From 4e71bade4efa1eb62468a715b973d8b77daf59b1 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Tue, 19 Mar 2024 11:01:32 +0100
Subject: [PATCH 1/5] xml: add xml_node_hide_cdata utility function
---
 include/wicked/xml.h | 18 +++----
 src/xml.c | 113 ++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 115 insertions(+), 16 deletions(-)
diff --git a/include/wicked/xml.h b/include/wicked/xml.h
index dbf3a80e..8acf24b2 100644
--- a/include/wicked/xml.h
+++ b/include/wicked/xml.h
@@ -3,7 +3,8 @@
  * This basically parses tags, attributes and CDATA, and that's
  * just about it.
  *
- * Copyright (C) 2009-2012 Olaf Kirch <okir@suse.de>
+ * Copyright (C) 2009-2012 Olaf Kirch <okir@suse.de>
+ * Copyright (C) 2009-2024 SUSE LLC
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -15,15 +16,11 @@
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  * GNU General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, see <http://www.gnu.org/licenses/> or write
- * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
- * Boston, MA 02110-1301 USA.
- *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
-
-#ifndef __WICKED_XML_H__
-#define __WICKED_XML_H__
+#ifndef NI_WICKED_XML_H
+#define NI_WICKED_XML_H
 
 #include <stdio.h>
 #include <wicked/util.h>
@@ -109,6 +106,7 @@ extern int xml_node_uuid(const xml_node_t *, unsigned int, const ni_uuid_t *, n
 extern int xml_node_content_uuid(const xml_node_t *, unsigned int, const ni_uuid_t *, ni_uuid_t *);
 extern int xml_node_print_fn(const xml_node_t *, void (*)(const char *, void *), void *);
 extern int xml_node_print_debug(const xml_node_t *, unsigned int facility);
+extern void xml_node_hide_cdata(xml_node_t *, const char * const [], const char *);
 extern xml_node_t * xml_node_scan(FILE *fp, const char *location);
 extern void xml_node_set_cdata(xml_node_t *, const char *);
 extern void xml_node_set_int(xml_node_t *, int);
@@ -185,4 +183,4 @@ xml_document_is_empty(const xml_document_t *doc)
 return (!doc || xml_node_is_empty(doc->root));
 }
 
-#endif /* __WICKED_XML_H__ */
+#endif /* NI_WICKED_XML_H */
diff --git a/src/xml.c b/src/xml.c
index 59c31924..a55af56f 100644
--- a/src/xml.c
+++ b/src/xml.c
@@ -1,7 +1,8 @@
 /*
  * XML objects - document and node
  *
- * Copyright (C) 2009-2012 Olaf Kirch <okir@suse.de>
+ * Copyright (C) 2009-2012 Olaf Kirch <okir@suse.de>
+ * Copyright (C) 2009-2024 SUSE LLC
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -13,11 +14,8 @@
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  * GNU General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, see <http://www.gnu.org/licenses/> or write
- * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
- * Boston, MA 02110-1301 USA.
- *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -26,6 +24,7 @@
 #include <wicked/xml.h>
 #include <wicked/logging.h>
 #include "util_priv.h"
+#include "slist_priv.h"
 #include <inttypes.h>
 
 #define XML_DOCUMENTARRAY_CHUNK 1
@@ -863,3 +862,105 @@ xml_node_dict_set(xml_node_t *parent, const char *name, const char *value)
 child = xml_node_create(parent, name);
 xml_node_set_cdata(child, value);
 }
+
+typedef struct xml_node_name_path xml_node_name_path_t;
+
+struct xml_node_name_path {
+ xml_node_name_path_t * next;
+ ni_string_array_t path;
+};
+
+static xml_node_name_path_t *
+xml_node_name_path_new(void)
+{
+ return calloc(1, sizeof(xml_node_name_path_t));
+}
+
+static void
+xml_node_name_path_free(xml_node_name_path_t *item)
+{
+ if (item) {
+ ni_string_array_destroy(&item->path);
+ free(item);
+ }
+}
+
+static inline ni_bool_t
+xml_node_name_path_match(xml_node_t *node, const ni_string_array_t *path)
+{
+ ni_bool_t ret = FALSE;
+ const char *name;
+ unsigned int i;
+
+ if (!node || !path)
+ return FALSE;
+
+ for (i = 0; i < path->count; ++i) {
+ name = path->data[i];
+
+ if (!node || !ni_string_eq(node->name, name))
+ return FALSE;
+
+ node = node->parent;
+ ret = TRUE;
+ }
+ return ret;
+}
+
+static ni_define_slist_destroy(xml_node_name_path);
+static ni_define_slist_append(xml_node_name_path);
+
+static ni_bool_t
+xml_node_name_path_list_create(xml_node_name_path_t **list, const char * const npaths[])
+{
+ xml_node_name_path_t *item;
+ const char * const *nptr;
+
+ if (!list || !npaths)
+ return FALSE;
+
+ for (nptr = npaths; *nptr; ++nptr) {
+ if (!(item = xml_node_name_path_new())) {
+ xml_node_name_path_list_destroy(list);
+ return FALSE;
+ }
+ if (!ni_string_split(&item->path, *nptr, "/", 0))
+ xml_node_name_path_free(item);
+ else
+ xml_node_name_path_list_append(list, item);
+ }
+ return TRUE;
+}
+
+static void
+xml_node_name_path_list_hide_cdata(xml_node_t *node,
+ const xml_node_name_path_t *list, const char *hidden)
+{
+ const xml_node_name_path_t *item;
+ xml_node_t *child;
+
+ ni_slist_foreach(list, item) {
+ if (!xml_node_name_path_match(node, &item->path))
+ continue;
+
+ xml_node_set_cdata(node, hidden);
+ }
+
+ for (child = node->children; child; child = child->next)
+ xml_node_name_path_list_hide_cdata(child, list, hidden);
+}
+
+extern void
+xml_node_hide_cdata(xml_node_t *node, const char * const npaths[], const char *hidden)
+{
+ xml_node_name_path_t *list = NULL;
+
+ if (!node || !npaths)
+ return;
+
+ if (!xml_node_name_path_list_create(&list, npaths) || !list)
+ return;
+
+ xml_node_name_path_list_hide_cdata(node, list, hidden);
+ xml_node_name_path_list_destroy(&list);
+}
-- 
2.35.3
From 6b57f56261bc576aadaaf8c898931ba0170c2171 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Tue, 19 Mar 2024 11:01:32 +0100
Subject: [PATCH 2/5] logging: add ni_debug_(verbose_)config_xml utility
Replaces cdata in a copy of a config node and it's children that contain passwords before logging it.
---
 include/wicked/logging.h | 6 ++++++
 src/logging.c | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
diff --git a/include/wicked/logging.h b/include/wicked/logging.h
index 4938450e..a260a2c6 100644
--- a/include/wicked/logging.h
+++ b/include/wicked/logging.h
@@ -18,6 +18,9 @@ extern void ni_error(const char *, ...) ni__printf(1, 2);
 extern void ni_error_extra(const char *, ...) ni__printf(1, 2);
 extern void ni_trace(const char *, ...) ni__printf(1, 2);
 extern void ni_fatal(const char *, ...) ni__printf(1, 2) ni__noreturn;
+extern void ni_debug_verbose_config_xml(const xml_node_t *,
+ unsigned int, unsigned int,
+ const char *, ...) ni__printf(4, 5);
 
 extern int ni_enable_debug(const char *);
 extern int ni_debug_set_default(const char *);
@@ -117,6 +120,9 @@ extern unsigned int ni_log_level;
 } \
 } while (0)
 
+#define ni_debug_config_xml(xml_node, level, fmt, args...) \
+ ni_debug_verbose_config_xml(xml_node, level, NI_TRACE_WICKED_XML, fmt, ##args)
+
 #define ni_debug_none(fmt, args...) do { } while (0)
 
 #define ni_debug_verbose(level, facility, fmt, args...) \
diff --git a/src/logging.c b/src/logging.c
index 42e9f5e5..ce3a1623 100644
--- a/src/logging.c
+++ b/src/logging.c
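Review bot: `xml_node_name_path_match` consumes the path from the leaf upward while the entries are spelled parent-first: `path->data[0]` is compared with `node->name` and `path->data[1]` with `node->parent->name`, so after `ni_string_split(&item->path, *nptr, "/", 0)` an entry like "wep/key" (used later in this series) only matches a `<wep>` element whose parent is `<key>`, and a `<key>` child of `<wep>` keeps its cdata in the log. Unless the list is meant to be written leaf-first, the components should be matched from the last one upward, e.g. `for (i = path->count; i-- > 0; ) {` with the loop body unchanged. The expected order is not written down anywhere; a comment above `xml_node_hide_cdata` such as `/* npaths: NULL-terminated list of "/"-separated element name paths; the cdata of every node whose name path matches is replaced by hidden */` would let callers add entries correctly. The `ni_slist_foreach` loop also keeps calling `xml_node_set_cdata` for every further matching entry after the first one; harmless, but a `break` after the first match avoids the repeated re-allocation.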
@@ -18,6 +18,7 @@
 
 #include <wicked/logging.h>
 #include <wicked/util.h>
+#include <wicked/xml.h>
 #include "util_priv.h"
 
 #define NI_LOG_PID (1 << 0)
@@ -624,3 +625,39 @@ ni_fatal(const char *fmt, ...)
 exit(1);
 }
 
+void
+ni_debug_verbose_config_xml(const xml_node_t *node,
+ unsigned int level, unsigned int facility,
+ const char *fmt, ...)
+{
+ static const char *hidden = "***";
+ static const char * const npaths[] = {
+ "client-key-passwd",
+ "passphrase",
+ "password",
+ "modem-pin",
+ "wep/key",
+ NULL
+ };
+ xml_node_t *clone;
+ va_list ap;
+
+ if (!node || !ni_debug_guard(level, facility))
+ return;
+
+ if (!(clone = xml_node_clone(node, NULL)))
+ return;
+
+ xml_node_hide_cdata(clone, npaths, hidden);
+
+ va_start(ap, fmt);
+ if (!ni_log_syslog)
+ __ni_log_stderr("::: ", fmt, ap, "");
+ else
+ vsyslog(level, fmt, ap);
+
+ va_end(ap);
+
+ xml_node_print_debug(clone, facility);
+ xml_node_free(clone);
+}
-- 
2.35.3
From fb46cbdb2a200515bdc839dfaeaaf0ec9d0ee78c Mon Sep 17 00:00:00 2001
From: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
Date: Tue, 19 Mar 2024 11:01:32 +0100
Subject: [PATCH 3/5] wpa-supplicant: hide private_key_passwd from log
---
 src/wpa-supplicant.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/wpa-supplicant.c b/src/wpa-supplicant.c
index 15a62b33..097f3036 100644
--- a/src/wpa-supplicant.c
+++ b/src/wpa-supplicant.c
@@ -1224,7 +1224,9 @@ ni_debug_escape_net_property(const char *prop_name)
 NI_WPA_NET_PROPERTY_WEP_KEY1,
 NI_WPA_NET_PROPERTY_WEP_KEY2,
 NI_WPA_NET_PROPERTY_WEP_KEY3,
- NI_WPA_NET_PROPERTY_PASSWORD
+ NI_WPA_NET_PROPERTY_PASSWORD,
+ NI_WPA_NET_PROPERTY_PRIVATE_KEY,
+ NI_WPA_NET_PROPERTY_PRIVATE_KEY_PASSWD
 };
 
 if (!ni_wpa_net_property_type(prop_name, &type))
-- 
2.35.3
From 8b1e2826556a4c58a3c63bf41d1a7c2352ac44af Mon Sep 17 00:00:00 2001
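Review bot: The redaction contract of `ni_debug_verbose_config_xml` is invisible to its callers: the `npaths` table (`client-key-passwd`, `passphrase`, `password`, `modem-pin`, `wep/key`) is a file-local static, and neither the declaration added to logging.h nor the definition says that only a clone is modified, that matching is by element name, or which names are covered, so a caller logging a config with a differently named secret element cannot tell that it will be printed in clear. A Doxygen block on the declaration in logging.h naming the redacted elements and stating that the caller's node is left untouched would close that gap, and a comment on the table itself, `/* element names (or parent/child paths) whose cdata is replaced before logging; keep in sync with the schema */`, would make later additions less likely to be missed. The `ni_debug_guard(level, facility)` check deliberately runs before `xml_node_clone`, so no extra copy of the secrets is made while the facility is off; a one-line comment there would keep that ordering intact through future edits.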
From: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
Date: Tue, 19 Mar 2024 11:01:32 +0100
Subject: [PATCH 4/5] nanny: use ni_debug_config_xml for config dump
---
 nanny/device.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/nanny/device.c b/nanny/device.c
index d769cf24..890f479d 100644
--- a/nanny/device.c
+++ b/nanny/device.c
@@ -205,8 +205,8 @@ ni_factory_device_apply_policy(ni_fsm_t *fsm, ni_ifworker_t *w, ni_managed_polic
 w->name, type_name);
 return -1;
 }
- ni_debug_nanny("%s: using device config", w->name);
- xml_node_print_debug(config, 0);
+
+ ni_debug_config_xml(config, NI_LOG_DEBUG, "%s: using device config", w->name);
 
 ni_ifworker_set_config(w, config, ni_fsm_policy_origin(policy));
 xml_node_free(config);
@@ -269,8 +269,7 @@ ni_managed_device_apply_policy(ni_managed_device_t *mdev, ni_managed_policy_t *m
 ni_error("%s: error when applying policy to %s document", w->name, type_name);
 return -1;
 }
- ni_debug_nanny("%s: using device config", w->name);
- xml_node_print_debug(config, 0);
+ ni_debug_config_xml(config, NI_LOG_DEBUG, "%s: using device config", w->name);
 
 ni_managed_device_set_policy(mdev, mpolicy, config);
 xml_node_free(config);
-- 
2.35.3
From 909ee2f91299c8660c675df1170a100c5eb00a89 Mon Sep 17 00:00:00 2001
From: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
Date: Tue, 19 Mar 2024 11:01:32 +0100
Subject: [PATCH 5/5] firmware: use ni_debug_config_xml for config dump
---
 src/firmware.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/firmware.c b/src/firmware.c
index 2842664b..517bc266 100644
--- a/src/firmware.c
+++ b/src/firmware.c
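Review bot: Both replaced call sites change the debug facility the config dump is attributed to: `ni_debug_nanny(...)` plus `xml_node_print_debug(config, 0)` become `ni_debug_config_xml`, which by the macro added in logging.h routes through `NI_TRACE_WICKED_XML`, so the "using device config" line and the dump are no longer emitted when only nanny debugging is enabled (assuming `ni_debug_nanny` maps to a nanny-specific facility, which is not visible here). If that is intended, a sentence in the commit message would help; if not, call `ni_debug_verbose_config_xml(config, NI_LOG_DEBUG, <NANNY_FACILITY_PLACEHOLDER>, "%s: using device config", w->name);` with the facility `ni_debug_nanny` uses. The same applies to the second hunk at line 269.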
@@ -158,8 +158,8 @@ ni_netif_firmware_discovery_script_ifconfig(xml_document_t **doc,
 xml_document_free(*doc);
 *doc = NULL;
 } else if (ni_log_level_at(NI_LOG_DEBUG2)) {
- ni_debug_ifconfig("%s discovery script xml output:", type);
- xml_node_print_debug(xml_document_root(*doc), NI_TRACE_IFCONFIG);
+ ni_debug_verbose_config_xml(xml_document_root(*doc), NI_LOG_DEBUG2,
+ NI_TRACE_IFCONFIG, "%s discovery script xml output:", type);
 }
 }
 ni_buffer_destroy(&buf);
-- 
2.35.3
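Review bot: `ni_debug_verbose_config_xml` returns silently when its node argument is NULL, so if `xml_document_root(*doc)` can be NULL for an empty document the "%s discovery script xml output:" header line that `ni_debug_ifconfig` used to print unconditionally is now dropped as well, which makes an empty script result harder to spot in a debug log. If the header is wanted in that case, keep the `ni_debug_ifconfig(...)` line and let the new helper print only the redacted tree. The outer `else if (ni_log_level_at(NI_LOG_DEBUG2))` is now a duplicate of the `ni_debug_guard(level, facility)` check inside the helper; harmless, but worth a short comment so nobody "fixes" one of them away later.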