The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: b7c4f255767bdd35547c10e7cd73010c9f5a48cc $
19 * @file src/process/tacacs/base.c
20 * @brief TACACS+ handler.
21 * @author Jorge Pereira <jpereira@freeradius.org>
22 *
23 * @copyright 2020 The FreeRADIUS server project.
24 * @copyright 2020 Network RADIUS SAS (legal@networkradius.com)
25 */
26#include <freeradius-devel/io/listen.h>
27#include <freeradius-devel/io/master.h>
28#include <freeradius-devel/server/main_config.h>
29#include <freeradius-devel/server/protocol.h>
30#include <freeradius-devel/server/state.h>
31#include <freeradius-devel/server/rcode.h>
32#include <freeradius-devel/tacacs/tacacs.h>
33#include <freeradius-devel/unlang/call.h>
34#include <freeradius-devel/util/debug.h>
35
36#include <freeradius-devel/protocol/tacacs/tacacs.h>
37
39static fr_dict_t const *dict_tacacs;
40
43 { .out = &dict_freeradius, .proto = "freeradius" },
44 { .out = &dict_tacacs, .proto = "tacacs" },
45 { NULL }
46};
47
53
60
64
74
78
81 { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
82 { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
83 { .out = &attr_module_success_message, .name = "Module-Success-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
84 { .out = &attr_stripped_user_name, .name = "Stripped-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
85 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
86
87 { .out = &attr_tacacs_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
88 { .out = &attr_tacacs_authentication_flags, .name = "Authentication-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
89 { .out = &attr_tacacs_authentication_type, .name = "Authentication-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
90 { .out = &attr_tacacs_authentication_service, .name = "Authentication-Service", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
91
92 { .out = &attr_tacacs_authentication_status, .name = "Authentication-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
93 { .out = &attr_tacacs_authorization_status, .name = "Authorization-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
94
95 { .out = &attr_tacacs_accounting_status, .name = "Accounting-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
96 { .out = &attr_tacacs_accounting_flags, .name = "Accounting-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
97
98 { .out = &attr_tacacs_client_port, .name = "Client-Port", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
99 { .out = &attr_tacacs_data, .name = "Data", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
100 { .out = &attr_tacacs_privilege_level, .name = "Privilege-Level", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
101 { .out = &attr_tacacs_remote_address, .name = "Remote-Address", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
102 { .out = &attr_tacacs_authentication_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
103 { .out = &attr_tacacs_session_id, .name = "Packet.Session-Id", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
104 { .out = &attr_tacacs_sequence_number, .name = "Packet.Sequence-Number", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
105 { .out = &attr_tacacs_server_message, .name = "Server-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
106 { .out = &attr_tacacs_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
107 { .out = &attr_tacacs_user_message, .name = "User-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
108
109 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
110 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
111 { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
112
113 { NULL }
114};
115
120
123 { .out = &enum_auth_type_accept, .name = "Accept", .attr = &attr_auth_type },
124 { .out = &enum_auth_type_reject, .name = "Reject", .attr = &attr_auth_type },
125 { .out = &enum_auth_flags_noecho, .name = "No-Echo", .attr = &attr_tacacs_authentication_flags },
126 { .out = &enum_tacacs_auth_type_ascii, .name = "ASCII", .attr = &attr_tacacs_authentication_type },
127 { NULL }
128};
129
130
162
163typedef struct {
164 fr_time_delta_t session_timeout; //!< Maximum time between the last response and next request.
165 uint32_t max_session; //!< Maximum ongoing session allowed.
166
167 uint32_t max_rounds; //!< maximum number of authentication rounds allowed
168
169 uint8_t state_server_id; //!< Sets a specific byte in the state to allow the
170 //!< authenticating server to be identified in packet
171 //!<captures.
172
173 fr_state_tree_t *state_tree; //!< State tree to link multiple requests/responses.
175
176typedef struct {
177 CONF_SECTION *server_cs; //!< Our virtual server.
178
179 uint32_t session_id; //!< current session ID
180
181 process_tacacs_sections_t sections; //!< Pointers to various config sections
182 ///< we need to execute
183
184 process_tacacs_auth_t auth; //!< Authentication configuration.
185
186
188
189typedef struct {
190 uint32_t rounds; //!< how many rounds were taken
191 uint32_t reply; //!< for multiround state machine
192 uint8_t seq_no; //!< sequence number of last request.
193 fr_pair_list_t list; //!< copied from the request
195
196
197#define PROCESS_PACKET_TYPE fr_tacacs_packet_code_t
198#define PROCESS_CODE_MAX FR_TACACS_CODE_MAX
199#define PROCESS_CODE_DO_NOT_RESPOND FR_TACACS_CODE_DO_NOT_RESPOND
200#define PROCESS_PACKET_CODE_VALID FR_TACACS_PACKET_CODE_VALID
201#define PROCESS_INST process_tacacs_t
202#define PROCESS_CODE_DYNAMIC_CLIENT FR_TACACS_CODE_AUTH_PASS
203
204#include <freeradius-devel/server/process.h>
205
207 { FR_CONF_OFFSET("timeout", process_tacacs_auth_t, session_timeout), .dflt = "15" },
208 { FR_CONF_OFFSET("max", process_tacacs_auth_t, max_session), .dflt = "4096" },
209 { FR_CONF_OFFSET("max_rounds", process_tacacs_auth_t, max_rounds), .dflt = "4" },
210 { FR_CONF_OFFSET("state_server_id", process_tacacs_auth_t, state_server_id) },
211
213};
214
215static const conf_parser_t auth_config[] = {
216 { FR_CONF_POINTER("session", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) session_config },
217
219};
220
221static const conf_parser_t config[] = {
222 { FR_CONF_POINTER("Authentication", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) auth_config,
223 .offset = offsetof(process_tacacs_t, auth), },
224
226};
227
228
229/*
230 * Synthesize a State attribute from connection && session information.
231 */
232static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
233{
234 uint8_t buffer[12];
236 fr_pair_t *vp;
237
238 vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_session_id);
239 if (!vp) return -1;
240
241 fr_nbo_from_uint32(buffer, vp->vp_uint32);
242
243 vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_sequence_number);
244 if (!vp) return -1;
245
246 /*
247 * Requests have odd sequence numbers, and replies have even sequence numbers.
248 * So if we want to synthesize a state in a reply which gets matched with the next
249 * request, we have to add 2 to it.
250 */
251 hash = vp->vp_uint8 + ((int) reply << 1);
252
254
255 /*
256 * Hash in the listener. For now, we don't allow internally proxied requests.
257 */
258 fr_assert(request->async != NULL);
259 fr_assert(request->async->listen != NULL);
260 hash = fr_hash(&request->async->listen, sizeof(request->async->listen));
261
263
265 if (!vp) return -1;
266
267 (void) fr_pair_value_memdup(vp, buffer, 12, false);
268
270
271 return 0;
272}
273
274/** Try and determine what the response packet type should be
275 *
276 * We check three sources:
277 * - reply.``<status_attr>``
278 * - reply.Packet-Type
279 * - State machine packet type assignments for the section rcode
280 *
281 * @param[in] request The current request.
282 * @param[in] status_da Specialised status attribute.
283 * @param[in] status2code Mapping table of *packet* status types to rcodes.
284 * @param[in] state Mappings for process state machine
285 * @param[in] process_rcode Mappings for Auth-Type / Acct-Type, which don't use the process state machine
286 * @param[in] rcode The last section rcode.
287 * @return
288 * - >0 if we determined a reply code.
289 * - 0 if we couldn't - Usually indicates additional sections should be run.
290 */
291static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da,
292 uint32_t const status2code[static UINT8_MAX + 1],
293 fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
294{
295 fr_pair_t *vp;
296 uint32_t code;
297
298 /*
299 * First check the protocol attribute for this packet type.
300 *
301 * Should be one of:
302 * - Authentication-Status
303 * - Authorization-Status
304 * - Accounting-Status
305 */
306 fr_assert(status_da->type == FR_TYPE_UINT8);
307
308 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, status_da);
309 if (vp) {
310 code = status2code[vp->vp_uint8];
311 if (FR_TACACS_PACKET_CODE_VALID(code)) {
312 RDEBUG("Setting reply Packet-Type from %pP", vp);
313 return code;
314 }
315 REDEBUG("Ignoring invalid status %pP", vp);
316 }
317
318 if (state) {
319 code = state->packet_type[rcode];
320 if (FR_TACACS_PACKET_CODE_VALID(code)) return code;
321 }
322
323 if (process_rcode) {
324 code = process_rcode[rcode];
325 if (FR_TACACS_PACKET_CODE_VALID(code)) return code;
326 }
327
328 /*
329 * Otherwise use Packet-Type (if set)
330 */
331 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_packet_type);
332 if (vp && FR_TACACS_PACKET_CODE_VALID(vp->vp_uint32)) {
333 RDEBUG("Setting reply Packet-Type from %pV", &vp->data);
334 return vp->vp_uint32;
335 }
336
337 return 0;
338}
339
340RECV(auth_start)
341{
342 fr_process_state_t const *state;
343 fr_pair_t *vp;
344
345 /*
346 * Only "Login" is supported. The others are "change password" and "sendauth", which aren't
347 * used.
348 */
349 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_action);
350 if (!vp) {
351 fail:
352 request->reply->code = FR_TACACS_CODE_AUTH_ERROR;
353 UPDATE_STATE(reply);
354
355 fr_assert(state->send != NULL);
356 return CALL_SEND_STATE(state);
357 }
358
359 if (vp->vp_uint8 != FR_ACTION_VALUE_LOGIN) {
360 RDEBUG("Invalid authentication action %u", vp->vp_uint8);
361 goto fail;
362 }
363
364 /*
365 * There is no state to restore, so we just run the section as normal.
366 */
367
368 return CALL_RECV(generic);
369}
370
371RESUME(auth_type);
372
382
383RESUME(auth_start)
384{
385 rlm_rcode_t rcode = RESULT_RCODE;
386 fr_pair_t *vp;
387 CONF_SECTION *cs;
388 fr_dict_enum_value_t const *dv;
389 fr_process_state_t const *state;
391
393
395
396 /*
397 * See if the return code from "recv" which says we reject, or continue.
398 */
399 UPDATE_STATE(packet);
400
401 /*
402 * Nothing set the reply, so let's see if we need to do so.
403 *
404 * If the admin didn't set authentication-status, just
405 * use the defaults from the state machine.
406 */
407 if (!request->reply->code) {
408 request->reply->code = reply_code(request,
410 authen_status_to_packet_code, state, NULL, rcode);
411 } else {
412 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
413 }
414
415 /*
416 * Check for multi-round authentication.
417 *
418 * We only run the automatic state machine (start -> getuser -> getpass -> pass/fail)
419 * when the admin does NOT set any reply type, or any reply authentication status.
420 *
421 * However, do DO always save and restore the attributes from the start packet, so that they are
422 * visible in a later packet.
423 */
424 if (!request->reply->code) {
426 fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
427
428 session = request_data_reference(request, inst, 0);
429 if (!session) {
430 /*
431 * This function is called for resuming both "start" and "continue" packets, so
432 * we have to check for "start" here.
433 *
434 * We only do multi-round authentication for the ASCII authentication type.
435 * Other authentication types are defined to be one request/reply only.
436 */
437 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
438 if (!packet_is_authen_start_request(packet) ||
439 (vp && (fr_value_box_cmp(&vp->data, enum_tacacs_auth_type_ascii) != 0))) {
440 goto auth_type;
441 }
442
443 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name);
444 if (!vp) {
445 RDEBUG("No User-Name, replying with Authentication-GetUser");
446 request->reply->code = FR_TACACS_CODE_AUTH_GETUSER;
447 } else {
448 RDEBUG("User-Name = %pV, replying with Authentication-GetPass", &vp->data);
449 request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
450 goto add_auth_flags;
451 }
452
453 goto send_reply;
454 }
455
456 /*
457 * Last reply was "get username", we now get the password.
458 */
459 if (session->reply == FR_TACACS_CODE_AUTH_GETUSER) {
460 RDEBUG("No User-Password, replying with Authentication-GetPass");
461 request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
462
463 /*
464 * Pre-set the authentication flags reply to No-Echo
465 * RFC 8907 says this should be set when the data being
466 * requested is sensitive and should not be echoed to the
467 * user as it is being entered.
468 */
469 add_auth_flags:
473 goto send_reply;
474 }
475
476 /*
477 * We either have a password, or the admin screwed up the configuration somehow. Just go
478 * run "Auth-Type foo".
479 */
480 goto auth_type;
481 }
482
483 /*
484 * Something set the reply code, skip
485 * the normal auth flow and respond immediately.
486 */
487 if (request->reply->code) {
488 switch (request->reply->code) {
490 RDEBUG("The 'recv Authentication-Start' section returned %s - rejecting the request",
491 fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
492 break;
493
494 default:
495 RDEBUG("Reply packet type was set to %s", fr_tacacs_packet_names[request->reply->code]);
496 break;
497 }
498
500 UPDATE_STATE(reply);
501
502 fr_assert(state->send != NULL);
503 return CALL_SEND_STATE(state);
504 }
505
506 /*
507 * Run authenticate foo { ... }
508 *
509 * If we can't find Auth-Type, OR if we can't find Auth-Type = foo, then it's a reject.
510 *
511 * We prefer the local Auth-Type to the Authentication-Type in the packet. But if there's no
512 * Auth-Type set by the admin, then we use what's in the packet.
513 */
514 auth_type:
515 vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_auth_type);
516 if (!vp) vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
517 if (!vp) {
518 RDEBUG("No 'Auth-Type' or 'Authentication-Type' attribute found, "
519 "cannot authenticate the user - rejecting the request");
520
521 reject:
522 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
523 goto send_reply;
524 }
525
526 dv = fr_dict_enum_by_value(vp->da, &vp->data);
527 if (!dv) {
528 RDEBUG("Invalid value for '%s' attribute, cannot authenticate the user - rejecting the request",
529 vp->da->name);
530
531 goto reject;
532 }
533
534 /*
535 * The magic Auth-Type Accept value which means skip the authenticate section.
536 *
537 * And Reject means always reject. Tho the admin should just return "reject" from the section.
538 */
539 if (vp->da == attr_auth_type) {
541 request->reply->code = FR_TACACS_CODE_AUTH_PASS;
542 goto send_reply;
543
544 } else if (fr_value_box_cmp(enum_auth_type_reject, dv->value) == 0) {
545 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
546 goto send_reply;
547 }
548 }
549
550 cs = cf_section_find(inst->server_cs, "authenticate", dv->name);
551 if (!cs) {
552 RDEBUG2("No 'authenticate %s { ... }' section found - rejecting the request", dv->name);
553 goto reject;
554 }
555
556 /*
557 * Run the "authenticate foo { ... }" section.
558 *
559 * And continue with sending the generic reply.
560 */
561 RDEBUG("Running 'authenticate %s' from file %s", cf_section_name2(cs), cf_filename(cs));
562 return unlang_module_yield_to_section(RESULT_P, request,
563 cs, RLM_MODULE_NOOP, resume_auth_type,
564 NULL, 0, mctx->rctx);
565}
566
567RESUME(auth_type)
568{
569 static const fr_process_rcode_t auth_type_rcode = {
578 };
579
580 rlm_rcode_t rcode = RESULT_RCODE;
581 fr_process_state_t const *state;
582 fr_pair_t *vp;
583
585
587
588 /*
589 * If nothing set the reply code, then try to set it from various other things.
590 *
591 * The user could have set Authentication-Status
592 * or Packet-Type to something other than
593 * pass...
594 */
595 if (!request->reply->code) {
596 request->reply->code = reply_code(request,
598 authen_status_to_packet_code, NULL, auth_type_rcode, rcode);
599 } else {
600 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
601 }
602
603 switch (request->reply->code) {
604 case 0:
605 RDEBUG("No reply code was set. Forcing to Authentication-Fail");
606 fail:
607 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
609
610 /*
611 * Print complaints before running "send Access-Reject"
612 */
614 RDEBUG2("Failed to authenticate the user");
615 break;
616
620 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
621 if (vp && (vp->vp_uint32 != FR_AUTHENTICATION_TYPE_VALUE_ASCII)) {
622 RDEBUG2("Cannot send challenges for %pP", vp);
623 goto fail;
624 }
625 break;
626
627 default:
628 break;
629
630 }
631 UPDATE_STATE(reply);
632
633 fr_assert(state->send != NULL);
634 return state->send(p_result, mctx, request);
635}
636
637RESUME_FLAG(auth_pass, UNUSED,)
638{
640
642
643 // @todo - worry about user identity existing?
644
645 fr_state_discard(inst->auth.state_tree, request);
647}
648
649RESUME_FLAG(auth_fail, UNUSED,)
650{
652
654
655 // @todo - insert server message saying "failed"
656 // and also for FAIL
657
658 fr_state_discard(inst->auth.state_tree, request);
660}
661
662RESUME_FLAG(auth_restart, UNUSED,)
663{
665
667
668 fr_state_discard(inst->auth.state_tree, request);
670}
671
672RESUME(auth_get)
673{
676 fr_pair_t *vp, *copy;
677
679
680 /*
681 * Track multi-round authentication flows. Note that they can only start with an
682 * "Authentication-Start" packet, but they can continue with an "Authentication-Continue" packet.
683 *
684 * If there's no session being tracked, then we create one for a start packet.
685 */
686 session = request_data_reference(request, inst, 0);
687 if (!session) {
688 fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
689
691
692 MEM(session = talloc_zero(NULL, process_tacacs_session_t));
693 if (request_data_talloc_add(request, inst, 0, process_tacacs_session_t, session, true, true, true) < 0) {
694 talloc_free(session);
695 goto send_reply;
696 }
697
698 /*
699 * These are the only things which saved. The rest of the fields are either static (and statically
700 * known), or are irrelevant.
701 */
702 fr_pair_list_init(&session->list);
703#undef COPY
704#define COPY(_attr) do { \
705 vp = fr_pair_find_by_da(&request->request_pairs, NULL, _attr); \
706 if (!vp) break; \
707 MEM(copy = fr_pair_copy(session, vp)); \
708 fr_pair_append(&session->list, copy); \
709 RDEBUG2("%pP", copy); \
710} while (0)
711
712 RDEBUG2("Caching session attributes:");
713 RINDENT();
719 REXDENT();
720
721 } else {
722 session->rounds++;
723
724 if (session->rounds > inst->auth.max_rounds) {
725 REDEBUG("Too many rounds of authentication - failing the session");
726 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_FAIL);
727 }
728
729 /*
730 * It is possible that the user name or password are added on subsequent Authentication-Continue
731 * packets following replies with Authentication-GetUser or Authentication-GetPass.
732 * Check if they are already in the session cache, and if not, add them.
733 */
734#define COPY_MISSING(_attr) do { \
735 vp = fr_pair_find_by_da(&session->list, NULL, _attr); \
736 if (vp) break; \
737 COPY(_attr); \
738} while (0)
739
740 RDEBUG2("Caching additional session attributes:");
741 RINDENT();
744 REXDENT();
745 }
746 session->reply = request->reply->code;
747 session->seq_no = request->packet->data[2];
748
750 /*
751 * Cache the session state context.
752 */
753 if ((state_create(request->reply_ctx, &request->reply_pairs, request, true) < 0) ||
754 (fr_request_to_state(inst->auth.state_tree, request) < 0)) {
755 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
756 }
757
759}
760
761RECV(auth_cont)
762{
765
766 if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
767 (fr_state_to_request(inst->auth.state_tree, request) < 0)) {
768 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
769 }
770
771 /*
772 * Restore key fields from the original Authentication-Start packet.
773 */
774 session = request_data_reference(request, inst, 0);
775 if (session) {
776 fr_pair_t *vp = NULL, *copy;
777
778 if (request->packet->data[2] <= session->seq_no) {
779 REDEBUG("Client sent invalid sequence number %02x, expected >%02x", request->packet->data[2], session->seq_no);
780 error:
781 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
782 }
783
784 if (fr_debug_lvl >= L_DBG_LVL_2) {
785 RDEBUG2("Restoring session attributes:");
786 RINDENT();
787 while ((vp = fr_pair_list_next(&session->list, vp))) {
788 RDEBUG2("%pP", vp);
789 }
790 REXDENT();
791 }
792 if (fr_pair_list_copy(request->request_ctx, &request->request_pairs, &session->list) < 0) goto error;
793
794 /*
795 * Copy the returned user_message into the attribute we requested.
796 */
797#define EXTRACT(_attr) \
798 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_user_message); \
799 if (!vp) break; \
800 fr_value_box_set_secret(&vp->data, _attr->flags.secret); \
801 if (pair_append_request(&copy, _attr) < 0) break; \
802 if (fr_pair_value_copy(copy, vp) < 0) { \
803 fr_pair_remove(&request->request_pairs, copy); \
804 talloc_free(copy); \
805 break; \
806 } \
807 RDEBUG2("Populated %pP from user_message", copy)
808
809 switch (session->reply) {
812 break;
813
816 break;
817
818 default:
819 break;
820 }
821 }
822
823 return CALL_RECV(generic);
824}
825
826/*
827 * The client aborted the session. The reply should be RESTART or FAIL.
828 */
829RECV(auth_cont_abort)
830{
832
833 if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
834 (fr_state_to_request(inst->auth.state_tree, request) < 0)) {
835 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
836 }
837
838 return CALL_RECV(generic);
839}
840
841RESUME(auth_cont_abort)
842{
843 fr_process_state_t const *state;
844
845 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_AUTH_RESTART;
846
847 UPDATE_STATE(reply);
848
849 fr_assert(state->send != NULL);
850 return CALL_SEND_STATE(state);
851}
852
853
860
861
862RESUME(autz_request)
863{
864 rlm_rcode_t rcode = RESULT_RCODE;
865 fr_process_state_t const *state;
866
868
870
871 /*
872 * See if the return code from "recv" which says we reject, or continue.
873 */
874 UPDATE_STATE(packet);
875
876 /*
877 * Nothing set the reply, so let's see if we need to do so.
878 *
879 * If the admin didn't set authorization-status, just
880 * use the defaults from the state machine.
881 */
882 if (!request->reply->code) {
883 request->reply->code = reply_code(request, attr_tacacs_authorization_status,
884 author_status_to_packet_code, state, NULL, rcode);
885 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_AUTZ_ERROR;
886
887 } else {
888 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
889 }
890
891 RDEBUG("Reply packet type set to %s", fr_tacacs_packet_names[request->reply->code]);
892
893 UPDATE_STATE(reply);
894
895 fr_assert(state->send != NULL);
896 return CALL_SEND_STATE(state);
897}
898
903
904RESUME(acct_type)
905{
906 static const fr_process_rcode_t acct_type_rcode = {
915 };
916
917 rlm_rcode_t rcode = RESULT_RCODE;
918 fr_process_state_t const *state;
919
921
922 /*
923 * One more chance to override
924 */
925 if (!request->reply->code) {
927 NULL, acct_type_rcode, rcode);
928 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
929 } else {
930 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
931 }
932
933 UPDATE_STATE(reply);
934
935 fr_assert(state->send != NULL);
936 return state->send(p_result, mctx, request);
937}
938
939static const bool acct_flag_valid[8] = {
940 false, true, true, false, /* invalid, start, stop, invalid */
941 true, true, false, false, /* watchdog - no update, watchdog - update, invalid, invalid */
942};
943
944RECV(accounting_request)
945{
946 fr_pair_t *vp;
947
948 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
949
950 /*
951 * RFC 8907 Section 7.2
952 */
953 if (vp && !acct_flag_valid[(vp->vp_uint8 & 0x0e) >> 1]) {
954 RWDEBUG("Invalid accounting request flag field %02x", vp->vp_uint8);
955 return CALL_SEND_TYPE(FR_TACACS_CODE_ACCT_ERROR);
956 }
957
958 return CALL_RECV(generic);
959}
960
961RESUME(accounting_request)
962{
963 rlm_rcode_t rcode = RESULT_RCODE;
964 fr_pair_t *vp;
965 CONF_SECTION *cs;
966 fr_dict_enum_value_t const *dv;
967 fr_process_state_t const *state;
969
971
973
974 UPDATE_STATE(packet);
975
976 /*
977 * Nothing set the reply, so let's see if we need to do so.
978 *
979 * If the admin didn't set accounting-status, just
980 * use the defaults from the state machine.
981 */
982 if (!request->reply->code) {
983 request->reply->code = reply_code(request, attr_tacacs_accounting_status,
984 acct_status_to_packet_code, state, NULL, rcode);
985 } else {
986 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
987 }
988
989 /*
990 * Something set the reply code, so we reply and don't run "accounting foo { ... }"
991 */
992 if (request->reply->code) {
993 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->packet->code));
994
995 RDEBUG("Reply packet type was set to %s", fr_tacacs_packet_names[request->reply->code]);
996
997 UPDATE_STATE(reply);
998
999 fr_assert(state->send != NULL);
1000 return CALL_SEND_STATE(state);
1001 }
1002
1003 /*
1004 * Run accounting foo { ... }
1005 */
1006 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
1007 if (!vp) {
1008 fail:
1009 request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
1010 UPDATE_STATE(reply);
1011 fr_assert(state->send != NULL);
1012 return CALL_SEND_STATE(state);
1013 }
1014
1015 dv = fr_dict_enum_by_value(vp->da, &vp->data);
1016 if (!dv) goto fail;
1017
1018 cs = cf_section_find(inst->server_cs, "accounting", dv->name);
1019 if (!cs) {
1020 RDEBUG2("No 'accounting %s { ... }' section found - skipping...", dv->name);
1021 goto fail;
1022 }
1023
1024 /*
1025 * Run the "accounting foo { ... }" section.
1026 *
1027 * And continue with sending the generic reply.
1028 */
1029 return unlang_module_yield_to_section(RESULT_P, request,
1030 cs, RLM_MODULE_NOOP, resume_acct_type,
1031 NULL, 0, mctx->rctx);
1032}
1033
1034static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
1035{
1036 fr_process_state_t const *state;
1037
1039
1041 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->packet->code));
1042
1043 request->component = "tacacs";
1044 request->module = NULL;
1045 fr_assert(request->proto_dict == dict_tacacs);
1046
1047 UPDATE_STATE(packet);
1048
1049 if (!state->recv) {
1050 REDEBUG("Invalid packet type (%u)", request->packet->code);
1052 }
1053
1054 // @todo - debug stuff!
1055// tacacs_packet_debug(request, request->packet, &request->request_pairs, true);
1056
1057 if (unlikely(request_is_dynamic_client(request))) {
1058 return new_client(p_result, mctx, request);
1059 }
1060
1061 return state->recv(p_result, mctx, request);
1062}
1063
1064static int mod_instantiate(module_inst_ctx_t const *mctx)
1065{
1066 process_tacacs_t *inst = talloc_get_type_abort(mctx->mi->data, process_tacacs_t);
1067
1068 inst->server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1069
1070 FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.max_rounds, >=, 1);
1071 FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.max_rounds, <=, 8);
1072
1073 FR_INTEGER_BOUND_CHECK("session.max", inst->auth.max_session, >=, 64);
1074 FR_INTEGER_BOUND_CHECK("session.max", inst->auth.max_session, <=, (1 << 18));
1075
1076 inst->auth.state_tree = fr_state_tree_init(inst, attr_tacacs_state, main_config->spawn_workers, inst->auth.max_session,
1077 inst->auth.session_timeout, inst->auth.state_server_id,
1078 fr_hash_string(cf_section_name2(inst->server_cs)));
1079 return 0;
1080}
1081
1082static int mod_bootstrap(module_inst_ctx_t const *mctx)
1083{
1084 CONF_SECTION *server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1085
1086 if (virtual_server_section_attribute_define(server_cs, "authenticate", attr_auth_type) < 0) return -1;
1087
1088 return 0;
1089}
1090
1091/*
1092 * rcodes not listed under a packet_type
1093 * mean that the packet code will not be
1094 * changed.
1095 */
1096static fr_process_state_t const process_state[] = {
1097 /*
1098 * Authentication
1099 */
1101 .packet_type = {
1108 },
1109 .default_rcode = RLM_MODULE_NOOP,
1110 .recv = recv_auth_start,
1111 .resume = resume_auth_start,
1112 .section_offset = offsetof(process_tacacs_sections_t, auth_start),
1113 },
1115 .packet_type = {
1121 },
1122 .default_rcode = RLM_MODULE_NOOP,
1123 .result_rcode = RLM_MODULE_OK,
1124 .send = send_generic,
1125 .resume = resume_auth_pass,
1126 .section_offset = offsetof(process_tacacs_sections_t, auth_pass),
1127 },
1129 .packet_type = {
1135 },
1136 .default_rcode = RLM_MODULE_NOOP,
1137 .result_rcode = RLM_MODULE_REJECT,
1138 .send = send_generic,
1139 .resume = resume_auth_fail,
1140 .section_offset = offsetof(process_tacacs_sections_t, auth_fail),
1141 },
1143 .packet_type = {
1149 },
1150 .default_rcode = RLM_MODULE_NOOP,
1151 .result_rcode = RLM_MODULE_OK,
1152 .send = send_generic,
1153 .resume = resume_auth_get,
1154 .section_offset = offsetof(process_tacacs_sections_t, auth_getdata),
1155 },
1157 .packet_type = {
1163 },
1164 .default_rcode = RLM_MODULE_NOOP,
1165 .result_rcode = RLM_MODULE_OK,
1166 .send = send_generic,
1167 .resume = resume_auth_get,
1168 .section_offset = offsetof(process_tacacs_sections_t, auth_getpass),
1169 },
1171 .packet_type = {
1177 },
1178 .default_rcode = RLM_MODULE_NOOP,
1179 .result_rcode = RLM_MODULE_OK,
1180 .send = send_generic,
1181 .resume = resume_auth_get,
1182 .section_offset = offsetof(process_tacacs_sections_t, auth_getuser),
1183 },
1185 .packet_type = {
1186 },
1187 .default_rcode = RLM_MODULE_NOOP,
1188 .result_rcode = RLM_MODULE_OK,
1189 .send = send_generic,
1190 .resume = resume_auth_restart,
1191 .section_offset = offsetof(process_tacacs_sections_t, auth_restart),
1192 },
1194 .packet_type = {
1195 },
1196 .default_rcode = RLM_MODULE_NOOP,
1197 .result_rcode = RLM_MODULE_REJECT,
1198 .send = send_generic,
1199 .resume = resume_auth_restart,
1200 .section_offset = offsetof(process_tacacs_sections_t, auth_error),
1201 },
1202
1204 .packet_type = {
1211 },
1212 .default_rcode = RLM_MODULE_NOOP,
1213 .result_rcode = RLM_MODULE_OK,
1214 .recv = recv_auth_cont,
1215 .resume = resume_auth_start, /* we go back to running 'authenticate', etc. */
1216 .section_offset = offsetof(process_tacacs_sections_t, auth_cont),
1217 },
1219 .packet_type = {
1226 },
1227 .default_rcode = RLM_MODULE_NOOP,
1228 .result_rcode = RLM_MODULE_REJECT,
1229 .recv = recv_auth_cont_abort,
1230 .resume = resume_auth_cont_abort,
1231 .section_offset = offsetof(process_tacacs_sections_t, auth_cont_abort),
1232 },
1233
1234 /*
1235 * Authorization
1236 */
1238 .packet_type = {
1243
1250 },
1251 .default_rcode = RLM_MODULE_NOOP,
1252 .recv = recv_generic,
1253 .resume = resume_autz_request,
1254 .section_offset = offsetof(process_tacacs_sections_t, autz_request),
1255 },
1257 .packet_type = {
1264 },
1265 .default_rcode = RLM_MODULE_NOOP,
1266 .result_rcode = RLM_MODULE_OK,
1267 .send = send_generic,
1268 .resume = resume_send_generic,
1269 .section_offset = offsetof(process_tacacs_sections_t, autz_pass_add),
1270 },
1272 .packet_type = {
1279 },
1280 .default_rcode = RLM_MODULE_NOOP,
1281 .result_rcode = RLM_MODULE_OK,
1282 .send = send_generic,
1283 .resume = resume_send_generic,
1284 .section_offset = offsetof(process_tacacs_sections_t, autz_pass_replace),
1285 },
1287 .packet_type = {
1288 },
1289 .default_rcode = RLM_MODULE_NOOP,
1290 .result_rcode = RLM_MODULE_REJECT,
1291 .send = send_generic,
1292 .resume = resume_send_generic,
1293 .section_offset = offsetof(process_tacacs_sections_t, autz_fail),
1294 },
1296 .packet_type = {
1297 },
1298 .default_rcode = RLM_MODULE_NOOP,
1299 .result_rcode = RLM_MODULE_REJECT,
1300 .send = send_generic,
1301 .resume = resume_send_generic,
1302 .section_offset = offsetof(process_tacacs_sections_t, autz_error),
1303 },
1304
1305 /*
1306 * Accounting
1307 */
1309 .packet_type = {
1316 },
1317 .default_rcode = RLM_MODULE_NOOP,
1318 .recv = recv_accounting_request,
1319 .resume = resume_accounting_request,
1320 .section_offset = offsetof(process_tacacs_sections_t, acct_request),
1321 },
1323 .packet_type = {
1330 },
1331 .default_rcode = RLM_MODULE_NOOP,
1332 .result_rcode = RLM_MODULE_OK,
1333 .send = send_generic,
1334 .resume = resume_send_generic,
1335 .section_offset = offsetof(process_tacacs_sections_t, acct_success),
1336 },
1338 .packet_type = {
1339 },
1340 .default_rcode = RLM_MODULE_NOOP,
1341 .result_rcode = RLM_MODULE_FAIL,
1342 .send = send_generic,
1343 .resume = resume_send_generic,
1344 .section_offset = offsetof(process_tacacs_sections_t, acct_error),
1345 },
1347 .packet_type = {
1352
1359 },
1360 .default_rcode = RLM_MODULE_NOOP,
1361 .result_rcode = RLM_MODULE_HANDLED,
1362 .send = send_generic,
1363 .resume = resume_send_generic,
1364 .section_offset = offsetof(process_tacacs_sections_t, do_not_respond),
1365 }
1366};
1367
1368
1370 /**
1371 * Basically, the TACACS+ protocol use same type "authenticate" to handle
1372 * Start and Continue requests. (yep, you're right. it's horrible)
1373 * Therefore, we split the same "auth" type into two different sections just
1374 * to allow the user to have different logic for that.
1375 *
1376 * If you want to cry, just take a look at
1377 *
1378 * https://tools.ietf.org/html/rfc8907 Section 4.
1379 *
1380 * This should be an abject lesson in how NOT to design a
1381 * protocol. Pretty much everything they did was wrong.
1382 */
1383 {
1384 .section = SECTION_NAME("recv", "Authentication-Start"),
1385 .actions = &mod_actions_authenticate,
1386 .offset = PROCESS_CONF_OFFSET(auth_start),
1387 },
1388 {
1389 .section = SECTION_NAME("send", "Authentication-Pass"),
1391 .offset = PROCESS_CONF_OFFSET(auth_pass),
1392 },
1393 {
1394 .section = SECTION_NAME("send", "Authentication-Fail"),
1396 .offset = PROCESS_CONF_OFFSET(auth_fail),
1397 },
1398 {
1399 .section = SECTION_NAME("send", "Authentication-GetData"),
1401 .offset = PROCESS_CONF_OFFSET(auth_getdata),
1402 },
1403 {
1404 .section = SECTION_NAME("send", "Authentication-GetUser"),
1406 .offset = PROCESS_CONF_OFFSET(auth_getuser),
1407 },
1408 {
1409 .section = SECTION_NAME("send", "Authentication-GetPass"),
1411 .offset = PROCESS_CONF_OFFSET(auth_getpass),
1412 },
1413 {
1414 .section = SECTION_NAME("send", "Authentication-Restart"),
1416 .offset = PROCESS_CONF_OFFSET(auth_restart),
1417 },
1418 {
1419 .section = SECTION_NAME("send", "Authentication-Error"),
1421 .offset = PROCESS_CONF_OFFSET(auth_error),
1422 },
1423 {
1424 .section = SECTION_NAME("recv", "Authentication-Continue"),
1426 .offset = PROCESS_CONF_OFFSET(auth_cont),
1427 },
1428 {
1429 .section = SECTION_NAME("recv", "Authentication-Continue-Abort"),
1431 .offset = PROCESS_CONF_OFFSET(auth_cont_abort),
1432 },
1433
1434 {
1435 .section = SECTION_NAME("authenticate", CF_IDENT_ANY),
1437 },
1438
1439 /* authorization */
1440
1441 {
1442 .section = SECTION_NAME("recv", "Authorization-Request"),
1444 .offset = PROCESS_CONF_OFFSET(autz_request),
1445 },
1446 {
1447 .section = SECTION_NAME("send", "Authorization-Pass-Add"),
1449 .offset = PROCESS_CONF_OFFSET(autz_pass_add),
1450 },
1451 {
1452 .section = SECTION_NAME("send", "Authorization-Pass-Replace"),
1454 .offset = PROCESS_CONF_OFFSET(autz_pass_replace),
1455 },
1456 {
1457 .section = SECTION_NAME("send", "Authorization-Fail"),
1459 .offset = PROCESS_CONF_OFFSET(autz_fail),
1460 },
1461 {
1462 .section = SECTION_NAME("send", "Authorization-Error"),
1464 .offset = PROCESS_CONF_OFFSET(autz_error),
1465 },
1466
1467 /* accounting */
1468
1469 {
1470 .section = SECTION_NAME("recv", "Accounting-Request"),
1472 .offset = PROCESS_CONF_OFFSET(acct_request),
1473 },
1474 {
1475 .section = SECTION_NAME("send", "Accounting-Success"),
1477 .offset = PROCESS_CONF_OFFSET(acct_success),
1478 },
1479 {
1480 .section = SECTION_NAME("send", "Accounting-Error"),
1482 .offset = PROCESS_CONF_OFFSET(acct_error),
1483 },
1484
1485 {
1486 .section = SECTION_NAME("accounting", CF_IDENT_ANY),
1488 },
1489
1490 {
1491 .section = SECTION_NAME("send", "Do-Not-Respond"),
1493 .offset = PROCESS_CONF_OFFSET(do_not_respond),
1494 },
1495
1496 DYNAMIC_CLIENT_SECTIONS,
1497
1499};
1500
1501
1504 .common = {
1505 .magic = MODULE_MAGIC_INIT,
1506 .name = "tacacs",
1507 .config = config,
1509 MODULE_RCTX(process_rctx_t),
1510 .bootstrap = mod_bootstrap,
1511 .instantiate = mod_instantiate
1512 },
1513 .process = mod_process,
1514 .compile_list = compile_list,
1515 .dict = &dict_tacacs,
1516 .packet_type = &attr_packet_type
1517};
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition action.h:37
static int const char char buffer[256]
Definition acutest.h:576
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
#define unlikely(_x)
Definition build.h:383
#define UNUSED
Definition build.h:317
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:658
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:518
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:284
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:339
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:428
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:595
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1184
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
#define cf_parent(_cf)
Definition cf_util.h:101
#define cf_filename(_cf)
Definition cf_util.h:107
#define CF_IDENT_ANY
Definition cf_util.h:78
#define MEM(x)
Definition debug.h:36
fr_value_box_t const ** out
Enumeration value.
Definition dict.h:263
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:274
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:287
fr_value_box_t const * value
Enum value (what name maps to).
Definition dict.h:237
fr_dict_enum_value_t const * fr_dict_enum_by_value(fr_dict_attr_t const *da, fr_value_box_t const *value)
Lookup the structure representing an enum value in a fr_dict_attr_t.
Definition dict_util.c:3393
char const * name
Enum name.
Definition dict.h:234
Specifies an attribute which must be present for the module to function.
Definition dict.h:273
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:286
Specifies a value which must be present for the module to function.
Definition dict.h:262
Value of an enumerated attribute.
Definition dict.h:233
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
uint32_t fr_hash(void const *data, size_t size)
Definition hash.c:812
uint32_t fr_hash_string(char const *p)
Definition hash.c:865
static fr_dict_t const * dict_freeradius
Definition base.c:37
fr_dict_attr_t const * attr_packet_type
Definition base.c:93
fr_dict_attr_t const * attr_user_name
Definition base.c:104
static fr_dict_attr_t const * attr_module_failure_message
Definition log.c:206
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:443
#define RWDEBUG(fmt,...)
Definition log.h:361
#define RINDENT()
Indent R* messages by one level.
Definition log.h:430
talloc_free(reap)
int fr_debug_lvl
Definition log.c:40
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:71
main_config_t const * main_config
Main server configuration.
Definition main_config.c:58
bool spawn_workers
Should the server spawn threads.
Definition main_config.h:58
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT8
8 Bit unsigned integer.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_OCTETS
Raw octets.
unsigned int uint32_t
unsigned char uint8_t
#define UINT8_MAX
unlang_mod_actions_t const mod_actions_authenticate
Definition mod_action.c:30
unlang_mod_actions_t const mod_actions_accounting
Definition mod_action.c:78
unlang_mod_actions_t const mod_actions_authorize
Definition mod_action.c:46
unlang_mod_actions_t const mod_actions_postauth
Definition mod_action.c:93
unlang_mod_action_t actions[RLM_MODULE_NUMCODES]
Definition mod_action.h:64
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
static void fr_nbo_from_uint32(uint8_t out[static sizeof(uint32_t)], uint32_t num)
Write out an unsigned 32bit integer in wire format (big endian)
Definition nbo.h:61
int fr_pair_list_copy(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from)
Duplicate a list of pairs.
Definition pair.c:2320
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2936
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:774
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:697
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1342
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:287
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition base.c:188
static const virtual_server_compile_t compile_list[]
Definition base.c:214
static fr_process_state_t const process_state[]
Definition base.c:69
RESUME_FLAG(recv_bfd, UNUSED,)
Definition base.c:119
static fr_dict_attr_t const * attr_module_success_message
Definition base.c:37
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition base.c:743
RECV(for_any_server)
Validate a solicit/rebind/confirm message.
Definition base.c:401
static fr_dict_attr_t const * attr_user_password
Definition base.c:66
static fr_dict_attr_t const * attr_stripped_user_name
Definition base.c:59
static const conf_parser_t session_config[]
Definition base.c:172
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Definition base.c:883
static fr_dict_attr_t const * attr_auth_type
Definition base.c:56
static fr_value_box_t const * enum_auth_type_reject
Definition base.c:94
static const conf_parser_t auth_config[]
Definition base.c:180
static fr_value_box_t const * enum_auth_type_accept
Definition base.c:93
static const conf_parser_t config[]
Definition base.c:186
fr_process_module_t process_tacacs
Definition base.c:1503
static fr_dict_attr_t const * attr_tacacs_authentication_flags
Definition base.c:56
CONF_SECTION * autz_pass_add
Definition base.c:147
fr_pair_list_t list
copied from the request
Definition base.c:193
CONF_SECTION * new_client
Definition base.c:158
static fr_value_box_t const * enum_tacacs_auth_type_ascii
Definition base.c:119
CONF_SECTION * add_client
Definition base.c:159
CONF_SECTION * auth_pass
Definition base.c:135
CONF_SECTION * auth_start
Definition base.c:134
CONF_SECTION * acct_success
Definition base.c:153
CONF_SECTION * auth_error
Definition base.c:141
CONF_SECTION * acct_request
Definition base.c:152
CONF_SECTION * auth_cont_abort
Definition base.c:144
fr_dict_attr_autoload_t process_tacacs_dict_attr[]
Definition base.c:80
static fr_dict_attr_t const * attr_tacacs_user_message
Definition base.c:73
CONF_SECTION * server_cs
Our virtual server.
Definition base.c:177
static fr_dict_attr_t const * attr_chap_password
Definition base.c:77
CONF_SECTION * auth_cont
Definition base.c:143
static const uint32_t acct_status_to_packet_code[UINT8_MAX+1]
Definition base.c:899
CONF_SECTION * auth_restart
Definition base.c:140
static const uint32_t authen_status_to_packet_code[UINT8_MAX+1]
Definition base.c:373
process_tacacs_sections_t sections
Pointers to various config sections we need to execute.
Definition base.c:181
static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da, uint32_t const status2code[static UINT8_MAX+1], fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
Try and determine what the response packet type should be.
Definition base.c:291
static fr_dict_t const * dict_tacacs
Definition base.c:39
fr_time_delta_t session_timeout
Maximum time between the last response and next request.
Definition base.c:164
uint32_t rounds
how many rounds were taken
Definition base.c:190
fr_dict_enum_autoload_t process_tacacs_dict_enum[]
Definition base.c:122
#define COPY_MISSING(_attr)
static fr_dict_attr_t const * attr_tacacs_session_id
Definition base.c:70
static fr_dict_attr_t const * attr_tacacs_server_message
Definition base.c:69
CONF_SECTION * autz_error
Definition base.c:150
CONF_SECTION * do_not_respond
Definition base.c:156
static const uint32_t author_status_to_packet_code[UINT8_MAX+1]
Definition base.c:854
static fr_value_box_t const * enum_auth_flags_noecho
Definition base.c:118
uint8_t state_server_id
Sets a specific byte in the state to allow the authenticating server to be identified in packet captu...
Definition base.c:169
CONF_SECTION * autz_pass_replace
Definition base.c:148
uint32_t reply
for multiround state machine
Definition base.c:191
#define EXTRACT(_attr)
CONF_SECTION * auth_getuser
Definition base.c:138
static fr_dict_attr_t const * attr_tacacs_privilege_level
Definition base.c:67
CONF_SECTION * auth_getdata
Definition base.c:137
static fr_dict_attr_t const * attr_tacacs_authentication_type
Definition base.c:57
CONF_SECTION * acct_error
Definition base.c:154
static fr_dict_attr_t const * attr_tacacs_accounting_status
Definition base.c:62
CONF_SECTION * autz_request
Definition base.c:146
uint32_t max_session
Maximum ongoing session allowed.
Definition base.c:165
static const bool acct_flag_valid[8]
Definition base.c:939
static fr_dict_attr_t const * attr_tacacs_authentication_service
Definition base.c:58
static fr_dict_attr_t const * attr_tacacs_authentication_status
Definition base.c:59
CONF_SECTION * deny_client
Definition base.c:160
CONF_SECTION * auth_fail
Definition base.c:136
static fr_dict_attr_t const * attr_tacacs_authentication_action
Definition base.c:55
static fr_dict_attr_t const * attr_tacacs_client_port
Definition base.c:65
process_tacacs_auth_t auth
Authentication configuration.
Definition base.c:184
static fr_dict_attr_t const * attr_tacacs_remote_address
Definition base.c:68
uint8_t seq_no
sequence number of last request.
Definition base.c:192
fr_state_tree_t * state_tree
State tree to link multiple requests/responses.
Definition base.c:173
#define COPY(_attr)
static fr_dict_attr_t const * attr_tacacs_action
Definition base.c:54
static fr_dict_attr_t const * attr_tacacs_sequence_number
Definition base.c:71
static fr_dict_attr_t const * attr_tacacs_authorization_status
Definition base.c:61
CONF_SECTION * autz_fail
Definition base.c:149
static fr_dict_attr_t const * attr_tacacs_accounting_flags
Definition base.c:63
static fr_dict_attr_t const * attr_tacacs_data
Definition base.c:66
static fr_dict_attr_t const * attr_tacacs_state
Definition base.c:72
uint32_t max_rounds
maximum number of authentication rounds allowed
Definition base.c:167
uint32_t session_id
current session ID
Definition base.c:179
CONF_SECTION * auth_getpass
Definition base.c:139
fr_dict_autoload_t process_tacacs_dict[]
Definition base.c:42
static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
Definition base.c:232
#define PROCESS_TRACE
Trace each state function as it's entered.
Definition process.h:55
#define PROCESS_CONF_OFFSET(_x)
Definition process.h:79
module_t common
Common fields for all loadable modules.
Common public symbol definition for all process modules.
char const * fr_tacacs_packet_names[FR_TACACS_CODE_MAX]
Definition base.c:119
#define fr_assert(_expr)
Definition rad_assert.h:38
#define REDEBUG(fmt,...)
Definition radclient.h:52
#define RDEBUG2(fmt,...)
Definition radclient.h:54
#define RDEBUG(fmt,...)
Definition radclient.h:53
static void send_reply(int sockfd, fr_channel_data_t *reply)
fr_table_num_sorted_t const rcode_table[]
Definition rcode.c:35
#define RETURN_UNLANG_FAIL
Definition rcode.h:57
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
@ RLM_MODULE_INVALID
The module considers the request invalid.
Definition rcode.h:45
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:43
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:42
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition rcode.h:46
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:41
@ RLM_MODULE_TIMEOUT
Module (or section) timed out.
Definition rcode.h:50
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:47
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition rcode.h:49
@ RLM_MODULE_NOOP
Module succeeded without doing anything.
Definition rcode.h:48
@ RLM_MODULE_NUMCODES
How many valid return codes there are.
Definition rcode.h:51
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition rcode.h:44
#define request_is_dynamic_client(_x)
Definition request.h:188
void * request_data_reference(request_t *request, void const *unique_ptr, int unique_int)
Get opaque data from a request without removing it.
#define request_data_talloc_add(_request, _unique_ptr, _unique_int, _type, _opaque, _free_on_replace, _free_on_parent, _persist)
Add opaque data to a request_t.
static unlang_action_t process_rcode(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
static unsigned int hash(char const *username, unsigned int tablesize)
Definition rlm_passwd.c:132
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:349
void * data
Module's instance data.
Definition module.h:291
#define MODULE_RCTX(_ctype)
Definition module.h:257
#define MODULE_INST(_ctype)
Definition module.h:255
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:206
#define pair_append_reply(_attr, _da)
Allocate and append a fr_pair_t to reply list.
Definition pair.h:47
fr_state_tree_t * fr_state_tree_init(TALLOC_CTX *ctx, fr_dict_attr_t const *da, bool thread_safe, uint32_t max_sessions, fr_time_delta_t timeout, uint8_t server_id, uint32_t context_id)
Initialise a new state tree.
Definition state.c:220
void fr_state_discard(fr_state_tree_t *state, request_t *request)
Called when sending an Access-Accept/Access-Reject to discard state information.
Definition state.c:605
int fr_request_to_state(fr_state_tree_t *state, request_t *request)
Transfer ownership of the state fr_pair_ts and ctx, back to a state entry.
Definition state.c:736
int fr_state_to_request(fr_state_tree_t *state, request_t *request)
Copy a pointer to the head of the list of state fr_pair_ts (and their ctx) into the request.
Definition state.c:659
unlang_action_t unlang_module_yield_to_section(unlang_result_t *p_result, request_t *request, CONF_SECTION *subcs, rlm_rcode_t default_rcode, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Definition module.c:249
eap_aka_sim_process_conf_t * inst
#define RESUME(_x)
fr_pair_t * vp
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
Definition tacacs.h:211
@ FR_TAC_PLUS_AUTHOR_STATUS_ERROR
Definition tacacs.h:214
@ FR_TAC_PLUS_AUTHOR_STATUS_FAIL
Definition tacacs.h:213
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
Definition tacacs.h:212
#define FR_TACACS_PACKET_CODE_VALID(_code)
Definition tacacs.h:322
#define packet_is_authen_start_request(p)
3.4.
Definition tacacs.h:49
@ FR_TACACS_CODE_ACCT_ERROR
Definition tacacs.h:315
@ FR_TACACS_CODE_DO_NOT_RESPOND
Definition tacacs.h:318
@ FR_TACACS_CODE_ACCT_REQUEST
Definition tacacs.h:313
@ FR_TACACS_CODE_AUTZ_REQUEST
Definition tacacs.h:307
@ FR_TACACS_CODE_AUTH_GETDATA
Definition tacacs.h:298
@ FR_TACACS_CODE_AUTH_RESTART
Definition tacacs.h:301
@ FR_TACACS_CODE_AUTZ_PASS_REPLACE
Definition tacacs.h:309
@ FR_TACACS_CODE_AUTH_GETUSER
Definition tacacs.h:299
@ FR_TACACS_CODE_AUTH_GETPASS
Definition tacacs.h:300
@ FR_TACACS_CODE_AUTZ_FAIL
Definition tacacs.h:310
@ FR_TACACS_CODE_AUTH_CONT_ABORT
Definition tacacs.h:305
@ FR_TACACS_CODE_AUTH_PASS
Definition tacacs.h:296
@ FR_TACACS_CODE_AUTH_CONT
Definition tacacs.h:304
@ FR_TACACS_CODE_AUTZ_PASS_ADD
Definition tacacs.h:308
@ FR_TACACS_CODE_AUTH_START
Definition tacacs.h:295
@ FR_TACACS_CODE_AUTH_FAIL
Definition tacacs.h:297
@ FR_TACACS_CODE_AUTH_ERROR
Definition tacacs.h:302
@ FR_TACACS_CODE_AUTZ_ERROR
Definition tacacs.h:311
@ FR_TACACS_CODE_ACCT_SUCCESS
Definition tacacs.h:314
@ FR_TAC_PLUS_ACCT_STATUS_SUCCESS
Definition tacacs.h:255
@ FR_TAC_PLUS_ACCT_STATUS_ERROR
Definition tacacs.h:256
@ FR_TAC_PLUS_AUTHEN_STATUS_PASS
Definition tacacs.h:151
@ FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
Definition tacacs.h:153
@ FR_TAC_PLUS_AUTHEN_STATUS_ERROR
Definition tacacs.h:157
@ FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
Definition tacacs.h:154
@ FR_TAC_PLUS_AUTHEN_STATUS_FAIL
Definition tacacs.h:152
@ FR_TAC_PLUS_AUTHEN_STATUS_RESTART
Definition tacacs.h:156
@ FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
Definition tacacs.h:155
#define talloc_get_type_abort_const
Definition talloc.h:287
A time delta, a difference in time measured in nanoseconds.
Definition time.h:80
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition pair_inline.c:69
int8_t fr_value_box_cmp(fr_value_box_t const *a, fr_value_box_t const *b)
Compare two values.
Definition value.c:722
int fr_value_box_copy(TALLOC_CTX *ctx, fr_value_box_t *dst, const fr_value_box_t *src)
Copy value data verbatim duplicating any buffers.
Definition value.c:3962
static size_t char ** out
Definition value.h:1020
int virtual_server_section_attribute_define(CONF_SECTION *server_cs, char const *subcs_name, fr_dict_attr_t const *da)
Define a values for Auth-Type attributes by the sections present in a virtual-server.
section_name_t const * section
Identifier for the section.
#define COMPILE_TERMINATOR
Processing sections which are allowed in this virtual server.