The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 498889a31cd7e124169ba3051ccc052fd62e95d7 $
19 * @file src/process/tacacs/base.c
20 * @brief TACACS+ handler.
21 * @author Jorge Pereira <jpereira@freeradius.org>
22 *
23 * @copyright 2020 The FreeRADIUS server project.
24 * @copyright 2020 Network RADIUS SAS (legal@networkradius.com)
25 */
26#include <freeradius-devel/io/listen.h>
27#include <freeradius-devel/io/master.h>
28#include <freeradius-devel/tacacs/tacacs.h>
29#include <freeradius-devel/unlang/call.h>
30#include <freeradius-devel/unlang/xlat_func.h>
31#include <freeradius-devel/util/debug.h>
32
33#include <freeradius-devel/protocol/tacacs/tacacs.h>
34
35static fr_dict_t const *dict_freeradius;
36static fr_dict_t const *dict_tacacs;
37
38extern fr_dict_autoload_t process_tacacs_dict[];
39fr_dict_autoload_t process_tacacs_dict[] = {
40 { .out = &dict_freeradius, .proto = "freeradius" },
41 { .out = &dict_tacacs, .proto = "tacacs" },
42 DICT_AUTOLOAD_TERMINATOR
43};
44
45static fr_dict_attr_t const *attr_auth_type;
46static fr_dict_attr_t const *attr_module_failure_message;
47static fr_dict_attr_t const *attr_module_success_message;
48static fr_dict_attr_t const *attr_stripped_user_name;
49static fr_dict_attr_t const *attr_packet_type;
50
51static fr_dict_attr_t const *attr_tacacs_action;
52static fr_dict_attr_t const *attr_tacacs_authentication_action;
53static fr_dict_attr_t const *attr_tacacs_authentication_flags;
54static fr_dict_attr_t const *attr_tacacs_authentication_type;
55static fr_dict_attr_t const *attr_tacacs_authentication_service;
56static fr_dict_attr_t const *attr_tacacs_authentication_status;
57
58static fr_dict_attr_t const *attr_tacacs_authorization_status;
59static fr_dict_attr_t const *attr_tacacs_accounting_status;
60static fr_dict_attr_t const *attr_tacacs_accounting_flags;
61
62static fr_dict_attr_t const *attr_tacacs_client_port;
63static fr_dict_attr_t const *attr_tacacs_data;
64static fr_dict_attr_t const *attr_tacacs_privilege_level;
65static fr_dict_attr_t const *attr_tacacs_remote_address;
66static fr_dict_attr_t const *attr_tacacs_server_message;
67static fr_dict_attr_t const *attr_tacacs_session_id;
68static fr_dict_attr_t const *attr_tacacs_sequence_number;
69static fr_dict_attr_t const *attr_tacacs_state;
70static fr_dict_attr_t const *attr_tacacs_user_message;
71
72static fr_dict_attr_t const *attr_user_name;
73static fr_dict_attr_t const *attr_user_password;
74static fr_dict_attr_t const *attr_chap_password;
75
76extern fr_dict_attr_autoload_t process_tacacs_dict_attr[];
77fr_dict_attr_autoload_t process_tacacs_dict_attr[] = {
78 { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
79 { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
80 { .out = &attr_module_success_message, .name = "Module-Success-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
81 { .out = &attr_stripped_user_name, .name = "Stripped-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
82 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
83
84 { .out = &attr_tacacs_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
85 { .out = &attr_tacacs_authentication_flags, .name = "Authentication-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
86 { .out = &attr_tacacs_authentication_type, .name = "Authentication-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
87 { .out = &attr_tacacs_authentication_service, .name = "Authentication-Service", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
88
89 { .out = &attr_tacacs_authentication_status, .name = "Authentication-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
90 { .out = &attr_tacacs_authorization_status, .name = "Authorization-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
91
92 { .out = &attr_tacacs_accounting_status, .name = "Accounting-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
93 { .out = &attr_tacacs_accounting_flags, .name = "Accounting-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
94
95 { .out = &attr_tacacs_client_port, .name = "Client-Port", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
96 { .out = &attr_tacacs_data, .name = "Data", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
97 { .out = &attr_tacacs_privilege_level, .name = "Privilege-Level", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
98 { .out = &attr_tacacs_remote_address, .name = "Remote-Address", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
99 { .out = &attr_tacacs_authentication_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
100 { .out = &attr_tacacs_session_id, .name = "Packet.Session-Id", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
101 { .out = &attr_tacacs_sequence_number, .name = "Packet.Sequence-Number", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
102 { .out = &attr_tacacs_server_message, .name = "Server-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
103 { .out = &attr_tacacs_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
104 { .out = &attr_tacacs_user_message, .name = "User-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
105
106 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
107 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
108 { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
109
110 DICT_AUTOLOAD_TERMINATOR
111};
112
113static fr_value_box_t const *enum_auth_type_accept;
114static fr_value_box_t const *enum_auth_type_reject;
115static fr_value_box_t const *enum_auth_flags_noecho;
116static fr_value_box_t const *enum_tacacs_auth_type_ascii;
117
118extern fr_dict_enum_autoload_t process_tacacs_dict_enum[];
119fr_dict_enum_autoload_t process_tacacs_dict_enum[] = {
120 { .out = &enum_auth_type_accept, .name = "Accept", .attr = &attr_auth_type },
121 { .out = &enum_auth_type_reject, .name = "Reject", .attr = &attr_auth_type },
122 { .out = &enum_auth_flags_noecho, .name = "No-Echo", .attr = &attr_tacacs_authentication_flags },
123 { .out = &enum_tacacs_auth_type_ascii, .name = "ASCII", .attr = &attr_tacacs_authentication_type },
124 DICT_AUTOLOAD_TERMINATOR
125};
126
127
159
160typedef struct {
161 fr_state_config_t session; //!< track state session information.
162 fr_state_tree_t *state_tree; //!< State tree to link multiple requests/responses.
163} process_tacacs_auth_t;
164
165typedef struct {
166 CONF_SECTION *server_cs; //!< Our virtual server.
167
168 uint32_t session_id; //!< current session ID
169
170 process_tacacs_sections_t sections; //!< Pointers to various config sections
171 ///< we need to execute
172
173 process_tacacs_auth_t auth; //!< Authentication configuration.
174
175
176} process_tacacs_t;
177
178typedef struct {
179 uint32_t reply; //!< for multiround state machine
180 uint8_t seq_no; //!< sequence number of last request.
181 fr_pair_list_t list; //!< copied from the request
182} process_tacacs_session_t;
183
184
185#define PROCESS_PACKET_TYPE fr_tacacs_packet_code_t
186#define PROCESS_CODE_MAX FR_TACACS_CODE_MAX
187#define PROCESS_CODE_DO_NOT_RESPOND FR_TACACS_CODE_DO_NOT_RESPOND
188#define PROCESS_PACKET_CODE_VALID FR_TACACS_PACKET_CODE_VALID
189#define PROCESS_INST process_tacacs_t
190#define PROCESS_CODE_DYNAMIC_CLIENT FR_TACACS_CODE_AUTH_PASS
191
192#include <freeradius-devel/server/process.h>
193
194static const conf_parser_t auth_config[] = {
195 { FR_CONF_POINTER("session", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) state_session_config },
196
197 CONF_PARSER_TERMINATOR
198};
199
200static const conf_parser_t config[] = {
201 { FR_CONF_POINTER("Authentication", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) auth_config,
202 .offset = offsetof(process_tacacs_t, auth), },
203
204 CONF_PARSER_TERMINATOR
205};
206
207
208/*
209 * Synthesize a State attribute from connection && session information.
210 */
211static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
212{
213 uint64_t hash;
214 uint32_t sequence;
215 fr_pair_t *vp;
216
217 if (!request->async->listen) return -1;
218
219 vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_session_id);
220 if (!vp) return -1;
221
222 hash = fr_hash64(&vp->vp_uint32, sizeof(vp->vp_uint32));
223
224 vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_sequence_number);
225 if (!vp) return -1;
226
227 /*
228 * Requests have odd sequence numbers, and replies have even sequence numbers.
229 * So if we want to synthesize a state in a reply which gets matched with the next
230 * request, we have to add 2 to it.
231 */
232 sequence = vp->vp_uint8 + ((int) reply << 1);
233 hash = fr_hash64_update(&sequence, sizeof(sequence), hash);
234
235 hash = fr_hash64_update(&request->async->listen, sizeof(request->async->listen), hash);
236
237 vp = fr_pair_afrom_da(ctx, attr_tacacs_state);
238 if (!vp) return -1;
239
240 (void) fr_pair_value_memdup(vp, (uint8_t const *) &hash, sizeof(hash), false);
241
242 fr_pair_append(out, vp);
243
244 return 0;
245}
246
247/** Try and determine what the response packet type should be
248 *
249 * We check three sources:
250 * - reply.``<status_attr>``
251 * - reply.Packet-Type
252 * - State machine packet type assignments for the section rcode
253 *
254 * @param[in] request The current request.
255 * @param[in] status_da Specialised status attribute.
256 * @param[in] status2code Mapping table of *packet* status types to rcodes.
257 * @param[in] state Mappings for process state machine
258 * @param[in] process_rcode Mappings for Auth-Type / Acct-Type, which don't use the process state machine
259 * @param[in] rcode The last section rcode.
260 * @return
261 * - >0 if we determined a reply code.
262 * - 0 if we couldn't - Usually indicates additional sections should be run.
263 */
264static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da,
265 uint32_t const status2code[static UINT8_MAX + 1],
266 fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
267{
268 fr_pair_t *vp;
269 uint32_t code;
270
271 /*
272 * First check the protocol attribute for this packet type.
273 *
274 * Should be one of:
275 * - Authentication-Status
276 * - Authorization-Status
277 * - Accounting-Status
278 */
279 fr_assert(status_da->type == FR_TYPE_UINT8);
280
281 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, status_da);
282 if (vp) {
283 code = status2code[vp->vp_uint8];
284 if (FR_TACACS_PACKET_CODE_VALID(code)) {
285 RDEBUG("Setting reply Packet-Type from %pP", vp);
286 return code;
287 }
288
289 REDEBUG("Ignoring invalid status %pP", vp);
290 }
291
292 if (state) {
293 code = state->packet_type[rcode];
294 if (FR_TACACS_PACKET_CODE_VALID(code) || (code == FR_TACACS_CODE_DO_NOT_RESPOND)) return code;
295 }
296
297 if (process_rcode) {
298 code = process_rcode[rcode];
299 if (FR_TACACS_PACKET_CODE_VALID(code) || (code == FR_TACACS_CODE_DO_NOT_RESPOND)) return code;
300 }
301
302 /*
303 * Otherwise use Packet-Type (if set)
304 */
305 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_packet_type);
306 if (vp && (FR_TACACS_PACKET_CODE_VALID(vp->vp_uint32) || (vp->vp_uint32 == FR_TACACS_CODE_DO_NOT_RESPOND))) {
307 RDEBUG("Setting reply Packet-Type from %pV", &vp->data);
308 return vp->vp_uint32;
309 }
310
311 return 0;
312}
313
314RECV(auth_start)
315{
316 fr_process_state_t const *state;
317 fr_pair_t *vp;
318
319 /*
320 * Only "Login" is supported. The others are "change password" and "sendauth", which aren't
321 * used.
322 */
323 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_action);
324 if (!vp) {
325 fail:
326 request->reply->code = FR_TACACS_CODE_AUTH_ERROR;
327 UPDATE_STATE(reply);
328
329 fr_assert(state->send != NULL);
330 return CALL_SEND_STATE(state);
331 }
332
333 if (vp->vp_uint8 != FR_ACTION_VALUE_LOGIN) {
334 RDEBUG("Invalid authentication action %u", vp->vp_uint8);
335 goto fail;
336 }
337
338 /*
339 * There is no state to restore, so we just run the section as normal.
340 */
341
342 return CALL_RECV(generic);
343}
344
345RESUME(auth_type);
346
356
357RESUME(auth_start)
358{
359 rlm_rcode_t rcode = RESULT_RCODE;
360 fr_pair_t *vp;
361 CONF_SECTION *cs;
362 fr_dict_enum_value_t const *dv;
363 fr_process_state_t const *state;
364 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
365
366 PROCESS_TRACE;
367
368 fr_assert(rcode < RLM_MODULE_NUMCODES);
369
370 /*
371 * See if the return code from "recv" which says we reject, or continue.
372 */
373 UPDATE_STATE(packet);
374
375 /*
376 * Nothing set the reply, so let's see if we need to do so.
377 *
378 * If the admin didn't set authentication-status, just
379 * use the defaults from the state machine.
380 */
381 if (!request->reply->code) {
382 request->reply->code = reply_code(request,
383 attr_tacacs_authentication_status,
384 authen_status_to_packet_code, state, NULL, rcode);
385 } else {
386 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
387 }
388
389 /*
390 * Check for multi-round authentication.
391 *
392 * We only run the automatic state machine (start -> getuser -> getpass -> pass/fail)
393 * when the admin does NOT set any reply type, or any reply authentication status.
394 *
395 * However, do DO always save and restore the attributes from the start packet, so that they are
396 * visible in a later packet.
397 */
398 if (!request->reply->code) {
399 process_tacacs_session_t *session;
400 fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
401
402 session = request_data_reference(request, inst, 0);
403 if (!session) {
404 /*
405 * This function is called for resuming both "start" and "continue" packets, so
406 * we have to check for "start" here.
407 *
408 * We only do multi-round authentication for the ASCII authentication type.
409 * Other authentication types are defined to be one request/reply only.
410 */
411 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
412 if (!packet_is_authen_start_request(packet) ||
413 (vp && (fr_value_box_cmp(&vp->data, enum_tacacs_auth_type_ascii) != 0))) {
414 goto auth_type;
415 }
416
417 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name);
418 if (!vp) {
419 RDEBUG("No User-Name, replying with Authentication-GetUser");
420 request->reply->code = FR_TACACS_CODE_AUTH_GETUSER;
421 } else {
422 RDEBUG("User-Name = %pV, replying with Authentication-GetPass", &vp->data);
423 request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
424 goto add_auth_flags;
425 }
426
427 goto send_reply;
428 }
429
430 /*
431 * Last reply was "get username", we now get the password.
432 */
433 if (session->reply == FR_TACACS_CODE_AUTH_GETUSER) {
434 RDEBUG("No User-Password, replying with Authentication-GetPass");
435 request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
436
437 /*
438 * Pre-set the authentication flags reply to No-Echo
439 * RFC 8907 says this should be set when the data being
440 * requested is sensitive and should not be echoed to the
441 * user as it is being entered.
442 */
443 add_auth_flags:
444 MEM(pair_append_reply(&vp, attr_tacacs_authentication_flags) >= 0);
445 if (unlikely(fr_value_box_copy(vp, &vp->data, enum_auth_flags_noecho) < 0)) {
446 RPEDEBUG("Failed creating Authentication-Flags attribute with No-Echo flag");
447 pair_delete_reply(vp);
448 goto reject;
449 }
450 vp->data.enumv = attr_tacacs_authentication_flags;
451 goto send_reply;
452 }
453
454 /*
455 * We either have a password, or the admin screwed up the configuration somehow. Just go
456 * run "Auth-Type foo".
457 */
458 goto auth_type;
459 }
460
461 /*
462 * Something set the reply code, skip
463 * the normal auth flow and respond immediately.
464 */
465 if (request->reply->code) {
466 switch (request->reply->code) {
467 case FR_TACACS_CODE_AUTH_FAIL:
468 RDEBUG("The 'recv Authentication-Start' section returned %s - failing the request",
469 fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
470 break;
471
472 case FR_TACACS_CODE_DO_NOT_RESPOND:
473 RDEBUG("Reply packet type was set to Do-Not-Respond");
474 break;
475
476 default:
477 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
478 RDEBUG("Reply packet type was set to %s", fr_tacacs_packet_names[request->reply->code]);
479 break;
480 }
481
482 send_reply:
483 UPDATE_STATE(reply);
484
485 fr_assert(state->send != NULL);
486 return CALL_SEND_STATE(state);
487 }
488
489 /*
490 * Run authenticate foo { ... }
491 *
492 * If we can't find Auth-Type, OR if we can't find Auth-Type = foo, then it's a reject.
493 *
494 * We prefer the local Auth-Type to the Authentication-Type in the packet. But if there's no
495 * Auth-Type set by the admin, then we use what's in the packet.
496 */
497 auth_type:
498 vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_auth_type);
499 if (!vp) vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
500 if (!vp) {
501 RDEBUG("No 'Auth-Type' or 'Authentication-Type' attribute found, "
502 "cannot authenticate the user - rejecting the request");
503
504 reject:
505 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
506 goto send_reply;
507 }
508
509 dv = fr_dict_enum_by_value(vp->da, &vp->data);
510 if (!dv) {
511 RDEBUG("Invalid value for '%s' attribute, cannot authenticate the user - rejecting the request",
512 vp->da->name);
513
514 goto reject;
515 }
516
517 /*
518 * The magic Auth-Type Accept value which means skip the authenticate section.
519 *
520 * And Reject means always reject. Tho the admin should just return "reject" from the section.
521 */
522 if (vp->da == attr_auth_type) {
523 if (fr_value_box_cmp(enum_auth_type_accept, dv->value) == 0) {
524 request->reply->code = FR_TACACS_CODE_AUTH_PASS;
525 goto send_reply;
526
527 } else if (fr_value_box_cmp(enum_auth_type_reject, dv->value) == 0) {
528 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
529 goto send_reply;
530 }
531 }
532
533 cs = cf_section_find(inst->server_cs, "authenticate", dv->name);
534 if (!cs) {
535 RDEBUG2("No 'authenticate %s { ... }' section found - rejecting the request", dv->name);
536 goto reject;
537 }
538
539 /*
540 * Run the "authenticate foo { ... }" section.
541 *
542 * And continue with sending the generic reply.
543 */
544 RDEBUG("Running 'authenticate %s' from file %s", cf_section_name2(cs), cf_filename(cs));
545 return unlang_module_yield_to_section(RESULT_P, request,
546 cs, RLM_MODULE_NOOP, resume_auth_type,
547 NULL, 0, mctx->rctx);
548}
549
550RESUME(auth_type)
551{
552 static const fr_process_rcode_t auth_type_rcode = {
553 [RLM_MODULE_OK] = FR_TACACS_CODE_AUTH_PASS,
554 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
555 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
556 [RLM_MODULE_NOOP] = FR_TACACS_CODE_AUTH_FAIL,
557 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
558 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
559 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_AUTH_PASS,
560 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
561 };
562
563 rlm_rcode_t rcode = RESULT_RCODE;
564 fr_process_state_t const *state;
565 fr_pair_t *vp;
566
567 PROCESS_TRACE;
568
569 fr_assert(rcode < RLM_MODULE_NUMCODES);
570
571 /*
572 * If nothing set the reply code, then try to set it from various other things.
573 *
574 * The user could have set Authentication-Status
575 * or Packet-Type to something other than
576 * pass...
577 */
578 if (!request->reply->code) {
579 request->reply->code = reply_code(request,
580 attr_tacacs_authentication_status,
581 authen_status_to_packet_code, NULL, auth_type_rcode, rcode);
582 } else {
583 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
584 }
585
586 switch (request->reply->code) {
587 case 0:
588 RDEBUG("No reply code was set. Forcing to Authentication-Fail");
589 fail:
590 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
591 FALL_THROUGH;
592
593 /*
594 * Print complaints before running "send Access-Reject"
595 */
596 case FR_TACACS_CODE_AUTH_FAIL:
597 RDEBUG2("Failed to authenticate the user");
598 break;
599
600 case FR_TACACS_CODE_AUTH_GETDATA:
601 case FR_TACACS_CODE_AUTH_GETUSER:
602 case FR_TACACS_CODE_AUTH_GETPASS:
603 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
604 if (vp && (vp->vp_uint8 != FR_AUTHENTICATION_TYPE_VALUE_ASCII)) {
605 RDEBUG2("Cannot send challenges for %pP", vp);
606 goto fail;
607 }
608 break;
609
610 default:
611 break;
612
613 }
614 UPDATE_STATE(reply);
615
616 fr_assert(state->send != NULL);
617 return state->send(p_result, mctx, request);
618}
619
620RESUME_FLAG(auth_pass, UNUSED,)
621{
622 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
623
624 PROCESS_TRACE;
625
626 // @todo - worry about user identity existing?
627
628 fr_state_discard(inst->auth.state_tree, request);
629 return UNLANG_ACTION_CALCULATE_RESULT;
630}
631
632RESUME_FLAG(auth_fail, UNUSED,)
633{
634 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
635
636 PROCESS_TRACE;
637
638 // @todo - insert server message saying "failed"
639 // and also for FAIL
640
641 fr_state_discard(inst->auth.state_tree, request);
642 return UNLANG_ACTION_CALCULATE_RESULT;
643}
644
645RESUME_FLAG(auth_restart, UNUSED,)
646{
647 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
648
649 PROCESS_TRACE;
650
651 fr_state_discard(inst->auth.state_tree, request);
652 return UNLANG_ACTION_CALCULATE_RESULT;
653}
654
655RESUME(auth_get)
656{
657 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
658 process_tacacs_session_t *session;
659 fr_pair_t *vp, *copy;
660
661 PROCESS_TRACE;
662
663 /*
664 * Track multi-round authentication flows. Note that they can only start with an
665 * "Authentication-Start" packet, but they can continue with an "Authentication-Continue" packet.
666 *
667 * If there's no session being tracked, then we create one for a start packet.
668 */
669 session = request_data_reference(request, inst, 0);
670 if (!session) {
671 fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
672
673 if (!packet_is_authen_start_request(packet)) goto send_reply;
674
675 MEM(session = talloc_zero(NULL, process_tacacs_session_t));
676 if (request_data_talloc_add(request, inst, 0, process_tacacs_session_t, session, true, true, true) < 0) {
677 talloc_free(session);
678 goto send_reply;
679 }
680
681 /*
682 * These are the only things which saved. The rest of the fields are either static (and statically
683 * known), or are irrelevant.
684 */
685 fr_pair_list_init(&session->list);
686#undef COPY
687#define COPY(_attr) do { \
688 vp = fr_pair_find_by_da(&request->request_pairs, NULL, _attr); \
689 if (!vp) break; \
690 MEM(copy = fr_pair_copy(session, vp)); \
691 fr_pair_append(&session->list, copy); \
692 RDEBUG2("%pP", copy); \
693} while (0)
694
695 RDEBUG2("Caching session attributes:");
696 RINDENT();
697 COPY(attr_user_name);
698 COPY(attr_tacacs_client_port);
699 COPY(attr_tacacs_remote_address);
700 COPY(attr_tacacs_privilege_level);
701 COPY(attr_tacacs_authentication_type);
702 REXDENT();
703
704 } else {
705 /*
706 * It is possible that the user name or password are added on subsequent Authentication-Continue
707 * packets following replies with Authentication-GetUser or Authentication-GetPass.
708 * Check if they are already in the session cache, and if not, add them.
709 */
710#define COPY_MISSING(_attr) do { \
711 vp = fr_pair_find_by_da(&session->list, NULL, _attr); \
712 if (vp) break; \
713 COPY(_attr); \
714} while (0)
715
716 RDEBUG2("Caching additional session attributes:");
717 RINDENT();
718 COPY_MISSING(attr_user_name);
719 COPY_MISSING(attr_user_password);
720 REXDENT();
721 }
722 session->reply = request->reply->code;
723 session->seq_no = request->packet->data[2];
724
725send_reply:
726 /*
727 * Cache the session state context.
728 */
729 if ((state_create(request->reply_ctx, &request->reply_pairs, request, true) < 0) ||
730 (fr_state_store(inst->auth.state_tree, request) < 0)) {
731 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
732 }
733
734 return UNLANG_ACTION_CALCULATE_RESULT;
735}
736
737RECV(auth_cont)
738{
739 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
740 process_tacacs_session_t *session;
741
742 if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
743 (fr_state_restore(inst->auth.state_tree, request) < 0)) {
744 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
745 }
746
747 /*
748 * Restore key fields from the original Authentication-Start packet.
749 */
750 session = request_data_reference(request, inst, 0);
751 if (session) {
752 fr_pair_t *vp = NULL, *copy;
753
754 if (request->packet->data[2] <= session->seq_no) {
755 REDEBUG("Client sent invalid sequence number %02x, expected >%02x", request->packet->data[2], session->seq_no);
756 error:
757 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
758 }
759
760 if (fr_debug_lvl >= L_DBG_LVL_2) {
761 RDEBUG2("Restoring session attributes:");
762 RINDENT();
763 while ((vp = fr_pair_list_next(&session->list, vp))) {
764 RDEBUG2("%pP", vp);
765 }
766 REXDENT();
767 }
768 if (fr_pair_list_copy(request->request_ctx, &request->request_pairs, &session->list) < 0) goto error;
769
770 /*
771 * Copy the returned user_message into the attribute we requested.
772 */
773#define EXTRACT(_attr) \
774 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_user_message); \
775 if (!vp) break; \
776 fr_value_box_set_secret(&vp->data, _attr->flags.secret); \
777 if (pair_append_request(&copy, _attr) < 0) break; \
778 if (fr_pair_value_copy(copy, vp) < 0) { \
779 fr_pair_remove(&request->request_pairs, copy); \
780 talloc_free(copy); \
781 break; \
782 } \
783 RDEBUG2("Populated %pP from user_message", copy)
784
785 switch (session->reply) {
786 case FR_TACACS_CODE_AUTH_GETUSER:
787 EXTRACT(attr_user_name);
788 break;
789
790 case FR_TACACS_CODE_AUTH_GETPASS:
791 EXTRACT(attr_user_password);
792 break;
793
794 default:
795 break;
796 }
797 }
798
799 return CALL_RECV(generic);
800}
801
802/*
803 * The client aborted the session. The reply should be RESTART or FAIL.
804 */
805RECV(auth_cont_abort)
806{
807 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
808
809 if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
810 (fr_state_restore(inst->auth.state_tree, request) < 0)) {
811 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
812 }
813
814 return CALL_RECV(generic);
815}
816
817RESUME(auth_cont_abort)
818{
819 rlm_rcode_t rcode = RESULT_RCODE;
820 fr_process_state_t const *state;
821
822 UPDATE_STATE(packet);
823
824 if (!request->reply->code) {
825 switch (rcode) {
826 case RLM_MODULE_OK:
827 case RLM_MODULE_UPDATED:
828 request->reply->code = FR_TACACS_CODE_AUTH_RESTART;
829 break;
830
831 default:
832 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
833 break;
834 }
835
836 } else {
837 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code) ||
838 (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND));
839 }
840
841 RDEBUG("Reply packet type set to %s", (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND) ? "Do-Not-Respond" : fr_tacacs_packet_names[request->reply->code]);
842
843 UPDATE_STATE(reply);
844
845 fr_assert(state->send != NULL);
846 return CALL_SEND_STATE(state);
847}
848
849
856
857
858RESUME(autz_request)
859{
860 rlm_rcode_t rcode = RESULT_RCODE;
861 fr_process_state_t const *state;
862
863 PROCESS_TRACE;
864
865 fr_assert(rcode < RLM_MODULE_NUMCODES);
866
867 /*
868 * See if the return code from "recv" which says we reject, or continue.
869 */
870 UPDATE_STATE(packet);
871
872 /*
873 * Nothing set the reply, so let's see if we need to do so.
874 *
875 * If the admin didn't set authorization-status, just
876 * use the defaults from the state machine.
877 */
878 if (!request->reply->code) {
879 request->reply->code = reply_code(request, attr_tacacs_authorization_status,
880 author_status_to_packet_code, state, NULL, rcode);
881 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_AUTZ_ERROR;
882
883 }
884 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code) ||
885 (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND));
886
887 RDEBUG("Reply packet type set to %s", (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND) ? "Do-Not-Respond" : fr_tacacs_packet_names[request->reply->code]);
888
889 UPDATE_STATE(reply);
890
891 fr_assert(state->send != NULL);
892 return CALL_SEND_STATE(state);
893}
894
899
900RESUME(acct_type)
901{
902 static const fr_process_rcode_t acct_type_rcode = {
903 [RLM_MODULE_OK] = FR_TACACS_CODE_ACCT_SUCCESS,
904 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_ACCT_SUCCESS,
905 [RLM_MODULE_NOOP] = FR_TACACS_CODE_ACCT_ERROR,
906 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
907 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
908 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
909 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
910 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
911 };
912
913 rlm_rcode_t rcode = RESULT_RCODE;
914 fr_process_state_t const *state;
915
916 PROCESS_TRACE;
917
918 /*
919 * One more chance to override
920 */
921 if (!request->reply->code) {
922 request->reply->code = reply_code(request, attr_tacacs_accounting_status, acct_status_to_packet_code,
923 NULL, acct_type_rcode, rcode);
924 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
925 } else {
926 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
927 }
928
929 UPDATE_STATE(reply);
930
931 fr_assert(state->send != NULL);
932 return state->send(p_result, mctx, request);
933}
934
935static const bool acct_flag_valid[8] = {
936 false, true, true, false, /* invalid, start, stop, invalid */
937 true, true, false, false, /* watchdog - no update, watchdog - update, invalid, invalid */
938};
939
940RECV(accounting_request)
941{
942 fr_pair_t *vp;
943
944 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
945
946 /*
947 * RFC 8907 Section 7.2
948 */
949 if (vp && !acct_flag_valid[(vp->vp_uint8 & 0x0e) >> 1]) {
950 RWDEBUG("Invalid accounting request flag field %02x", vp->vp_uint8);
951 return CALL_SEND_TYPE(FR_TACACS_CODE_ACCT_ERROR);
952 }
953
954 return CALL_RECV(generic);
955}
956
957RESUME(accounting_request)
958{
959 rlm_rcode_t rcode = RESULT_RCODE;
960 fr_pair_t *vp;
961 CONF_SECTION *cs;
962 fr_dict_enum_value_t const *dv;
963 fr_process_state_t const *state;
964 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
965
966 PROCESS_TRACE;
967
968 fr_assert(rcode < RLM_MODULE_NUMCODES);
969
970 UPDATE_STATE(packet);
971
972 /*
973 * Nothing set the reply, so let's see if we need to do so.
974 *
975 * If the admin didn't set accounting-status, just
976 * use the defaults from the state machine.
977 */
978 if (!request->reply->code) {
979 request->reply->code = reply_code(request, attr_tacacs_accounting_status,
980 acct_status_to_packet_code, state, NULL, rcode);
981 } else {
982 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
983 }
984
985 /*
986 * Something set the reply code, so we reply and don't run "accounting foo { ... }"
987 */
988 if (request->reply->code) {
989 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code) ||
990 (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND));
991
992 RDEBUG("Reply packet type set to %s", (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND) ? "Do-Not-Respond" : fr_tacacs_packet_names[request->reply->code]);
993
994 UPDATE_STATE(reply);
995
996 fr_assert(state->send != NULL);
997 return CALL_SEND_STATE(state);
998 }
999
1000 /*
1001 * Run accounting foo { ... }
1002 */
1003 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
1004 if (!vp) {
1005 fail:
1006 request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
1007 UPDATE_STATE(reply);
1008 fr_assert(state->send != NULL);
1009 return CALL_SEND_STATE(state);
1010 }
1011
1012 dv = fr_dict_enum_by_value(vp->da, &vp->data);
1013 if (!dv) goto fail;
1014
1015 cs = cf_section_find(inst->server_cs, "accounting", dv->name);
1016 if (!cs) {
1017 RDEBUG2("No 'accounting %s { ... }' section found - skipping...", dv->name);
1018 goto fail;
1019 }
1020
1021 /*
1022 * Run the "accounting foo { ... }" section.
1023 *
1024 * And continue with sending the generic reply.
1025 */
1026 return unlang_module_yield_to_section(RESULT_P, request,
1027 cs, RLM_MODULE_NOOP, resume_acct_type,
1028 NULL, 0, mctx->rctx);
1029}
1030
1031static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
1032{
1033 fr_process_state_t const *state;
1034
1035 PROCESS_TRACE;
1036
1037 (void)talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
1038 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->packet->code));
1039
1040 request->component = "tacacs";
1041 request->module = NULL;
1042 fr_assert(request->proto_dict == dict_tacacs);
1043
1044 UPDATE_STATE(packet);
1045
1046 if (!state->recv) {
1047 REDEBUG("Invalid packet type (%u)", request->packet->code);
1048 RETURN_UNLANG_FAIL;
1049 }
1050
1051 // @todo - debug stuff!
1052// tacacs_packet_debug(request, request->packet, &request->request_pairs, true);
1053
1054 if (unlikely(request_is_dynamic_client(request))) {
1055 return new_client(p_result, mctx, request);
1056 }
1057
1058 return state->recv(p_result, mctx, request);
1059}
1060
1061static xlat_arg_parser_t const xlat_func_tacacs_secret_verify_args[] = {
1062 { .required = true, .single = true, .type = FR_TYPE_OCTETS },
1063 XLAT_ARG_PARSER_TERMINATOR
1064};
1065
1066/** Validates a request against a known shared secret
1067 *
1068 * Designed for the specific purpose of verifying dynamic clients
1069 * against a known shared secret in a `new client` section.
1070 *
1071 * Example:
1072@verbatim
1073%tacacs.secret.verify(<secret>)
1074@endverbatim
1075 *
1076 * @ingroup xlat_functions
1077 */
1078static xlat_action_t xlat_func_tacacs_secret_verify(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx,
1079 request_t *request, fr_value_box_list_t *args)
1080{
1081 fr_value_box_t *secret, *vb;
1082 int ret;
1083 TALLOC_CTX *local = talloc_new(NULL);
1084 fr_pair_list_t list;
1085
1086 XLAT_ARGS(args, &secret);
1087
1088 if (request->proto_dict != dict_tacacs) return XLAT_ACTION_FAIL;
1089
1090 MEM(vb = fr_value_box_alloc(ctx, FR_TYPE_BOOL, NULL));
1091
1092 /*
1093 * Attempt to decode the packet using the supplied secret.
1094 * If the decoding fails then the secret is wrong.
1095 */
1096 fr_pair_list_init(&list);
1097 ret = fr_tacacs_decode(local, &list, NULL, request->packet->data, request->packet->data_len, NULL,
1098 secret->vb_strvalue, secret->vb_length, NULL);
1099 talloc_free(local);
1100
1101 if (ret < 0) {
1102 RPEDEBUG("Failed to verify the TACACS secret");
1103 vb->vb_bool = false;
1104 } else {
1105 vb->vb_bool = true;
1106 }
1107 fr_dcursor_append(out, vb);
1108
1109 return XLAT_ACTION_DONE;
1110}
1111
1112static int mod_instantiate(module_inst_ctx_t const *mctx)
1113{
1114 process_tacacs_t *inst = talloc_get_type_abort(mctx->mi->data, process_tacacs_t);
1115
1116 inst->server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1117
1118 FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.session.max_rounds, >=, 1);
1119 FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.session.max_rounds, <=, 8);
1120
1121 FR_INTEGER_BOUND_CHECK("session.max", inst->auth.session.max_sessions, >=, 64);
1122 FR_INTEGER_BOUND_CHECK("session.max", inst->auth.session.max_sessions, <=, (1 << 18));
1123
1124 inst->auth.session.thread_safe = main_config->spawn_workers;
1125 inst->auth.session.context_id = fr_hash_string(cf_section_name2(inst->server_cs));
1126
1127 MEM(inst->auth.state_tree = fr_state_tree_init(inst, attr_tacacs_state, &inst->auth.session));
1128
1129 return 0;
1130}
1131
1132static int mod_bootstrap(module_inst_ctx_t const *mctx)
1133{
1134 CONF_SECTION *server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1135
1136 if (virtual_server_section_attribute_define(server_cs, "authenticate", attr_auth_type) < 0) return -1;
1137
1138 return 0;
1139}
1140
1141static int mod_load(void)
1142{
1143 xlat_t *xlat;
1144
1145 if (unlikely(!(xlat = xlat_func_register(NULL, "tacacs.secret.verify", xlat_func_tacacs_secret_verify,
1146 FR_TYPE_BOOL)))) return -1;
1147
1148 xlat_func_args_set(xlat, xlat_func_tacacs_secret_verify_args);
1149
1150 return 0;
1151}
1152
1153static void mod_unload(void)
1154{
1155 xlat_func_unregister("tacacs.secret.verify");
1156}
1157
1158/*
1159 * rcodes not listed under a packet_type
1160 * mean that the packet code will not be
1161 * changed.
1162 */
1163static fr_process_state_t const process_state[] = {
1164 /*
1165 * Authentication
1166 */
1167 [ FR_TACACS_CODE_AUTH_START ] = {
1168 .packet_type = {
1169 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1170 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1171 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1172 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1173 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1174 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1175 },
1176 .default_rcode = RLM_MODULE_NOOP,
1177 .recv = recv_auth_start,
1178 .resume = resume_auth_start,
1179 .section_offset = offsetof(process_tacacs_sections_t, auth_start),
1180 },
1181 [ FR_TACACS_CODE_AUTH_PASS ] = {
1182 .packet_type = {
1183 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1184 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1185 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1186 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1187 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1188 },
1189 .default_rcode = RLM_MODULE_NOOP,
1190 .result_rcode = RLM_MODULE_OK,
1191 .send = send_generic,
1192 .resume = resume_auth_pass,
1193 .section_offset = offsetof(process_tacacs_sections_t, auth_pass),
1194 },
1195 [ FR_TACACS_CODE_AUTH_FAIL ] = {
1196 .packet_type = {
1197 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1198 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1199 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1200 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1201 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1202 },
1203 .default_rcode = RLM_MODULE_NOOP,
1204 .result_rcode = RLM_MODULE_REJECT,
1205 .send = send_generic,
1206 .resume = resume_auth_fail,
1207 .section_offset = offsetof(process_tacacs_sections_t, auth_fail),
1208 },
1209 [ FR_TACACS_CODE_AUTH_GETDATA ] = {
1210 .packet_type = {
1211 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1212 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1213 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1214 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1215 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1216 },
1217 .default_rcode = RLM_MODULE_NOOP,
1218 .result_rcode = RLM_MODULE_OK,
1219 .send = send_generic,
1220 .resume = resume_auth_get,
1221 .section_offset = offsetof(process_tacacs_sections_t, auth_getdata),
1222 },
1223 [ FR_TACACS_CODE_AUTH_GETPASS ] = {
1224 .packet_type = {
1225 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1226 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1227 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1228 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1229 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1230 },
1231 .default_rcode = RLM_MODULE_NOOP,
1232 .result_rcode = RLM_MODULE_OK,
1233 .send = send_generic,
1234 .resume = resume_auth_get,
1235 .section_offset = offsetof(process_tacacs_sections_t, auth_getpass),
1236 },
1237 [ FR_TACACS_CODE_AUTH_GETUSER ] = {
1238 .packet_type = {
1239 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1240 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1241 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1242 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1243 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1244 },
1245 .default_rcode = RLM_MODULE_NOOP,
1246 .result_rcode = RLM_MODULE_OK,
1247 .send = send_generic,
1248 .resume = resume_auth_get,
1249 .section_offset = offsetof(process_tacacs_sections_t, auth_getuser),
1250 },
1251 [ FR_TACACS_CODE_AUTH_RESTART ] = {
1252 .packet_type = {
1253 },
1254 .default_rcode = RLM_MODULE_NOOP,
1255 .result_rcode = RLM_MODULE_OK,
1256 .send = send_generic,
1257 .resume = resume_auth_restart,
1258 .section_offset = offsetof(process_tacacs_sections_t, auth_restart),
1259 },
1260 [ FR_TACACS_CODE_AUTH_ERROR ] = {
1261 .packet_type = {
1262 },
1263 .default_rcode = RLM_MODULE_NOOP,
1264 .result_rcode = RLM_MODULE_REJECT,
1265 .send = send_generic,
1266 .resume = resume_auth_restart,
1267 .section_offset = offsetof(process_tacacs_sections_t, auth_error),
1268 },
1269
1270 [ FR_TACACS_CODE_AUTH_CONT ] = {
1271 .packet_type = {
1272 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1273 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1274 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1275 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1276 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1277 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1278 },
1279 .default_rcode = RLM_MODULE_NOOP,
1280 .result_rcode = RLM_MODULE_OK,
1281 .recv = recv_auth_cont,
1282 .resume = resume_auth_start, /* we go back to running 'authenticate', etc. */
1283 .section_offset = offsetof(process_tacacs_sections_t, auth_cont),
1284 },
1285 [ FR_TACACS_CODE_AUTH_CONT_ABORT ] = {
1286 .packet_type = {
1287 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1288 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1289 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1290 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1291 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1292 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1293 },
1294 .default_rcode = RLM_MODULE_NOOP,
1295 .result_rcode = RLM_MODULE_REJECT,
1296 .recv = recv_auth_cont_abort,
1297 .resume = resume_auth_cont_abort,
1298 .section_offset = offsetof(process_tacacs_sections_t, auth_cont_abort),
1299 },
1300
1301 /*
1302 * Authorization
1303 */
1304 [ FR_TACACS_CODE_AUTZ_REQUEST ] = {
1305 .packet_type = {
1306 [RLM_MODULE_NOOP] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1307 [RLM_MODULE_OK] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1308 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1309 [RLM_MODULE_HANDLED] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1310
1311 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1312 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1313 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1314 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1315 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1316 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1317 },
1318 .default_rcode = RLM_MODULE_NOOP,
1319 .recv = recv_generic,
1320 .resume = resume_autz_request,
1321 .section_offset = offsetof(process_tacacs_sections_t, autz_request),
1322 },
1323 [ FR_TACACS_CODE_AUTZ_PASS_ADD ] = {
1324 .packet_type = {
1325 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1326 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1327 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1328 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1329 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1330 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1331 },
1332 .default_rcode = RLM_MODULE_NOOP,
1333 .result_rcode = RLM_MODULE_OK,
1334 .send = send_generic,
1335 .resume = resume_send_generic,
1336 .section_offset = offsetof(process_tacacs_sections_t, autz_pass_add),
1337 },
1338 [ FR_TACACS_CODE_AUTZ_PASS_REPLACE ] = {
1339 .packet_type = {
1340 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1341 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1342 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1343 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1344 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1345 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1346 },
1347 .default_rcode = RLM_MODULE_NOOP,
1348 .result_rcode = RLM_MODULE_OK,
1349 .send = send_generic,
1350 .resume = resume_send_generic,
1351 .section_offset = offsetof(process_tacacs_sections_t, autz_pass_replace),
1352 },
1353 [ FR_TACACS_CODE_AUTZ_FAIL ] = {
1354 .packet_type = {
1355 },
1356 .default_rcode = RLM_MODULE_NOOP,
1357 .result_rcode = RLM_MODULE_REJECT,
1358 .send = send_generic,
1359 .resume = resume_send_generic,
1360 .section_offset = offsetof(process_tacacs_sections_t, autz_fail),
1361 },
1362 [ FR_TACACS_CODE_AUTZ_ERROR ] = {
1363 .packet_type = {
1364 },
1365 .default_rcode = RLM_MODULE_NOOP,
1366 .result_rcode = RLM_MODULE_REJECT,
1367 .send = send_generic,
1368 .resume = resume_send_generic,
1369 .section_offset = offsetof(process_tacacs_sections_t, autz_error),
1370 },
1371
1372 /*
1373 * Accounting
1374 */
1375 [ FR_TACACS_CODE_ACCT_REQUEST ] = {
1376 .packet_type = {
1377 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
1378 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
1379 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
1380 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
1381 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
1382 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1383 },
1384 .default_rcode = RLM_MODULE_NOOP,
1385 .recv = recv_accounting_request,
1386 .resume = resume_accounting_request,
1387 .section_offset = offsetof(process_tacacs_sections_t, acct_request),
1388 },
1389 [ FR_TACACS_CODE_ACCT_SUCCESS ] = {
1390 .packet_type = {
1391 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
1392 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
1393 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
1394 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
1395 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
1396 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1397 },
1398 .default_rcode = RLM_MODULE_NOOP,
1399 .result_rcode = RLM_MODULE_OK,
1400 .send = send_generic,
1401 .resume = resume_send_generic,
1402 .section_offset = offsetof(process_tacacs_sections_t, acct_success),
1403 },
1404 [ FR_TACACS_CODE_ACCT_ERROR ] = {
1405 .packet_type = {
1406 },
1407 .default_rcode = RLM_MODULE_NOOP,
1408 .result_rcode = RLM_MODULE_FAIL,
1409 .send = send_generic,
1410 .resume = resume_send_generic,
1411 .section_offset = offsetof(process_tacacs_sections_t, acct_error),
1412 },
1413 [ FR_TACACS_CODE_DO_NOT_RESPOND ] = {
1414 .packet_type = {
1415 [RLM_MODULE_NOOP] = FR_TACACS_CODE_DO_NOT_RESPOND,
1416 [RLM_MODULE_OK] = FR_TACACS_CODE_DO_NOT_RESPOND,
1417 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_DO_NOT_RESPOND,
1418 [RLM_MODULE_HANDLED] = FR_TACACS_CODE_DO_NOT_RESPOND,
1419
1420 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_DO_NOT_RESPOND,
1421 [RLM_MODULE_FAIL] = FR_TACACS_CODE_DO_NOT_RESPOND,
1422 [RLM_MODULE_INVALID] = FR_TACACS_CODE_DO_NOT_RESPOND,
1423 [RLM_MODULE_REJECT] = FR_TACACS_CODE_DO_NOT_RESPOND,
1424 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_DO_NOT_RESPOND,
1425 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1426 },
1427 .default_rcode = RLM_MODULE_NOOP,
1428 .result_rcode = RLM_MODULE_HANDLED,
1429 .send = send_generic,
1430 .resume = resume_send_generic,
1431 .section_offset = offsetof(process_tacacs_sections_t, do_not_respond),
1432 }
1433};
1434
1435
1436static virtual_server_compile_t compile_list[] = {
1437 /**
1438 * Basically, the TACACS+ protocol use same type "authenticate" to handle
1439 * Start and Continue requests. (yep, you're right. it's horrible)
1440 * Therefore, we split the same "auth" type into two different sections just
1441 * to allow the user to have different logic for that.
1442 *
1443 * If you want to cry, just take a look at
1444 *
1445 * https://tools.ietf.org/html/rfc8907 Section 4.
1446 *
1447 * This should be an abject lesson in how NOT to design a
1448 * protocol. Pretty much everything they did was wrong.
1449 */
1450 {
1451 .section = SECTION_NAME("recv", "Authentication-Start"),
1452 .actions = &mod_actions_authenticate,
1453 .offset = PROCESS_CONF_OFFSET(auth_start),
1454 },
1455 {
1456 .section = SECTION_NAME("send", "Authentication-Pass"),
1457 .actions = &mod_actions_postauth,
1458 .offset = PROCESS_CONF_OFFSET(auth_pass),
1459 },
1460 {
1461 .section = SECTION_NAME("send", "Authentication-Fail"),
1462 .actions = &mod_actions_postauth,
1463 .offset = PROCESS_CONF_OFFSET(auth_fail),
1464 },
1465 {
1466 .section = SECTION_NAME("send", "Authentication-GetData"),
1467 .actions = &mod_actions_postauth,
1468 .offset = PROCESS_CONF_OFFSET(auth_getdata),
1469 },
1470 {
1471 .section = SECTION_NAME("send", "Authentication-GetUser"),
1472 .actions = &mod_actions_postauth,
1473 .offset = PROCESS_CONF_OFFSET(auth_getuser),
1474 },
1475 {
1476 .section = SECTION_NAME("send", "Authentication-GetPass"),
1477 .actions = &mod_actions_postauth,
1478 .offset = PROCESS_CONF_OFFSET(auth_getpass),
1479 },
1480 {
1481 .section = SECTION_NAME("send", "Authentication-Restart"),
1482 .actions = &mod_actions_postauth,
1483 .offset = PROCESS_CONF_OFFSET(auth_restart),
1484 },
1485 {
1486 .section = SECTION_NAME("send", "Authentication-Error"),
1487 .actions = &mod_actions_postauth,
1488 .offset = PROCESS_CONF_OFFSET(auth_error),
1489 },
1490 {
1491 .section = SECTION_NAME("recv", "Authentication-Continue"),
1492 .actions = &mod_actions_authenticate,
1493 .offset = PROCESS_CONF_OFFSET(auth_cont),
1494 },
1495 {
1496 .section = SECTION_NAME("recv", "Authentication-Continue-Abort"),
1497 .actions = &mod_actions_authenticate,
1498 .offset = PROCESS_CONF_OFFSET(auth_cont_abort),
1499 },
1500
1501 {
1502 .section = SECTION_NAME("authenticate", CF_IDENT_ANY),
1503 .actions = &mod_actions_authenticate,
1504 },
1505
1506 /* authorization */
1507
1508 {
1509 .section = SECTION_NAME("recv", "Authorization-Request"),
1510 .actions = &mod_actions_authorize,
1511 .offset = PROCESS_CONF_OFFSET(autz_request),
1512 },
1513 {
1514 .section = SECTION_NAME("send", "Authorization-Pass-Add"),
1515 .actions = &mod_actions_postauth,
1516 .offset = PROCESS_CONF_OFFSET(autz_pass_add),
1517 },
1518 {
1519 .section = SECTION_NAME("send", "Authorization-Pass-Replace"),
1520 .actions = &mod_actions_postauth,
1521 .offset = PROCESS_CONF_OFFSET(autz_pass_replace),
1522 },
1523 {
1524 .section = SECTION_NAME("send", "Authorization-Fail"),
1525 .actions = &mod_actions_postauth,
1526 .offset = PROCESS_CONF_OFFSET(autz_fail),
1527 },
1528 {
1529 .section = SECTION_NAME("send", "Authorization-Error"),
1530 .actions = &mod_actions_postauth,
1531 .offset = PROCESS_CONF_OFFSET(autz_error),
1532 },
1533
1534 /* accounting */
1535
1536 {
1537 .section = SECTION_NAME("recv", "Accounting-Request"),
1538 .actions = &mod_actions_accounting,
1539 .offset = PROCESS_CONF_OFFSET(acct_request),
1540 },
1541 {
1542 .section = SECTION_NAME("send", "Accounting-Success"),
1543 .actions = &mod_actions_postauth,
1544 .offset = PROCESS_CONF_OFFSET(acct_success),
1545 },
1546 {
1547 .section = SECTION_NAME("send", "Accounting-Error"),
1548 .actions = &mod_actions_postauth,
1549 .offset = PROCESS_CONF_OFFSET(acct_error),
1550 },
1551
1552 {
1553 .section = SECTION_NAME("accounting", CF_IDENT_ANY),
1554 .actions = &mod_actions_accounting,
1555 },
1556
1557 {
1558 .section = SECTION_NAME("send", "Do-Not-Respond"),
1559 .actions = &mod_actions_postauth,
1560 .offset = PROCESS_CONF_OFFSET(do_not_respond),
1561 },
1562
1563 DYNAMIC_CLIENT_SECTIONS,
1564
1565 COMPILE_TERMINATOR
1566};
1567
1568
1569extern fr_process_module_t process_tacacs;
1570fr_process_module_t process_tacacs = {
1571 .common = {
1572 .magic = MODULE_MAGIC_INIT,
1573 .name = "tacacs",
1574 .config = config,
1575 MODULE_INST(process_tacacs_t),
1576 MODULE_RCTX(process_rctx_t),
1577 .onload = mod_load,
1578 .unload = mod_unload,
1579 .bootstrap = mod_bootstrap,
1580 .instantiate = mod_instantiate
1581 },
1582 .process = mod_process,
1583 .compile_list = compile_list,
1584 .dict = &dict_tacacs,
1585 .packet_type = &attr_packet_type
1586};
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
UNLANG_ACTION_CALCULATE_RESULT
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition action.h:37
args
va_list args
Definition acutest.h:770
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:343
unlikely
#define unlikely(_x)
Definition build.h:407
UNUSED
#define UNUSED
Definition build.h:336
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:657
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:517
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:334
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:423
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:594
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_section_name2
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1187
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1029
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:685
cf_parent
#define cf_parent(_cf)
Definition cf_util.h:98
cf_filename
#define cf_filename(_cf)
Definition cf_util.h:104
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:75
fr_dcursor_append
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
Definition dcursor.h:406
fr_dcursor_s
Definition dcursor.h:91
MEM
#define MEM(x)
Definition debug.h:46
fr_dict_enum_autoload_t::out
fr_value_box_t const ** out
Enumeration value.
Definition dict.h:281
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:292
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:305
fr_dict_enum_value_t::value
fr_value_box_t const * value
Enum value (what name maps to).
Definition dict.h:257
fr_dict_enum_by_value
fr_dict_enum_value_t const * fr_dict_enum_by_value(fr_dict_attr_t const *da, fr_value_box_t const *value)
Lookup the structure representing an enum value in a fr_dict_attr_t.
Definition dict_util.c:3655
DICT_AUTOLOAD_TERMINATOR
#define DICT_AUTOLOAD_TERMINATOR
Definition dict.h:311
fr_dict_enum_value_t::name
char const * name
Enum name.
Definition dict.h:254
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:291
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:304
fr_dict_enum_autoload_t
Specifies a value which must be present for the module to function.
Definition dict.h:280
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition dict.h:253
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
xlat_func_tacacs_secret_verify
static xlat_action_t xlat_func_tacacs_secret_verify(TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *args)
Validates a request against a known shared secret.
Definition base.c:1078
fr_hash64
uint64_t fr_hash64(void const *data, size_t size)
Definition hash.c:940
fr_hash_string
uint32_t fr_hash_string(char const *p)
Definition hash.c:900
fr_hash64_update
uint64_t fr_hash64_update(void const *data, size_t size, uint64_t hash)
Definition hash.c:968
talloc_free
talloc_free(hp)
unlang_result_t
Definition interpret.h:133
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition base.c:37
attr_packet_type
fr_dict_attr_t const * attr_packet_type
Definition base.c:91
attr_user_name
fr_dict_attr_t const * attr_user_name
Definition base.c:102
attr_module_failure_message
static fr_dict_attr_t const * attr_module_failure_message
Definition log.c:206
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:455
RWDEBUG
#define RWDEBUG(fmt,...)
Definition log.h:373
RPEDEBUG
#define RPEDEBUG(fmt,...)
Definition log.h:388
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition log.h:442
fr_debug_lvl
int fr_debug_lvl
Definition log.c:40
L_DBG_LVL_2
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:68
main_config
main_config_t const * main_config
Main server configuration.
Definition main_config.c:58
main_config_s::spawn_workers
bool spawn_workers
Should the server spawn threads.
Definition main_config.h:58
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition master.c:2898
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_UINT8
@ FR_TYPE_UINT8
8 Bit unsigned integer.
Definition merged_model.c:97
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_BOOL
@ FR_TYPE_BOOL
A truth value.
Definition merged_model.c:95
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
UINT8_MAX
#define UINT8_MAX
Definition merged_model.c:32
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
fr_value_box_t
Definition merged_model.c:136
request_t
Definition merged_model.c:210
mod_actions_authenticate
unlang_mod_actions_t const mod_actions_authenticate
Definition mod_action.c:29
mod_actions_accounting
unlang_mod_actions_t const mod_actions_accounting
Definition mod_action.c:77
mod_actions_authorize
unlang_mod_actions_t const mod_actions_authorize
Definition mod_action.c:45
mod_actions_postauth
unlang_mod_actions_t const mod_actions_postauth
Definition mod_action.c:92
unlang_mod_actions_t::actions
unlang_mod_action_t actions[RLM_MODULE_NUMCODES]
Definition mod_action.h:69
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
fr_pair_list_copy
int fr_pair_list_copy(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from)
Duplicate a list of pairs.
Definition pair.c:2326
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2962
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:784
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:707
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1352
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:290
fr_pair_list_init
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
mod_process
static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition base.c:188
compile_list
static const virtual_server_compile_t compile_list[]
Definition base.c:214
process_state
static fr_process_state_t const process_state[]
Definition base.c:69
RESUME_FLAG
RESUME_FLAG(recv_bfd, UNUSED,)
Definition base.c:119
attr_module_success_message
static fr_dict_attr_t const * attr_module_success_message
Definition base.c:37
RECV
RECV(for_any_server)
Validate a solicit/rebind/confirm message.
Definition base.c:400
mod_load
static int mod_load(void)
Definition base.c:228
mod_unload
static void mod_unload(void)
Definition base.c:237
attr_user_password
static fr_dict_attr_t const * attr_user_password
Definition base.c:60
attr_stripped_user_name
static fr_dict_attr_t const * attr_stripped_user_name
Definition base.c:53
mod_bootstrap
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Definition base.c:848
attr_auth_type
static fr_dict_attr_t const * attr_auth_type
Definition base.c:50
enum_auth_type_reject
static fr_value_box_t const * enum_auth_type_reject
Definition base.c:85
auth_config
static const conf_parser_t auth_config[]
Definition base.c:157
enum_auth_type_accept
static fr_value_box_t const * enum_auth_type_accept
Definition base.c:84
config
static const conf_parser_t config[]
Definition base.c:163
process_tacacs
fr_process_module_t process_tacacs
Definition base.c:1570
attr_tacacs_authentication_flags
static fr_dict_attr_t const * attr_tacacs_authentication_flags
Definition base.c:53
process_tacacs_sections_t::autz_pass_add
CONF_SECTION * autz_pass_add
Definition base.c:144
process_tacacs_session_t::list
fr_pair_list_t list
copied from the request
Definition base.c:181
process_tacacs_sections_t::new_client
CONF_SECTION * new_client
Definition base.c:155
enum_tacacs_auth_type_ascii
static fr_value_box_t const * enum_tacacs_auth_type_ascii
Definition base.c:116
process_tacacs_sections_t::add_client
CONF_SECTION * add_client
Definition base.c:156
process_tacacs_sections_t::auth_pass
CONF_SECTION * auth_pass
Definition base.c:132
process_tacacs_sections_t::auth_start
CONF_SECTION * auth_start
Definition base.c:131
process_tacacs_sections_t::acct_success
CONF_SECTION * acct_success
Definition base.c:150
process_tacacs_sections_t::auth_error
CONF_SECTION * auth_error
Definition base.c:138
process_tacacs_sections_t::acct_request
CONF_SECTION * acct_request
Definition base.c:149
process_tacacs_sections_t::auth_cont_abort
CONF_SECTION * auth_cont_abort
Definition base.c:141
process_tacacs_dict_attr
fr_dict_attr_autoload_t process_tacacs_dict_attr[]
Definition base.c:77
xlat_func_tacacs_secret_verify_args
static xlat_arg_parser_t const xlat_func_tacacs_secret_verify_args[]
Definition base.c:1061
attr_tacacs_user_message
static fr_dict_attr_t const * attr_tacacs_user_message
Definition base.c:70
process_tacacs_t::server_cs
CONF_SECTION * server_cs
Our virtual server.
Definition base.c:166
attr_chap_password
static fr_dict_attr_t const * attr_chap_password
Definition base.c:74
process_tacacs_sections_t::auth_cont
CONF_SECTION * auth_cont
Definition base.c:140
acct_status_to_packet_code
static const uint32_t acct_status_to_packet_code[UINT8_MAX+1]
Definition base.c:895
process_tacacs_sections_t::auth_restart
CONF_SECTION * auth_restart
Definition base.c:137
authen_status_to_packet_code
static const uint32_t authen_status_to_packet_code[UINT8_MAX+1]
Definition base.c:347
process_tacacs_t::sections
process_tacacs_sections_t sections
Pointers to various config sections we need to execute.
Definition base.c:170
reply_code
static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da, uint32_t const status2code[static UINT8_MAX+1], fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
Try and determine what the response packet type should be.
Definition base.c:264
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition base.c:36
process_tacacs_dict_enum
fr_dict_enum_autoload_t process_tacacs_dict_enum[]
Definition base.c:119
COPY_MISSING
#define COPY_MISSING(_attr)
attr_tacacs_session_id
static fr_dict_attr_t const * attr_tacacs_session_id
Definition base.c:67
attr_tacacs_server_message
static fr_dict_attr_t const * attr_tacacs_server_message
Definition base.c:66
process_tacacs_sections_t::autz_error
CONF_SECTION * autz_error
Definition base.c:147
process_tacacs_sections_t::do_not_respond
CONF_SECTION * do_not_respond
Definition base.c:153
author_status_to_packet_code
static const uint32_t author_status_to_packet_code[UINT8_MAX+1]
Definition base.c:850
enum_auth_flags_noecho
static fr_value_box_t const * enum_auth_flags_noecho
Definition base.c:115
process_tacacs_sections_t::autz_pass_replace
CONF_SECTION * autz_pass_replace
Definition base.c:145
process_tacacs_session_t::reply
uint32_t reply
for multiround state machine
Definition base.c:179
EXTRACT
#define EXTRACT(_attr)
process_tacacs_sections_t::auth_getuser
CONF_SECTION * auth_getuser
Definition base.c:135
attr_tacacs_privilege_level
static fr_dict_attr_t const * attr_tacacs_privilege_level
Definition base.c:64
process_tacacs_sections_t::auth_getdata
CONF_SECTION * auth_getdata
Definition base.c:134
attr_tacacs_authentication_type
static fr_dict_attr_t const * attr_tacacs_authentication_type
Definition base.c:54
process_tacacs_sections_t::acct_error
CONF_SECTION * acct_error
Definition base.c:151
attr_tacacs_accounting_status
static fr_dict_attr_t const * attr_tacacs_accounting_status
Definition base.c:59
process_tacacs_sections_t::autz_request
CONF_SECTION * autz_request
Definition base.c:143
process_tacacs_auth_t::session
fr_state_config_t session
track state session information.
Definition base.c:161
acct_flag_valid
static const bool acct_flag_valid[8]
Definition base.c:935
attr_tacacs_authentication_service
static fr_dict_attr_t const * attr_tacacs_authentication_service
Definition base.c:55
attr_tacacs_authentication_status
static fr_dict_attr_t const * attr_tacacs_authentication_status
Definition base.c:56
process_tacacs_sections_t::deny_client
CONF_SECTION * deny_client
Definition base.c:157
process_tacacs_sections_t::auth_fail
CONF_SECTION * auth_fail
Definition base.c:133
attr_tacacs_authentication_action
static fr_dict_attr_t const * attr_tacacs_authentication_action
Definition base.c:52
attr_tacacs_client_port
static fr_dict_attr_t const * attr_tacacs_client_port
Definition base.c:62
process_tacacs_t::auth
process_tacacs_auth_t auth
Authentication configuration.
Definition base.c:173
attr_tacacs_remote_address
static fr_dict_attr_t const * attr_tacacs_remote_address
Definition base.c:65
process_tacacs_session_t::seq_no
uint8_t seq_no
sequence number of last request.
Definition base.c:180
process_tacacs_auth_t::state_tree
fr_state_tree_t * state_tree
State tree to link multiple requests/responses.
Definition base.c:162
COPY
#define COPY(_attr)
attr_tacacs_action
static fr_dict_attr_t const * attr_tacacs_action
Definition base.c:51
attr_tacacs_sequence_number
static fr_dict_attr_t const * attr_tacacs_sequence_number
Definition base.c:68
attr_tacacs_authorization_status
static fr_dict_attr_t const * attr_tacacs_authorization_status
Definition base.c:58
process_tacacs_sections_t::autz_fail
CONF_SECTION * autz_fail
Definition base.c:146
attr_tacacs_accounting_flags
static fr_dict_attr_t const * attr_tacacs_accounting_flags
Definition base.c:60
attr_tacacs_data
static fr_dict_attr_t const * attr_tacacs_data
Definition base.c:63
attr_tacacs_state
static fr_dict_attr_t const * attr_tacacs_state
Definition base.c:69
process_tacacs_t::session_id
uint32_t session_id
current session ID
Definition base.c:168
process_tacacs_sections_t::auth_getpass
CONF_SECTION * auth_getpass
Definition base.c:136
process_tacacs_dict
fr_dict_autoload_t process_tacacs_dict[]
Definition base.c:39
state_create
static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
Definition base.c:211
process_tacacs_auth_t
Definition base.c:160
process_tacacs_sections_t
Definition base.c:128
process_tacacs_session_t
Definition base.c:178
process_tacacs_t
Definition base.c:165
PROCESS_TRACE
#define PROCESS_TRACE
Trace each state function as it's entered.
Definition process.h:55
PROCESS_CONF_OFFSET
#define PROCESS_CONF_OFFSET(_x)
Definition process.h:79
fr_process_module_t::common
module_t common
Common fields for all loadable modules.
Definition process_types.h:39
fr_process_module_t
Common public symbol definition for all process modules.
Definition process_types.h:38
fr_tacacs_packet_names
char const * fr_tacacs_packet_names[FR_TACACS_CODE_MAX]
Definition base.c:119
fr_tacacs_decode
ssize_t fr_tacacs_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dict_attr_t const *vendor, uint8_t const *buffer, size_t buffer_len, const uint8_t *original, char const *const secret, size_t secret_len, int *code)
Decode a TACACS+ packet.
Definition decode.c:415
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:37
secret
static char * secret
Definition radclient-ng.c:68
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient-ng.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient-ng.h:54
RDEBUG
#define RDEBUG(fmt,...)
Definition radclient-ng.h:53
send_reply
static void send_reply(int sockfd, fr_channel_data_t *reply)
Definition radius1_test.c:186
rcode_table
fr_table_num_sorted_t const rcode_table[]
Definition rcode.c:35
RETURN_UNLANG_FAIL
#define RETURN_UNLANG_FAIL
Definition rcode.h:63
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:44
RLM_MODULE_INVALID
@ RLM_MODULE_INVALID
The module considers the request invalid.
Definition rcode.h:51
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:49
RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:48
RLM_MODULE_DISALLOW
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition rcode.h:52
RLM_MODULE_REJECT
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:47
RLM_MODULE_TIMEOUT
@ RLM_MODULE_TIMEOUT
Module (or section) timed out.
Definition rcode.h:56
RLM_MODULE_NOTFOUND
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:53
RLM_MODULE_UPDATED
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition rcode.h:55
RLM_MODULE_NOOP
@ RLM_MODULE_NOOP
Module succeeded without doing anything.
Definition rcode.h:54
RLM_MODULE_NUMCODES
@ RLM_MODULE_NUMCODES
How many valid return codes there are.
Definition rcode.h:57
RLM_MODULE_HANDLED
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition rcode.h:50
request_is_dynamic_client
#define request_is_dynamic_client(_x)
Definition request.h:188
request_data_reference
void * request_data_reference(request_t *request, void const *unique_ptr, int unique_int)
Get opaque data from a request without removing it.
Definition request_data.c:339
request_data_talloc_add
#define request_data_talloc_add(_request, _unique_ptr, _unique_int, _type, _opaque, _free_on_replace, _free_on_parent, _persist)
Add opaque data to a request_t.
Definition request_data.h:86
process_rcode
static unlang_action_t process_rcode(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_peap.c:741
hash
static unsigned int hash(char const *username, unsigned int tablesize)
Definition rlm_passwd.c:132
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:39
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:351
module_instance_s::data
void * data
Module's instance data.
Definition module.h:293
MODULE_RCTX
#define MODULE_RCTX(_ctype)
Definition module.h:259
MODULE_INST
#define MODULE_INST(_ctype)
Definition module.h:257
module_s::config
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:206
pair_delete_reply
#define pair_delete_reply(_pair_or_da)
Delete a fr_pair_t in the reply list.
Definition pair.h:181
pair_append_reply
#define pair_append_reply(_attr, _da)
Allocate and append a fr_pair_t to reply list.
Definition pair.h:47
fr_state_restore
int fr_state_restore(fr_state_tree_t *state, request_t *request)
Copy a pointer to the head of the list of state fr_pair_ts (and their ctx) into the request.
Definition state.c:735
fr_state_discard
void fr_state_discard(fr_state_tree_t *state, request_t *request)
Called when sending an Access-Accept/Access-Reject to discard state information.
Definition state.c:681
fr_state_store
int fr_state_store(fr_state_tree_t *state, request_t *request)
Transfer ownership of the state fr_pair_ts and ctx, back to a state entry.
Definition state.c:811
state_session_config
const conf_parser_t state_session_config[]
Definition state.c:59
fr_state_tree_init
fr_state_tree_t * fr_state_tree_init(TALLOC_CTX *ctx, fr_dict_attr_t const *da, fr_state_config_t const *config)
Initialise a new state tree.
Definition state.c:232
fr_state_tree_s
Definition state.c:155
unlang_module_yield_to_section
unlang_action_t unlang_module_yield_to_section(unlang_result_t *p_result, request_t *request, CONF_SECTION *subcs, rlm_rcode_t default_rcode, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Definition module.c:236
fr_state_config_t
Definition state.h:40
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3645
RESUME
#define RESUME(_x)
Definition state_machine.c:50
vp
fr_pair_t * vp
Definition state_machine.c:2287
pair_list_s
Definition pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
fr_table_str_by_value
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772
FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
Definition tacacs.h:211
FR_TAC_PLUS_AUTHOR_STATUS_ERROR
@ FR_TAC_PLUS_AUTHOR_STATUS_ERROR
Definition tacacs.h:214
FR_TAC_PLUS_AUTHOR_STATUS_FAIL
@ FR_TAC_PLUS_AUTHOR_STATUS_FAIL
Definition tacacs.h:213
FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
Definition tacacs.h:212
FR_TACACS_PACKET_CODE_VALID
#define FR_TACACS_PACKET_CODE_VALID(_code)
Definition tacacs.h:322
packet_is_authen_start_request
#define packet_is_authen_start_request(p)
3.4.
Definition tacacs.h:49
FR_TACACS_CODE_ACCT_ERROR
@ FR_TACACS_CODE_ACCT_ERROR
Definition tacacs.h:315
FR_TACACS_CODE_DO_NOT_RESPOND
@ FR_TACACS_CODE_DO_NOT_RESPOND
Definition tacacs.h:318
FR_TACACS_CODE_ACCT_REQUEST
@ FR_TACACS_CODE_ACCT_REQUEST
Definition tacacs.h:313
FR_TACACS_CODE_AUTZ_REQUEST
@ FR_TACACS_CODE_AUTZ_REQUEST
Definition tacacs.h:307
FR_TACACS_CODE_AUTH_GETDATA
@ FR_TACACS_CODE_AUTH_GETDATA
Definition tacacs.h:298
FR_TACACS_CODE_AUTH_RESTART
@ FR_TACACS_CODE_AUTH_RESTART
Definition tacacs.h:301
FR_TACACS_CODE_AUTZ_PASS_REPLACE
@ FR_TACACS_CODE_AUTZ_PASS_REPLACE
Definition tacacs.h:309
FR_TACACS_CODE_AUTH_GETUSER
@ FR_TACACS_CODE_AUTH_GETUSER
Definition tacacs.h:299
FR_TACACS_CODE_AUTH_GETPASS
@ FR_TACACS_CODE_AUTH_GETPASS
Definition tacacs.h:300
FR_TACACS_CODE_AUTZ_FAIL
@ FR_TACACS_CODE_AUTZ_FAIL
Definition tacacs.h:310
FR_TACACS_CODE_AUTH_CONT_ABORT
@ FR_TACACS_CODE_AUTH_CONT_ABORT
Definition tacacs.h:305
FR_TACACS_CODE_AUTH_PASS
@ FR_TACACS_CODE_AUTH_PASS
Definition tacacs.h:296
FR_TACACS_CODE_AUTH_CONT
@ FR_TACACS_CODE_AUTH_CONT
Definition tacacs.h:304
FR_TACACS_CODE_AUTZ_PASS_ADD
@ FR_TACACS_CODE_AUTZ_PASS_ADD
Definition tacacs.h:308
FR_TACACS_CODE_AUTH_START
@ FR_TACACS_CODE_AUTH_START
Definition tacacs.h:295
FR_TACACS_CODE_AUTH_FAIL
@ FR_TACACS_CODE_AUTH_FAIL
Definition tacacs.h:297
FR_TACACS_CODE_AUTH_ERROR
@ FR_TACACS_CODE_AUTH_ERROR
Definition tacacs.h:302
FR_TACACS_CODE_AUTZ_ERROR
@ FR_TACACS_CODE_AUTZ_ERROR
Definition tacacs.h:311
FR_TACACS_CODE_ACCT_SUCCESS
@ FR_TACACS_CODE_ACCT_SUCCESS
Definition tacacs.h:314
FR_TAC_PLUS_ACCT_STATUS_SUCCESS
@ FR_TAC_PLUS_ACCT_STATUS_SUCCESS
Definition tacacs.h:255
FR_TAC_PLUS_ACCT_STATUS_ERROR
@ FR_TAC_PLUS_ACCT_STATUS_ERROR
Definition tacacs.h:256
FR_TAC_PLUS_AUTHEN_STATUS_PASS
@ FR_TAC_PLUS_AUTHEN_STATUS_PASS
Definition tacacs.h:151
FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
@ FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
Definition tacacs.h:153
FR_TAC_PLUS_AUTHEN_STATUS_ERROR
@ FR_TAC_PLUS_AUTHEN_STATUS_ERROR
Definition tacacs.h:157
FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
@ FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
Definition tacacs.h:154
FR_TAC_PLUS_AUTHEN_STATUS_FAIL
@ FR_TAC_PLUS_AUTHEN_STATUS_FAIL
Definition tacacs.h:152
FR_TAC_PLUS_AUTHEN_STATUS_RESTART
@ FR_TAC_PLUS_AUTHEN_STATUS_RESTART
Definition tacacs.h:156
FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
@ FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
Definition tacacs.h:155
fr_tacacs_packet_t
Definition tacacs.h:276
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:110
XLAT_ARGS
#define XLAT_ARGS(_list,...)
Populate local variables with value boxes from the input list.
Definition xlat.h:383
xlat_arg_parser_t::required
unsigned int required
Argument must be present, and non-empty.
Definition xlat.h:146
XLAT_ARG_PARSER_TERMINATOR
#define XLAT_ARG_PARSER_TERMINATOR
Definition xlat.h:170
xlat_action_t
xlat_action_t
Definition xlat.h:37
XLAT_ACTION_FAIL
@ XLAT_ACTION_FAIL
An xlat function failed.
Definition xlat.h:44
XLAT_ACTION_DONE
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
Definition xlat.h:43
xlat_arg_parser_t
Definition for a single argument consumed by an xlat function.
Definition xlat.h:145
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition pair_inline.c:69
fr_value_box_cmp
int8_t fr_value_box_cmp(fr_value_box_t const *a, fr_value_box_t const *b)
Compare two values.
Definition value.c:748
fr_value_box_copy
int fr_value_box_copy(TALLOC_CTX *ctx, fr_value_box_t *dst, const fr_value_box_t *src)
Copy value data verbatim duplicating any buffers.
Definition value.c:4379
fr_value_box_alloc
#define fr_value_box_alloc(_ctx, _type, _enumv)
Allocate a value box of a specific type.
Definition value.h:644
out
static size_t char ** out
Definition value.h:1030
virtual_server_section_attribute_define
int virtual_server_section_attribute_define(CONF_SECTION *server_cs, char const *subcs_name, fr_dict_attr_t const *da)
Define a values for Auth-Type attributes by the sections present in a virtual-server.
Definition virtual_servers.c:1562
virtual_server_compile_s::section
section_name_t const * section
Identifier for the section.
Definition virtual_servers.h:135
COMPILE_TERMINATOR
#define COMPILE_TERMINATOR
Definition virtual_servers.h:145
virtual_server_compile_s
Processing sections which are allowed in this virtual server.
Definition virtual_servers.h:134
xlat_ctx_s
An xlat calling ctx.
Definition xlat_ctx.h:49
xlat_func_args_set
int xlat_func_args_set(xlat_t *x, xlat_arg_parser_t const args[])
Register the arguments of an xlat.
Definition xlat_func.c:363
xlat_func_register
xlat_t * xlat_func_register(TALLOC_CTX *ctx, char const *name, xlat_func_t func, fr_type_t return_type)
Register an xlat function.
Definition xlat_func.c:216
xlat_func_unregister
void xlat_func_unregister(char const *name)
Unregister an xlat function.
Definition xlat_func.c:516
xlat_s
Definition xlat_priv.h:59
Generated by   doxygen 1.9.8