From: Alan T. DeKok Date: Fri, 21 Jul 2023 17:36:26 +0000 (-0400) Subject: add secret flag to dictionaries and value-boxes X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5acaafadf9a1eb5705063ece3d2bd844970f030;p=thirdparty%2Ffreeradius-server.git add secret flag to dictionaries and value-boxes parse the "secret" flag in dictionaries. RADIUS sets the "secret" flag for encrypted attributes
---
diff --git a/src/lib/util/dict.h b/src/lib/util/dict.h
index 075895a8bbe..11071bb7344 100644
--- a/src/lib/util/dict.h
+++ b/src/lib/util/dict.h
@@ -97,6 +97,8 @@ typedef struct {
 unsigned int name_only : 1; //!< this attribute should always be referred to by name, not by number
+ unsigned int secret : 1; //!< this attribute should be omitted in debug mode
+
 /*
 * @todo - if we want to clean these fields up, make
 * "subtype" and "type_size" both 4-bit bitfields. That
diff --git a/src/lib/util/dict_tokenize.c b/src/lib/util/dict_tokenize.c
index fddcac55ce6..00f1e074761 100644
--- a/src/lib/util/dict_tokenize.c
+++ b/src/lib/util/dict_tokenize.c
@@ -384,6 +384,9 @@ static int dict_process_flag_field(dict_tokenize_ctx_t *ctx, char *name, fr_type
 } else if (strcmp(key, "virtual") == 0) {
 flags->virtual = 1;
+ } else if (strcmp(key, "secret") == 0) {
+ flags->secret = 1;
+
 } else if (strcmp(key, "offset") == 0) {
 int offset;
diff --git a/src/lib/util/value.c b/src/lib/util/value.c
index 12f683b26ee..ba53c00c214 100644
--- a/src/lib/util/value.c
+++ b/src/lib/util/value.c
@@ -601,6 +601,7 @@ static inline void fr_value_box_copy_meta(fr_value_box_t *dst, fr_value_box_t co
 dst->enumv = src->enumv;
 dst->type = src->type;
 dst->tainted = src->tainted;
+ dst->secret = src->secret;
 dst->safe = src->safe;
 fr_value_box_list_entry_init(dst);
 }
diff --git a/src/lib/util/value.h b/src/lib/util/value.h
index df9e7aa5378..39cf43df315 100644
--- a/src/lib/util/value.h
+++ b/src/lib/util/value.h
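Review bot: The Doxygen comment on the new `secret` bit describes an intended effect ("omitted in debug mode") rather than what the bit means, and none of this commit's visible hunks reads the flag, so a reader cannot tell where that omission is supposed to be enforced. I would document it as a property of the attribute and say who sets it, e.g. `unsigned int secret : 1; //!< value is sensitive (password-like) and must not appear in debug output; set by the "secret" dictionary flag or derived by the protocol from an encrypted subtype`. It is also worth stating in the comment that the flag only governs printing: the bytes remain in memory, so any path that dumps a value-box outside the normal debug printer is unaffected. The enclosing `typedef struct` starts and ends outside the hunk.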
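Review bot: `fr_value_box_copy_meta` now carries `secret` across copies, but a box only gets the bit if something set it on the source first; I cannot see in this diff any place where a value-box created from a dictionary attribute inherits `enumv->flags.secret`, so unless that happens elsewhere in value.c every box will have `secret == 0` and the debug suppression never triggers. Worth checking that the constructors/initialisers that take a dictionary attribute set `dst->secret = dst->enumv->flags.secret`, and that the clear/reinit paths reset it in step with `tainted`. The enclosing function starts outside the hunk.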
@@ -154,7 +154,8 @@ struct value_box_s {
 /** Type and flags should appear together for packing efficiency */
 fr_type_t _CONST type; //!< Type of this value-box, at the start, see pair.h
- bool tainted; //!< i.e. did it come from an untrusted source
+ unsigned int tainted : 1; //!< i.e. did it come from an untrusted source
+ unsigned int secret : 1; //!< Same as #fr_dict_attr_flags_t secret
 uint16_t _CONST safe; //!< more detailed safety
 fr_value_box_entry_t entry; //!< Doubly linked list entry.
diff --git a/src/protocols/radius/base.c b/src/protocols/radius/base.c
index 1392a99781a..a3067ac9a77 100644
--- a/src/protocols/radius/base.c
+++ b/src/protocols/radius/base.c
@@ -1103,6 +1103,13 @@ static bool attr_valid(UNUSED fr_dict_t *dict, fr_dict_attr_t const *parent,
 return false;
 }
+ /*
+ * Secret things are secret.
+ */
+ if (flags->subtype > FLAG_TAGGED_TUNNEL_PASSWORD) {
+ flags->secret = true;
+ }
+
 if (flag_concat(flags)) {
 if (!parent->flags.is_root) {
 fr_strerror_const("Attributes with the 'concat' flag MUST be at the root of the dictionary");
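Review bot: Changing `tainted` from `bool` to `unsigned int tainted : 1` (and declaring `secret` the same way) silently changes assignment semantics: a caller that stores a masked integer, say `vb->tainted = (x & EXAMPLE_MASK)` (constructed example), previously got `true` for any non-zero value but now keeps only bit 0, so an even value becomes 0 with no compiler warning — for `secret` that would mean a sensitive value printed in debug output. Since the file already uses `bool`, `bool tainted : 1;` and `bool secret : 1;` keep the 1-bit packing while preserving the 0/1 normalisation of every non-zero value, and still reject `&vb->tainted` at compile time. Minor consistency point: `type` and `safe` carry `_CONST` while the two new bitfields do not; if that is deliberate, a short comment would settle the question for the next reader.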
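Review bot: `flags->subtype > FLAG_TAGGED_TUNNEL_PASSWORD` encodes an ordering invariant of the subtype values — that every encrypted subtype sorts after `FLAG_TAGGED_TUNNEL_PASSWORD` — but the comment `Secret things are secret.` does not say so and the enum is not in this hunk, so a subtype added at the wrong position later would quietly lose secret treatment and its contents would show up in debug logs. I would replace the comment with one that states the assumption, e.g. `/* Every subtype after FLAG_TAGGED_TUNNEL_PASSWORD is an encrypted one; keep that ordering, otherwise this check misses new secrets. */`, or, if the file already has a predicate for "this subtype is encrypted", use that instead of a numeric comparison. Style nit: dict_tokenize.c writes `flags->secret = 1` while this hunk writes `true`; either works for a 1-bit field, but pick one. `attr_valid` begins and ends outside the hunk.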