File 0004-hide-secrets-in-debug-log-bsc-1221194.patch of Package wicked.33325
From 4e71bade4efa1eb62468a715b973d8b77daf59b1 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Tue, 19 Mar 2024 11:01:32 +0100
Subject: [PATCH 1/5] xml: add xml_node_hide_cdata utility function
---
include/wicked/xml.h | 18 +++----
src/xml.c | 113 ++++++++++++++++++++++++++++++++++++++++---
2 files changed, 115 insertions(+), 16 deletions(-)
diff --git a/include/wicked/xml.h b/include/wicked/xml.h
index dbf3a80e..8acf24b2 100644
--- a/include/wicked/xml.h
+++ b/include/wicked/xml.h
@@ -3,7 +3,8 @@
* This basically parses tags, attributes and CDATA, and that's
* just about it.
*
- * Copyright (C) 2009-2012 Olaf Kirch <okir@suse.de>
+ * Copyright (C) 2009-2012 Olaf Kirch <okir@suse.de>
+ * Copyright (C) 2009-2024 SUSE LLC
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -15,15 +16,11 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, see <http://www.gnu.org/licenses/> or write
- * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
- * Boston, MA 02110-1301 USA.
- *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-
-#ifndef __WICKED_XML_H__
-#define __WICKED_XML_H__
+#ifndef NI_WICKED_XML_H
+#define NI_WICKED_XML_H
#include <stdio.h>
#include <wicked/util.h>
@@ -109,6 +106,7 @@ extern int xml_node_uuid(const xml_node_t *, unsigned int, const ni_uuid_t *, n
extern int xml_node_content_uuid(const xml_node_t *, unsigned int, const ni_uuid_t *, ni_uuid_t *);
extern int xml_node_print_fn(const xml_node_t *, void (*)(const char *, void *), void *);
extern int xml_node_print_debug(const xml_node_t *, unsigned int facility);
+extern void xml_node_hide_cdata(xml_node_t *, const char * const [], const char *);
extern xml_node_t * xml_node_scan(FILE *fp, const char *location);
extern void xml_node_set_cdata(xml_node_t *, const char *);
extern void xml_node_set_int(xml_node_t *, int);
@@ -185,4 +183,4 @@ xml_document_is_empty(const xml_document_t *doc)
return (!doc || xml_node_is_empty(doc->root));
}
-#endif /* __WICKED_XML_H__ */
+#endif /* NI_WICKED_XML_H */
diff --git a/src/xml.c b/src/xml.c
index 59c31924..a55af56f 100644
--- a/src/xml.c
+++ b/src/xml.c
@@ -1,7 +1,8 @@
/*
* XML objects - document and node
*
- * Copyright (C) 2009-2012 Olaf Kirch <okir@suse.de>
+ * Copyright (C) 2009-2012 Olaf Kirch <okir@suse.de>
+ * Copyright (C) 2009-2024 SUSE LLC
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -13,11 +14,8 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, see <http://www.gnu.org/licenses/> or write
- * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
- * Boston, MA 02110-1301 USA.
- *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -26,6 +24,7 @@
#include <wicked/xml.h>
#include <wicked/logging.h>
#include "util_priv.h"
+#include "slist_priv.h"
#include <inttypes.h>
#define XML_DOCUMENTARRAY_CHUNK 1
@@ -863,3 +862,105 @@ xml_node_dict_set(xml_node_t *parent, const char *name, const char *value)
child = xml_node_create(parent, name);
xml_node_set_cdata(child, value);
}
+
+typedef struct xml_node_name_path xml_node_name_path_t;
+
+struct xml_node_name_path {
+ xml_node_name_path_t * next;
+ ni_string_array_t path;
+};
+
+static xml_node_name_path_t *
+xml_node_name_path_new(void)
+{
+ return calloc(1, sizeof(xml_node_name_path_t));
+}
+
+static void
+xml_node_name_path_free(xml_node_name_path_t *item)
+{
+ if (item) {
+ ni_string_array_destroy(&item->path);
+ free(item);
+ }
+}
+
+static inline ni_bool_t
+xml_node_name_path_match(xml_node_t *node, const ni_string_array_t *path)
+{
+ ni_bool_t ret = FALSE;
+ const char *name;
+ unsigned int i;
+
+ if (!node || !path)
+ return FALSE;
+
+ for (i = 0; i < path->count; ++i) {
+ name = path->data[i];
+
+ if (!node || !ni_string_eq(node->name, name))
+ return FALSE;
+
+ node = node->parent;
+ ret = TRUE;
+ }
+ return ret;
+}
+
+static ni_define_slist_destroy(xml_node_name_path);
+static ni_define_slist_append(xml_node_name_path);
+
+static ni_bool_t
+xml_node_name_path_list_create(xml_node_name_path_t **list, const char * const npaths[])
+{
+ xml_node_name_path_t *item;
+ const char * const *nptr;
+
+ if (!list || !npaths)
+ return FALSE;
+
+ for (nptr = npaths; *nptr; ++nptr) {
+ if (!(item = xml_node_name_path_new())) {
+ xml_node_name_path_list_destroy(list);
+ return FALSE;
+ }
+ if (!ni_string_split(&item->path, *nptr, "/", 0))
+ xml_node_name_path_free(item);
+ else
+ xml_node_name_path_list_append(list, item);
+ }
+ return TRUE;
+}
+
+static void
+xml_node_name_path_list_hide_cdata(xml_node_t *node,
+ const xml_node_name_path_t *list, const char *hidden)
+{
+ const xml_node_name_path_t *item;
+ xml_node_t *child;
+
+ ni_slist_foreach(list, item) {
+ if (!xml_node_name_path_match(node, &item->path))
+ continue;
+
+ xml_node_set_cdata(node, hidden);
+ }
+
+ for (child = node->children; child; child = child->next)
+ xml_node_name_path_list_hide_cdata(child, list, hidden);
+}
+
+extern void
+xml_node_hide_cdata(xml_node_t *node, const char * const npaths[], const char *hidden)
+{
+ xml_node_name_path_t *list = NULL;
+
+ if (!node || !npaths)
+ return;
+
+ if (!xml_node_name_path_list_create(&list, npaths) || !list)
+ return;
+
+ xml_node_name_path_list_hide_cdata(node, list, hidden);
+ xml_node_name_path_list_destroy(&list);
+}
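Review bot: In `xml_node_name_path_match` the path components are consumed from index 0 while the node pointer walks up through `node->parent`, so a path such as `wep/key` only matches a node named `wep` whose parent is named `key` — assuming ni_string_split stores the components in document order, which is not visible here. If the intent (as the `wep/key` entry in patch 2 suggests) is to mask the `key` element inside `wep`, the loop should iterate the components from the last one, `for (i = path->count; i--; ) {`, and a comment should state that the path is anchored at the matched node and may have further ancestors above its first component. Separately, `xml_node_name_path_list_hide_cdata` keeps iterating the list after a match and may call `xml_node_set_cdata` on the same node repeatedly; a `break;` after the set is cheaper and makes the intent clear. Note also that the replaced cdata strings are freed by `xml_node_set_cdata` without scrubbing, so the secret still lingers in freed heap memory — no worse than the original node, but worth a comment if that matters to the bug being fixed.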
--
2.35.3
From 6b57f56261bc576aadaaf8c898931ba0170c2171 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Tue, 19 Mar 2024 11:01:32 +0100
Subject: [PATCH 2/5] logging: add ni_debug_(verbose_)config_xml utility
Replaces the cdata of password-carrying elements in a copy of a config
node and its children before logging the copy.
---
include/wicked/logging.h | 6 ++++++
src/logging.c | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/include/wicked/logging.h b/include/wicked/logging.h
index 4938450e..a260a2c6 100644
--- a/include/wicked/logging.h
+++ b/include/wicked/logging.h
@@ -18,6 +18,9 @@ extern void ni_error(const char *, ...) ni__printf(1, 2);
extern void ni_error_extra(const char *, ...) ni__printf(1, 2);
extern void ni_trace(const char *, ...) ni__printf(1, 2);
extern void ni_fatal(const char *, ...) ni__printf(1, 2) ni__noreturn;
+extern void ni_debug_verbose_config_xml(const xml_node_t *,
+ unsigned int, unsigned int,
+ const char *, ...) ni__printf(4, 5);
extern int ni_enable_debug(const char *);
extern int ni_debug_set_default(const char *);
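Review bot: The new `ni_debug_verbose_config_xml` prototype names `xml_node_t` in logging.h, but this hunk adds no include or forward declaration for it; only logging.c gains `#include <wicked/xml.h>`. If `xml_node_t` is not already typedef'd through one of logging.h's existing includes, every translation unit that includes logging.h without xml.h will fail to compile, so either add `#include <wicked/xml.h>` here or a forward typedef such as `typedef struct xml_node xml_node_t;` guarded against redefinition. This is presumably fine if a shared types header already provides it — worth confirming.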
@@ -117,6 +120,9 @@ extern unsigned int ni_log_level;
} \
} while (0)
+#define ni_debug_config_xml(xml_node, level, fmt, args...) \
+ ni_debug_verbose_config_xml(xml_node, level, NI_TRACE_WICKED_XML, fmt, ##args)
+
#define ni_debug_none(fmt, args...) do { } while (0)
#define ni_debug_verbose(level, facility, fmt, args...) \
diff --git a/src/logging.c b/src/logging.c
index 42e9f5e5..ce3a1623 100644
--- a/src/logging.c
+++ b/src/logging.c
@@ -18,6 +18,7 @@
#include <wicked/logging.h>
#include <wicked/util.h>
+#include <wicked/xml.h>
#include "util_priv.h"
#define NI_LOG_PID (1 << 0)
@@ -624,3 +625,39 @@ ni_fatal(const char *fmt, ...)
exit(1);
}
+void
+ni_debug_verbose_config_xml(const xml_node_t *node,
+ unsigned int level, unsigned int facility,
+ const char *fmt, ...)
+{
+ static const char *hidden = "***";
+ static const char * const npaths[] = {
+ "client-key-passwd",
+ "passphrase",
+ "password",
+ "modem-pin",
+ "wep/key",
+ NULL
+ };
+ xml_node_t *clone;
+ va_list ap;
+
+ if (!node || !ni_debug_guard(level, facility))
+ return;
+
+ if (!(clone = xml_node_clone(node, NULL)))
+ return;
+
+ xml_node_hide_cdata(clone, npaths, hidden);
+
+ va_start(ap, fmt);
+ if (!ni_log_syslog)
+ __ni_log_stderr("::: ", fmt, ap, "");
+ else
+ vsyslog(level, fmt, ap);
+
+ va_end(ap);
+
+ xml_node_print_debug(clone, facility);
+ xml_node_free(clone);
+}
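Review bot: The masking in `ni_debug_verbose_config_xml` covers only element cdata whose name path is in `npaths`; a secret carried in an XML attribute value, or under an element name not in that list, is still printed verbatim by `xml_node_print_debug`, and the list duplicates knowledge that patch 3 keeps separately in `ni_debug_escape_net_property` in src/wpa-supplicant.c. A comment next to the table would help the next maintainer keep both in sync, e.g. `/* Element name paths (see xml_node_hide_cdata) whose cdata is masked before logging; attributes are not masked. Keep in sync with ni_debug_escape_net_property() in wpa-supplicant.c. */`. Also note that `level` is checked by `ni_debug_guard` and used for the `vsyslog` header line, but the XML dump itself goes through `xml_node_print_debug(clone, facility)` with no level, so if that function logs at a fixed level the caller's level only gates the call rather than the dump — probably intended, but worth stating in the comment.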
--
2.35.3
From fb46cbdb2a200515bdc839dfaeaaf0ec9d0ee78c Mon Sep 17 00:00:00 2001
From: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
Date: Tue, 19 Mar 2024 11:01:32 +0100
Subject: [PATCH 3/5] wpa-supplicant: hide private_key_passwd from log
---
src/wpa-supplicant.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/wpa-supplicant.c b/src/wpa-supplicant.c
index 15a62b33..097f3036 100644
--- a/src/wpa-supplicant.c
+++ b/src/wpa-supplicant.c
@@ -1224,7 +1224,9 @@ ni_debug_escape_net_property(const char *prop_name)
NI_WPA_NET_PROPERTY_WEP_KEY1,
NI_WPA_NET_PROPERTY_WEP_KEY2,
NI_WPA_NET_PROPERTY_WEP_KEY3,
- NI_WPA_NET_PROPERTY_PASSWORD
+ NI_WPA_NET_PROPERTY_PASSWORD,
+ NI_WPA_NET_PROPERTY_PRIVATE_KEY,
+ NI_WPA_NET_PROPERTY_PRIVATE_KEY_PASSWD
};
if (!ni_wpa_net_property_type(prop_name, &type))
--
2.35.3
From 8b1e2826556a4c58a3c63bf41d1a7c2352ac44af Mon Sep 17 00:00:00 2001
From: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
Date: Tue, 19 Mar 2024 11:01:32 +0100
Subject: [PATCH 4/5] nanny: use ni_debug_config_xml for config dump
---
nanny/device.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/nanny/device.c b/nanny/device.c
index d769cf24..890f479d 100644
--- a/nanny/device.c
+++ b/nanny/device.c
@@ -205,8 +205,8 @@ ni_factory_device_apply_policy(ni_fsm_t *fsm, ni_ifworker_t *w, ni_managed_polic
w->name, type_name);
return -1;
}
- ni_debug_nanny("%s: using device config", w->name);
- xml_node_print_debug(config, 0);
+
+ ni_debug_config_xml(config, NI_LOG_DEBUG, "%s: using device config", w->name);
ni_ifworker_set_config(w, config, ni_fsm_policy_origin(policy));
xml_node_free(config);
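Review bot: The replacement changes which debug facility gates the "using device config" message: `ni_debug_nanny` presumably logged under the nanny facility, while `ni_debug_config_xml` routes through `ni_debug_guard(level, NI_TRACE_WICKED_XML)`, so the message itself (not just the XML dump) now disappears from a run that enables only the nanny facility — hedged, since the facility mapping is outside this hunk; if that is not intended, use `ni_debug_verbose_config_xml(config, NI_LOG_DEBUG, NI_TRACE_NANNY, "%s: using device config", w->name);` as patch 5 does for ifconfig. Stylistically, the hunk also adds a stray blank line before the call that the otherwise identical second hunk in this file does not, so one of the two should be aligned with the other. The enclosing function continues outside the hunk.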
@@ -269,8 +269,7 @@ ni_managed_device_apply_policy(ni_managed_device_t *mdev, ni_managed_policy_t *m
ni_error("%s: error when applying policy to %s document", w->name, type_name);
return -1;
}
- ni_debug_nanny("%s: using device config", w->name);
- xml_node_print_debug(config, 0);
+ ni_debug_config_xml(config, NI_LOG_DEBUG, "%s: using device config", w->name);
ni_managed_device_set_policy(mdev, mpolicy, config);
xml_node_free(config);
--
2.35.3
From 909ee2f91299c8660c675df1170a100c5eb00a89 Mon Sep 17 00:00:00 2001
From: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
Date: Tue, 19 Mar 2024 11:01:32 +0100
Subject: [PATCH 5/5] firmware: use ni_debug_config_xml for config dump
---
src/firmware.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/firmware.c b/src/firmware.c
index 2842664b..517bc266 100644
--- a/src/firmware.c
+++ b/src/firmware.c
@@ -158,8 +158,8 @@ ni_netif_firmware_discovery_script_ifconfig(xml_document_t **doc,
xml_document_free(*doc);
*doc = NULL;
} else if (ni_log_level_at(NI_LOG_DEBUG2)) {
- ni_debug_ifconfig("%s discovery script xml output:", type);
- xml_node_print_debug(xml_document_root(*doc), NI_TRACE_IFCONFIG);
+ ni_debug_verbose_config_xml(xml_document_root(*doc), NI_LOG_DEBUG2,
+ NI_TRACE_IFCONFIG, "%s discovery script xml output:", type);
}
}
ni_buffer_destroy(&buf);
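Review bot: The surrounding `else if (ni_log_level_at(NI_LOG_DEBUG2))` now duplicates the level check that `ni_debug_verbose_config_xml` performs internally via `ni_debug_guard(level, facility)`, since the same `NI_LOG_DEBUG2` is passed as the level argument. It is harmless and does avoid nothing extra (the helper also returns before cloning), so either keep it with a one-line comment noting the redundancy is deliberate, or simplify to a plain `else` and let the helper gate the dump. The enclosing function starts before this hunk.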
--
2.35.3