The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
proto_tacacs_tcp.c
Go to the documentation of this file.
1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 63d41e38a0506af8bfd75f1bb9707e108402156d $
19  * @file proto_tacacs_tcp.c
20  * @brief TACACS+ handler for TCP.
21  * @author Jorge Pereira <jpereira@freeradius.org>
22  *
23  * @copyright 2020 The FreeRADIUS server project.
24  * @copyright 2020 Network RADIUS SAS (legal@networkradius.com)
25  */
26 
27 #include <netdb.h>
28 #include <freeradius-devel/server/protocol.h>
29 #include <freeradius-devel/util/trie.h>
30 #include <freeradius-devel/io/application.h>
31 #include <freeradius-devel/io/listen.h>
32 #include <freeradius-devel/io/schedule.h>
33 #include "proto_tacacs.h"
34 
35 extern fr_app_io_t proto_tacacs_tcp;
36 
37 #define TACACS_MAX_ATTRIBUTES 256
38 
39 typedef struct {
40  char const *name; //!< socket name
41  int sockfd;
42 
43  fr_io_address_t *connection; //!< for connected sockets.
44 
45  fr_stats_t stats; //!< statistics for this socket
46 } proto_tacacs_tcp_thread_t;
47 
48 typedef struct {
49  CONF_SECTION *cs; //!< our configuration
50 
51  fr_ipaddr_t ipaddr; //!< IP address to listen on.
52 
53  char const *interface; //!< Interface to bind to.
54  char const *port_name; //!< Name of the port for getservent().
55 
56  uint32_t recv_buff; //!< How big the kernel's receive buffer should be.
57 
58  uint32_t max_packet_size; //!< for message ring buffer.
59  uint32_t max_attributes; //!< Limit maximum decodable attributes.
60 
61  uint16_t port; //!< Port to listen on.
62 
63  bool recv_buff_is_set; //!< Whether we were provided with a recv_buff
64  bool dynamic_clients; //!< whether we have dynamic clients
65 
66  fr_client_list_t *clients; //!< local clients
67 
68  fr_trie_t *trie; //!< for parsed networks
69  fr_ipaddr_t *allow; //!< allowed networks for dynamic clients
70  fr_ipaddr_t *deny; //!< denied networks for dynamic clients
71 } proto_tacacs_tcp_t;
72 
73 static const conf_parser_t networks_config[] = {
74  { FR_CONF_OFFSET_TYPE_FLAGS("allow", FR_TYPE_COMBO_IP_PREFIX , CONF_FLAG_MULTI, proto_tacacs_tcp_t, allow) },
75  { FR_CONF_OFFSET_TYPE_FLAGS("deny", FR_TYPE_COMBO_IP_PREFIX , CONF_FLAG_MULTI, proto_tacacs_tcp_t, deny) },
76 
77  CONF_PARSER_TERMINATOR
78 };
79 
80 static const conf_parser_t tcp_listen_config[] = {
81  { FR_CONF_OFFSET_TYPE_FLAGS("ipaddr", FR_TYPE_COMBO_IP_ADDR, 0, proto_tacacs_tcp_t, ipaddr) },
82  { FR_CONF_OFFSET_TYPE_FLAGS("ipv4addr", FR_TYPE_IPV4_ADDR, 0, proto_tacacs_tcp_t, ipaddr) },
83  { FR_CONF_OFFSET_TYPE_FLAGS("ipv6addr", FR_TYPE_IPV6_ADDR, 0, proto_tacacs_tcp_t, ipaddr) },
84 
85  { FR_CONF_OFFSET("interface", proto_tacacs_tcp_t, interface) },
86  { FR_CONF_OFFSET("port_name", proto_tacacs_tcp_t, port_name) },
87 
88  { FR_CONF_OFFSET("port", proto_tacacs_tcp_t, port), .dflt = "49" },
89  { FR_CONF_OFFSET_IS_SET("recv_buff", FR_TYPE_UINT32, 0, proto_tacacs_tcp_t, recv_buff) },
90 
91  { FR_CONF_OFFSET("dynamic_clients", proto_tacacs_tcp_t, dynamic_clients) } ,
92  { FR_CONF_POINTER("networks", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) networks_config },
93 
94  { FR_CONF_OFFSET("max_packet_size", proto_tacacs_tcp_t, max_packet_size), .dflt = "4096" } ,
95  { FR_CONF_OFFSET("max_attributes", proto_tacacs_tcp_t, max_attributes), .dflt = STRINGIFY(TACACS_MAX_ATTRIBUTES) } ,
96 
97  CONF_PARSER_TERMINATOR
98 };
99 
100 static const char *packet_name[] = {
101  [FR_TAC_PLUS_AUTHEN] = "Authentication",
102  [FR_TAC_PLUS_AUTHOR] = "Authorization",
103  [FR_TAC_PLUS_ACCT] = "Accounting",
104 };
105 
106 /** Read TACACS data from a TCP connection
107  *
108  * @param[in] li representing a client connection.
109  * @param[in] packet_ctx UNUSED.
110  * @param[out] recv_time_p When we read the packet.
111  * For some protocols we get this for free (but not here).
112  * @param[out] buffer to read into.
113  * @param[in] buffer_len Maximum length of the buffer.
114  * @param[in,out] leftover If the previous read didn't yield a complete packet
115  * we will have written how many bytes we read in leftover
116  * and returned 0. On the next call, we use the
117  * value of leftover to offset the position we start
118  * writing into the buffer.
119  * *leftover must be subtracted from buffer_len when
120  * calculating free space in the buffer.
121  * @return
122  * - >0 when a packet was read successfully.
123  * - 0 when we read a partial packet.
124  * - <0 on error (socket should be closed).
125  */
126 static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p,
127  uint8_t *buffer, size_t buffer_len, size_t *leftover)
128 {
129  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
130  ssize_t data_size, packet_len;
131  size_t in_buffer;
132 
133  /*
134  * We may have read multiple packets in the previous read. In which case the buffer may already
135  * have packets remaining. In that case, we can return packets directly from the buffer, and
136  * skip the read().
137  */
138  if (*leftover >= FR_HEADER_LENGTH) {
139  packet_len = fr_tacacs_length(buffer, *leftover);
140  if (packet_len < 0) goto invalid;
141 
142  if (packet_len <= ((ssize_t) *leftover)) {
143  data_size = 0;
144  goto have_packet;
145  }
146 
147  /*
148  * Else we don't have a full packet, try to read more data from the network.
149  */
150  }
151 
152  /*
153  * Read data into the buffer.
154  */
155  data_size = read(thread->sockfd, buffer + (*leftover), buffer_len - (*leftover));
156  if (data_size < 0) {
157  switch (errno) {
158 #if defined(EWOULDBLOCK) && (EWOULDBLOCK != EAGAIN)
159  case EWOULDBLOCK:
160 #endif
161  case EAGAIN:
162  /*
163  * We didn't read any data leave the buffers alone.
164  *
165  * i.e. if we had a partial packet in the buffer and we didn't read any data,
166  * then the partial packet is still left in the buffer.
167  */
168  return 0;
169 
170  default:
171  break;
172  }
173 
174  ERROR("proto_tacacs_tcp got read error (%zd) - %s", data_size, fr_syserror(errno));
175  return data_size;
176  }
177 
178  /*
179  * Note that we return ERROR for all bad packets, as
180  * there's no point in reading TACACS+ packets from a TCP
181  * connection which isn't sending us TACACS+ packets.
182  */
183 
184  /*
185  * TCP read of zero means the socket is dead.
186  */
187  if (!data_size) {
188  DEBUG2("proto_tacacs_tcp - other side closed the socket.");
189  return -1;
190  }
191 
192 have_packet:
193  /*
194  * Represents all the data we've read since we last
195  * decoded a complete packet.
196  */
197  in_buffer = *leftover + data_size;
198 
199  /*
200  * Figure out how big the complete TACACS packet should be.
201  * If we don't have enough data it'll likely come
202  * through in the next fragment.
203  */
204  packet_len = fr_tacacs_length(buffer, in_buffer);
205  if (packet_len < 0) {
206  invalid:
207  PERROR("Invalid TACACS packet");
208  return -1; /* Malformed, close the socket */
209  }
210 
211  /*
212  * We don't have a complete TACACS+ packet. Tell the
213  * caller that we need to read more, but record
214  * how much we read in leftover.
215  */
216  if (in_buffer < (size_t) packet_len) {
217  DEBUG3("proto_tacacs_tcp - Received packet fragment of %zu bytes (%zu bytes now pending)",
218  packet_len, *leftover);
219  *leftover = in_buffer;
220  return 0;
221  }
222 
223  /*
224  * We've read at least one packet. Tell the caller that
225  * there's more data available, and return only one packet.
226  */
227  *leftover = in_buffer - packet_len;
228 
229  *recv_time_p = fr_time();
230  thread->stats.total_requests++;
231 
232  /*
233  * proto_tacacs sets the priority
234  */
235 
236  /*
237  * Print out what we received.
238  */
239  FR_PROTO_HEX_DUMP(buffer, packet_len, "tacacs_tcp_recv");
240 
241  DEBUG2("proto_tacacs_tcp - Received %s seq_no %d length %d %s",
242  packet_name[buffer[1]], buffer[2],
243  (int) packet_len, thread->name);
244 
245  return packet_len;
246 }
247 
248 static ssize_t mod_write(fr_listen_t *li, UNUSED void *packet_ctx, UNUSED fr_time_t request_time,
249  uint8_t *buffer, size_t buffer_len, size_t written)
250 {
251  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
252  ssize_t data_size;
253 
254  /*
255  * We only write TACACS packets.
256  *
257  * @todo - if buffer_len ==1, it means "do not respond".
258  * Which should be suppressed somewhere. Maybe here...
259  */
260  fr_assert(buffer_len >= sizeof(fr_tacacs_packet_hdr_t));
261  fr_assert(written < buffer_len);
262 
263  /*
264  * @todo - share a stats interface with the parent? or
265  * put the stats in the listener, so that proto_tacacs
266  * can update them, too.. <sigh>
267  */
268  if (written == 0) {
269  thread->stats.total_responses++;
270  }
271 
272  /*
273  * Only write replies if they're TACACS+ packets.
274  * sometimes we want to NOT send a reply...
275  */
276  data_size = write(thread->sockfd, buffer + written, buffer_len - written);
277  if (data_size <= 0) return data_size;
278 
279  /*
280  * If we're supposed to close the socket, then go do that.
281  */
282  if ((data_size + written) == buffer_len) {
283  fr_tacacs_packet_t const *pkt = (fr_tacacs_packet_t const *) buffer;
284 
285  switch (pkt->hdr.type) {
286  case FR_TAC_PLUS_AUTHEN:
287  if (pkt->authen_reply.status == FR_TAC_PLUS_AUTHEN_STATUS_ERROR) goto close_it;
288  break;
289 
290 
291  case FR_TAC_PLUS_AUTHOR:
292  if (pkt->author_reply.status == FR_TAC_PLUS_AUTHOR_STATUS_ERROR) {
293  close_it:
294  DEBUG("Closing connection due to unrecoverable server error response");
295  return 0;
296  }
297  break;
298 
299  default:
300  break;
301  }
302  }
303 
304  /*
305  * Return the packet we wrote, plus any bytes previously
306  * left over from previous packets.
307  */
308  return data_size + written;
309 }
310 
311 static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
312 {
313  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
314 
315  thread->connection = connection;
316 
317  return 0;
318 }
319 
320 static void mod_network_get(void *instance, int *ipproto, bool *dynamic_clients, fr_trie_t const **trie)
321 {
322  proto_tacacs_tcp_t *inst = talloc_get_type_abort(instance, proto_tacacs_tcp_t);
323 
324  *ipproto = IPPROTO_TCP;
325  *dynamic_clients = inst->dynamic_clients;
326  *trie = inst->trie;
327 }
328 
329 /** Open a TCP listener for TACACS+
330  *
331  */
332 static int mod_open(fr_listen_t *li)
333 {
334  proto_tacacs_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_tacacs_tcp_t);
335  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
336 
337  int sockfd;
338  fr_ipaddr_t ipaddr = inst->ipaddr;
339  uint16_t port = inst->port;
340 
341  fr_assert(!thread->connection);
342 
343  li->fd = sockfd = fr_socket_server_tcp(&inst->ipaddr, &port, inst->port_name, true);
344  if (sockfd < 0) {
345  PERROR("Failed opening TCP socket");
346  error:
347  return -1;
348  }
349 
350  (void) fr_nonblock(sockfd);
351 
352  if (fr_socket_bind(sockfd, inst->interface, &ipaddr, &port) < 0) {
353  close(sockfd);
354  PERROR("Failed binding socket");
355  goto error;
356  }
357 
358  if (listen(sockfd, 8) < 0) {
359  close(sockfd);
360  PERROR("Failed listening on socket");
361  goto error;
362  }
363 
364  thread->sockfd = sockfd;
365 
366  fr_assert((cf_parent(inst->cs) != NULL) && (cf_parent(cf_parent(inst->cs)) != NULL)); /* listen { ... } */
367 
368  thread->name = fr_app_io_socket_name(thread, &proto_tacacs_tcp,
369  NULL, 0,
370  &inst->ipaddr, inst->port,
371  inst->interface);
372 
373  return 0;
374 }
375 
376 
377 /** Set the file descriptor for this socket.
378  */
379 static int mod_fd_set(fr_listen_t *li, int fd)
380 {
381  proto_tacacs_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_tacacs_tcp_t);
382  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
383 
384  thread->sockfd = fd;
385 
386  thread->name = fr_app_io_socket_name(thread, &proto_tacacs_tcp,
387  &thread->connection->socket.inet.src_ipaddr, thread->connection->socket.inet.src_port,
388  &inst->ipaddr, inst->port,
389  inst->interface);
390 
391  return 0;
392 }
393 
394 static char const *mod_name(fr_listen_t *li)
395 {
396  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
397 
398  return thread->name;
399 }
400 
401 static int mod_bootstrap(module_inst_ctx_t const *mctx)
402 {
403  proto_tacacs_tcp_t *inst = talloc_get_type_abort(mctx->inst->data, proto_tacacs_tcp_t);
404  CONF_SECTION *conf = mctx->inst->conf;
405  size_t num;
406  CONF_ITEM *ci;
407  CONF_SECTION *server_cs;
408 
409  inst->cs = conf;
410 
411  /*
412  * Complain if no "ipaddr" is set.
413  */
414  if (inst->ipaddr.af == AF_UNSPEC) {
415  cf_log_err(conf, "No 'ipaddr' was specified in the 'tcp' section");
416  return -1;
417  }
418 
419  if (inst->recv_buff_is_set) {
420  FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, >=, 32);
421  FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, <=, INT_MAX);
422  }
423 
424  FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 20);
425  FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65536);
426 
427  if (!inst->port) {
428  struct servent *s;
429 
430  if (!inst->port_name) {
431  cf_log_err(conf, "No 'port' was specified in the 'tcp' section");
432  return -1;
433  }
434 
435  s = getservbyname(inst->port_name, "tcp");
436  if (!s) {
437  cf_log_err(conf, "Unknown value for 'port_name = %s", inst->port_name);
438  return -1;
439  }
440 
441  inst->port = ntohl(s->s_port);
442  }
443 
444  /*
445  * Parse and create the trie for dynamic clients, even if
446  * there's no dynamic clients.
447  */
448  num = talloc_array_length(inst->allow);
449  if (!num) {
450  if (inst->dynamic_clients) {
451  cf_log_err(conf, "The 'allow' subsection MUST contain at least one 'network' entry when 'dynamic_clients = true'.");
452  return -1;
453  }
454  } else {
455  inst->trie = fr_master_io_network(inst, inst->ipaddr.af, inst->allow, inst->deny);
456  if (!inst->trie) {
457  cf_log_perr(conf, "Failed creating list of networks");
458  return -1;
459  }
460  }
461 
462  ci = cf_parent(inst->cs); /* listen { ... } */
463  fr_assert(ci != NULL);
464  ci = cf_parent(ci);
465  fr_assert(ci != NULL);
466 
467  server_cs = cf_item_to_section(ci);
468 
469  /*
470  * Look up local clients, if they exist.
471  *
472  * @todo - ensure that we only parse clients which are
473  * for IPPROTO_TCP, and require a "secret".
474  */
475  if (cf_section_find_next(server_cs, NULL, "client", CF_IDENT_ANY)) {
476  inst->clients = client_list_parse_section(server_cs, IPPROTO_TCP, false);
477  if (!inst->clients) {
478  cf_log_err(conf, "Failed creating local clients");
479  return -1;
480  }
481  }
482 
483  return 0;
484 }
485 
486 static fr_client_t *mod_client_find(fr_listen_t *li, fr_ipaddr_t const *ipaddr, int ipproto)
487 {
488  proto_tacacs_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_tacacs_tcp_t);
489 
490  /*
491  * Prefer local clients.
492  */
493  if (inst->clients) {
494  fr_client_t *client;
495 
496  client = client_find(inst->clients, ipaddr, ipproto);
497  if (client) return client;
498  }
499 
500  return client_find(NULL, ipaddr, ipproto);
501 }
502 
503 fr_app_io_t proto_tacacs_tcp = {
504  .common = {
505  .magic = MODULE_MAGIC_INIT,
506  .name = "tacacs_tcp",
507  .config = tcp_listen_config,
508  .inst_size = sizeof(proto_tacacs_tcp_t),
509  .thread_inst_size = sizeof(proto_tacacs_tcp_thread_t),
510  .bootstrap = mod_bootstrap,
511  },
512  .default_message_size = 4096,
513  .track_duplicates = false,
514 
515  .open = mod_open,
516  .read = mod_read,
517  .write = mod_write,
518  .fd_set = mod_fd_set,
519  .connection_set = mod_connection_set,
520  .network_get = mod_network_get,
521  .client_find = mod_client_find,
522  .get_name = mod_name,
523 };
buffer
static int const char char buffer[256]
Definition: acutest.h:574
fr_app_io_socket_name
char const * fr_app_io_socket_name(TALLOC_CTX *ctx, fr_app_io_t const *app_io, fr_ipaddr_t const *src_ipaddr, int src_port, fr_ipaddr_t const *dst_ipaddr, int dst_port, char const *interface)
Definition: app_io.c:32
fr_app_io_t::common
module_t common
Common fields to all loadable modules.
Definition: app_io.h:34
fr_app_io_t
Public structure describing an I/O path for a protocol.
Definition: app_io.h:33
STRINGIFY
#define STRINGIFY(x)
Definition: build.h:195
UNUSED
#define UNUSED
Definition: build.h:313
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition: cf_parse.h:626
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition: cf_parse.h:486
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:268
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition: cf_parse.h:310
FR_CONF_OFFSET_IS_SET
#define FR_CONF_OFFSET_IS_SET(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct,...
Definition: cf_parse.h:282
CONF_FLAG_MULTI
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition: cf_parse.h:420
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition: cf_parse.h:400
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:241
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition: cf_parse.h:563
cf_item
Common header for all CONF_* types.
Definition: cf_priv.h:49
cf_section
A section grouping multiple CONF_PAIR.
Definition: cf_priv.h:89
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition: cf_util.c:649
cf_section_find_next
CONF_SECTION * cf_section_find_next(CONF_SECTION const *cs, CONF_SECTION const *prev, char const *name1, char const *name2)
Return the next matching section.
Definition: cf_util.c:991
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition: cf_util.h:265
cf_parent
#define cf_parent(_cf)
Definition: cf_util.h:98
cf_log_perr
#define cf_log_perr(_cf, _fmt,...)
Definition: cf_util.h:272
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition: cf_util.h:78
ERROR
#define ERROR(fmt,...)
Definition: dhcpclient.c:41
sockfd
static int sockfd
Definition: dhcpclient.c:56
DEBUG
#define DEBUG(fmt,...)
Definition: dhcpclient.c:39
dl_module_instance_s::data
void *_CONST data
Module instance's parsed configuration.
Definition: dl_module.h:165
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition: dl_module.h:65
dl_module_instance_s::conf
CONF_SECTION *_CONST conf
Module's instance configuration.
Definition: dl_module.h:166
fr_ipaddr_t
IPv4/6 prefix.
Definition: merged_model.c:272
fr_io_address_t::socket
fr_socket_t socket
src/dst ip and port.
Definition: base.h:336
fr_io_address_t
Definition: base.h:335
fr_listen::app_io_instance
void const * app_io_instance
I/O path configuration context.
Definition: listen.h:32
fr_listen::thread_instance
void * thread_instance
thread / socket context
Definition: listen.h:33
fr_listen::fd
int fd
file descriptor for this socket - set by open
Definition: listen.h:28
fr_listen
Definition: listen.h:25
fr_client_s
Describes a host allowed to send packets to the server.
Definition: client.h:77
PERROR
#define PERROR(_fmt,...)
Definition: log.h:228
DEBUG3
#define DEBUG3(_fmt,...)
Definition: log.h:266
fr_master_io_network
fr_trie_t * fr_master_io_network(TALLOC_CTX *ctx, int af, fr_ipaddr_t *allow, fr_ipaddr_t *deny)
Create a trie from arrays of allow / deny IP addresses.
Definition: master.c:2744
uint16_t
unsigned short uint16_t
Definition: merged_model.c:31
FR_TYPE_IPV4_ADDR
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
Definition: merged_model.c:86
FR_TYPE_COMBO_IP_PREFIX
@ FR_TYPE_COMBO_IP_PREFIX
IPv4 or IPv6 address prefix depending on length.
Definition: merged_model.c:92
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition: merged_model.c:99
FR_TYPE_IPV6_ADDR
@ FR_TYPE_IPV6_ADDR
128 Bit IPv6 Address.
Definition: merged_model.c:88
FR_TYPE_COMBO_IP_ADDR
@ FR_TYPE_COMBO_IP_ADDR
IPv4 or IPv6 address depending on length.
Definition: merged_model.c:91
uint32_t
unsigned int uint32_t
Definition: merged_model.c:33
ssize_t
long int ssize_t
Definition: merged_model.c:24
uint8_t
unsigned char uint8_t
Definition: merged_model.c:30
fr_nonblock
int fr_nonblock(UNUSED int fd)
Definition: misc.c:284
module_inst_ctx_t::inst
dl_module_inst_t const * inst
Dynamic loader API handle for the module.
Definition: module_ctx.h:52
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition: module_ctx.h:51
proto_tacacs.h
proto_tacacs_tcp_t::trie
fr_trie_t * trie
for parsed networks
Definition: proto_tacacs_tcp.c:68
proto_tacacs_tcp_t::deny
fr_ipaddr_t * deny
denied networks for dynamic clients
Definition: proto_tacacs_tcp.c:70
mod_client_find
static fr_client_t * mod_client_find(fr_listen_t *li, fr_ipaddr_t const *ipaddr, int ipproto)
Definition: proto_tacacs_tcp.c:486
proto_tacacs_tcp_t::cs
CONF_SECTION * cs
our configuration
Definition: proto_tacacs_tcp.c:49
TACACS_MAX_ATTRIBUTES
#define TACACS_MAX_ATTRIBUTES
Definition: proto_tacacs_tcp.c:37
proto_tacacs_tcp_t::dynamic_clients
bool dynamic_clients
whether we have dynamic clients
Definition: proto_tacacs_tcp.c:64
proto_tacacs_tcp_t::recv_buff_is_set
bool recv_buff_is_set
Whether we were provided with a recv_buff.
Definition: proto_tacacs_tcp.c:63
proto_tacacs_tcp_thread_t::sockfd
int sockfd
Definition: proto_tacacs_tcp.c:41
packet_name
static const char * packet_name[]
Definition: proto_tacacs_tcp.c:100
proto_tacacs_tcp_t::ipaddr
fr_ipaddr_t ipaddr
IP address to listen on.
Definition: proto_tacacs_tcp.c:51
mod_bootstrap
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Definition: proto_tacacs_tcp.c:401
proto_tacacs_tcp_t::clients
fr_client_list_t * clients
local clients
Definition: proto_tacacs_tcp.c:66
proto_tacacs_tcp_t::interface
char const * interface
Interface to bind to.
Definition: proto_tacacs_tcp.c:53
mod_open
static int mod_open(fr_listen_t *li)
Open a TCP listener for TACACS+.
Definition: proto_tacacs_tcp.c:332
proto_tacacs_tcp_thread_t::connection
fr_io_address_t * connection
for connected sockets.
Definition: proto_tacacs_tcp.c:43
mod_name
static char const * mod_name(fr_listen_t *li)
Definition: proto_tacacs_tcp.c:394
networks_config
static const conf_parser_t networks_config[]
Definition: proto_tacacs_tcp.c:73
proto_tacacs_tcp_t::max_attributes
uint32_t max_attributes
Limit maximum decodable attributes.
Definition: proto_tacacs_tcp.c:59
proto_tacacs_tcp_t::max_packet_size
uint32_t max_packet_size
for message ring buffer.
Definition: proto_tacacs_tcp.c:58
mod_read
static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p, uint8_t *buffer, size_t buffer_len, size_t *leftover)
Read TACACS data from a TCP connection.
Definition: proto_tacacs_tcp.c:126
proto_tacacs_tcp
fr_app_io_t proto_tacacs_tcp
Definition: proto_tacacs_tcp.c:503
proto_tacacs_tcp_thread_t::stats
fr_stats_t stats
statistics for this socket
Definition: proto_tacacs_tcp.c:45
proto_tacacs_tcp_t::allow
fr_ipaddr_t * allow
allowed networks for dynamic clients
Definition: proto_tacacs_tcp.c:69
mod_network_get
static void mod_network_get(void *instance, int *ipproto, bool *dynamic_clients, fr_trie_t const **trie)
Definition: proto_tacacs_tcp.c:320
mod_write
static ssize_t mod_write(fr_listen_t *li, UNUSED void *packet_ctx, UNUSED fr_time_t request_time, uint8_t *buffer, size_t buffer_len, size_t written)
Definition: proto_tacacs_tcp.c:248
proto_tacacs_tcp_t::port_name
char const * port_name
Name of the port for getservent().
Definition: proto_tacacs_tcp.c:54
mod_connection_set
static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
Definition: proto_tacacs_tcp.c:311
proto_tacacs_tcp_thread_t::name
char const * name
socket name
Definition: proto_tacacs_tcp.c:40
proto_tacacs_tcp_t::port
uint16_t port
Port to listen on.
Definition: proto_tacacs_tcp.c:61
mod_fd_set
static int mod_fd_set(fr_listen_t *li, int fd)
Set the file descriptor for this socket.
Definition: proto_tacacs_tcp.c:379
proto_tacacs_tcp_t::recv_buff
uint32_t recv_buff
How big the kernel's receive buffer should be.
Definition: proto_tacacs_tcp.c:56
tcp_listen_config
static const conf_parser_t tcp_listen_config[]
Definition: proto_tacacs_tcp.c:80
proto_tacacs_tcp_t
Definition: proto_tacacs_tcp.c:48
proto_tacacs_tcp_thread_t
Definition: proto_tacacs_tcp.c:39
fr_tacacs_length
ssize_t fr_tacacs_length(uint8_t const *buffer, size_t buffer_len)
Definition: base.c:242
ipproto
static int ipproto
Definition: radclient-ng.c:94
DEBUG2
#define DEBUG2(fmt,...)
Definition: radclient.h:43
conf
static rs_t * conf
Definition: radsniff.c:53
fr_stats_t::total_responses
fr_uint_t total_responses
Definition: stats.h:43
fr_stats_t::total_requests
fr_uint_t total_requests
Definition: stats.h:40
fr_stats_t
Definition: stats.h:39
fr_socket_server_tcp
int fr_socket_server_tcp(fr_ipaddr_t const *src_ipaddr, uint16_t *src_port, char const *port_name, bool async)
Open an IPv4/IPv6 TCP socket.
Definition: socket.c:969
fr_socket_bind
int fr_socket_bind(int sockfd, char const *ifname, fr_ipaddr_t *src_ipaddr, uint16_t *src_port)
Bind a UDP/TCP v4/v6 socket to a given ipaddr src port, and interface.
Definition: socket.c:229
client_find
fr_client_t * client_find(fr_client_list_t const *clients, fr_ipaddr_t const *ipaddr, int proto)
Definition: client.c:375
client_list_parse_section
fr_client_list_t * client_list_parse_section(CONF_SECTION *section, int proto, TLS_UNUSED bool tls_required)
Definition: client.c:467
fr_client_list_s
Group of clients.
Definition: client.c:52
fr_assert
fr_assert(0)
inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3633
fr_time
#define fr_time()
Allow us to arbitrarily manipulate time.
Definition: state_test.c:8
fr_syserror
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition: syserror.c:243
FR_HEADER_LENGTH
#define FR_HEADER_LENGTH
Definition: tacacs.h:26
FR_TAC_PLUS_AUTHOR_STATUS_ERROR
@ FR_TAC_PLUS_AUTHOR_STATUS_ERROR
Definition: tacacs.h:214
FR_TAC_PLUS_ACCT
@ FR_TAC_PLUS_ACCT
Definition: tacacs.h:67
FR_TAC_PLUS_AUTHEN
@ FR_TAC_PLUS_AUTHEN
Definition: tacacs.h:65
FR_TAC_PLUS_AUTHOR
@ FR_TAC_PLUS_AUTHOR
Definition: tacacs.h:66
fr_tacacs_packet_t::hdr
fr_tacacs_packet_hdr_t hdr
Definition: tacacs.h:277
fr_tacacs_packet_hdr_t::type
fr_tacacs_type_t type
Definition: tacacs.h:97
FR_TAC_PLUS_AUTHEN_STATUS_ERROR
@ FR_TAC_PLUS_AUTHEN_STATUS_ERROR
Definition: tacacs.h:157
fr_tacacs_packet_hdr_t
Definition: tacacs.h:84
fr_tacacs_packet_t
Definition: tacacs.h:276
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition: talloc.h:270
fr_time_s
"server local" time.
Definition: time.h:69
fr_trie_s
Definition: trie.c:486
close
close(uq->fd)
FR_PROTO_HEX_DUMP
#define FR_PROTO_HEX_DUMP(_data, _data_len, _fmt,...)
Definition: proto.h:41
Generated by   doxygen 1.9.1