The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 98866516843443f96008ba5bf8f339e945ca3328 $
19 * @file src/process/tacacs/base.c
20 * @brief TACACS+ handler.
21 * @author Jorge Pereira <jpereira@freeradius.org>
22 *
23 * @copyright 2020 The FreeRADIUS server project.
24 * @copyright 2020 Network RADIUS SAS (legal@networkradius.com)
25 */
26#include <freeradius-devel/io/listen.h>
27#include <freeradius-devel/io/master.h>
28#include <freeradius-devel/server/main_config.h>
29#include <freeradius-devel/server/protocol.h>
30#include <freeradius-devel/server/state.h>
31#include <freeradius-devel/server/rcode.h>
32#include <freeradius-devel/tacacs/tacacs.h>
33#include <freeradius-devel/unlang/call.h>
34#include <freeradius-devel/util/debug.h>
35
36#include <freeradius-devel/protocol/tacacs/tacacs.h>
37
38static fr_dict_t const *dict_freeradius;
39static fr_dict_t const *dict_tacacs;
40
41extern fr_dict_autoload_t process_tacacs_dict[];
42fr_dict_autoload_t process_tacacs_dict[] = {
43 { .out = &dict_freeradius, .proto = "freeradius" },
44 { .out = &dict_tacacs, .proto = "tacacs" },
45 DICT_AUTOLOAD_TERMINATOR
46};
47
48static fr_dict_attr_t const *attr_auth_type;
49static fr_dict_attr_t const *attr_module_failure_message;
50static fr_dict_attr_t const *attr_module_success_message;
51static fr_dict_attr_t const *attr_stripped_user_name;
52static fr_dict_attr_t const *attr_packet_type;
53
54static fr_dict_attr_t const *attr_tacacs_action;
55static fr_dict_attr_t const *attr_tacacs_authentication_action;
56static fr_dict_attr_t const *attr_tacacs_authentication_flags;
57static fr_dict_attr_t const *attr_tacacs_authentication_type;
58static fr_dict_attr_t const *attr_tacacs_authentication_service;
59static fr_dict_attr_t const *attr_tacacs_authentication_status;
60
61static fr_dict_attr_t const *attr_tacacs_authorization_status;
62static fr_dict_attr_t const *attr_tacacs_accounting_status;
63static fr_dict_attr_t const *attr_tacacs_accounting_flags;
64
65static fr_dict_attr_t const *attr_tacacs_client_port;
66static fr_dict_attr_t const *attr_tacacs_data;
67static fr_dict_attr_t const *attr_tacacs_privilege_level;
68static fr_dict_attr_t const *attr_tacacs_remote_address;
69static fr_dict_attr_t const *attr_tacacs_server_message;
70static fr_dict_attr_t const *attr_tacacs_session_id;
71static fr_dict_attr_t const *attr_tacacs_sequence_number;
72static fr_dict_attr_t const *attr_tacacs_state;
73static fr_dict_attr_t const *attr_tacacs_user_message;
74
75static fr_dict_attr_t const *attr_user_name;
76static fr_dict_attr_t const *attr_user_password;
77static fr_dict_attr_t const *attr_chap_password;
78
79extern fr_dict_attr_autoload_t process_tacacs_dict_attr[];
80fr_dict_attr_autoload_t process_tacacs_dict_attr[] = {
81 { .out = &attr_auth_type, .name = "Auth-Type", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
82 { .out = &attr_module_failure_message, .name = "Module-Failure-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
83 { .out = &attr_module_success_message, .name = "Module-Success-Message", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
84 { .out = &attr_stripped_user_name, .name = "Stripped-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
85 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
86
87 { .out = &attr_tacacs_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
88 { .out = &attr_tacacs_authentication_flags, .name = "Authentication-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
89 { .out = &attr_tacacs_authentication_type, .name = "Authentication-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
90 { .out = &attr_tacacs_authentication_service, .name = "Authentication-Service", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
91
92 { .out = &attr_tacacs_authentication_status, .name = "Authentication-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
93 { .out = &attr_tacacs_authorization_status, .name = "Authorization-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
94
95 { .out = &attr_tacacs_accounting_status, .name = "Accounting-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
96 { .out = &attr_tacacs_accounting_flags, .name = "Accounting-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
97
98 { .out = &attr_tacacs_client_port, .name = "Client-Port", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
99 { .out = &attr_tacacs_data, .name = "Data", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
100 { .out = &attr_tacacs_privilege_level, .name = "Privilege-Level", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
101 { .out = &attr_tacacs_remote_address, .name = "Remote-Address", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
102 { .out = &attr_tacacs_authentication_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
103 { .out = &attr_tacacs_session_id, .name = "Packet.Session-Id", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
104 { .out = &attr_tacacs_sequence_number, .name = "Packet.Sequence-Number", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
105 { .out = &attr_tacacs_server_message, .name = "Server-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
106 { .out = &attr_tacacs_state, .name = "State", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
107 { .out = &attr_tacacs_user_message, .name = "User-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
108
109 { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
110 { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
111 { .out = &attr_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
112
113 DICT_AUTOLOAD_TERMINATOR
114};
115
116static fr_value_box_t const *enum_auth_type_accept;
117static fr_value_box_t const *enum_auth_type_reject;
118static fr_value_box_t const *enum_auth_flags_noecho;
119static fr_value_box_t const *enum_tacacs_auth_type_ascii;
120
121extern fr_dict_enum_autoload_t process_tacacs_dict_enum[];
122fr_dict_enum_autoload_t process_tacacs_dict_enum[] = {
123 { .out = &enum_auth_type_accept, .name = "Accept", .attr = &attr_auth_type },
124 { .out = &enum_auth_type_reject, .name = "Reject", .attr = &attr_auth_type },
125 { .out = &enum_auth_flags_noecho, .name = "No-Echo", .attr = &attr_tacacs_authentication_flags },
126 { .out = &enum_tacacs_auth_type_ascii, .name = "ASCII", .attr = &attr_tacacs_authentication_type },
127 DICT_AUTOLOAD_TERMINATOR
128};
129
130
162
163typedef struct {
164 fr_state_config_t session; //!< track state session information.
165 fr_state_tree_t *state_tree; //!< State tree to link multiple requests/responses.
166} process_tacacs_auth_t;
167
168typedef struct {
169 CONF_SECTION *server_cs; //!< Our virtual server.
170
171 uint32_t session_id; //!< current session ID
172
173 process_tacacs_sections_t sections; //!< Pointers to various config sections
174 ///< we need to execute
175
176 process_tacacs_auth_t auth; //!< Authentication configuration.
177
178
179} process_tacacs_t;
180
181typedef struct {
182 uint32_t reply; //!< for multiround state machine
183 uint8_t seq_no; //!< sequence number of last request.
184 fr_pair_list_t list; //!< copied from the request
185} process_tacacs_session_t;
186
187
188#define PROCESS_PACKET_TYPE fr_tacacs_packet_code_t
189#define PROCESS_CODE_MAX FR_TACACS_CODE_MAX
190#define PROCESS_CODE_DO_NOT_RESPOND FR_TACACS_CODE_DO_NOT_RESPOND
191#define PROCESS_PACKET_CODE_VALID FR_TACACS_PACKET_CODE_VALID
192#define PROCESS_INST process_tacacs_t
193#define PROCESS_CODE_DYNAMIC_CLIENT FR_TACACS_CODE_AUTH_PASS
194
195#include <freeradius-devel/server/process.h>
196
197static const conf_parser_t auth_config[] = {
198 { FR_CONF_POINTER("session", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) state_session_config },
199
200 CONF_PARSER_TERMINATOR
201};
202
203static const conf_parser_t config[] = {
204 { FR_CONF_POINTER("Authentication", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) auth_config,
205 .offset = offsetof(process_tacacs_t, auth), },
206
207 CONF_PARSER_TERMINATOR
208};
209
210
211/*
212 * Synthesize a State attribute from connection && session information.
213 */
214static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
215{
216 uint64_t hash;
217 uint32_t sequence;
218 fr_pair_t *vp;
219
220 if (!request->async->listen) return -1;
221
222 vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_session_id);
223 if (!vp) return -1;
224
225 hash = fr_hash64(&vp->vp_uint32, sizeof(vp->vp_uint32));
226
227 vp = fr_pair_find_by_da_nested(&request->request_pairs, NULL, attr_tacacs_sequence_number);
228 if (!vp) return -1;
229
230 /*
231 * Requests have odd sequence numbers, and replies have even sequence numbers.
232 * So if we want to synthesize a state in a reply which gets matched with the next
233 * request, we have to add 2 to it.
234 */
235 sequence = vp->vp_uint8 + ((int) reply << 1);
236 hash = fr_hash64_update(&sequence, sizeof(sequence), hash);
237
238 hash = fr_hash64_update(&request->async->listen, sizeof(request->async->listen), hash);
239
240 vp = fr_pair_afrom_da(ctx, attr_tacacs_state);
241 if (!vp) return -1;
242
243 (void) fr_pair_value_memdup(vp, (uint8_t const *) &hash, sizeof(hash), false);
244
245 fr_pair_append(out, vp);
246
247 return 0;
248}
249
250/** Try and determine what the response packet type should be
251 *
252 * We check three sources:
253 * - reply.``<status_attr>``
254 * - reply.Packet-Type
255 * - State machine packet type assignments for the section rcode
256 *
257 * @param[in] request The current request.
258 * @param[in] status_da Specialised status attribute.
259 * @param[in] status2code Mapping table of *packet* status types to rcodes.
260 * @param[in] state Mappings for process state machine
261 * @param[in] process_rcode Mappings for Auth-Type / Acct-Type, which don't use the process state machine
262 * @param[in] rcode The last section rcode.
263 * @return
264 * - >0 if we determined a reply code.
265 * - 0 if we couldn't - Usually indicates additional sections should be run.
266 */
267static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da,
268 uint32_t const status2code[static UINT8_MAX + 1],
269 fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
270{
271 fr_pair_t *vp;
272 uint32_t code;
273
274 /*
275 * First check the protocol attribute for this packet type.
276 *
277 * Should be one of:
278 * - Authentication-Status
279 * - Authorization-Status
280 * - Accounting-Status
281 */
282 fr_assert(status_da->type == FR_TYPE_UINT8);
283
284 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, status_da);
285 if (vp) {
286 code = status2code[vp->vp_uint8];
287 if (FR_TACACS_PACKET_CODE_VALID(code)) {
288 RDEBUG("Setting reply Packet-Type from %pP", vp);
289 return code;
290 }
291
292 REDEBUG("Ignoring invalid status %pP", vp);
293 }
294
295 if (state) {
296 code = state->packet_type[rcode];
297 if (FR_TACACS_PACKET_CODE_VALID(code) || (code == FR_TACACS_CODE_DO_NOT_RESPOND)) return code;
298 }
299
300 if (process_rcode) {
301 code = process_rcode[rcode];
302 if (FR_TACACS_PACKET_CODE_VALID(code) || (code == FR_TACACS_CODE_DO_NOT_RESPOND)) return code;
303 }
304
305 /*
306 * Otherwise use Packet-Type (if set)
307 */
308 vp = fr_pair_find_by_da(&request->reply_pairs, NULL, attr_packet_type);
309 if (vp && (FR_TACACS_PACKET_CODE_VALID(vp->vp_uint32) || (vp->vp_uint32 == FR_TACACS_CODE_DO_NOT_RESPOND))) {
310 RDEBUG("Setting reply Packet-Type from %pV", &vp->data);
311 return vp->vp_uint32;
312 }
313
314 return 0;
315}
316
317RECV(auth_start)
318{
319 fr_process_state_t const *state;
320 fr_pair_t *vp;
321
322 /*
323 * Only "Login" is supported. The others are "change password" and "sendauth", which aren't
324 * used.
325 */
326 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_action);
327 if (!vp) {
328 fail:
329 request->reply->code = FR_TACACS_CODE_AUTH_ERROR;
330 UPDATE_STATE(reply);
331
332 fr_assert(state->send != NULL);
333 return CALL_SEND_STATE(state);
334 }
335
336 if (vp->vp_uint8 != FR_ACTION_VALUE_LOGIN) {
337 RDEBUG("Invalid authentication action %u", vp->vp_uint8);
338 goto fail;
339 }
340
341 /*
342 * There is no state to restore, so we just run the section as normal.
343 */
344
345 return CALL_RECV(generic);
346}
347
348RESUME(auth_type);
349
359
360RESUME(auth_start)
361{
362 rlm_rcode_t rcode = RESULT_RCODE;
363 fr_pair_t *vp;
364 CONF_SECTION *cs;
365 fr_dict_enum_value_t const *dv;
366 fr_process_state_t const *state;
367 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
368
369 PROCESS_TRACE;
370
371 fr_assert(rcode < RLM_MODULE_NUMCODES);
372
373 /*
374 * See if the return code from "recv" which says we reject, or continue.
375 */
376 UPDATE_STATE(packet);
377
378 /*
379 * Nothing set the reply, so let's see if we need to do so.
380 *
381 * If the admin didn't set authentication-status, just
382 * use the defaults from the state machine.
383 */
384 if (!request->reply->code) {
385 request->reply->code = reply_code(request,
386 attr_tacacs_authentication_status,
387 authen_status_to_packet_code, state, NULL, rcode);
388 } else {
389 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
390 }
391
392 /*
393 * Check for multi-round authentication.
394 *
395 * We only run the automatic state machine (start -> getuser -> getpass -> pass/fail)
396 * when the admin does NOT set any reply type, or any reply authentication status.
397 *
398 * However, do DO always save and restore the attributes from the start packet, so that they are
399 * visible in a later packet.
400 */
401 if (!request->reply->code) {
402 process_tacacs_session_t *session;
403 fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
404
405 session = request_data_reference(request, inst, 0);
406 if (!session) {
407 /*
408 * This function is called for resuming both "start" and "continue" packets, so
409 * we have to check for "start" here.
410 *
411 * We only do multi-round authentication for the ASCII authentication type.
412 * Other authentication types are defined to be one request/reply only.
413 */
414 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
415 if (!packet_is_authen_start_request(packet) ||
416 (vp && (fr_value_box_cmp(&vp->data, enum_tacacs_auth_type_ascii) != 0))) {
417 goto auth_type;
418 }
419
420 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name);
421 if (!vp) {
422 RDEBUG("No User-Name, replying with Authentication-GetUser");
423 request->reply->code = FR_TACACS_CODE_AUTH_GETUSER;
424 } else {
425 RDEBUG("User-Name = %pV, replying with Authentication-GetPass", &vp->data);
426 request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
427 goto add_auth_flags;
428 }
429
430 goto send_reply;
431 }
432
433 /*
434 * Last reply was "get username", we now get the password.
435 */
436 if (session->reply == FR_TACACS_CODE_AUTH_GETUSER) {
437 RDEBUG("No User-Password, replying with Authentication-GetPass");
438 request->reply->code = FR_TACACS_CODE_AUTH_GETPASS;
439
440 /*
441 * Pre-set the authentication flags reply to No-Echo
442 * RFC 8907 says this should be set when the data being
443 * requested is sensitive and should not be echoed to the
444 * user as it is being entered.
445 */
446 add_auth_flags:
447 MEM(pair_append_reply(&vp, attr_tacacs_authentication_flags) >= 0);
448 if (unlikely(fr_value_box_copy(vp, &vp->data, enum_auth_flags_noecho) < 0)) {
449 RPEDEBUG("Failed creating Authentication-Flags attribute with No-Echo flag");
450 pair_delete_reply(vp);
451 goto reject;
452 }
453 vp->data.enumv = attr_tacacs_authentication_flags;
454 goto send_reply;
455 }
456
457 /*
458 * We either have a password, or the admin screwed up the configuration somehow. Just go
459 * run "Auth-Type foo".
460 */
461 goto auth_type;
462 }
463
464 /*
465 * Something set the reply code, skip
466 * the normal auth flow and respond immediately.
467 */
468 if (request->reply->code) {
469 switch (request->reply->code) {
470 case FR_TACACS_CODE_AUTH_FAIL:
471 RDEBUG("The 'recv Authentication-Start' section returned %s - failing the request",
472 fr_table_str_by_value(rcode_table, rcode, "<INVALID>"));
473 break;
474
475 case FR_TACACS_CODE_DO_NOT_RESPOND:
476 RDEBUG("Reply packet type was set to Do-Not-Respond");
477 break;
478
479 default:
480 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
481 RDEBUG("Reply packet type was set to %s", fr_tacacs_packet_names[request->reply->code]);
482 break;
483 }
484
485 send_reply:
486 UPDATE_STATE(reply);
487
488 fr_assert(state->send != NULL);
489 return CALL_SEND_STATE(state);
490 }
491
492 /*
493 * Run authenticate foo { ... }
494 *
495 * If we can't find Auth-Type, OR if we can't find Auth-Type = foo, then it's a reject.
496 *
497 * We prefer the local Auth-Type to the Authentication-Type in the packet. But if there's no
498 * Auth-Type set by the admin, then we use what's in the packet.
499 */
500 auth_type:
501 vp = fr_pair_find_by_da(&request->control_pairs, NULL, attr_auth_type);
502 if (!vp) vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
503 if (!vp) {
504 RDEBUG("No 'Auth-Type' or 'Authentication-Type' attribute found, "
505 "cannot authenticate the user - rejecting the request");
506
507 reject:
508 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
509 goto send_reply;
510 }
511
512 dv = fr_dict_enum_by_value(vp->da, &vp->data);
513 if (!dv) {
514 RDEBUG("Invalid value for '%s' attribute, cannot authenticate the user - rejecting the request",
515 vp->da->name);
516
517 goto reject;
518 }
519
520 /*
521 * The magic Auth-Type Accept value which means skip the authenticate section.
522 *
523 * And Reject means always reject. Tho the admin should just return "reject" from the section.
524 */
525 if (vp->da == attr_auth_type) {
526 if (fr_value_box_cmp(enum_auth_type_accept, dv->value) == 0) {
527 request->reply->code = FR_TACACS_CODE_AUTH_PASS;
528 goto send_reply;
529
530 } else if (fr_value_box_cmp(enum_auth_type_reject, dv->value) == 0) {
531 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
532 goto send_reply;
533 }
534 }
535
536 cs = cf_section_find(inst->server_cs, "authenticate", dv->name);
537 if (!cs) {
538 RDEBUG2("No 'authenticate %s { ... }' section found - rejecting the request", dv->name);
539 goto reject;
540 }
541
542 /*
543 * Run the "authenticate foo { ... }" section.
544 *
545 * And continue with sending the generic reply.
546 */
547 RDEBUG("Running 'authenticate %s' from file %s", cf_section_name2(cs), cf_filename(cs));
548 return unlang_module_yield_to_section(RESULT_P, request,
549 cs, RLM_MODULE_NOOP, resume_auth_type,
550 NULL, 0, mctx->rctx);
551}
552
553RESUME(auth_type)
554{
555 static const fr_process_rcode_t auth_type_rcode = {
556 [RLM_MODULE_OK] = FR_TACACS_CODE_AUTH_PASS,
557 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
558 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
559 [RLM_MODULE_NOOP] = FR_TACACS_CODE_AUTH_FAIL,
560 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
561 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
562 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_AUTH_PASS,
563 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
564 };
565
566 rlm_rcode_t rcode = RESULT_RCODE;
567 fr_process_state_t const *state;
568 fr_pair_t *vp;
569
570 PROCESS_TRACE;
571
572 fr_assert(rcode < RLM_MODULE_NUMCODES);
573
574 /*
575 * If nothing set the reply code, then try to set it from various other things.
576 *
577 * The user could have set Authentication-Status
578 * or Packet-Type to something other than
579 * pass...
580 */
581 if (!request->reply->code) {
582 request->reply->code = reply_code(request,
583 attr_tacacs_authentication_status,
584 authen_status_to_packet_code, NULL, auth_type_rcode, rcode);
585 } else {
586 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
587 }
588
589 switch (request->reply->code) {
590 case 0:
591 RDEBUG("No reply code was set. Forcing to Authentication-Fail");
592 fail:
593 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
594 FALL_THROUGH;
595
596 /*
597 * Print complaints before running "send Access-Reject"
598 */
599 case FR_TACACS_CODE_AUTH_FAIL:
600 RDEBUG2("Failed to authenticate the user");
601 break;
602
603 case FR_TACACS_CODE_AUTH_GETDATA:
604 case FR_TACACS_CODE_AUTH_GETUSER:
605 case FR_TACACS_CODE_AUTH_GETPASS:
606 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
607 if (vp && (vp->vp_uint8 != FR_AUTHENTICATION_TYPE_VALUE_ASCII)) {
608 RDEBUG2("Cannot send challenges for %pP", vp);
609 goto fail;
610 }
611 break;
612
613 default:
614 break;
615
616 }
617 UPDATE_STATE(reply);
618
619 fr_assert(state->send != NULL);
620 return state->send(p_result, mctx, request);
621}
622
623RESUME_FLAG(auth_pass, UNUSED,)
624{
625 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
626
627 PROCESS_TRACE;
628
629 // @todo - worry about user identity existing?
630
631 fr_state_discard(inst->auth.state_tree, request);
632 return UNLANG_ACTION_CALCULATE_RESULT;
633}
634
635RESUME_FLAG(auth_fail, UNUSED,)
636{
637 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
638
639 PROCESS_TRACE;
640
641 // @todo - insert server message saying "failed"
642 // and also for FAIL
643
644 fr_state_discard(inst->auth.state_tree, request);
645 return UNLANG_ACTION_CALCULATE_RESULT;
646}
647
648RESUME_FLAG(auth_restart, UNUSED,)
649{
650 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
651
652 PROCESS_TRACE;
653
654 fr_state_discard(inst->auth.state_tree, request);
655 return UNLANG_ACTION_CALCULATE_RESULT;
656}
657
658RESUME(auth_get)
659{
660 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
661 process_tacacs_session_t *session;
662 fr_pair_t *vp, *copy;
663
664 PROCESS_TRACE;
665
666 /*
667 * Track multi-round authentication flows. Note that they can only start with an
668 * "Authentication-Start" packet, but they can continue with an "Authentication-Continue" packet.
669 *
670 * If there's no session being tracked, then we create one for a start packet.
671 */
672 session = request_data_reference(request, inst, 0);
673 if (!session) {
674 fr_tacacs_packet_t const *packet = (fr_tacacs_packet_t const *) request->packet->data;
675
676 if (!packet_is_authen_start_request(packet)) goto send_reply;
677
678 MEM(session = talloc_zero(NULL, process_tacacs_session_t));
679 if (request_data_talloc_add(request, inst, 0, process_tacacs_session_t, session, true, true, true) < 0) {
680 talloc_free(session);
681 goto send_reply;
682 }
683
684 /*
685 * These are the only things which saved. The rest of the fields are either static (and statically
686 * known), or are irrelevant.
687 */
688 fr_pair_list_init(&session->list);
689#undef COPY
690#define COPY(_attr) do { \
691 vp = fr_pair_find_by_da(&request->request_pairs, NULL, _attr); \
692 if (!vp) break; \
693 MEM(copy = fr_pair_copy(session, vp)); \
694 fr_pair_append(&session->list, copy); \
695 RDEBUG2("%pP", copy); \
696} while (0)
697
698 RDEBUG2("Caching session attributes:");
699 RINDENT();
700 COPY(attr_user_name);
701 COPY(attr_tacacs_client_port);
702 COPY(attr_tacacs_remote_address);
703 COPY(attr_tacacs_privilege_level);
704 COPY(attr_tacacs_authentication_type);
705 REXDENT();
706
707 } else {
708 /*
709 * It is possible that the user name or password are added on subsequent Authentication-Continue
710 * packets following replies with Authentication-GetUser or Authentication-GetPass.
711 * Check if they are already in the session cache, and if not, add them.
712 */
713#define COPY_MISSING(_attr) do { \
714 vp = fr_pair_find_by_da(&session->list, NULL, _attr); \
715 if (vp) break; \
716 COPY(_attr); \
717} while (0)
718
719 RDEBUG2("Caching additional session attributes:");
720 RINDENT();
721 COPY_MISSING(attr_user_name);
722 COPY_MISSING(attr_user_password);
723 REXDENT();
724 }
725 session->reply = request->reply->code;
726 session->seq_no = request->packet->data[2];
727
728send_reply:
729 /*
730 * Cache the session state context.
731 */
732 if ((state_create(request->reply_ctx, &request->reply_pairs, request, true) < 0) ||
733 (fr_state_store(inst->auth.state_tree, request) < 0)) {
734 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
735 }
736
737 return UNLANG_ACTION_CALCULATE_RESULT;
738}
739
740RECV(auth_cont)
741{
742 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
743 process_tacacs_session_t *session;
744
745 if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
746 (fr_state_restore(inst->auth.state_tree, request) < 0)) {
747 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
748 }
749
750 /*
751 * Restore key fields from the original Authentication-Start packet.
752 */
753 session = request_data_reference(request, inst, 0);
754 if (session) {
755 fr_pair_t *vp = NULL, *copy;
756
757 if (request->packet->data[2] <= session->seq_no) {
758 REDEBUG("Client sent invalid sequence number %02x, expected >%02x", request->packet->data[2], session->seq_no);
759 error:
760 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
761 }
762
763 if (fr_debug_lvl >= L_DBG_LVL_2) {
764 RDEBUG2("Restoring session attributes:");
765 RINDENT();
766 while ((vp = fr_pair_list_next(&session->list, vp))) {
767 RDEBUG2("%pP", vp);
768 }
769 REXDENT();
770 }
771 if (fr_pair_list_copy(request->request_ctx, &request->request_pairs, &session->list) < 0) goto error;
772
773 /*
774 * Copy the returned user_message into the attribute we requested.
775 */
776#define EXTRACT(_attr) \
777 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_user_message); \
778 if (!vp) break; \
779 fr_value_box_set_secret(&vp->data, _attr->flags.secret); \
780 if (pair_append_request(&copy, _attr) < 0) break; \
781 if (fr_pair_value_copy(copy, vp) < 0) { \
782 fr_pair_remove(&request->request_pairs, copy); \
783 talloc_free(copy); \
784 break; \
785 } \
786 RDEBUG2("Populated %pP from user_message", copy)
787
788 switch (session->reply) {
789 case FR_TACACS_CODE_AUTH_GETUSER:
790 EXTRACT(attr_user_name);
791 break;
792
793 case FR_TACACS_CODE_AUTH_GETPASS:
794 EXTRACT(attr_user_password);
795 break;
796
797 default:
798 break;
799 }
800 }
801
802 return CALL_RECV(generic);
803}
804
805/*
806 * The client aborted the session. The reply should be RESTART or FAIL.
807 */
808RECV(auth_cont_abort)
809{
810 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
811
812 if ((state_create(request->request_ctx, &request->request_pairs, request, false) < 0) ||
813 (fr_state_restore(inst->auth.state_tree, request) < 0)) {
814 return CALL_SEND_TYPE(FR_TACACS_CODE_AUTH_ERROR);
815 }
816
817 return CALL_RECV(generic);
818}
819
820RESUME(auth_cont_abort)
821{
822 rlm_rcode_t rcode = RESULT_RCODE;
823 fr_process_state_t const *state;
824
825 UPDATE_STATE(packet);
826
827 if (!request->reply->code) {
828 switch (rcode) {
829 case RLM_MODULE_OK:
830 case RLM_MODULE_UPDATED:
831 request->reply->code = FR_TACACS_CODE_AUTH_RESTART;
832 break;
833
834 default:
835 request->reply->code = FR_TACACS_CODE_AUTH_FAIL;
836 break;
837 }
838
839 } else {
840 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code) ||
841 (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND));
842 }
843
844 RDEBUG("Reply packet type set to %s", (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND) ? "Do-Not-Respond" : fr_tacacs_packet_names[request->reply->code]);
845
846 UPDATE_STATE(reply);
847
848 fr_assert(state->send != NULL);
849 return CALL_SEND_STATE(state);
850}
851
852
859
860
861RESUME(autz_request)
862{
863 rlm_rcode_t rcode = RESULT_RCODE;
864 fr_process_state_t const *state;
865
866 PROCESS_TRACE;
867
868 fr_assert(rcode < RLM_MODULE_NUMCODES);
869
870 /*
871 * See if the return code from "recv" which says we reject, or continue.
872 */
873 UPDATE_STATE(packet);
874
875 /*
876 * Nothing set the reply, so let's see if we need to do so.
877 *
878 * If the admin didn't set authorization-status, just
879 * use the defaults from the state machine.
880 */
881 if (!request->reply->code) {
882 request->reply->code = reply_code(request, attr_tacacs_authorization_status,
883 author_status_to_packet_code, state, NULL, rcode);
884 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_AUTZ_ERROR;
885
886 }
887 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code) ||
888 (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND));
889
890 RDEBUG("Reply packet type set to %s", (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND) ? "Do-Not-Respond" : fr_tacacs_packet_names[request->reply->code]);
891
892 UPDATE_STATE(reply);
893
894 fr_assert(state->send != NULL);
895 return CALL_SEND_STATE(state);
896}
897
902
903RESUME(acct_type)
904{
905 static const fr_process_rcode_t acct_type_rcode = {
906 [RLM_MODULE_OK] = FR_TACACS_CODE_ACCT_SUCCESS,
907 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_ACCT_SUCCESS,
908 [RLM_MODULE_NOOP] = FR_TACACS_CODE_ACCT_ERROR,
909 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
910 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
911 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
912 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
913 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
914 };
915
916 rlm_rcode_t rcode = RESULT_RCODE;
917 fr_process_state_t const *state;
918
919 PROCESS_TRACE;
920
921 /*
922 * One more chance to override
923 */
924 if (!request->reply->code) {
925 request->reply->code = reply_code(request, attr_tacacs_accounting_status, acct_status_to_packet_code,
926 NULL, acct_type_rcode, rcode);
927 if (!request->reply->code) request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
928 } else {
929 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
930 }
931
932 UPDATE_STATE(reply);
933
934 fr_assert(state->send != NULL);
935 return state->send(p_result, mctx, request);
936}
937
938static const bool acct_flag_valid[8] = {
939 false, true, true, false, /* invalid, start, stop, invalid */
940 true, true, false, false, /* watchdog - no update, watchdog - update, invalid, invalid */
941};
942
943RECV(accounting_request)
944{
945 fr_pair_t *vp;
946
947 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
948
949 /*
950 * RFC 8907 Section 7.2
951 */
952 if (vp && !acct_flag_valid[(vp->vp_uint8 & 0x0e) >> 1]) {
953 RWDEBUG("Invalid accounting request flag field %02x", vp->vp_uint8);
954 return CALL_SEND_TYPE(FR_TACACS_CODE_ACCT_ERROR);
955 }
956
957 return CALL_RECV(generic);
958}
959
960RESUME(accounting_request)
961{
962 rlm_rcode_t rcode = RESULT_RCODE;
963 fr_pair_t *vp;
964 CONF_SECTION *cs;
965 fr_dict_enum_value_t const *dv;
966 fr_process_state_t const *state;
967 process_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
968
969 PROCESS_TRACE;
970
971 fr_assert(rcode < RLM_MODULE_NUMCODES);
972
973 UPDATE_STATE(packet);
974
975 /*
976 * Nothing set the reply, so let's see if we need to do so.
977 *
978 * If the admin didn't set accounting-status, just
979 * use the defaults from the state machine.
980 */
981 if (!request->reply->code) {
982 request->reply->code = reply_code(request, attr_tacacs_accounting_status,
983 acct_status_to_packet_code, state, NULL, rcode);
984 } else {
985 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code));
986 }
987
988 /*
989 * Something set the reply code, so we reply and don't run "accounting foo { ... }"
990 */
991 if (request->reply->code) {
992 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->reply->code) ||
993 (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND));
994
995 RDEBUG("Reply packet type set to %s", (request->reply->code == FR_TACACS_CODE_DO_NOT_RESPOND) ? "Do-Not-Respond" : fr_tacacs_packet_names[request->reply->code]);
996
997 UPDATE_STATE(reply);
998
999 fr_assert(state->send != NULL);
1000 return CALL_SEND_STATE(state);
1001 }
1002
1003 /*
1004 * Run accounting foo { ... }
1005 */
1006 vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_accounting_flags);
1007 if (!vp) {
1008 fail:
1009 request->reply->code = FR_TACACS_CODE_ACCT_ERROR;
1010 UPDATE_STATE(reply);
1011 fr_assert(state->send != NULL);
1012 return CALL_SEND_STATE(state);
1013 }
1014
1015 dv = fr_dict_enum_by_value(vp->da, &vp->data);
1016 if (!dv) goto fail;
1017
1018 cs = cf_section_find(inst->server_cs, "accounting", dv->name);
1019 if (!cs) {
1020 RDEBUG2("No 'accounting %s { ... }' section found - skipping...", dv->name);
1021 goto fail;
1022 }
1023
1024 /*
1025 * Run the "accounting foo { ... }" section.
1026 *
1027 * And continue with sending the generic reply.
1028 */
1029 return unlang_module_yield_to_section(RESULT_P, request,
1030 cs, RLM_MODULE_NOOP, resume_acct_type,
1031 NULL, 0, mctx->rctx);
1032}
1033
1034static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
1035{
1036 fr_process_state_t const *state;
1037
1038 PROCESS_TRACE;
1039
1040 (void)talloc_get_type_abort_const(mctx->mi->data, process_tacacs_t);
1041 fr_assert(FR_TACACS_PACKET_CODE_VALID(request->packet->code));
1042
1043 request->component = "tacacs";
1044 request->module = NULL;
1045 fr_assert(request->proto_dict == dict_tacacs);
1046
1047 UPDATE_STATE(packet);
1048
1049 if (!state->recv) {
1050 REDEBUG("Invalid packet type (%u)", request->packet->code);
1051 RETURN_UNLANG_FAIL;
1052 }
1053
1054 // @todo - debug stuff!
1055// tacacs_packet_debug(request, request->packet, &request->request_pairs, true);
1056
1057 if (unlikely(request_is_dynamic_client(request))) {
1058 return new_client(p_result, mctx, request);
1059 }
1060
1061 return state->recv(p_result, mctx, request);
1062}
1063
1064static int mod_instantiate(module_inst_ctx_t const *mctx)
1065{
1066 process_tacacs_t *inst = talloc_get_type_abort(mctx->mi->data, process_tacacs_t);
1067
1068 inst->server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1069
1070 FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.session.max_rounds, >=, 1);
1071 FR_INTEGER_BOUND_CHECK("session.max_rounds", inst->auth.session.max_rounds, <=, 8);
1072
1073 FR_INTEGER_BOUND_CHECK("session.max", inst->auth.session.max_sessions, >=, 64);
1074 FR_INTEGER_BOUND_CHECK("session.max", inst->auth.session.max_sessions, <=, (1 << 18));
1075
1076 inst->auth.session.thread_safe = main_config->spawn_workers;
1077 inst->auth.session.context_id = fr_hash_string(cf_section_name2(inst->server_cs));
1078
1079 MEM(inst->auth.state_tree = fr_state_tree_init(inst, attr_tacacs_state, &inst->auth.session));
1080
1081 return 0;
1082}
1083
1084static int mod_bootstrap(module_inst_ctx_t const *mctx)
1085{
1086 CONF_SECTION *server_cs = cf_item_to_section(cf_parent(mctx->mi->conf));
1087
1088 if (virtual_server_section_attribute_define(server_cs, "authenticate", attr_auth_type) < 0) return -1;
1089
1090 return 0;
1091}
1092
1093/*
1094 * rcodes not listed under a packet_type
1095 * mean that the packet code will not be
1096 * changed.
1097 */
1098static fr_process_state_t const process_state[] = {
1099 /*
1100 * Authentication
1101 */
1102 [ FR_TACACS_CODE_AUTH_START ] = {
1103 .packet_type = {
1104 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1105 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1106 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1107 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1108 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1109 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1110 },
1111 .default_rcode = RLM_MODULE_NOOP,
1112 .recv = recv_auth_start,
1113 .resume = resume_auth_start,
1114 .section_offset = offsetof(process_tacacs_sections_t, auth_start),
1115 },
1116 [ FR_TACACS_CODE_AUTH_PASS ] = {
1117 .packet_type = {
1118 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1119 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1120 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1121 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1122 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1123 },
1124 .default_rcode = RLM_MODULE_NOOP,
1125 .result_rcode = RLM_MODULE_OK,
1126 .send = send_generic,
1127 .resume = resume_auth_pass,
1128 .section_offset = offsetof(process_tacacs_sections_t, auth_pass),
1129 },
1130 [ FR_TACACS_CODE_AUTH_FAIL ] = {
1131 .packet_type = {
1132 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1133 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1134 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1135 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1136 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1137 },
1138 .default_rcode = RLM_MODULE_NOOP,
1139 .result_rcode = RLM_MODULE_REJECT,
1140 .send = send_generic,
1141 .resume = resume_auth_fail,
1142 .section_offset = offsetof(process_tacacs_sections_t, auth_fail),
1143 },
1144 [ FR_TACACS_CODE_AUTH_GETDATA ] = {
1145 .packet_type = {
1146 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1147 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1148 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1149 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1150 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1151 },
1152 .default_rcode = RLM_MODULE_NOOP,
1153 .result_rcode = RLM_MODULE_OK,
1154 .send = send_generic,
1155 .resume = resume_auth_get,
1156 .section_offset = offsetof(process_tacacs_sections_t, auth_getdata),
1157 },
1158 [ FR_TACACS_CODE_AUTH_GETPASS ] = {
1159 .packet_type = {
1160 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1161 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1162 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1163 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1164 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1165 },
1166 .default_rcode = RLM_MODULE_NOOP,
1167 .result_rcode = RLM_MODULE_OK,
1168 .send = send_generic,
1169 .resume = resume_auth_get,
1170 .section_offset = offsetof(process_tacacs_sections_t, auth_getpass),
1171 },
1172 [ FR_TACACS_CODE_AUTH_GETUSER ] = {
1173 .packet_type = {
1174 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1175 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1176 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1177 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1178 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1179 },
1180 .default_rcode = RLM_MODULE_NOOP,
1181 .result_rcode = RLM_MODULE_OK,
1182 .send = send_generic,
1183 .resume = resume_auth_get,
1184 .section_offset = offsetof(process_tacacs_sections_t, auth_getuser),
1185 },
1186 [ FR_TACACS_CODE_AUTH_RESTART ] = {
1187 .packet_type = {
1188 },
1189 .default_rcode = RLM_MODULE_NOOP,
1190 .result_rcode = RLM_MODULE_OK,
1191 .send = send_generic,
1192 .resume = resume_auth_restart,
1193 .section_offset = offsetof(process_tacacs_sections_t, auth_restart),
1194 },
1195 [ FR_TACACS_CODE_AUTH_ERROR ] = {
1196 .packet_type = {
1197 },
1198 .default_rcode = RLM_MODULE_NOOP,
1199 .result_rcode = RLM_MODULE_REJECT,
1200 .send = send_generic,
1201 .resume = resume_auth_restart,
1202 .section_offset = offsetof(process_tacacs_sections_t, auth_error),
1203 },
1204
1205 [ FR_TACACS_CODE_AUTH_CONT ] = {
1206 .packet_type = {
1207 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1208 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1209 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1210 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1211 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1212 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1213 },
1214 .default_rcode = RLM_MODULE_NOOP,
1215 .result_rcode = RLM_MODULE_OK,
1216 .recv = recv_auth_cont,
1217 .resume = resume_auth_start, /* we go back to running 'authenticate', etc. */
1218 .section_offset = offsetof(process_tacacs_sections_t, auth_cont),
1219 },
1220 [ FR_TACACS_CODE_AUTH_CONT_ABORT ] = {
1221 .packet_type = {
1222 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTH_FAIL,
1223 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTH_FAIL,
1224 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTH_FAIL,
1225 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTH_FAIL,
1226 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTH_FAIL,
1227 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1228 },
1229 .default_rcode = RLM_MODULE_NOOP,
1230 .result_rcode = RLM_MODULE_REJECT,
1231 .recv = recv_auth_cont_abort,
1232 .resume = resume_auth_cont_abort,
1233 .section_offset = offsetof(process_tacacs_sections_t, auth_cont_abort),
1234 },
1235
1236 /*
1237 * Authorization
1238 */
1239 [ FR_TACACS_CODE_AUTZ_REQUEST ] = {
1240 .packet_type = {
1241 [RLM_MODULE_NOOP] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1242 [RLM_MODULE_OK] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1243 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1244 [RLM_MODULE_HANDLED] = FR_TACACS_CODE_AUTZ_PASS_ADD,
1245
1246 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1247 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1248 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1249 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1250 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1251 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1252 },
1253 .default_rcode = RLM_MODULE_NOOP,
1254 .recv = recv_generic,
1255 .resume = resume_autz_request,
1256 .section_offset = offsetof(process_tacacs_sections_t, autz_request),
1257 },
1258 [ FR_TACACS_CODE_AUTZ_PASS_ADD ] = {
1259 .packet_type = {
1260 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1261 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1262 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1263 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1264 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1265 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1266 },
1267 .default_rcode = RLM_MODULE_NOOP,
1268 .result_rcode = RLM_MODULE_OK,
1269 .send = send_generic,
1270 .resume = resume_send_generic,
1271 .section_offset = offsetof(process_tacacs_sections_t, autz_pass_add),
1272 },
1273 [ FR_TACACS_CODE_AUTZ_PASS_REPLACE ] = {
1274 .packet_type = {
1275 [RLM_MODULE_FAIL] = FR_TACACS_CODE_AUTZ_FAIL,
1276 [RLM_MODULE_INVALID] = FR_TACACS_CODE_AUTZ_FAIL,
1277 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_AUTZ_FAIL,
1278 [RLM_MODULE_REJECT] = FR_TACACS_CODE_AUTZ_FAIL,
1279 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_AUTZ_FAIL,
1280 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1281 },
1282 .default_rcode = RLM_MODULE_NOOP,
1283 .result_rcode = RLM_MODULE_OK,
1284 .send = send_generic,
1285 .resume = resume_send_generic,
1286 .section_offset = offsetof(process_tacacs_sections_t, autz_pass_replace),
1287 },
1288 [ FR_TACACS_CODE_AUTZ_FAIL ] = {
1289 .packet_type = {
1290 },
1291 .default_rcode = RLM_MODULE_NOOP,
1292 .result_rcode = RLM_MODULE_REJECT,
1293 .send = send_generic,
1294 .resume = resume_send_generic,
1295 .section_offset = offsetof(process_tacacs_sections_t, autz_fail),
1296 },
1297 [ FR_TACACS_CODE_AUTZ_ERROR ] = {
1298 .packet_type = {
1299 },
1300 .default_rcode = RLM_MODULE_NOOP,
1301 .result_rcode = RLM_MODULE_REJECT,
1302 .send = send_generic,
1303 .resume = resume_send_generic,
1304 .section_offset = offsetof(process_tacacs_sections_t, autz_error),
1305 },
1306
1307 /*
1308 * Accounting
1309 */
1310 [ FR_TACACS_CODE_ACCT_REQUEST ] = {
1311 .packet_type = {
1312 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
1313 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
1314 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
1315 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
1316 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
1317 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1318 },
1319 .default_rcode = RLM_MODULE_NOOP,
1320 .recv = recv_accounting_request,
1321 .resume = resume_accounting_request,
1322 .section_offset = offsetof(process_tacacs_sections_t, acct_request),
1323 },
1324 [ FR_TACACS_CODE_ACCT_SUCCESS ] = {
1325 .packet_type = {
1326 [RLM_MODULE_FAIL] = FR_TACACS_CODE_ACCT_ERROR,
1327 [RLM_MODULE_INVALID] = FR_TACACS_CODE_ACCT_ERROR,
1328 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_ACCT_ERROR,
1329 [RLM_MODULE_REJECT] = FR_TACACS_CODE_ACCT_ERROR,
1330 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_ACCT_ERROR,
1331 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1332 },
1333 .default_rcode = RLM_MODULE_NOOP,
1334 .result_rcode = RLM_MODULE_OK,
1335 .send = send_generic,
1336 .resume = resume_send_generic,
1337 .section_offset = offsetof(process_tacacs_sections_t, acct_success),
1338 },
1339 [ FR_TACACS_CODE_ACCT_ERROR ] = {
1340 .packet_type = {
1341 },
1342 .default_rcode = RLM_MODULE_NOOP,
1343 .result_rcode = RLM_MODULE_FAIL,
1344 .send = send_generic,
1345 .resume = resume_send_generic,
1346 .section_offset = offsetof(process_tacacs_sections_t, acct_error),
1347 },
1348 [ FR_TACACS_CODE_DO_NOT_RESPOND ] = {
1349 .packet_type = {
1350 [RLM_MODULE_NOOP] = FR_TACACS_CODE_DO_NOT_RESPOND,
1351 [RLM_MODULE_OK] = FR_TACACS_CODE_DO_NOT_RESPOND,
1352 [RLM_MODULE_UPDATED] = FR_TACACS_CODE_DO_NOT_RESPOND,
1353 [RLM_MODULE_HANDLED] = FR_TACACS_CODE_DO_NOT_RESPOND,
1354
1355 [RLM_MODULE_NOTFOUND] = FR_TACACS_CODE_DO_NOT_RESPOND,
1356 [RLM_MODULE_FAIL] = FR_TACACS_CODE_DO_NOT_RESPOND,
1357 [RLM_MODULE_INVALID] = FR_TACACS_CODE_DO_NOT_RESPOND,
1358 [RLM_MODULE_REJECT] = FR_TACACS_CODE_DO_NOT_RESPOND,
1359 [RLM_MODULE_DISALLOW] = FR_TACACS_CODE_DO_NOT_RESPOND,
1360 [RLM_MODULE_TIMEOUT] = FR_TACACS_CODE_DO_NOT_RESPOND
1361 },
1362 .default_rcode = RLM_MODULE_NOOP,
1363 .result_rcode = RLM_MODULE_HANDLED,
1364 .send = send_generic,
1365 .resume = resume_send_generic,
1366 .section_offset = offsetof(process_tacacs_sections_t, do_not_respond),
1367 }
1368};
1369
1370
1371static virtual_server_compile_t compile_list[] = {
1372 /**
1373 * Basically, the TACACS+ protocol use same type "authenticate" to handle
1374 * Start and Continue requests. (yep, you're right. it's horrible)
1375 * Therefore, we split the same "auth" type into two different sections just
1376 * to allow the user to have different logic for that.
1377 *
1378 * If you want to cry, just take a look at
1379 *
1380 * https://tools.ietf.org/html/rfc8907 Section 4.
1381 *
1382 * This should be an abject lesson in how NOT to design a
1383 * protocol. Pretty much everything they did was wrong.
1384 */
1385 {
1386 .section = SECTION_NAME("recv", "Authentication-Start"),
1387 .actions = &mod_actions_authenticate,
1388 .offset = PROCESS_CONF_OFFSET(auth_start),
1389 },
1390 {
1391 .section = SECTION_NAME("send", "Authentication-Pass"),
1392 .actions = &mod_actions_postauth,
1393 .offset = PROCESS_CONF_OFFSET(auth_pass),
1394 },
1395 {
1396 .section = SECTION_NAME("send", "Authentication-Fail"),
1397 .actions = &mod_actions_postauth,
1398 .offset = PROCESS_CONF_OFFSET(auth_fail),
1399 },
1400 {
1401 .section = SECTION_NAME("send", "Authentication-GetData"),
1402 .actions = &mod_actions_postauth,
1403 .offset = PROCESS_CONF_OFFSET(auth_getdata),
1404 },
1405 {
1406 .section = SECTION_NAME("send", "Authentication-GetUser"),
1407 .actions = &mod_actions_postauth,
1408 .offset = PROCESS_CONF_OFFSET(auth_getuser),
1409 },
1410 {
1411 .section = SECTION_NAME("send", "Authentication-GetPass"),
1412 .actions = &mod_actions_postauth,
1413 .offset = PROCESS_CONF_OFFSET(auth_getpass),
1414 },
1415 {
1416 .section = SECTION_NAME("send", "Authentication-Restart"),
1417 .actions = &mod_actions_postauth,
1418 .offset = PROCESS_CONF_OFFSET(auth_restart),
1419 },
1420 {
1421 .section = SECTION_NAME("send", "Authentication-Error"),
1422 .actions = &mod_actions_postauth,
1423 .offset = PROCESS_CONF_OFFSET(auth_error),
1424 },
1425 {
1426 .section = SECTION_NAME("recv", "Authentication-Continue"),
1427 .actions = &mod_actions_authenticate,
1428 .offset = PROCESS_CONF_OFFSET(auth_cont),
1429 },
1430 {
1431 .section = SECTION_NAME("recv", "Authentication-Continue-Abort"),
1432 .actions = &mod_actions_authenticate,
1433 .offset = PROCESS_CONF_OFFSET(auth_cont_abort),
1434 },
1435
1436 {
1437 .section = SECTION_NAME("authenticate", CF_IDENT_ANY),
1438 .actions = &mod_actions_authenticate,
1439 },
1440
1441 /* authorization */
1442
1443 {
1444 .section = SECTION_NAME("recv", "Authorization-Request"),
1445 .actions = &mod_actions_authorize,
1446 .offset = PROCESS_CONF_OFFSET(autz_request),
1447 },
1448 {
1449 .section = SECTION_NAME("send", "Authorization-Pass-Add"),
1450 .actions = &mod_actions_postauth,
1451 .offset = PROCESS_CONF_OFFSET(autz_pass_add),
1452 },
1453 {
1454 .section = SECTION_NAME("send", "Authorization-Pass-Replace"),
1455 .actions = &mod_actions_postauth,
1456 .offset = PROCESS_CONF_OFFSET(autz_pass_replace),
1457 },
1458 {
1459 .section = SECTION_NAME("send", "Authorization-Fail"),
1460 .actions = &mod_actions_postauth,
1461 .offset = PROCESS_CONF_OFFSET(autz_fail),
1462 },
1463 {
1464 .section = SECTION_NAME("send", "Authorization-Error"),
1465 .actions = &mod_actions_postauth,
1466 .offset = PROCESS_CONF_OFFSET(autz_error),
1467 },
1468
1469 /* accounting */
1470
1471 {
1472 .section = SECTION_NAME("recv", "Accounting-Request"),
1473 .actions = &mod_actions_accounting,
1474 .offset = PROCESS_CONF_OFFSET(acct_request),
1475 },
1476 {
1477 .section = SECTION_NAME("send", "Accounting-Success"),
1478 .actions = &mod_actions_postauth,
1479 .offset = PROCESS_CONF_OFFSET(acct_success),
1480 },
1481 {
1482 .section = SECTION_NAME("send", "Accounting-Error"),
1483 .actions = &mod_actions_postauth,
1484 .offset = PROCESS_CONF_OFFSET(acct_error),
1485 },
1486
1487 {
1488 .section = SECTION_NAME("accounting", CF_IDENT_ANY),
1489 .actions = &mod_actions_accounting,
1490 },
1491
1492 {
1493 .section = SECTION_NAME("send", "Do-Not-Respond"),
1494 .actions = &mod_actions_postauth,
1495 .offset = PROCESS_CONF_OFFSET(do_not_respond),
1496 },
1497
1498 DYNAMIC_CLIENT_SECTIONS,
1499
1500 COMPILE_TERMINATOR
1501};
1502
1503
1504extern fr_process_module_t process_tacacs;
1505fr_process_module_t process_tacacs = {
1506 .common = {
1507 .magic = MODULE_MAGIC_INIT,
1508 .name = "tacacs",
1509 .config = config,
1510 MODULE_INST(process_tacacs_t),
1511 MODULE_RCTX(process_rctx_t),
1512 .bootstrap = mod_bootstrap,
1513 .instantiate = mod_instantiate
1514 },
1515 .process = mod_process,
1516 .compile_list = compile_list,
1517 .dict = &dict_tacacs,
1518 .packet_type = &attr_packet_type
1519};
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
UNLANG_ACTION_CALCULATE_RESULT
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition action.h:37
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
unlikely
#define unlikely(_x)
Definition build.h:383
UNUSED
#define UNUSED
Definition build.h:317
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:660
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:520
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:337
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:426
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:597
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_section_name2
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1184
cf_section_find
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
cf_parent
#define cf_parent(_cf)
Definition cf_util.h:101
cf_filename
#define cf_filename(_cf)
Definition cf_util.h:107
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:78
MEM
#define MEM(x)
Definition debug.h:36
fr_dict_enum_autoload_t::out
fr_value_box_t const ** out
Enumeration value.
Definition dict.h:283
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:294
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:307
fr_dict_enum_value_t::value
fr_value_box_t const * value
Enum value (what name maps to).
Definition dict.h:259
fr_dict_enum_by_value
fr_dict_enum_value_t const * fr_dict_enum_by_value(fr_dict_attr_t const *da, fr_value_box_t const *value)
Lookup the structure representing an enum value in a fr_dict_attr_t.
Definition dict_util.c:3660
DICT_AUTOLOAD_TERMINATOR
#define DICT_AUTOLOAD_TERMINATOR
Definition dict.h:313
fr_dict_enum_value_t::name
char const * name
Enum name.
Definition dict.h:256
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:293
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:306
fr_dict_enum_autoload_t
Specifies a value which must be present for the module to function.
Definition dict.h:282
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition dict.h:255
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
fr_hash64
uint64_t fr_hash64(void const *data, size_t size)
Definition hash.c:909
fr_hash_string
uint32_t fr_hash_string(char const *p)
Definition hash.c:869
fr_hash64_update
uint64_t fr_hash64_update(void const *data, size_t size, uint64_t hash)
Definition hash.c:937
talloc_free
talloc_free(hp)
unlang_result_t
Definition interpret.h:133
dict_freeradius
static fr_dict_t const * dict_freeradius
Definition base.c:37
attr_packet_type
fr_dict_attr_t const * attr_packet_type
Definition base.c:93
attr_user_name
fr_dict_attr_t const * attr_user_name
Definition base.c:104
attr_module_failure_message
static fr_dict_attr_t const * attr_module_failure_message
Definition log.c:206
REXDENT
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:455
RWDEBUG
#define RWDEBUG(fmt,...)
Definition log.h:373
RPEDEBUG
#define RPEDEBUG(fmt,...)
Definition log.h:388
RINDENT
#define RINDENT()
Indent R* messages by one level.
Definition log.h:442
fr_debug_lvl
int fr_debug_lvl
Definition log.c:40
L_DBG_LVL_2
@ L_DBG_LVL_2
2nd highest priority debug messages (-xx | -X).
Definition log.h:71
main_config
main_config_t const * main_config
Main server configuration.
Definition main_config.c:58
main_config_s::spawn_workers
bool spawn_workers
Should the server spawn threads.
Definition main_config.h:58
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_UINT8
@ FR_TYPE_UINT8
8 Bit unsigned integer.
Definition merged_model.c:97
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
UINT8_MAX
#define UINT8_MAX
Definition merged_model.c:32
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
fr_value_box_t
Definition merged_model.c:136
request_t
Definition merged_model.c:210
mod_actions_authenticate
unlang_mod_actions_t const mod_actions_authenticate
Definition mod_action.c:30
mod_actions_accounting
unlang_mod_actions_t const mod_actions_accounting
Definition mod_action.c:78
mod_actions_authorize
unlang_mod_actions_t const mod_actions_authorize
Definition mod_action.c:46
mod_actions_postauth
unlang_mod_actions_t const mod_actions_postauth
Definition mod_action.c:93
unlang_mod_actions_t::actions
unlang_mod_action_t actions[RLM_MODULE_NUMCODES]
Definition mod_action.h:69
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
fr_pair_list_copy
int fr_pair_list_copy(TALLOC_CTX *ctx, fr_pair_list_t *to, fr_pair_list_t const *from)
Duplicate a list of pairs.
Definition pair.c:2328
fr_pair_value_memdup
int fr_pair_value_memdup(fr_pair_t *vp, uint8_t const *src, size_t len, bool tainted)
Copy data into an "octets" data type.
Definition pair.c:2946
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:782
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:705
fr_pair_append
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1350
fr_pair_afrom_da
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:290
fr_pair_list_init
void fr_pair_list_init(fr_pair_list_t *list)
Initialise a pair list header.
Definition pair.c:46
mod_process
static unlang_action_t mod_process(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition base.c:188
compile_list
static const virtual_server_compile_t compile_list[]
Definition base.c:214
process_state
static fr_process_state_t const process_state[]
Definition base.c:69
RESUME_FLAG
RESUME_FLAG(recv_bfd, UNUSED,)
Definition base.c:119
attr_module_success_message
static fr_dict_attr_t const * attr_module_success_message
Definition base.c:37
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition base.c:752
RECV
RECV(for_any_server)
Validate a solicit/rebind/confirm message.
Definition base.c:400
attr_user_password
static fr_dict_attr_t const * attr_user_password
Definition base.c:66
attr_stripped_user_name
static fr_dict_attr_t const * attr_stripped_user_name
Definition base.c:59
mod_bootstrap
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Definition base.c:854
attr_auth_type
static fr_dict_attr_t const * attr_auth_type
Definition base.c:56
enum_auth_type_reject
static fr_value_box_t const * enum_auth_type_reject
Definition base.c:91
auth_config
static const conf_parser_t auth_config[]
Definition base.c:163
enum_auth_type_accept
static fr_value_box_t const * enum_auth_type_accept
Definition base.c:90
config
static const conf_parser_t config[]
Definition base.c:169
process_tacacs
fr_process_module_t process_tacacs
Definition base.c:1505
attr_tacacs_authentication_flags
static fr_dict_attr_t const * attr_tacacs_authentication_flags
Definition base.c:56
process_tacacs_sections_t::autz_pass_add
CONF_SECTION * autz_pass_add
Definition base.c:147
process_tacacs_session_t::list
fr_pair_list_t list
copied from the request
Definition base.c:184
process_tacacs_sections_t::new_client
CONF_SECTION * new_client
Definition base.c:158
enum_tacacs_auth_type_ascii
static fr_value_box_t const * enum_tacacs_auth_type_ascii
Definition base.c:119
process_tacacs_sections_t::add_client
CONF_SECTION * add_client
Definition base.c:159
process_tacacs_sections_t::auth_pass
CONF_SECTION * auth_pass
Definition base.c:135
process_tacacs_sections_t::auth_start
CONF_SECTION * auth_start
Definition base.c:134
process_tacacs_sections_t::acct_success
CONF_SECTION * acct_success
Definition base.c:153
process_tacacs_sections_t::auth_error
CONF_SECTION * auth_error
Definition base.c:141
process_tacacs_sections_t::acct_request
CONF_SECTION * acct_request
Definition base.c:152
process_tacacs_sections_t::auth_cont_abort
CONF_SECTION * auth_cont_abort
Definition base.c:144
process_tacacs_dict_attr
fr_dict_attr_autoload_t process_tacacs_dict_attr[]
Definition base.c:80
attr_tacacs_user_message
static fr_dict_attr_t const * attr_tacacs_user_message
Definition base.c:73
process_tacacs_t::server_cs
CONF_SECTION * server_cs
Our virtual server.
Definition base.c:169
attr_chap_password
static fr_dict_attr_t const * attr_chap_password
Definition base.c:77
process_tacacs_sections_t::auth_cont
CONF_SECTION * auth_cont
Definition base.c:143
acct_status_to_packet_code
static const uint32_t acct_status_to_packet_code[UINT8_MAX+1]
Definition base.c:898
process_tacacs_sections_t::auth_restart
CONF_SECTION * auth_restart
Definition base.c:140
authen_status_to_packet_code
static const uint32_t authen_status_to_packet_code[UINT8_MAX+1]
Definition base.c:350
process_tacacs_t::sections
process_tacacs_sections_t sections
Pointers to various config sections we need to execute.
Definition base.c:173
reply_code
static uint32_t reply_code(request_t *request, fr_dict_attr_t const *status_da, uint32_t const status2code[static UINT8_MAX+1], fr_process_state_t const *state, fr_process_rcode_t const process_rcode, rlm_rcode_t rcode)
Try and determine what the response packet type should be.
Definition base.c:267
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition base.c:39
process_tacacs_dict_enum
fr_dict_enum_autoload_t process_tacacs_dict_enum[]
Definition base.c:122
COPY_MISSING
#define COPY_MISSING(_attr)
attr_tacacs_session_id
static fr_dict_attr_t const * attr_tacacs_session_id
Definition base.c:70
attr_tacacs_server_message
static fr_dict_attr_t const * attr_tacacs_server_message
Definition base.c:69
process_tacacs_sections_t::autz_error
CONF_SECTION * autz_error
Definition base.c:150
process_tacacs_sections_t::do_not_respond
CONF_SECTION * do_not_respond
Definition base.c:156
author_status_to_packet_code
static const uint32_t author_status_to_packet_code[UINT8_MAX+1]
Definition base.c:853
enum_auth_flags_noecho
static fr_value_box_t const * enum_auth_flags_noecho
Definition base.c:118
process_tacacs_sections_t::autz_pass_replace
CONF_SECTION * autz_pass_replace
Definition base.c:148
process_tacacs_session_t::reply
uint32_t reply
for multiround state machine
Definition base.c:182
EXTRACT
#define EXTRACT(_attr)
process_tacacs_sections_t::auth_getuser
CONF_SECTION * auth_getuser
Definition base.c:138
attr_tacacs_privilege_level
static fr_dict_attr_t const * attr_tacacs_privilege_level
Definition base.c:67
process_tacacs_sections_t::auth_getdata
CONF_SECTION * auth_getdata
Definition base.c:137
attr_tacacs_authentication_type
static fr_dict_attr_t const * attr_tacacs_authentication_type
Definition base.c:57
process_tacacs_sections_t::acct_error
CONF_SECTION * acct_error
Definition base.c:154
attr_tacacs_accounting_status
static fr_dict_attr_t const * attr_tacacs_accounting_status
Definition base.c:62
process_tacacs_sections_t::autz_request
CONF_SECTION * autz_request
Definition base.c:146
process_tacacs_auth_t::session
fr_state_config_t session
track state session information.
Definition base.c:164
acct_flag_valid
static const bool acct_flag_valid[8]
Definition base.c:938
attr_tacacs_authentication_service
static fr_dict_attr_t const * attr_tacacs_authentication_service
Definition base.c:58
attr_tacacs_authentication_status
static fr_dict_attr_t const * attr_tacacs_authentication_status
Definition base.c:59
process_tacacs_sections_t::deny_client
CONF_SECTION * deny_client
Definition base.c:160
process_tacacs_sections_t::auth_fail
CONF_SECTION * auth_fail
Definition base.c:136
attr_tacacs_authentication_action
static fr_dict_attr_t const * attr_tacacs_authentication_action
Definition base.c:55
attr_tacacs_client_port
static fr_dict_attr_t const * attr_tacacs_client_port
Definition base.c:65
process_tacacs_t::auth
process_tacacs_auth_t auth
Authentication configuration.
Definition base.c:176
attr_tacacs_remote_address
static fr_dict_attr_t const * attr_tacacs_remote_address
Definition base.c:68
process_tacacs_session_t::seq_no
uint8_t seq_no
sequence number of last request.
Definition base.c:183
process_tacacs_auth_t::state_tree
fr_state_tree_t * state_tree
State tree to link multiple requests/responses.
Definition base.c:165
COPY
#define COPY(_attr)
attr_tacacs_action
static fr_dict_attr_t const * attr_tacacs_action
Definition base.c:54
attr_tacacs_sequence_number
static fr_dict_attr_t const * attr_tacacs_sequence_number
Definition base.c:71
attr_tacacs_authorization_status
static fr_dict_attr_t const * attr_tacacs_authorization_status
Definition base.c:61
process_tacacs_sections_t::autz_fail
CONF_SECTION * autz_fail
Definition base.c:149
attr_tacacs_accounting_flags
static fr_dict_attr_t const * attr_tacacs_accounting_flags
Definition base.c:63
attr_tacacs_data
static fr_dict_attr_t const * attr_tacacs_data
Definition base.c:66
attr_tacacs_state
static fr_dict_attr_t const * attr_tacacs_state
Definition base.c:72
process_tacacs_t::session_id
uint32_t session_id
current session ID
Definition base.c:171
process_tacacs_sections_t::auth_getpass
CONF_SECTION * auth_getpass
Definition base.c:139
process_tacacs_dict
fr_dict_autoload_t process_tacacs_dict[]
Definition base.c:42
state_create
static int state_create(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, bool reply)
Definition base.c:214
process_tacacs_auth_t
Definition base.c:163
process_tacacs_sections_t
Definition base.c:131
process_tacacs_session_t
Definition base.c:181
process_tacacs_t
Definition base.c:168
PROCESS_TRACE
#define PROCESS_TRACE
Trace each state function as it's entered.
Definition process.h:55
PROCESS_CONF_OFFSET
#define PROCESS_CONF_OFFSET(_x)
Definition process.h:79
fr_process_module_t::common
module_t common
Common fields for all loadable modules.
Definition process_types.h:39
fr_process_module_t
Common public symbol definition for all process modules.
Definition process_types.h:38
fr_tacacs_packet_names
char const * fr_tacacs_packet_names[FR_TACACS_CODE_MAX]
Definition base.c:119
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient-ng.h:52
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient-ng.h:54
RDEBUG
#define RDEBUG(fmt,...)
Definition radclient-ng.h:53
send_reply
static void send_reply(int sockfd, fr_channel_data_t *reply)
Definition radius1_test.c:190
rcode_table
fr_table_num_sorted_t const rcode_table[]
Definition rcode.c:35
RETURN_UNLANG_FAIL
#define RETURN_UNLANG_FAIL
Definition rcode.h:63
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:44
RLM_MODULE_INVALID
@ RLM_MODULE_INVALID
The module considers the request invalid.
Definition rcode.h:51
RLM_MODULE_OK
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:49
RLM_MODULE_FAIL
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:48
RLM_MODULE_DISALLOW
@ RLM_MODULE_DISALLOW
Reject the request (user is locked out).
Definition rcode.h:52
RLM_MODULE_REJECT
@ RLM_MODULE_REJECT
Immediately reject the request.
Definition rcode.h:47
RLM_MODULE_TIMEOUT
@ RLM_MODULE_TIMEOUT
Module (or section) timed out.
Definition rcode.h:56
RLM_MODULE_NOTFOUND
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:53
RLM_MODULE_UPDATED
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition rcode.h:55
RLM_MODULE_NOOP
@ RLM_MODULE_NOOP
Module succeeded without doing anything.
Definition rcode.h:54
RLM_MODULE_NUMCODES
@ RLM_MODULE_NUMCODES
How many valid return codes there are.
Definition rcode.h:57
RLM_MODULE_HANDLED
@ RLM_MODULE_HANDLED
The module handled the request, so stop.
Definition rcode.h:50
request_is_dynamic_client
#define request_is_dynamic_client(_x)
Definition request.h:188
request_data_reference
void * request_data_reference(request_t *request, void const *unique_ptr, int unique_int)
Get opaque data from a request without removing it.
Definition request_data.c:339
request_data_talloc_add
#define request_data_talloc_add(_request, _unique_ptr, _unique_int, _type, _opaque, _free_on_replace, _free_on_parent, _persist)
Add opaque data to a request_t.
Definition request_data.h:86
process_rcode
static unlang_action_t process_rcode(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_eap_peap.c:739
hash
static unsigned int hash(char const *username, unsigned int tablesize)
Definition rlm_passwd.c:132
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:349
module_instance_s::data
void * data
Module's instance data.
Definition module.h:291
MODULE_RCTX
#define MODULE_RCTX(_ctype)
Definition module.h:257
MODULE_INST
#define MODULE_INST(_ctype)
Definition module.h:255
module_s::config
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:206
pair_delete_reply
#define pair_delete_reply(_pair_or_da)
Delete a fr_pair_t in the reply list.
Definition pair.h:181
pair_append_reply
#define pair_append_reply(_attr, _da)
Allocate and append a fr_pair_t to reply list.
Definition pair.h:47
fr_state_restore
int fr_state_restore(fr_state_tree_t *state, request_t *request)
Copy a pointer to the head of the list of state fr_pair_ts (and their ctx) into the request.
Definition state.c:741
fr_state_discard
void fr_state_discard(fr_state_tree_t *state, request_t *request)
Called when sending an Access-Accept/Access-Reject to discard state information.
Definition state.c:687
fr_state_store
int fr_state_store(fr_state_tree_t *state, request_t *request)
Transfer ownership of the state fr_pair_ts and ctx, back to a state entry.
Definition state.c:817
state_session_config
const conf_parser_t state_session_config[]
Definition state.c:59
fr_state_tree_init
fr_state_tree_t * fr_state_tree_init(TALLOC_CTX *ctx, fr_dict_attr_t const *da, fr_state_config_t const *config)
Initialise a new state tree.
Definition state.c:232
fr_state_tree_s
Definition state.c:155
unlang_module_yield_to_section
unlang_action_t unlang_module_yield_to_section(unlang_result_t *p_result, request_t *request, CONF_SECTION *subcs, rlm_rcode_t default_rcode, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Definition module.c:236
fr_state_config_t
Definition state.h:40
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3653
RESUME
#define RESUME(_x)
Definition state_machine.c:52
vp
fr_pair_t * vp
Definition state_machine.c:2295
pair_list_s
Definition pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
fr_table_str_by_value
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772
FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
Definition tacacs.h:211
FR_TAC_PLUS_AUTHOR_STATUS_ERROR
@ FR_TAC_PLUS_AUTHOR_STATUS_ERROR
Definition tacacs.h:214
FR_TAC_PLUS_AUTHOR_STATUS_FAIL
@ FR_TAC_PLUS_AUTHOR_STATUS_FAIL
Definition tacacs.h:213
FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
Definition tacacs.h:212
FR_TACACS_PACKET_CODE_VALID
#define FR_TACACS_PACKET_CODE_VALID(_code)
Definition tacacs.h:322
packet_is_authen_start_request
#define packet_is_authen_start_request(p)
3.4.
Definition tacacs.h:49
FR_TACACS_CODE_ACCT_ERROR
@ FR_TACACS_CODE_ACCT_ERROR
Definition tacacs.h:315
FR_TACACS_CODE_DO_NOT_RESPOND
@ FR_TACACS_CODE_DO_NOT_RESPOND
Definition tacacs.h:318
FR_TACACS_CODE_ACCT_REQUEST
@ FR_TACACS_CODE_ACCT_REQUEST
Definition tacacs.h:313
FR_TACACS_CODE_AUTZ_REQUEST
@ FR_TACACS_CODE_AUTZ_REQUEST
Definition tacacs.h:307
FR_TACACS_CODE_AUTH_GETDATA
@ FR_TACACS_CODE_AUTH_GETDATA
Definition tacacs.h:298
FR_TACACS_CODE_AUTH_RESTART
@ FR_TACACS_CODE_AUTH_RESTART
Definition tacacs.h:301
FR_TACACS_CODE_AUTZ_PASS_REPLACE
@ FR_TACACS_CODE_AUTZ_PASS_REPLACE
Definition tacacs.h:309
FR_TACACS_CODE_AUTH_GETUSER
@ FR_TACACS_CODE_AUTH_GETUSER
Definition tacacs.h:299
FR_TACACS_CODE_AUTH_GETPASS
@ FR_TACACS_CODE_AUTH_GETPASS
Definition tacacs.h:300
FR_TACACS_CODE_AUTZ_FAIL
@ FR_TACACS_CODE_AUTZ_FAIL
Definition tacacs.h:310
FR_TACACS_CODE_AUTH_CONT_ABORT
@ FR_TACACS_CODE_AUTH_CONT_ABORT
Definition tacacs.h:305
FR_TACACS_CODE_AUTH_PASS
@ FR_TACACS_CODE_AUTH_PASS
Definition tacacs.h:296
FR_TACACS_CODE_AUTH_CONT
@ FR_TACACS_CODE_AUTH_CONT
Definition tacacs.h:304
FR_TACACS_CODE_AUTZ_PASS_ADD
@ FR_TACACS_CODE_AUTZ_PASS_ADD
Definition tacacs.h:308
FR_TACACS_CODE_AUTH_START
@ FR_TACACS_CODE_AUTH_START
Definition tacacs.h:295
FR_TACACS_CODE_AUTH_FAIL
@ FR_TACACS_CODE_AUTH_FAIL
Definition tacacs.h:297
FR_TACACS_CODE_AUTH_ERROR
@ FR_TACACS_CODE_AUTH_ERROR
Definition tacacs.h:302
FR_TACACS_CODE_AUTZ_ERROR
@ FR_TACACS_CODE_AUTZ_ERROR
Definition tacacs.h:311
FR_TACACS_CODE_ACCT_SUCCESS
@ FR_TACACS_CODE_ACCT_SUCCESS
Definition tacacs.h:314
FR_TAC_PLUS_ACCT_STATUS_SUCCESS
@ FR_TAC_PLUS_ACCT_STATUS_SUCCESS
Definition tacacs.h:255
FR_TAC_PLUS_ACCT_STATUS_ERROR
@ FR_TAC_PLUS_ACCT_STATUS_ERROR
Definition tacacs.h:256
FR_TAC_PLUS_AUTHEN_STATUS_PASS
@ FR_TAC_PLUS_AUTHEN_STATUS_PASS
Definition tacacs.h:151
FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
@ FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
Definition tacacs.h:153
FR_TAC_PLUS_AUTHEN_STATUS_ERROR
@ FR_TAC_PLUS_AUTHEN_STATUS_ERROR
Definition tacacs.h:157
FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
@ FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
Definition tacacs.h:154
FR_TAC_PLUS_AUTHEN_STATUS_FAIL
@ FR_TAC_PLUS_AUTHEN_STATUS_FAIL
Definition tacacs.h:152
FR_TAC_PLUS_AUTHEN_STATUS_RESTART
@ FR_TAC_PLUS_AUTHEN_STATUS_RESTART
Definition tacacs.h:156
FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
@ FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
Definition tacacs.h:155
fr_tacacs_packet_t
Definition tacacs.h:276
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:245
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition pair_inline.c:69
fr_value_box_cmp
int8_t fr_value_box_cmp(fr_value_box_t const *a, fr_value_box_t const *b)
Compare two values.
Definition value.c:749
fr_value_box_copy
int fr_value_box_copy(TALLOC_CTX *ctx, fr_value_box_t *dst, const fr_value_box_t *src)
Copy value data verbatim duplicating any buffers.
Definition value.c:4409
out
static size_t char ** out
Definition value.h:1024
virtual_server_section_attribute_define
int virtual_server_section_attribute_define(CONF_SECTION *server_cs, char const *subcs_name, fr_dict_attr_t const *da)
Define a values for Auth-Type attributes by the sections present in a virtual-server.
Definition virtual_servers.c:1565
virtual_server_compile_s::section
section_name_t const * section
Identifier for the section.
Definition virtual_servers.h:135
COMPILE_TERMINATOR
#define COMPILE_TERMINATOR
Definition virtual_servers.h:145
virtual_server_compile_s
Processing sections which are allowed in this virtual server.
Definition virtual_servers.h:134
Generated by   doxygen 1.9.8