } - -test_pass
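Review bot: Nothing in the commit message explains why the profile DN is now wrapped in `%{taint:...}` or why the trailing `test_pass` is dropped, and neither change is part of the base64 rename. If the intent is to check that `ldap.profile` handles a DN marked as untrusted, say so above the condition, e.g. `# DN is tainted on purpose: ldap.profile must escape untrusted input and still find the profile`. It is also worth confirming that the test framework reports success without an explicit `test_pass`, since that is not visible in this hunk. Ideally this would be its own commit so the security-relevant test change is easy to find in history.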