The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
proto_tacacs_tcp.c
Go to the documentation of this file.
1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 4493e0bfd6060295c1f6b336cd9d395d93311d17 $
19  * @file proto_tacacs_tcp.c
20  * @brief TACACS+ handler for TCP.
21  * @author Jorge Pereira <jpereira@freeradius.org>
22  *
23  * @copyright 2020 The FreeRADIUS server project.
24  * @copyright 2020 Network RADIUS SAS (legal@networkradius.com)
25  */
26 
27 #include <netdb.h>
28 #include <freeradius-devel/server/protocol.h>
29 #include <freeradius-devel/util/trie.h>
30 #include <freeradius-devel/io/application.h>
31 #include <freeradius-devel/io/listen.h>
32 #include <freeradius-devel/io/schedule.h>
33 #include "proto_tacacs.h"
34 
35 extern fr_app_io_t proto_tacacs_tcp;
36 
37 #define TACACS_MAX_ATTRIBUTES 256
38 
39 typedef struct {
40  char const *name; //!< socket name
41  int sockfd;
42 
43  fr_io_address_t *connection; //!< for connected sockets.
44 
45  fr_stats_t stats; //!< statistics for this socket
46 } proto_tacacs_tcp_thread_t;
47 
48 typedef struct {
49  CONF_SECTION *cs; //!< our configuration
50 
51  fr_ipaddr_t ipaddr; //!< IP address to listen on.
52 
53  char const *interface; //!< Interface to bind to.
54  char const *port_name; //!< Name of the port for getservent().
55 
56  uint32_t recv_buff; //!< How big the kernel's receive buffer should be.
57 
58  uint32_t max_packet_size; //!< for message ring buffer.
59  uint32_t max_attributes; //!< Limit maximum decodable attributes.
60 
61  uint16_t port; //!< Port to listen on.
62 
63  bool recv_buff_is_set; //!< Whether we were provided with a recv_buff
64  bool dynamic_clients; //!< whether we have dynamic clients
65 
66  fr_client_list_t *clients; //!< local clients
67 
68  fr_trie_t *trie; //!< for parsed networks
69  fr_ipaddr_t *allow; //!< allowed networks for dynamic clients
70  fr_ipaddr_t *deny; //!< denied networks for dynamic clients
71 } proto_tacacs_tcp_t;
72 
73 static const conf_parser_t networks_config[] = {
74  { FR_CONF_OFFSET_TYPE_FLAGS("allow", FR_TYPE_COMBO_IP_PREFIX , CONF_FLAG_MULTI, proto_tacacs_tcp_t, allow) },
75  { FR_CONF_OFFSET_TYPE_FLAGS("deny", FR_TYPE_COMBO_IP_PREFIX , CONF_FLAG_MULTI, proto_tacacs_tcp_t, deny) },
76 
77  CONF_PARSER_TERMINATOR
78 };
79 
80 static const conf_parser_t tcp_listen_config[] = {
81  { FR_CONF_OFFSET_TYPE_FLAGS("ipaddr", FR_TYPE_COMBO_IP_ADDR, 0, proto_tacacs_tcp_t, ipaddr) },
82  { FR_CONF_OFFSET_TYPE_FLAGS("ipv4addr", FR_TYPE_IPV4_ADDR, 0, proto_tacacs_tcp_t, ipaddr) },
83  { FR_CONF_OFFSET_TYPE_FLAGS("ipv6addr", FR_TYPE_IPV6_ADDR, 0, proto_tacacs_tcp_t, ipaddr) },
84 
85  { FR_CONF_OFFSET("interface", proto_tacacs_tcp_t, interface) },
86  { FR_CONF_OFFSET("port_name", proto_tacacs_tcp_t, port_name) },
87 
88  { FR_CONF_OFFSET("port", proto_tacacs_tcp_t, port), .dflt = "49" },
89  { FR_CONF_OFFSET_IS_SET("recv_buff", FR_TYPE_UINT32, 0, proto_tacacs_tcp_t, recv_buff) },
90 
91  { FR_CONF_OFFSET("dynamic_clients", proto_tacacs_tcp_t, dynamic_clients) } ,
92  { FR_CONF_POINTER("networks", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) networks_config },
93 
94  { FR_CONF_OFFSET("max_packet_size", proto_tacacs_tcp_t, max_packet_size), .dflt = "4096" } ,
95  { FR_CONF_OFFSET("max_attributes", proto_tacacs_tcp_t, max_attributes), .dflt = STRINGIFY(TACACS_MAX_ATTRIBUTES) } ,
96 
97  CONF_PARSER_TERMINATOR
98 };
99 
100 static const char *packet_name[] = {
101  [FR_TAC_PLUS_AUTHEN] = "Authentication",
102  [FR_TAC_PLUS_AUTHOR] = "Authorization",
103  [FR_TAC_PLUS_ACCT] = "Accounting",
104 };
105 
106 /** Read TACACS data from a TCP connection
107  *
108  * @param[in] li representing a client connection.
109  * @param[in] packet_ctx UNUSED.
110  * @param[out] recv_time_p When we read the packet.
111  * For some protocols we get this for free (but not here).
112  * @param[out] buffer to read into.
113  * @param[in] buffer_len Maximum length of the buffer.
114  * @param[in,out] leftover If the previous read didn't yield a complete packet
115  * we will have written how many bytes we read in leftover
116  * and returned 0. On the next call, we use the
117  * value of leftover to offset the position we start
118  * writing into the buffer.
119  * *leftover must be subtracted from buffer_len when
120  * calculating free space in the buffer.
121  * @return
122  * - >0 when a packet was read successfully.
123  * - 0 when we read a partial packet.
124  * - <0 on error (socket should be closed).
125  */
126 static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p,
127  uint8_t *buffer, size_t buffer_len, size_t *leftover)
128 {
129  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
130  ssize_t data_size, packet_len;
131  size_t in_buffer;
132 
133  /*
134  * We may have read multiple packets in the previous read. In which case the buffer may already
135  * have packets remaining. In that case, we can return packets directly from the buffer, and
136  * skip the read().
137  */
138  if (*leftover >= FR_HEADER_LENGTH) {
139  packet_len = fr_tacacs_length(buffer, *leftover);
140  if (packet_len < 0) goto invalid;
141 
142  if (packet_len <= ((ssize_t) *leftover)) {
143  data_size = 0;
144  goto have_packet;
145  }
146 
147  /*
148  * Else we don't have a full packet, try to read more data from the network.
149  */
150  }
151 
152  /*
153  * Read data into the buffer.
154  */
155  data_size = read(thread->sockfd, buffer + (*leftover), buffer_len - (*leftover));
156  if (data_size < 0) {
157  switch (errno) {
158 #if defined(EWOULDBLOCK) && (EWOULDBLOCK != EAGAIN)
159  case EWOULDBLOCK:
160 #endif
161  case EAGAIN:
162  /*
163  * We didn't read any data leave the buffers alone.
164  *
165  * i.e. if we had a partial packet in the buffer and we didn't read any data,
166  * then the partial packet is still left in the buffer.
167  */
168  return 0;
169 
170  default:
171  break;
172  }
173 
174  ERROR("proto_tacacs_tcp got read error (%zd) - %s", data_size, fr_syserror(errno));
175  return data_size;
176  }
177 
178  /*
179  * Note that we return ERROR for all bad packets, as
180  * there's no point in reading TACACS+ packets from a TCP
181  * connection which isn't sending us TACACS+ packets.
182  */
183 
184  /*
185  * TCP read of zero means the socket is dead.
186  */
187  if (!data_size) {
188  DEBUG2("proto_tacacs_tcp - other side closed the socket.");
189  return -1;
190  }
191 
192 have_packet:
193  /*
194  * Represents all the data we've read since we last
195  * decoded a complete packet.
196  */
197  in_buffer = *leftover + data_size;
198 
199  /*
200  * Figure out how big the complete TACACS packet should be.
201  * If we don't have enough data it'll likely come
202  * through in the next fragment.
203  */
204  packet_len = fr_tacacs_length(buffer, in_buffer);
205  if (packet_len < 0) {
206  invalid:
207  PERROR("Invalid TACACS packet");
208  return -1; /* Malformed, close the socket */
209  }
210 
211  /*
212  * We don't have a complete TACACS+ packet. Tell the
213  * caller that we need to read more, but record
214  * how much we read in leftover.
215  */
216  if (in_buffer < (size_t) packet_len) {
217  DEBUG3("proto_tacacs_tcp - Received packet fragment of %zu bytes (%zu bytes now pending)",
218  packet_len, *leftover);
219  *leftover = in_buffer;
220  return 0;
221  }
222 
223  /*
224  * We've read at least one packet. Tell the caller that
225  * there's more data available, and return only one packet.
226  */
227  *leftover = in_buffer - packet_len;
228 
229  *recv_time_p = fr_time();
230  thread->stats.total_requests++;
231 
232  /*
233  * proto_tacacs sets the priority
234  */
235 
236  /*
237  * Print out what we received.
238  */
239  FR_PROTO_HEX_DUMP(buffer, packet_len, "tacacs_tcp_recv");
240 
241  if (DEBUG_ENABLED2) {
242  char bogus_type[4];
243  char const *type;
244 
245  if (buffer[1] && buffer[1] <= FR_TAC_PLUS_ACCT) type = packet_name[buffer[1]];
246  else {
247  snprintf(bogus_type, sizeof(bogus_type), "%d", buffer[1]);
248  type = bogus_type;
249  }
250  DEBUG2("proto_tacacs_tcp - Received %s seq_no %d length %zd %s",
251  type, buffer[2],
252  packet_len, thread->name);
253  }
254 
255  return packet_len;
256 }
257 
258 static ssize_t mod_write(fr_listen_t *li, UNUSED void *packet_ctx, UNUSED fr_time_t request_time,
259  uint8_t *buffer, size_t buffer_len, size_t written)
260 {
261  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
262  ssize_t data_size;
263 
264  /*
265  * We only write TACACS packets.
266  *
267  * @todo - if buffer_len ==1, it means "do not respond".
268  * Which should be suppressed somewhere. Maybe here...
269  */
270  fr_assert(buffer_len >= sizeof(fr_tacacs_packet_hdr_t));
271  fr_assert(written < buffer_len);
272 
273  /*
274  * @todo - share a stats interface with the parent? or
275  * put the stats in the listener, so that proto_tacacs
276  * can update them, too.. <sigh>
277  */
278  if (written == 0) {
279  thread->stats.total_responses++;
280  }
281 
282  /*
283  * Only write replies if they're TACACS+ packets.
284  * sometimes we want to NOT send a reply...
285  */
286  data_size = write(thread->sockfd, buffer + written, buffer_len - written);
287  if (data_size <= 0) return data_size;
288 
289  /*
290  * If we're supposed to close the socket, then go do that.
291  */
292  if ((data_size + written) == buffer_len) {
293  fr_tacacs_packet_t const *pkt = (fr_tacacs_packet_t const *) buffer;
294 
295  switch (pkt->hdr.type) {
296  case FR_TAC_PLUS_AUTHEN:
297  if (pkt->authen_reply.status == FR_TAC_PLUS_AUTHEN_STATUS_ERROR) goto close_it;
298  break;
299 
300 
301  case FR_TAC_PLUS_AUTHOR:
302  if (pkt->author_reply.status == FR_TAC_PLUS_AUTHOR_STATUS_ERROR) {
303  close_it:
304  DEBUG("Closing connection due to unrecoverable server error response");
305  return 0;
306  }
307  break;
308 
309  default:
310  break;
311  }
312  }
313 
314  /*
315  * Return the packet we wrote, plus any bytes previously
316  * left over from previous packets.
317  */
318  return data_size + written;
319 }
320 
321 static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
322 {
323  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
324 
325  thread->connection = connection;
326 
327  return 0;
328 }
329 
330 static void mod_network_get(int *ipproto, bool *dynamic_clients, fr_trie_t const **trie, void *instance)
331 {
332  proto_tacacs_tcp_t *inst = talloc_get_type_abort(instance, proto_tacacs_tcp_t);
333 
334  *ipproto = IPPROTO_TCP;
335  *dynamic_clients = inst->dynamic_clients;
336  *trie = inst->trie;
337 }
338 
339 /** Open a TCP listener for TACACS+
340  *
341  */
342 static int mod_open(fr_listen_t *li)
343 {
344  proto_tacacs_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_tacacs_tcp_t);
345  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
346 
347  int sockfd;
348  fr_ipaddr_t ipaddr = inst->ipaddr;
349  uint16_t port = inst->port;
350 
351  fr_assert(!thread->connection);
352 
353  li->fd = sockfd = fr_socket_server_tcp(&inst->ipaddr, &port, inst->port_name, true);
354  if (sockfd < 0) {
355  PERROR("Failed opening TCP socket");
356  error:
357  return -1;
358  }
359 
360  (void) fr_nonblock(sockfd);
361 
362  if (fr_socket_bind(sockfd, inst->interface, &ipaddr, &port) < 0) {
363  close(sockfd);
364  PERROR("Failed binding socket");
365  goto error;
366  }
367 
368  if (listen(sockfd, 8) < 0) {
369  close(sockfd);
370  PERROR("Failed listening on socket");
371  goto error;
372  }
373 
374  thread->sockfd = sockfd;
375 
376  fr_assert((cf_parent(inst->cs) != NULL) && (cf_parent(cf_parent(inst->cs)) != NULL)); /* listen { ... } */
377 
378  thread->name = fr_app_io_socket_name(thread, &proto_tacacs_tcp,
379  NULL, 0,
380  &inst->ipaddr, inst->port,
381  inst->interface);
382 
383  return 0;
384 }
385 
386 
387 /** Set the file descriptor for this socket.
388  */
389 static int mod_fd_set(fr_listen_t *li, int fd)
390 {
391  proto_tacacs_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_tacacs_tcp_t);
392  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
393 
394  thread->sockfd = fd;
395 
396  thread->name = fr_app_io_socket_name(thread, &proto_tacacs_tcp,
397  &thread->connection->socket.inet.src_ipaddr, thread->connection->socket.inet.src_port,
398  &inst->ipaddr, inst->port,
399  inst->interface);
400 
401  return 0;
402 }
403 
404 static char const *mod_name(fr_listen_t *li)
405 {
406  proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
407 
408  return thread->name;
409 }
410 
411 static int mod_instantiate(module_inst_ctx_t const *mctx)
412 {
413  proto_tacacs_tcp_t *inst = talloc_get_type_abort(mctx->mi->data, proto_tacacs_tcp_t);
414  CONF_SECTION *conf = mctx->mi->conf;
415  size_t num;
416  CONF_ITEM *ci;
417  CONF_SECTION *server_cs;
418 
419  inst->cs = conf;
420 
421  /*
422  * Complain if no "ipaddr" is set.
423  */
424  if (inst->ipaddr.af == AF_UNSPEC) {
425  cf_log_err(conf, "No 'ipaddr' was specified in the 'tcp' section");
426  return -1;
427  }
428 
429  if (inst->recv_buff_is_set) {
430  FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, >=, 32);
431  FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, <=, INT_MAX);
432  }
433 
434  FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 20);
435  FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65536);
436 
437  if (!inst->port) {
438  struct servent *s;
439 
440  if (!inst->port_name) {
441  cf_log_err(conf, "No 'port' was specified in the 'tcp' section");
442  return -1;
443  }
444 
445  s = getservbyname(inst->port_name, "tcp");
446  if (!s) {
447  cf_log_err(conf, "Unknown value for 'port_name = %s", inst->port_name);
448  return -1;
449  }
450 
451  inst->port = ntohl(s->s_port);
452  }
453 
454  /*
455  * Parse and create the trie for dynamic clients, even if
456  * there's no dynamic clients.
457  */
458  num = talloc_array_length(inst->allow);
459  if (!num) {
460  if (inst->dynamic_clients) {
461  cf_log_err(conf, "The 'allow' subsection MUST contain at least one 'network' entry when 'dynamic_clients = true'.");
462  return -1;
463  }
464  } else {
465  inst->trie = fr_master_io_network(inst, inst->ipaddr.af, inst->allow, inst->deny);
466  if (!inst->trie) {
467  cf_log_perr(conf, "Failed creating list of networks");
468  return -1;
469  }
470  }
471 
472  ci = cf_section_to_item(mctx->mi->parent->conf); /* listen { ... } */
473  fr_assert(ci != NULL);
474  ci = cf_parent(ci);
475  fr_assert(ci != NULL);
476 
477  server_cs = cf_item_to_section(ci);
478 
479  /*
480  * Look up local clients, if they exist.
481  *
482  * @todo - ensure that we only parse clients which are
483  * for IPPROTO_TCP, and require a "secret".
484  */
485  if (cf_section_find_next(server_cs, NULL, "client", CF_IDENT_ANY)) {
486  inst->clients = client_list_parse_section(server_cs, IPPROTO_TCP, false);
487  if (!inst->clients) {
488  cf_log_err(conf, "Failed creating local clients");
489  return -1;
490  }
491  }
492 
493  return 0;
494 }
495 
496 static fr_client_t *mod_client_find(fr_listen_t *li, fr_ipaddr_t const *ipaddr, int ipproto)
497 {
498  proto_tacacs_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_tacacs_tcp_t);
499 
500  /*
501  * Prefer local clients.
502  */
503  if (inst->clients) {
504  fr_client_t *client;
505 
506  client = client_find(inst->clients, ipaddr, ipproto);
507  if (client) return client;
508  }
509 
510  return client_find(NULL, ipaddr, ipproto);
511 }
512 
513 fr_app_io_t proto_tacacs_tcp = {
514  .common = {
515  .magic = MODULE_MAGIC_INIT,
516  .name = "tacacs_tcp",
517  .config = tcp_listen_config,
518  .inst_size = sizeof(proto_tacacs_tcp_t),
519  .thread_inst_size = sizeof(proto_tacacs_tcp_thread_t),
520  .instantiate = mod_instantiate,
521  },
522  .default_message_size = 4096,
523  .track_duplicates = false,
524 
525  .open = mod_open,
526  .read = mod_read,
527  .write = mod_write,
528  .fd_set = mod_fd_set,
529  .connection_set = mod_connection_set,
530  .network_get = mod_network_get,
531  .client_find = mod_client_find,
532  .get_name = mod_name,
533 };
buffer
static int const char char buffer[256]
Definition: acutest.h:574
fr_app_io_socket_name
char const * fr_app_io_socket_name(TALLOC_CTX *ctx, fr_app_io_t const *app_io, fr_ipaddr_t const *src_ipaddr, int src_port, fr_ipaddr_t const *dst_ipaddr, int dst_port, char const *interface)
Definition: app_io.c:32
fr_app_io_t::common
module_t common
Common fields to all loadable modules.
Definition: app_io.h:34
fr_app_io_t
Public structure describing an I/O path for a protocol.
Definition: app_io.h:33
STRINGIFY
#define STRINGIFY(x)
Definition: build.h:195
UNUSED
#define UNUSED
Definition: build.h:313
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition: cf_parse.h:627
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition: cf_parse.h:487
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:268
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition: cf_parse.h:310
FR_CONF_OFFSET_IS_SET
#define FR_CONF_OFFSET_IS_SET(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct,...
Definition: cf_parse.h:282
CONF_FLAG_MULTI
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition: cf_parse.h:419
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition: cf_parse.h:399
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:241
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition: cf_parse.h:564
cf_item
Common header for all CONF_* types.
Definition: cf_priv.h:49
cf_section
A section grouping multiple CONF_PAIR.
Definition: cf_priv.h:101
cf_section_to_item
CONF_ITEM * cf_section_to_item(CONF_SECTION const *cs)
Cast a CONF_SECTION to a CONF_ITEM.
Definition: cf_util.c:738
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition: cf_util.c:684
cf_section_find_next
CONF_SECTION * cf_section_find_next(CONF_SECTION const *cs, CONF_SECTION const *prev, char const *name1, char const *name2)
Return the next matching section.
Definition: cf_util.c:1049
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition: cf_util.h:289
cf_parent
#define cf_parent(_cf)
Definition: cf_util.h:101
cf_log_perr
#define cf_log_perr(_cf, _fmt,...)
Definition: cf_util.h:296
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition: cf_util.h:78
ERROR
#define ERROR(fmt,...)
Definition: dhcpclient.c:41
sockfd
static int sockfd
Definition: dhcpclient.c:56
DEBUG
#define DEBUG(fmt,...)
Definition: dhcpclient.c:39
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition: dl_module.h:63
fr_ipaddr_t
IPv4/6 prefix.
Definition: merged_model.c:272
fr_io_address_t::socket
fr_socket_t socket
src/dst ip and port.
Definition: base.h:336
fr_io_address_t
Definition: base.h:335
fr_listen::app_io_instance
void const * app_io_instance
I/O path configuration context.
Definition: listen.h:32
fr_listen::thread_instance
void * thread_instance
thread / socket context
Definition: listen.h:33
fr_listen::fd
int fd
file descriptor for this socket - set by open
Definition: listen.h:28
fr_listen
Definition: listen.h:25
fr_client_s
Describes a host allowed to send packets to the server.
Definition: client.h:80
PERROR
#define PERROR(_fmt,...)
Definition: log.h:228
DEBUG_ENABLED2
#define DEBUG_ENABLED2
True if global debug level 1-2 messages are enabled.
Definition: log.h:258
DEBUG3
#define DEBUG3(_fmt,...)
Definition: log.h:266
fr_master_io_network
fr_trie_t * fr_master_io_network(TALLOC_CTX *ctx, int af, fr_ipaddr_t *allow, fr_ipaddr_t *deny)
Create a trie from arrays of allow / deny IP addresses.
Definition: master.c:2752
uint16_t
unsigned short uint16_t
Definition: merged_model.c:31
FR_TYPE_IPV4_ADDR
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
Definition: merged_model.c:86
FR_TYPE_COMBO_IP_PREFIX
@ FR_TYPE_COMBO_IP_PREFIX
IPv4 or IPv6 address prefix depending on length.
Definition: merged_model.c:92
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition: merged_model.c:99
FR_TYPE_IPV6_ADDR
@ FR_TYPE_IPV6_ADDR
128 Bit IPv6 Address.
Definition: merged_model.c:88
FR_TYPE_COMBO_IP_ADDR
@ FR_TYPE_COMBO_IP_ADDR
IPv4 or IPv6 address depending on length.
Definition: merged_model.c:91
uint32_t
unsigned int uint32_t
Definition: merged_model.c:33
ssize_t
long int ssize_t
Definition: merged_model.c:24
uint8_t
unsigned char uint8_t
Definition: merged_model.c:30
fr_nonblock
int fr_nonblock(UNUSED int fd)
Definition: misc.c:293
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition: module_ctx.h:51
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition: module_ctx.h:50
proto_tacacs.h
proto_tacacs_tcp_t::trie
fr_trie_t * trie
for parsed networks
Definition: proto_tacacs_tcp.c:68
proto_tacacs_tcp_t::deny
fr_ipaddr_t * deny
denied networks for dynamic clients
Definition: proto_tacacs_tcp.c:70
mod_client_find
static fr_client_t * mod_client_find(fr_listen_t *li, fr_ipaddr_t const *ipaddr, int ipproto)
Definition: proto_tacacs_tcp.c:496
proto_tacacs_tcp_t::cs
CONF_SECTION * cs
our configuration
Definition: proto_tacacs_tcp.c:49
TACACS_MAX_ATTRIBUTES
#define TACACS_MAX_ATTRIBUTES
Definition: proto_tacacs_tcp.c:37
proto_tacacs_tcp_t::dynamic_clients
bool dynamic_clients
whether we have dynamic clients
Definition: proto_tacacs_tcp.c:64
proto_tacacs_tcp_t::recv_buff_is_set
bool recv_buff_is_set
Whether we were provided with a recv_buff.
Definition: proto_tacacs_tcp.c:63
proto_tacacs_tcp_thread_t::sockfd
int sockfd
Definition: proto_tacacs_tcp.c:41
packet_name
static const char * packet_name[]
Definition: proto_tacacs_tcp.c:100
proto_tacacs_tcp_t::ipaddr
fr_ipaddr_t ipaddr
IP address to listen on.
Definition: proto_tacacs_tcp.c:51
proto_tacacs_tcp_t::clients
fr_client_list_t * clients
local clients
Definition: proto_tacacs_tcp.c:66
proto_tacacs_tcp_t::interface
char const * interface
Interface to bind to.
Definition: proto_tacacs_tcp.c:53
mod_open
static int mod_open(fr_listen_t *li)
Open a TCP listener for TACACS+.
Definition: proto_tacacs_tcp.c:342
mod_network_get
static void mod_network_get(int *ipproto, bool *dynamic_clients, fr_trie_t const **trie, void *instance)
Definition: proto_tacacs_tcp.c:330
proto_tacacs_tcp_thread_t::connection
fr_io_address_t * connection
for connected sockets.
Definition: proto_tacacs_tcp.c:43
mod_name
static char const * mod_name(fr_listen_t *li)
Definition: proto_tacacs_tcp.c:404
networks_config
static const conf_parser_t networks_config[]
Definition: proto_tacacs_tcp.c:73
proto_tacacs_tcp_t::max_attributes
uint32_t max_attributes
Limit maximum decodable attributes.
Definition: proto_tacacs_tcp.c:59
proto_tacacs_tcp_t::max_packet_size
uint32_t max_packet_size
for message ring buffer.
Definition: proto_tacacs_tcp.c:58
mod_read
static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p, uint8_t *buffer, size_t buffer_len, size_t *leftover)
Read TACACS data from a TCP connection.
Definition: proto_tacacs_tcp.c:126
proto_tacacs_tcp
fr_app_io_t proto_tacacs_tcp
Definition: proto_tacacs_tcp.c:513
proto_tacacs_tcp_thread_t::stats
fr_stats_t stats
statistics for this socket
Definition: proto_tacacs_tcp.c:45
proto_tacacs_tcp_t::allow
fr_ipaddr_t * allow
allowed networks for dynamic clients
Definition: proto_tacacs_tcp.c:69
mod_write
static ssize_t mod_write(fr_listen_t *li, UNUSED void *packet_ctx, UNUSED fr_time_t request_time, uint8_t *buffer, size_t buffer_len, size_t written)
Definition: proto_tacacs_tcp.c:258
proto_tacacs_tcp_t::port_name
char const * port_name
Name of the port for getservent().
Definition: proto_tacacs_tcp.c:54
mod_connection_set
static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
Definition: proto_tacacs_tcp.c:321
proto_tacacs_tcp_thread_t::name
char const * name
socket name
Definition: proto_tacacs_tcp.c:40
proto_tacacs_tcp_t::port
uint16_t port
Port to listen on.
Definition: proto_tacacs_tcp.c:61
mod_fd_set
static int mod_fd_set(fr_listen_t *li, int fd)
Set the file descriptor for this socket.
Definition: proto_tacacs_tcp.c:389
proto_tacacs_tcp_t::recv_buff
uint32_t recv_buff
How big the kernel's receive buffer should be.
Definition: proto_tacacs_tcp.c:56
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition: proto_tacacs_tcp.c:411
tcp_listen_config
static const conf_parser_t tcp_listen_config[]
Definition: proto_tacacs_tcp.c:80
proto_tacacs_tcp_t
Definition: proto_tacacs_tcp.c:48
proto_tacacs_tcp_thread_t
Definition: proto_tacacs_tcp.c:39
fr_tacacs_length
ssize_t fr_tacacs_length(uint8_t const *buffer, size_t buffer_len)
Definition: base.c:242
ipproto
static int ipproto
Definition: radclient-ng.c:92
DEBUG2
#define DEBUG2(fmt,...)
Definition: radclient.h:43
conf
static rs_t * conf
Definition: radsniff.c:53
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition: module.h:329
module_instance_s::data
void * data
Module's instance data.
Definition: module.h:271
module_instance_s::parent
module_instance_t const * parent
Parent module's instance (if any).
Definition: module.h:337
fr_stats_t::total_responses
fr_uint_t total_responses
Definition: stats.h:45
fr_stats_t::total_requests
fr_uint_t total_requests
Definition: stats.h:42
fr_stats_t
Definition: stats.h:41
snprintf
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition: snprintf.c:689
fr_socket_server_tcp
int fr_socket_server_tcp(fr_ipaddr_t const *src_ipaddr, uint16_t *src_port, char const *port_name, bool async)
Open an IPv4/IPv6 TCP socket.
Definition: socket.c:969
fr_socket_bind
int fr_socket_bind(int sockfd, char const *ifname, fr_ipaddr_t *src_ipaddr, uint16_t *src_port)
Bind a UDP/TCP v4/v6 socket to a given ipaddr src port, and interface.
Definition: socket.c:229
client_find
fr_client_t * client_find(fr_client_list_t const *clients, fr_ipaddr_t const *ipaddr, int proto)
Definition: client.c:378
client_list_parse_section
fr_client_list_t * client_list_parse_section(CONF_SECTION *section, int proto, TLS_UNUSED bool tls_required)
Definition: client.c:478
fr_client_list_s
Group of clients.
Definition: client.c:55
fr_assert
fr_assert(0)
inst
eap_aka_sim_process_conf_t * inst
Definition: state_machine.c:3620
type
fr_aka_sim_id_type_t type
Definition: state_machine.c:3623
fr_time
#define fr_time()
Allow us to arbitrarily manipulate time.
Definition: state_test.c:8
fr_syserror
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition: syserror.c:243
FR_HEADER_LENGTH
#define FR_HEADER_LENGTH
Definition: tacacs.h:26
FR_TAC_PLUS_AUTHOR_STATUS_ERROR
@ FR_TAC_PLUS_AUTHOR_STATUS_ERROR
Definition: tacacs.h:214
FR_TAC_PLUS_ACCT
@ FR_TAC_PLUS_ACCT
Definition: tacacs.h:67
FR_TAC_PLUS_AUTHEN
@ FR_TAC_PLUS_AUTHEN
Definition: tacacs.h:65
FR_TAC_PLUS_AUTHOR
@ FR_TAC_PLUS_AUTHOR
Definition: tacacs.h:66
fr_tacacs_packet_t::hdr
fr_tacacs_packet_hdr_t hdr
Definition: tacacs.h:277
fr_tacacs_packet_hdr_t::type
fr_tacacs_type_t type
Definition: tacacs.h:97
FR_TAC_PLUS_AUTHEN_STATUS_ERROR
@ FR_TAC_PLUS_AUTHEN_STATUS_ERROR
Definition: tacacs.h:157
fr_tacacs_packet_hdr_t
Definition: tacacs.h:84
fr_tacacs_packet_t
Definition: tacacs.h:276
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition: talloc.h:282
fr_time_s
"server local" time.
Definition: time.h:69
fr_trie_s
Definition: trie.c:484
close
close(uq->fd)
FR_PROTO_HEX_DUMP
#define FR_PROTO_HEX_DUMP(_data, _data_len, _fmt,...)
Definition: proto.h:41
Generated by   doxygen 1.9.1