The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
proto_tacacs_tcp.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: ef1188cc295aba40c929fa28449fcc7694e02376 $
19 * @file proto_tacacs_tcp.c
20 * @brief TACACS+ handler for TCP.
21 * @author Jorge Pereira <jpereira@freeradius.org>
22 *
23 * @copyright 2020 The FreeRADIUS server project.
24 * @copyright 2020 Network RADIUS SAS (legal@networkradius.com)
25 */
26
27#include <netdb.h>
28#include <freeradius-devel/server/protocol.h>
29#include <freeradius-devel/util/trie.h>
30#include <freeradius-devel/io/application.h>
31#include <freeradius-devel/io/listen.h>
32#include <freeradius-devel/io/schedule.h>
33#include "proto_tacacs.h"
34
35extern fr_app_io_t proto_tacacs_tcp;
36
37#define TACACS_MAX_ATTRIBUTES 256
38
39typedef struct {
40 char const *name; //!< socket name
41 int sockfd;
42
43 fr_io_address_t *connection; //!< for connected sockets.
44
45 fr_stats_t stats; //!< statistics for this socket
46} proto_tacacs_tcp_thread_t;
47
48typedef struct {
49 CONF_SECTION *cs; //!< our configuration
50
51 fr_ipaddr_t ipaddr; //!< IP address to listen on.
52
53 char const *interface; //!< Interface to bind to.
54 char const *port_name; //!< Name of the port for getservent().
55
56 uint32_t recv_buff; //!< How big the kernel's receive buffer should be.
57
58 uint32_t max_packet_size; //!< for message ring buffer.
59 uint32_t max_attributes; //!< Limit maximum decodable attributes.
60
61 uint16_t port; //!< Port to listen on.
62
63 bool recv_buff_is_set; //!< Whether we were provided with a recv_buff
64 bool dynamic_clients; //!< whether we have dynamic clients
65
66 fr_client_list_t *clients; //!< local clients
67
68 fr_trie_t *trie; //!< for parsed networks
69 fr_ipaddr_t *allow; //!< allowed networks for dynamic clients
70 fr_ipaddr_t *deny; //!< denied networks for dynamic clients
71
72 bool read_hexdump; //!< Do we debug hexdump read packets.
73 bool write_hexdump; //!< Do we debug hexdump write packets.
74} proto_tacacs_tcp_t;
75
82
83static const conf_parser_t tcp_listen_config[] = {
84 { FR_CONF_OFFSET_TYPE_FLAGS("ipaddr", FR_TYPE_COMBO_IP_ADDR, 0, proto_tacacs_tcp_t, ipaddr) },
85 { FR_CONF_OFFSET_TYPE_FLAGS("ipv4addr", FR_TYPE_IPV4_ADDR, 0, proto_tacacs_tcp_t, ipaddr) },
86 { FR_CONF_OFFSET_TYPE_FLAGS("ipv6addr", FR_TYPE_IPV6_ADDR, 0, proto_tacacs_tcp_t, ipaddr) },
87
88 { FR_CONF_OFFSET("interface", proto_tacacs_tcp_t, interface) },
89 { FR_CONF_OFFSET("port_name", proto_tacacs_tcp_t, port_name) },
90
91 { FR_CONF_OFFSET("port", proto_tacacs_tcp_t, port), .dflt = "49" },
92 { FR_CONF_OFFSET_IS_SET("recv_buff", FR_TYPE_UINT32, 0, proto_tacacs_tcp_t, recv_buff) },
93
94 { FR_CONF_OFFSET("dynamic_clients", proto_tacacs_tcp_t, dynamic_clients) } ,
95 { FR_CONF_POINTER("networks", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) networks_config },
96
97 { FR_CONF_OFFSET("max_packet_size", proto_tacacs_tcp_t, max_packet_size), .dflt = "4096" } ,
98 { FR_CONF_OFFSET("max_attributes", proto_tacacs_tcp_t, max_attributes), .dflt = STRINGIFY(TACACS_MAX_ATTRIBUTES) } ,
99
100 { FR_CONF_OFFSET("read_hexdump", proto_tacacs_tcp_t, read_hexdump) },
101 { FR_CONF_OFFSET("write_hexdump", proto_tacacs_tcp_t, write_hexdump) },
102
103 CONF_PARSER_TERMINATOR
104};
105
106static const char *packet_name[] = {
107 [FR_TAC_PLUS_AUTHEN] = "Authentication",
108 [FR_TAC_PLUS_AUTHOR] = "Authorization",
109 [FR_TAC_PLUS_ACCT] = "Accounting",
110};
111
112/** Read TACACS data from a TCP connection
113 *
114 * @param[in] li representing a client connection.
115 * @param[in] packet_ctx UNUSED.
116 * @param[out] recv_time_p When we read the packet.
117 * For some protocols we get this for free (but not here).
118 * @param[out] buffer to read into.
119 * @param[in] buffer_len Maximum length of the buffer.
120 * @param[in,out] leftover If the previous read didn't yield a complete packet
121 * we will have written how many bytes we read in leftover
122 * and returned 0. On the next call, we use the
123 * value of leftover to offset the position we start
124 * writing into the buffer.
125 * *leftover must be subtracted from buffer_len when
126 * calculating free space in the buffer.
127 * @return
128 * - >0 when a packet was read successfully.
129 * - 0 when we read a partial packet.
130 * - <0 on error (socket should be closed).
131 */
132static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p,
133 uint8_t *buffer, size_t buffer_len, size_t *leftover)
134{
135 proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
136 ssize_t data_size, packet_len;
137 size_t in_buffer;
138
139 /*
140 * We may have read multiple packets in the previous read. In which case the buffer may already
141 * have packets remaining. In that case, we can return packets directly from the buffer, and
142 * skip the read().
143 */
144 if (*leftover >= FR_HEADER_LENGTH) {
145 packet_len = fr_tacacs_length(buffer, *leftover);
146 if (packet_len < 0) goto invalid;
147
148 if (packet_len <= ((ssize_t) *leftover)) {
149 data_size = 0;
150 goto have_packet;
151 }
152
153 /*
154 * Else we don't have a full packet, try to read more data from the network.
155 */
156 }
157
158 /*
159 * Read data into the buffer.
160 */
161 data_size = read(thread->sockfd, buffer + (*leftover), buffer_len - (*leftover));
162 if (data_size < 0) {
163 switch (errno) {
164#if defined(EWOULDBLOCK) && (EWOULDBLOCK != EAGAIN)
165 case EWOULDBLOCK:
166#endif
167 case EAGAIN:
168 /*
169 * We didn't read any data leave the buffers alone.
170 *
171 * i.e. if we had a partial packet in the buffer and we didn't read any data,
172 * then the partial packet is still left in the buffer.
173 */
174 return 0;
175
176 default:
177 break;
178 }
179
180 ERROR("proto_tacacs_tcp got read error (%zd) - %s", data_size, fr_syserror(errno));
181 return data_size;
182 }
183
184 /*
185 * Note that we return ERROR for all bad packets, as
186 * there's no point in reading TACACS+ packets from a TCP
187 * connection which isn't sending us TACACS+ packets.
188 */
189
190 /*
191 * TCP read of zero means the socket is dead.
192 */
193 if (!data_size) {
194 DEBUG2("proto_tacacs_tcp - other side closed the socket.");
195 return -1;
196 }
197
198have_packet:
199 /*
200 * Represents all the data we've read since we last
201 * decoded a complete packet.
202 */
203 in_buffer = *leftover + data_size;
204
205 /*
206 * Figure out how big the complete TACACS packet should be.
207 * If we don't have enough data it'll likely come
208 * through in the next fragment.
209 */
210 packet_len = fr_tacacs_length(buffer, in_buffer);
211 if (packet_len < 0) {
212 invalid:
213 PERROR("Invalid TACACS packet");
214 return -1; /* Malformed, close the socket */
215 }
216
217 /*
218 * We don't have a complete TACACS+ packet. Tell the
219 * caller that we need to read more, but record
220 * how much we read in leftover.
221 */
222 if (in_buffer < (size_t) packet_len) {
223 DEBUG3("proto_tacacs_tcp - Received packet fragment of %zu bytes (%zu bytes now pending)",
224 packet_len, *leftover);
225 *leftover = in_buffer;
226 return 0;
227 }
228
229 /*
230 * We've read at least one packet. Tell the caller that
231 * there's more data available, and return only one packet.
232 */
233 *leftover = in_buffer - packet_len;
234
235 *recv_time_p = fr_time();
236 thread->stats.total_requests++;
237
238 /*
239 * proto_tacacs sets the priority
240 */
241
242 /*
243 * Print out what we received.
244 */
245 FR_PROTO_HEX_DUMP(buffer, packet_len, "tacacs_tcp_recv");
246
247 if (DEBUG_ENABLED2) {
248 char bogus_type[4];
249 char const *type;
250
251 if (buffer[1] && buffer[1] <= FR_TAC_PLUS_ACCT) type = packet_name[buffer[1]];
252 else {
253 snprintf(bogus_type, sizeof(bogus_type), "%d", buffer[1]);
254 type = bogus_type;
255 }
256 DEBUG2("proto_tacacs_tcp - Received %s seq_no %d length %zd %s",
257 type, buffer[2],
258 packet_len, thread->name);
259 }
260
261 return packet_len;
262}
263
264static ssize_t mod_write(fr_listen_t *li, UNUSED void *packet_ctx, UNUSED fr_time_t request_time,
265 uint8_t *buffer, size_t buffer_len, size_t written)
266{
267 proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
268 ssize_t data_size;
269
270 /*
271 * We only write TACACS packets.
272 *
273 * @todo - if buffer_len ==1, it means "do not respond".
274 * Which should be suppressed somewhere. Maybe here...
275 */
276 fr_assert(buffer_len >= sizeof(fr_tacacs_packet_hdr_t));
277 fr_assert(written < buffer_len);
278 fr_assert(buffer_len < (1 << 20)); /* shut up coverity */
279
280 /*
281 * @todo - share a stats interface with the parent? or
282 * put the stats in the listener, so that proto_tacacs
283 * can update them, too.. <sigh>
284 */
285 if (written == 0) {
286 thread->stats.total_responses++;
287 }
288
289 /*
290 * Only write replies if they're TACACS+ packets.
291 * sometimes we want to NOT send a reply...
292 */
293 data_size = write(thread->sockfd, buffer + written, buffer_len - written);
294 if (data_size <= 0) return data_size;
295
296 fr_assert((size_t) data_size <= buffer_len); /* shut up coverity */
297
298 /*
299 * If we're supposed to close the socket, then go do that.
300 */
301 if ((data_size + written) == buffer_len) {
302 fr_tacacs_packet_t const *pkt = (fr_tacacs_packet_t const *) buffer;
303
304 switch (pkt->hdr.type) {
305 case FR_TAC_PLUS_AUTHEN:
306 if (pkt->authen_reply.status == FR_TAC_PLUS_AUTHEN_STATUS_ERROR) goto close_it;
307 break;
308
309
310 case FR_TAC_PLUS_AUTHOR:
311 if (pkt->author_reply.status == FR_TAC_PLUS_AUTHOR_STATUS_ERROR) {
312 close_it:
313 ERROR("tavacs %s - Closing connection due to unrecoverable server error response",
314 thread->name);
315 errno = ECONNRESET;
316 return -1;
317 }
318 break;
319
320 default:
321 break;
322 }
323 }
324
325 /*
326 * Return the packet we wrote, plus any bytes previously
327 * left over from previous packets.
328 */
329 /* coverity[return_overflow] */
330 return data_size + written;
331}
332
333static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
334{
335 proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
336
337 thread->connection = connection;
338
339 return 0;
340}
341
342static void mod_network_get(int *ipproto, bool *dynamic_clients, fr_trie_t const **trie, void *instance)
343{
344 proto_tacacs_tcp_t *inst = talloc_get_type_abort(instance, proto_tacacs_tcp_t);
345
346 *ipproto = IPPROTO_TCP;
347 *dynamic_clients = inst->dynamic_clients;
348 *trie = inst->trie;
349}
350
351/** Open a TCP listener for TACACS+
352 *
353 */
354static int mod_open(fr_listen_t *li)
355{
356 proto_tacacs_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_tacacs_tcp_t);
357 proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
358
359 int sockfd;
360 fr_ipaddr_t ipaddr = inst->ipaddr;
361 uint16_t port = inst->port;
362
363 fr_assert(!thread->connection);
364
365 li->fd = sockfd = fr_socket_server_tcp(&inst->ipaddr, &port, inst->port_name, true);
366 if (sockfd < 0) {
367 PERROR("Failed opening TCP socket");
368 error:
369 return -1;
370 }
371
372 (void) fr_nonblock(sockfd);
373
374 if (fr_socket_bind(sockfd, inst->interface, &ipaddr, &port) < 0) {
375 close(sockfd);
376 PERROR("Failed binding socket");
377 goto error;
378 }
379
380 if (listen(sockfd, 8) < 0) {
381 close(sockfd);
382 PERROR("Failed listening on socket");
383 goto error;
384 }
385
386 thread->sockfd = sockfd;
387
388 fr_assert((cf_parent(inst->cs) != NULL) && (cf_parent(cf_parent(inst->cs)) != NULL)); /* listen { ... } */
389
390 thread->name = fr_app_io_socket_name(thread, &proto_tacacs_tcp,
391 NULL, 0,
392 &inst->ipaddr, inst->port,
393 inst->interface);
394
395 return 0;
396}
397
398
399/** Set the file descriptor for this socket.
400 */
401static int mod_fd_set(fr_listen_t *li, int fd)
402{
403 proto_tacacs_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_tacacs_tcp_t);
404 proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
405
406 thread->sockfd = fd;
407
408 thread->name = fr_app_io_socket_name(thread, &proto_tacacs_tcp,
409 &thread->connection->socket.inet.src_ipaddr, thread->connection->socket.inet.src_port,
410 &inst->ipaddr, inst->port,
411 inst->interface);
412
413 return 0;
414}
415
416static char const *mod_name(fr_listen_t *li)
417{
418 proto_tacacs_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_tacacs_tcp_thread_t);
419
420 return thread->name;
421}
422
423static void mod_hexdump_set(fr_listen_t *li, void *data)
424{
425 proto_tacacs_tcp_t *inst = talloc_get_type_abort(data, proto_tacacs_tcp_t);
426 li->read_hexdump = inst->read_hexdump;
427 li->write_hexdump = inst->write_hexdump;
428}
429
430static int mod_instantiate(module_inst_ctx_t const *mctx)
431{
432 proto_tacacs_tcp_t *inst = talloc_get_type_abort(mctx->mi->data, proto_tacacs_tcp_t);
433 CONF_SECTION *conf = mctx->mi->conf;
434 size_t num;
435 CONF_ITEM *ci;
436 CONF_SECTION *server_cs;
437
438 inst->cs = conf;
439
440 /*
441 * Complain if no "ipaddr" is set.
442 */
443 if (inst->ipaddr.af == AF_UNSPEC) {
444 cf_log_err(conf, "No 'ipaddr' was specified in the 'tcp' section");
445 return -1;
446 }
447
448 if (inst->recv_buff_is_set) {
449 FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, >=, 32);
450 FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, <=, INT_MAX);
451 }
452
453 FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 20);
454 FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65536);
455
456 if (!inst->port) {
457 struct servent *s;
458
459 if (!inst->port_name) {
460 cf_log_err(conf, "No 'port' was specified in the 'tcp' section");
461 return -1;
462 }
463
464 s = getservbyname(inst->port_name, "tcp");
465 if (!s) {
466 cf_log_err(conf, "Unknown value for 'port_name = %s", inst->port_name);
467 return -1;
468 }
469
470 inst->port = ntohl(s->s_port);
471 }
472
473 /*
474 * Parse and create the trie for dynamic clients, even if
475 * there's no dynamic clients.
476 */
477 num = talloc_array_length(inst->allow);
478 if (!num) {
479 if (inst->dynamic_clients) {
480 cf_log_err(conf, "The 'allow' subsection MUST contain at least one 'network' entry when 'dynamic_clients = true'.");
481 return -1;
482 }
483 } else {
484 inst->trie = fr_master_io_network(inst, inst->ipaddr.af, inst->allow, inst->deny);
485 if (!inst->trie) {
486 cf_log_perr(conf, "Failed creating list of networks");
487 return -1;
488 }
489 }
490
491 ci = cf_section_to_item(mctx->mi->parent->conf); /* listen { ... } */
492 fr_assert(ci != NULL);
493 ci = cf_parent(ci);
494 fr_assert(ci != NULL);
495
496 server_cs = cf_item_to_section(ci);
497
498 /*
499 * Look up local clients, if they exist.
500 *
501 * @todo - ensure that we only parse clients which are
502 * for IPPROTO_TCP, and require a "secret".
503 */
504 if (cf_section_find_next(server_cs, NULL, "client", CF_IDENT_ANY)) {
505 inst->clients = client_list_parse_section(server_cs, IPPROTO_TCP, false);
506 if (!inst->clients) {
507 cf_log_err(conf, "Failed creating local clients");
508 return -1;
509 }
510 }
511
512 return 0;
513}
514
515static fr_client_t *mod_client_find(fr_listen_t *li, fr_ipaddr_t const *ipaddr, int ipproto)
516{
517 proto_tacacs_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_tacacs_tcp_t);
518
519 /*
520 * Prefer local clients.
521 */
522 if (inst->clients) {
523 fr_client_t *client;
524
525 client = client_find(inst->clients, ipaddr, ipproto);
526 if (client) return client;
527 }
528
529 return client_find(NULL, ipaddr, ipproto);
530}
531
532fr_app_io_t proto_tacacs_tcp = {
533 .common = {
534 .magic = MODULE_MAGIC_INIT,
535 .name = "tacacs_tcp",
536 .config = tcp_listen_config,
537 .inst_size = sizeof(proto_tacacs_tcp_t),
538 .thread_inst_size = sizeof(proto_tacacs_tcp_thread_t),
539 .instantiate = mod_instantiate,
540 },
541 .default_message_size = 4096,
542 .track_duplicates = false,
543
544 .open = mod_open,
545 .read = mod_read,
546 .write = mod_write,
547 .fd_set = mod_fd_set,
548 .connection_set = mod_connection_set,
549 .network_get = mod_network_get,
550 .client_find = mod_client_find,
551 .get_name = mod_name,
552 .hexdump_set = mod_hexdump_set,
553};
buffer
static int const char char buffer[256]
Definition acutest.h:578
fr_app_io_socket_name
char const * fr_app_io_socket_name(TALLOC_CTX *ctx, fr_app_io_t const *app_io, fr_ipaddr_t const *src_ipaddr, int src_port, fr_ipaddr_t const *dst_ipaddr, int dst_port, char const *interface)
Definition app_io.c:32
fr_app_io_t::common
module_t common
Common fields to all loadable modules.
Definition app_io.h:34
fr_app_io_t
Public structure describing an I/O path for a protocol.
Definition app_io.h:33
STRINGIFY
#define STRINGIFY(x)
Definition build.h:197
UNUSED
#define UNUSED
Definition build.h:317
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:660
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:520
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:283
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:337
FR_CONF_OFFSET_IS_SET
#define FR_CONF_OFFSET_IS_SET(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct,...
Definition cf_parse.h:297
CONF_FLAG_MULTI
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition cf_parse.h:449
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:426
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:597
cf_item
Common header for all CONF_* types.
Definition cf_priv.h:49
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_section_to_item
CONF_ITEM * cf_section_to_item(CONF_SECTION const *cs)
Cast a CONF_SECTION to a CONF_ITEM.
Definition cf_util.c:737
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
cf_section_find_next
CONF_SECTION * cf_section_find_next(CONF_SECTION const *cs, CONF_SECTION const *prev, char const *name1, char const *name2)
Return the next matching section.
Definition cf_util.c:1048
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:286
cf_parent
#define cf_parent(_cf)
Definition cf_util.h:101
cf_log_perr
#define cf_log_perr(_cf, _fmt,...)
Definition cf_util.h:293
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:78
ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:41
sockfd
static int sockfd
Definition dhcpclient.c:56
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
fr_ipaddr_t
IPv4/6 prefix.
Definition merged_model.c:266
fr_io_address_t::socket
fr_socket_t socket
src/dst ip and port.
Definition base.h:336
fr_io_address_t
Definition base.h:335
fr_listen::read_hexdump
bool read_hexdump
Do we debug hexdump packets as they're read.
Definition listen.h:52
fr_listen::write_hexdump
bool write_hexdump
Do we debug hexdump packets as they're written.
Definition listen.h:53
fr_listen::app_io_instance
void const * app_io_instance
I/O path configuration context.
Definition listen.h:33
fr_listen::thread_instance
void * thread_instance
thread / socket context
Definition listen.h:34
fr_listen::fd
int fd
file descriptor for this socket - set by open
Definition listen.h:28
fr_listen
Definition listen.h:25
fr_client_s
Describes a host allowed to send packets to the server.
Definition client.h:80
PERROR
#define PERROR(_fmt,...)
Definition log.h:228
DEBUG_ENABLED2
#define DEBUG_ENABLED2
True if global debug level 1-2 messages are enabled.
Definition log.h:258
DEBUG3
#define DEBUG3(_fmt,...)
Definition log.h:266
fr_master_io_network
fr_trie_t * fr_master_io_network(TALLOC_CTX *ctx, int af, fr_ipaddr_t *allow, fr_ipaddr_t *deny)
Create a trie from arrays of allow / deny IP addresses.
Definition master.c:2912
uint16_t
unsigned short uint16_t
Definition merged_model.c:31
FR_TYPE_IPV4_ADDR
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
Definition merged_model.c:86
FR_TYPE_COMBO_IP_PREFIX
@ FR_TYPE_COMBO_IP_PREFIX
IPv4 or IPv6 address prefix depending on length.
Definition merged_model.c:92
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_IPV6_ADDR
@ FR_TYPE_IPV6_ADDR
128 Bit IPv6 Address.
Definition merged_model.c:88
FR_TYPE_COMBO_IP_ADDR
@ FR_TYPE_COMBO_IP_ADDR
IPv4 or IPv6 address depending on length.
Definition merged_model.c:91
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
ssize_t
long int ssize_t
Definition merged_model.c:24
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_nonblock
int fr_nonblock(UNUSED int fd)
Definition misc.c:294
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
proto_tacacs.h
proto_tacacs_tcp_t::trie
fr_trie_t * trie
for parsed networks
Definition proto_tacacs_tcp.c:68
proto_tacacs_tcp_t::deny
fr_ipaddr_t * deny
denied networks for dynamic clients
Definition proto_tacacs_tcp.c:70
proto_tacacs_tcp_t::cs
CONF_SECTION * cs
our configuration
Definition proto_tacacs_tcp.c:49
TACACS_MAX_ATTRIBUTES
#define TACACS_MAX_ATTRIBUTES
Definition proto_tacacs_tcp.c:37
proto_tacacs_tcp_t::dynamic_clients
bool dynamic_clients
whether we have dynamic clients
Definition proto_tacacs_tcp.c:64
proto_tacacs_tcp_t::read_hexdump
bool read_hexdump
Do we debug hexdump read packets.
Definition proto_tacacs_tcp.c:72
proto_tacacs_tcp_t::recv_buff_is_set
bool recv_buff_is_set
Whether we were provided with a recv_buff.
Definition proto_tacacs_tcp.c:63
mod_hexdump_set
static void mod_hexdump_set(fr_listen_t *li, void *data)
Definition proto_tacacs_tcp.c:423
proto_tacacs_tcp_thread_t::sockfd
int sockfd
Definition proto_tacacs_tcp.c:41
packet_name
static const char * packet_name[]
Definition proto_tacacs_tcp.c:106
proto_tacacs_tcp_t::ipaddr
fr_ipaddr_t ipaddr
IP address to listen on.
Definition proto_tacacs_tcp.c:51
proto_tacacs_tcp_t::clients
fr_client_list_t * clients
local clients
Definition proto_tacacs_tcp.c:66
proto_tacacs_tcp_t::interface
char const * interface
Interface to bind to.
Definition proto_tacacs_tcp.c:53
mod_client_find
static fr_client_t * mod_client_find(fr_listen_t *li, fr_ipaddr_t const *ipaddr, int ipproto)
Definition proto_tacacs_tcp.c:515
mod_open
static int mod_open(fr_listen_t *li)
Open a TCP listener for TACACS+.
Definition proto_tacacs_tcp.c:354
proto_tacacs_tcp_t::write_hexdump
bool write_hexdump
Do we debug hexdump write packets.
Definition proto_tacacs_tcp.c:73
mod_network_get
static void mod_network_get(int *ipproto, bool *dynamic_clients, fr_trie_t const **trie, void *instance)
Definition proto_tacacs_tcp.c:342
proto_tacacs_tcp_thread_t::connection
fr_io_address_t * connection
for connected sockets.
Definition proto_tacacs_tcp.c:43
networks_config
static const conf_parser_t networks_config[]
Definition proto_tacacs_tcp.c:76
proto_tacacs_tcp_t::max_attributes
uint32_t max_attributes
Limit maximum decodable attributes.
Definition proto_tacacs_tcp.c:59
proto_tacacs_tcp_t::max_packet_size
uint32_t max_packet_size
for message ring buffer.
Definition proto_tacacs_tcp.c:58
mod_read
static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p, uint8_t *buffer, size_t buffer_len, size_t *leftover)
Read TACACS data from a TCP connection.
Definition proto_tacacs_tcp.c:132
proto_tacacs_tcp
fr_app_io_t proto_tacacs_tcp
Definition proto_tacacs_tcp.c:532
proto_tacacs_tcp_thread_t::stats
fr_stats_t stats
statistics for this socket
Definition proto_tacacs_tcp.c:45
proto_tacacs_tcp_t::allow
fr_ipaddr_t * allow
allowed networks for dynamic clients
Definition proto_tacacs_tcp.c:69
mod_write
static ssize_t mod_write(fr_listen_t *li, UNUSED void *packet_ctx, UNUSED fr_time_t request_time, uint8_t *buffer, size_t buffer_len, size_t written)
Definition proto_tacacs_tcp.c:264
proto_tacacs_tcp_t::port_name
char const * port_name
Name of the port for getservent().
Definition proto_tacacs_tcp.c:54
mod_connection_set
static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
Definition proto_tacacs_tcp.c:333
proto_tacacs_tcp_thread_t::name
char const * name
socket name
Definition proto_tacacs_tcp.c:40
proto_tacacs_tcp_t::port
uint16_t port
Port to listen on.
Definition proto_tacacs_tcp.c:61
mod_fd_set
static int mod_fd_set(fr_listen_t *li, int fd)
Set the file descriptor for this socket.
Definition proto_tacacs_tcp.c:401
proto_tacacs_tcp_t::recv_buff
uint32_t recv_buff
How big the kernel's receive buffer should be.
Definition proto_tacacs_tcp.c:56
mod_name
static char const * mod_name(fr_listen_t *li)
Definition proto_tacacs_tcp.c:416
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition proto_tacacs_tcp.c:430
tcp_listen_config
static const conf_parser_t tcp_listen_config[]
Definition proto_tacacs_tcp.c:83
proto_tacacs_tcp_t
Definition proto_tacacs_tcp.c:48
proto_tacacs_tcp_thread_t
Definition proto_tacacs_tcp.c:39
fr_tacacs_length
ssize_t fr_tacacs_length(uint8_t const *buffer, size_t buffer_len)
Definition base.c:211
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
ipproto
static int ipproto
Definition radclient-ng.c:92
DEBUG2
#define DEBUG2(fmt,...)
Definition radclient.h:43
conf
static rs_t * conf
Definition radsniff.c:53
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:349
module_instance_s::data
void * data
Module's instance data.
Definition module.h:291
module_instance_s::parent
module_instance_t const * parent
Parent module's instance (if any).
Definition module.h:357
module_s::config
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:206
fr_stats_t::total_responses
uint64_t total_responses
Definition stats.h:38
fr_stats_t::total_requests
uint64_t total_requests
Definition stats.h:35
fr_stats_t
Definition stats.h:34
snprintf
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
fr_socket_server_tcp
int fr_socket_server_tcp(fr_ipaddr_t const *src_ipaddr, uint16_t *src_port, char const *port_name, bool async)
Open an IPv4/IPv6 TCP socket.
Definition socket.c:975
fr_socket_bind
int fr_socket_bind(int sockfd, char const *ifname, fr_ipaddr_t *src_ipaddr, uint16_t *src_port)
Bind a UDP/TCP v4/v6 socket to a given ipaddr src port, and interface.
Definition socket.c:227
client_find
fr_client_t * client_find(fr_client_list_t const *clients, fr_ipaddr_t const *ipaddr, int proto)
Definition client.c:373
client_list_parse_section
fr_client_list_t * client_list_parse_section(CONF_SECTION *section, int proto, TLS_UNUSED bool tls_required)
Definition client.c:471
fr_client_list_s
Group of clients.
Definition client.c:50
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3651
type
fr_aka_sim_id_type_t type
Definition state_machine.c:3654
fr_time
#define fr_time()
Allow us to arbitrarily manipulate time.
Definition state_test.c:8
fr_syserror
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243
FR_HEADER_LENGTH
#define FR_HEADER_LENGTH
Definition tacacs.h:26
FR_TAC_PLUS_AUTHOR_STATUS_ERROR
@ FR_TAC_PLUS_AUTHOR_STATUS_ERROR
Definition tacacs.h:214
FR_TAC_PLUS_ACCT
@ FR_TAC_PLUS_ACCT
Definition tacacs.h:67
FR_TAC_PLUS_AUTHEN
@ FR_TAC_PLUS_AUTHEN
Definition tacacs.h:65
FR_TAC_PLUS_AUTHOR
@ FR_TAC_PLUS_AUTHOR
Definition tacacs.h:66
fr_tacacs_packet_t::hdr
fr_tacacs_packet_hdr_t hdr
Definition tacacs.h:277
fr_tacacs_packet_hdr_t::type
fr_tacacs_type_t type
Definition tacacs.h:97
FR_TAC_PLUS_AUTHEN_STATUS_ERROR
@ FR_TAC_PLUS_AUTHEN_STATUS_ERROR
Definition tacacs.h:157
fr_tacacs_packet_hdr_t
Definition tacacs.h:84
fr_tacacs_packet_t
Definition tacacs.h:276
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:244
fr_time_s
"server local" time.
Definition time.h:69
fr_trie_s
Definition trie.c:484
close
close(uq->fd)
FR_PROTO_HEX_DUMP
#define FR_PROTO_HEX_DUMP(_data, _data_len, _fmt,...)
Definition proto.h:42
data
static fr_slen_t data
Definition value.h:1319
Generated by   doxygen 1.9.8