The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 8c1b0e9c48c015121156375ac8bbf56a4759e15c $
19 * @file src/process/tacacs/base.c
20 * @brief TACACS+ handler.
21 * @author Jorge Pereira <jpereira@freeradius.org>
22 *
23 * @copyright 2020 The FreeRADIUS server project.
24 * @copyright 2020 Network RADIUS SAS (legal@networkradius.com)
25 */
26
27
28#include <freeradius-devel/io/listen.h>
29#include <freeradius-devel/io/master.h>
30#include <freeradius-devel/server/main_config.h>
31#include <freeradius-devel/server/protocol.h>
32#include <freeradius-devel/server/state.h>
33#include <freeradius-devel/tacacs/tacacs.h>
34#include <freeradius-devel/unlang/call.h>
35#include <freeradius-devel/util/debug.h>
36
37#include <freeradius-devel/protocol/tacacs/tacacs.h>
38
39static fr_dict_t const *dict_freeradius;
40static fr_dict_t const *dict_tacacs;
41
42extern fr_dict_autoload_t process_tacacs_dict[];
43fr_dict_autoload_t process_tacacs_dict[] = {
44 { .out = &dict_freeradius, .proto = "freeradius" },
45 { .out = &dict_tacacs, .proto = "tacacs" },
46 { NULL }
47};
48
49static fr_dict_attr_t const *attr_auth_type;
50static fr_dict_attr_t const *attr_module_failure_message;
51static fr_dict_attr_t const *attr_module_success_message;
52static fr_dict_attr_t const *attr_stripped_user_name;
53static fr_dict_attr_t const *attr_packet_type;
54
55static fr_dict_attr_t const *attr_tacacs_action;
56static fr_dict_attr_t const *attr_tacacs_authentication_action;
57static fr_dict_attr_t const *attr_tacacs_authentication_flags;
58static fr_dict_attr_t const *attr_tacacs_authentication_type;
59static fr_dict_attr_t const *attr_tacacs_authentication_service;
60static fr_dict_attr_t const *attr_tacacs_authentication_status;
61
62static fr_dict_attr_t const *attr_tacacs_authorization_status;
63static fr_dict_attr_t const *attr_tacacs_accounting_status;
64static fr_dict_attr_t const *attr_tacacs_accounting_flags;
65
66static fr_dict_attr_t const *attr_tacacs_client_port;
67static fr_dict_attr_t const *attr_tacacs_data;
68static fr_dict_attr_t const *attr_tacacs_privilege_level;
69static fr_dict_attr_t const *attr_tacacs_remote_address;
70static fr_dict_attr_t const *attr_tacacs_server_message;
71static fr_dict_attr_t const *attr_tacacs_session_id;
72static fr_dict_attr_t const *attr_tacacs_sequence_number;
73static fr_dict_attr_t const *attr_tacacs_state;
74static fr_dict_attr_t const *attr_tacacs_user_message;
75
76static fr_dict_attr_t const *attr_user_name;
77static fr_dict_attr_t const *attr_user_password;
78static fr_dict_attr_t const *attr_chap_password;
79
80extern fr_dict_attr_autoload_t process_tacacs_dict_attr[];
81fr_dict_attr_autoload_t process_tacacs_dict_attr[] = {
82 { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
83 { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
84 { .out = &attr_module_success_message, .name = "Module-Success-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
85 { .out = &attr_stripped_user_name, .name = "Stripped-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
86 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
87
88 { .out = &attr_tacacs_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
89 { .out = &attr_tacacs_authentication_flags, .name = "Authentication-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
90 { .out = &attr_tacacs_authentication_type, .name = "Authentication-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
91 { .out = &attr_tacacs_authentication_service, .name = "Authentication-Service", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
92
93 { .out = &attr_tacacs_authentication_status, .name = "Authentication-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
94 { .out = &attr_tacacs_authorization_status, .name = "Authorization-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
95
96 { .out = &attr_tacacs_accounting_status, .name = "Accounting-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
97 { .out = &attr_tacacs_accounting_flags, .name = "Accounting-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
98
99 { .out = &attr_tacacs_client_port, .name = "Client-Port", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
100 { .out = &attr_tacacs_data, .name = "Data", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
101 { .out = &attr_tacacs_privilege_level, .name = "Privilege-Level", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
102 { .out = &attr_tacacs_remote_address, .name = "Remote-Address", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
103 { .out = &attr_tacacs_authentication_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
104 { .out = &attr_tacacs_session_id, .name = "Packet.Session-Id", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
105 { .out = &attr_tacacs_sequence_number, .name = "Packet.Sequence-Number", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
106 { .out = &attr_tacacs_server_message, .name = "Server-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
107 { .out = &attr_tacacs_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
108 { .out = &attr_tacacs_user_message, .name = "User-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
109
110 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
111 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
112 { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
113
114 { NULL }
115};
116
117static fr_value_box_t const *enum_auth_type_accept;
118static fr_value_box_t const *enum_auth_type_reject;
119static fr_value_box_t const *enum_auth_flags_noecho;
120static fr_value_box_t const *enum_tacacs_auth_type_ascii;
121
122extern fr_dict_enum_autoload_t process_tacacs_dict_enum[];
123fr_dict_enum_autoload_t process_tacacs_dict_enum[] = {
124 { .out = &enum_auth_type_accept, .name = "Accept", .attr = &attr_auth_type },
125 { .out = &enum_auth_type_reject, .name = "Reject", .attr = &attr_auth_type },
126 { .out = &enum_auth_flags_noecho, .name = "No-Echo", .attr = &attr_tacacs_authentication_flags },
127 { .out = &enum_tacacs_auth_type_ascii, .name = "ASCII", .attr = &attr_tacacs_authentication_type },
128 { NULL }
129};
130
131
163
164typedef struct {
165 fr_time_delta_t session_timeout; //!< Maximum time between the last response and next request.
166 uint32_t max_session; //!< Maximum ongoing session allowed.
167
168 uint32_t max_rounds; //!< maximum number of authentication rounds allowed
169
170 uint8_t state_server_id; //!< Sets a specific byte in the state to allow the
171 //!< authenticating server to be identified in packet
172 //!<captures.
173
174 fr_state_tree_t *state_tree; //!< State tree to link multiple requests/responses.
175} process_tacacs_auth_t;
176
177typedef struct {
178 CONF_SECTION *server_cs; //!< Our virtual server.
179
180 uint32_t session_id; //!< current session ID
181
182 process_tacacs_sections_t sections; //!< Pointers to various config sections
183 ///< we need to execute
184
185 process_tacacs_auth_t auth; //!< Authentication configuration.
186} process_tacacs_t;
187
188typedef struct {
189 uint32_t rounds; //!< how many rounds were taken
190 uint32_t reply; //!< for multiround state machine
191 uint8_t seq_no; //!< sequence number of last request.
192 fr_pair_list_t list; //!< copied from the request
193} process_tacacs_session_t;
194
195
196#define PROCESS_PACKET_TYPE fr_tacacs_packet_code_t
197#define PROCESS_CODE_MAX FR_TACACS_CODE_MAX
198#define PROCESS_CODE_DO_NOT_RESPOND FR_TACACS_CODE_DO_NOT_RESPOND
199#define PROCESS_PACKET_CODE_VALID FR_TACACS_PACKET_CODE_VALID
200#define PROCESS_INST process_tacacs_t
201#define PROCESS_CODE_DYNAMIC_CLIENT FR_TACACS_CODE_AUTH_PASS
202
203#include <freeradius-devel/server/process.h>
204
205static const conf_parser_t session_config[] = {
206 { FR_CONF_OFFSET("timeout", process_tacacs_auth_t, session_timeout), .dflt = "15" },
207 { FR_CONF_OFFSET("max", process_tacacs_auth_t, max_session), .dflt = "4096" },
208 { FR_CONF_OFFSET("max_rounds", process_tacacs_auth_t, max_rounds), .dflt = "4" },
209 { FR_CONF_OFFSET("state_server_id", process_tacacs_auth_t, state_server_id) },
210
211 CONF_PARSER_TERMINATOR
212};
213
214static const conf_parser_t auth_config[] = {
215 { FR_CONF_POINTER("session", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) session_config },
216
217 CONF_PARSER_TERMINATOR
218};
219
220static const conf_parser_t config[] = {
221 { FR_CONF_POINTER("Authentication", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) auth_config,
222 .offset = offsetof(process_tacacs_t, auth), },
223
224 CONF_PARSER_TERMINATOR
225};
226
227
228/*
229 * Synthesize a State attribute from connection && session information.
230 */
231static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
232{
233 uint8_t buffer[12];
234 uint32_t hash;
235 fr_pair_t *vp;
236
237 vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_session_id);
238 if (!vp) return -1;
239
240 fr_nbo_from_uint32(buffer, vp->vp_uint32);
241
242 vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_sequence_number);
243 if (!vp) return -1;
244
245 /*
246 * Requests have odd sequence numbers, and replies have even sequence numbers.
247 * So if we want to synthesize a state in a reply which gets matched with the next
248 * request, we have to add 2 to it.
249 */
250 hash = vp->vp_uint8 + ((int) reply << 1);
251
252 fr_nbo_from_uint32(buffer + 4, hash);
253
254 /*
255 * Hash in the listener. For now, we don't allow internally proxied requests.
256 */
257 fr_assert(request->async != NULL);
258 fr_assert(request->async->listen != NULL);
259 hash = fr_hash(&request->async->listen, sizeof(request->async->listen));
260
261 fr_nbo_from_uint32(buffer + 8, hash);
262
263 vp = fr_pair_afrom_da(ctx, attr_tacacs_state);
264 if (!vp) return -1;
265
266 (void) fr_pair_value_memdup(vp, buffer, 12, false);
267
268 fr_pair_append(out, vp);
269
270 return 0;
271}
272
273/** Try and determine what the response packet type should be
274 *
275 * We check three sources:
276 * - reply.``<status_attr>``
277 * - reply.Packet-Type
278 * - State machine packet type assignments for the section rcode
279 *
280 * @param[in] request The current request.
281 * @param[in] status_da Specialised status attribute.
282 * @param[in] status2code Mapping table of *packet* status types to rcodes.
283 * @param[in] state Mappings for process state machine
284 * @param[in] process_rcode Mappings for Auth-Type / Acct-Type, which don't use the process state machine
285 * @param[in] rcode The last section rcode.
286 * @return
287 * - >0 if we determined a reply code.
288 * - 0 if we couldn't - Usually indicates additional sections should be run.
289 */
290static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da,
291 uint32_t const status2code[static UINT8_MAX + 1],
292 fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
293{
294 fr_pair_t *vp;
295 uint32_t code;
296
297 /*
298 * First check the protocol attribute for this packet type.
299 *
300 * Should be one of:
301 * - Authentication-Status
302 * - Authorization-Status
303 * - Accounting-Status
304 */
305 fr_assert(status_da->type == FR_TYPE_UINT8);
306
307 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, status_da);
308 if (vp) {
309 code = status2code[vp->vp_uint8];
310 if (FR_TACACS_PACKET_CODE_VALID(code)) {
311 RDEBUG("Setting reply Packet-Type from %pP", vp);
312 return code;
313 }
314 REDEBUG("Ignoring invalid status %pP", vp);
315 }
316
317 if (state) {
318 code = state->packet_type[rcode];
319 if (FR_TACACS_PACKET_CODE_VALID(code)) return code;
320 }
321
322 if (process_rcode) {
323 code = process_rcode[rcode];
324 if (FR_TACACS_PACKET_CODE_VALID(code)) return code;
325 }
326
327 /*
328 * Otherwise use Packet-Type (if set)
329 */
330 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_packet_type);
331 if (vp && FR_TACACS_PACKET_CODE_VALID(vp->vp_uint32)) {
332 RDEBUG("Setting reply Packet-Type from %pV", &vp->data);
333 return vp->vp_uint32;
334 }
335
336 return 0;
337}
338
339RECV(auth_start)
340{
341 fr_process_state_t const *state;
342 fr_pair_t *vp;
343
344 /*
345 * Only "Login" is supported. The others are "change password" and "sendauth", which aren't
346 * used.
347 */
348 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_action);
349 if (!vp) {
350 fail:
351 request->reply->code = FR_TACACS_CODE_AUTH_ERROR;
352 UPDATE_STATE(reply);
353
354 fr_assert(state->send != NULL);
355 return CALL_SEND_STATE(state);
356 }
357
358 if (vp->vp_uint8 != FR_ACTION_VALUE_LOGIN) {
359 RDEBUG("Invalid authentication action %u", vp->vp_uint8);
360 goto fail;
361 }
362
363 /*
364 * There is no state to restore, so we just run the section as normal.
365 */
366
367 return CALL_RECV(generic);
368}
369
370RESUME(auth_type);
371
381
382RESUME(auth_start)
383{
384 rlm_rcode_t rcode = *p_result;
385 fr_pair_t *vp;
386 CONF_SECTION *cs;
387 fr_dict_enum_value_t const *dv;
388 fr_process_state_t const *state;
389 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
390
391 PROCESS_TRACE;
392
393 fr_assert(rcode < RLM_MODULE_NUMCODES);
394
395 /*
396 * See if the return code from "recv" which says we reject, or continue.
397 */
398 UPDATE_STATE(packet);
399
400 /*
401 * Nothing set the reply, so let's see if we need to do so.
402 *
403 * If the admin didn't set authentication-status, just
404 * use the defaults from the state machine.
405 */
406 if (!request->reply->code) {
407 request->reply->code = reply_code(request,
408 attr_tacacs_authentication_status,
409 authen_status_to_packet_code, state, NULL, rcode);
410 } else {
411 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
412 }
413
414 /*
415 * Check for multi-round authentication.
416 *
417 * We only run the automatic state machine (start -> getuser -> getpass -> pass/fail)
418 * when the admin does NOT set any reply type, or any reply authentication status.
419 *
420 * However, do DO always save and restore the attributes from the start packet, so that they are
421 * visible in a later packet.
422 */
423 if (!request->reply->code) {
424 process_tacacs_session_t *session;
425 fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
426
427 session = request_data_reference(request, inst, 0);
428 if (!session) {
429 /*
430 * This function is called for resuming both "start" and "continue" packets, so
431 * we have to check for "start" here.
432 *
433 * We only do multi-round authentication for the ASCII authentication type.
434 * Other authentication types are defined to be one request/reply only.
435 */
436 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
437 if (!packet_is_authen_start_request(packet) ||
438 (vp && (fr_value_box_cmp(&vp->data, enum_tacacs_auth_type_ascii) != 0))) {
439 goto auth_type;
440 }
441
442 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name);
443 if (!vp) {
444 RDEBUG("No User-Name, replying with Authentication-GetUser");
445 request->reply->code = FR_TACACS_CODE_AUTH_GETUSER;
446 } else {
447 RDEBUG("User-Name = %pV, replying with Authentication-GetPass", &vp->data);
448 request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
449 goto add_auth_flags;
450 }
451
452 goto send_reply;
453 }
454
455 /*
456 * Last reply was "get username", we now get the password.
457 */
458 if (session->reply == FR_TACACS_CODE_AUTH_GETUSER) {
459 RDEBUG("No User-Password, replying with Authentication-GetPass");
460 request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
461
462 /*
463 * Pre-set the authentication flags reply to No-Echo
464 * RFC 8907 says this should be set when the data being
465 * requested is sensitive and should not be echoed to the
466 * user as it is being entered.
467 */
468 add_auth_flags:
469 MEM(pair_append_reply(&vp, attr_tacacs_authentication_flags) >= 0);
470 (void) fr_value_box_copy(vp, &vp->data, enum_auth_flags_noecho);
471 vp->data.enumv = attr_tacacs_authentication_flags;
472 goto send_reply;
473 }
474
475 /*
476 * We either have a password, or the admin screwed up the configuration somehow. Just go
477 * run "Auth-Type foo".
478 */
479 goto auth_type;
480 }
481
482 /*
483 * Something set the reply code, skip
484 * the normal auth flow and respond immediately.
485 */
486 if (request->reply->code) {
487 switch (request->reply->code) {
488 case FR_TACACS_CODE_AUTH_FAIL:
489 RDEBUG("The 'recv Authentication-Start' section returned %s - rejecting the request",
490 fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
491 break;
492
493 default:
494 RDEBUG("Reply packet type was set to %s", fr_tacacs_packet_names[request->reply->code]);
495 break;
496 }
497
498 send_reply:
499 UPDATE_STATE(reply);
500
501 fr_assert(state->send != NULL);
502 return CALL_SEND_STATE(state);
503 }
504
505 /*
506 * Run authenticate foo { ... }
507 *
508 * If we can't find Auth-Type, OR if we can't find Auth-Type = foo, then it's a reject.
509 *
510 * We prefer the local Auth-Type to the Authentication-Type in the packet. But if there's no
511 * Auth-Type set by the admin, then we use what's in the packet.
512 */
513 auth_type:
514 vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_auth_type);
515 if (!vp) vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
516 if (!vp) {
517 RDEBUG("No 'Auth-Type' or 'Authentication-Type' attribute found, "
518 "cannot authenticate the user - rejecting the request");
519
520 reject:
521 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
522 goto send_reply;
523 }
524
525 dv = fr_dict_enum_by_value(vp->da, &vp->data);
526 if (!dv) {
527 RDEBUG("Invalid value for '%s' attribute, cannot authenticate the user - rejecting the request",
528 vp->da->name);
529
530 goto reject;
531 }
532
533 /*
534 * The magic Auth-Type Accept value which means skip the authenticate section.
535 *
536 * And Reject means always reject. Tho the admin should just return "reject" from the section.
537 */
538 if (vp->da == attr_auth_type) {
539 if (fr_value_box_cmp(enum_auth_type_accept, dv->value) == 0) {
540 request->reply->code = FR_TACACS_CODE_AUTH_PASS;
541 goto send_reply;
542
543 } else if (fr_value_box_cmp(enum_auth_type_reject, dv->value) == 0) {
544 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
545 goto send_reply;
546 }
547 }
548
549 cs = cf_section_find(inst->server_cs, "authenticate", dv->name);
550 if (!cs) {
551 RDEBUG2("No 'authenticate %s { ... }' section found - rejecting the request", dv->name);
552 goto reject;
553 }
554
555 /*
556 * Run the "authenticate foo { ... }" section.
557 *
558 * And continue with sending the generic reply.
559 */
560 RDEBUG("Running 'authenticate %s' from file %s", cf_section_name2(cs), cf_filename(cs));
561 return unlang_module_yield_to_section(p_result, request,
562 cs, RLM_MODULE_NOOP, resume_auth_type,
563 NULL, 0, mctx->rctx);
564}
565
566RESUME(auth_type)
567{
568 static const fr_process_rcode_t auth_type_rcode = {
569 [RLM_MODULE_OK] = FR_TACACS_CODE_AUTH_PASS,
570 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
571 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
572 [RLM_MODULE_NOOP] = FR_TACACS_CODE_AUTH_FAIL,
573 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
574 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
575 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_AUTH_FAIL,
576 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
577 };
578
579 rlm_rcode_t rcode = *p_result;
580 fr_process_state_t const *state;
581 fr_pair_t *vp;
582
583 PROCESS_TRACE;
584
585 fr_assert(rcode < RLM_MODULE_NUMCODES);
586
587 /*
588 * If nothing set the reply code, then try to set it from various other things.
589 *
590 * The user could have set Authentication-Status
591 * or Packet-Type to something other than
592 * pass...
593 */
594 if (!request->reply->code) {
595 request->reply->code = reply_code(request,
596 attr_tacacs_authentication_status,
597 authen_status_to_packet_code, NULL, auth_type_rcode, rcode);
598 } else {
599 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
600 }
601
602 switch (request->reply->code) {
603 case 0:
604 RDEBUG("No reply code was set. Forcing to Authentication-Fail");
605 fail:
606 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
607 FALL_THROUGH;
608
609 /*
610 * Print complaints before running "send Access-Reject"
611 */
612 case FR_TACACS_CODE_AUTH_FAIL:
613 RDEBUG2("Failed to authenticate the user");
614 break;
615
616 case FR_TACACS_CODE_AUTH_GETDATA:
617 case FR_TACACS_CODE_AUTH_GETUSER:
618 case FR_TACACS_CODE_AUTH_GETPASS:
619 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
620 if (vp && (vp->vp_uint32 != FR_AUTHENTICATION_TYPE_VALUE_ASCII)) {
621 RDEBUG2("Cannot send challenges for %pP", vp);
622 goto fail;
623 }
624 break;
625
626 default:
627 break;
628
629 }
630 UPDATE_STATE(reply);
631
632 fr_assert(state->send != NULL);
633 return state->send(p_result, mctx, request);
634}
635
636RESUME(auth_pass)
637{
638 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
639
640 PROCESS_TRACE;
641
642 // @todo - worry about user identity existing?
643
644 fr_state_discard(inst->auth.state_tree, request);
645 RETURN_MODULE_TRANSPARENT;
646}
647
648RESUME(auth_fail)
649{
650 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
651
652 PROCESS_TRACE;
653
654 // @todo - insert server message saying "failed"
655 // and also for FAIL
656
657 fr_state_discard(inst->auth.state_tree, request);
658 RETURN_MODULE_TRANSPARENT;
659}
660
661RESUME(auth_restart)
662{
663 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
664
665 PROCESS_TRACE;
666
667 fr_state_discard(inst->auth.state_tree, request);
668 RETURN_MODULE_TRANSPARENT;
669}
670
671RESUME(auth_get)
672{
673 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
674 process_tacacs_session_t *session;
675 fr_pair_t *vp, *copy;
676
677 PROCESS_TRACE;
678
679 /*
680 * Track multi-round authentication flows. Note that they can only start with an
681 * "Authentication-Start" packet, but they can continue with an "Authentication-Continue" packet.
682 *
683 * If there's no session being tracked, then we create one for a start packet.
684 */
685 session = request_data_reference(request, inst, 0);
686 if (!session) {
687 fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
688
689 if (!packet_is_authen_start_request(packet)) goto send_reply;
690
691 MEM(session = talloc_zero(NULL, process_tacacs_session_t));
692 if (request_data_talloc_add(request, inst, 0, process_tacacs_session_t, session, true, true, true) < 0) {
693 talloc_free(session);
694 goto send_reply;
695 }
696
697 /*
698 * These are the only things which saved. The rest of the fields are either static (and statically
699 * known), or are irrelevant.
700 */
701 fr_pair_list_init(&session->list);
702#undef COPY
703#define COPY(_attr) do { \
704 vp = fr_pair_find_by_da(&request->request_pairs, NULL, _attr); \
705 if (!vp) break; \
706 MEM(copy = fr_pair_copy(session, vp)); \
707 fr_pair_append(&session->list, copy); \
708 RDEBUG2("%pP", copy); \
709} while (0)
710
711 RDEBUG2("Caching session attributes:");
712 RINDENT();
713 COPY(attr_user_name);
714 COPY(attr_tacacs_client_port);
715 COPY(attr_tacacs_remote_address);
716 COPY(attr_tacacs_privilege_level);
717 COPY(attr_tacacs_authentication_type);
718 REXDENT();
719
720 } else {
721 session->rounds++;
722
723 if (session->rounds > inst->auth.max_rounds) {
724 REDEBUG("Too many rounds of authentication - failing the session");
725 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_FAIL);
726 }
727
728 /*
729 * It is possible that the user name or password are added on subsequent Authentication-Continue
730 * packets following replies with Authentication-GetUser or Authentication-GetPass.
731 * Check if they are already in the session cache, and if not, add them.
732 */
733#define COPY_MISSING(_attr) do { \
734 vp = fr_pair_find_by_da(&session->list, NULL, _attr); \
735 if (vp) break; \
736 COPY(_attr); \
737} while (0)
738
739 RDEBUG2("Caching additional session attributes:");
740 RINDENT();
741 COPY_MISSING(attr_user_name);
742 COPY_MISSING(attr_user_password);
743 REXDENT();
744 }
745 session->reply = request->reply->code;
746 session->seq_no = request->packet->data[2];
747
748send_reply:
749 /*
750 * Cache the session state context.
751 */
752 if ((state_create(request->reply_ctx, &request->reply_pairs, request, true) < 0) ||
753 (fr_request_to_state(inst->auth.state_tree, request) < 0)) {
754 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
755 }
756
757 RETURN_MODULE_TRANSPARENT;
758}
759
760RECV(auth_cont)
761{
762 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
763 process_tacacs_session_t *session;
764
765 if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
766 (fr_state_to_request(inst->auth.state_tree, request) < 0)) {
767 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
768 }
769
770 /*
771 * Restore key fields from the original Authentication-Start packet.
772 */
773 session = request_data_reference(request, inst, 0);
774 if (session) {
775 fr_pair_t *vp = NULL, *copy;
776
777 if (request->packet->data[2] <= session->seq_no) {
778 REDEBUG("Client sent invalid sequence number %02x, expected >%02x", request->packet->data[2], session->seq_no);
779 error:
780 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
781 }
782
783 if (fr_debug_lvl >= L_DBG_LVL_2) {
784 RDEBUG2("Restoring session attributes:");
785 RINDENT();
786 while ((vp = fr_pair_list_next(&session->list, vp))) {
787 RDEBUG2("%pP", vp);
788 }
789 REXDENT();
790 }
791 if (fr_pair_list_copy(request->request_ctx, &request->request_pairs, &session->list) < 0) goto error;
792
793 /*
794 * Copy the returned user_message into the attribute we requested.
795 */
796#define EXTRACT(_attr) \
797 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_user_message); \
798 if (!vp) break; \
799 fr_value_box_set_secret(&vp->data, _attr->flags.secret); \
800 if (pair_append_request(&copy, _attr) < 0) break; \
801 if (fr_pair_value_copy(copy, vp) < 0) { \
802 fr_pair_remove(&request->request_pairs, copy); \
803 talloc_free(copy); \
804 break; \
805 } \
806 RDEBUG2("Populated %pP from user_message", copy)
807
808 switch (session->reply) {
809 case FR_TACACS_CODE_AUTH_GETUSER:
810 EXTRACT(attr_user_name);
811 break;
812
813 case FR_TACACS_CODE_AUTH_GETPASS:
814 EXTRACT(attr_user_password);
815 break;
816
817 default:
818 break;
819 }
820 }
821
822 return CALL_RECV(generic);
823}
824
825/*
826 * The client aborted the session. The reply should be RESTART or FAIL.
827 */
828RECV(auth_cont_abort)
829{
830 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
831
832 if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
833 (fr_state_to_request(inst->auth.state_tree, request) < 0)) {
834 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
835 }
836
837 return CALL_RECV(generic);
838}
839
840RESUME(auth_cont_abort)
841{
842 fr_process_state_t const *state;
843
844 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_AUTH_RESTART;
845
846 UPDATE_STATE(reply);
847
848 fr_assert(state->send != NULL);
849 return CALL_SEND_STATE(state);
850}
851
852
859
860
861RESUME(autz_request)
862{
863 rlm_rcode_t rcode = *p_result;
864 fr_process_state_t const *state;
865
866 PROCESS_TRACE;
867
868 fr_assert(rcode < RLM_MODULE_NUMCODES);
869
870 /*
871 * See if the return code from "recv" which says we reject, or continue.
872 */
873 UPDATE_STATE(packet);
874
875 /*
876 * Nothing set the reply, so let's see if we need to do so.
877 *
878 * If the admin didn't set authorization-status, just
879 * use the defaults from the state machine.
880 */
881 if (!request->reply->code) {
882 request->reply->code = reply_code(request, attr_tacacs_authorization_status,
883 author_status_to_packet_code, state, NULL, rcode);
884 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_AUTZ_ERROR;
885
886 } else {
887 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
888 }
889
890 RDEBUG("Reply packet type set to %s", fr_tacacs_packet_names[request->reply->code]);
891
892 UPDATE_STATE(reply);
893
894 fr_assert(state->send != NULL);
895 return CALL_SEND_STATE(state);
896}
897
902
903RESUME(acct_type)
904{
905 static const fr_process_rcode_t acct_type_rcode = {
906 [RLM_MODULE_OK] = FR_TACACS_CODE_ACCT_SUCCESS,
907 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_ACCT_SUCCESS,
908 [RLM_MODULE_NOOP] = FR_TACACS_CODE_ACCT_ERROR,
909 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
910 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
911 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
912 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
913 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
914 };
915
916 rlm_rcode_t rcode = *p_result;
917 fr_process_state_t const *state;
918
919 PROCESS_TRACE;
920
921 /*
922 * One more chance to override
923 */
924 if (!request->reply->code) {
925 request->reply->code = reply_code(request, attr_tacacs_accounting_status, acct_status_to_packet_code,
926 NULL, acct_type_rcode, rcode);
927 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
928 } else {
929 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
930 }
931
932 UPDATE_STATE(reply);
933
934 fr_assert(state->send != NULL);
935 return state->send(p_result, mctx, request);
936}
937
938static const bool acct_flag_valid[8] = {
939 false, true, true, false, /* invalid, start, stop, invalid */
940 true, true, false, false, /* watchdog - no update, watchdog - update, invalid, invalid */
941};
942
943RECV(accounting_request)
944{
945 fr_pair_t *vp;
946
947 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
948
949 /*
950 * RFC 8907 Section 7.2
951 */
952 if (vp && !acct_flag_valid[(vp->vp_uint8 & 0x0e) >> 1]) {
953 RWDEBUG("Invalid accounting request flag field %02x", vp->vp_uint8);
954 return CALL_SEND_TYPE(FR_TACACS_CODE_ACCT_ERROR);
955 }
956
957 return CALL_RECV(generic);
958}
959
960RESUME(accounting_request)
961{
962 rlm_rcode_t rcode = *p_result;
963 fr_pair_t *vp;
964 CONF_SECTION *cs;
965 fr_dict_enum_value_t const *dv;
966 fr_process_state_t const *state;
967 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
968
969 PROCESS_TRACE;
970
971 fr_assert(rcode < RLM_MODULE_NUMCODES);
972
973 UPDATE_STATE(packet);
974
975 /*
976 * Nothing set the reply, so let's see if we need to do so.
977 *
978 * If the admin didn't set accounting-status, just
979 * use the defaults from the state machine.
980 */
981 if (!request->reply->code) {
982 request->reply->code = reply_code(request, attr_tacacs_accounting_status,
983 acct_status_to_packet_code, state, NULL, rcode);
984 } else {
985 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
986 }
987
988 /*
989 * Something set the reply code, so we reply and don't run "accounting foo { ... }"
990 */
991 if (request->reply->code) {
992 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->packet->code));
993
994 RDEBUG("Reply packet type was set to %s", fr_tacacs_packet_names[request->reply->code]);
995
996 UPDATE_STATE(reply);
997
998 fr_assert(state->send != NULL);
999 return CALL_SEND_STATE(state);
1000 }
1001
1002 /*
1003 * Run accounting foo { ... }
1004 */
1005 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
1006 if (!vp) {
1007 fail:
1008 request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
1009 UPDATE_STATE(reply);
1010 fr_assert(state->send != NULL);
1011 return CALL_SEND_STATE(state);
1012 }
1013
1014 dv = fr_dict_enum_by_value(vp->da, &vp->data);
1015 if (!dv) goto fail;
1016
1017 cs = cf_section_find(inst->server_cs, "accounting", dv->name);
1018 if (!cs) {
1019 RDEBUG2("No 'accounting %s { ... }' section found - skipping...", dv->name);
1020 goto fail;
1021 }
1022
1023 /*
1024 * Run the "accounting foo { ... }" section.
1025 *
1026 * And continue with sending the generic reply.
1027 */
1028 return unlang_module_yield_to_section(p_result, request,
1029 cs, RLM_MODULE_NOOP, resume_acct_type,
1030 NULL, 0, mctx->rctx);
1031}
1032
1033static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
1034{
1035 fr_process_state_t const *state;
1036
1037 PROCESS_TRACE;
1038
1039 (void)talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
1040 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->packet->code));
1041
1042 request->component = "tacacs";
1043 request->module = NULL;
1044 fr_assert(request->proto_dict == dict_tacacs);
1045
1046 UPDATE_STATE(packet);
1047
1048 if (!state->recv) {
1049 REDEBUG("Invalid packet type (%u)", request->packet->code);
1050 RETURN_MODULE_FAIL;
1051 }
1052
1053 // @todo - debug stuff!
1054// tacacs_packet_debug(request, request->packet, &request->request_pairs, true);
1055
1056 if (unlikely(request_is_dynamic_client(request))) {
1057 return new_client(p_result, mctx, request);
1058 }
1059
1060 return state->recv(p_result, mctx, request);
1061}
1062
1063static int mod_instantiate(module_inst_ctx_t const *mctx)
1064{
1065 process_tacacs_t *inst = talloc_get_type_abort(mctx->mi->data, process_tacacs_t);
1066
1067 inst->server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1068
1069 FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.max_rounds, >=, 1);
1070 FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.max_rounds, <=, 8);
1071
1072 FR_INTEGER_BOUND_CHECK("session.max", inst->auth.max_session, >=, 64);
1073 FR_INTEGER_BOUND_CHECK("session.max", inst->auth.max_session, <=, (1 << 18));
1074
1075 inst->auth.state_tree = fr_state_tree_init(inst, attr_tacacs_state, main_config->spawn_workers, inst->auth.max_session,
1076 inst->auth.session_timeout, inst->auth.state_server_id,
1077 fr_hash_string(cf_section_name2(inst->server_cs)));
1078 return 0;
1079}
1080
1081static int mod_bootstrap(module_inst_ctx_t const *mctx)
1082{
1083 CONF_SECTION *server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1084
1085 if (virtual_server_section_attribute_define(server_cs, "authenticate", attr_auth_type) < 0) return -1;
1086
1087 return 0;
1088}
1089
1090/*
1091 * rcodes not listed under a packet_type
1092 * mean that the packet code will not be
1093 * changed.
1094 */
1095static fr_process_state_t const process_state[] = {
1096 /*
1097 * Authentication
1098 */
1099 [ FR_TACACS_CODE_AUTH_START ] = {
1100 .packet_type = {
1101 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1102 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1103 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1104 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1105 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1106 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1107 },
1108 .rcode = RLM_MODULE_NOOP,
1109 .recv = recv_auth_start,
1110 .resume = resume_auth_start,
1111 .section_offset = offsetof(process_tacacs_sections_t, auth_start),
1112 },
1113 [ FR_TACACS_CODE_AUTH_PASS ] = {
1114 .packet_type = {
1115 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1116 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1117 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1118 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1119 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1120 },
1121 .rcode = RLM_MODULE_NOOP,
1122 .send = send_generic,
1123 .resume = resume_auth_pass,
1124 .section_offset = offsetof(process_tacacs_sections_t, auth_pass),
1125 },
1126 [ FR_TACACS_CODE_AUTH_FAIL ] = {
1127 .packet_type = {
1128 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1129 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1130 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1131 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1132 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1133 },
1134 .rcode = RLM_MODULE_NOOP,
1135 .send = send_generic,
1136 .resume = resume_auth_fail,
1137 .section_offset = offsetof(process_tacacs_sections_t, auth_fail),
1138 },
1139 [ FR_TACACS_CODE_AUTH_GETDATA ] = {
1140 .packet_type = {
1141 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1142 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1143 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1144 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1145 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1146 },
1147 .rcode = RLM_MODULE_NOOP,
1148 .send = send_generic,
1149 .resume = resume_auth_get,
1150 .section_offset = offsetof(process_tacacs_sections_t, auth_getdata),
1151 },
1152 [ FR_TACACS_CODE_AUTH_GETPASS ] = {
1153 .packet_type = {
1154 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1155 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1156 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1157 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1158 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1159 },
1160 .rcode = RLM_MODULE_NOOP,
1161 .send = send_generic,
1162 .resume = resume_auth_get,
1163 .section_offset = offsetof(process_tacacs_sections_t, auth_getpass),
1164 },
1165 [ FR_TACACS_CODE_AUTH_GETUSER ] = {
1166 .packet_type = {
1167 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1168 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1169 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1170 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1171 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1172 },
1173 .rcode = RLM_MODULE_NOOP,
1174 .send = send_generic,
1175 .resume = resume_auth_get,
1176 .section_offset = offsetof(process_tacacs_sections_t, auth_getuser),
1177 },
1178 [ FR_TACACS_CODE_AUTH_RESTART ] = {
1179 .packet_type = {
1180 },
1181 .rcode = RLM_MODULE_NOOP,
1182 .send = send_generic,
1183 .resume = resume_auth_restart,
1184 .section_offset = offsetof(process_tacacs_sections_t, auth_restart),
1185 },
1186 [ FR_TACACS_CODE_AUTH_ERROR ] = {
1187 .packet_type = {
1188 },
1189 .rcode = RLM_MODULE_NOOP,
1190 .send = send_generic,
1191 .resume = resume_auth_restart,
1192 .section_offset = offsetof(process_tacacs_sections_t, auth_error),
1193 },
1194
1195 [ FR_TACACS_CODE_AUTH_CONT ] = {
1196 .packet_type = {
1197 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1198 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1199 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1200 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1201 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1202 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1203 },
1204 .rcode = RLM_MODULE_NOOP,
1205 .recv = recv_auth_cont,
1206 .resume = resume_auth_start, /* we go back to running 'authenticate', etc. */
1207 .section_offset = offsetof(process_tacacs_sections_t, auth_cont),
1208 },
1209 [ FR_TACACS_CODE_AUTH_CONT_ABORT ] = {
1210 .packet_type = {
1211 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1212 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1213 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1214 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1215 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1216 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1217 },
1218 .rcode = RLM_MODULE_NOOP,
1219 .recv = recv_auth_cont_abort,
1220 .resume = resume_auth_cont_abort,
1221 .section_offset = offsetof(process_tacacs_sections_t, auth_cont_abort),
1222 },
1223
1224 /*
1225 * Authorization
1226 */
1227 [ FR_TACACS_CODE_AUTZ_REQUEST ] = {
1228 .packet_type = {
1229 [RLM_MODULE_NOOP] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1230 [RLM_MODULE_OK] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1231 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1232 [RLM_MODULE_HANDLED] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1233
1234 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1235 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1236 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1237 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1238 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1239 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1240 },
1241 .rcode = RLM_MODULE_NOOP,
1242 .recv = recv_generic,
1243 .resume = resume_autz_request,
1244 .section_offset = offsetof(process_tacacs_sections_t, autz_request),
1245 },
1246 [ FR_TACACS_CODE_AUTZ_PASS_ADD ] = {
1247 .packet_type = {
1248 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1249 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1250 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1251 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1252 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1253 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1254 },
1255 .rcode = RLM_MODULE_NOOP,
1256 .send = send_generic,
1257 .resume = resume_send_generic,
1258 .section_offset = offsetof(process_tacacs_sections_t, autz_pass_add),
1259 },
1260 [ FR_TACACS_CODE_AUTZ_PASS_REPLACE ] = {
1261 .packet_type = {
1262 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1263 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1264 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1265 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1266 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1267 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1268 },
1269 .rcode = RLM_MODULE_NOOP,
1270 .send = send_generic,
1271 .resume = resume_send_generic,
1272 .section_offset = offsetof(process_tacacs_sections_t, autz_pass_replace),
1273 },
1274 [ FR_TACACS_CODE_AUTZ_FAIL ] = {
1275 .packet_type = {
1276 },
1277 .rcode = RLM_MODULE_NOOP,
1278 .send = send_generic,
1279 .resume = resume_send_generic,
1280 .section_offset = offsetof(process_tacacs_sections_t, autz_fail),
1281 },
1282 [ FR_TACACS_CODE_AUTZ_ERROR ] = {
1283 .packet_type = {
1284 },
1285 .rcode = RLM_MODULE_NOOP,
1286 .send = send_generic,
1287 .resume = resume_send_generic,
1288 .section_offset = offsetof(process_tacacs_sections_t, autz_error),
1289 },
1290
1291 /*
1292 * Accounting
1293 */
1294 [ FR_TACACS_CODE_ACCT_REQUEST ] = {
1295 .packet_type = {
1296 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
1297 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
1298 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
1299 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
1300 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
1301 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1302 },
1303 .rcode = RLM_MODULE_NOOP,
1304 .recv = recv_accounting_request,
1305 .resume = resume_accounting_request,
1306 .section_offset = offsetof(process_tacacs_sections_t, acct_request),
1307 },
1308 [ FR_TACACS_CODE_ACCT_SUCCESS ] = {
1309 .packet_type = {
1310 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
1311 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
1312 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
1313 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
1314 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
1315 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1316 },
1317 .rcode = RLM_MODULE_NOOP,
1318 .send = send_generic,
1319 .resume = resume_send_generic,
1320 .section_offset = offsetof(process_tacacs_sections_t, acct_success),
1321 },
1322 [ FR_TACACS_CODE_ACCT_ERROR ] = {
1323 .packet_type = {
1324 },
1325 .rcode = RLM_MODULE_NOOP,
1326 .send = send_generic,
1327 .resume = resume_send_generic,
1328 .section_offset = offsetof(process_tacacs_sections_t, acct_error),
1329 },
1330 [ FR_TACACS_CODE_DO_NOT_RESPOND ] = {
1331 .packet_type = {
1332 [RLM_MODULE_NOOP] = FR_TACACS_CODE_DO_NOT_RESPOND,
1333 [RLM_MODULE_OK] = FR_TACACS_CODE_DO_NOT_RESPOND,
1334 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_DO_NOT_RESPOND,
1335 [RLM_MODULE_HANDLED] = FR_TACACS_CODE_DO_NOT_RESPOND,
1336
1337 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_DO_NOT_RESPOND,
1338 [RLM_MODULE_FAIL] = FR_TACACS_CODE_DO_NOT_RESPOND,
1339 [RLM_MODULE_INVALID] = FR_TACACS_CODE_DO_NOT_RESPOND,
1340 [RLM_MODULE_REJECT] = FR_TACACS_CODE_DO_NOT_RESPOND,
1341 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_DO_NOT_RESPOND,
1342 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1343 },
1344 .rcode = RLM_MODULE_NOOP,
1345 .send = send_generic,
1346 .resume = resume_send_generic,
1347 .section_offset = offsetof(process_tacacs_sections_t, do_not_respond),
1348 }
1349};
1350
1351
1352static virtual_server_compile_t compile_list[] = {
1353 /**
1354 * Basically, the TACACS+ protocol use same type "authenticate" to handle
1355 * Start and Continue requests. (yep, you're right. it's horrible)
1356 * Therefore, we split the same "auth" type into two different sections just
1357 * to allow the user to have different logic for that.
1358 *
1359 * If you want to cry, just take a look at
1360 *
1361 * https://tools.ietf.org/html/rfc8907 Section 4.
1362 *
1363 * This should be an abject lesson in how NOT to design a
1364 * protocol. Pretty much everything they did was wrong.
1365 */
1366 {
1367 .section = SECTION_NAME("recv", "Authentication-Start"),
1368 .actions = &mod_actions_authenticate,
1369 .offset = PROCESS_CONF_OFFSET(auth_start),
1370 },
1371 {
1372 .section = SECTION_NAME("send", "Authentication-Pass"),
1373 .actions = &mod_actions_postauth,
1374 .offset = PROCESS_CONF_OFFSET(auth_pass),
1375 },
1376 {
1377 .section = SECTION_NAME("send", "Authentication-Fail"),
1378 .actions = &mod_actions_postauth,
1379 .offset = PROCESS_CONF_OFFSET(auth_fail),
1380 },
1381 {
1382 .section = SECTION_NAME("send", "Authentication-GetData"),
1383 .actions = &mod_actions_postauth,
1384 .offset = PROCESS_CONF_OFFSET(auth_getdata),
1385 },
1386 {
1387 .section = SECTION_NAME("send", "Authentication-GetUser"),
1388 .actions = &mod_actions_postauth,
1389 .offset = PROCESS_CONF_OFFSET(auth_getuser),
1390 },
1391 {
1392 .section = SECTION_NAME("send", "Authentication-GetPass"),
1393 .actions = &mod_actions_postauth,
1394 .offset = PROCESS_CONF_OFFSET(auth_getpass),
1395 },
1396 {
1397 .section = SECTION_NAME("send", "Authentication-Restart"),
1398 .actions = &mod_actions_postauth,
1399 .offset = PROCESS_CONF_OFFSET(auth_restart),
1400 },
1401 {
1402 .section = SECTION_NAME("send", "Authentication-Error"),
1403 .actions = &mod_actions_postauth,
1404 .offset = PROCESS_CONF_OFFSET(auth_error),
1405 },
1406 {
1407 .section = SECTION_NAME("recv", "Authentication-Continue"),
1408 .actions = &mod_actions_authenticate,
1409 .offset = PROCESS_CONF_OFFSET(auth_cont),
1410 },
1411 {
1412 .section = SECTION_NAME("recv", "Authentication-Continue-Abort"),
1413 .actions = &mod_actions_authenticate,
1414 .offset = PROCESS_CONF_OFFSET(auth_cont_abort),
1415 },
1416
1417 {
1418 .section = SECTION_NAME("authenticate", CF_IDENT_ANY),
1419 .actions = &mod_actions_authenticate,
1420 },
1421
1422 /* authorization */
1423
1424 {
1425 .section = SECTION_NAME("recv", "Authorization-Request"),
1426 .actions = &mod_actions_authorize,
1427 .offset = PROCESS_CONF_OFFSET(autz_request),
1428 },
1429 {
1430 .section = SECTION_NAME("send", "Authorization-Pass-Add"),
1431 .actions = &mod_actions_postauth,
1432 .offset = PROCESS_CONF_OFFSET(autz_pass_add),
1433 },
1434 {
1435 .section = SECTION_NAME("send", "Authorization-Pass-Replace"),
1436 .actions = &mod_actions_postauth,
1437 .offset = PROCESS_CONF_OFFSET(autz_pass_replace),
1438 },
1439 {
1440 .section = SECTION_NAME("send", "Authorization-Fail"),
1441 .actions = &mod_actions_postauth,
1442 .offset = PROCESS_CONF_OFFSET(autz_fail),
1443 },
1444 {
1445 .section = SECTION_NAME("send", "Authorization-Error"),
1446 .actions = &mod_actions_postauth,
1447 .offset = PROCESS_CONF_OFFSET(autz_error),
1448 },
1449
1450 /* accounting */
1451
1452 {
1453 .section = SECTION_NAME("recv", "Accounting-Request"),
1454 .actions = &mod_actions_accounting,
1455 .offset = PROCESS_CONF_OFFSET(acct_request),
1456 },
1457 {
1458 .section = SECTION_NAME("send", "Accounting-Success"),
1459 .actions = &mod_actions_postauth,
1460 .offset = PROCESS_CONF_OFFSET(acct_success),
1461 },
1462 {
1463 .section = SECTION_NAME("send", "Accounting-Error"),
1464 .actions = &mod_actions_postauth,
1465 .offset = PROCESS_CONF_OFFSET(acct_error),
1466 },
1467
1468 {
1469 .section = SECTION_NAME("accounting", CF_IDENT_ANY),
1470 .actions = &mod_actions_accounting,
1471 },
1472
1473 {
1474 .section = SECTION_NAME("send", "Do-Not-Respond"),
1475 .actions = &mod_actions_postauth,
1476 .offset = PROCESS_CONF_OFFSET(do_not_respond),
1477 },
1478
1479 DYNAMIC_CLIENT_SECTIONS,
1480
1481 COMPILE_TERMINATOR
1482};
1483
1484
1485extern fr_process_module_t process_tacacs;
1486fr_process_module_t process_tacacs = {
1487 .common = {
1488 .magic = MODULE_MAGIC_INIT,
1489 .name = "tacacs",
1490 .config = config,
1491 .inst_size = sizeof(process_tacacs_t),
1492 .bootstrap = mod_bootstrap,
1493 .instantiate = mod_instantiate
1494 },
1495 .process = mod_process,
1496 .compile_list = compile_list,
1497 .dict = &dict_tacacs,
1498 .packet_type = &attr_packet_type
1499};
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
buffer
static int const char char buffer[256]
Definition acutest.h:576
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
unlikely
#define unlikely(_x)
Definition build.h:383
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:658
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:518
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:284
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:339
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:428
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:595
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_section_name2
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1184
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
cf_parent
#define cf_parent(_cf)
Definition cf_util.h:101
cf_filename
#define cf_filename(_cf)
Definition cf_util.h:107
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:78
MEM
#define MEM(x)
Definition debug.h:36
fr_dict_enum_autoload_t::out
fr_value_box_t const ** out
Enumeration value.
Definition dict.h:262
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:273
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:286
fr_dict_enum_value_t::value
fr_value_box_t const * value
Enum value (what name maps to).
Definition dict.h:236
fr_dict_enum_by_value
fr_dict_enum_value_t const * fr_dict_enum_by_value(fr_dict_attr_t const *da, fr_value_box_t const *value)
Lookup the structure representing an enum value in a fr_dict_attr_t.
Definition dict_util.c:3393
fr_dict_enum_value_t::name
char const * name
Enum name.
Definition dict.h:233
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:272
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:285
fr_dict_enum_autoload_t
Specifies a value which must be present for the module to function.
Definition dict.h:261
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition dict.h:232
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
fr_hash
uint32_t fr_hash(void const *data, size_t size)
Definition hash.c:812
fr_hash_string
uint32_t fr_hash_string(char const *p)
Definition hash.c:865
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition base.c:37
attr_packet_type
fr_dict_attr_t const * attr_packet_type
Definition base.c:93
attr_user_name
fr_dict_attr_t const * attr_user_name
Definition base.c:104
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:443
RWDEBUG
#define RWDEBUG(fmt,...)
Definition log.h:361
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition log.h:430
talloc_free
talloc_free(reap)
fr_debug_lvl
int fr_debug_lvl
Definition log.c:40
L_DBG_LVL_2
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:71
main_config
main_config_t const * main_config
Main server configuration.
Definition main_config.c:58
main_config_s::spawn_workers
bool spawn_workers
Should the server spawn threads.
Definition main_config.h:58
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_UINT8
@ FR_TYPE_UINT8
8 Bit unsigned integer.
Definition merged_model.c:97
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
UINT8_MAX
#define UINT8_MAX
Definition merged_model.c:32
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
fr_value_box_t
Definition merged_model.c:136
request_t
Definition merged_model.c:210
mod_actions_authenticate
unlang_mod_actions_t const mod_actions_authenticate
Definition mod_action.c:29
mod_actions_accounting
unlang_mod_actions_t const mod_actions_accounting
Definition mod_action.c:77
mod_actions_authorize
unlang_mod_actions_t const mod_actions_authorize
Definition mod_action.c:45
mod_actions_postauth
unlang_mod_actions_t const mod_actions_postauth
Definition mod_action.c:92
unlang_mod_actions_t::actions
unlang_mod_action_t actions[RLM_MODULE_NUMCODES]
Definition mod_action.h:62
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
fr_nbo_from_uint32
static void fr_nbo_from_uint32(uint8_t out[static sizeof(uint32_t)], uint32_t num)
Write out an unsigned 32bit integer in wire format (big endian)
Definition nbo.h:61
fr_pair_list_copy
int fr_pair_list_copy(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from)
Duplicate a list of pairs.
Definition pair.c:2320
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2936
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:774
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:697
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1342
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:287
fr_pair_list_init
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
mod_process
static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition base.c:184
compile_list
static const virtual_server_compile_t compile_list[]
Definition base.c:210
process_state
static fr_process_state_t const process_state[]
Definition base.c:68
attr_module_failure_message
static fr_dict_attr_t const * attr_module_failure_message
Definition base.c:36
attr_module_success_message
static fr_dict_attr_t const * attr_module_success_message
Definition base.c:37
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition base.c:745
RECV
RECV(for_any_server)
Validate a solicit/rebind/confirm message.
Definition base.c:401
attr_user_password
static fr_dict_attr_t const * attr_user_password
Definition base.c:65
attr_stripped_user_name
static fr_dict_attr_t const * attr_stripped_user_name
Definition base.c:58
session_config
static const conf_parser_t session_config[]
Definition base.c:169
mod_bootstrap
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Definition base.c:893
attr_auth_type
static fr_dict_attr_t const * attr_auth_type
Definition base.c:55
enum_auth_type_reject
static fr_value_box_t const * enum_auth_type_reject
Definition base.c:93
auth_config
static const conf_parser_t auth_config[]
Definition base.c:177
enum_auth_type_accept
static fr_value_box_t const * enum_auth_type_accept
Definition base.c:92
config
static const conf_parser_t config[]
Definition base.c:183
process_tacacs
fr_process_module_t process_tacacs
Definition base.c:1486
attr_tacacs_authentication_flags
static fr_dict_attr_t const * attr_tacacs_authentication_flags
Definition base.c:57
process_tacacs_sections_t::autz_pass_add
CONF_SECTION * autz_pass_add
Definition base.c:148
process_tacacs_session_t::list
fr_pair_list_t list
copied from the request
Definition base.c:192
process_tacacs_sections_t::new_client
CONF_SECTION * new_client
Definition base.c:159
enum_tacacs_auth_type_ascii
static fr_value_box_t const * enum_tacacs_auth_type_ascii
Definition base.c:120
process_tacacs_sections_t::add_client
CONF_SECTION * add_client
Definition base.c:160
process_tacacs_sections_t::auth_pass
CONF_SECTION * auth_pass
Definition base.c:136
process_tacacs_sections_t::auth_start
CONF_SECTION * auth_start
Definition base.c:135
process_tacacs_sections_t::acct_success
CONF_SECTION * acct_success
Definition base.c:154
process_tacacs_sections_t::auth_error
CONF_SECTION * auth_error
Definition base.c:142
process_tacacs_sections_t::acct_request
CONF_SECTION * acct_request
Definition base.c:153
process_tacacs_sections_t::auth_cont_abort
CONF_SECTION * auth_cont_abort
Definition base.c:145
process_tacacs_dict_attr
fr_dict_attr_autoload_t process_tacacs_dict_attr[]
Definition base.c:81
attr_tacacs_user_message
static fr_dict_attr_t const * attr_tacacs_user_message
Definition base.c:74
process_tacacs_t::server_cs
CONF_SECTION * server_cs
Our virtual server.
Definition base.c:178
attr_chap_password
static fr_dict_attr_t const * attr_chap_password
Definition base.c:78
process_tacacs_sections_t::auth_cont
CONF_SECTION * auth_cont
Definition base.c:144
acct_status_to_packet_code
static const uint32_t acct_status_to_packet_code[UINT8_MAX+1]
Definition base.c:898
process_tacacs_sections_t::auth_restart
CONF_SECTION * auth_restart
Definition base.c:141
authen_status_to_packet_code
static const uint32_t authen_status_to_packet_code[UINT8_MAX+1]
Definition base.c:372
process_tacacs_t::sections
process_tacacs_sections_t sections
Pointers to various config sections we need to execute.
Definition base.c:182
reply_code
static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da, uint32_t const status2code[static UINT8_MAX+1], fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
Try and determine what the response packet type should be.
Definition base.c:290
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition base.c:40
process_tacacs_auth_t::session_timeout
fr_time_delta_t session_timeout
Maximum time between the last response and next request.
Definition base.c:165
process_tacacs_session_t::rounds
uint32_t rounds
how many rounds were taken
Definition base.c:189
process_tacacs_dict_enum
fr_dict_enum_autoload_t process_tacacs_dict_enum[]
Definition base.c:123
COPY_MISSING
#define COPY_MISSING(_attr)
attr_tacacs_session_id
static fr_dict_attr_t const * attr_tacacs_session_id
Definition base.c:71
attr_tacacs_server_message
static fr_dict_attr_t const * attr_tacacs_server_message
Definition base.c:70
process_tacacs_sections_t::autz_error
CONF_SECTION * autz_error
Definition base.c:151
process_tacacs_sections_t::do_not_respond
CONF_SECTION * do_not_respond
Definition base.c:157
author_status_to_packet_code
static const uint32_t author_status_to_packet_code[UINT8_MAX+1]
Definition base.c:853
enum_auth_flags_noecho
static fr_value_box_t const * enum_auth_flags_noecho
Definition base.c:119
process_tacacs_auth_t::state_server_id
uint8_t state_server_id
Sets a specific byte in the state to allow the authenticating server to be identified in packet captu...
Definition base.c:170
process_tacacs_sections_t::autz_pass_replace
CONF_SECTION * autz_pass_replace
Definition base.c:149
process_tacacs_session_t::reply
uint32_t reply
for multiround state machine
Definition base.c:190
EXTRACT
#define EXTRACT(_attr)
process_tacacs_sections_t::auth_getuser
CONF_SECTION * auth_getuser
Definition base.c:139
attr_tacacs_privilege_level
static fr_dict_attr_t const * attr_tacacs_privilege_level
Definition base.c:68
process_tacacs_sections_t::auth_getdata
CONF_SECTION * auth_getdata
Definition base.c:138
attr_tacacs_authentication_type
static fr_dict_attr_t const * attr_tacacs_authentication_type
Definition base.c:58
process_tacacs_sections_t::acct_error
CONF_SECTION * acct_error
Definition base.c:155
attr_tacacs_accounting_status
static fr_dict_attr_t const * attr_tacacs_accounting_status
Definition base.c:63
process_tacacs_sections_t::autz_request
CONF_SECTION * autz_request
Definition base.c:147
process_tacacs_auth_t::max_session
uint32_t max_session
Maximum ongoing session allowed.
Definition base.c:166
acct_flag_valid
static const bool acct_flag_valid[8]
Definition base.c:938
attr_tacacs_authentication_service
static fr_dict_attr_t const * attr_tacacs_authentication_service
Definition base.c:59
attr_tacacs_authentication_status
static fr_dict_attr_t const * attr_tacacs_authentication_status
Definition base.c:60
process_tacacs_sections_t::deny_client
CONF_SECTION * deny_client
Definition base.c:161
process_tacacs_sections_t::auth_fail
CONF_SECTION * auth_fail
Definition base.c:137
attr_tacacs_authentication_action
static fr_dict_attr_t const * attr_tacacs_authentication_action
Definition base.c:56
attr_tacacs_client_port
static fr_dict_attr_t const * attr_tacacs_client_port
Definition base.c:66
process_tacacs_t::auth
process_tacacs_auth_t auth
Authentication configuration.
Definition base.c:185
attr_tacacs_remote_address
static fr_dict_attr_t const * attr_tacacs_remote_address
Definition base.c:69
process_tacacs_session_t::seq_no
uint8_t seq_no
sequence number of last request.
Definition base.c:191
process_tacacs_auth_t::state_tree
fr_state_tree_t * state_tree
State tree to link multiple requests/responses.
Definition base.c:174
COPY
#define COPY(_attr)
attr_tacacs_action
static fr_dict_attr_t const * attr_tacacs_action
Definition base.c:55
attr_tacacs_sequence_number
static fr_dict_attr_t const * attr_tacacs_sequence_number
Definition base.c:72
attr_tacacs_authorization_status
static fr_dict_attr_t const * attr_tacacs_authorization_status
Definition base.c:62
process_tacacs_sections_t::autz_fail
CONF_SECTION * autz_fail
Definition base.c:150
attr_tacacs_accounting_flags
static fr_dict_attr_t const * attr_tacacs_accounting_flags
Definition base.c:64
attr_tacacs_data
static fr_dict_attr_t const * attr_tacacs_data
Definition base.c:67
attr_tacacs_state
static fr_dict_attr_t const * attr_tacacs_state
Definition base.c:73
process_tacacs_auth_t::max_rounds
uint32_t max_rounds
maximum number of authentication rounds allowed
Definition base.c:168
process_tacacs_t::session_id
uint32_t session_id
current session ID
Definition base.c:180
process_tacacs_sections_t::auth_getpass
CONF_SECTION * auth_getpass
Definition base.c:140
process_tacacs_dict
fr_dict_autoload_t process_tacacs_dict[]
Definition base.c:43
state_create
static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
Definition base.c:231
process_tacacs_auth_t
Definition base.c:164
process_tacacs_sections_t
Definition base.c:132
process_tacacs_session_t
Definition base.c:188
process_tacacs_t
Definition base.c:177
PROCESS_TRACE
#define PROCESS_TRACE
Trace each state function as it's entered.
Definition process.h:66
fr_process_module_s::common
module_t common
Common fields for all loadable modules.
Definition process.h:55
fr_process_module_s
Common public symbol definition for all process modules.
Definition process.h:54
fr_tacacs_packet_names
char const * fr_tacacs_packet_names[FR_TACACS_CODE_MAX]
Definition base.c:119
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54
RDEBUG
#define RDEBUG(fmt,...)
Definition radclient.h:53
send_reply
static void send_reply(int sockfd, fr_channel_data_t *reply)
Definition radius1_test.c:190
rcode_table
fr_table_num_sorted_t const rcode_table[]
Definition rcode.c:35
RETURN_MODULE_TRANSPARENT
#define RETURN_MODULE_TRANSPARENT
Don't modify the current rcode.
Definition rcode.h:70
RETURN_MODULE_FAIL
#define RETURN_MODULE_FAIL
Definition rcode.h:57
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
RLM_MODULE_INVALID
@ RLM_MODULE_INVALID
The module considers the request invalid.
Definition rcode.h:45
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:43
RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:42
RLM_MODULE_DISALLOW
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition rcode.h:46
RLM_MODULE_REJECT
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:41
RLM_MODULE_TIMEOUT
@ RLM_MODULE_TIMEOUT
Module (or section) timed out.
Definition rcode.h:50
RLM_MODULE_NOTFOUND
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:47
RLM_MODULE_UPDATED
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition rcode.h:49
RLM_MODULE_NOOP
@ RLM_MODULE_NOOP
Module succeeded without doing anything.
Definition rcode.h:48
RLM_MODULE_NUMCODES
@ RLM_MODULE_NUMCODES
How many valid return codes there are.
Definition rcode.h:51
RLM_MODULE_HANDLED
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition rcode.h:44
request_is_dynamic_client
#define request_is_dynamic_client(_x)
Definition request.h:188
request_data_reference
void * request_data_reference(request_t *request, void const *unique_ptr, int unique_int)
Get opaque data from a request without removing it.
Definition request_data.c:339
request_data_talloc_add
#define request_data_talloc_add(_request, _unique_ptr, _unique_int, _type, _opaque, _free_on_replace, _free_on_parent, _persist)
Add opaque data to a request_t.
Definition request_data.h:86
process_rcode
static unlang_action_t process_rcode(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_peap.c:107
hash
static unsigned int hash(char const *username, unsigned int tablesize)
Definition rlm_passwd.c:132
instantiate
static int instantiate(module_inst_ctx_t const *mctx)
Definition rlm_rest.c:1313
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:330
module_instance_s::data
void * data
Module's instance data.
Definition module.h:272
module_s::config
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:198
pair_append_reply
#define pair_append_reply(_attr, _da)
Allocate and append a fr_pair_t to reply list.
Definition pair.h:47
fr_state_tree_init
fr_state_tree_t * fr_state_tree_init(TALLOC_CTX *ctx, fr_dict_attr_t const *da, bool thread_safe, uint32_t max_sessions, fr_time_delta_t timeout, uint8_t server_id, uint32_t context_id)
Initialise a new state tree.
Definition state.c:220
fr_state_discard
void fr_state_discard(fr_state_tree_t *state, request_t *request)
Called when sending an Access-Accept/Access-Reject to discard state information.
Definition state.c:605
fr_request_to_state
int fr_request_to_state(fr_state_tree_t *state, request_t *request)
Transfer ownership of the state fr_pair_ts and ctx, back to a state entry.
Definition state.c:736
fr_state_to_request
int fr_state_to_request(fr_state_tree_t *state, request_t *request)
Copy a pointer to the head of the list of state fr_pair_ts (and their ctx) into the request.
Definition state.c:659
fr_state_tree_s
Definition state.c:143
unlang_module_yield_to_section
unlang_action_t unlang_module_yield_to_section(rlm_rcode_t *p_result, request_t *request, CONF_SECTION *subcs, rlm_rcode_t default_rcode, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Definition module.c:247
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3620
RESUME
#define RESUME(_x)
Definition state_machine.c:51
vp
fr_pair_t * vp
Definition state_machine.c:2262
pair_list_s
Definition pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
fr_table_str_by_value
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772
FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
Definition tacacs.h:211
FR_TAC_PLUS_AUTHOR_STATUS_ERROR
@ FR_TAC_PLUS_AUTHOR_STATUS_ERROR
Definition tacacs.h:214
FR_TAC_PLUS_AUTHOR_STATUS_FAIL
@ FR_TAC_PLUS_AUTHOR_STATUS_FAIL
Definition tacacs.h:213
FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
Definition tacacs.h:212
FR_TACACS_PACKET_CODE_VALID
#define FR_TACACS_PACKET_CODE_VALID(_code)
Definition tacacs.h:322
packet_is_authen_start_request
#define packet_is_authen_start_request(p)
3.4.
Definition tacacs.h:49
FR_TACACS_CODE_ACCT_ERROR
@ FR_TACACS_CODE_ACCT_ERROR
Definition tacacs.h:315
FR_TACACS_CODE_DO_NOT_RESPOND
@ FR_TACACS_CODE_DO_NOT_RESPOND
Definition tacacs.h:318
FR_TACACS_CODE_ACCT_REQUEST
@ FR_TACACS_CODE_ACCT_REQUEST
Definition tacacs.h:313
FR_TACACS_CODE_AUTZ_REQUEST
@ FR_TACACS_CODE_AUTZ_REQUEST
Definition tacacs.h:307
FR_TACACS_CODE_AUTH_GETDATA
@ FR_TACACS_CODE_AUTH_GETDATA
Definition tacacs.h:298
FR_TACACS_CODE_AUTH_RESTART
@ FR_TACACS_CODE_AUTH_RESTART
Definition tacacs.h:301
FR_TACACS_CODE_AUTZ_PASS_REPLACE
@ FR_TACACS_CODE_AUTZ_PASS_REPLACE
Definition tacacs.h:309
FR_TACACS_CODE_AUTH_GETUSER
@ FR_TACACS_CODE_AUTH_GETUSER
Definition tacacs.h:299
FR_TACACS_CODE_AUTH_GETPASS
@ FR_TACACS_CODE_AUTH_GETPASS
Definition tacacs.h:300
FR_TACACS_CODE_AUTZ_FAIL
@ FR_TACACS_CODE_AUTZ_FAIL
Definition tacacs.h:310
FR_TACACS_CODE_AUTH_CONT_ABORT
@ FR_TACACS_CODE_AUTH_CONT_ABORT
Definition tacacs.h:305
FR_TACACS_CODE_AUTH_PASS
@ FR_TACACS_CODE_AUTH_PASS
Definition tacacs.h:296
FR_TACACS_CODE_AUTH_CONT
@ FR_TACACS_CODE_AUTH_CONT
Definition tacacs.h:304
FR_TACACS_CODE_AUTZ_PASS_ADD
@ FR_TACACS_CODE_AUTZ_PASS_ADD
Definition tacacs.h:308
FR_TACACS_CODE_AUTH_START
@ FR_TACACS_CODE_AUTH_START
Definition tacacs.h:295
FR_TACACS_CODE_AUTH_FAIL
@ FR_TACACS_CODE_AUTH_FAIL
Definition tacacs.h:297
FR_TACACS_CODE_AUTH_ERROR
@ FR_TACACS_CODE_AUTH_ERROR
Definition tacacs.h:302
FR_TACACS_CODE_AUTZ_ERROR
@ FR_TACACS_CODE_AUTZ_ERROR
Definition tacacs.h:311
FR_TACACS_CODE_ACCT_SUCCESS
@ FR_TACACS_CODE_ACCT_SUCCESS
Definition tacacs.h:314
FR_TAC_PLUS_ACCT_STATUS_SUCCESS
@ FR_TAC_PLUS_ACCT_STATUS_SUCCESS
Definition tacacs.h:255
FR_TAC_PLUS_ACCT_STATUS_ERROR
@ FR_TAC_PLUS_ACCT_STATUS_ERROR
Definition tacacs.h:256
FR_TAC_PLUS_AUTHEN_STATUS_PASS
@ FR_TAC_PLUS_AUTHEN_STATUS_PASS
Definition tacacs.h:151
FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
@ FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
Definition tacacs.h:153
FR_TAC_PLUS_AUTHEN_STATUS_ERROR
@ FR_TAC_PLUS_AUTHEN_STATUS_ERROR
Definition tacacs.h:157
FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
@ FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
Definition tacacs.h:154
FR_TAC_PLUS_AUTHEN_STATUS_FAIL
@ FR_TAC_PLUS_AUTHEN_STATUS_FAIL
Definition tacacs.h:152
FR_TAC_PLUS_AUTHEN_STATUS_RESTART
@ FR_TAC_PLUS_AUTHEN_STATUS_RESTART
Definition tacacs.h:156
FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
@ FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
Definition tacacs.h:155
fr_tacacs_packet_t
Definition tacacs.h:276
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:287
fr_time_delta_s
A time delta, a difference in time measured in nanoseconds.
Definition time.h:80
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition pair_inline.c:69
fr_value_box_cmp
int8_t fr_value_box_cmp(fr_value_box_t const *a, fr_value_box_t const *b)
Compare two values.
Definition value.c:722
fr_value_box_copy
int fr_value_box_copy(TALLOC_CTX *ctx, fr_value_box_t *dst, const fr_value_box_t *src)
Copy value data verbatim duplicating any buffers.
Definition value.c:3962
out
static size_t char ** out
Definition value.h:1020
virtual_server_section_attribute_define
int virtual_server_section_attribute_define(CONF_SECTION *server_cs, char const *subcs_name, fr_dict_attr_t const *da)
Define a values for Auth-Type attributes by the sections present in a virtual-server.
Definition virtual_servers.c:1401
virtual_server_compile_s::section
section_name_t const * section
Identifier for the section.
Definition virtual_servers.h:103
COMPILE_TERMINATOR
#define COMPILE_TERMINATOR
Definition virtual_servers.h:113
virtual_server_compile_s
Processing sections which are allowed in this virtual server.
Definition virtual_servers.h:102
Generated by   doxygen 1.9.8