From bd1169c834583e3987de469eb2feef9cf3fe4a77 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Mon, 22 Mar 2021 15:53:55 -0400
Subject: [PATCH] add and check for "suppress_secrets" so that debug output contains fewer secrets
---
 src/include/radiusd.h | 6 ++++--
 src/main/mainconfig.c | 1 +
 src/main/pair.c | 16 ++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index b2a0a0f642..028202fe2c 100644
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -114,6 +114,7 @@ typedef struct main_config { fr_ipaddr_t myip; //!< IP to bind to. Set on command line. uint16_t port; //!< Port to bind to. Set on command line. + bool suppress_secrets; //!< for debug levels < 3 bool log_auth; //!< Log all authentication attempts. bool log_accept; //!< Log Access-Accept bool log_reject; //!< Log Access-Reject
@@ -312,8 +313,9 @@ struct rad_request { #define RAD_REQUEST_LVL_DEBUG3 (3) #define RAD_REQUEST_LVL_DEBUG4 (4) -#define RAD_REQUEST_OPTION_COA (1 << 0) -#define RAD_REQUEST_OPTION_CTX (1 << 1) +#define RAD_REQUEST_OPTION_COA (1 << 0) +#define RAD_REQUEST_OPTION_CTX (1 << 1) +#define RAD_REQUEST_OPTION_CANCELLED (1 << 2) #define SECONDS_PER_DAY 86400 #define MAX_REQUEST_TIME 30
diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index 1601ea1c8d..db110ed6f5 100644
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -148,6 +148,7 @@ static const CONF_PARSER log_config[] = { { "colourise",FR_CONF_POINTER(PW_TYPE_BOOLEAN, &do_colourise), NULL }, { "use_utc", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &log_dates_utc), NULL }, { "msg_denied", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.denied_msg), "You are already logged in - access denied" }, + { "suppress_secrets", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.suppress_secrets), NULL }, CONF_PARSER_TERMINATOR };
diff --git a/src/main/pair.c b/src/main/pair.c
index 91d265935b..d1596b9132 100644
--- a/src/main/pair.c
+++ b/src/main/pair.c
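Review bot: The comment on the new `suppress_secrets` field, `//!< for debug levels < 3`, states when the flag applies but not what it does, so a reader of main_config has to go to the pair.c call sites to learn its effect. The neighbouring fields in this hunk each describe their effect (`Log all authentication attempts.`), so I would follow that form: `bool suppress_secrets; //!< Print attributes flagged 'secret' as "<<< secret >>>" in debug output below level 3.`. It is also worth stating that the key is read from the `log` configuration section, which is where mainconfig.c appears to register it.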
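Review bot: `RAD_REQUEST_OPTION_CANCELLED` is defined here but nothing else in the patch sets or tests it, and the subject line describes only the secret-suppression change, so as far as the diff shows this definition is unrelated to the commit. The `COA` and `CTX` lines are removed and re-added only to realign whitespace around it. I would move the new option bit, together with the realignment, into the commit that actually uses it, or at minimum add a trailing comment saying which code path marks a request as cancelled.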
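Review bot: The new parser entry has a `NULL` default, so unless an administrator adds `suppress_secrets` to the configuration the field stays false and secret-flagged attributes keep appearing in debug output exactly as before; the diffstat shows no change to the shipped sample configuration or documentation, so operators have no way to learn the key exists. Because the suppression already applies only below debug level 3, defaulting it on costs little for troubleshooting: `{ "suppress_secrets", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.suppress_secrets), "yes" },`. If the default has to stay off for compatibility, the key should at least be added to the sample `log` section with a note that full debug output (level 3 and above) still prints the values.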
@@ -742,6 +742,11 @@ void rdebug_pair(log_lvl_t level, REQUEST *request, VALUE_PAIR *vp, char const * if (!radlog_debug_enabled(L_DBG, level, request)) return; + if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) { + RDEBUGX(level, "%s%s = <<< secret >>>", prefix ? prefix : "", vp->da->name); + return; + } + vp_prints(buffer, sizeof(buffer), vp); RDEBUGX(level, "%s%s", prefix ? prefix : "", buffer); }
@@ -767,6 +772,11 @@ void rdebug_pair_list(log_lvl_t level, REQUEST *request, VALUE_PAIR *vp, char co vp = fr_cursor_next(&cursor)) { VERIFY_VP(vp); + if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) { + RDEBUGX(level, "%s = <<< secret >>>", vp->da->name); + continue; + } + vp_prints(buffer, sizeof(buffer), vp); RDEBUGX(level, "%s%s", prefix ? prefix : "", buffer); }
@@ -794,6 +804,12 @@ void rdebug_proto_pair_list(log_lvl_t level, REQUEST *request, VALUE_PAIR *vp) VERIFY_VP(vp); if ((vp->da->vendor == 0) && ((vp->da->attr & 0xFFFF) > 0xff)) continue; + + if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) { + RDEBUGX(level, "%s = <<< secret >>>", vp->da->name); + continue; + } + vp_prints(buffer, sizeof(buffer), vp); RDEBUGX(level, "%s", buffer); }
-- 2.47.2
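Review bot: The condition `vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)` is pasted verbatim into all three hunks of this file (rdebug_pair here, then rdebug_pair_list and rdebug_proto_pair_list), and the `3` is a bare literal although the logging header already names that threshold (`L_DBG_LVL_3`). A single static helper keeps the redaction policy in one place so a later change to the threshold or the flag cannot miss a call site; the excerpt below shows it applied in rdebug_pair, whose body begins above this hunk. Only these three rdebug_* paths are covered, so any other code that formats a VALUE_PAIR into the log would still print the raw value and is worth auditing separately.

```c
/* Secret-flagged attributes are hidden from debug output below level 3 when configured. */
static inline bool rdebug_pair_hidden(REQUEST const *request, VALUE_PAIR const *vp)
{
	return vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < L_DBG_LVL_3);
}

/* … unchanged: rdebug_pair prologue and radlog_debug_enabled check … */
	if (rdebug_pair_hidden(request, vp)) {
		RDEBUGX(level, "%s%s = <<< secret >>>", prefix ? prefix : "", vp->da->name);
		return;
	}
```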
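Review bot: The secret branch added in rdebug_pair_list drops the caller's prefix: the normal path two lines below prints `"%s%s", prefix ? prefix : "", buffer`, while the new line prints only `"%s = <<< secret >>>", vp->da->name`, so a redacted attribute is emitted without the indentation or label that every other attribute in the same list carries (rdebug_pair in the previous hunk does keep it). Change it to `RDEBUGX(level, "%s%s = <<< secret >>>", prefix ? prefix : "", vp->da->name);`. The loop and the function signature start above this hunk.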