The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 473dad06bf48e3838391ce7b9099e19bbd03a036 $
19 * @file src/process/tacacs/base.c
20 * @brief TACACS+ handler.
21 * @author Jorge Pereira <jpereira@freeradius.org>
22 *
23 * @copyright 2020 The FreeRADIUS server project.
24 * @copyright 2020 Network RADIUS SAS (legal@networkradius.com)
25 */
26#include <freeradius-devel/io/listen.h>
27#include <freeradius-devel/io/master.h>
28#include <freeradius-devel/tacacs/tacacs.h>
29#include <freeradius-devel/unlang/call.h>
30#include <freeradius-devel/util/debug.h>
31
32#include <freeradius-devel/protocol/tacacs/tacacs.h>
33
34static fr_dict_t const *dict_freeradius;
35static fr_dict_t const *dict_tacacs;
36
37extern fr_dict_autoload_t process_tacacs_dict[];
38fr_dict_autoload_t process_tacacs_dict[] = {
39 { .out = &dict_freeradius, .proto = "freeradius" },
40 { .out = &dict_tacacs, .proto = "tacacs" },
41 DICT_AUTOLOAD_TERMINATOR
42};
43
44static fr_dict_attr_t const *attr_auth_type;
45static fr_dict_attr_t const *attr_module_failure_message;
46static fr_dict_attr_t const *attr_module_success_message;
47static fr_dict_attr_t const *attr_stripped_user_name;
48static fr_dict_attr_t const *attr_packet_type;
49
50static fr_dict_attr_t const *attr_tacacs_action;
51static fr_dict_attr_t const *attr_tacacs_authentication_action;
52static fr_dict_attr_t const *attr_tacacs_authentication_flags;
53static fr_dict_attr_t const *attr_tacacs_authentication_type;
54static fr_dict_attr_t const *attr_tacacs_authentication_service;
55static fr_dict_attr_t const *attr_tacacs_authentication_status;
56
57static fr_dict_attr_t const *attr_tacacs_authorization_status;
58static fr_dict_attr_t const *attr_tacacs_accounting_status;
59static fr_dict_attr_t const *attr_tacacs_accounting_flags;
60
61static fr_dict_attr_t const *attr_tacacs_client_port;
62static fr_dict_attr_t const *attr_tacacs_data;
63static fr_dict_attr_t const *attr_tacacs_privilege_level;
64static fr_dict_attr_t const *attr_tacacs_remote_address;
65static fr_dict_attr_t const *attr_tacacs_server_message;
66static fr_dict_attr_t const *attr_tacacs_session_id;
67static fr_dict_attr_t const *attr_tacacs_sequence_number;
68static fr_dict_attr_t const *attr_tacacs_state;
69static fr_dict_attr_t const *attr_tacacs_user_message;
70
71static fr_dict_attr_t const *attr_user_name;
72static fr_dict_attr_t const *attr_user_password;
73static fr_dict_attr_t const *attr_chap_password;
74
75extern fr_dict_attr_autoload_t process_tacacs_dict_attr[];
76fr_dict_attr_autoload_t process_tacacs_dict_attr[] = {
77 { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
78 { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
79 { .out = &attr_module_success_message, .name = "Module-Success-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
80 { .out = &attr_stripped_user_name, .name = "Stripped-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
81 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
82
83 { .out = &attr_tacacs_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
84 { .out = &attr_tacacs_authentication_flags, .name = "Authentication-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
85 { .out = &attr_tacacs_authentication_type, .name = "Authentication-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
86 { .out = &attr_tacacs_authentication_service, .name = "Authentication-Service", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
87
88 { .out = &attr_tacacs_authentication_status, .name = "Authentication-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
89 { .out = &attr_tacacs_authorization_status, .name = "Authorization-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
90
91 { .out = &attr_tacacs_accounting_status, .name = "Accounting-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
92 { .out = &attr_tacacs_accounting_flags, .name = "Accounting-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
93
94 { .out = &attr_tacacs_client_port, .name = "Client-Port", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
95 { .out = &attr_tacacs_data, .name = "Data", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
96 { .out = &attr_tacacs_privilege_level, .name = "Privilege-Level", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
97 { .out = &attr_tacacs_remote_address, .name = "Remote-Address", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
98 { .out = &attr_tacacs_authentication_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
99 { .out = &attr_tacacs_session_id, .name = "Packet.Session-Id", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
100 { .out = &attr_tacacs_sequence_number, .name = "Packet.Sequence-Number", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
101 { .out = &attr_tacacs_server_message, .name = "Server-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
102 { .out = &attr_tacacs_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
103 { .out = &attr_tacacs_user_message, .name = "User-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
104
105 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
106 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
107 { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
108
109 DICT_AUTOLOAD_TERMINATOR
110};
111
112static fr_value_box_t const *enum_auth_type_accept;
113static fr_value_box_t const *enum_auth_type_reject;
114static fr_value_box_t const *enum_auth_flags_noecho;
115static fr_value_box_t const *enum_tacacs_auth_type_ascii;
116
117extern fr_dict_enum_autoload_t process_tacacs_dict_enum[];
118fr_dict_enum_autoload_t process_tacacs_dict_enum[] = {
119 { .out = &enum_auth_type_accept, .name = "Accept", .attr = &attr_auth_type },
120 { .out = &enum_auth_type_reject, .name = "Reject", .attr = &attr_auth_type },
121 { .out = &enum_auth_flags_noecho, .name = "No-Echo", .attr = &attr_tacacs_authentication_flags },
122 { .out = &enum_tacacs_auth_type_ascii, .name = "ASCII", .attr = &attr_tacacs_authentication_type },
123 DICT_AUTOLOAD_TERMINATOR
124};
125
126
158
159typedef struct {
160 fr_state_config_t session; //!< track state session information.
161 fr_state_tree_t *state_tree; //!< State tree to link multiple requests/responses.
162} process_tacacs_auth_t;
163
164typedef struct {
165 CONF_SECTION *server_cs; //!< Our virtual server.
166
167 uint32_t session_id; //!< current session ID
168
169 process_tacacs_sections_t sections; //!< Pointers to various config sections
170 ///< we need to execute
171
172 process_tacacs_auth_t auth; //!< Authentication configuration.
173
174
175} process_tacacs_t;
176
177typedef struct {
178 uint32_t reply; //!< for multiround state machine
179 uint8_t seq_no; //!< sequence number of last request.
180 fr_pair_list_t list; //!< copied from the request
181} process_tacacs_session_t;
182
183
184#define PROCESS_PACKET_TYPE fr_tacacs_packet_code_t
185#define PROCESS_CODE_MAX FR_TACACS_CODE_MAX
186#define PROCESS_CODE_DO_NOT_RESPOND FR_TACACS_CODE_DO_NOT_RESPOND
187#define PROCESS_PACKET_CODE_VALID FR_TACACS_PACKET_CODE_VALID
188#define PROCESS_INST process_tacacs_t
189#define PROCESS_CODE_DYNAMIC_CLIENT FR_TACACS_CODE_AUTH_PASS
190
191#include <freeradius-devel/server/process.h>
192
193static const conf_parser_t auth_config[] = {
194 { FR_CONF_POINTER("session", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) state_session_config },
195
196 CONF_PARSER_TERMINATOR
197};
198
199static const conf_parser_t config[] = {
200 { FR_CONF_POINTER("Authentication", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) auth_config,
201 .offset = offsetof(process_tacacs_t, auth), },
202
203 CONF_PARSER_TERMINATOR
204};
205
206
207/*
208 * Synthesize a State attribute from connection && session information.
209 */
210static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
211{
212 uint64_t hash;
213 uint32_t sequence;
214 fr_pair_t *vp;
215
216 if (!request->async->listen) return -1;
217
218 vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_session_id);
219 if (!vp) return -1;
220
221 hash = fr_hash64(&vp->vp_uint32, sizeof(vp->vp_uint32));
222
223 vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_sequence_number);
224 if (!vp) return -1;
225
226 /*
227 * Requests have odd sequence numbers, and replies have even sequence numbers.
228 * So if we want to synthesize a state in a reply which gets matched with the next
229 * request, we have to add 2 to it.
230 */
231 sequence = vp->vp_uint8 + ((int) reply << 1);
232 hash = fr_hash64_update(&sequence, sizeof(sequence), hash);
233
234 hash = fr_hash64_update(&request->async->listen, sizeof(request->async->listen), hash);
235
236 vp = fr_pair_afrom_da(ctx, attr_tacacs_state);
237 if (!vp) return -1;
238
239 (void) fr_pair_value_memdup(vp, (uint8_t const *) &hash, sizeof(hash), false);
240
241 fr_pair_append(out, vp);
242
243 return 0;
244}
245
246/** Try and determine what the response packet type should be
247 *
248 * We check three sources:
249 * - reply.``<status_attr>``
250 * - reply.Packet-Type
251 * - State machine packet type assignments for the section rcode
252 *
253 * @param[in] request The current request.
254 * @param[in] status_da Specialised status attribute.
255 * @param[in] status2code Mapping table of *packet* status types to rcodes.
256 * @param[in] state Mappings for process state machine
257 * @param[in] process_rcode Mappings for Auth-Type / Acct-Type, which don't use the process state machine
258 * @param[in] rcode The last section rcode.
259 * @return
260 * - >0 if we determined a reply code.
261 * - 0 if we couldn't - Usually indicates additional sections should be run.
262 */
263static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da,
264 uint32_t const status2code[static UINT8_MAX + 1],
265 fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
266{
267 fr_pair_t *vp;
268 uint32_t code;
269
270 /*
271 * First check the protocol attribute for this packet type.
272 *
273 * Should be one of:
274 * - Authentication-Status
275 * - Authorization-Status
276 * - Accounting-Status
277 */
278 fr_assert(status_da->type == FR_TYPE_UINT8);
279
280 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, status_da);
281 if (vp) {
282 code = status2code[vp->vp_uint8];
283 if (FR_TACACS_PACKET_CODE_VALID(code)) {
284 RDEBUG("Setting reply Packet-Type from %pP", vp);
285 return code;
286 }
287
288 REDEBUG("Ignoring invalid status %pP", vp);
289 }
290
291 if (state) {
292 code = state->packet_type[rcode];
293 if (FR_TACACS_PACKET_CODE_VALID(code) || (code == FR_TACACS_CODE_DO_NOT_RESPOND)) return code;
294 }
295
296 if (process_rcode) {
297 code = process_rcode[rcode];
298 if (FR_TACACS_PACKET_CODE_VALID(code) || (code == FR_TACACS_CODE_DO_NOT_RESPOND)) return code;
299 }
300
301 /*
302 * Otherwise use Packet-Type (if set)
303 */
304 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_packet_type);
305 if (vp && (FR_TACACS_PACKET_CODE_VALID(vp->vp_uint32) || (vp->vp_uint32 == FR_TACACS_CODE_DO_NOT_RESPOND))) {
306 RDEBUG("Setting reply Packet-Type from %pV", &vp->data);
307 return vp->vp_uint32;
308 }
309
310 return 0;
311}
312
313RECV(auth_start)
314{
315 fr_process_state_t const *state;
316 fr_pair_t *vp;
317
318 /*
319 * Only "Login" is supported. The others are "change password" and "sendauth", which aren't
320 * used.
321 */
322 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_action);
323 if (!vp) {
324 fail:
325 request->reply->code = FR_TACACS_CODE_AUTH_ERROR;
326 UPDATE_STATE(reply);
327
328 fr_assert(state->send != NULL);
329 return CALL_SEND_STATE(state);
330 }
331
332 if (vp->vp_uint8 != FR_ACTION_VALUE_LOGIN) {
333 RDEBUG("Invalid authentication action %u", vp->vp_uint8);
334 goto fail;
335 }
336
337 /*
338 * There is no state to restore, so we just run the section as normal.
339 */
340
341 return CALL_RECV(generic);
342}
343
344RESUME(auth_type);
345
355
356RESUME(auth_start)
357{
358 rlm_rcode_t rcode = RESULT_RCODE;
359 fr_pair_t *vp;
360 CONF_SECTION *cs;
361 fr_dict_enum_value_t const *dv;
362 fr_process_state_t const *state;
363 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
364
365 PROCESS_TRACE;
366
367 fr_assert(rcode < RLM_MODULE_NUMCODES);
368
369 /*
370 * See if the return code from "recv" which says we reject, or continue.
371 */
372 UPDATE_STATE(packet);
373
374 /*
375 * Nothing set the reply, so let's see if we need to do so.
376 *
377 * If the admin didn't set authentication-status, just
378 * use the defaults from the state machine.
379 */
380 if (!request->reply->code) {
381 request->reply->code = reply_code(request,
382 attr_tacacs_authentication_status,
383 authen_status_to_packet_code, state, NULL, rcode);
384 } else {
385 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
386 }
387
388 /*
389 * Check for multi-round authentication.
390 *
391 * We only run the automatic state machine (start -> getuser -> getpass -> pass/fail)
392 * when the admin does NOT set any reply type, or any reply authentication status.
393 *
394 * However, do DO always save and restore the attributes from the start packet, so that they are
395 * visible in a later packet.
396 */
397 if (!request->reply->code) {
398 process_tacacs_session_t *session;
399 fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
400
401 session = request_data_reference(request, inst, 0);
402 if (!session) {
403 /*
404 * This function is called for resuming both "start" and "continue" packets, so
405 * we have to check for "start" here.
406 *
407 * We only do multi-round authentication for the ASCII authentication type.
408 * Other authentication types are defined to be one request/reply only.
409 */
410 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
411 if (!packet_is_authen_start_request(packet) ||
412 (vp && (fr_value_box_cmp(&vp->data, enum_tacacs_auth_type_ascii) != 0))) {
413 goto auth_type;
414 }
415
416 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name);
417 if (!vp) {
418 RDEBUG("No User-Name, replying with Authentication-GetUser");
419 request->reply->code = FR_TACACS_CODE_AUTH_GETUSER;
420 } else {
421 RDEBUG("User-Name = %pV, replying with Authentication-GetPass", &vp->data);
422 request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
423 goto add_auth_flags;
424 }
425
426 goto send_reply;
427 }
428
429 /*
430 * Last reply was "get username", we now get the password.
431 */
432 if (session->reply == FR_TACACS_CODE_AUTH_GETUSER) {
433 RDEBUG("No User-Password, replying with Authentication-GetPass");
434 request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
435
436 /*
437 * Pre-set the authentication flags reply to No-Echo
438 * RFC 8907 says this should be set when the data being
439 * requested is sensitive and should not be echoed to the
440 * user as it is being entered.
441 */
442 add_auth_flags:
443 MEM(pair_append_reply(&vp, attr_tacacs_authentication_flags) >= 0);
444 if (unlikely(fr_value_box_copy(vp, &vp->data, enum_auth_flags_noecho) < 0)) {
445 RPEDEBUG("Failed creating Authentication-Flags attribute with No-Echo flag");
446 pair_delete_reply(vp);
447 goto reject;
448 }
449 vp->data.enumv = attr_tacacs_authentication_flags;
450 goto send_reply;
451 }
452
453 /*
454 * We either have a password, or the admin screwed up the configuration somehow. Just go
455 * run "Auth-Type foo".
456 */
457 goto auth_type;
458 }
459
460 /*
461 * Something set the reply code, skip
462 * the normal auth flow and respond immediately.
463 */
464 if (request->reply->code) {
465 switch (request->reply->code) {
466 case FR_TACACS_CODE_AUTH_FAIL:
467 RDEBUG("The 'recv Authentication-Start' section returned %s - failing the request",
468 fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
469 break;
470
471 case FR_TACACS_CODE_DO_NOT_RESPOND:
472 RDEBUG("Reply packet type was set to Do-Not-Respond");
473 break;
474
475 default:
476 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
477 RDEBUG("Reply packet type was set to %s", fr_tacacs_packet_names[request->reply->code]);
478 break;
479 }
480
481 send_reply:
482 UPDATE_STATE(reply);
483
484 fr_assert(state->send != NULL);
485 return CALL_SEND_STATE(state);
486 }
487
488 /*
489 * Run authenticate foo { ... }
490 *
491 * If we can't find Auth-Type, OR if we can't find Auth-Type = foo, then it's a reject.
492 *
493 * We prefer the local Auth-Type to the Authentication-Type in the packet. But if there's no
494 * Auth-Type set by the admin, then we use what's in the packet.
495 */
496 auth_type:
497 vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_auth_type);
498 if (!vp) vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
499 if (!vp) {
500 RDEBUG("No 'Auth-Type' or 'Authentication-Type' attribute found, "
501 "cannot authenticate the user - rejecting the request");
502
503 reject:
504 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
505 goto send_reply;
506 }
507
508 dv = fr_dict_enum_by_value(vp->da, &vp->data);
509 if (!dv) {
510 RDEBUG("Invalid value for '%s' attribute, cannot authenticate the user - rejecting the request",
511 vp->da->name);
512
513 goto reject;
514 }
515
516 /*
517 * The magic Auth-Type Accept value which means skip the authenticate section.
518 *
519 * And Reject means always reject. Tho the admin should just return "reject" from the section.
520 */
521 if (vp->da == attr_auth_type) {
522 if (fr_value_box_cmp(enum_auth_type_accept, dv->value) == 0) {
523 request->reply->code = FR_TACACS_CODE_AUTH_PASS;
524 goto send_reply;
525
526 } else if (fr_value_box_cmp(enum_auth_type_reject, dv->value) == 0) {
527 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
528 goto send_reply;
529 }
530 }
531
532 cs = cf_section_find(inst->server_cs, "authenticate", dv->name);
533 if (!cs) {
534 RDEBUG2("No 'authenticate %s { ... }' section found - rejecting the request", dv->name);
535 goto reject;
536 }
537
538 /*
539 * Run the "authenticate foo { ... }" section.
540 *
541 * And continue with sending the generic reply.
542 */
543 RDEBUG("Running 'authenticate %s' from file %s", cf_section_name2(cs), cf_filename(cs));
544 return unlang_module_yield_to_section(RESULT_P, request,
545 cs, RLM_MODULE_NOOP, resume_auth_type,
546 NULL, 0, mctx->rctx);
547}
548
549RESUME(auth_type)
550{
551 static const fr_process_rcode_t auth_type_rcode = {
552 [RLM_MODULE_OK] = FR_TACACS_CODE_AUTH_PASS,
553 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
554 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
555 [RLM_MODULE_NOOP] = FR_TACACS_CODE_AUTH_FAIL,
556 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
557 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
558 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_AUTH_PASS,
559 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
560 };
561
562 rlm_rcode_t rcode = RESULT_RCODE;
563 fr_process_state_t const *state;
564 fr_pair_t *vp;
565
566 PROCESS_TRACE;
567
568 fr_assert(rcode < RLM_MODULE_NUMCODES);
569
570 /*
571 * If nothing set the reply code, then try to set it from various other things.
572 *
573 * The user could have set Authentication-Status
574 * or Packet-Type to something other than
575 * pass...
576 */
577 if (!request->reply->code) {
578 request->reply->code = reply_code(request,
579 attr_tacacs_authentication_status,
580 authen_status_to_packet_code, NULL, auth_type_rcode, rcode);
581 } else {
582 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
583 }
584
585 switch (request->reply->code) {
586 case 0:
587 RDEBUG("No reply code was set. Forcing to Authentication-Fail");
588 fail:
589 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
590 FALL_THROUGH;
591
592 /*
593 * Print complaints before running "send Access-Reject"
594 */
595 case FR_TACACS_CODE_AUTH_FAIL:
596 RDEBUG2("Failed to authenticate the user");
597 break;
598
599 case FR_TACACS_CODE_AUTH_GETDATA:
600 case FR_TACACS_CODE_AUTH_GETUSER:
601 case FR_TACACS_CODE_AUTH_GETPASS:
602 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
603 if (vp && (vp->vp_uint8 != FR_AUTHENTICATION_TYPE_VALUE_ASCII)) {
604 RDEBUG2("Cannot send challenges for %pP", vp);
605 goto fail;
606 }
607 break;
608
609 default:
610 break;
611
612 }
613 UPDATE_STATE(reply);
614
615 fr_assert(state->send != NULL);
616 return state->send(p_result, mctx, request);
617}
618
619RESUME_FLAG(auth_pass, UNUSED,)
620{
621 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
622
623 PROCESS_TRACE;
624
625 // @todo - worry about user identity existing?
626
627 fr_state_discard(inst->auth.state_tree, request);
628 return UNLANG_ACTION_CALCULATE_RESULT;
629}
630
631RESUME_FLAG(auth_fail, UNUSED,)
632{
633 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
634
635 PROCESS_TRACE;
636
637 // @todo - insert server message saying "failed"
638 // and also for FAIL
639
640 fr_state_discard(inst->auth.state_tree, request);
641 return UNLANG_ACTION_CALCULATE_RESULT;
642}
643
644RESUME_FLAG(auth_restart, UNUSED,)
645{
646 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
647
648 PROCESS_TRACE;
649
650 fr_state_discard(inst->auth.state_tree, request);
651 return UNLANG_ACTION_CALCULATE_RESULT;
652}
653
654RESUME(auth_get)
655{
656 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
657 process_tacacs_session_t *session;
658 fr_pair_t *vp, *copy;
659
660 PROCESS_TRACE;
661
662 /*
663 * Track multi-round authentication flows. Note that they can only start with an
664 * "Authentication-Start" packet, but they can continue with an "Authentication-Continue" packet.
665 *
666 * If there's no session being tracked, then we create one for a start packet.
667 */
668 session = request_data_reference(request, inst, 0);
669 if (!session) {
670 fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
671
672 if (!packet_is_authen_start_request(packet)) goto send_reply;
673
674 MEM(session = talloc_zero(NULL, process_tacacs_session_t));
675 if (request_data_talloc_add(request, inst, 0, process_tacacs_session_t, session, true, true, true) < 0) {
676 talloc_free(session);
677 goto send_reply;
678 }
679
680 /*
681 * These are the only things which saved. The rest of the fields are either static (and statically
682 * known), or are irrelevant.
683 */
684 fr_pair_list_init(&session->list);
685#undef COPY
686#define COPY(_attr) do { \
687 vp = fr_pair_find_by_da(&request->request_pairs, NULL, _attr); \
688 if (!vp) break; \
689 MEM(copy = fr_pair_copy(session, vp)); \
690 fr_pair_append(&session->list, copy); \
691 RDEBUG2("%pP", copy); \
692} while (0)
693
694 RDEBUG2("Caching session attributes:");
695 RINDENT();
696 COPY(attr_user_name);
697 COPY(attr_tacacs_client_port);
698 COPY(attr_tacacs_remote_address);
699 COPY(attr_tacacs_privilege_level);
700 COPY(attr_tacacs_authentication_type);
701 REXDENT();
702
703 } else {
704 /*
705 * It is possible that the user name or password are added on subsequent Authentication-Continue
706 * packets following replies with Authentication-GetUser or Authentication-GetPass.
707 * Check if they are already in the session cache, and if not, add them.
708 */
709#define COPY_MISSING(_attr) do { \
710 vp = fr_pair_find_by_da(&session->list, NULL, _attr); \
711 if (vp) break; \
712 COPY(_attr); \
713} while (0)
714
715 RDEBUG2("Caching additional session attributes:");
716 RINDENT();
717 COPY_MISSING(attr_user_name);
718 COPY_MISSING(attr_user_password);
719 REXDENT();
720 }
721 session->reply = request->reply->code;
722 session->seq_no = request->packet->data[2];
723
724send_reply:
725 /*
726 * Cache the session state context.
727 */
728 if ((state_create(request->reply_ctx, &request->reply_pairs, request, true) < 0) ||
729 (fr_state_store(inst->auth.state_tree, request) < 0)) {
730 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
731 }
732
733 return UNLANG_ACTION_CALCULATE_RESULT;
734}
735
736RECV(auth_cont)
737{
738 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
739 process_tacacs_session_t *session;
740
741 if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
742 (fr_state_restore(inst->auth.state_tree, request) < 0)) {
743 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
744 }
745
746 /*
747 * Restore key fields from the original Authentication-Start packet.
748 */
749 session = request_data_reference(request, inst, 0);
750 if (session) {
751 fr_pair_t *vp = NULL, *copy;
752
753 if (request->packet->data[2] <= session->seq_no) {
754 REDEBUG("Client sent invalid sequence number %02x, expected >%02x", request->packet->data[2], session->seq_no);
755 error:
756 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
757 }
758
759 if (fr_debug_lvl >= L_DBG_LVL_2) {
760 RDEBUG2("Restoring session attributes:");
761 RINDENT();
762 while ((vp = fr_pair_list_next(&session->list, vp))) {
763 RDEBUG2("%pP", vp);
764 }
765 REXDENT();
766 }
767 if (fr_pair_list_copy(request->request_ctx, &request->request_pairs, &session->list) < 0) goto error;
768
769 /*
770 * Copy the returned user_message into the attribute we requested.
771 */
772#define EXTRACT(_attr) \
773 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_user_message); \
774 if (!vp) break; \
775 fr_value_box_set_secret(&vp->data, _attr->flags.secret); \
776 if (pair_append_request(&copy, _attr) < 0) break; \
777 if (fr_pair_value_copy(copy, vp) < 0) { \
778 fr_pair_remove(&request->request_pairs, copy); \
779 talloc_free(copy); \
780 break; \
781 } \
782 RDEBUG2("Populated %pP from user_message", copy)
783
784 switch (session->reply) {
785 case FR_TACACS_CODE_AUTH_GETUSER:
786 EXTRACT(attr_user_name);
787 break;
788
789 case FR_TACACS_CODE_AUTH_GETPASS:
790 EXTRACT(attr_user_password);
791 break;
792
793 default:
794 break;
795 }
796 }
797
798 return CALL_RECV(generic);
799}
800
801/*
802 * The client aborted the session. The reply should be RESTART or FAIL.
803 */
804RECV(auth_cont_abort)
805{
806 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
807
808 if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
809 (fr_state_restore(inst->auth.state_tree, request) < 0)) {
810 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
811 }
812
813 return CALL_RECV(generic);
814}
815
816RESUME(auth_cont_abort)
817{
818 rlm_rcode_t rcode = RESULT_RCODE;
819 fr_process_state_t const *state;
820
821 UPDATE_STATE(packet);
822
823 if (!request->reply->code) {
824 switch (rcode) {
825 case RLM_MODULE_OK:
826 case RLM_MODULE_UPDATED:
827 request->reply->code = FR_TACACS_CODE_AUTH_RESTART;
828 break;
829
830 default:
831 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
832 break;
833 }
834
835 } else {
836 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code) ||
837 (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND));
838 }
839
840 RDEBUG("Reply packet type set to %s", (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND) ? "Do-Not-Respond" : fr_tacacs_packet_names[request->reply->code]);
841
842 UPDATE_STATE(reply);
843
844 fr_assert(state->send != NULL);
845 return CALL_SEND_STATE(state);
846}
847
848
855
856
857RESUME(autz_request)
858{
859 rlm_rcode_t rcode = RESULT_RCODE;
860 fr_process_state_t const *state;
861
862 PROCESS_TRACE;
863
864 fr_assert(rcode < RLM_MODULE_NUMCODES);
865
866 /*
867 * See if the return code from "recv" which says we reject, or continue.
868 */
869 UPDATE_STATE(packet);
870
871 /*
872 * Nothing set the reply, so let's see if we need to do so.
873 *
874 * If the admin didn't set authorization-status, just
875 * use the defaults from the state machine.
876 */
877 if (!request->reply->code) {
878 request->reply->code = reply_code(request, attr_tacacs_authorization_status,
879 author_status_to_packet_code, state, NULL, rcode);
880 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_AUTZ_ERROR;
881
882 }
883 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code) ||
884 (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND));
885
886 RDEBUG("Reply packet type set to %s", (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND) ? "Do-Not-Respond" : fr_tacacs_packet_names[request->reply->code]);
887
888 UPDATE_STATE(reply);
889
890 fr_assert(state->send != NULL);
891 return CALL_SEND_STATE(state);
892}
893
898
899RESUME(acct_type)
900{
901 static const fr_process_rcode_t acct_type_rcode = {
902 [RLM_MODULE_OK] = FR_TACACS_CODE_ACCT_SUCCESS,
903 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_ACCT_SUCCESS,
904 [RLM_MODULE_NOOP] = FR_TACACS_CODE_ACCT_ERROR,
905 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
906 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
907 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
908 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
909 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
910 };
911
912 rlm_rcode_t rcode = RESULT_RCODE;
913 fr_process_state_t const *state;
914
915 PROCESS_TRACE;
916
917 /*
918 * One more chance to override
919 */
920 if (!request->reply->code) {
921 request->reply->code = reply_code(request, attr_tacacs_accounting_status, acct_status_to_packet_code,
922 NULL, acct_type_rcode, rcode);
923 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
924 } else {
925 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
926 }
927
928 UPDATE_STATE(reply);
929
930 fr_assert(state->send != NULL);
931 return state->send(p_result, mctx, request);
932}
933
934static const bool acct_flag_valid[8] = {
935 false, true, true, false, /* invalid, start, stop, invalid */
936 true, true, false, false, /* watchdog - no update, watchdog - update, invalid, invalid */
937};
938
939RECV(accounting_request)
940{
941 fr_pair_t *vp;
942
943 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
944
945 /*
946 * RFC 8907 Section 7.2
947 */
948 if (vp && !acct_flag_valid[(vp->vp_uint8 & 0x0e) >> 1]) {
949 RWDEBUG("Invalid accounting request flag field %02x", vp->vp_uint8);
950 return CALL_SEND_TYPE(FR_TACACS_CODE_ACCT_ERROR);
951 }
952
953 return CALL_RECV(generic);
954}
955
956RESUME(accounting_request)
957{
958 rlm_rcode_t rcode = RESULT_RCODE;
959 fr_pair_t *vp;
960 CONF_SECTION *cs;
961 fr_dict_enum_value_t const *dv;
962 fr_process_state_t const *state;
963 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
964
965 PROCESS_TRACE;
966
967 fr_assert(rcode < RLM_MODULE_NUMCODES);
968
969 UPDATE_STATE(packet);
970
971 /*
972 * Nothing set the reply, so let's see if we need to do so.
973 *
974 * If the admin didn't set accounting-status, just
975 * use the defaults from the state machine.
976 */
977 if (!request->reply->code) {
978 request->reply->code = reply_code(request, attr_tacacs_accounting_status,
979 acct_status_to_packet_code, state, NULL, rcode);
980 } else {
981 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
982 }
983
984 /*
985 * Something set the reply code, so we reply and don't run "accounting foo { ... }"
986 */
987 if (request->reply->code) {
988 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code) ||
989 (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND));
990
991 RDEBUG("Reply packet type set to %s", (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND) ? "Do-Not-Respond" : fr_tacacs_packet_names[request->reply->code]);
992
993 UPDATE_STATE(reply);
994
995 fr_assert(state->send != NULL);
996 return CALL_SEND_STATE(state);
997 }
998
999 /*
1000 * Run accounting foo { ... }
1001 */
1002 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
1003 if (!vp) {
1004 fail:
1005 request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
1006 UPDATE_STATE(reply);
1007 fr_assert(state->send != NULL);
1008 return CALL_SEND_STATE(state);
1009 }
1010
1011 dv = fr_dict_enum_by_value(vp->da, &vp->data);
1012 if (!dv) goto fail;
1013
1014 cs = cf_section_find(inst->server_cs, "accounting", dv->name);
1015 if (!cs) {
1016 RDEBUG2("No 'accounting %s { ... }' section found - skipping...", dv->name);
1017 goto fail;
1018 }
1019
1020 /*
1021 * Run the "accounting foo { ... }" section.
1022 *
1023 * And continue with sending the generic reply.
1024 */
1025 return unlang_module_yield_to_section(RESULT_P, request,
1026 cs, RLM_MODULE_NOOP, resume_acct_type,
1027 NULL, 0, mctx->rctx);
1028}
1029
1030static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
1031{
1032 fr_process_state_t const *state;
1033
1034 PROCESS_TRACE;
1035
1036 (void)talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
1037 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->packet->code));
1038
1039 request->component = "tacacs";
1040 request->module = NULL;
1041 fr_assert(request->proto_dict == dict_tacacs);
1042
1043 UPDATE_STATE(packet);
1044
1045 if (!state->recv) {
1046 REDEBUG("Invalid packet type (%u)", request->packet->code);
1047 RETURN_UNLANG_FAIL;
1048 }
1049
1050 // @todo - debug stuff!
1051// tacacs_packet_debug(request, request->packet, &request->request_pairs, true);
1052
1053 if (unlikely(request_is_dynamic_client(request))) {
1054 return new_client(p_result, mctx, request);
1055 }
1056
1057 return state->recv(p_result, mctx, request);
1058}
1059
1060static int mod_instantiate(module_inst_ctx_t const *mctx)
1061{
1062 process_tacacs_t *inst = talloc_get_type_abort(mctx->mi->data, process_tacacs_t);
1063
1064 inst->server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1065
1066 FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.session.max_rounds, >=, 1);
1067 FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.session.max_rounds, <=, 8);
1068
1069 FR_INTEGER_BOUND_CHECK("session.max", inst->auth.session.max_sessions, >=, 64);
1070 FR_INTEGER_BOUND_CHECK("session.max", inst->auth.session.max_sessions, <=, (1 << 18));
1071
1072 inst->auth.session.thread_safe = main_config->spawn_workers;
1073 inst->auth.session.context_id = fr_hash_string(cf_section_name2(inst->server_cs));
1074
1075 MEM(inst->auth.state_tree = fr_state_tree_init(inst, attr_tacacs_state, &inst->auth.session));
1076
1077 return 0;
1078}
1079
1080static int mod_bootstrap(module_inst_ctx_t const *mctx)
1081{
1082 CONF_SECTION *server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1083
1084 if (virtual_server_section_attribute_define(server_cs, "authenticate", attr_auth_type) < 0) return -1;
1085
1086 return 0;
1087}
1088
1089/*
1090 * rcodes not listed under a packet_type
1091 * mean that the packet code will not be
1092 * changed.
1093 */
1094static fr_process_state_t const process_state[] = {
1095 /*
1096 * Authentication
1097 */
1098 [ FR_TACACS_CODE_AUTH_START ] = {
1099 .packet_type = {
1100 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1101 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1102 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1103 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1104 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1105 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1106 },
1107 .default_rcode = RLM_MODULE_NOOP,
1108 .recv = recv_auth_start,
1109 .resume = resume_auth_start,
1110 .section_offset = offsetof(process_tacacs_sections_t, auth_start),
1111 },
1112 [ FR_TACACS_CODE_AUTH_PASS ] = {
1113 .packet_type = {
1114 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1115 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1116 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1117 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1118 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1119 },
1120 .default_rcode = RLM_MODULE_NOOP,
1121 .result_rcode = RLM_MODULE_OK,
1122 .send = send_generic,
1123 .resume = resume_auth_pass,
1124 .section_offset = offsetof(process_tacacs_sections_t, auth_pass),
1125 },
1126 [ FR_TACACS_CODE_AUTH_FAIL ] = {
1127 .packet_type = {
1128 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1129 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1130 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1131 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1132 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1133 },
1134 .default_rcode = RLM_MODULE_NOOP,
1135 .result_rcode = RLM_MODULE_REJECT,
1136 .send = send_generic,
1137 .resume = resume_auth_fail,
1138 .section_offset = offsetof(process_tacacs_sections_t, auth_fail),
1139 },
1140 [ FR_TACACS_CODE_AUTH_GETDATA ] = {
1141 .packet_type = {
1142 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1143 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1144 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1145 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1146 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1147 },
1148 .default_rcode = RLM_MODULE_NOOP,
1149 .result_rcode = RLM_MODULE_OK,
1150 .send = send_generic,
1151 .resume = resume_auth_get,
1152 .section_offset = offsetof(process_tacacs_sections_t, auth_getdata),
1153 },
1154 [ FR_TACACS_CODE_AUTH_GETPASS ] = {
1155 .packet_type = {
1156 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1157 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1158 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1159 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1160 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1161 },
1162 .default_rcode = RLM_MODULE_NOOP,
1163 .result_rcode = RLM_MODULE_OK,
1164 .send = send_generic,
1165 .resume = resume_auth_get,
1166 .section_offset = offsetof(process_tacacs_sections_t, auth_getpass),
1167 },
1168 [ FR_TACACS_CODE_AUTH_GETUSER ] = {
1169 .packet_type = {
1170 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1171 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1172 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1173 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1174 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1175 },
1176 .default_rcode = RLM_MODULE_NOOP,
1177 .result_rcode = RLM_MODULE_OK,
1178 .send = send_generic,
1179 .resume = resume_auth_get,
1180 .section_offset = offsetof(process_tacacs_sections_t, auth_getuser),
1181 },
1182 [ FR_TACACS_CODE_AUTH_RESTART ] = {
1183 .packet_type = {
1184 },
1185 .default_rcode = RLM_MODULE_NOOP,
1186 .result_rcode = RLM_MODULE_OK,
1187 .send = send_generic,
1188 .resume = resume_auth_restart,
1189 .section_offset = offsetof(process_tacacs_sections_t, auth_restart),
1190 },
1191 [ FR_TACACS_CODE_AUTH_ERROR ] = {
1192 .packet_type = {
1193 },
1194 .default_rcode = RLM_MODULE_NOOP,
1195 .result_rcode = RLM_MODULE_REJECT,
1196 .send = send_generic,
1197 .resume = resume_auth_restart,
1198 .section_offset = offsetof(process_tacacs_sections_t, auth_error),
1199 },
1200
1201 [ FR_TACACS_CODE_AUTH_CONT ] = {
1202 .packet_type = {
1203 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1204 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1205 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1206 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1207 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1208 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1209 },
1210 .default_rcode = RLM_MODULE_NOOP,
1211 .result_rcode = RLM_MODULE_OK,
1212 .recv = recv_auth_cont,
1213 .resume = resume_auth_start, /* we go back to running 'authenticate', etc. */
1214 .section_offset = offsetof(process_tacacs_sections_t, auth_cont),
1215 },
1216 [ FR_TACACS_CODE_AUTH_CONT_ABORT ] = {
1217 .packet_type = {
1218 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1219 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1220 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1221 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1222 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1223 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1224 },
1225 .default_rcode = RLM_MODULE_NOOP,
1226 .result_rcode = RLM_MODULE_REJECT,
1227 .recv = recv_auth_cont_abort,
1228 .resume = resume_auth_cont_abort,
1229 .section_offset = offsetof(process_tacacs_sections_t, auth_cont_abort),
1230 },
1231
1232 /*
1233 * Authorization
1234 */
1235 [ FR_TACACS_CODE_AUTZ_REQUEST ] = {
1236 .packet_type = {
1237 [RLM_MODULE_NOOP] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1238 [RLM_MODULE_OK] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1239 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1240 [RLM_MODULE_HANDLED] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1241
1242 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1243 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1244 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1245 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1246 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1247 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1248 },
1249 .default_rcode = RLM_MODULE_NOOP,
1250 .recv = recv_generic,
1251 .resume = resume_autz_request,
1252 .section_offset = offsetof(process_tacacs_sections_t, autz_request),
1253 },
1254 [ FR_TACACS_CODE_AUTZ_PASS_ADD ] = {
1255 .packet_type = {
1256 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1257 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1258 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1259 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1260 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1261 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1262 },
1263 .default_rcode = RLM_MODULE_NOOP,
1264 .result_rcode = RLM_MODULE_OK,
1265 .send = send_generic,
1266 .resume = resume_send_generic,
1267 .section_offset = offsetof(process_tacacs_sections_t, autz_pass_add),
1268 },
1269 [ FR_TACACS_CODE_AUTZ_PASS_REPLACE ] = {
1270 .packet_type = {
1271 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1272 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1273 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1274 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1275 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1276 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1277 },
1278 .default_rcode = RLM_MODULE_NOOP,
1279 .result_rcode = RLM_MODULE_OK,
1280 .send = send_generic,
1281 .resume = resume_send_generic,
1282 .section_offset = offsetof(process_tacacs_sections_t, autz_pass_replace),
1283 },
1284 [ FR_TACACS_CODE_AUTZ_FAIL ] = {
1285 .packet_type = {
1286 },
1287 .default_rcode = RLM_MODULE_NOOP,
1288 .result_rcode = RLM_MODULE_REJECT,
1289 .send = send_generic,
1290 .resume = resume_send_generic,
1291 .section_offset = offsetof(process_tacacs_sections_t, autz_fail),
1292 },
1293 [ FR_TACACS_CODE_AUTZ_ERROR ] = {
1294 .packet_type = {
1295 },
1296 .default_rcode = RLM_MODULE_NOOP,
1297 .result_rcode = RLM_MODULE_REJECT,
1298 .send = send_generic,
1299 .resume = resume_send_generic,
1300 .section_offset = offsetof(process_tacacs_sections_t, autz_error),
1301 },
1302
1303 /*
1304 * Accounting
1305 */
1306 [ FR_TACACS_CODE_ACCT_REQUEST ] = {
1307 .packet_type = {
1308 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
1309 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
1310 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
1311 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
1312 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
1313 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1314 },
1315 .default_rcode = RLM_MODULE_NOOP,
1316 .recv = recv_accounting_request,
1317 .resume = resume_accounting_request,
1318 .section_offset = offsetof(process_tacacs_sections_t, acct_request),
1319 },
1320 [ FR_TACACS_CODE_ACCT_SUCCESS ] = {
1321 .packet_type = {
1322 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
1323 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
1324 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
1325 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
1326 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
1327 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1328 },
1329 .default_rcode = RLM_MODULE_NOOP,
1330 .result_rcode = RLM_MODULE_OK,
1331 .send = send_generic,
1332 .resume = resume_send_generic,
1333 .section_offset = offsetof(process_tacacs_sections_t, acct_success),
1334 },
1335 [ FR_TACACS_CODE_ACCT_ERROR ] = {
1336 .packet_type = {
1337 },
1338 .default_rcode = RLM_MODULE_NOOP,
1339 .result_rcode = RLM_MODULE_FAIL,
1340 .send = send_generic,
1341 .resume = resume_send_generic,
1342 .section_offset = offsetof(process_tacacs_sections_t, acct_error),
1343 },
1344 [ FR_TACACS_CODE_DO_NOT_RESPOND ] = {
1345 .packet_type = {
1346 [RLM_MODULE_NOOP] = FR_TACACS_CODE_DO_NOT_RESPOND,
1347 [RLM_MODULE_OK] = FR_TACACS_CODE_DO_NOT_RESPOND,
1348 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_DO_NOT_RESPOND,
1349 [RLM_MODULE_HANDLED] = FR_TACACS_CODE_DO_NOT_RESPOND,
1350
1351 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_DO_NOT_RESPOND,
1352 [RLM_MODULE_FAIL] = FR_TACACS_CODE_DO_NOT_RESPOND,
1353 [RLM_MODULE_INVALID] = FR_TACACS_CODE_DO_NOT_RESPOND,
1354 [RLM_MODULE_REJECT] = FR_TACACS_CODE_DO_NOT_RESPOND,
1355 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_DO_NOT_RESPOND,
1356 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1357 },
1358 .default_rcode = RLM_MODULE_NOOP,
1359 .result_rcode = RLM_MODULE_HANDLED,
1360 .send = send_generic,
1361 .resume = resume_send_generic,
1362 .section_offset = offsetof(process_tacacs_sections_t, do_not_respond),
1363 }
1364};
1365
1366
1367static virtual_server_compile_t compile_list[] = {
1368 /**
1369 * Basically, the TACACS+ protocol use same type "authenticate" to handle
1370 * Start and Continue requests. (yep, you're right. it's horrible)
1371 * Therefore, we split the same "auth" type into two different sections just
1372 * to allow the user to have different logic for that.
1373 *
1374 * If you want to cry, just take a look at
1375 *
1376 * https://tools.ietf.org/html/rfc8907 Section 4.
1377 *
1378 * This should be an abject lesson in how NOT to design a
1379 * protocol. Pretty much everything they did was wrong.
1380 */
1381 {
1382 .section = SECTION_NAME("recv", "Authentication-Start"),
1383 .actions = &mod_actions_authenticate,
1384 .offset = PROCESS_CONF_OFFSET(auth_start),
1385 },
1386 {
1387 .section = SECTION_NAME("send", "Authentication-Pass"),
1388 .actions = &mod_actions_postauth,
1389 .offset = PROCESS_CONF_OFFSET(auth_pass),
1390 },
1391 {
1392 .section = SECTION_NAME("send", "Authentication-Fail"),
1393 .actions = &mod_actions_postauth,
1394 .offset = PROCESS_CONF_OFFSET(auth_fail),
1395 },
1396 {
1397 .section = SECTION_NAME("send", "Authentication-GetData"),
1398 .actions = &mod_actions_postauth,
1399 .offset = PROCESS_CONF_OFFSET(auth_getdata),
1400 },
1401 {
1402 .section = SECTION_NAME("send", "Authentication-GetUser"),
1403 .actions = &mod_actions_postauth,
1404 .offset = PROCESS_CONF_OFFSET(auth_getuser),
1405 },
1406 {
1407 .section = SECTION_NAME("send", "Authentication-GetPass"),
1408 .actions = &mod_actions_postauth,
1409 .offset = PROCESS_CONF_OFFSET(auth_getpass),
1410 },
1411 {
1412 .section = SECTION_NAME("send", "Authentication-Restart"),
1413 .actions = &mod_actions_postauth,
1414 .offset = PROCESS_CONF_OFFSET(auth_restart),
1415 },
1416 {
1417 .section = SECTION_NAME("send", "Authentication-Error"),
1418 .actions = &mod_actions_postauth,
1419 .offset = PROCESS_CONF_OFFSET(auth_error),
1420 },
1421 {
1422 .section = SECTION_NAME("recv", "Authentication-Continue"),
1423 .actions = &mod_actions_authenticate,
1424 .offset = PROCESS_CONF_OFFSET(auth_cont),
1425 },
1426 {
1427 .section = SECTION_NAME("recv", "Authentication-Continue-Abort"),
1428 .actions = &mod_actions_authenticate,
1429 .offset = PROCESS_CONF_OFFSET(auth_cont_abort),
1430 },
1431
1432 {
1433 .section = SECTION_NAME("authenticate", CF_IDENT_ANY),
1434 .actions = &mod_actions_authenticate,
1435 },
1436
1437 /* authorization */
1438
1439 {
1440 .section = SECTION_NAME("recv", "Authorization-Request"),
1441 .actions = &mod_actions_authorize,
1442 .offset = PROCESS_CONF_OFFSET(autz_request),
1443 },
1444 {
1445 .section = SECTION_NAME("send", "Authorization-Pass-Add"),
1446 .actions = &mod_actions_postauth,
1447 .offset = PROCESS_CONF_OFFSET(autz_pass_add),
1448 },
1449 {
1450 .section = SECTION_NAME("send", "Authorization-Pass-Replace"),
1451 .actions = &mod_actions_postauth,
1452 .offset = PROCESS_CONF_OFFSET(autz_pass_replace),
1453 },
1454 {
1455 .section = SECTION_NAME("send", "Authorization-Fail"),
1456 .actions = &mod_actions_postauth,
1457 .offset = PROCESS_CONF_OFFSET(autz_fail),
1458 },
1459 {
1460 .section = SECTION_NAME("send", "Authorization-Error"),
1461 .actions = &mod_actions_postauth,
1462 .offset = PROCESS_CONF_OFFSET(autz_error),
1463 },
1464
1465 /* accounting */
1466
1467 {
1468 .section = SECTION_NAME("recv", "Accounting-Request"),
1469 .actions = &mod_actions_accounting,
1470 .offset = PROCESS_CONF_OFFSET(acct_request),
1471 },
1472 {
1473 .section = SECTION_NAME("send", "Accounting-Success"),
1474 .actions = &mod_actions_postauth,
1475 .offset = PROCESS_CONF_OFFSET(acct_success),
1476 },
1477 {
1478 .section = SECTION_NAME("send", "Accounting-Error"),
1479 .actions = &mod_actions_postauth,
1480 .offset = PROCESS_CONF_OFFSET(acct_error),
1481 },
1482
1483 {
1484 .section = SECTION_NAME("accounting", CF_IDENT_ANY),
1485 .actions = &mod_actions_accounting,
1486 },
1487
1488 {
1489 .section = SECTION_NAME("send", "Do-Not-Respond"),
1490 .actions = &mod_actions_postauth,
1491 .offset = PROCESS_CONF_OFFSET(do_not_respond),
1492 },
1493
1494 DYNAMIC_CLIENT_SECTIONS,
1495
1496 COMPILE_TERMINATOR
1497};
1498
1499
1500extern fr_process_module_t process_tacacs;
1501fr_process_module_t process_tacacs = {
1502 .common = {
1503 .magic = MODULE_MAGIC_INIT,
1504 .name = "tacacs",
1505 .config = config,
1506 MODULE_INST(process_tacacs_t),
1507 MODULE_RCTX(process_rctx_t),
1508 .bootstrap = mod_bootstrap,
1509 .instantiate = mod_instantiate
1510 },
1511 .process = mod_process,
1512 .compile_list = compile_list,
1513 .dict = &dict_tacacs,
1514 .packet_type = &attr_packet_type
1515};
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
UNLANG_ACTION_CALCULATE_RESULT
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition action.h:37
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:343
unlikely
#define unlikely(_x)
Definition build.h:402
UNUSED
#define UNUSED
Definition build.h:336
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:657
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:517
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:334
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:423
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:594
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_section_name2
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1184
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
cf_parent
#define cf_parent(_cf)
Definition cf_util.h:98
cf_filename
#define cf_filename(_cf)
Definition cf_util.h:104
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:75
MEM
#define MEM(x)
Definition debug.h:46
fr_dict_enum_autoload_t::out
fr_value_box_t const ** out
Enumeration value.
Definition dict.h:281
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:292
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:305
fr_dict_enum_value_t::value
fr_value_box_t const * value
Enum value (what name maps to).
Definition dict.h:257
fr_dict_enum_by_value
fr_dict_enum_value_t const * fr_dict_enum_by_value(fr_dict_attr_t const *da, fr_value_box_t const *value)
Lookup the structure representing an enum value in a fr_dict_attr_t.
Definition dict_util.c:3655
DICT_AUTOLOAD_TERMINATOR
#define DICT_AUTOLOAD_TERMINATOR
Definition dict.h:311
fr_dict_enum_value_t::name
char const * name
Enum name.
Definition dict.h:254
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:291
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:304
fr_dict_enum_autoload_t
Specifies a value which must be present for the module to function.
Definition dict.h:280
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition dict.h:253
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
fr_hash64
uint64_t fr_hash64(void const *data, size_t size)
Definition hash.c:940
fr_hash_string
uint32_t fr_hash_string(char const *p)
Definition hash.c:900
fr_hash64_update
uint64_t fr_hash64_update(void const *data, size_t size, uint64_t hash)
Definition hash.c:968
talloc_free
talloc_free(hp)
unlang_result_t
Definition interpret.h:133
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition base.c:37
attr_packet_type
fr_dict_attr_t const * attr_packet_type
Definition base.c:91
attr_user_name
fr_dict_attr_t const * attr_user_name
Definition base.c:102
attr_module_failure_message
static fr_dict_attr_t const * attr_module_failure_message
Definition log.c:206
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:455
RWDEBUG
#define RWDEBUG(fmt,...)
Definition log.h:373
RPEDEBUG
#define RPEDEBUG(fmt,...)
Definition log.h:388
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition log.h:442
fr_debug_lvl
int fr_debug_lvl
Definition log.c:40
L_DBG_LVL_2
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:68
main_config
main_config_t const * main_config
Main server configuration.
Definition main_config.c:58
main_config_s::spawn_workers
bool spawn_workers
Should the server spawn threads.
Definition main_config.h:58
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_UINT8
@ FR_TYPE_UINT8
8 Bit unsigned integer.
Definition merged_model.c:97
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
UINT8_MAX
#define UINT8_MAX
Definition merged_model.c:32
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
fr_value_box_t
Definition merged_model.c:136
request_t
Definition merged_model.c:210
mod_actions_authenticate
unlang_mod_actions_t const mod_actions_authenticate
Definition mod_action.c:29
mod_actions_accounting
unlang_mod_actions_t const mod_actions_accounting
Definition mod_action.c:77
mod_actions_authorize
unlang_mod_actions_t const mod_actions_authorize
Definition mod_action.c:45
mod_actions_postauth
unlang_mod_actions_t const mod_actions_postauth
Definition mod_action.c:92
unlang_mod_actions_t::actions
unlang_mod_action_t actions[RLM_MODULE_NUMCODES]
Definition mod_action.h:69
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
fr_pair_list_copy
int fr_pair_list_copy(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from)
Duplicate a list of pairs.
Definition pair.c:2326
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2962
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:784
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:707
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1352
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:290
fr_pair_list_init
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
mod_process
static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition base.c:188
compile_list
static const virtual_server_compile_t compile_list[]
Definition base.c:214
process_state
static fr_process_state_t const process_state[]
Definition base.c:69
RESUME_FLAG
RESUME_FLAG(recv_bfd, UNUSED,)
Definition base.c:119
attr_module_success_message
static fr_dict_attr_t const * attr_module_success_message
Definition base.c:37
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition base.c:752
RECV
RECV(for_any_server)
Validate a solicit/rebind/confirm message.
Definition base.c:400
attr_user_password
static fr_dict_attr_t const * attr_user_password
Definition base.c:60
attr_stripped_user_name
static fr_dict_attr_t const * attr_stripped_user_name
Definition base.c:53
mod_bootstrap
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Definition base.c:848
attr_auth_type
static fr_dict_attr_t const * attr_auth_type
Definition base.c:50
enum_auth_type_reject
static fr_value_box_t const * enum_auth_type_reject
Definition base.c:85
auth_config
static const conf_parser_t auth_config[]
Definition base.c:157
enum_auth_type_accept
static fr_value_box_t const * enum_auth_type_accept
Definition base.c:84
config
static const conf_parser_t config[]
Definition base.c:163
process_tacacs
fr_process_module_t process_tacacs
Definition base.c:1501
attr_tacacs_authentication_flags
static fr_dict_attr_t const * attr_tacacs_authentication_flags
Definition base.c:52
process_tacacs_sections_t::autz_pass_add
CONF_SECTION * autz_pass_add
Definition base.c:143
process_tacacs_session_t::list
fr_pair_list_t list
copied from the request
Definition base.c:180
process_tacacs_sections_t::new_client
CONF_SECTION * new_client
Definition base.c:154
enum_tacacs_auth_type_ascii
static fr_value_box_t const * enum_tacacs_auth_type_ascii
Definition base.c:115
process_tacacs_sections_t::add_client
CONF_SECTION * add_client
Definition base.c:155
process_tacacs_sections_t::auth_pass
CONF_SECTION * auth_pass
Definition base.c:131
process_tacacs_sections_t::auth_start
CONF_SECTION * auth_start
Definition base.c:130
process_tacacs_sections_t::acct_success
CONF_SECTION * acct_success
Definition base.c:149
process_tacacs_sections_t::auth_error
CONF_SECTION * auth_error
Definition base.c:137
process_tacacs_sections_t::acct_request
CONF_SECTION * acct_request
Definition base.c:148
process_tacacs_sections_t::auth_cont_abort
CONF_SECTION * auth_cont_abort
Definition base.c:140
process_tacacs_dict_attr
fr_dict_attr_autoload_t process_tacacs_dict_attr[]
Definition base.c:76
attr_tacacs_user_message
static fr_dict_attr_t const * attr_tacacs_user_message
Definition base.c:69
process_tacacs_t::server_cs
CONF_SECTION * server_cs
Our virtual server.
Definition base.c:165
attr_chap_password
static fr_dict_attr_t const * attr_chap_password
Definition base.c:73
process_tacacs_sections_t::auth_cont
CONF_SECTION * auth_cont
Definition base.c:139
acct_status_to_packet_code
static const uint32_t acct_status_to_packet_code[UINT8_MAX+1]
Definition base.c:894
process_tacacs_sections_t::auth_restart
CONF_SECTION * auth_restart
Definition base.c:136
authen_status_to_packet_code
static const uint32_t authen_status_to_packet_code[UINT8_MAX+1]
Definition base.c:346
process_tacacs_t::sections
process_tacacs_sections_t sections
Pointers to various config sections we need to execute.
Definition base.c:169
reply_code
static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da, uint32_t const status2code[static UINT8_MAX+1], fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
Try and determine what the response packet type should be.
Definition base.c:263
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition base.c:35
process_tacacs_dict_enum
fr_dict_enum_autoload_t process_tacacs_dict_enum[]
Definition base.c:118
COPY_MISSING
#define COPY_MISSING(_attr)
attr_tacacs_session_id
static fr_dict_attr_t const * attr_tacacs_session_id
Definition base.c:66
attr_tacacs_server_message
static fr_dict_attr_t const * attr_tacacs_server_message
Definition base.c:65
process_tacacs_sections_t::autz_error
CONF_SECTION * autz_error
Definition base.c:146
process_tacacs_sections_t::do_not_respond
CONF_SECTION * do_not_respond
Definition base.c:152
author_status_to_packet_code
static const uint32_t author_status_to_packet_code[UINT8_MAX+1]
Definition base.c:849
enum_auth_flags_noecho
static fr_value_box_t const * enum_auth_flags_noecho
Definition base.c:114
process_tacacs_sections_t::autz_pass_replace
CONF_SECTION * autz_pass_replace
Definition base.c:144
process_tacacs_session_t::reply
uint32_t reply
for multiround state machine
Definition base.c:178
EXTRACT
#define EXTRACT(_attr)
process_tacacs_sections_t::auth_getuser
CONF_SECTION * auth_getuser
Definition base.c:134
attr_tacacs_privilege_level
static fr_dict_attr_t const * attr_tacacs_privilege_level
Definition base.c:63
process_tacacs_sections_t::auth_getdata
CONF_SECTION * auth_getdata
Definition base.c:133
attr_tacacs_authentication_type
static fr_dict_attr_t const * attr_tacacs_authentication_type
Definition base.c:53
process_tacacs_sections_t::acct_error
CONF_SECTION * acct_error
Definition base.c:150
attr_tacacs_accounting_status
static fr_dict_attr_t const * attr_tacacs_accounting_status
Definition base.c:58
process_tacacs_sections_t::autz_request
CONF_SECTION * autz_request
Definition base.c:142
process_tacacs_auth_t::session
fr_state_config_t session
track state session information.
Definition base.c:160
acct_flag_valid
static const bool acct_flag_valid[8]
Definition base.c:934
attr_tacacs_authentication_service
static fr_dict_attr_t const * attr_tacacs_authentication_service
Definition base.c:54
attr_tacacs_authentication_status
static fr_dict_attr_t const * attr_tacacs_authentication_status
Definition base.c:55
process_tacacs_sections_t::deny_client
CONF_SECTION * deny_client
Definition base.c:156
process_tacacs_sections_t::auth_fail
CONF_SECTION * auth_fail
Definition base.c:132
attr_tacacs_authentication_action
static fr_dict_attr_t const * attr_tacacs_authentication_action
Definition base.c:51
attr_tacacs_client_port
static fr_dict_attr_t const * attr_tacacs_client_port
Definition base.c:61
process_tacacs_t::auth
process_tacacs_auth_t auth
Authentication configuration.
Definition base.c:172
attr_tacacs_remote_address
static fr_dict_attr_t const * attr_tacacs_remote_address
Definition base.c:64
process_tacacs_session_t::seq_no
uint8_t seq_no
sequence number of last request.
Definition base.c:179
process_tacacs_auth_t::state_tree
fr_state_tree_t * state_tree
State tree to link multiple requests/responses.
Definition base.c:161
COPY
#define COPY(_attr)
attr_tacacs_action
static fr_dict_attr_t const * attr_tacacs_action
Definition base.c:50
attr_tacacs_sequence_number
static fr_dict_attr_t const * attr_tacacs_sequence_number
Definition base.c:67
attr_tacacs_authorization_status
static fr_dict_attr_t const * attr_tacacs_authorization_status
Definition base.c:57
process_tacacs_sections_t::autz_fail
CONF_SECTION * autz_fail
Definition base.c:145
attr_tacacs_accounting_flags
static fr_dict_attr_t const * attr_tacacs_accounting_flags
Definition base.c:59
attr_tacacs_data
static fr_dict_attr_t const * attr_tacacs_data
Definition base.c:62
attr_tacacs_state
static fr_dict_attr_t const * attr_tacacs_state
Definition base.c:68
process_tacacs_t::session_id
uint32_t session_id
current session ID
Definition base.c:167
process_tacacs_sections_t::auth_getpass
CONF_SECTION * auth_getpass
Definition base.c:135
process_tacacs_dict
fr_dict_autoload_t process_tacacs_dict[]
Definition base.c:38
state_create
static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
Definition base.c:210
process_tacacs_auth_t
Definition base.c:159
process_tacacs_sections_t
Definition base.c:127
process_tacacs_session_t
Definition base.c:177
process_tacacs_t
Definition base.c:164
PROCESS_TRACE
#define PROCESS_TRACE
Trace each state function as it's entered.
Definition process.h:55
PROCESS_CONF_OFFSET
#define PROCESS_CONF_OFFSET(_x)
Definition process.h:79
fr_process_module_t::common
module_t common
Common fields for all loadable modules.
Definition process_types.h:39
fr_process_module_t
Common public symbol definition for all process modules.
Definition process_types.h:38
fr_tacacs_packet_names
char const * fr_tacacs_packet_names[FR_TACACS_CODE_MAX]
Definition base.c:119
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:37
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient-ng.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient-ng.h:54
RDEBUG
#define RDEBUG(fmt,...)
Definition radclient-ng.h:53
send_reply
static void send_reply(int sockfd, fr_channel_data_t *reply)
Definition radius1_test.c:186
rcode_table
fr_table_num_sorted_t const rcode_table[]
Definition rcode.c:35
RETURN_UNLANG_FAIL
#define RETURN_UNLANG_FAIL
Definition rcode.h:63
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:44
RLM_MODULE_INVALID
@ RLM_MODULE_INVALID
The module considers the request invalid.
Definition rcode.h:51
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:49
RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:48
RLM_MODULE_DISALLOW
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition rcode.h:52
RLM_MODULE_REJECT
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:47
RLM_MODULE_TIMEOUT
@ RLM_MODULE_TIMEOUT
Module (or section) timed out.
Definition rcode.h:56
RLM_MODULE_NOTFOUND
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:53
RLM_MODULE_UPDATED
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition rcode.h:55
RLM_MODULE_NOOP
@ RLM_MODULE_NOOP
Module succeeded without doing anything.
Definition rcode.h:54
RLM_MODULE_NUMCODES
@ RLM_MODULE_NUMCODES
How many valid return codes there are.
Definition rcode.h:57
RLM_MODULE_HANDLED
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition rcode.h:50
request_is_dynamic_client
#define request_is_dynamic_client(_x)
Definition request.h:188
request_data_reference
void * request_data_reference(request_t *request, void const *unique_ptr, int unique_int)
Get opaque data from a request without removing it.
Definition request_data.c:339
request_data_talloc_add
#define request_data_talloc_add(_request, _unique_ptr, _unique_int, _type, _opaque, _free_on_replace, _free_on_parent, _persist)
Add opaque data to a request_t.
Definition request_data.h:86
process_rcode
static unlang_action_t process_rcode(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_peap.c:741
hash
static unsigned int hash(char const *username, unsigned int tablesize)
Definition rlm_passwd.c:132
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:39
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:351
module_instance_s::data
void * data
Module's instance data.
Definition module.h:293
MODULE_RCTX
#define MODULE_RCTX(_ctype)
Definition module.h:259
MODULE_INST
#define MODULE_INST(_ctype)
Definition module.h:257
module_s::config
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:206
pair_delete_reply
#define pair_delete_reply(_pair_or_da)
Delete a fr_pair_t in the reply list.
Definition pair.h:181
pair_append_reply
#define pair_append_reply(_attr, _da)
Allocate and append a fr_pair_t to reply list.
Definition pair.h:47
fr_state_restore
int fr_state_restore(fr_state_tree_t *state, request_t *request)
Copy a pointer to the head of the list of state fr_pair_ts (and their ctx) into the request.
Definition state.c:735
fr_state_discard
void fr_state_discard(fr_state_tree_t *state, request_t *request)
Called when sending an Access-Accept/Access-Reject to discard state information.
Definition state.c:681
fr_state_store
int fr_state_store(fr_state_tree_t *state, request_t *request)
Transfer ownership of the state fr_pair_ts and ctx, back to a state entry.
Definition state.c:811
state_session_config
const conf_parser_t state_session_config[]
Definition state.c:59
fr_state_tree_init
fr_state_tree_t * fr_state_tree_init(TALLOC_CTX *ctx, fr_dict_attr_t const *da, fr_state_config_t const *config)
Initialise a new state tree.
Definition state.c:232
fr_state_tree_s
Definition state.c:155
unlang_module_yield_to_section
unlang_action_t unlang_module_yield_to_section(unlang_result_t *p_result, request_t *request, CONF_SECTION *subcs, rlm_rcode_t default_rcode, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Definition module.c:236
fr_state_config_t
Definition state.h:40
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3645
RESUME
#define RESUME(_x)
Definition state_machine.c:50
vp
fr_pair_t * vp
Definition state_machine.c:2287
pair_list_s
Definition pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
fr_table_str_by_value
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772
FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
Definition tacacs.h:211
FR_TAC_PLUS_AUTHOR_STATUS_ERROR
@ FR_TAC_PLUS_AUTHOR_STATUS_ERROR
Definition tacacs.h:214
FR_TAC_PLUS_AUTHOR_STATUS_FAIL
@ FR_TAC_PLUS_AUTHOR_STATUS_FAIL
Definition tacacs.h:213
FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
Definition tacacs.h:212
FR_TACACS_PACKET_CODE_VALID
#define FR_TACACS_PACKET_CODE_VALID(_code)
Definition tacacs.h:322
packet_is_authen_start_request
#define packet_is_authen_start_request(p)
3.4.
Definition tacacs.h:49
FR_TACACS_CODE_ACCT_ERROR
@ FR_TACACS_CODE_ACCT_ERROR
Definition tacacs.h:315
FR_TACACS_CODE_DO_NOT_RESPOND
@ FR_TACACS_CODE_DO_NOT_RESPOND
Definition tacacs.h:318
FR_TACACS_CODE_ACCT_REQUEST
@ FR_TACACS_CODE_ACCT_REQUEST
Definition tacacs.h:313
FR_TACACS_CODE_AUTZ_REQUEST
@ FR_TACACS_CODE_AUTZ_REQUEST
Definition tacacs.h:307
FR_TACACS_CODE_AUTH_GETDATA
@ FR_TACACS_CODE_AUTH_GETDATA
Definition tacacs.h:298
FR_TACACS_CODE_AUTH_RESTART
@ FR_TACACS_CODE_AUTH_RESTART
Definition tacacs.h:301
FR_TACACS_CODE_AUTZ_PASS_REPLACE
@ FR_TACACS_CODE_AUTZ_PASS_REPLACE
Definition tacacs.h:309
FR_TACACS_CODE_AUTH_GETUSER
@ FR_TACACS_CODE_AUTH_GETUSER
Definition tacacs.h:299
FR_TACACS_CODE_AUTH_GETPASS
@ FR_TACACS_CODE_AUTH_GETPASS
Definition tacacs.h:300
FR_TACACS_CODE_AUTZ_FAIL
@ FR_TACACS_CODE_AUTZ_FAIL
Definition tacacs.h:310
FR_TACACS_CODE_AUTH_CONT_ABORT
@ FR_TACACS_CODE_AUTH_CONT_ABORT
Definition tacacs.h:305
FR_TACACS_CODE_AUTH_PASS
@ FR_TACACS_CODE_AUTH_PASS
Definition tacacs.h:296
FR_TACACS_CODE_AUTH_CONT
@ FR_TACACS_CODE_AUTH_CONT
Definition tacacs.h:304
FR_TACACS_CODE_AUTZ_PASS_ADD
@ FR_TACACS_CODE_AUTZ_PASS_ADD
Definition tacacs.h:308
FR_TACACS_CODE_AUTH_START
@ FR_TACACS_CODE_AUTH_START
Definition tacacs.h:295
FR_TACACS_CODE_AUTH_FAIL
@ FR_TACACS_CODE_AUTH_FAIL
Definition tacacs.h:297
FR_TACACS_CODE_AUTH_ERROR
@ FR_TACACS_CODE_AUTH_ERROR
Definition tacacs.h:302
FR_TACACS_CODE_AUTZ_ERROR
@ FR_TACACS_CODE_AUTZ_ERROR
Definition tacacs.h:311
FR_TACACS_CODE_ACCT_SUCCESS
@ FR_TACACS_CODE_ACCT_SUCCESS
Definition tacacs.h:314
FR_TAC_PLUS_ACCT_STATUS_SUCCESS
@ FR_TAC_PLUS_ACCT_STATUS_SUCCESS
Definition tacacs.h:255
FR_TAC_PLUS_ACCT_STATUS_ERROR
@ FR_TAC_PLUS_ACCT_STATUS_ERROR
Definition tacacs.h:256
FR_TAC_PLUS_AUTHEN_STATUS_PASS
@ FR_TAC_PLUS_AUTHEN_STATUS_PASS
Definition tacacs.h:151
FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
@ FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
Definition tacacs.h:153
FR_TAC_PLUS_AUTHEN_STATUS_ERROR
@ FR_TAC_PLUS_AUTHEN_STATUS_ERROR
Definition tacacs.h:157
FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
@ FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
Definition tacacs.h:154
FR_TAC_PLUS_AUTHEN_STATUS_FAIL
@ FR_TAC_PLUS_AUTHEN_STATUS_FAIL
Definition tacacs.h:152
FR_TAC_PLUS_AUTHEN_STATUS_RESTART
@ FR_TAC_PLUS_AUTHEN_STATUS_RESTART
Definition tacacs.h:156
FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
@ FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
Definition tacacs.h:155
fr_tacacs_packet_t
Definition tacacs.h:276
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:110
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition pair_inline.c:69
fr_value_box_cmp
int8_t fr_value_box_cmp(fr_value_box_t const *a, fr_value_box_t const *b)
Compare two values.
Definition value.c:748
fr_value_box_copy
int fr_value_box_copy(TALLOC_CTX *ctx, fr_value_box_t *dst, const fr_value_box_t *src)
Copy value data verbatim duplicating any buffers.
Definition value.c:4379
out
static size_t char ** out
Definition value.h:1030
virtual_server_section_attribute_define
int virtual_server_section_attribute_define(CONF_SECTION *server_cs, char const *subcs_name, fr_dict_attr_t const *da)
Define a values for Auth-Type attributes by the sections present in a virtual-server.
Definition virtual_servers.c:1562
virtual_server_compile_s::section
section_name_t const * section
Identifier for the section.
Definition virtual_servers.h:135
COMPILE_TERMINATOR
#define COMPILE_TERMINATOR
Definition virtual_servers.h:145
virtual_server_compile_s
Processing sections which are allowed in this virtual server.
Definition virtual_servers.h:134
Generated by   doxygen 1.9.8