Rework flag, ref, and alias parsing

Move duplicates to aliases, and disallow duplicate attribute names and numbers

share/dictionary/bfd/dictionary.rfc5880

@@ -23,9 +23,9 @@ MEMBER		detect-multi				uint8
 MEMBER		length					uint8
 MEMBER		my-discriminator			uint32
 MEMBER		your-discriminator			uint32
-MEMBER		desired-min-tx-interval			time_delta uint32,microseconds
-MEMBER		required-min-tx-interval		time_delta uint32,microseconds
-MEMBER		required-min-echo-interval		time_delta uint32,microseconds
+MEMBER		desired-min-tx-interval			time_delta subtype=uint32,precision=microseconds
+MEMBER		required-min-tx-interval		time_delta subtype=uint32,precision=microseconds
+MEMBER		required-min-echo-interval		time_delta subtype=uint32,precision=microseconds
 MEMBER		auth-type				uint8	key
 
 VALUE	diagnostic			none			0
@@ -71,4 +71,3 @@ MEMBER		key-id					uint8
 MEMBER		reserved				uint8
 MEMBER		sequence-number				uint32
 MEMBER		digest					octets[20]
-

share/dictionary/dns/dictionary.rfc1034

@@ -168,4 +168,4 @@ ATTRIBUTE	Padding					.12	octets
 ATTRIBUTE	Name-Server				4	struct	clone=Resource-Record
 
 #  additional "glue" RR, or OPT RR for peer signalling
-ATTRIBUTE	Additional-Record			4	struct	clone=Resource-Record
+ATTRIBUTE	Additional-Record			5	struct	clone=Resource-Record

share/dictionary/freeradius/dictionary.freeradius.internal

@@ -500,17 +500,17 @@ ATTRIBUTE	TLS-Session-Cipher-Suite		1948	string
 #
 #  Attributes for casting
 #
-ATTRIBUTE	Cast-Time-Res-Sec			1950	time_delta	seconds
-ATTRIBUTE	Cast-Time-Res-Min			1951	time_delta	minutes
-ATTRIBUTE	Cast-Time-Res-Hour			1952	time_delta	hours
-ATTRIBUTE	Cast-Time-Res-Day			1953	time_delta	days
-ATTRIBUTE	Cast-Time-Res-Week			1954	time_delta	weeks
-ATTRIBUTE	Cast-Time-Res-Month			1955	time_delta	months
-ATTRIBUTE	Cast-Time-Res-Year			1956	time_delta	years
-ATTRIBUTE	Cast-Time-Res-Centi-Sec			1957	time_delta	centiseconds
-ATTRIBUTE	Cast-Time-Res-Milli-Sec			1958	time_delta	milliseconds
-ATTRIBUTE	Cast-Time-Res-Micro-Sec			1959	time_delta	microseconds
-ATTRIBUTE	Cast-Time-Res-Nano-Sec			1960	time_delta	nanoseconds
+ATTRIBUTE	Cast-Time-Res-Sec			1950	time_delta	precision=seconds
+ATTRIBUTE	Cast-Time-Res-Min			1951	time_delta	precision=minutes
+ATTRIBUTE	Cast-Time-Res-Hour			1952	time_delta	precision=hours
+ATTRIBUTE	Cast-Time-Res-Day			1953	time_delta	precision=days
+ATTRIBUTE	Cast-Time-Res-Week			1954	time_delta	precision=weeks
+ATTRIBUTE	Cast-Time-Res-Month			1955	time_delta	precision=months
+ATTRIBUTE	Cast-Time-Res-Year			1956	time_delta	precision=years
+ATTRIBUTE	Cast-Time-Res-Centi-Sec			1957	time_delta	precision=centiseconds
+ATTRIBUTE	Cast-Time-Res-Milli-Sec			1958	time_delta	precision=milliseconds
+ATTRIBUTE	Cast-Time-Res-Micro-Sec			1959	time_delta	precision=microseconds
+ATTRIBUTE	Cast-Time-Res-Nano-Sec			1960	time_delta	precision=nanoseconds
 
 #
 #	Range:	1951-2199

share/dictionary/radius/dictionary

@@ -8,9 +8,7 @@ PROTOCOL	RADIUS		1	verify=lib
 BEGIN-PROTOCOL	RADIUS
 
 #
-#	Include compatibility dictionary for older users file. Move
-#	this directive to the end of this file if you want to see the
-#	old names in the logfiles, instead of the new names.
+#	These are mostly ALIASes
 #
 $INCLUDE dictionary.compat
 

share/dictionary/radius/dictionary.alvarion

@@ -298,17 +298,17 @@ ATTRIBUTE	VSA-255					255	string
 #	And these are what the above attributes should get mapped to,
 #	once we get around to caring.
 #
-ATTRIBUTE	Breezecom-Attr1				1	string
-ATTRIBUTE	Breezecom-Attr2				2	string
-ATTRIBUTE	Breezecom-Attr3				3	string
-ATTRIBUTE	Breezecom-Attr4				4	string
-ATTRIBUTE	Breezecom-Attr5				5	string
-ATTRIBUTE	Breezecom-Attr6				6	string
-ATTRIBUTE	Breezecom-Attr7				7	string
-ATTRIBUTE	Breezecom-Attr8				8	string
-ATTRIBUTE	Breezecom-Attr9				9	string
-ATTRIBUTE	Breezecom-Attr10			10	string
-ATTRIBUTE	Breezecom-Attr11			11	string
+ALIAS	Breezecom-Attr1				.VSA-1
+ALIAS	Breezecom-Attr2				.VSA-2
+ALIAS	Breezecom-Attr3				.VSA-3
+ALIAS	Breezecom-Attr4				.VSA-4
+ALIAS	Breezecom-Attr5				.VSA-5
+ALIAS	Breezecom-Attr6				.VSA-6
+ALIAS	Breezecom-Attr7				.VSA-7
+ALIAS	Breezecom-Attr8				.VSA-8
+ALIAS	Breezecom-Attr9				.VSA-9
+ALIAS	Breezecom-Attr10			.VSA-10
+ALIAS	Breezecom-Attr11			.VSA-11
 
 END-VENDOR	Alvarion
 ALIAS		Alvarion				Vendor-Specific.Alvarion

share/dictionary/radius/dictionary.cisco.asa

@@ -69,7 +69,7 @@ ATTRIBUTE	WebVPN-HTML-Filter			70	integer
 ATTRIBUTE	WebVPN-URL-List				71	string
 ATTRIBUTE	WebVPN-Port-Forwarding-List		72	string
 ATTRIBUTE	WebVPN-Access-List			73	string
-ATTRIBUTE	WebVPNACL				73	string
+ALIAS		WebVPNACL			.WebVPN-Access-List
 ATTRIBUTE	WebVPN-HTTP-Proxy-IP-Address		74	string
 ATTRIBUTE	Cisco-LEAP-Bypass			75	integer
 ATTRIBUTE	WebVPN-Default-Homepage			76	string
@@ -101,14 +101,18 @@ ATTRIBUTE	WebVPN-Apply-ACL			102	integer
 ATTRIBUTE	WebVPN-SSL-VPN-Client-Enable		103	integer
 ATTRIBUTE	WebVPN-SSL-VPN-Client-Required		104	integer
 ATTRIBUTE	WebVPN-SSL-VPN-Client-Keep-Installation	105	integer
-ATTRIBUTE	SVC-Keepalive				107	integer
 ATTRIBUTE	WebVPN-SVC-Keepalive-Frequency		107	integer
-ATTRIBUTE	SVC-DPD-Interval-Client			108	integer
+ALIAS		SVC-Keepalive				.WebVPN-SVC-Keepalive-Frequency
+
 ATTRIBUTE	WebVPN-SVC-Client-DPD-Frequency		108	integer
-ATTRIBUTE	SVC-DPD-Interval-Gateway		109	integer
+ALIAS		SVC-DPD-Interval-Client			.WebVPN-SVC-Client-DPD-Frequency
+
 ATTRIBUTE	WebVPN-SVC-Gateway-DPD-Frequency	109	integer
-ATTRIBUTE	SVC-Rekey-Time				110	integer
+ALIAS		SVC-DPD-Interval-Gateway		.WebVPN-SVC-Gateway-DPD-Frequency
+
 ATTRIBUTE	WebVPN-SVC-Rekey-Time			110	integer
+ALIAS		SVC-Rekey-Time				.WebVPN-SVC-Rekey-Time
+
 ATTRIBUTE	WebVPN-SVC-Rekey-Method			111	integer
 ATTRIBUTE	WebVPN-SVC-Compression			112	integer
 ATTRIBUTE	WebVPN-Customization			113	string
@@ -117,25 +121,34 @@ ATTRIBUTE	WebVPN-Deny-Message			116	string
 ATTRIBUTE	WebVPN-HTTP-Compression			120	integer
 ATTRIBUTE	WebVPN-Keepalive-Ignore			121	integer
 ATTRIBUTE	Extended-Authentication-On-Rekey	122	integer
-ATTRIBUTE	SVC-DTLS				123	integer
+
 ATTRIBUTE	WebVPN-SVC-DTLS-Enable			123	integer
+ALIAS		SVC-DTLS-Enable				.WebVPN-SVC-DTLS-Enable
+
 ATTRIBUTE	WebVPN-Auto-HTTP-Signon			124	string
-ATTRIBUTE	SVC-MTU					125	integer
+
 ATTRIBUTE	WebVPN-SVC-DTLS-MTU			125	integer
+ALIAS		SVC-MTU					.WebVPN-SVC-DTLS-MTU
+
 ATTRIBUTE	WebVPN-Hidden-Shares			126	integer
 ATTRIBUTE	SVC-Modules				127	string
 ATTRIBUTE	SVC-Profiles				128	string
 ATTRIBUTE	SVC-Ask					131	integer
 ATTRIBUTE	SVC-Ask-Timeout				132	integer
 ATTRIBUTE	IE-Proxy-PAC-URL			133	string
 ATTRIBUTE	Strip-Realm				135	integer
-ATTRIBUTE	Smart-Tunnel				136	string
+
 ATTRIBUTE	WebVPN-Smart-Tunnel			136	string
+ALIAS		Smart-Tunnel				.WebVPN-Smart-Tunnel
+
 ATTRIBUTE	WebVPN-ActiveX-Relay			137	integer
-ATTRIBUTE	Smart-Tunnel-Auto			138	integer
+
 ATTRIBUTE	WebVPN-Smart-Tunnel-Auto-Start		138	integer
-ATTRIBUTE	Smart-Tunnel-Auto-Signon-Enable		139	string
+ALIAS		Smart-Tunnel-Auto-Start			.WebVPN-Smart-Tunnel-Auto-Start
+
 ATTRIBUTE	WebVPN-Smart-Tunnel-Auto-Sign-On	139	string
+ALIAS		Smart-Tunnel-Auto-Signon-Enable		.WebVPN-Smart-Tunnel-Auto-Sign-On
+
 ATTRIBUTE	VLAN					140	integer
 ATTRIBUTE	NAC-Settings				141	string
 ATTRIBUTE	Member-Of				145	string
@@ -290,9 +303,9 @@ VALUE	SessionType			IKEv1-LAN-to-LAN	6
 VALUE	SessionType			IKEv2-LAN-to-LAN	7
 VALUE	SessionType			VPN-Load-Balancing	8
 
-VALUE	Smart-Tunnel-Auto		Disabled		0
-VALUE	Smart-Tunnel-Auto		Enabled			1
-VALUE	Smart-Tunnel-Auto		AutoStart		2
+VALUE	Smart-Tunnel-Auto-Start		Disabled		0
+VALUE	Smart-Tunnel-Auto-Start		Enabled			1
+VALUE	Smart-Tunnel-Auto-Start		AutoStart		2
 
 VALUE	Strip-Realm			Disabled		0
 VALUE	Strip-Realm			Enabled			1
@@ -302,9 +315,6 @@ VALUE	SVC-Ask				Enabled			1
 VALUE	SVC-Ask				Enable-Default-Service	3
 VALUE	SVC-Ask				Enable-Default-Clientless 5
 
-VALUE	SVC-DTLS			FALSE			0
-VALUE	SVC-DTLS			TRUE			1
-
 VALUE	Use-Client-Address		Disabled		0
 VALUE	Use-Client-Address		Enabled			1
 

share/dictionary/radius/dictionary.compat

@@ -10,25 +10,23 @@
 
 #  This has been removed.  Too many people get it wrong.
 #ATTRIBUTE	Password				2	string	encrypt=1
-ATTRIBUTE	Client-Id				4	ipaddr
-ATTRIBUTE	Client-Port-Id				5	integer
-ATTRIBUTE	User-Service-Type			6	integer
-ATTRIBUTE	Framed-Address				8	ipaddr
-ATTRIBUTE	Framed-Netmask				9	ipaddr
-ATTRIBUTE	Framed-Filter-Id			11	string
-ATTRIBUTE	Login-Host				14	ipaddr
-ATTRIBUTE	Login-Port				16	integer
+ALIAS		Client-Id				NAS-IP-Address
+ALIAS		Client-Port-Id				NAS-Port
+ALIAS		Framed-Address				Framed-IP-Address
+ALIAS		Framed-Netmask				Framed-IP-Netmask
+ALIAS		Framed-Filter-Id			Filter-ID
+ALIAS		Login-Host				Login-IP-Host
+ALIAS		Login-Port				Login-TCP-Port
 ATTRIBUTE	Old-Password				17	string
-ATTRIBUTE	Port-Message				18	string
-ATTRIBUTE	Dialback-No				19	string
-ATTRIBUTE	Dialback-Name				20	string
-ATTRIBUTE	Challenge-State				24	octets
+ALIAS		Port-Message				Reply-Message
+ALIAS		Dialback-No				Callback-Number
+ALIAS		Dialback-Name				Callback-Id
+ALIAS		Challenge-State				State
 
-ATTRIBUTE	Framed-Compression			13	integer
+# Other enumeration names for hte same integers
 VALUE	Framed-Compression		Van-Jacobsen-TCP-IP	1
 VALUE	Framed-Compression		VJ-TCP-IP		1
 
-ATTRIBUTE	Service-Type				6	integer
 VALUE	Service-Type			Shell-User		6
 VALUE	Service-Type			Dialback-Login-User	3
 VALUE	Service-Type			Dialback-Framed-User	4
@@ -37,14 +35,17 @@ VALUE	Service-Type			Dialout-Framed-User	5
 #
 #	For compatibility with MERIT users files.
 #
-ATTRIBUTE	Login-Callback-Number			19	string
-ATTRIBUTE	Framed-Callback-Id			20	string
-ATTRIBUTE	Client-Port-DNIS			30	string
-ATTRIBUTE	Caller-ID				31	string
+ALIAS	Login-Callback-Number				Callback-Number
+ALIAS	Framed-Callback-Id				Callback-Id
+ALIAS	Client-Port-DNIS				Called-Station-ID
+ALIAS	Caller-ID					Calling-Station-Id
+
 VALUE	Service-Type			Login			1
 VALUE	Service-Type			Framed			2
 VALUE	Service-Type			Callback-Login		3
 VALUE	Service-Type			Callback-Framed		4
 VALUE	Service-Type			Exec-User		7
 
 VALUE	Acct-Status-Type		Alive			3
+
+ALIAS	User-Service-Type			Service-Type

share/dictionary/radius/dictionary.foundry

@@ -26,11 +26,11 @@ ATTRIBUTE	INM-Role-Aor-List			9	string
 ATTRIBUTE	SI-Context-Role				10	string
 # COA-Command appears to stomp on SI-Context-Role (different departments)
 # https://www.brocade.com/content/html/en/fastiron-os/08-0-60/fastiron-08060-securityguide/GUID-A3193D90-3FF4-4B04-8C6D-084743FDE91C.html
-ATTRIBUTE	COA-Command				10	string
+ALIAS		COA-Command				.SI-Context-Role
 ATTRIBUTE	SI-Role-Template			11	string
 # Voice-Phone-Config appears to stomp on SI-Role-Template (different departments)
 # http://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-securityguide/GUID-7E649B6D-A80B-40FD-A19A-478ED22C3E2A.html
-ATTRIBUTE	Voice-Phone-Config			11	string
+ALIAS		Voice-Phone-Config			.SI-Role-Template
 
 VALUE	INM-Privilege			AAA_pri_0		0
 VALUE	INM-Privilege			AAA_pri_1		1

share/dictionary/radius/dictionary.hp

@@ -54,7 +54,7 @@ ATTRIBUTE	CPPM-Secondary-Role			28	string
 ATTRIBUTE	Port-Priority-Regeneration-Table	40	string
 
 # Access control
-ATTRIBUTE	Cos					40	string
+ALIAS		Cos					.Port-Priority-Regeneration-Table
 #ATTRIBUTE	Rate-Limit				46	integer
 
 ATTRIBUTE	Bandwidth-Max-Ingress			46	integer
@@ -63,7 +63,7 @@ ATTRIBUTE	Bandwidth-Max-Egress			48	integer
 ATTRIBUTE	Ip-Filter-Raw				61	string
 
 # Client ACL attributes
-ATTRIBUTE	Nas-Filter-Rule				61	string
+ALIAS		Nas-Filter-Rule				.Ip-Filter-Raw
 ATTRIBUTE	Access-Profile				62	string
 ATTRIBUTE	Nas-Rules-IPv6				63	integer
 

share/dictionary/radius/dictionary.microsoft

@@ -25,7 +25,7 @@ VALUE	MPPE-Encryption-Policy		Encryption-Required	2
 # This is referred to as both singular and plural in the RFC.
 # Plural seems to make more sense.
 ATTRIBUTE	MPPE-Encryption-Type			8	integer
-ATTRIBUTE	MPPE-Encryption-Types			8	integer
+ALIAS		MPPE-Encryption-Types			.MPPE-Encryption-Type
 
 VALUE	MPPE-Encryption-Types		RC4-40bit-Allowed	1
 VALUE	MPPE-Encryption-Types		RC4-128bit-Allowed	2
@@ -171,4 +171,3 @@ VALUE	Extended-Quarantine-State	No-Data			4
 END-VENDOR Microsoft
 
 ALIAS		Microsoft				Vendor-Specific.Microsoft
-

share/dictionary/radius/dictionary.nomadix

@@ -23,7 +23,7 @@ ATTRIBUTE	Subnet					6	string
 ATTRIBUTE	MaxBytesUp				7	integer
 ATTRIBUTE	MaxBytesDown				8	integer
 ATTRIBUTE	EndofSession				9	integer
-ATTRIBUTE	Session-Terminate-End-Of-Day		9	integer
+ALIAS		Session-Terminate-End-Of-Day		.EndofSession
 ATTRIBUTE	Logoff-URL				10	string
 ATTRIBUTE	Net-VLAN				11	integer
 ATTRIBUTE	Config-URL				12	string

share/dictionary/radius/dictionary.sonicwall

@@ -13,8 +13,6 @@ VENDOR		SonicWall			8741
 #  Backwards compatibility.
 BEGIN-VENDOR	SonicWall
 
-ATTRIBUTE	SS3-Firewall-User-Privilege		1	integer
-
 #  New names.
 ATTRIBUTE	User-Privilege				1	integer
 VALUE	User-Privilege			Remote-Access		1 # deprecated
@@ -27,6 +25,9 @@ VALUE	User-Privilege			Wireless-Guest		7 # standard
 VALUE	User-Privilege			Wireless-Add-ACL	8
 VALUE	User-Privilege			Internet-Access		9 # standard
 
+
+ALIAS	SS3-Firewall-User-Privilege		.User-Privilege
+
 # Those values indicated as "standard" are applicable only on a SonicWall
 # firewall running standard firmware and not on one running enhanced firmware.
 

share/dictionary/tacacs/dictionary.rfc8907

@@ -22,8 +22,8 @@ DEFINE	inacl						string
 DEFINE	outacl						string
 DEFINE	addr						ipv4addr
 DEFINE	addr-pool					string
-DEFINE	timeout						time_delta minutes
-DEFINE	idletime					time_delta minutes
+DEFINE	timeout						time_delta precision=minutes
+DEFINE	idletime					time_delta precision=minutes
 DEFINE	autocmd						string
 DEFINE	noescape					bool
 DEFINE	nohangup					bool

src/lib/util/dict_ext.c

@@ -24,6 +24,7 @@
 RCSID("$Id$")
 
 #include <freeradius-devel/util/dict_priv.h>
+#include <freeradius-devel/util/dict_ext_priv.h>
 
 static fr_table_num_ordered_t const dict_attr_ext_table[] = {
 	{ L("name"),			FR_DICT_ATTR_EXT_NAME			},

src/lib/util/dict_ext.h

@@ -54,11 +54,31 @@ typedef struct {
 	fr_dict_attr_t const	**children;			//!< Children of this attribute.
 } fr_dict_attr_ext_children_t;
 
+DIAG_OFF(attributes)
+typedef enum CC_HINT(flag_enum) {
+	FR_DICT_ATTR_REF_NONE		= 0x00,			//!< No ref set.
+	FR_DICT_ATTR_REF_ALIAS		= 0x01,			//!< The attribute is an alias for another attribute.
+								///< Either a straight ALIAS, or a reference into another
+								///< dictionary.
+	FR_DICT_ATTR_REF_CLONE		= 0x02,			//!< The attribute is a "copy" of another attribute.
+	FR_DICT_ATTR_REF_ENUM		= 0x04,			//!< The attribute is an enumeration value.
+	FR_DICT_ATTR_REF_UNRESOLVED	= 0x10			//!< This flag is combined with the other states to indicate
+								///< that the reference is unresolved.
+} fr_dict_attr_ref_type_t;
+DIAG_ON(attributes)
+
+#define fr_dict_attr_ref_is_unresolved(_type)	((_type) & FR_DICT_ATTR_REF_UNRESOLVED)
+#define fr_dict_attr_ref_type(_type)		((_type) & ~FR_DICT_ATTR_REF_UNRESOLVED)
+
 /** Attribute extension - Holds a reference to an attribute in another dictionary
  *
  */
 typedef struct {
-	fr_dict_attr_t const	*ref;				//!< reference, only for #FR_TYPE_GROUP
+	fr_dict_attr_ref_type_t type;				//!< The state of the reference.
+	union {
+		fr_dict_attr_t const	*ref;			//!< A resolved pointer to the referenced attribute.
+		char			*unresolved;		//!< An unresolved reference (will need resolving later).
+	};
 } fr_dict_attr_ext_ref_t;
 
 /** Attribute extension - Cached vendor pointer
@@ -168,6 +188,16 @@ static inline fr_dict_attr_t const *fr_dict_attr_ref(fr_dict_attr_t const *da)
 	ext = fr_dict_attr_ext(da, FR_DICT_ATTR_EXT_REF);
 	if (!ext) return NULL;
 
+	/*
+	 *	Unresolve refs aren't valid refs...
+	 */
+	if (fr_dict_attr_ref_is_unresolved(ext->type)) return NULL;
+
+	/*
+	 *	Temporary backwards compatibility...
+	 */
+	if (ext->type != FR_DICT_ATTR_REF_ALIAS) return NULL;
+
 	return ext->ref;
 }