The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
base.c
Go to the documentation of this file.
1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 6f36a73888e56e8cc0d7104edff8391b818c10e6 $
19  * @file src/process/tacacs/base.c
20  * @brief TACACS+ handler.
21  * @author Jorge Pereira <jpereira@freeradius.org>
22  *
23  * @copyright 2020 The FreeRADIUS server project.
24  * @copyright 2020 Network RADIUS SAS (legal@networkradius.com)
25  */
26 
27 
28 #include <freeradius-devel/io/listen.h>
29 #include <freeradius-devel/io/master.h>
30 #include <freeradius-devel/server/main_config.h>
31 #include <freeradius-devel/server/protocol.h>
32 #include <freeradius-devel/server/state.h>
33 #include <freeradius-devel/tacacs/tacacs.h>
34 #include <freeradius-devel/unlang/call.h>
35 #include <freeradius-devel/util/debug.h>
36 
37 #include <freeradius-devel/protocol/tacacs/tacacs.h>
38 
39 static fr_dict_t const *dict_freeradius;
40 static fr_dict_t const *dict_tacacs;
41 
42 extern fr_dict_autoload_t process_tacacs_dict[];
43 fr_dict_autoload_t process_tacacs_dict[] = {
44  { .out = &dict_freeradius, .proto = "freeradius" },
45  { .out = &dict_tacacs, .proto = "tacacs" },
46  { NULL }
47 };
48 
49 static fr_dict_attr_t const *attr_auth_type;
50 static fr_dict_attr_t const *attr_module_failure_message;
51 static fr_dict_attr_t const *attr_module_success_message;
52 static fr_dict_attr_t const *attr_stripped_user_name;
53 static fr_dict_attr_t const *attr_packet_type;
54 
55 static fr_dict_attr_t const *attr_tacacs_action;
56 static fr_dict_attr_t const *attr_tacacs_authentication_action;
57 static fr_dict_attr_t const *attr_tacacs_authentication_flags;
58 static fr_dict_attr_t const *attr_tacacs_authentication_type;
59 static fr_dict_attr_t const *attr_tacacs_authentication_service;
60 static fr_dict_attr_t const *attr_tacacs_authentication_status;
61 
62 static fr_dict_attr_t const *attr_tacacs_authorization_status;
63 static fr_dict_attr_t const *attr_tacacs_accounting_status;
64 static fr_dict_attr_t const *attr_tacacs_accounting_flags;
65 
66 static fr_dict_attr_t const *attr_tacacs_client_port;
67 static fr_dict_attr_t const *attr_tacacs_data;
68 static fr_dict_attr_t const *attr_tacacs_privilege_level;
69 static fr_dict_attr_t const *attr_tacacs_remote_address;
70 static fr_dict_attr_t const *attr_tacacs_server_message;
71 static fr_dict_attr_t const *attr_tacacs_session_id;
72 static fr_dict_attr_t const *attr_tacacs_sequence_number;
73 static fr_dict_attr_t const *attr_tacacs_state;
74 static fr_dict_attr_t const *attr_tacacs_user_message;
75 
76 static fr_dict_attr_t const *attr_user_name;
77 static fr_dict_attr_t const *attr_user_password;
78 static fr_dict_attr_t const *attr_chap_password;
79 
80 extern fr_dict_attr_autoload_t process_tacacs_dict_attr[];
81 fr_dict_attr_autoload_t process_tacacs_dict_attr[] = {
82  { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
83  { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
84  { .out = &attr_module_success_message, .name = "Module-Success-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
85  { .out = &attr_stripped_user_name, .name = "Stripped-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
86  { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
87 
88  { .out = &attr_tacacs_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
89  { .out = &attr_tacacs_authentication_flags, .name = "Authentication-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
90  { .out = &attr_tacacs_authentication_type, .name = "Authentication-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
91  { .out = &attr_tacacs_authentication_service, .name = "Authentication-Service", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
92 
93  { .out = &attr_tacacs_authentication_status, .name = "Authentication-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
94  { .out = &attr_tacacs_authorization_status, .name = "Authorization-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
95 
96  { .out = &attr_tacacs_accounting_status, .name = "Accounting-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
97  { .out = &attr_tacacs_accounting_flags, .name = "Accounting-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
98 
99  { .out = &attr_tacacs_client_port, .name = "Client-Port", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
100  { .out = &attr_tacacs_data, .name = "Data", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
101  { .out = &attr_tacacs_privilege_level, .name = "Privilege-Level", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
102  { .out = &attr_tacacs_remote_address, .name = "Remote-Address", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
103  { .out = &attr_tacacs_authentication_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
104  { .out = &attr_tacacs_session_id, .name = "Packet.Session-Id", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
105  { .out = &attr_tacacs_sequence_number, .name = "Packet.Sequence-Number", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
106  { .out = &attr_tacacs_server_message, .name = "Server-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
107  { .out = &attr_tacacs_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
108  { .out = &attr_tacacs_user_message, .name = "User-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
109 
110  { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
111  { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
112  { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
113 
114  { NULL }
115 };
116 
117 static fr_value_box_t const *enum_auth_type_accept;
118 static fr_value_box_t const *enum_auth_type_reject;
119 static fr_value_box_t const *enum_auth_flags_noecho;
120 static fr_value_box_t const *enum_tacacs_auth_type_ascii;
121 
122 extern fr_dict_enum_autoload_t process_tacacs_dict_enum[];
123 fr_dict_enum_autoload_t process_tacacs_dict_enum[] = {
124  { .out = &enum_auth_type_accept, .name = "Accept", .attr = &attr_auth_type },
125  { .out = &enum_auth_type_reject, .name = "Reject", .attr = &attr_auth_type },
126  { .out = &enum_auth_flags_noecho, .name = "No-Echo", .attr = &attr_tacacs_authentication_flags },
127  { .out = &enum_tacacs_auth_type_ascii, .name = "ASCII", .attr = &attr_tacacs_authentication_type },
128  { NULL }
129 };
130 
131 
132 typedef struct {
133  uint64_t nothing; // so that the next field isn't at offset 0
134 
135  CONF_SECTION *auth_start;
136  CONF_SECTION *auth_pass;
137  CONF_SECTION *auth_fail;
138  CONF_SECTION *auth_getdata;
139  CONF_SECTION *auth_getuser;
140  CONF_SECTION *auth_getpass;
141  CONF_SECTION *auth_restart;
142  CONF_SECTION *auth_error;
143 
144  CONF_SECTION *auth_cont;
145  CONF_SECTION *auth_cont_abort;
146 
147  CONF_SECTION *autz_request;
148  CONF_SECTION *autz_pass_add;
149  CONF_SECTION *autz_pass_replace;
150  CONF_SECTION *autz_fail;
151  CONF_SECTION *autz_error;
152 
153  CONF_SECTION *acct_request;
154  CONF_SECTION *acct_success;
155  CONF_SECTION *acct_error;
156 
157  CONF_SECTION *do_not_respond;
158 } process_tacacs_sections_t;
159 
160 typedef struct {
161  fr_time_delta_t session_timeout; //!< Maximum time between the last response and next request.
162  uint32_t max_session; //!< Maximum ongoing session allowed.
163 
164  uint32_t max_rounds; //!< maximum number of authentication rounds allowed
165 
166  uint8_t state_server_id; //!< Sets a specific byte in the state to allow the
167  //!< authenticating server to be identified in packet
168  //!<captures.
169 
170  fr_state_tree_t *state_tree; //!< State tree to link multiple requests/responses.
171 } process_tacacs_auth_t;
172 
173 typedef struct {
174  CONF_SECTION *server_cs; //!< Our virtual server.
175 
176  uint32_t session_id; //!< current session ID
177 
178  process_tacacs_sections_t sections; //!< Pointers to various config sections
179  ///< we need to execute
180 
181  process_tacacs_auth_t auth; //!< Authentication configuration.
182 } process_tacacs_t;
183 
184 typedef struct {
185  uint32_t rounds; //!< how many rounds were taken
186  uint32_t reply; //!< for multiround state machine
187  uint8_t seq_no; //!< sequence number of last request.
188  fr_pair_list_t list; //!< copied from the request
189 } process_tacacs_session_t;
190 
191 
192 #define PROCESS_PACKET_TYPE fr_tacacs_packet_code_t
193 #define PROCESS_CODE_MAX FR_TACACS_CODE_MAX
194 #define PROCESS_PACKET_CODE_VALID FR_TACACS_PACKET_CODE_VALID
195 #define PROCESS_INST process_tacacs_t
196 
197 #include <freeradius-devel/server/process.h>
198 
199 static const conf_parser_t session_config[] = {
200  { FR_CONF_OFFSET("timeout", process_tacacs_auth_t, session_timeout), .dflt = "15" },
201  { FR_CONF_OFFSET("max", process_tacacs_auth_t, max_session), .dflt = "4096" },
202  { FR_CONF_OFFSET("max_rounds", process_tacacs_auth_t, max_rounds), .dflt = "4" },
203  { FR_CONF_OFFSET("state_server_id", process_tacacs_auth_t, state_server_id) },
204 
205  CONF_PARSER_TERMINATOR
206 };
207 
208 static const conf_parser_t auth_config[] = {
209  { FR_CONF_POINTER("session", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) session_config },
210 
211  CONF_PARSER_TERMINATOR
212 };
213 
214 static const conf_parser_t config[] = {
215  { FR_CONF_POINTER("Authentication", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) auth_config,
216  .offset = offsetof(process_tacacs_t, auth), },
217 
218  CONF_PARSER_TERMINATOR
219 };
220 
221 
222 /*
223  * Synthesize a State attribute from connection && session information.
224  */
225 static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
226 {
227  uint8_t buffer[12];
228  uint32_t hash;
229  fr_pair_t *vp;
230 
231  vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_session_id);
232  if (!vp) return -1;
233 
234  fr_nbo_from_uint32(buffer, vp->vp_uint32);
235 
236  vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_sequence_number);
237  if (!vp) return -1;
238 
239  /*
240  * Requests have odd sequence numbers, and replies have even sequence numbers.
241  * So if we want to synthesize a state in a reply which gets matched with the next
242  * request, we have to add 2 to it.
243  */
244  hash = vp->vp_uint8 + ((int) reply << 1);
245 
246  fr_nbo_from_uint32(buffer + 4, hash);
247 
248  /*
249  * Hash in the listener. For now, we don't allow internally proxied requests.
250  */
251  fr_assert(request->async != NULL);
252  fr_assert(request->async->listen != NULL);
253  hash = fr_hash(&request->async->listen, sizeof(request->async->listen));
254 
255  fr_nbo_from_uint32(buffer + 8, hash);
256 
257  vp = fr_pair_afrom_da(ctx, attr_tacacs_state);
258  if (!vp) return -1;
259 
260  (void) fr_pair_value_memdup(vp, buffer, 12, false);
261 
262  fr_pair_append(out, vp);
263 
264  return 0;
265 }
266 
267 /** Try and determine what the response packet type should be
268  *
269  * We check three sources:
270  * - reply.``<status_attr>``
271  * - reply.Packet-Type
272  * - State machine packet type assignments for the section rcode
273  *
274  * @param[in] request The current request.
275  * @param[in] status_da Specialised status attribute.
276  * @param[in] status2code Mapping table of *packet* status types to rcodes.
277  * @param[in] state Mappings for process state machine
278  * @param[in] process_rcode Mappings for Auth-Type / Acct-Type, which don't use the process state machine
279  * @param[in] rcode The last section rcode.
280  * @return
281  * - >0 if we determined a reply code.
282  * - 0 if we couldn't - Usually indicates additional sections should be run.
283  */
284 static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da,
285  uint32_t const status2code[static UINT8_MAX + 1],
286  fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
287 {
288  fr_pair_t *vp;
289  uint32_t code;
290 
291  /*
292  * First check the protocol attribute for this packet type.
293  *
294  * Should be one of:
295  * - Authentication-Status
296  * - Authorization-Status
297  * - Accounting-Status
298  */
299  fr_assert(status_da->type == FR_TYPE_UINT8);
300 
301  vp = fr_pair_find_by_da(&request->reply_pairs, NULL, status_da);
302  if (vp) {
303  code = status2code[vp->vp_uint8];
304  if (FR_TACACS_PACKET_CODE_VALID(code)) {
305  RDEBUG("Setting reply Packet-Type from %pP", vp);
306  return code;
307  }
308  REDEBUG("Ignoring invalid status %pP", vp);
309  }
310 
311  if (state) {
312  code = state->packet_type[rcode];
313  if (FR_TACACS_PACKET_CODE_VALID(code)) return code;
314  }
315 
316  if (process_rcode) {
317  code = process_rcode[rcode];
318  if (FR_TACACS_PACKET_CODE_VALID(code)) return code;
319  }
320 
321  /*
322  * Otherwise use Packet-Type (if set)
323  */
324  vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_packet_type);
325  if (vp && FR_TACACS_PACKET_CODE_VALID(vp->vp_uint32)) {
326  RDEBUG("Setting reply Packet-Type from %pV", &vp->data);
327  return vp->vp_uint32;
328  }
329 
330  return 0;
331 }
332 
333 RECV(auth_start)
334 {
335  fr_process_state_t const *state;
336  fr_pair_t *vp;
337 
338  /*
339  * Only "Login" is supported. The others are "change password" and "sendauth", which aren't
340  * used.
341  */
342  vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_action);
343  if (!vp) {
344  fail:
345  request->reply->code = FR_TACACS_CODE_AUTH_ERROR;
346  UPDATE_STATE(reply);
347 
348  fr_assert(state->send != NULL);
349  return CALL_SEND_STATE(state);
350  }
351 
352  if (vp->vp_uint8 != FR_ACTION_VALUE_LOGIN) {
353  RDEBUG("Invalid authentication action %u", vp->vp_uint8);
354  goto fail;
355  }
356 
357  /*
358  * There is no state to restore, so we just run the section as normal.
359  */
360 
361  return CALL_RECV(generic);
362 }
363 
364 RESUME(auth_type);
365 
366 static const uint32_t authen_status_to_packet_code[UINT8_MAX + 1] = {
367  [FR_TAC_PLUS_AUTHEN_STATUS_PASS] = FR_TACACS_CODE_AUTH_PASS,
368  [FR_TAC_PLUS_AUTHEN_STATUS_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
369  [FR_TAC_PLUS_AUTHEN_STATUS_GETDATA] = FR_TACACS_CODE_AUTH_GETDATA,
370  [FR_TAC_PLUS_AUTHEN_STATUS_GETUSER] = FR_TACACS_CODE_AUTH_GETUSER,
371  [FR_TAC_PLUS_AUTHEN_STATUS_GETPASS] = FR_TACACS_CODE_AUTH_GETPASS,
372  [FR_TAC_PLUS_AUTHEN_STATUS_RESTART] = FR_TACACS_CODE_AUTH_RESTART,
373  [FR_TAC_PLUS_AUTHEN_STATUS_ERROR] = FR_TACACS_CODE_AUTH_ERROR,
374 };
375 
376 RESUME(auth_start)
377 {
378  rlm_rcode_t rcode = *p_result;
379  fr_pair_t *vp;
380  CONF_SECTION *cs;
381  fr_dict_enum_value_t const *dv;
382  fr_process_state_t const *state;
383  process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
384 
385  PROCESS_TRACE;
386 
387  fr_assert(rcode < RLM_MODULE_NUMCODES);
388 
389  /*
390  * See if the return code from "recv" which says we reject, or continue.
391  */
392  UPDATE_STATE(packet);
393 
394  /*
395  * Nothing set the reply, so let's see if we need to do so.
396  *
397  * If the admin didn't set authentication-status, just
398  * use the defaults from the state machine.
399  */
400  if (!request->reply->code) {
401  request->reply->code = reply_code(request,
402  attr_tacacs_authentication_status,
403  authen_status_to_packet_code, state, NULL, rcode);
404  } else {
405  fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
406  }
407 
408  /*
409  * Check for multi-round authentication.
410  *
411  * We only run the automatic state machine (start -> getuser -> getpass -> pass/fail)
412  * when the admin does NOT set any reply type, or any reply authentication status.
413  *
414  * However, do DO always save and restore the attributes from the start packet, so that they are
415  * visible in a later packet.
416  */
417  if (!request->reply->code) {
418  process_tacacs_session_t *session;
419  fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
420 
421  session = request_data_reference(request, inst, 0);
422  if (!session) {
423  /*
424  * This function is called for resuming both "start" and "continue" packets, so
425  * we have to check for "start" here.
426  *
427  * We only do multi-round authentication for the ASCII authentication type.
428  * Other authentication types are defined to be one request/reply only.
429  */
430  vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
431  if (!packet_is_authen_start_request(packet) ||
432  (vp && (fr_value_box_cmp(&vp->data, enum_tacacs_auth_type_ascii) != 0))) {
433  goto auth_type;
434  }
435 
436  vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name);
437  if (!vp) {
438  RDEBUG("No User-Name, replying with Authentication-GetUser");
439  request->reply->code = FR_TACACS_CODE_AUTH_GETUSER;
440  } else {
441  RDEBUG("User-Name = %pV, replying with Authentication-GetPass", &vp->data);
442  request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
443  goto add_auth_flags;
444  }
445 
446  goto send_reply;
447  }
448 
449  /*
450  * Last reply was "get username", we now get the password.
451  */
452  if (session->reply == FR_TACACS_CODE_AUTH_GETUSER) {
453  RDEBUG("No User-Password, replying with Authentication-GetPass");
454  request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
455 
456  /*
457  * Pre-set the authentication flags reply to No-Echo
458  * RFC 8907 says this should be set when the data being
459  * requested is sensitive and should not be echoed to the
460  * user as it is being entered.
461  */
462  add_auth_flags:
463  MEM(pair_append_reply(&vp, attr_tacacs_authentication_flags) >= 0);
464  (void) fr_value_box_copy(vp, &vp->data, enum_auth_flags_noecho);
465  vp->data.enumv = attr_tacacs_authentication_flags;
466  goto send_reply;
467  }
468 
469  /*
470  * We either have a password, or the admin screwed up the configuration somehow. Just go
471  * run "Auth-Type foo".
472  */
473  goto auth_type;
474  }
475 
476  /*
477  * Something set the reply code, skip
478  * the normal auth flow and respond immediately.
479  */
480  if (request->reply->code) {
481  switch (request->reply->code) {
482  case FR_TACACS_CODE_AUTH_FAIL:
483  RDEBUG("The 'recv Authentication-Start' section returned %s - rejecting the request",
484  fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
485  break;
486 
487  default:
488  RDEBUG("Reply packet type was set to %s", fr_tacacs_packet_names[request->reply->code]);
489  break;
490  }
491 
492  send_reply:
493  UPDATE_STATE(reply);
494 
495  fr_assert(state->send != NULL);
496  return CALL_SEND_STATE(state);
497  }
498 
499  /*
500  * Run authenticate foo { ... }
501  *
502  * If we can't find Auth-Type, OR if we can't find Auth-Type = foo, then it's a reject.
503  *
504  * We prefer the local Auth-Type to the Authentication-Type in the packet. But if there's no
505  * Auth-Type set by the admin, then we use what's in the packet.
506  */
507  auth_type:
508  vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_auth_type);
509  if (!vp) vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
510  if (!vp) {
511  RDEBUG("No 'Auth-Type' or 'Authentication-Type' attribute found, "
512  "cannot authenticate the user - rejecting the request");
513 
514  reject:
515  request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
516  goto send_reply;
517  }
518 
519  dv = fr_dict_enum_by_value(vp->da, &vp->data);
520  if (!dv) {
521  RDEBUG("Invalid value for '%s' attribute, cannot authenticate the user - rejecting the request",
522  vp->da->name);
523 
524  goto reject;
525  }
526 
527  /*
528  * The magic Auth-Type Accept value which means skip the authenticate section.
529  *
530  * And Reject means always reject. Tho the admin should just return "reject" from the section.
531  */
532  if (vp->da == attr_auth_type) {
533  if (fr_value_box_cmp(enum_auth_type_accept, dv->value) == 0) {
534  request->reply->code = FR_TACACS_CODE_AUTH_PASS;
535  goto send_reply;
536 
537  } else if (fr_value_box_cmp(enum_auth_type_reject, dv->value) == 0) {
538  request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
539  goto send_reply;
540  }
541  }
542 
543  cs = cf_section_find(inst->server_cs, "authenticate", dv->name);
544  if (!cs) {
545  RDEBUG2("No 'authenticate %s { ... }' section found - rejecting the request", dv->name);
546  goto reject;
547  }
548 
549  /*
550  * Run the "authenticate foo { ... }" section.
551  *
552  * And continue with sending the generic reply.
553  */
554  RDEBUG("Running 'authenticate %s' from file %s", cf_section_name2(cs), cf_filename(cs));
555  return unlang_module_yield_to_section(p_result, request,
556  cs, RLM_MODULE_NOOP, resume_auth_type,
557  NULL, 0, mctx->rctx);
558 }
559 
560 RESUME(auth_type)
561 {
562  static const fr_process_rcode_t auth_type_rcode = {
563  [RLM_MODULE_OK] = FR_TACACS_CODE_AUTH_PASS,
564  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
565  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
566  [RLM_MODULE_NOOP] = FR_TACACS_CODE_AUTH_FAIL,
567  [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
568  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
569  [RLM_MODULE_UPDATED] = FR_TACACS_CODE_AUTH_FAIL,
570  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
571  };
572 
573  rlm_rcode_t rcode = *p_result;
574  fr_process_state_t const *state;
575  fr_pair_t *vp;
576 
577  PROCESS_TRACE;
578 
579  fr_assert(rcode < RLM_MODULE_NUMCODES);
580 
581  /*
582  * If nothing set the reply code, then try to set it from various other things.
583  *
584  * The user could have set Authentication-Status
585  * or Packet-Type to something other than
586  * pass...
587  */
588  if (!request->reply->code) {
589  request->reply->code = reply_code(request,
590  attr_tacacs_authentication_status,
591  authen_status_to_packet_code, NULL, auth_type_rcode, rcode);
592  } else {
593  fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
594  }
595 
596  switch (request->reply->code) {
597  case 0:
598  RDEBUG("No reply code was set. Forcing to Authentication-Fail");
599  fail:
600  request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
601  FALL_THROUGH;
602 
603  /*
604  * Print complaints before running "send Access-Reject"
605  */
606  case FR_TACACS_CODE_AUTH_FAIL:
607  RDEBUG2("Failed to authenticate the user");
608  break;
609 
610  case FR_TACACS_CODE_AUTH_GETDATA:
611  case FR_TACACS_CODE_AUTH_GETUSER:
612  case FR_TACACS_CODE_AUTH_GETPASS:
613  vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
614  if (vp && (vp->vp_uint32 != FR_AUTHENTICATION_TYPE_VALUE_ASCII)) {
615  RDEBUG2("Cannot send challenges for %pP", vp);
616  goto fail;
617  }
618  break;
619 
620  default:
621  break;
622 
623  }
624  UPDATE_STATE(reply);
625 
626  fr_assert(state->send != NULL);
627  return state->send(p_result, mctx, request);
628 }
629 
630 RESUME(auth_pass)
631 {
632  process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
633 
634  PROCESS_TRACE;
635 
636  // @todo - worry about user identity existing?
637 
638  fr_state_discard(inst->auth.state_tree, request);
639  RETURN_MODULE_OK;
640 }
641 
642 RESUME(auth_fail)
643 {
644  process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
645 
646  PROCESS_TRACE;
647 
648  // @todo - insert server message saying "failed"
649  // and also for FAIL
650 
651  fr_state_discard(inst->auth.state_tree, request);
652  RETURN_MODULE_OK;
653 }
654 
655 RESUME(auth_restart)
656 {
657  process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
658 
659  PROCESS_TRACE;
660 
661  fr_state_discard(inst->auth.state_tree, request);
662  RETURN_MODULE_OK;
663 }
664 
665 RESUME(auth_get)
666 {
667  process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
668  process_tacacs_session_t *session;
669  fr_pair_t *vp, *copy;
670 
671  PROCESS_TRACE;
672 
673  /*
674  * Track multi-round authentication flows. Note that they can only start with an
675  * "Authentication-Start" packet, but they can continue with an "Authentication-Continue" packet.
676  *
677  * If there's no session being tracked, then we create one for a start packet.
678  */
679  session = request_data_reference(request, inst, 0);
680  if (!session) {
681  fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
682 
683  if (!packet_is_authen_start_request(packet)) goto send_reply;
684 
685  MEM(session = talloc_zero(NULL, process_tacacs_session_t));
686  if (request_data_talloc_add(request, inst, 0, process_tacacs_session_t, session, true, true, true) < 0) {
687  talloc_free(session);
688  goto send_reply;
689  }
690 
691  /*
692  * These are the only things which saved. The rest of the fields are either static (and statically
693  * known), or are irrelevant.
694  */
695  fr_pair_list_init(&session->list);
696 #undef COPY
697 #define COPY(_attr) do { \
698  vp = fr_pair_find_by_da(&request->request_pairs, NULL, _attr); \
699  if (!vp) break; \
700  MEM(copy = fr_pair_copy(session, vp)); \
701  fr_pair_append(&session->list, copy); \
702  RDEBUG2("%pP", copy); \
703 } while (0)
704 
705  RDEBUG2("Caching session attributes:");
706  RINDENT();
707  COPY(attr_user_name);
708  COPY(attr_tacacs_client_port);
709  COPY(attr_tacacs_remote_address);
710  COPY(attr_tacacs_privilege_level);
711  COPY(attr_tacacs_authentication_type);
712  REXDENT();
713 
714  } else {
715  session->rounds++;
716 
717  if (session->rounds > inst->auth.max_rounds) {
718  REDEBUG("Too many rounds of authentication - failing the session");
719  return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_FAIL);
720  }
721 
722  /*
723  * It is possible that the user name or password are added on subsequent Authentication-Continue
724  * packets following replies with Authentication-GetUser or Authentication-GetPass.
725  * Check if they are already in the session cache, and if not, add them.
726  */
727 #define COPY_MISSING(_attr) do { \
728  vp = fr_pair_find_by_da(&session->list, NULL, _attr); \
729  if (vp) break; \
730  COPY(_attr); \
731 } while (0)
732 
733  RDEBUG2("Caching additional session attributes:");
734  RINDENT();
735  COPY_MISSING(attr_user_name);
736  COPY_MISSING(attr_user_password);
737  REXDENT();
738  }
739  session->reply = request->reply->code;
740  session->seq_no = request->packet->data[2];
741 
742 send_reply:
743  /*
744  * Cache the session state context.
745  */
746  if ((state_create(request->reply_ctx, &request->reply_pairs, request, true) < 0) ||
747  (fr_request_to_state(inst->auth.state_tree, request) < 0)) {
748  return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
749  }
750 
751  RETURN_MODULE_OK;
752 }
753 
754 RECV(auth_cont)
755 {
756  process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
757  process_tacacs_session_t *session;
758 
759  if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
760  (fr_state_to_request(inst->auth.state_tree, request) < 0)) {
761  return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
762  }
763 
764  /*
765  * Restore key fields from the original Authentication-Start packet.
766  */
767  session = request_data_reference(request, inst, 0);
768  if (session) {
769  fr_pair_t *vp = NULL, *copy;
770 
771  if (request->packet->data[2] <= session->seq_no) {
772  REDEBUG("Client sent invalid sequence number %02x, expected >%02x", request->packet->data[2], session->seq_no);
773  error:
774  return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
775  }
776 
777  if (fr_debug_lvl >= L_DBG_LVL_2) {
778  RDEBUG2("Restoring session attributes:");
779  RINDENT();
780  while ((vp = fr_pair_list_next(&session->list, vp))) {
781  RDEBUG2("%pP", vp);
782  }
783  REXDENT();
784  }
785  if (fr_pair_list_copy(request->request_ctx, &request->request_pairs, &session->list) < 0) goto error;
786 
787  /*
788  * Copy the returned user_message into the attribute we requested.
789  */
790 #define EXTRACT(_attr) \
791  vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_user_message); \
792  if (!vp) break; \
793  fr_value_box_set_secret(&vp->data, _attr->flags.secret); \
794  if (pair_append_request(&copy, _attr) < 0) break; \
795  if (fr_pair_value_copy(copy, vp) < 0) { \
796  fr_pair_remove(&request->request_pairs, copy); \
797  talloc_free(copy); \
798  break; \
799  } \
800  RDEBUG2("Populated %pP from user_message", copy)
801 
802  switch (session->reply) {
803  case FR_TACACS_CODE_AUTH_GETUSER:
804  EXTRACT(attr_user_name);
805  break;
806 
807  case FR_TACACS_CODE_AUTH_GETPASS:
808  EXTRACT(attr_user_password);
809  break;
810 
811  default:
812  break;
813  }
814  }
815 
816  return CALL_RECV(generic);
817 }
818 
819 /*
820  * The client aborted the session. The reply should be RESTART or FAIL.
821  */
822 RECV(auth_cont_abort)
823 {
824  process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
825 
826  if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
827  (fr_state_to_request(inst->auth.state_tree, request) < 0)) {
828  return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
829  }
830 
831  return CALL_RECV(generic);
832 }
833 
834 RESUME(auth_cont_abort)
835 {
836  fr_process_state_t const *state;
837 
838  if (!request->reply->code) request->reply->code = FR_TACACS_CODE_AUTH_RESTART;
839 
840  UPDATE_STATE(reply);
841 
842  fr_assert(state->send != NULL);
843  return CALL_SEND_STATE(state);
844 }
845 
846 
847 static const uint32_t author_status_to_packet_code[UINT8_MAX + 1] = {
848  [FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD] = FR_TACACS_CODE_AUTZ_PASS_ADD,
849  [FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL] = FR_TACACS_CODE_AUTZ_PASS_REPLACE,
850  [FR_TAC_PLUS_AUTHOR_STATUS_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
851  [FR_TAC_PLUS_AUTHOR_STATUS_ERROR] = FR_TACACS_CODE_AUTZ_ERROR,
852 };
853 
854 
855 RESUME(autz_request)
856 {
857  rlm_rcode_t rcode = *p_result;
858  fr_process_state_t const *state;
859 
860  PROCESS_TRACE;
861 
862  fr_assert(rcode < RLM_MODULE_NUMCODES);
863 
864  /*
865  * See if the return code from "recv" which says we reject, or continue.
866  */
867  UPDATE_STATE(packet);
868 
869  /*
870  * Nothing set the reply, so let's see if we need to do so.
871  *
872  * If the admin didn't set authorization-status, just
873  * use the defaults from the state machine.
874  */
875  if (!request->reply->code) {
876  request->reply->code = reply_code(request, attr_tacacs_authorization_status,
877  author_status_to_packet_code, state, NULL, rcode);
878  if (!request->reply->code) request->reply->code = FR_TACACS_CODE_AUTZ_ERROR;
879 
880  } else {
881  fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
882  }
883 
884  RDEBUG("Reply packet type set to %s", fr_tacacs_packet_names[request->reply->code]);
885 
886  UPDATE_STATE(reply);
887 
888  fr_assert(state->send != NULL);
889  return CALL_SEND_STATE(state);
890 }
891 
892 static const uint32_t acct_status_to_packet_code[UINT8_MAX + 1] = {
893  [FR_TAC_PLUS_ACCT_STATUS_SUCCESS] = FR_TACACS_CODE_ACCT_SUCCESS,
894  [FR_TAC_PLUS_ACCT_STATUS_ERROR] = FR_TACACS_CODE_ACCT_ERROR,
895 };
896 
897 RESUME(acct_type)
898 {
899  static const fr_process_rcode_t acct_type_rcode = {
900  [RLM_MODULE_OK] = FR_TACACS_CODE_ACCT_SUCCESS,
901  [RLM_MODULE_UPDATED] = FR_TACACS_CODE_ACCT_SUCCESS,
902  [RLM_MODULE_NOOP] = FR_TACACS_CODE_ACCT_ERROR,
903  [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
904  [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
905  [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
906  [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
907  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
908  };
909 
910  rlm_rcode_t rcode = *p_result;
911  fr_process_state_t const *state;
912 
913  PROCESS_TRACE;
914 
915  /*
916  * One more chance to override
917  */
918  if (!request->reply->code) {
919  request->reply->code = reply_code(request, attr_tacacs_accounting_status, acct_status_to_packet_code,
920  NULL, acct_type_rcode, rcode);
921  if (!request->reply->code) request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
922  } else {
923  fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
924  }
925 
926  UPDATE_STATE(reply);
927 
928  fr_assert(state->send != NULL);
929  return state->send(p_result, mctx, request);
930 }
931 
932 static const bool acct_flag_valid[8] = {
933  false, true, true, false, /* invalid, start, stop, invalid */
934  true, true, false, false, /* watchdog - no update, watchdog - update, invalid, invalid */
935 };
936 
937 RECV(accounting_request)
938 {
939  fr_pair_t *vp;
940 
941  vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
942 
943  /*
944  * RFC 8907 Section 7.2
945  */
946  if (vp && !acct_flag_valid[(vp->vp_uint8 & 0x0e) >> 1]) {
947  RWDEBUG("Invalid accounting request flag field %02x", vp->vp_uint8);
948  return CALL_SEND_TYPE(FR_TACACS_CODE_ACCT_ERROR);
949  }
950 
951  return CALL_RECV(generic);
952 }
953 
954 RESUME(accounting_request)
955 {
956  rlm_rcode_t rcode = *p_result;
957  fr_pair_t *vp;
958  CONF_SECTION *cs;
959  fr_dict_enum_value_t const *dv;
960  fr_process_state_t const *state;
961  process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
962 
963  PROCESS_TRACE;
964 
965  fr_assert(rcode < RLM_MODULE_NUMCODES);
966 
967  UPDATE_STATE(packet);
968 
969  /*
970  * Nothing set the reply, so let's see if we need to do so.
971  *
972  * If the admin didn't set accounting-status, just
973  * use the defaults from the state machine.
974  */
975  if (!request->reply->code) {
976  request->reply->code = reply_code(request, attr_tacacs_accounting_status,
977  acct_status_to_packet_code, state, NULL, rcode);
978  } else {
979  fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
980  }
981 
982  /*
983  * Something set the reply code, so we reply and don't run "accounting foo { ... }"
984  */
985  if (request->reply->code) {
986  fr_assert(FR_TACACS_PACKET_CODE_VALID(request->packet->code));
987 
988  RDEBUG("Reply packet type was set to %s", fr_tacacs_packet_names[request->reply->code]);
989 
990  UPDATE_STATE(reply);
991 
992  fr_assert(state->send != NULL);
993  return CALL_SEND_STATE(state);
994  }
995 
996  /*
997  * Run accounting foo { ... }
998  */
999  vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
1000  if (!vp) {
1001  fail:
1002  request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
1003  UPDATE_STATE(reply);
1004  fr_assert(state->send != NULL);
1005  return CALL_SEND_STATE(state);
1006  }
1007 
1008  dv = fr_dict_enum_by_value(vp->da, &vp->data);
1009  if (!dv) goto fail;
1010 
1011  cs = cf_section_find(inst->server_cs, "accounting", dv->name);
1012  if (!cs) {
1013  RDEBUG2("No 'accounting %s { ... }' section found - skipping...", dv->name);
1014  goto fail;
1015  }
1016 
1017  /*
1018  * Run the "accounting foo { ... }" section.
1019  *
1020  * And continue with sending the generic reply.
1021  */
1022  return unlang_module_yield_to_section(p_result, request,
1023  cs, RLM_MODULE_NOOP, resume_acct_type,
1024  NULL, 0, mctx->rctx);
1025 }
1026 
1027 static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
1028 {
1029  fr_process_state_t const *state;
1030 
1031  PROCESS_TRACE;
1032 
1033  (void)talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
1034  fr_assert(FR_TACACS_PACKET_CODE_VALID(request->packet->code));
1035 
1036  request->component = "tacacs";
1037  request->module = NULL;
1038  fr_assert(request->dict == dict_tacacs);
1039 
1040  UPDATE_STATE(packet);
1041 
1042  if (!state->recv) {
1043  REDEBUG("Invalid packet type (%u)", request->packet->code);
1044  RETURN_MODULE_FAIL;
1045  }
1046 
1047  // @todo - debug stuff!
1048 // tacacs_packet_debug(request, request->packet, &request->request_pairs, true);
1049 
1050  return state->recv(p_result, mctx, request);
1051 }
1052 
1053 static int mod_instantiate(module_inst_ctx_t const *mctx)
1054 {
1055  process_tacacs_t *inst = talloc_get_type_abort(mctx->mi->data, process_tacacs_t);
1056 
1057  inst->server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1058 
1059  FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.max_rounds, >=, 1);
1060  FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.max_rounds, <=, 8);
1061 
1062  FR_INTEGER_BOUND_CHECK("session.max", inst->auth.max_session, >=, 64);
1063  FR_INTEGER_BOUND_CHECK("session.max", inst->auth.max_session, <=, (1 << 18));
1064 
1065  inst->auth.state_tree = fr_state_tree_init(inst, attr_tacacs_state, main_config->spawn_workers, inst->auth.max_session,
1066  inst->auth.session_timeout, inst->auth.state_server_id,
1067  fr_hash_string(cf_section_name2(inst->server_cs)));
1068  return 0;
1069 }
1070 
1071 static int mod_bootstrap(module_inst_ctx_t const *mctx)
1072 {
1073  CONF_SECTION *server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1074 
1075  if (virtual_server_section_attribute_define(server_cs, "authenticate", attr_auth_type) < 0) return -1;
1076 
1077  return 0;
1078 }
1079 
1080 /*
1081  * rcodes not listed under a packet_type
1082  * mean that the packet code will not be
1083  * changed.
1084  */
1085 static fr_process_state_t const process_state[] = {
1086  /*
1087  * Authentication
1088  */
1089  [ FR_TACACS_CODE_AUTH_START ] = {
1090  .packet_type = {
1091  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1092  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1093  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1094  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1095  [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL
1096  },
1097  .rcode = RLM_MODULE_NOOP,
1098  .recv = recv_auth_start,
1099  .resume = resume_auth_start,
1100  .section_offset = offsetof(process_tacacs_sections_t, auth_start),
1101  },
1102  [ FR_TACACS_CODE_AUTH_PASS ] = {
1103  .packet_type = {
1104  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1105  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1106  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1107  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL
1108  },
1109  .rcode = RLM_MODULE_NOOP,
1110  .send = send_generic,
1111  .resume = resume_auth_pass,
1112  .section_offset = offsetof(process_tacacs_sections_t, auth_pass),
1113  },
1114  [ FR_TACACS_CODE_AUTH_FAIL ] = {
1115  .packet_type = {
1116  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1117  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1118  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1119  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL
1120  },
1121  .rcode = RLM_MODULE_NOOP,
1122  .send = send_generic,
1123  .resume = resume_auth_fail,
1124  .section_offset = offsetof(process_tacacs_sections_t, auth_fail),
1125  },
1126  [ FR_TACACS_CODE_AUTH_GETDATA ] = {
1127  .packet_type = {
1128  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1129  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1130  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1131  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL
1132  },
1133  .rcode = RLM_MODULE_NOOP,
1134  .send = send_generic,
1135  .resume = resume_auth_get,
1136  .section_offset = offsetof(process_tacacs_sections_t, auth_getdata),
1137  },
1138  [ FR_TACACS_CODE_AUTH_GETPASS ] = {
1139  .packet_type = {
1140  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1141  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1142  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1143  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL
1144  },
1145  .rcode = RLM_MODULE_NOOP,
1146  .send = send_generic,
1147  .resume = resume_auth_get,
1148  .section_offset = offsetof(process_tacacs_sections_t, auth_getpass),
1149  },
1150  [ FR_TACACS_CODE_AUTH_GETUSER ] = {
1151  .packet_type = {
1152  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1153  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1154  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1155  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL
1156  },
1157  .rcode = RLM_MODULE_NOOP,
1158  .send = send_generic,
1159  .resume = resume_auth_get,
1160  .section_offset = offsetof(process_tacacs_sections_t, auth_getuser),
1161  },
1162  [ FR_TACACS_CODE_AUTH_RESTART ] = {
1163  .packet_type = {
1164  },
1165  .rcode = RLM_MODULE_NOOP,
1166  .send = send_generic,
1167  .resume = resume_auth_restart,
1168  .section_offset = offsetof(process_tacacs_sections_t, auth_restart),
1169  },
1170  [ FR_TACACS_CODE_AUTH_ERROR ] = {
1171  .packet_type = {
1172  },
1173  .rcode = RLM_MODULE_NOOP,
1174  .send = send_generic,
1175  .resume = resume_auth_restart,
1176  .section_offset = offsetof(process_tacacs_sections_t, auth_error),
1177  },
1178 
1179  [ FR_TACACS_CODE_AUTH_CONT ] = {
1180  .packet_type = {
1181  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1182  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1183  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1184  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1185  [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL
1186  },
1187  .rcode = RLM_MODULE_NOOP,
1188  .recv = recv_auth_cont,
1189  .resume = resume_auth_start, /* we go back to running 'authenticate', etc. */
1190  .section_offset = offsetof(process_tacacs_sections_t, auth_cont),
1191  },
1192  [ FR_TACACS_CODE_AUTH_CONT_ABORT ] = {
1193  .packet_type = {
1194  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1195  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1196  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1197  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1198  [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL
1199  },
1200  .rcode = RLM_MODULE_NOOP,
1201  .recv = recv_auth_cont_abort,
1202  .resume = resume_auth_cont_abort,
1203  .section_offset = offsetof(process_tacacs_sections_t, auth_cont_abort),
1204  },
1205 
1206  /*
1207  * Authorization
1208  */
1209  [ FR_TACACS_CODE_AUTZ_REQUEST ] = {
1210  .packet_type = {
1211  [RLM_MODULE_NOOP] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1212  [RLM_MODULE_OK] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1213  [RLM_MODULE_UPDATED] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1214  [RLM_MODULE_HANDLED] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1215 
1216  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1217  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1218  [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1219  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1220  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1221  },
1222  .rcode = RLM_MODULE_NOOP,
1223  .recv = recv_generic,
1224  .resume = resume_autz_request,
1225  .section_offset = offsetof(process_tacacs_sections_t, autz_request),
1226  },
1227  [ FR_TACACS_CODE_AUTZ_PASS_ADD ] = {
1228  .packet_type = {
1229  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1230  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1231  [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1232  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1233  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1234  },
1235  .rcode = RLM_MODULE_NOOP,
1236  .send = send_generic,
1237  .resume = resume_send_generic,
1238  .section_offset = offsetof(process_tacacs_sections_t, autz_pass_add),
1239  },
1240  [ FR_TACACS_CODE_AUTZ_PASS_REPLACE ] = {
1241  .packet_type = {
1242  [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1243  [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1244  [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1245  [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1246  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1247  },
1248  .rcode = RLM_MODULE_NOOP,
1249  .send = send_generic,
1250  .resume = resume_send_generic,
1251  .section_offset = offsetof(process_tacacs_sections_t, autz_pass_replace),
1252  },
1253  [ FR_TACACS_CODE_AUTZ_FAIL ] = {
1254  .packet_type = {
1255  },
1256  .rcode = RLM_MODULE_NOOP,
1257  .send = send_generic,
1258  .resume = resume_send_generic,
1259  .section_offset = offsetof(process_tacacs_sections_t, autz_fail),
1260  },
1261  [ FR_TACACS_CODE_AUTZ_ERROR ] = {
1262  .packet_type = {
1263  },
1264  .rcode = RLM_MODULE_NOOP,
1265  .send = send_generic,
1266  .resume = resume_send_generic,
1267  .section_offset = offsetof(process_tacacs_sections_t, autz_error),
1268  },
1269 
1270  /*
1271  * Accounting
1272  */
1273  [ FR_TACACS_CODE_ACCT_REQUEST ] = {
1274  .packet_type = {
1275  [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
1276  [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
1277  [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
1278  [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
1279  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
1280  },
1281  .rcode = RLM_MODULE_NOOP,
1282  .recv = recv_accounting_request,
1283  .resume = resume_accounting_request,
1284  .section_offset = offsetof(process_tacacs_sections_t, acct_request),
1285  },
1286  [ FR_TACACS_CODE_ACCT_SUCCESS ] = {
1287  .packet_type = {
1288  [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
1289  [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
1290  [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
1291  [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
1292  [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR
1293  },
1294  .rcode = RLM_MODULE_NOOP,
1295  .send = send_generic,
1296  .resume = resume_send_generic,
1297  .section_offset = offsetof(process_tacacs_sections_t, acct_success),
1298  },
1299  [ FR_TACACS_CODE_ACCT_ERROR ] = {
1300  .packet_type = {
1301  },
1302  .rcode = RLM_MODULE_NOOP,
1303  .send = send_generic,
1304  .resume = resume_send_generic,
1305  .section_offset = offsetof(process_tacacs_sections_t, acct_error),
1306  },
1307 };
1308 
1309 
1310 static virtual_server_compile_t compile_list[] = {
1311  /**
1312  * Basically, the TACACS+ protocol use same type "authenticate" to handle
1313  * Start and Continue requests. (yep, you're right. it's horrible)
1314  * Therefore, we split the same "auth" type into two different sections just
1315  * to allow the user to have different logic for that.
1316  *
1317  * If you want to cry, just take a look at
1318  *
1319  * https://tools.ietf.org/html/rfc8907 Section 4.
1320  *
1321  * This should be an abject lesson in how NOT to design a
1322  * protocol. Pretty much everything they did was wrong.
1323  */
1324  {
1325  .section = SECTION_NAME("recv", "Authentication-Start"),
1326  .actions = &mod_actions_authenticate,
1327  .offset = PROCESS_CONF_OFFSET(auth_start),
1328  },
1329  {
1330  .section = SECTION_NAME("send", "Authentication-Pass"),
1331  .actions = &mod_actions_postauth,
1332  .offset = PROCESS_CONF_OFFSET(auth_pass),
1333  },
1334  {
1335  .section = SECTION_NAME("send", "Authentication-Fail"),
1336  .actions = &mod_actions_postauth,
1337  .offset = PROCESS_CONF_OFFSET(auth_fail),
1338  },
1339  {
1340  .section = SECTION_NAME("send", "Authentication-GetData"),
1341  .actions = &mod_actions_postauth,
1342  .offset = PROCESS_CONF_OFFSET(auth_getdata),
1343  },
1344  {
1345  .section = SECTION_NAME("send", "Authentication-GetUser"),
1346  .actions = &mod_actions_postauth,
1347  .offset = PROCESS_CONF_OFFSET(auth_getuser),
1348  },
1349  {
1350  .section = SECTION_NAME("send", "Authentication-GetPass"),
1351  .actions = &mod_actions_postauth,
1352  .offset = PROCESS_CONF_OFFSET(auth_getpass),
1353  },
1354  {
1355  .section = SECTION_NAME("send", "Authentication-Restart"),
1356  .actions = &mod_actions_postauth,
1357  .offset = PROCESS_CONF_OFFSET(auth_restart),
1358  },
1359  {
1360  .section = SECTION_NAME("send", "Authentication-Error"),
1361  .actions = &mod_actions_postauth,
1362  .offset = PROCESS_CONF_OFFSET(auth_error),
1363  },
1364  {
1365  .section = SECTION_NAME("recv", "Authentication-Continue"),
1366  .actions = &mod_actions_authenticate,
1367  .offset = PROCESS_CONF_OFFSET(auth_cont),
1368  },
1369  {
1370  .section = SECTION_NAME("recv", "Authentication-Continue-Abort"),
1371  .actions = &mod_actions_authenticate,
1372  .offset = PROCESS_CONF_OFFSET(auth_cont_abort),
1373  },
1374 
1375  {
1376  .section = SECTION_NAME("authenticate", CF_IDENT_ANY),
1377  .actions = &mod_actions_authenticate,
1378  },
1379 
1380  /* authorization */
1381 
1382  {
1383  .section = SECTION_NAME("recv", "Authorization-Request"),
1384  .actions = &mod_actions_authorize,
1385  .offset = PROCESS_CONF_OFFSET(autz_request),
1386  },
1387  {
1388  .section = SECTION_NAME("send", "Authorization-Pass-Add"),
1389  .actions = &mod_actions_postauth,
1390  .offset = PROCESS_CONF_OFFSET(autz_pass_add),
1391  },
1392  {
1393  .section = SECTION_NAME("send", "Authorization-Pass-Replace"),
1394  .actions = &mod_actions_postauth,
1395  .offset = PROCESS_CONF_OFFSET(autz_pass_replace),
1396  },
1397  {
1398  .section = SECTION_NAME("send", "Authorization-Fail"),
1399  .actions = &mod_actions_postauth,
1400  .offset = PROCESS_CONF_OFFSET(autz_fail),
1401  },
1402  {
1403  .section = SECTION_NAME("send", "Authorization-Error"),
1404  .actions = &mod_actions_postauth,
1405  .offset = PROCESS_CONF_OFFSET(autz_error),
1406  },
1407 
1408  /* accounting */
1409 
1410  {
1411  .section = SECTION_NAME("recv", "Accounting-Request"),
1412  .actions = &mod_actions_accounting,
1413  .offset = PROCESS_CONF_OFFSET(acct_request),
1414  },
1415  {
1416  .section = SECTION_NAME("send", "Accounting-Success"),
1417  .actions = &mod_actions_postauth,
1418  .offset = PROCESS_CONF_OFFSET(acct_success),
1419  },
1420  {
1421  .section = SECTION_NAME("send", "Accounting-Error"),
1422  .actions = &mod_actions_postauth,
1423  .offset = PROCESS_CONF_OFFSET(acct_error),
1424  },
1425 
1426  {
1427  .section = SECTION_NAME("accounting", CF_IDENT_ANY),
1428  .actions = &mod_actions_accounting,
1429  },
1430 
1431  {
1432  .section = SECTION_NAME("send", "Do-Not-Respond"),
1433  .actions = &mod_actions_postauth,
1434  .offset = PROCESS_CONF_OFFSET(do_not_respond),
1435  },
1436 
1437  COMPILE_TERMINATOR
1438 };
1439 
1440 
1441 extern fr_process_module_t process_tacacs;
1442 fr_process_module_t process_tacacs = {
1443  .common = {
1444  .magic = MODULE_MAGIC_INIT,
1445  .name = "tacacs",
1446  .config = config,
1447  .inst_size = sizeof(process_tacacs_t),
1448  .bootstrap = mod_bootstrap,
1449  .instantiate = mod_instantiate
1450  },
1451  .process = mod_process,
1452  .compile_list = compile_list,
1453  .dict = &dict_tacacs,
1454 };
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition: action.h:35
buffer
static int const char char buffer[256]
Definition: acutest.h:574
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition: build.h:320
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition: cf_parse.h:627
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition: cf_parse.h:487
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:268
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition: cf_parse.h:310
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition: cf_parse.h:399
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition: cf_parse.h:564
cf_section
A section grouping multiple CONF_PAIR.
Definition: cf_priv.h:101
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition: cf_util.c:1028
cf_section_name2
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition: cf_util.c:1185
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition: cf_util.c:684
cf_parent
#define cf_parent(_cf)
Definition: cf_util.h:101
cf_filename
#define cf_filename(_cf)
Definition: cf_util.h:107
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition: cf_util.h:78
fr_dict_enum_autoload_t::out
fr_value_box_t const ** out
Enumeration value.
Definition: dict.h:256
fr_dict_enum_by_value
fr_dict_enum_value_t * fr_dict_enum_by_value(fr_dict_attr_t const *da, fr_value_box_t const *value)
Lookup the structure representing an enum value in a fr_dict_attr_t.
Definition: dict_util.c:3349
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition: dict.h:267
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition: dict.h:280
fr_dict_enum_value_t::value
fr_value_box_t const * value
Enum value (what name maps to).
Definition: dict.h:230
fr_dict_enum_value_t::name
char const * name
Enum name.
Definition: dict.h:227
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition: dict.h:266
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition: dict.h:279
fr_dict_enum_autoload_t
Specifies a value which must be present for the module to function.
Definition: dict.h:255
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition: dict.h:226
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition: dl_module.h:63
if
if(rcode > 0)
Definition: fd_read.h:9
fr_hash
uint32_t fr_hash(void const *data, size_t size)
Definition: hash.c:812
fr_hash_string
uint32_t fr_hash_string(char const *p)
Definition: hash.c:865
attr_packet_type
fr_dict_attr_t const * attr_packet_type
Definition: base.c:91
dict_freeradius
fr_dict_t const * dict_freeradius
Definition: base.c:77
attr_user_name
fr_dict_attr_t const * attr_user_name
Definition: base.c:102
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition: log.h:443
RWDEBUG
#define RWDEBUG(fmt,...)
Definition: log.h:361
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition: log.h:430
talloc_free
talloc_free(reap)
fr_debug_lvl
int fr_debug_lvl
Definition: log.c:43
L_DBG_LVL_2
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition: log.h:71
main_config
main_config_t const * main_config
Main server configuration.
Definition: main_config.c:69
main_config_s::spawn_workers
bool spawn_workers
Should the server spawn threads.
Definition: main_config.h:58
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition: merged_model.c:83
FR_TYPE_UINT8
@ FR_TYPE_UINT8
8 Bit unsigned integer.
Definition: merged_model.c:97
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition: merged_model.c:99
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition: merged_model.c:84
uint32_t
unsigned int uint32_t
Definition: merged_model.c:33
uint8_t
unsigned char uint8_t
Definition: merged_model.c:30
UINT8_MAX
#define UINT8_MAX
Definition: merged_model.c:32
fr_dict_attr_t
Definition: merged_model.c:133
fr_dict_t
Definition: merged_model.c:198
fr_value_box_t
Definition: merged_model.c:136
request_t
Definition: merged_model.c:210
mod_actions_authenticate
unlang_mod_actions_t const mod_actions_authenticate
Definition: mod_action.c:29
mod_actions_accounting
unlang_mod_actions_t const mod_actions_accounting
Definition: mod_action.c:74
mod_actions_authorize
unlang_mod_actions_t const mod_actions_authorize
Definition: mod_action.c:44
mod_actions_postauth
unlang_mod_actions_t const mod_actions_postauth
Definition: mod_action.c:88
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition: module_ctx.h:42
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition: module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition: module_ctx.h:41
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition: module_ctx.h:50
fr_nbo_from_uint32
static void fr_nbo_from_uint32(uint8_t out[static sizeof(uint32_t)], uint32_t num)
Write out an unsigned 32bit integer in wire format (big endian)
Definition: nbo.h:61
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition: pair.c:693
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition: pair.c:283
fr_pair_list_copy
int fr_pair_list_copy(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from)
Duplicate a list of pairs.
Definition: pair.c:2319
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition: pair.c:2981
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition: pair.c:1345
fr_pair_list_init
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition: pair.c:46
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition: pair.c:770
RESUME
RESUME(check_yiaddr)
Definition: base.c:133
RECV
RECV(for_any_server)
Validate a solicit/rebind/confirm message.
Definition: base.c:401
process_tacacs
fr_process_module_t process_tacacs
Definition: base.c:1442
attr_tacacs_authentication_flags
static fr_dict_attr_t const * attr_tacacs_authentication_flags
Definition: base.c:57
process_tacacs_sections_t::autz_pass_add
CONF_SECTION * autz_pass_add
Definition: base.c:148
process_tacacs_session_t::list
fr_pair_list_t list
copied from the request
Definition: base.c:188
attr_user_password
static fr_dict_attr_t const * attr_user_password
Definition: base.c:77
compile_list
static virtual_server_compile_t compile_list[]
Definition: base.c:1310
attr_module_failure_message
static fr_dict_attr_t const * attr_module_failure_message
Definition: base.c:50
mod_process
static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition: base.c:1027
enum_tacacs_auth_type_ascii
static fr_value_box_t const * enum_tacacs_auth_type_ascii
Definition: base.c:120
process_tacacs_sections_t::auth_pass
CONF_SECTION * auth_pass
Definition: base.c:136
process_tacacs_sections_t::auth_start
CONF_SECTION * auth_start
Definition: base.c:135
process_tacacs_sections_t::acct_success
CONF_SECTION * acct_success
Definition: base.c:154
attr_stripped_user_name
static fr_dict_attr_t const * attr_stripped_user_name
Definition: base.c:52
process_tacacs_sections_t::auth_error
CONF_SECTION * auth_error
Definition: base.c:142
process_tacacs_sections_t::acct_request
CONF_SECTION * acct_request
Definition: base.c:153
process_tacacs_sections_t::auth_cont_abort
CONF_SECTION * auth_cont_abort
Definition: base.c:145
process_tacacs_dict_attr
fr_dict_attr_autoload_t process_tacacs_dict_attr[]
Definition: base.c:81
attr_tacacs_user_message
static fr_dict_attr_t const * attr_tacacs_user_message
Definition: base.c:74
process_tacacs_t::server_cs
CONF_SECTION * server_cs
Our virtual server.
Definition: base.c:174
attr_chap_password
static fr_dict_attr_t const * attr_chap_password
Definition: base.c:78
session_config
static const conf_parser_t session_config[]
Definition: base.c:199
process_tacacs_sections_t::auth_cont
CONF_SECTION * auth_cont
Definition: base.c:144
acct_status_to_packet_code
static const uint32_t acct_status_to_packet_code[UINT8_MAX+1]
Definition: base.c:892
process_tacacs_sections_t::auth_restart
CONF_SECTION * auth_restart
Definition: base.c:141
authen_status_to_packet_code
static const uint32_t authen_status_to_packet_code[UINT8_MAX+1]
Definition: base.c:366
process_tacacs_t::sections
process_tacacs_sections_t sections
Pointers to various config sections we need to execute.
Definition: base.c:178
reply_code
static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da, uint32_t const status2code[static UINT8_MAX+1], fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
Try and determine what the response packet type should be.
Definition: base.c:284
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition: base.c:40
mod_bootstrap
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Definition: base.c:1071
process_tacacs_auth_t::session_timeout
fr_time_delta_t session_timeout
Maximum time between the last response and next request.
Definition: base.c:161
process_tacacs_session_t::rounds
uint32_t rounds
how many rounds were taken
Definition: base.c:185
attr_auth_type
static fr_dict_attr_t const * attr_auth_type
Definition: base.c:49
process_tacacs_dict_enum
fr_dict_enum_autoload_t process_tacacs_dict_enum[]
Definition: base.c:123
COPY_MISSING
#define COPY_MISSING(_attr)
attr_tacacs_session_id
static fr_dict_attr_t const * attr_tacacs_session_id
Definition: base.c:71
attr_tacacs_server_message
static fr_dict_attr_t const * attr_tacacs_server_message
Definition: base.c:70
process_tacacs_sections_t::autz_error
CONF_SECTION * autz_error
Definition: base.c:151
process_tacacs_sections_t::do_not_respond
CONF_SECTION * do_not_respond
Definition: base.c:157
enum_auth_type_reject
static fr_value_box_t const * enum_auth_type_reject
Definition: base.c:118
auth_config
static const conf_parser_t auth_config[]
Definition: base.c:208
author_status_to_packet_code
static const uint32_t author_status_to_packet_code[UINT8_MAX+1]
Definition: base.c:847
process_state
static fr_process_state_t const process_state[]
Definition: base.c:1085
enum_auth_flags_noecho
static fr_value_box_t const * enum_auth_flags_noecho
Definition: base.c:119
process_tacacs_auth_t::state_server_id
uint8_t state_server_id
Sets a specific byte in the state to allow the authenticating server to be identified in packet captu...
Definition: base.c:166
process_tacacs_sections_t::autz_pass_replace
CONF_SECTION * autz_pass_replace
Definition: base.c:149
process_tacacs_session_t::reply
uint32_t reply
for multiround state machine
Definition: base.c:186
EXTRACT
#define EXTRACT(_attr)
enum_auth_type_accept
static fr_value_box_t const * enum_auth_type_accept
Definition: base.c:117
process_tacacs_sections_t::auth_getuser
CONF_SECTION * auth_getuser
Definition: base.c:139
attr_tacacs_privilege_level
static fr_dict_attr_t const * attr_tacacs_privilege_level
Definition: base.c:68
process_tacacs_sections_t::auth_getdata
CONF_SECTION * auth_getdata
Definition: base.c:138
attr_tacacs_authentication_type
static fr_dict_attr_t const * attr_tacacs_authentication_type
Definition: base.c:58
process_tacacs_sections_t::acct_error
CONF_SECTION * acct_error
Definition: base.c:155
attr_tacacs_accounting_status
static fr_dict_attr_t const * attr_tacacs_accounting_status
Definition: base.c:63
process_tacacs_sections_t::autz_request
CONF_SECTION * autz_request
Definition: base.c:147
process_tacacs_auth_t::max_session
uint32_t max_session
Maximum ongoing session allowed.
Definition: base.c:162
acct_flag_valid
static const bool acct_flag_valid[8]
Definition: base.c:932
attr_tacacs_authentication_service
static fr_dict_attr_t const * attr_tacacs_authentication_service
Definition: base.c:59
attr_tacacs_authentication_status
static fr_dict_attr_t const * attr_tacacs_authentication_status
Definition: base.c:60
process_tacacs_sections_t::auth_fail
CONF_SECTION * auth_fail
Definition: base.c:137
attr_tacacs_authentication_action
static fr_dict_attr_t const * attr_tacacs_authentication_action
Definition: base.c:56
attr_tacacs_client_port
static fr_dict_attr_t const * attr_tacacs_client_port
Definition: base.c:66
process_tacacs_t::auth
process_tacacs_auth_t auth
Authentication configuration.
Definition: base.c:181
attr_tacacs_remote_address
static fr_dict_attr_t const * attr_tacacs_remote_address
Definition: base.c:69
process_tacacs_session_t::seq_no
uint8_t seq_no
sequence number of last request.
Definition: base.c:187
process_tacacs_auth_t::state_tree
fr_state_tree_t * state_tree
State tree to link multiple requests/responses.
Definition: base.c:170
COPY
#define COPY(_attr)
attr_tacacs_action
static fr_dict_attr_t const * attr_tacacs_action
Definition: base.c:55
config
static const conf_parser_t config[]
Definition: base.c:214
attr_tacacs_sequence_number
static fr_dict_attr_t const * attr_tacacs_sequence_number
Definition: base.c:72
attr_tacacs_authorization_status
static fr_dict_attr_t const * attr_tacacs_authorization_status
Definition: base.c:62
process_tacacs_sections_t::autz_fail
CONF_SECTION * autz_fail
Definition: base.c:150
attr_tacacs_accounting_flags
static fr_dict_attr_t const * attr_tacacs_accounting_flags
Definition: base.c:64
attr_tacacs_data
static fr_dict_attr_t const * attr_tacacs_data
Definition: base.c:67
attr_tacacs_state
static fr_dict_attr_t const * attr_tacacs_state
Definition: base.c:73
process_tacacs_auth_t::max_rounds
uint32_t max_rounds
maximum number of authentication rounds allowed
Definition: base.c:164
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition: base.c:1053
attr_module_success_message
static fr_dict_attr_t const * attr_module_success_message
Definition: base.c:51
process_tacacs_t::session_id
uint32_t session_id
current session ID
Definition: base.c:176
process_tacacs_sections_t::auth_getpass
CONF_SECTION * auth_getpass
Definition: base.c:140
process_tacacs_dict
fr_dict_autoload_t process_tacacs_dict[]
Definition: base.c:43
state_create
static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
Definition: base.c:225
process_tacacs_auth_t
Definition: base.c:160
process_tacacs_sections_t
Definition: base.c:132
process_tacacs_session_t
Definition: base.c:184
process_tacacs_t
Definition: base.c:173
PROCESS_TRACE
#define PROCESS_TRACE
Trace each state function as it's entered.
Definition: process.h:65
fr_process_module_s::common
module_t common
Common fields for all loadable modules.
Definition: process.h:55
fr_process_module_s
Common public symbol definition for all process modules.
Definition: process.h:54
fr_tacacs_packet_names
char const * fr_tacacs_packet_names[FR_TACACS_CODE_MAX]
Definition: base.c:119
REDEBUG
#define REDEBUG(fmt,...)
Definition: radclient.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition: radclient.h:54
RDEBUG
#define RDEBUG(fmt,...)
Definition: radclient.h:53
send_reply
static void send_reply(int sockfd, fr_channel_data_t *reply)
Definition: radius1_test.c:190
rcode_table
fr_table_num_sorted_t const rcode_table[]
Definition: rcode.c:35
RETURN_MODULE_OK
#define RETURN_MODULE_OK
Definition: rcode.h:57
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition: rcode.h:40
RLM_MODULE_INVALID
@ RLM_MODULE_INVALID
The module considers the request invalid.
Definition: rcode.h:45
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition: rcode.h:43
RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition: rcode.h:42
RLM_MODULE_DISALLOW
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition: rcode.h:46
RLM_MODULE_REJECT
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition: rcode.h:41
RLM_MODULE_NOTFOUND
@ RLM_MODULE_NOTFOUND
User not found.
Definition: rcode.h:47
RLM_MODULE_UPDATED
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition: rcode.h:49
RLM_MODULE_NOOP
@ RLM_MODULE_NOOP
Module succeeded without doing anything.
Definition: rcode.h:48
RLM_MODULE_NUMCODES
@ RLM_MODULE_NUMCODES
How many valid return codes there are.
Definition: rcode.h:50
RLM_MODULE_HANDLED
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition: rcode.h:44
request_data_reference
void * request_data_reference(request_t *request, void const *unique_ptr, int unique_int)
Get opaque data from a request without removing it.
Definition: request_data.c:339
request_data_talloc_add
#define request_data_talloc_add(_request, _unique_ptr, _unique_int, _type, _opaque, _free_on_replace, _free_on_parent, _persist)
Add opaque data to a request_t.
Definition: request_data.h:86
process_rcode
static unlang_action_t process_rcode(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition: rlm_eap_peap.c:107
hash
static unsigned int hash(char const *username, unsigned int tablesize)
Definition: rlm_passwd.c:132
instantiate
static int instantiate(module_inst_ctx_t const *mctx)
Definition: rlm_rest.c:1302
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition: section.h:40
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition: module.h:329
module_instance_s::data
void * data
Module's instance data.
Definition: module.h:271
pair_append_reply
#define pair_append_reply(_attr, _da)
Allocate and append a fr_pair_t to reply list.
Definition: pair.h:47
fr_state_tree_init
fr_state_tree_t * fr_state_tree_init(TALLOC_CTX *ctx, fr_dict_attr_t const *da, bool thread_safe, uint32_t max_sessions, fr_time_delta_t timeout, uint8_t server_id, uint32_t context_id)
Initialise a new state tree.
Definition: state.c:222
fr_state_discard
void fr_state_discard(fr_state_tree_t *state, request_t *request)
Called when sending an Access-Accept/Access-Reject to discard state information.
Definition: state.c:606
fr_request_to_state
int fr_request_to_state(fr_state_tree_t *state, request_t *request)
Transfer ownership of the state fr_pair_ts and ctx, back to a state entry.
Definition: state.c:737
fr_state_to_request
int fr_state_to_request(fr_state_tree_t *state, request_t *request)
Copy a pointer to the head of the list of state fr_pair_ts (and their ctx) into the request.
Definition: state.c:660
fr_state_tree_s
Definition: state.c:145
unlang_module_yield_to_section
unlang_action_t unlang_module_yield_to_section(rlm_rcode_t *p_result, request_t *request, CONF_SECTION *subcs, rlm_rcode_t default_rcode, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Definition: module.c:248
RETURN_MODULE_FAIL
RETURN_MODULE_FAIL
Definition: state_machine.c:1215
fr_assert
fr_assert(0)
MEM
MEM(pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)
inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3620
vp
fr_pair_t * vp
Definition: state_machine.c:2262
pair_list_s
Definition: pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition: pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition: pair.h:69
fr_table_str_by_value
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition: table.h:772
FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
Definition: tacacs.h:211
FR_TAC_PLUS_AUTHOR_STATUS_ERROR
@ FR_TAC_PLUS_AUTHOR_STATUS_ERROR
Definition: tacacs.h:214
FR_TAC_PLUS_AUTHOR_STATUS_FAIL
@ FR_TAC_PLUS_AUTHOR_STATUS_FAIL
Definition: tacacs.h:213
FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
Definition: tacacs.h:212
FR_TACACS_PACKET_CODE_VALID
#define FR_TACACS_PACKET_CODE_VALID(_code)
Definition: tacacs.h:321
packet_is_authen_start_request
#define packet_is_authen_start_request(p)
3.4.
Definition: tacacs.h:49
FR_TACACS_CODE_ACCT_ERROR
@ FR_TACACS_CODE_ACCT_ERROR
Definition: tacacs.h:315
FR_TACACS_CODE_ACCT_REQUEST
@ FR_TACACS_CODE_ACCT_REQUEST
Definition: tacacs.h:313
FR_TACACS_CODE_AUTZ_REQUEST
@ FR_TACACS_CODE_AUTZ_REQUEST
Definition: tacacs.h:307
FR_TACACS_CODE_AUTH_GETDATA
@ FR_TACACS_CODE_AUTH_GETDATA
Definition: tacacs.h:298
FR_TACACS_CODE_AUTH_RESTART
@ FR_TACACS_CODE_AUTH_RESTART
Definition: tacacs.h:301
FR_TACACS_CODE_AUTZ_PASS_REPLACE
@ FR_TACACS_CODE_AUTZ_PASS_REPLACE
Definition: tacacs.h:309
FR_TACACS_CODE_AUTH_GETUSER
@ FR_TACACS_CODE_AUTH_GETUSER
Definition: tacacs.h:299
FR_TACACS_CODE_AUTH_GETPASS
@ FR_TACACS_CODE_AUTH_GETPASS
Definition: tacacs.h:300
FR_TACACS_CODE_AUTZ_FAIL
@ FR_TACACS_CODE_AUTZ_FAIL
Definition: tacacs.h:310
FR_TACACS_CODE_AUTH_CONT_ABORT
@ FR_TACACS_CODE_AUTH_CONT_ABORT
Definition: tacacs.h:305
FR_TACACS_CODE_AUTH_PASS
@ FR_TACACS_CODE_AUTH_PASS
Definition: tacacs.h:296
FR_TACACS_CODE_AUTH_CONT
@ FR_TACACS_CODE_AUTH_CONT
Definition: tacacs.h:304
FR_TACACS_CODE_AUTZ_PASS_ADD
@ FR_TACACS_CODE_AUTZ_PASS_ADD
Definition: tacacs.h:308
FR_TACACS_CODE_AUTH_START
@ FR_TACACS_CODE_AUTH_START
Definition: tacacs.h:295
FR_TACACS_CODE_AUTH_FAIL
@ FR_TACACS_CODE_AUTH_FAIL
Definition: tacacs.h:297
FR_TACACS_CODE_AUTH_ERROR
@ FR_TACACS_CODE_AUTH_ERROR
Definition: tacacs.h:302
FR_TACACS_CODE_AUTZ_ERROR
@ FR_TACACS_CODE_AUTZ_ERROR
Definition: tacacs.h:311
FR_TACACS_CODE_ACCT_SUCCESS
@ FR_TACACS_CODE_ACCT_SUCCESS
Definition: tacacs.h:314
FR_TAC_PLUS_ACCT_STATUS_SUCCESS
@ FR_TAC_PLUS_ACCT_STATUS_SUCCESS
Definition: tacacs.h:255
FR_TAC_PLUS_ACCT_STATUS_ERROR
@ FR_TAC_PLUS_ACCT_STATUS_ERROR
Definition: tacacs.h:256
FR_TAC_PLUS_AUTHEN_STATUS_PASS
@ FR_TAC_PLUS_AUTHEN_STATUS_PASS
Definition: tacacs.h:151
FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
@ FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
Definition: tacacs.h:153
FR_TAC_PLUS_AUTHEN_STATUS_ERROR
@ FR_TAC_PLUS_AUTHEN_STATUS_ERROR
Definition: tacacs.h:157
FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
@ FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
Definition: tacacs.h:154
FR_TAC_PLUS_AUTHEN_STATUS_FAIL
@ FR_TAC_PLUS_AUTHEN_STATUS_FAIL
Definition: tacacs.h:152
FR_TAC_PLUS_AUTHEN_STATUS_RESTART
@ FR_TAC_PLUS_AUTHEN_STATUS_RESTART
Definition: tacacs.h:156
FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
@ FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
Definition: tacacs.h:155
fr_tacacs_packet_t
Definition: tacacs.h:276
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition: talloc.h:282
fr_time_delta_s
A time delta, a difference in time measured in nanoseconds.
Definition: time.h:80
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition: pair_inline.c:70
fr_value_box_cmp
int8_t fr_value_box_cmp(fr_value_box_t const *a, fr_value_box_t const *b)
Compare two values.
Definition: value.c:676
fr_value_box_copy
int fr_value_box_copy(TALLOC_CTX *ctx, fr_value_box_t *dst, const fr_value_box_t *src)
Copy value data verbatim duplicating any buffers.
Definition: value.c:3740
out
static size_t char ** out
Definition: value.h:997
virtual_server_section_attribute_define
int virtual_server_section_attribute_define(CONF_SECTION *server_cs, char const *subcs_name, fr_dict_attr_t const *da)
Define a values for Auth-Type attributes by the sections present in a virtual-server.
Definition: virtual_servers.c:1176
COMPILE_TERMINATOR
#define COMPILE_TERMINATOR
Definition: virtual_servers.h:111
virtual_server_compile_t::section
section_name_t const * section
Identifier for the section.
Definition: virtual_servers.h:101
virtual_server_compile_t
Processing sections which are allowed in this virtual server.
Definition: virtual_servers.h:100
Generated by   doxygen 1.9.1