Alan T. DeKok [Mon, 7 Aug 2023 13:10:21 +0000 (09:10 -0400)]
add and use fr_pair_list_print()
so that we can hoist the "nested or not" debug printing into
this function. Which also lets this function peek ahead, and
print attributes as if they were nested when they really aren't
These are in calc_{string, octet}(), where coercion results stored
in locals must be cleared before returning. Currently coverity claims
that the value box's type is not set. One would think that modeling
fr_value_box_cast() to say it writes the destination on success would
suffice, but that might not be the case, so we will initialize the
value boxes just as we have done with some local buffers used in
sbuffs.
James Jones [Fri, 28 Jul 2023 19:02:13 +0000 (14:02 -0500)]
Help coverity recognize the range check (CID #1503921) (#5125)
The code checks that offset is in [12, start - packet), and
coverity recognizes the lower bound check as constraining
offset, but doesn't recognze the upper bound check, hence the
TAINTED_SCALAR defect. We rewrite the check in an equivalent
form with offset by itself on one side of the relational
operator.
James Jones [Fri, 28 Jul 2023 14:15:29 +0000 (09:15 -0500)]
Keep too-long lines from overwriting output_buffer (#5093)
This came up because of CID #1533664, but almost certainly won't
placate coverity. It just makes sure that it won't ask for more
than will fit in output_buff, at the extremely rare cost of not
printing all of the remaining part of the line.
This should quiet coverity while we figure out why the
sbuff function models don't communicate to coverity that
on success, they really do write to the output sbuff.
James Jones [Thu, 27 Jul 2023 15:58:36 +0000 (10:58 -0500)]
Check sbuff returns in header_source() (CIDs #150424, #150280) (#5116)
It's seriously unlikely, since conf_buffer can use all the
memory there is, but in theory the generation of the SMTP header
*could* fail, and that's enough to make coverity kvetch.
James Jones [Thu, 27 Jul 2023 15:58:12 +0000 (10:58 -0500)]
Make clear to fr_radius_ok() that totallen is validated (CID #1455247) (#5109)
Coverity thinks that calculating totallen via byte-swapping taints
the buffer holding the packet to be decoded. Modeling fr_radius_ok()
doesn't seem to have worked, so we'll try making it clear to coverity
that we validate totallen.
Alan T. DeKok [Fri, 21 Jul 2023 18:40:14 +0000 (14:40 -0400)]
add and support suppress_secrets
the default is to not suppress secrets. Printing secrets is
suppressed if it's running as "-X" AND the configuration file
says to suppress them. Otherwise the secrets are printed.
this behavior means that for most configurations, administrators
can see (and compare) the user passwords. However, if the admins
want to suppress secrets, they can do so in their local
configuration.
Alan T. DeKok [Fri, 21 Jul 2023 17:41:54 +0000 (13:41 -0400)]
define and use fr_vasprintf_secure()
which escapes / omits the contents of any value-box which is
marked "secret".
Note that we _cannot_ do this omission in fr_value_box_print(),
as that function may be used multiple times internally. For example,
converting a clear-text password to CHAP via an MD5 xlat. Those
values should be passed through unchanged.
As a result, we can only omit secrets in a new function, which can
then be used in debug / log functions which are known to be sent
to the admin.
There are still some pieces missing.
%pM prints a value-box list, and the fr_value_box_list_aprint()
function does not take a flag for printing secrets (or not).
%pP prints a pair, and the fr_pair_aprint() function also does not
take a flag for printing secrets.
The configuration files store data in CONF_PAIRs, which don't use
value-boxes. So any shared secret is still printed in debug mode.
Alan T. DeKok [Thu, 20 Jul 2023 13:17:01 +0000 (09:17 -0400)]
add and use "safe" fields for LDAP and SQL
which means that if we escape data once, it is not escaped again.
For SQL, the escape function is tracked per driver. So you can't
escape something for MySQL, and then later use it for PostgreSQL
without that _also_ being escaped.
Alan T. DeKok [Thu, 20 Jul 2023 12:39:50 +0000 (08:39 -0400)]
"safe" values can still be tainted.
Users of that data who understand this particular value of the "safe"
flagmar can then ignore the "tainted" flag, and use the value as if it
was untainted. Every other user of the data must still treat it as
tainted.
Alan T. DeKok [Thu, 20 Jul 2023 12:13:03 +0000 (08:13 -0400)]
fr_value_box_alloc() does not need to take a "tainted" flag
a bare box is not tainted. In the few cases where the data is
tainted, it is copied from a tainted source via fr_value_box_copy(),
which also copies the tainted flag
Alan T. DeKok [Thu, 20 Jul 2023 11:49:41 +0000 (07:49 -0400)]
add fr_box() generic
which only works for some leaf types, as there string / octets
types need also to deal with length and talloc issues. Other types
like ipaddr need to check the contents of the source.
Alan T. DeKok [Mon, 17 Jul 2023 18:13:16 +0000 (14:13 -0400)]
change vp->da->type to vp->vp_type
not only is it friendlier to cache locality, it's more correct
because of things like FR_TYPE_COMBO_IPADDR, where the realized
vp->vp_type is different from the theoretical da->type
projects / thirdparty / freeradius-server.git / log
