From: Alan T. DeKok Date: Mon, 17 Feb 2025 13:11:51 +0000 (-0500) Subject: use DER names in dictionaries X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f372e61d590379aafdd2751a7296ddba9feea2d3;p=thirdparty%2Ffreeradius-server.git use DER names in dictionaries and forbid more FreeRADIUS types earlier in the parsing process, with better error messages.
---
diff --git a/share/dictionary/der/dictionary.oids b/share/dictionary/der/dictionary.oids
index 948acc5c3fc..042787375a4 100644
--- a/share/dictionary/der/dictionary.oids
+++ b/share/dictionary/der/dictionary.oids
@@ -2,39 +2,39 @@
 # Copyright (C) 2025 Network RADIUS SAS (legal@networkradius.com)
 # This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
 # Version $Id$
-DEFINE OID-Tree tlv
+DEFINE OID-Tree sequence
 BEGIN OID-Tree
-ATTRIBUTE iso 1 tlv
-ATTRIBUTE member-body 1.2 tlv
-ATTRIBUTE us 1.2.840 tlv
-ATTRIBUTE ansi-x962 1.2.840.10045 tlv
-ATTRIBUTE keyType 1.2.840.10045.2 tlv
+ATTRIBUTE iso 1 sequence
+ATTRIBUTE member-body 1.2 sequence
+ATTRIBUTE us 1.2.840 sequence
+ATTRIBUTE ansi-x962 1.2.840.10045 sequence
+ATTRIBUTE keyType 1.2.840.10045.2 sequence
 ATTRIBUTE ecPublicKey 1.2.840.10045.2.1 oid is_oid_leaf
-ATTRIBUTE signatures 1.2.840.10045.4 tlv
-ATTRIBUTE ecdsa-with-SHA2 1.2.840.10045.4.3 tlv
+ATTRIBUTE signatures 1.2.840.10045.4 sequence
+ATTRIBUTE ecdsa-with-SHA2 1.2.840.10045.4.3 sequence
 ATTRIBUTE ecdsa-with-SHA384 1.2.840.10045.4.3.3 bool is_oid_leaf,has_default
 VALUE 1.2.840.10045.4.3.3 DEFAULT false
-ATTRIBUTE rsadsi 1.2.840.113549 tlv
-ATTRIBUTE pkcs 1.2.840.113549.1 tlv
-ATTRIBUTE pkcs-1 1.2.840.113549.1.1 tlv
+ATTRIBUTE rsadsi 1.2.840.113549 sequence
+ATTRIBUTE pkcs 1.2.840.113549.1 sequence
+ATTRIBUTE pkcs-1 1.2.840.113549.1.1 sequence
 ATTRIBUTE rsaEncryption 1.2.840.113549.1.1.1 null is_oid_leaf
 ATTRIBUTE sha256WithRSAEncryption 1.2.840.113549.1.1.11 null is_oid_leaf
-ATTRIBUTE identified-organization 1.3 tlv
-ATTRIBUTE dod 1.3.6 tlv
-ATTRIBUTE internet 1.3.6.1 tlv
-ATTRIBUTE security 1.3.6.1.5 tlv
-ATTRIBUTE mechanisms 1.3.6.1.5.5 tlv
-ATTRIBUTE pkix 1.3.6.1.5.5.7 tlv
-ATTRIBUTE pe 1.3.6.1.5.5.7.1 tlv
+ATTRIBUTE identified-organization 1.3 sequence
+ATTRIBUTE dod 1.3.6 sequence
+ATTRIBUTE internet 1.3.6.1 sequence
+ATTRIBUTE security 1.3.6.1.5 sequence
+ATTRIBUTE mechanisms 1.3.6.1.5.5 sequence
+ATTRIBUTE pkix 1.3.6.1.5.5.7 sequence
+ATTRIBUTE pe 1.3.6.1.5.5.7.1 sequence
-ATTRIBUTE joint-iso-itu-t 2 tlv
-ATTRIBUTE ds 2.5 tlv
+ATTRIBUTE joint-iso-itu-t 2 sequence
+ATTRIBUTE ds 2.5 sequence
-ATTRIBUTE attributeType 2.5.4 tlv
+ATTRIBUTE attributeType 2.5.4 sequence
 ATTRIBUTE commonName 2.5.4.3 printablestring is_oid_leaf
 ATTRIBUTE countryName 2.5.4.6 string[2] der_type=printablestring,is_oid_leaf
 ATTRIBUTE serialNumber 2.5.4.5 printablestring is_oid_leaf
@@ -42,7 +42,7 @@ ATTRIBUTE localityName 2.5.4.7 string is_oid_leaf
 ATTRIBUTE stateOrProvinceName 2.5.4.8 string is_oid_leaf
 ATTRIBUTE organizationName 2.5.4.10 printablestring is_oid_leaf
-ATTRIBUTE certificateExtension 2.5.29 tlv
+ATTRIBUTE certificateExtension 2.5.29 sequence
 $INCLUDE dictionary.extensions
diff --git a/share/dictionary/der/dictionary.rfc2986 b/share/dictionary/der/dictionary.rfc2986
index 674a7c49c4c..8f36bdf1424 100644
--- a/share/dictionary/der/dictionary.rfc2986
+++ b/share/dictionary/der/dictionary.rfc2986
@@ -2,18 +2,18 @@
 # Copyright (C) 2025 Network RADIUS SAS (legal@networkradius.com)
 # This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
 # Version $Id$
-DEFINE CertificateRequest tlv
+DEFINE CertificateRequest sequence
 BEGIN CertificateRequest
-DEFINE certificationRequestInfo tlv
+DEFINE certificationRequestInfo sequence
 BEGIN certificationRequestInfo
 DEFINE version integer
-DEFINE subject tlv
+DEFINE subject sequence
 BEGIN subject
 DEFINE RelativeDistinguishedName set
 BEGIN RelativeDistinguishedName
-DEFINE AttributeTypeandValue tlv
+DEFINE AttributeTypeandValue sequence
 BEGIN AttributeTypeAndValue
 DEFINE OID oid
 DEFINE Value-Thing utf8string
@@ -21,9 +21,9 @@ END AttributeTypeAndValue
 END RelativeDistinguishedName
 END subject
-DEFINE subjectPublicKeyInfo tlv
+DEFINE subjectPublicKeyInfo sequence
 BEGIN subjectPublicKeyInfo
-DEFINE algorithm tlv
+DEFINE algorithm sequence
 BEGIN algorithm
 DEFINE OID oid
 END algorithm
@@ -32,7 +32,7 @@ END subjectPublicKeyInfo
 DEFINE Attributes sequence option=0
 BEGIN Attributes
-DEFINE Attribute-thing tlv
+DEFINE Attribute-thing sequence
 BEGIN Attribute-thing
 DEFINE OID oid
 DEFINE Extensions group ref=OID-Tree,der_type=set,is_extensions
@@ -41,7 +41,7 @@ END Attributes
 END certificationRequestInfo
-DEFINE signatureAlgorithm tlv
+DEFINE signatureAlgorithm sequence
 BEGIN signatureAlgorithm
 DEFINE OID oid
 END signatureAlgorithm
diff --git a/share/dictionary/der/dictionary.rfc5280 b/share/dictionary/der/dictionary.rfc5280
index 95f1f7c3d46..f62e94fb44a 100644
--- a/share/dictionary/der/dictionary.rfc5280
+++ b/share/dictionary/der/dictionary.rfc5280
@@ -2,10 +2,10 @@
 # Copyright (C) 2025 Network RADIUS SAS (legal@networkradius.com)
 # This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0
 # Version $Id$
-DEFINE Certificate tlv
+DEFINE Certificate sequence
 BEGIN Certificate
-DEFINE tbsCertificate tlv
+DEFINE tbsCertificate sequence
 BEGIN tbsCertificate
 DEFINE version sequence option=0
 BEGIN version
@@ -14,7 +14,7 @@ END version
 DEFINE serialNumber octets der_type=integer
 DEFINE signature group ref=OID-Tree,is_pair
-DEFINE issuer sequence sequence_of=set,is_pairs
+DEFINE issuer sequence sequence_of=set
 BEGIN issuer
 DEFINE RelativeDistinguishedName set
 BEGIN RelativeDistinguishedName
@@ -22,13 +22,13 @@ DEFINE AttributeTypeAndValue group ref=OID-Tree,is_pair
 END RelativeDistinguishedName
 END issuer
-DEFINE validity tlv
+DEFINE validity sequence
 BEGIN validity
 DEFINE notBefore utctime
 DEFINE notAfter utctime
 END validity
-DEFINE subject tlv sequence_of=set,is_pairs
+DEFINE subject sequence sequence_of=set
 BEGIN subject
 DEFINE RelativeDistinguishedName set
 BEGIN RelativeDistinguishedName
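Review bot: The issuer and subject definitions in dictionary.rfc5280 lose the `is_pairs` flag as well as being renamed from tlv to sequence (`-DEFINE issuer sequence sequence_of=set,is_pairs` → `+DEFINE issuer sequence sequence_of=set`, and the same for `subject` in the following hunk), but the commit message only describes the rename. If the flag is now redundant because the RelativeDistinguishedName children already carry `is_pair`, that is worth one line in the commit message or a dictionary comment; if the decoder still consults `is_pairs`, dropping it changes how these names are decoded rather than just how they are spelled. This applies to both the -14,7 and the -22,13 hunks of this file.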
@@ -36,7 +36,7 @@ DEFINE AttributeTypeandValue group ref=OID-Tree,is_pair
 END RelativeDistinguishedName
 END subject
-DEFINE subjectPublicKeyInfo tlv
+DEFINE subjectPublicKeyInfo sequence
 BEGIN subjectPublicKeyInfo
 DEFINE algorithm group ref=OID-Tree,is_pair
 DEFINE subjectPublicKey bitstring
diff --git a/src/protocols/der/base.c b/src/protocols/der/base.c
index e30e4c14721..d39751509a9 100644
--- a/src/protocols/der/base.c
+++ b/src/protocols/der/base.c
@@ -483,6 +483,45 @@ static bool type_parse(fr_type_t *type_p,fr_dict_attr_t **da_p, char const *name
 fr_der_tag_t der_type;
 fr_type_t fr_type;
+ /*
+ * To avoid confusion, we want to use the DER names where
+ * possible.
+ *
+ * We only use the FreeRADIUS names where we don't have a
+ * choice. :(
+ */
+ switch (*type_p) {
+ case FR_TYPE_TLV:
+ fr_strerror_const("Cannot use 'tlv' in DER. Please use 'sequence'");
+ return false;
+
+ case FR_TYPE_IPV4_ADDR:
+ case FR_TYPE_IPV4_PREFIX:
+ case FR_TYPE_IPV6_ADDR:
+ case FR_TYPE_IPV6_PREFIX:
+ case FR_TYPE_IFID:
+ case FR_TYPE_COMBO_IP_ADDR:
+ case FR_TYPE_COMBO_IP_PREFIX:
+ case FR_TYPE_ETHERNET:
+ case FR_TYPE_FLOAT32:
+ case FR_TYPE_FLOAT64:
+ case FR_TYPE_VSA:
+ case FR_TYPE_VENDOR:
+ case FR_TYPE_VALUE_BOX:
+ case FR_TYPE_VOID:
+ case FR_TYPE_MAX:
+ fr_strerror_printf("Cannot use type '%s' in the DER dictionaries",
+ fr_type_to_str(*type_p));
+ return false;
+
+ /*
+ * We allow integers for now. They may be
+ * internal, or they may be inside of a struct.
+ */
+ default:
+ break;
+ }
+
 /*
 * Convert the DER data type to the underlying FreeRADIUS
 * data type.
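Review bot: The new switch in type_parse is a deny-list over fr_type_t, so any type added to the enum later is accepted by `default: break;` and reaches the DER conversion below without ever being considered here; listing the accepted types and rejecting the rest would fail closed, or at least the comment should state that unknown types are deliberately let through. The 'tlv' rejection also omits the attribute being defined even though `name` is a parameter of type_parse, so unless the caller already prefixes it the user gets no location; `fr_strerror_printf("Cannot use 'tlv' for '%s' in DER. Please use 'sequence'", name);` would match the printf form used for the other rejected types. type_parse starts before and continues after this hunk.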
@@ -605,7 +644,9 @@ static bool attr_valid(fr_dict_attr_t *da)
 * in structs, because the struct encoder/decoder takes
 * care of those.
 */
- if (fr_type_is_integer_except_bool(da->type) && (da->type != FR_TYPE_INT64) &&
+ if (fr_type_is_integer_except_bool(da->type) &&
+ !da->flags.internal &&
+ (da->type != FR_TYPE_INT64) &&
 (da->type != FR_TYPE_DATE) && (da->type != FR_TYPE_TIME_DELTA) &&
 (da->parent->type != FR_TYPE_STRUCT)) {
 fr_strerror_printf("All integers in DER must be 'int64', and not '%s'",
diff --git a/src/tests/unit/protocols/der/dictionary.test b/src/tests/unit/protocols/der/dictionary.test
index e13e4c27c79..17e1ce159d3 100644
--- a/src/tests/unit/protocols/der/dictionary.test
+++ b/src/tests/unit/protocols/der/dictionary.test
@@ -94,11 +94,11 @@ MEMBER Test-Integer integer
 MEMBER Test-Null null
 END Seq-Integer-Null
-DEFINE Test-Oid string der_type=oid
+DEFINE Test-Oid oid
 DEFINE Seq-Oid struct der_type=sequence
 BEGIN Seq-Oid
-MEMBER Test-Oid string der_type=oid
+MEMBER Test-Oid oid
 END Seq-Oid
 DEFINE Test-Enumerated enumerated
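Review bot: The added `!da->flags.internal &&` exemption in attr_valid is not explained by the comment directly above it, which only justifies skipping integers inside structs, so a reader cannot tell why an internal attribute may keep a non-int64 integer type. Suggest extending that comment block with ` * Internal attributes are exempt as well; see the matching note in type_parse().` and, if the reason is that they are never DER-encoded, saying so explicitly rather than leaving it implied. The comment block and the function itself begin before this hunk.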