The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
proto_tacacs.c
Go to the documentation of this file.
1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: dc789dcfebdafb05eff6da881877e4b75891e583 $
19  * @file proto_tacacs.c
20  * @brief TACACS+ module.
21  *
22  * @copyright 2020 The FreeRADIUS server project.
23  * @copyright 2020 Network RADIUS SAS (legal@networkradius.com)
24  */
25 
26 #include <freeradius-devel/io/listen.h>
27 #include <freeradius-devel/io/master.h>
28 #include <freeradius-devel/util/debug.h>
29 
30 #include <freeradius-devel/tacacs/tacacs.h>
31 
32 #include "proto_tacacs.h"
33 
34 extern fr_app_t proto_tacacs;
35 
36 static int type_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule);
37 static int transport_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
38 
39 static conf_parser_t const limit_config[] = {
40  { FR_CONF_OFFSET("idle_timeout", proto_tacacs_t, io.idle_timeout), .dflt = "30.0" } ,
41 
42  { FR_CONF_OFFSET("max_connections", proto_tacacs_t, io.max_connections), .dflt = "1024" } ,
43 
44  /*
45  * For performance tweaking. NOT for normal humans.
46  */
47  { FR_CONF_OFFSET("max_packet_size", proto_tacacs_t, max_packet_size) } ,
48  { FR_CONF_OFFSET("num_messages", proto_tacacs_t, num_messages) } ,
49 
50  CONF_PARSER_TERMINATOR
51 };
52 
53 static const conf_parser_t priority_config[] = {
54  { FR_CONF_OFFSET("Authentication-Start", proto_tacacs_t, priorities[FR_TAC_PLUS_AUTHEN]),
55  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "high" },
56  { FR_CONF_OFFSET("Authentication-Continue", proto_tacacs_t, priorities[FR_TAC_PLUS_AUTHEN]),
57  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "high" },
58  { FR_CONF_OFFSET("Authorization-Request", proto_tacacs_t, priorities[FR_TAC_PLUS_AUTHOR]),
59  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "normal" },
60  { FR_CONF_OFFSET("Accounting-Request", proto_tacacs_t, priorities[FR_TAC_PLUS_ACCT]),
61  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "low" },
62 
63  CONF_PARSER_TERMINATOR
64 };
65 
66 static const conf_parser_t proto_tacacs_config[] = {
67  { FR_CONF_OFFSET_FLAGS("type", CONF_FLAG_NOT_EMPTY, proto_tacacs_t, allowed_types), .func = type_parse },
68  { FR_CONF_OFFSET_TYPE_FLAGS("transport", FR_TYPE_VOID, 0, proto_tacacs_t, io.submodule), .func = transport_parse },
69 
70  { FR_CONF_POINTER("limit", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) limit_config },
71  { FR_CONF_POINTER("priority", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) priority_config },
72 
73  CONF_PARSER_TERMINATOR
74 };
75 
76 static fr_dict_t const *dict_tacacs;
77 
78 extern fr_dict_autoload_t proto_tacacs_dict[];
79 fr_dict_autoload_t proto_tacacs_dict[] = {
80  { .out = &dict_tacacs, .proto = "tacacs" },
81  { NULL }
82 };
83 
84 
85 static fr_dict_attr_t const *attr_packet_type;
86 static fr_dict_attr_t const *attr_tacacs_user_name;
87 
88 extern fr_dict_attr_autoload_t proto_tacacs_dict_attr[];
89 fr_dict_attr_autoload_t proto_tacacs_dict_attr[] = {
90  { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tacacs},
91  { .out = &attr_tacacs_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
92  { NULL }
93 };
94 
95 /** Wrapper around dl_instance which translates the packet-type into a submodule name
96  *
97  * If we found a Packet-Type = Authentication-Start CONF_PAIR for example, here's we'd load
98  * the proto_tacacs_auth module.
99  *
100  * @param[in] ctx to allocate data in (instance of proto_tacacs).
101  * @param[out] out Where to write a dl_module_inst_t containing the module handle and instance.
102  * @param[in] parent Base structure address.
103  * @param[in] ci #CONF_PAIR specifying the name of the type module.
104  * @param[in] rule unused.
105  * @return
106  * - 0 on success.
107  * - -1 on failure.
108  */
109 static int type_parse(UNUSED TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
110 {
111  proto_tacacs_t *inst = talloc_get_type_abort(parent, proto_tacacs_t);
112  fr_dict_enum_value_t *dv;
113  CONF_PAIR *cp;
114  char const *value;
115 
116  cp = cf_item_to_pair(ci);
117  value = cf_pair_value(cp);
118 
119  dv = fr_dict_enum_by_name(attr_packet_type, value, -1);
120  if (!dv || !FR_TACACS_PACKET_CODE_VALID(dv->value->vb_uint32)) {
121  cf_log_err(ci, "Unknown TACACS+ packet type '%s'", value);
122  return -1;
123  }
124 
125  inst->allowed[dv->value->vb_uint32] = true;
126  *((char const **) out) = value;
127 
128  return 0;
129 }
130 
131 /** Wrapper around dl_instance
132  *
133  * @param[in] ctx to allocate data in (instance of proto_tacacs).
134  * @param[out] out Where to write a dl_module_inst_t containing the module handle and instance.
135  * @param[in] parent Base structure address.
136  * @param[in] ci #CONF_PAIR specifying the name of the type module.
137  * @param[in] rule unused.
138  * @return
139  * - 0 on success.
140  * - -1 on failure.
141  */
142 static int transport_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
143 {
144  char const *name = cf_pair_value(cf_item_to_pair(ci));
145  dl_module_inst_t *parent_inst;
146  proto_tacacs_t *inst;
147  CONF_SECTION *listen_cs = cf_item_to_section(cf_parent(ci));
148  CONF_SECTION *transport_cs;
149  dl_module_inst_t *dl_mod_inst;
150 
151  transport_cs = cf_section_find(listen_cs, name, NULL);
152 
153  parent_inst = cf_data_value(cf_data_find(listen_cs, dl_module_inst_t, "proto_tacacs"));
154  fr_assert(parent_inst);
155 
156  /*
157  * Set the allowed codes so that we can compile them as
158  * necessary.
159  */
160  inst = talloc_get_type_abort(parent_inst->data, proto_tacacs_t);
161  inst->io.transport = name;
162 
163  /*
164  * Allocate an empty section if one doesn't exist
165  * this is so defaults get parsed.
166  */
167  if (!transport_cs) {
168  transport_cs = cf_section_alloc(listen_cs, listen_cs, name, NULL);
169  inst->io.app_io_conf = transport_cs;
170  }
171 
172  if (dl_module_instance(ctx, &dl_mod_inst, parent_inst,
173  DL_MODULE_TYPE_SUBMODULE, name, dl_module_inst_name_from_conf(transport_cs)) < 0) return -1;
174  if (dl_module_conf_parse(dl_mod_inst, transport_cs) < 0) {
175  talloc_free(dl_mod_inst);
176  return -1;
177  }
178  *((dl_module_inst_t **)out) = dl_mod_inst;
179 
180  return 0;
181 }
182 
183 /** Decode the packet
184  *
185  */
186 static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t *const data, size_t data_len)
187 {
188  fr_io_track_t const *track = talloc_get_type_abort_const(request->async->packet_ctx, fr_io_track_t);
189  fr_io_address_t const *address = track->address;
190  fr_client_t const *client;
191  int code = -1;
192  fr_tacacs_packet_t const *pkt = (fr_tacacs_packet_t const *)data;
193  char const *secret;
194  size_t secretlen = 0;
195  fr_dict_attr_t const *dv = NULL;
196 
197  RHEXDUMP3(data, data_len, "proto_tacacs decode packet");
198 
199  /*
200  * Set the request dictionary so that we can do
201  * generic->protocol attribute conversions as
202  * the request runs through the server.
203  */
204  request->dict = dict_tacacs;
205 
206  client = address->radclient;
207 
208  /*
209  * Clients start at ID 1, and go up by 2.
210  */
211  if ((data[2] & 0x01) != 0x01) {
212  REDEBUG("Invalid sequence number %02x", data[2]);
213  return -1;
214  }
215 
216  request->packet->id = data[2]; // seq_no
217  request->reply->id = data[2] + 1; // seq_no, but requests are odd, replies are even! */
218 
219  request->packet->data = talloc_memdup(request->packet, data, data_len);
220  request->packet->data_len = data_len;
221 
222  secret = client->secret;
223  if (secret) {
224  if (!packet_is_encrypted((fr_tacacs_packet_t const *) data)) {
225  REDEBUG("Expected to see encrypted packet, got unencrypted packet!");
226  return -1;
227  }
228  secretlen = talloc_array_length(client->secret) - 1;
229  }
230 
231  /*
232  * See if there's a client-specific vendor in the "nas_type" field.
233  *
234  * If there's no such vendor, too bad for you.
235  */
236  if (client->nas_type) {
237  dv = fr_dict_attr_by_name(NULL, fr_dict_root(dict_tacacs), client->nas_type);
238  }
239 
240  /*
241  * Note that we don't set a limit on max_attributes here.
242  * That MUST be set and checked in the underlying
243  * transport, via a call to ???
244  */
245  if (fr_tacacs_decode(request->request_ctx, &request->request_pairs, dv,
246  request->packet->data, request->packet->data_len,
247  NULL, secret, secretlen, &code) < 0) {
248  RPEDEBUG("Failed decoding packet");
249  return -1;
250  }
251 
252  request->packet->code = code;
253 
254  /*
255  * RFC 8907 Section 3.6 says:
256  *
257  * If an error occurs but the type of the incoming packet cannot be determined, a packet with the
258  * identical cleartext header but with a sequence number incremented by one and the length set to
259  * zero MUST be returned to indicate an error.
260  *
261  * This is substantially retarded. It should instead just close the connection.
262  */
263 
264 
265  /*
266  * Set the rest of the fields.
267  */
268  request->client = UNCONST(fr_client_t *, client);
269 
270  request->packet->socket = address->socket;
271  fr_socket_addr_swap(&request->reply->socket, &address->socket);
272 
273  REQUEST_VERIFY(request);
274 
275  /*
276  * If we're defining a dynamic client, this packet is
277  * fake. We don't have a secret, so we mash all of the
278  * encrypted attributes to sane (i.e. non-hurtful)
279  * values.
280  */
281  if (!client->active) {
282  fr_pair_t *vp;
283 
284  fr_assert(client->dynamic);
285 
286  for (vp = fr_pair_list_head(&request->request_pairs);
287  vp != NULL;
288  vp = fr_pair_list_next(&request->request_pairs, vp)) {
289  if (!vp->da->flags.subtype) {
290  switch (vp->vp_type) {
291  default:
292  break;
293 
294  case FR_TYPE_UINT32:
295  vp->vp_uint32 = 0;
296  break;
297 
298  case FR_TYPE_IPV4_ADDR:
299  vp->vp_ipv4addr = INADDR_ANY;
300  break;
301 
302  case FR_TYPE_OCTETS:
303  fr_pair_value_memdup(vp, (uint8_t const *) "", 1, true);
304  break;
305 
306  case FR_TYPE_STRING:
307  fr_pair_value_strdup(vp, "", true);
308  break;
309  }
310  }
311  }
312  }
313 
314  if (RDEBUG_ENABLED) {
315  fr_pair_t *vp;
316 
317  RDEBUG("Received %s ID %i from %pV:%i to %pV:%i length %zu via socket %s",
318  fr_tacacs_packet_names[request->packet->code],
319  request->packet->id,
320  fr_box_ipaddr(request->packet->socket.inet.src_ipaddr),
321  request->packet->socket.inet.src_port,
322  fr_box_ipaddr(request->packet->socket.inet.dst_ipaddr),
323  request->packet->socket.inet.dst_port,
324  request->packet->data_len,
325  request->async->listen->name);
326 
327  log_request_pair_list(L_DBG_LVL_1, request, NULL, &request->request_pairs, NULL);
328 
329  /*
330  * Maybe the shared secret is wrong?
331  */
332  if (client->active &&
333  ((pkt->hdr.flags & FR_FLAGS_VALUE_UNENCRYPTED) == 0) &&
334  RDEBUG_ENABLED2 &&
335  ((vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_user_name)) != NULL) &&
336  (fr_utf8_str((uint8_t const *) vp->vp_strvalue, vp->vp_length) < 0)) {
337  RWDEBUG("Unprintable characters in the %s. "
338  "Double-check the shared secret on the server "
339  "and the TACACS+ Client!", attr_tacacs_user_name->name);
340  }
341  }
342 
343  if (fr_packet_pairs_from_packet(request->request_ctx, &request->request_pairs, request->packet) < 0) {
344  RPEDEBUG("Failed decoding 'Net.*' packet");
345  return -1;
346  }
347 
348  return 0;
349 }
350 
351 static ssize_t mod_encode(UNUSED void const *instance, request_t *request, uint8_t *buffer, size_t buffer_len)
352 {
353  fr_io_track_t *track = talloc_get_type_abort(request->async->packet_ctx, fr_io_track_t);
354  fr_io_address_t const *address = track->address;
355  ssize_t data_len;
356  fr_client_t const *client;
357  char const *secret;
358  size_t secretlen = 0;
359 
360  /*
361  * @todo - RFC 8907 Section 4.4. says:
362  *
363  * When the session is complete, the TCP connection should be handled as follows, according to
364  * whether Single Connection Mode was negotiated:
365  *
366  * * If Single Connection Mode was not negotiated, then the connection should be closed.
367  *
368  * * If Single Connection Mode was enabled, then the connection SHOULD be left open (see
369  * "Single Connection Mode" (Section 4.3)) but may still be closed after a timeout period to
370  * preserve deployment resources.
371  *
372  * * If Single Connection Mode was enabled, but an ERROR occurred due to connection issues
373  * (such as an incorrect secret (see Section 4.5)), then any further new sessions MUST NOT be
374  * accepted on the connection. If there are any sessions that have already been established,
375  * then they MAY be completed. Once all active sessions are completed, then the connection
376  * MUST be closed.
377  */
378 
379  /*
380  * Process layer NAK, or "Do not respond".
381  */
382  if ((buffer_len == 1) ||
383  !FR_TACACS_PACKET_CODE_VALID(request->reply->code)) {
384  track->do_not_respond = true;
385  return 1;
386  }
387 
388  client = address->radclient;
389  fr_assert(client);
390 
391  /*
392  * Dynamic client stuff
393  */
394  if (client->dynamic && !client->active) {
395  fr_client_t *new_client;
396 
397  fr_assert(buffer_len >= sizeof(client));
398 
399  /*
400  * Allocate the client. If that fails, send back a NAK.
401  *
402  * @todo - deal with NUMA zones? Or just deal with this
403  * client being in different memory.
404  *
405  * Maybe we should create a CONF_SECTION from the client,
406  * and pass *that* back to mod_write(), which can then
407  * parse it to create the actual client....
408  */
409  new_client = client_afrom_request(NULL, request);
410  if (!new_client) {
411  PERROR("Failed creating new client");
412  buffer[0] = true;
413  return 1;
414  }
415 
416  memcpy(buffer, &new_client, sizeof(new_client));
417  return sizeof(new_client);
418  }
419 
420  secret = client->secret;
421  if (secret) secretlen = talloc_array_length(client->secret) - 1;
422 
423  data_len = fr_tacacs_encode(&FR_DBUFF_TMP(buffer, buffer_len), request->packet->data,
424  secret, secretlen,
425  request->reply->code, &request->reply_pairs);
426  if (data_len < 0) {
427  RPEDEBUG("Failed encoding TACACS+ reply");
428  return -1;
429  }
430 
431  if (RDEBUG_ENABLED) {
432  RDEBUG("Sending %s ID %i from %pV:%i to %pV:%i length %zu via socket %s",
433  fr_tacacs_packet_names[request->reply->code],
434  request->reply->id,
435  fr_box_ipaddr(request->reply->socket.inet.src_ipaddr),
436  request->reply->socket.inet.src_port,
437  fr_box_ipaddr(request->reply->socket.inet.dst_ipaddr),
438  request->reply->socket.inet.dst_port,
439  data_len,
440  request->async->listen->name);
441 
442  log_request_pair_list(L_DBG_LVL_1, request, NULL, &request->reply_pairs, NULL);
443  }
444 
445  RHEXDUMP3(buffer, data_len, "proto_tacacs encode packet");
446 
447  return data_len;
448 }
449 
450 static int mod_priority_set(void const *instance, uint8_t const *buffer, UNUSED size_t buflen)
451 {
452  proto_tacacs_t const *inst = talloc_get_type_abort_const(instance, proto_tacacs_t);
453 
454  fr_assert(FR_TACACS_PACKET_CODE_VALID(buffer[1]));
455 
456  /*
457  * Disallowed packet
458  */
459  if (!inst->priorities[buffer[1]]) return 0;
460 
461  /*
462  * @todo - if we cared, we could also return -1 for "this
463  * is a bad packet". But that's really only for
464  * mod_inject, as we assume that app_io->read() always
465  * returns good packets.
466  */
467 
468  /*
469  * Return the configured priority.
470  */
471  return inst->priorities[buffer[1]];
472 }
473 
474 /** Open listen sockets/connect to external event source
475  *
476  * @param[in] instance Ctx data for this application.
477  * @param[in] sc to add our file descriptor to.
478  * @param[in] conf Listen section parsed to give us instance.
479  * @return
480  * - 0 on success.
481  * - -1 on failure.
482  */
483 static int mod_open(void *instance, fr_schedule_t *sc, UNUSED CONF_SECTION *conf)
484 {
485  proto_tacacs_t *inst = talloc_get_type_abort(instance, proto_tacacs_t);
486 
487  inst->io.app = &proto_tacacs;
488  inst->io.app_instance = instance;
489 
490  /*
491  * io.app_io should already be set
492  */
493  return fr_master_io_listen(inst, &inst->io, sc, inst->max_packet_size, inst->num_messages);
494 }
495 
496 /** Instantiate the application
497  *
498  * Instantiate I/O and type submodules.
499  *
500  * @return
501  * - 0 on success.
502  * - -1 on failure.
503  */
504 static int mod_instantiate(module_inst_ctx_t const *mctx)
505 {
506  proto_tacacs_t *inst = talloc_get_type_abort(mctx->inst->data, proto_tacacs_t);
507 
508  /*
509  * No IO module, it's an empty listener.
510  */
511  if (!inst->io.submodule) return 0;
512 
513  /*
514  * These configuration items are not printed by default,
515  * because normal people shouldn't be touching them.
516  */
517  if (!inst->max_packet_size && inst->io.app_io) inst->max_packet_size = inst->io.app_io->default_message_size;
518 
519  if (!inst->num_messages) inst->num_messages = 256;
520 
521  FR_INTEGER_BOUND_CHECK("num_messages", inst->num_messages, >=, 32);
522  FR_INTEGER_BOUND_CHECK("num_messages", inst->num_messages, <=, 65535);
523 
524  FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 1024);
525  FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65535);
526 
527  /*
528  * Instantiate the master io submodule
529  */
530  return fr_master_app_io.common.instantiate(MODULE_INST_CTX(inst->io.dl_inst));
531 }
532 
533 
534 /** Bootstrap the application
535  *
536  * Bootstrap I/O and type submodules.
537  *
538  * @return
539  * - 0 on success.
540  * - -1 on failure.
541  */
542 static int mod_bootstrap(module_inst_ctx_t const *mctx)
543 {
544  proto_tacacs_t *inst = talloc_get_type_abort(mctx->inst->data, proto_tacacs_t);
545 
546  /*
547  * Ensure that the server CONF_SECTION is always set.
548  */
549  inst->io.server_cs = cf_item_to_section(cf_parent(mctx->inst->conf));
550 
551  fr_assert(dict_tacacs != NULL);
552 
553  /*
554  * No IO module, it's an empty listener.
555  */
556  if (!inst->io.submodule) return 0;
557 
558  /*
559  * These timers are usually protocol specific.
560  */
561  FR_TIME_DELTA_BOUND_CHECK("idle_timeout", inst->io.idle_timeout, >=, fr_time_delta_from_sec(1));
562  FR_TIME_DELTA_BOUND_CHECK("idle_timeout", inst->io.idle_timeout, <=, fr_time_delta_from_sec(600));
563 
564  FR_TIME_DELTA_BOUND_CHECK("nak_lifetime", inst->io.nak_lifetime, >=, fr_time_delta_from_sec(1));
565  FR_TIME_DELTA_BOUND_CHECK("nak_lifetime", inst->io.nak_lifetime, <=, fr_time_delta_from_sec(600));
566 
567  /*
568  * Tell the master handler about the main protocol instance.
569  */
570  inst->io.app = &proto_tacacs;
571  inst->io.app_instance = inst;
572 
573  /*
574  * We will need this for dynamic clients and connected sockets.
575  */
576  inst->io.dl_inst = dl_module_instance_by_data(inst);
577  fr_assert(inst != NULL);
578 
579  /*
580  * Bootstrap the master IO handler.
581  */
582  return fr_master_app_io.common.bootstrap(MODULE_INST_CTX(inst->io.dl_inst));
583 }
584 
585 static int mod_load(void)
586 {
587  if (fr_tacacs_global_init() < 0) {
588  PERROR("Failed initialising tacacs");
589  return -1;
590  }
591 
592  return 0;
593 }
594 
595 static void mod_unload(void)
596 {
597  fr_tacacs_global_free();
598 }
599 
600 fr_app_t proto_tacacs = {
601  .common = {
602  .magic = MODULE_MAGIC_INIT,
603  .name = "tacacs",
604  .config = proto_tacacs_config,
605  .inst_size = sizeof(proto_tacacs_t),
606 
607  .onload = mod_load,
608  .unload = mod_unload,
609  .bootstrap = mod_bootstrap,
610  .instantiate = mod_instantiate
611  },
612  .dict = &dict_tacacs,
613  .open = mod_open,
614  .decode = mod_decode,
615  .encode = mod_encode,
616  .priority = mod_priority_set
617 };
buffer
static int const char char buffer[256]
Definition: acutest.h:574
fr_app_io_t::common
module_t common
Common fields to all loadable modules.
Definition: app_io.h:34
fr_app_t::common
module_t common
Common fields provided by all modules.
Definition: application.h:72
fr_app_t
Describes a new application (protocol)
Definition: application.h:71
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition: build.h:165
UNUSED
#define UNUSED
Definition: build.h:313
cf_table_parse_int
int cf_table_parse_int(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic function for parsing conf pair values as int.
Definition: cf_parse.c:1474
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition: cf_parse.h:626
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition: cf_parse.h:486
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:268
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition: cf_parse.h:310
FR_CONF_OFFSET_FLAGS
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:256
FR_TIME_DELTA_BOUND_CHECK
#define FR_TIME_DELTA_BOUND_CHECK(_name, _var, _op, _bound)
Definition: cf_parse.h:497
CONF_FLAG_NOT_EMPTY
@ CONF_FLAG_NOT_EMPTY
CONF_PAIR is required to have a non zero length value.
Definition: cf_parse.h:421
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition: cf_parse.h:400
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:241
cf_table_parse_ctx_t
Definition: cf_parse.h:621
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition: cf_parse.h:563
cf_item
Common header for all CONF_* types.
Definition: cf_priv.h:49
cf_pair
Configuration AVP similar to a fr_pair_t.
Definition: cf_priv.h:70
cf_section
A section grouping multiple CONF_PAIR.
Definition: cf_priv.h:89
cf_item_to_pair
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition: cf_util.c:629
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition: cf_util.c:970
cf_pair_value
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition: cf_util.c:1511
cf_data_value
void * cf_data_value(CONF_DATA const *cd)
Return the user assigned value of CONF_DATA.
Definition: cf_util.c:1680
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition: cf_util.c:649
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition: cf_util.h:265
cf_data_find
#define cf_data_find(_cf, _type, _name)
Definition: cf_util.h:220
cf_parent
#define cf_parent(_cf)
Definition: cf_util.h:98
cf_section_alloc
#define cf_section_alloc(_ctx, _parent, _name1, _name2)
Definition: cf_util.h:137
channel_packet_priority_len
size_t channel_packet_priority_len
Definition: channel.c:170
channel_packet_priority
fr_table_num_sorted_t const channel_packet_priority[]
Definition: channel.c:164
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition: dbuff.h:509
fr_dict_attr_by_name
fr_dict_attr_t const * fr_dict_attr_by_name(fr_dict_attr_err_t *err, fr_dict_attr_t const *parent, char const *attr))
Locate a fr_dict_attr_t by its name.
Definition: dict_util.c:2860
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition: dict.h:250
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition: dict.h:263
fr_dict_root
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
Definition: dict_util.c:1997
fr_dict_enum_value_t::value
fr_value_box_t const * value
Enum value (what name maps to).
Definition: dict.h:213
fr_dict_enum_by_name
fr_dict_enum_value_t * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Definition: dict_util.c:2992
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition: dict.h:249
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition: dict.h:262
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition: dict.h:209
value
Test enumeration values.
Definition: dict_test.h:92
dl_module_instance
int dl_module_instance(TALLOC_CTX *ctx, dl_module_inst_t **out, dl_module_inst_t const *parent, dl_module_type_t type, char const *mod_name, char const *inst_name)
Load a module and parse its CONF_SECTION in one operation.
Definition: dl_module.c:552
dl_module_inst_name_from_conf
char const * dl_module_inst_name_from_conf(CONF_SECTION *conf)
Avoid boilerplate when setting the module instance name.
Definition: dl_module.c:584
dl_module_instance_by_data
dl_module_inst_t const * dl_module_instance_by_data(void const *data)
Lookup a dl_module_inst_t via instance data.
Definition: dl_module.c:215
dl_module_conf_parse
int dl_module_conf_parse(dl_module_inst_t *dl_inst, CONF_SECTION *conf)
Definition: dl_module.c:594
DL_MODULE_TYPE_SUBMODULE
@ DL_MODULE_TYPE_SUBMODULE
Driver (or method in the case of EAP)
Definition: dl_module.h:71
dl_module_instance_s::data
void *_CONST data
Module instance's parsed configuration.
Definition: dl_module.h:165
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition: dl_module.h:65
dl_module_instance_s::conf
CONF_SECTION *_CONST conf
Module's instance configuration.
Definition: dl_module.h:166
dl_module_instance_s
A module/inst tuple.
Definition: dl_module.h:162
fr_io_address_t::socket
fr_socket_t socket
src/dst ip and port.
Definition: base.h:336
fr_io_address_t::radclient
fr_client_t const * radclient
old-style client definition
Definition: base.h:338
fr_io_address_t
Definition: base.h:335
fr_client_s::secret
char const * secret
Secret PSK.
Definition: client.h:87
fr_client_s::active
bool active
for dynamic clients
Definition: client.h:91
fr_client_s::nas_type
char const * nas_type
Type of client (arbitrary).
Definition: client.h:99
fr_client_s::dynamic
bool dynamic
Whether the client was dynamically defined.
Definition: client.h:90
fr_client_s
Describes a host allowed to send packets to the server.
Definition: client.h:77
log_request_pair_list
void log_request_pair_list(fr_log_lvl_t lvl, request_t *request, fr_pair_t const *parent, fr_pair_list_t const *vps, char const *prefix)
Print a fr_pair_list_t.
Definition: log.c:821
PERROR
#define PERROR(_fmt,...)
Definition: log.h:228
RWDEBUG
#define RWDEBUG(fmt,...)
Definition: log.h:361
RPEDEBUG
#define RPEDEBUG(fmt,...)
Definition: log.h:376
RHEXDUMP3
#define RHEXDUMP3(_data, _len, _fmt,...)
Definition: log.h:705
fr_packet_pairs_from_packet
int fr_packet_pairs_from_packet(TALLOC_CTX *ctx, fr_pair_list_t *list, fr_packet_t const *packet)
Allocate a "Net." struct with src/dst host and port.
Definition: packet.c:86
talloc_free
talloc_free(reap)
L_DBG_LVL_1
@ L_DBG_LVL_1
Highest priority debug messages (-x).
Definition: log.h:70
fr_master_app_io
fr_app_io_t fr_master_app_io
Definition: master.c:3131
fr_master_io_listen
int fr_master_io_listen(TALLOC_CTX *ctx, fr_io_instance_t *inst, fr_schedule_t *sc, size_t default_message_size, size_t num_messages)
Definition: master.c:2923
fr_io_track_s::address
fr_io_address_t const * address
of this packet.. shared between multiple packets
Definition: master.h:54
fr_io_track_s::do_not_respond
bool do_not_respond
don't respond
Definition: master.h:50
fr_io_track_s
Definition: master.h:40
FR_TYPE_IPV4_ADDR
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
Definition: merged_model.c:86
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition: merged_model.c:83
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition: merged_model.c:99
FR_TYPE_VOID
@ FR_TYPE_VOID
User data.
Definition: merged_model.c:127
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition: merged_model.c:84
ssize_t
long int ssize_t
Definition: merged_model.c:24
uint8_t
unsigned char uint8_t
Definition: merged_model.c:30
fr_dict_attr_t
Definition: merged_model.c:133
fr_dict_t
Definition: merged_model.c:198
request_t
Definition: merged_model.c:210
MODULE_INST_CTX
#define MODULE_INST_CTX(_dl_inst)
Wrapper to create a module_inst_ctx_t as a compound literal.
Definition: module_ctx.h:153
module_inst_ctx_t::inst
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
Definition: module_ctx.h:52
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition: module_ctx.h:51
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition: pair.c:688
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition: pair.c:2978
fr_pair_value_strdup
int fr_pair_value_strdup(fr_pair_t *vp, char const *src, bool tainted)
Copy data into an "string" data type.
Definition: pair.c:2631
fr_utf8_str
ssize_t fr_utf8_str(uint8_t const *str, ssize_t inlen)
Validate a complete UTF8 string.
Definition: print.c:145
mod_load
static int mod_load(void)
Definition: proto_tacacs.c:585
attr_packet_type
static fr_dict_attr_t const * attr_packet_type
Definition: proto_tacacs.c:85
mod_encode
static ssize_t mod_encode(UNUSED void const *instance, request_t *request, uint8_t *buffer, size_t buffer_len)
Definition: proto_tacacs.c:351
proto_tacacs_config
static const conf_parser_t proto_tacacs_config[]
Definition: proto_tacacs.c:66
proto_tacacs_dict_attr
fr_dict_attr_autoload_t proto_tacacs_dict_attr[]
Definition: proto_tacacs.c:89
limit_config
static conf_parser_t const limit_config[]
Definition: proto_tacacs.c:39
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition: proto_tacacs.c:76
mod_bootstrap
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Bootstrap the application.
Definition: proto_tacacs.c:542
mod_unload
static void mod_unload(void)
Definition: proto_tacacs.c:595
type_parse
static int type_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
mod_decode
static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t *const data, size_t data_len)
Decode the packet.
Definition: proto_tacacs.c:186
proto_tacacs_dict
fr_dict_autoload_t proto_tacacs_dict[]
Definition: proto_tacacs.c:79
priority_config
static const conf_parser_t priority_config[]
Definition: proto_tacacs.c:53
proto_tacacs
fr_app_t proto_tacacs
Definition: proto_tacacs.c:600
attr_tacacs_user_name
static fr_dict_attr_t const * attr_tacacs_user_name
Definition: proto_tacacs.c:86
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Instantiate the application.
Definition: proto_tacacs.c:504
mod_open
static int mod_open(void *instance, fr_schedule_t *sc, UNUSED CONF_SECTION *conf)
Open listen sockets/connect to external event source.
Definition: proto_tacacs.c:483
mod_priority_set
static int mod_priority_set(void const *instance, uint8_t const *buffer, UNUSED size_t buflen)
Definition: proto_tacacs.c:450
transport_parse
static int transport_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
proto_tacacs.h
proto_tacacs_t
An instance of a proto_tacacs listen section.
Definition: proto_tacacs.h:32
fr_tacacs_packet_names
char const * fr_tacacs_packet_names[FR_TACACS_CODE_MAX]
Definition: base.c:119
fr_tacacs_global_free
void fr_tacacs_global_free(void)
Definition: base.c:167
fr_tacacs_global_init
int fr_tacacs_global_init(void)
Definition: base.c:144
fr_tacacs_decode
ssize_t fr_tacacs_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dict_attr_t const *vendor, uint8_t const *buffer, size_t buffer_len, const uint8_t *original, char const *const secret, size_t secret_len, int *code)
Decode a TACACS+ packet.
Definition: decode.c:409
fr_tacacs_encode
ssize_t fr_tacacs_encode(fr_dbuff_t *dbuff, uint8_t const *original_packet, char const *secret, size_t secret_len, unsigned int code, fr_pair_list_t *vps)
Encode VPS into a raw TACACS packet.
Definition: encode.c:363
secret
static char * secret
Definition: radclient-ng.c:69
REDEBUG
#define REDEBUG(fmt,...)
Definition: radclient.h:52
RDEBUG_ENABLED2
#define RDEBUG_ENABLED2()
Definition: radclient.h:50
RDEBUG
#define RDEBUG(fmt,...)
Definition: radclient.h:53
RDEBUG_ENABLED
#define RDEBUG_ENABLED()
Definition: radclient.h:49
conf
static rs_t * conf
Definition: radsniff.c:53
REQUEST_VERIFY
#define REQUEST_VERIFY(_x)
Definition: request.h:275
name
static char const * name
Definition: rlm_redis_ippool_tool.c:156
instantiate
static int instantiate(module_inst_ctx_t const *mctx)
Definition: rlm_rest.c:1312
fr_schedule_s
The scheduler.
Definition: schedule.c:125
module_s::instantiate
module_instantiate_t instantiate
Definition: module.h:146
module_s::bootstrap
module_instantiate_t bootstrap
Definition: module.h:145
sc
static const uchar sc[16]
Definition: smbdes.c:115
client_afrom_request
fr_client_t * client_afrom_request(TALLOC_CTX *ctx, request_t *request)
Create a new client, consuming all attributes in the control list of the request.
Definition: client.c:915
fr_assert
fr_assert(0)
inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3633
vp
fr_pair_t * vp
Definition: state_machine.c:2271
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition: pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition: pair.h:69
FR_TAC_PLUS_ACCT
@ FR_TAC_PLUS_ACCT
Definition: tacacs.h:67
FR_TAC_PLUS_AUTHEN
@ FR_TAC_PLUS_AUTHEN
Definition: tacacs.h:65
FR_TAC_PLUS_AUTHOR
@ FR_TAC_PLUS_AUTHOR
Definition: tacacs.h:66
packet_is_encrypted
#define packet_is_encrypted(p)
Definition: tacacs.h:61
FR_TACACS_PACKET_CODE_VALID
#define FR_TACACS_PACKET_CODE_VALID(_code)
Definition: tacacs.h:321
fr_tacacs_packet_t::hdr
fr_tacacs_packet_hdr_t hdr
Definition: tacacs.h:277
fr_tacacs_packet_hdr_t::flags
fr_tacacs_flags_t flags
Definition: tacacs.h:99
fr_tacacs_packet_t
Definition: tacacs.h:276
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition: talloc.h:270
fr_time_delta_from_sec
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition: time.h:588
fr_pair_list_head
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
Definition: pair_inline.c:43
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition: pair_inline.c:70
parent
static fr_slen_t parent
Definition: pair.h:844
fr_socket_addr_swap
static void fr_socket_addr_swap(fr_socket_t *dst, fr_socket_t const *src)
Swap src/dst information of a fr_socket_t.
Definition: socket.h:121
fr_box_ipaddr
#define fr_box_ipaddr(_val)
Definition: value.h:287
data
static fr_slen_t data
Definition: value.h:1259
out
static size_t char ** out
Definition: value.h:984
Generated by   doxygen 1.9.1