File logfile_secrets.patch of Package freeradius-server.27107
commit 7728fc683d9f6fb114ac7b321c55d268bddef199
Author: Alan T. DeKok <aland@freeradius.org>
Date: Mon Mar 22 15:39:33 2021 -0400
add "secret" flag to attribute so we can not print it. Sometimes. Maybe.
commit bd1169c834583e3987de469eb2feef9cf3fe4a77
Author: Alan T. DeKok <aland@freeradius.org>
Date: Mon Mar 22 15:53:55 2021 -0400
add and check for "suppress_secrets" so that debug output contains fewer secrets
commit 72c1f718f0059e8af04937b2a88b94e60dd046cb
Author: Alan T. DeKok <aland@freeradius.org>
Date: Mon Mar 22 15:57:17 2021 -0400
suppress secrets here, too
commit a0895291c74cab4a01f069ec576dd232950c6bcd
Author: Alan T. DeKok <aland@freeradius.org>
Date: Mon Mar 22 16:08:42 2021 -0400
use prefix, too
commit 752bc011a860da7e443a1b16a10ff4a028138e3b
Author: Alan T. DeKok <aland@freeradius.org>
Date: Wed Mar 24 08:22:49 2021 -0400
typo
commit e66f45b122e9a65e4a88947d14f84cda3ff83a49
Author: Alan T. DeKok <aland@freeradius.org>
Date: Wed Mar 24 10:20:06 2021 -0400
suppress more secrets
commit 4141a0573beee5d594f237d23c9efffbd4216c89
Author: Alan T. DeKok <aland@freeradius.org>
Date: Wed Mar 24 10:22:47 2021 -0400
mark more attributes "secret"
commit efc9c8d1d5b66d4090fd90d89f74e11896aa4864
Author: Alan T. DeKok <aland@freeradius.org>
Date: Fri Apr 2 06:13:46 2021 -0400
document suppress_secrets
commit 99877d5cee396d2e6939067f946111ff65cf0457
Author: Alan T. DeKok <aland@freeradius.org>
Date: Mon May 3 14:18:19 2021 -0400
'octets' can be secret, too
Index: freeradius-server-3.0.21/src/include/libradius.h
===================================================================
--- freeradius-server-3.0.21.orig/src/include/libradius.h
+++ freeradius-server-3.0.21/src/include/libradius.h
@@ -189,6 +189,8 @@ typedef struct attr_flags {
 unsigned int compare : 1; //!< has a paircompare registered
+ unsigned int secret : 1; //!< is a secret thingy
+
 uint8_t encrypt; //!< Ecryption method.
 uint8_t length;
 } ATTR_FLAGS;
Index: freeradius-server-3.0.21/src/lib/dict.c
===================================================================
--- freeradius-server-3.0.21.orig/src/lib/dict.c
+++ freeradius-server-3.0.21/src/lib/dict.c
@@ -882,6 +882,8 @@ int dict_addattr(char const *name, int a
 return -1;
 }
+ if (flags.encrypt) flags.secret = 1;
+
 if (flags.length && (type != PW_TYPE_OCTETS)) {
 fr_strerror_printf("The \"length\" flag can only be set for attributes of type \"octets\"");
 return -1;
@@ -1742,6 +1744,10 @@ static int process_attribute(char const*
 "\"encrypt=3\" flag set", fn, line);
 return -1;
 }
+ flags.secret = 1;
+
+ } else if (strncmp(key, "secret", 6) == 0) {
+ flags.secret = 1;
 } else if (strncmp(key, "array", 6) == 0) {
 flags.array = 1;
Index: freeradius-server-3.0.21/src/include/radiusd.h
===================================================================
--- freeradius-server-3.0.21.orig/src/include/radiusd.h
+++ freeradius-server-3.0.21/src/include/radiusd.h
@@ -175,6 +175,7 @@ typedef struct main_config {
 #ifdef ENABLE_OPENSSL_VERSION_CHECK
 char const *allow_vulnerable_openssl; //!< The CVE number of the last security issue acknowledged.
 #endif
+ bool suppress_secrets; //!< for debug levels < 3
 } main_config_t;
 #if defined(WITH_VERIFY_PTR)
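Review bot: The new `secret : 1` bit in the libradius.h hunk is documented only as `//!< is a secret thingy`, which tells a dictionary author nothing about what setting it changes. The other hunks on this page show the contract: the bit is set by the dictionary keyword `secret` or implied by any `encrypt` flag, and it makes the debug printers emit `<<< secret >>>` instead of the value when `suppress_secrets` is enabled. Suggested comment: `//!< value is hidden from debug output when suppress_secrets is set (implied by encrypt)`. The attr_flags struct starts before this hunk.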
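Review bot: `strncmp(key, "secret", 6) == 0` in the process_attribute hunk is a prefix test, not an equality test: "secret" is six characters, so the terminating NUL is never compared and any flag beginning with `secret` is accepted, whereas the adjacent `strncmp(key, "array", 6)` covers "array" plus its NUL and therefore matches exactly. Compare one more byte to get the same exact-match behaviour as the existing keywords, `} else if (strncmp(key, "secret", 7) == 0) {`. process_attribute starts and ends outside the hunk, so I cannot see whether an unknown-flag error follows the chain; with a prefix match a misspelt flag such as `secrets` would silently be accepted instead of reaching it.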
@@ -313,7 +314,8 @@ struct rad_request {
 #define RAD_REQUEST_LVL_DEBUG4 (4)
 #define RAD_REQUEST_OPTION_COA (1 << 0)
-#define RAD_REQUEST_OPTION_CTX (1 << 1)
+#define RAD_REQUEST_OPTION_CTX (1 << 1)
+#define RAD_REQUEST_OPTION_CANCELLED (1 << 2)
 #define SECONDS_PER_DAY 86400
 #define MAX_REQUEST_TIME 30
Index: freeradius-server-3.0.21/src/main/mainconfig.c
===================================================================
--- freeradius-server-3.0.21.orig/src/main/mainconfig.c
+++ freeradius-server-3.0.21/src/main/mainconfig.c
@@ -148,6 +148,7 @@ static const CONF_PARSER log_config[] =
 { "colourise",FR_CONF_POINTER(PW_TYPE_BOOLEAN, &do_colourise), NULL },
 { "use_utc", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &log_dates_utc), NULL },
 { "msg_denied", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.denied_msg), "You are already logged in - access denied" },
+ { "suppress_secrets", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.suppress_secrets), NULL },
 CONF_PARSER_TERMINATOR
 };
Index: freeradius-server-3.0.21/src/main/pair.c
===================================================================
--- freeradius-server-3.0.21.orig/src/main/pair.c
+++ freeradius-server-3.0.21/src/main/pair.c
@@ -734,6 +734,11 @@ void rdebug_pair(log_lvl_t level, REQUES
 if (!radlog_debug_enabled(L_DBG, level, request)) return;
+ if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) {
+ RDEBUGX(level, "%s%s = <<< secret >>>", prefix ? prefix : "", vp->da->name);
+ return;
+ }
+
 vp_prints(buffer, sizeof(buffer), vp);
 RDEBUGX(level, "%s%s", prefix ? prefix : "", buffer);
 }
@@ -759,6 +764,11 @@ void rdebug_pair_list(log_lvl_t level, R
 vp = fr_cursor_next(&cursor)) {
 VERIFY_VP(vp);
+ if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) {
+ RDEBUGX(level, "%s%s = <<< secret >>>", prefix ? prefix : "", vp->da->name);
+ continue;
+ }
+
 vp_prints(buffer, sizeof(buffer), vp);
 RDEBUGX(level, "%s%s", prefix ? prefix : "", buffer);
 }
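Review bot: The rad_request hunk adds `RAD_REQUEST_OPTION_CANCELLED` and rewrites the `RAD_REQUEST_OPTION_CTX` define, yet none of the nine commit messages in the patch header mentions either, and no other hunk on this page uses the new option. This looks like a stray change that rode along with the backport; if the secret-suppression feature does not need it, drop the hunk so the patch stays a single reviewable change, and if it does, say so in the patch description. The removed and re-added CTX lines read identically here, so that pair is presumably a whitespace-only change.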
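Review bot: The guard `vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)` added in rdebug_pair is repeated verbatim in rdebug_pair_list on the same line, in rdebug_proto_pair_list, and five more times in rlm_perl.c (perl_vp_to_svpvn_element, perl_store_vps, pairadd_sv), with the debug threshold as the bare literal 3 each time. A single helper next to the new flag keeps the policy in one place and makes the threshold a named value, e.g. `static inline bool vp_is_secret(REQUEST const *request, VALUE_PAIR const *vp)` returning that expression, with the literal replaced by the level define that sits alongside the `RAD_REQUEST_LVL_DEBUG4 (4)` visible in the rad_request hunk, if the header defines one for level 3. Note also that the check reads the process-wide `rad_debug_lvl` rather than anything on the request, so the hiding is global and not affected by per-request debug settings, if the server has any; that is worth a one-line comment on the helper. rdebug_pair starts before the hunk.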
@@ -786,6 +796,12 @@ void rdebug_proto_pair_list(log_lvl_t le
 VERIFY_VP(vp);
 if ((vp->da->vendor == 0) && ((vp->da->attr & 0xFFFF) > 0xff)) continue;
+
+ if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) {
+ RDEBUGX(level, "%s = <<< secret >>>", vp->da->name);
+ continue;
+ }
+
 vp_prints(buffer, sizeof(buffer), vp);
 RDEBUGX(level, "%s", buffer);
 }
Index: freeradius-server-3.0.21/src/modules/rlm_perl/rlm_perl.c
===================================================================
--- freeradius-server-3.0.21.orig/src/modules/rlm_perl/rlm_perl.c
+++ freeradius-server-3.0.21/src/modules/rlm_perl/rlm_perl.c
@@ -630,15 +630,25 @@ static void perl_vp_to_svpvn_element(REQ
 switch (vp->da->type) {
 case PW_TYPE_STRING:
- RDEBUG("$%s{'%s'}[%i] = &%s:%s -> '%s'", hash_name, vp->da->name, *i,
- list_name, vp->da->name, vp->vp_strvalue);
+ if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) {
+ RDEBUG("$%s{'%s'}[%i] = &%s:%s -> <<< secret >>>", hash_name, vp->da->name, *i,
+ list_name, vp->da->name);
+ } else {
+ RDEBUG("$%s{'%s'}[%i] = &%s:%s -> '%s'", hash_name, vp->da->name, *i,
+ list_name, vp->da->name, vp->vp_strvalue);
+ }
 sv = newSVpvn(vp->vp_strvalue, vp->vp_length);
 break;
 default:
 len = vp_prints_value(buffer, sizeof(buffer), vp, 0);
- RDEBUG("$%s{'%s'}[%i] = &%s:%s -> '%s'", hash_name, vp->da->name, *i,
- list_name, vp->da->name, buffer);
+ if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) {
+ RDEBUG("$%s{'%s'}[%i] = &%s:%s -> <<< secret >>>", hash_name, vp->da->name, *i,
+ list_name, vp->da->name);
+ } else {
+ RDEBUG("$%s{'%s'}[%i] = &%s:%s -> '%s'", hash_name, vp->da->name, *i,
+ list_name, vp->da->name, buffer);
+ }
 sv = newSVpvn(buffer, truncate_len(len, sizeof(buffer)));
 break;
 }
@@ -725,15 +735,25 @@ static void perl_store_vps(UNUSED TALLOC
 */
 switch (vp->da->type) {
 case PW_TYPE_STRING:
- RDEBUG("$%s{'%s'} = &%s:%s -> '%s'", hash_name, vp->da->name, list_name,
- vp->da->name, vp->vp_strvalue);
+ if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) {
+ RDEBUG("$%s{'%s'} = &%s:%s -> <<< secret >>>", hash_name, vp->da->name, list_name,
+ vp->da->name);
+ } else {
+ RDEBUG("$%s{'%s'} = &%s:%s -> '%s'", hash_name, vp->da->name, list_name,
+ vp->da->name, vp->vp_strvalue);
+ }
 (void)hv_store(rad_hv, name, strlen(name), newSVpvn(vp->vp_strvalue, vp->vp_length), 0);
 break;
 default:
 len = vp_prints_value(tbuff, tbufflen, vp, 0);
- RDEBUG("$%s{'%s'} = &%s:%s -> '%s'", hash_name, vp->da->name,
- list_name, vp->da->name, tbuff);
+ if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) {
+ RDEBUG("$%s{'%s'} = &%s:%s -> <<< secret >>>", hash_name, vp->da->name, list_name,
+ vp->da->name);
+ } else {
+ RDEBUG("$%s{'%s'} = &%s:%s -> '%s'", hash_name, vp->da->name,
+ list_name, vp->da->name, tbuff);
+ }
 (void)hv_store(rad_hv, name, strlen(name), newSVpvn(tbuff, truncate_len(len, tbufflen)), 0);
 break;
@@ -753,7 +773,7 @@ static void perl_store_vps(UNUSED TALLOC
 static void pairadd_sv(TALLOC_CTX *ctx, REQUEST *request, VALUE_PAIR **vps, char *key, SV *sv, FR_TOKEN op, const char *hash_name, const char *list_name)
 {
- char *val = NULL;
+ char const *val = NULL;
 VALUE_PAIR *vp;
 STRLEN len;
@@ -784,6 +804,10 @@ static void pairadd_sv(TALLOC_CTX *ctx,
 if (fr_pair_value_from_str(vp, val, len) < 0) goto fail;
 }
+ if (vp->da->flags.secret && request->root->suppress_secrets && (rad_debug_lvl < 3)) {
+ val = "<<< secret >>>";
+ }
+
 RDEBUG("&%s:%s %s $%s{'%s'} -> '%s'", list_name, key, fr_int2str(fr_tokens, op, "<INVALID>"), hash_name, key, val);
 }
Index: freeradius-server-3.0.21/share/dictionary.freeradius.internal
===================================================================
--- freeradius-server-3.0.21.orig/share/dictionary.freeradius.internal
+++ freeradius-server-3.0.21/share/dictionary.freeradius.internal
@@ -148,7 +148,7 @@ VALUE EAP-IKEv2-IDType DER_ASN1_GN 10
 VALUE EAP-IKEv2-IDType KEY_ID 11
 ATTRIBUTE EAP-IKEv2-ID 1104 string
-ATTRIBUTE EAP-IKEv2-Secret 1105 string
+ATTRIBUTE EAP-IKEv2-Secret 1105 string secret
 ATTRIBUTE EAP-IKEv2-AuthType 1106 integer
 VALUE EAP-IKEv2-AuthType none 0
@@ -196,7 +196,7 @@ ATTRIBUTE FreeRADIUS-Client-Require-MA
 VALUE FreeRADIUS-Client-Require-MA no 0
 VALUE FreeRADIUS-Client-Require-MA yes 1
-ATTRIBUTE FreeRADIUS-Client-Secret 1123 string
+ATTRIBUTE FreeRADIUS-Client-Secret 1123 string secret
 ATTRIBUTE FreeRADIUS-Client-Shortname 1124 string
 ATTRIBUTE FreeRADIUS-Client-NAS-Type 1125 string
 ATTRIBUTE FreeRADIUS-Client-Virtual-Server 1126 string
Index: freeradius-server-3.0.21/raddb/radiusd.conf.in
===================================================================
--- freeradius-server-3.0.21.orig/raddb/radiusd.conf.in
+++ freeradius-server-3.0.21/raddb/radiusd.conf.in
@@ -377,6 +377,25 @@ log {
 # The message when the user exceeds the Simultaneous-Use limit.
 # msg_denied = "You are already logged in - access denied"
+
+ # Suppress "secret" attributes when printing them in debug mode.
+ #
+ # Secrets are NOT tracked across xlat expansions. If your
+ # configuration puts secrets into other strings, they will
+ # still get printed.
+ #
+ # Setting this to "yes" means that the server prints
+ #
+ # <<< secret >>>
+ #
+ # instead of the value, for attriburtes which contain secret
+ # information. e.g. User-Name, Tunnel-Password, etc.
+ #
+ # This configuration is disabled by default. It is extremely
+ # important for administrators to be able to debug user logins
+ # by seeing what is actually being sent.
+ #
+# suppress_secrets = no
 }
 # The program to execute to do concurrency checks.
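Review bot: The added comment names `User-Name` as an example of an attribute holding secret information, but nothing in this patch marks User-Name secret: the dictionary hunk flags EAP-IKEv2-Secret and FreeRADIUS-Client-Secret, and dict_addattr only implies the bit for attributes carrying an `encrypt` flag, which is how Tunnel-Password qualifies; User-Password, which the standard dictionaries also mark encrypt, is the natural example. The comment also omits the condition the code actually applies — pair.c and rlm_perl.c hide a value only while `rad_debug_lvl < 3` — so an administrator reading this would not learn that at debug level 3 and above the secrets are printed regardless of this setting. Suggested replacement for the example line, `# information. e.g. User-Password, Tunnel-Password, etc.`, followed by `# Note: secrets are still printed at debug level 3 and higher.`; and `attriburtes` is misspelled.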