The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This library is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU Lesser General Public
4 * License as published by the Free Software Foundation; either
5 * version 2.1 of the License, or (at your option) any later version.
6 *
7 * This library is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
10 * Lesser General Public License for more details.
11 *
12 * You should have received a copy of the GNU Lesser General Public
13 * License along with this library; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 2cdec93aa29f28a410ede875c312f230cff706bb $
19 *
20 * @file protocols/tacacs/encode.c
21 * @brief Low-Level TACACS+ encode functions
22 *
23 * @copyright 2017 The FreeRADIUS server project
24 * @copyright 2017 Network RADIUS SAS (legal@networkradius.com)
25 */
26#include <freeradius-devel/util/net.h>
27#include <freeradius-devel/util/md5.h>
28#include <freeradius-devel/util/struct.h>
29
30#include "tacacs.h"
31#include "attrs.h"
32
33static uint32_t instance_count = 0;
34static bool instantiated = false;
35
36fr_dict_t const *dict_tacacs;
37
38extern fr_dict_autoload_t libfreeradius_tacacs_dict[];
39fr_dict_autoload_t libfreeradius_tacacs_dict[] = {
40 { .out = &dict_tacacs, .proto = "tacacs" },
41
42 { NULL }
43};
44
45fr_dict_attr_t const *attr_tacacs_accounting_flags;
46fr_dict_attr_t const *attr_tacacs_accounting_status;
47fr_dict_attr_t const *attr_tacacs_action;
48fr_dict_attr_t const *attr_tacacs_authentication_flags;
49fr_dict_attr_t const *attr_tacacs_authentication_continue_flags;
50fr_dict_attr_t const *attr_tacacs_authentication_method;
51fr_dict_attr_t const *attr_tacacs_authentication_service;
52fr_dict_attr_t const *attr_tacacs_authentication_status;
53fr_dict_attr_t const *attr_tacacs_authentication_type;
54fr_dict_attr_t const *attr_tacacs_authorization_status;
55fr_dict_attr_t const *attr_tacacs_argument_list;
56fr_dict_attr_t const *attr_tacacs_client_port;
57fr_dict_attr_t const *attr_tacacs_data;
58fr_dict_attr_t const *attr_tacacs_flags;
59fr_dict_attr_t const *attr_tacacs_length;
60fr_dict_attr_t const *attr_tacacs_packet;
61fr_dict_attr_t const *attr_tacacs_packet_body_type;
62fr_dict_attr_t const *attr_tacacs_packet_type;
63fr_dict_attr_t const *attr_tacacs_privilege_level;
64fr_dict_attr_t const *attr_tacacs_remote_address;
65fr_dict_attr_t const *attr_tacacs_sequence_number;
66fr_dict_attr_t const *attr_tacacs_server_message;
67fr_dict_attr_t const *attr_tacacs_session_id;
68fr_dict_attr_t const *attr_tacacs_user_message;
69fr_dict_attr_t const *attr_tacacs_version_major;
70fr_dict_attr_t const *attr_tacacs_version_minor;
71
72fr_dict_attr_t const *attr_tacacs_user_name;
73fr_dict_attr_t const *attr_tacacs_user_password;
74fr_dict_attr_t const *attr_tacacs_chap_password;
75fr_dict_attr_t const *attr_tacacs_chap_challenge;
76fr_dict_attr_t const *attr_tacacs_mschap_response;
77fr_dict_attr_t const *attr_tacacs_mschap2_response;
78fr_dict_attr_t const *attr_tacacs_mschap_challenge;
79
80extern fr_dict_attr_autoload_t libfreeradius_tacacs_dict_attr[];
81fr_dict_attr_autoload_t libfreeradius_tacacs_dict_attr[] = {
82 { .out = &attr_tacacs_accounting_flags, .name = "Accounting-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
83 { .out = &attr_tacacs_accounting_status, .name = "Accounting-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
84 { .out = &attr_tacacs_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
85 { .out = &attr_tacacs_authentication_flags, .name = "Authentication-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
86 { .out = &attr_tacacs_authentication_continue_flags, .name = "Authentication-Continue-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
87 { .out = &attr_tacacs_authentication_method, .name = "Authentication-Method", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
88 { .out = &attr_tacacs_authentication_service, .name = "Authentication-Service", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
89 { .out = &attr_tacacs_authentication_status, .name = "Authentication-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
90 { .out = &attr_tacacs_authentication_type, .name = "Authentication-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
91 { .out = &attr_tacacs_authorization_status, .name = "Authorization-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
92 { .out = &attr_tacacs_argument_list, .name = "Argument-List", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
93 { .out = &attr_tacacs_client_port, .name = "Client-Port", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
94 { .out = &attr_tacacs_data, .name = "Data", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
95 { .out = &attr_tacacs_flags, .name = "Packet.Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
96 { .out = &attr_tacacs_length, .name = "Packet.Length", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
97 { .out = &attr_tacacs_packet, .name = "Packet", .type = FR_TYPE_STRUCT, .dict = &dict_tacacs },
98 { .out = &attr_tacacs_packet_body_type, .name = "Packet-Body-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
99 { .out = &attr_tacacs_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
100 { .out = &attr_tacacs_privilege_level, .name = "Privilege-Level", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
101 { .out = &attr_tacacs_remote_address, .name = "Remote-Address", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
102 { .out = &attr_tacacs_sequence_number, .name = "Packet.Sequence-Number", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
103 { .out = &attr_tacacs_server_message, .name = "Server-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
104 { .out = &attr_tacacs_session_id, .name = "Packet.Session-Id", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
105 { .out = &attr_tacacs_user_message, .name = "User-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
106 { .out = &attr_tacacs_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
107 { .out = &attr_tacacs_version_major, .name = "Packet.Version-Major", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
108 { .out = &attr_tacacs_version_minor, .name = "Packet.Version-Minor", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
109
110 { .out = &attr_tacacs_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
111 { .out = &attr_tacacs_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
112 { .out = &attr_tacacs_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
113 { .out = &attr_tacacs_chap_challenge, .name = "CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
114 { .out = &attr_tacacs_mschap_response, .name = "MS-CHAP-Response", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
115 { .out = &attr_tacacs_mschap2_response, .name = "MS-CHAP2-Response", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
116 { .out = &attr_tacacs_mschap_challenge, .name = "MS-CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
117 { NULL }
118};
119
120char const *fr_tacacs_packet_names[FR_TACACS_CODE_MAX] = {
121 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_START] = "Authentication-Start",
122 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_PASS] = "Authentication-Pass",
123 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_FAIL] = "Authentication-Fail",
124 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETDATA] = "Authentication-GetData",
125 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETUSER] = "Authentication-GetUser",
126 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETPASS] = "Authentication-GetPass",
127 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_RESTART] = "Authentication-Restart",
128 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_ERROR] = "Authentication-Error",
129
130 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_CONTINUE] = "Authentication-Continue",
131 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_CONTINUE_ABORT] = "Authentication-Continue-Abort",
132
133 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_REQUEST] = "Authorization-Request",
134 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_PASS_ADD] = "Authorization-Pass-Add",
135 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_PASS_REPLACE] = "Authorization-Pass-Replace",
136 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_FAIL] = "Authorization-Fail",
137 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_ERROR] = "Authorization-Error",
138
139 [FR_PACKET_TYPE_VALUE_ACCOUNTING_REQUEST] = "Accounting-Request",
140 [FR_PACKET_TYPE_VALUE_ACCOUNTING_SUCCESS] = "Accounting-Success",
141 [FR_PACKET_TYPE_VALUE_ACCOUNTING_ERROR] = "Accounting-Error",
142};
143
144
145int fr_tacacs_global_init(void)
146{
147 if (instance_count > 0) {
148 instance_count++;
149 return 0;
150 }
151
152 instance_count++;
153
154 if (fr_dict_autoload(libfreeradius_tacacs_dict) < 0) {
155 fail:
156 instance_count--;
157 return -1;
158 }
159
160 if (fr_dict_attr_autoload(libfreeradius_tacacs_dict_attr) < 0) {
161 fr_dict_autofree(libfreeradius_tacacs_dict);
162 goto fail;
163 }
164
165 instantiated = true;
166 return 0;
167}
168
169void fr_tacacs_global_free(void)
170{
171 if (!instantiated) return;
172
173 fr_assert(instance_count > 0);
174
175 if (--instance_count > 0) return;
176
177 fr_dict_autofree(libfreeradius_tacacs_dict);
178 instantiated = false;
179}
180
181/** XOR the body based on the secret key.
182 *
183 * This function encrypts (or decrypts) TACACS+ packets, and sets the "encrypted" flag.
184 */
185int fr_tacacs_body_xor(fr_tacacs_packet_t const *pkt, uint8_t *body, size_t body_len, char const *secret, size_t secret_len)
186{
187 uint8_t pad[MD5_DIGEST_LENGTH];
188 uint8_t *buf, *end;
189 int pad_offset;
190
191 /*
192 * Do some basic sanity checks.
193 */
194 if (!secret_len) {
195 fr_strerror_const("Failed to encrypt/decrept the packet, as the secret has zero length.");
196 return -1;
197 }
198
199 pad_offset = sizeof(pkt->hdr.session_id) + secret_len + sizeof(pkt->hdr.version) + sizeof(pkt->hdr.seq_no);
200
201 /* MD5_1 = MD5{session_id, key, version, seq_no} */
202 /* MD5_n = MD5{session_id, key, version, seq_no, MD5_n-1} */
203 buf = talloc_array(NULL, uint8_t, pad_offset + MD5_DIGEST_LENGTH);
204 if (!buf) return -1;
205
206 memcpy(&buf[0], &pkt->hdr.session_id, sizeof(pkt->hdr.session_id));
207 memcpy(&buf[sizeof(pkt->hdr.session_id)], secret, secret_len);
208 memcpy(&buf[sizeof(pkt->hdr.session_id) + secret_len], &pkt->hdr.version, sizeof(pkt->hdr.version));
209 memcpy(&buf[sizeof(pkt->hdr.session_id) + secret_len + sizeof(pkt->hdr.version)], &pkt->hdr.seq_no, sizeof(pkt->hdr.seq_no));
210
211 fr_md5_calc(pad, buf, pad_offset);
212
213 end = body + body_len;
214 while (body < end) {
215 size_t i;
216
217 for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
218 *body ^= pad[i];
219
220 if (++body == end) goto done;
221 }
222
223 memcpy(&buf[pad_offset], pad, MD5_DIGEST_LENGTH);
224 fr_md5_calc(pad, buf, pad_offset + MD5_DIGEST_LENGTH);
225 }
226
227done:
228 talloc_free(buf);
229
230 return 0;
231}
232
233/**
234 * Return how long a TACACS+ packet is
235 *
236 * Note that we only look at the 12 byte packet header. We don't
237 * (yet) do validation on authentication / authorization /
238 * accounting headers. The packet may still be determined later
239 * to be invalid.
240 *
241 * @param buffer to check
242 * @param buffer_len length of the buffer
243 * @return
244 * >0 size of the TACACS+ packet. We want. MAY be larger than "buffer_len"
245 * <=0 error, packet should be discarded.
246 */
247ssize_t fr_tacacs_length(uint8_t const *buffer, size_t buffer_len)
248{
249 fr_tacacs_packet_t const *pkt = (fr_tacacs_packet_t const *) buffer;
250 size_t length, want;
251
252 /*
253 * Check that we have a full TACACS+ header before
254 * decoding anything.
255 */
256 if (buffer_len < sizeof(pkt->hdr)) {
257 return sizeof(pkt->hdr);
258 }
259
260 /*
261 * TACACS major / minor version MUST be 12.0 or 12.1
262 */
263 if (!((buffer[0] == 0xc0) || (buffer[0] == 0xc1))) {
264 fr_strerror_printf("Unsupported TACACS+ version %02x", buffer[0]);
265 return -1;
266 }
267
268 /*
269 * There's no reason to accept 64K TACACS+ packets.
270 */
271 if ((buffer[8] != 0) || (buffer[9] != 0)) {
272 fr_strerror_const("Packet is too large. Our limit is 64K");
273 return -1;
274 }
275
276 /*
277 * There are only 3 types of packets which are supported.
278 */
279 if (!((pkt->hdr.type == FR_TAC_PLUS_AUTHEN) ||
280 (pkt->hdr.type == FR_TAC_PLUS_AUTHOR) ||
281 (pkt->hdr.type == FR_TAC_PLUS_ACCT))) {
282 fr_strerror_printf("Unknown packet type %d", pkt->hdr.type);
283 return -1;
284 }
285
286 length = sizeof(pkt->hdr) + ntohl(pkt->hdr.length);
287
288 if (buffer_len < length) return length;
289
290 /*
291 * We want at least the headers for the various packet
292 * types. Note that we do NOT check the lengths in the
293 * headers against buffer / buffer_len. That process is
294 * complex and error-prone. It's best to leave it in one
295 * place: fr_tacacs_decode().
296 */
297 switch (pkt->hdr.type) {
298 default:
299 fr_assert(0); /* should have been caught above */
300 return -1;
301
302 case FR_TAC_PLUS_AUTHEN:
303 if (packet_is_authen_start_request(pkt)) {
304 want = sizeof(pkt->hdr) + sizeof(pkt->authen_start);
305
306 } else if (packet_is_authen_continue(pkt)) {
307 want = sizeof(pkt->hdr) + sizeof(pkt->authen_cont);
308
309 } else {
310 fr_assert(packet_is_authen_reply(pkt));
311 want = sizeof(pkt->hdr) + sizeof(pkt->authen_reply);
312 }
313 break;
314
315 case FR_TAC_PLUS_AUTHOR:
316 if (packet_is_author_request(pkt)) {
317 want = sizeof(pkt->hdr) + sizeof(pkt->author_req);
318 } else {
319 fr_assert(packet_is_author_reply(pkt));
320 want = sizeof(pkt->hdr) + sizeof(pkt->author_reply);
321 }
322 break;
323
324 case FR_TAC_PLUS_ACCT:
325 if (packet_is_acct_request(pkt)) {
326 want = sizeof(pkt->hdr) + sizeof(pkt->acct_req);
327 } else {
328 fr_assert(packet_is_acct_reply(pkt));
329 want = sizeof(pkt->hdr) + sizeof(pkt->acct_reply);
330 }
331 break;
332 }
333
334 if (want > length) {
335 fr_strerror_printf("Packet is too small. Want %zu, got %zu", want, length);
336 return -1;
337 }
338
339 return length;
340}
341
342static void print_hex(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
343{
344 if (!datalen) return;
345
346 fr_log_hex(log, L_DBG, file, line, data, datalen, "%s", prefix);
347}
348
349static void print_ascii(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
350{
351 uint8_t const *p;
352
353 if (!datalen) return;
354
355 if (datalen > 80) {
356 hex:
357 print_hex(log, file, line, prefix, data, datalen);
358 return;
359 }
360
361 for (p = data; p < (data + datalen); p++) {
362 if ((*p < 0x20) || (*p > 0x80)) goto hex;
363 }
364
365 fr_log(log, L_DBG, file, line, "%s %.*s", prefix, (int) datalen, (char const *) data);
366}
367
368#define CHECK(_length) do { \
369 size_t plen = _length; \
370 if ((size_t) (end - p) < plen) { \
371 fr_log_hex(log, L_DBG, file, line, p, end - p, "%s", " TRUNCATED "); \
372 return; \
373 } \
374 data = p; \
375 data_len = plen; \
376 p += plen; \
377 } while (0)
378
379#undef ASCII
380#define ASCII(_prefix, _field) do { \
381 CHECK(_field); \
382 print_ascii(log, file, line, _prefix, data, data_len); \
383 } while (0)
384
385#undef HEXIT
386#define HEXIT(_prefix, _field) do { \
387 CHECK(_field); \
388 print_hex(log, file, line, _prefix, data, data_len); \
389 } while (0)
390
391#define PRINT(_fmt, ...) fr_log(log, L_DBG, file, line, _fmt, ## __VA_ARGS__)
392
393static void print_args(fr_log_t const *log, char const *file, int line, size_t arg_cnt, uint8_t const *argv, uint8_t const *start, uint8_t const *end)
394{
395 size_t i, data_len;
396 uint8_t const *p;
397 uint8_t const *data;
398 char prefix[64];
399
400 if (argv + arg_cnt > end) {
401 PRINT(" ARG cnt overflows packet");
402 return;
403 }
404
405 p = start;
406 for (i = 0; i < arg_cnt; i++) {
407 if (p == end) {
408 PRINT(" ARG[%zu] is at EOF", i);
409 return;
410 }
411
412 if ((end - p) < argv[i]) {
413 PRINT(" ARG[%zu] overflows packet", i);
414 print_hex(log, file, line, " ", p, end - p);
415 return;
416 }
417
418 snprintf(prefix, sizeof(prefix), " arg[%zu] ", i);
419 prefix[21] = '\0';
420
421 ASCII(prefix, argv[i]);
422 }
423}
424
425void _fr_tacacs_packet_log_hex(fr_log_t const *log, fr_tacacs_packet_t const *packet, size_t packet_len, char const *file, int line)
426{
427 size_t length, data_len;
428 uint8_t const *p = (uint8_t const *) packet;
429 uint8_t const *hdr, *end, *args;
430 uint8_t const *data;
431
432 end = ((uint8_t const *) packet) + packet_len;
433
434 if (packet_len < 12) {
435 print_hex(log, file, line, "header ", p, packet_len);
436 return;
437 }
438
439 /*
440 * It has to be at least 12 bytes long.
441 */
442 PRINT(" major %d", (p[0] & 0xf0) >> 4);
443 PRINT(" minor %d", (p[0] & 0x0f));
444
445 PRINT(" type %02x", p[1]);
446 PRINT(" seq_no %02x", p[2]);
447 PRINT(" flags %02x", p[3]);
448
449 PRINT(" sessid %08x", fr_nbo_to_uint32(p + 4));
450 PRINT(" length %08x", fr_nbo_to_uint32(p + 8));
451
452 PRINT(" body");
453 length = fr_nbo_to_uint32(p + 8);
454
455 if ((p[3] & 0x01) == 0) {
456 PRINT(" ... encrypted ...");
457 return;
458 }
459
460 if (length > 65535) {
461 PRINT(" TOO LARGE");
462 return;
463 }
464
465 p += 12;
466 hdr = p;
467
468 if ((p + length) != end) {
469 PRINT("length field does not match input packet length %08lx", packet_len - 12);
470 return;
471 }
472
473#define REQUIRE(_length) do { \
474 size_t plen = _length; \
475 if ((size_t) (end - hdr) < plen) { \
476 print_hex(log, file, line, " TRUNCATED ", hdr, end - hdr); \
477 return; \
478 } \
479 p = hdr + plen; \
480 } while (0)
481
482 switch (packet->hdr.type) {
483 default:
484 print_hex(log, file, line, " data ", p, length);
485 return;
486
487 case FR_TAC_PLUS_AUTHEN:
488 if (packet_is_authen_start_request(packet)) {
489 PRINT(" authentication-start");
490
491 REQUIRE(8);
492
493 PRINT(" action %02x", hdr[0]);
494 PRINT(" priv_lvl %02x", hdr[1]);
495 PRINT(" authen_type %02x", hdr[2]);
496 PRINT(" authen_service %02x", hdr[3]);
497 PRINT(" user_len %02x", hdr[4]);
498 PRINT(" port_len %02x", hdr[5]);
499 PRINT(" rem_addr_len %02x", hdr[6]);
500 PRINT(" data_len %02x", hdr[7]);
501
502 ASCII(" user ", hdr[4]);
503 ASCII(" port ", hdr[5]);
504 ASCII(" rem_addr ", hdr[6]);
505 HEXIT(" data ", hdr[7]); /* common auth flows */
506
507 } else if (packet_is_authen_continue(packet)) {
508 PRINT(" authentication-continue");
509
510 REQUIRE(5);
511
512 PRINT(" user_msg_len %04x", fr_nbo_to_uint16(hdr));
513 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 2));
514 PRINT(" flags %02x", hdr[4]);
515
516 ASCII(" user_msg ", fr_nbo_to_uint16(hdr));
517 HEXIT(" data ", fr_nbo_to_uint16(hdr + 2));
518
519 } else {
520 fr_assert(packet_is_authen_reply(packet));
521
522 PRINT(" authentication-reply");
523
524 REQUIRE(6);
525
526 PRINT(" status %02x", hdr[0]);
527 PRINT(" flags %02x", hdr[1]);
528 PRINT(" server_msg_len %04x", fr_nbo_to_uint16(hdr + 2));
529 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 4));
530
531 ASCII(" server_msg ", fr_nbo_to_uint16(hdr + 2));
532 HEXIT(" data ", fr_nbo_to_uint16(hdr + 4));
533 }
534 break;
535
536 case FR_TAC_PLUS_AUTHOR:
537 if (packet_is_author_request(packet)) {
538 PRINT(" authorization-request");
539 REQUIRE(8);
540
541 PRINT(" auth_method %02x", hdr[0]);
542 PRINT(" priv_lvl %02x", hdr[1]);
543 PRINT(" authen_type %02x", hdr[2]);
544 PRINT(" authen_service %02x", hdr[3]);
545 PRINT(" user_len %02x", hdr[4]);
546 PRINT(" port_len %02x", hdr[5]);
547 PRINT(" rem_addr_len %02x", hdr[6]);
548 PRINT(" arg_cnt %02x", hdr[7]);
549 args = p;
550
551 HEXIT(" argc ", hdr[7]);
552 ASCII(" user ", hdr[4]);
553 ASCII(" port ", hdr[5]);
554 ASCII(" rem_addr ", hdr[6]);
555
556 print_args(log, file, line, hdr[7], args, p, end);
557
558 } else {
559 PRINT(" authorization-reply");
560
561 fr_assert(packet_is_author_reply(packet));
562
563 REQUIRE(6);
564
565 PRINT(" status %02x", hdr[0]);
566 PRINT(" arg_cnt %02x", hdr[1]);
567 PRINT(" server_msg_len %04x", fr_nbo_to_uint16(hdr + 2));
568 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 4));
569 args = p;
570
571 HEXIT(" argc ", hdr[1]);
572 ASCII(" server_msg ", fr_nbo_to_uint16(hdr + 2));
573 ASCII(" data ", fr_nbo_to_uint16(hdr + 4));
574
575 print_args(log, file, line, hdr[1], args, p, end);
576 }
577 break;
578
579 case FR_TAC_PLUS_ACCT:
580 if (packet_is_acct_request(packet)) {
581 PRINT(" accounting-request");
582
583 REQUIRE(9);
584
585 PRINT(" flags %02x", hdr[0]);
586 PRINT(" auth_method %02x", hdr[1]);
587 PRINT(" priv_lvl %02x", hdr[2]);
588 PRINT(" authen_type %02x", hdr[3]);
589 PRINT(" authen_service %02x", hdr[4]);
590 PRINT(" user_len %02x", hdr[5]);
591 PRINT(" port_len %02x", hdr[6]);
592 PRINT(" rem_addr_len %02x", hdr[7]);
593 PRINT(" arg_cnt %02x", hdr[8]);
594 args = p;
595
596 HEXIT(" argc ", hdr[8]);
597 ASCII(" user ", hdr[5]);
598 ASCII(" port ", hdr[6]);
599 ASCII(" rem_addr ", hdr[7]);
600
601 print_args(log, file, line, hdr[8], args, p, end);
602 } else {
603 PRINT(" accounting-reply");
604 fr_assert(packet_is_acct_reply(packet));
605
606 PRINT(" authentication-reply");
607
608 REQUIRE(5);
609
610 PRINT(" server_msg_len %04x", fr_nbo_to_uint16(hdr));
611 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 2));
612 PRINT(" status %02x", hdr[0]);
613
614 ASCII(" server_msg ", fr_nbo_to_uint16(hdr));
615 HEXIT(" data ", fr_nbo_to_uint16(hdr + 2));
616 }
617 break;
618 }
619
620 fr_assert(p == end);
621}
buffer
static int const char char buffer[256]
Definition acutest.h:576
file
int const char * file
Definition acutest.h:702
args
va_list args
Definition acutest.h:770
line
int const char int line
Definition acutest.h:702
fr_dict_autofree
#define fr_dict_autofree(_to_free)
Definition dict.h:880
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:275
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:288
fr_dict_attr_autoload
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4223
fr_dict_autoload
#define fr_dict_autoload(_to_load)
Definition dict.h:877
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:274
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:287
instance_count
static uint32_t instance_count
Definition base.c:44
talloc_free
talloc_free(reap)
fr_log_hex
void fr_log_hex(fr_log_t const *log, fr_log_type_t type, char const *file, int line, uint8_t const *data, size_t data_len, char const *line_prefix_fmt,...)
Print out hex block.
Definition log.c:778
fr_log
void fr_log(fr_log_t const *log, fr_log_type_t type, char const *file, int line, char const *fmt,...)
Send a server log message to its destination.
Definition log.c:577
L_DBG
@ L_DBG
Only displayed when debugging is enabled.
Definition log.h:59
MD5_DIGEST_LENGTH
#define MD5_DIGEST_LENGTH
Definition merged_model.c:242
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_UINT8
@ FR_TYPE_UINT8
8 Bit unsigned integer.
Definition merged_model.c:97
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_STRUCT
@ FR_TYPE_STRUCT
like TLV, but without T or L, and fixed-width children
Definition merged_model.c:119
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
ssize_t
long int ssize_t
Definition merged_model.c:24
fr_md5_calc
void fr_md5_calc(uint8_t out[static MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen)
Perform a single digest operation on a single input buffer.
Definition merged_model.c:245
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
fr_nbo_to_uint16
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition nbo.h:146
fr_nbo_to_uint32
static uint32_t fr_nbo_to_uint32(uint8_t const data[static sizeof(uint32_t)])
Read an unsigned 32bit integer from wire format (big endian)
Definition nbo.h:167
attr_tacacs_authentication_flags
static fr_dict_attr_t const * attr_tacacs_authentication_flags
Definition base.c:56
attr_tacacs_user_message
static fr_dict_attr_t const * attr_tacacs_user_message
Definition base.c:73
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition base.c:39
attr_tacacs_session_id
static fr_dict_attr_t const * attr_tacacs_session_id
Definition base.c:70
attr_tacacs_server_message
static fr_dict_attr_t const * attr_tacacs_server_message
Definition base.c:69
attr_tacacs_privilege_level
static fr_dict_attr_t const * attr_tacacs_privilege_level
Definition base.c:67
attr_tacacs_authentication_type
static fr_dict_attr_t const * attr_tacacs_authentication_type
Definition base.c:57
attr_tacacs_accounting_status
static fr_dict_attr_t const * attr_tacacs_accounting_status
Definition base.c:62
attr_tacacs_authentication_service
static fr_dict_attr_t const * attr_tacacs_authentication_service
Definition base.c:58
attr_tacacs_authentication_status
static fr_dict_attr_t const * attr_tacacs_authentication_status
Definition base.c:59
attr_tacacs_client_port
static fr_dict_attr_t const * attr_tacacs_client_port
Definition base.c:65
attr_tacacs_remote_address
static fr_dict_attr_t const * attr_tacacs_remote_address
Definition base.c:68
attr_tacacs_action
static fr_dict_attr_t const * attr_tacacs_action
Definition base.c:54
attr_tacacs_sequence_number
static fr_dict_attr_t const * attr_tacacs_sequence_number
Definition base.c:71
attr_tacacs_authorization_status
static fr_dict_attr_t const * attr_tacacs_authorization_status
Definition base.c:61
attr_tacacs_accounting_flags
static fr_dict_attr_t const * attr_tacacs_accounting_flags
Definition base.c:63
attr_tacacs_data
static fr_dict_attr_t const * attr_tacacs_data
Definition base.c:66
instantiated
static bool instantiated
Definition base.c:34
fr_tacacs_body_xor
int fr_tacacs_body_xor(fr_tacacs_packet_t const *pkt, uint8_t *body, size_t body_len, char const *secret, size_t secret_len)
XOR the body based on the secret key.
Definition base.c:185
attr_tacacs_length
fr_dict_attr_t const * attr_tacacs_length
Definition base.c:59
_fr_tacacs_packet_log_hex
void _fr_tacacs_packet_log_hex(fr_log_t const *log, fr_tacacs_packet_t const *packet, size_t packet_len, char const *file, int line)
Definition base.c:425
libfreeradius_tacacs_dict_attr
fr_dict_attr_autoload_t libfreeradius_tacacs_dict_attr[]
Definition base.c:81
fr_tacacs_length
ssize_t fr_tacacs_length(uint8_t const *buffer, size_t buffer_len)
Definition base.c:247
attr_tacacs_authentication_continue_flags
fr_dict_attr_t const * attr_tacacs_authentication_continue_flags
Definition base.c:49
fr_tacacs_packet_names
char const * fr_tacacs_packet_names[FR_TACACS_CODE_MAX]
Definition base.c:120
print_args
static void print_args(fr_log_t const *log, char const *file, int line, size_t arg_cnt, uint8_t const *argv, uint8_t const *start, uint8_t const *end)
Definition base.c:393
fr_tacacs_global_free
void fr_tacacs_global_free(void)
Definition base.c:169
print_hex
static void print_hex(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
Definition base.c:342
attr_tacacs_argument_list
fr_dict_attr_t const * attr_tacacs_argument_list
Definition base.c:55
attr_tacacs_chap_challenge
fr_dict_attr_t const * attr_tacacs_chap_challenge
Definition base.c:75
fr_tacacs_global_init
int fr_tacacs_global_init(void)
Definition base.c:145
attr_tacacs_user_password
fr_dict_attr_t const * attr_tacacs_user_password
Definition base.c:73
PRINT
#define PRINT(_fmt,...)
Definition base.c:391
attr_tacacs_version_major
fr_dict_attr_t const * attr_tacacs_version_major
Definition base.c:69
HEXIT
#define HEXIT(_prefix, _field)
Definition base.c:386
libfreeradius_tacacs_dict
fr_dict_autoload_t libfreeradius_tacacs_dict[]
Definition base.c:39
attr_tacacs_mschap_challenge
fr_dict_attr_t const * attr_tacacs_mschap_challenge
Definition base.c:78
attr_tacacs_mschap_response
fr_dict_attr_t const * attr_tacacs_mschap_response
Definition base.c:76
print_ascii
static void print_ascii(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
Definition base.c:349
attr_tacacs_version_minor
fr_dict_attr_t const * attr_tacacs_version_minor
Definition base.c:70
attr_tacacs_mschap2_response
fr_dict_attr_t const * attr_tacacs_mschap2_response
Definition base.c:77
REQUIRE
#define REQUIRE(_length)
attr_tacacs_chap_password
fr_dict_attr_t const * attr_tacacs_chap_password
Definition base.c:74
attr_tacacs_packet
fr_dict_attr_t const * attr_tacacs_packet
Definition base.c:60
attr_tacacs_packet_body_type
fr_dict_attr_t const * attr_tacacs_packet_body_type
Definition base.c:61
ASCII
#define ASCII(_prefix, _field)
Definition base.c:380
attr_tacacs_authentication_method
fr_dict_attr_t const * attr_tacacs_authentication_method
Definition base.c:50
attr_tacacs_user_name
fr_dict_attr_t const * attr_tacacs_user_name
Definition base.c:72
attr_tacacs_flags
fr_dict_attr_t const * attr_tacacs_flags
Definition base.c:58
attr_tacacs_packet_type
fr_dict_attr_t const * attr_tacacs_packet_type
Definition base.c:62
attrs.h
VQP attributes.
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
secret
static char * secret
Definition radclient-ng.c:69
done
static bool done
Definition radclient.c:81
snprintf
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
fr_log_s
Definition log.h:96
packet_is_authen_reply
#define packet_is_authen_reply(p)
Definition tacacs.h:51
packet_is_authen_continue
#define packet_is_authen_continue(p)
Definition tacacs.h:50
packet_is_acct_reply
#define packet_is_acct_reply(p)
Definition tacacs.h:57
FR_TAC_PLUS_ACCT
@ FR_TAC_PLUS_ACCT
Definition tacacs.h:67
FR_TAC_PLUS_AUTHEN
@ FR_TAC_PLUS_AUTHEN
Definition tacacs.h:65
FR_TAC_PLUS_AUTHOR
@ FR_TAC_PLUS_AUTHOR
Definition tacacs.h:66
packet_is_author_request
#define packet_is_author_request(p)
Definition tacacs.h:53
packet_is_acct_request
#define packet_is_acct_request(p)
Definition tacacs.h:56
packet_is_authen_start_request
#define packet_is_authen_start_request(p)
3.4.
Definition tacacs.h:49
fr_tacacs_packet_t::hdr
fr_tacacs_packet_hdr_t hdr
Definition tacacs.h:277
fr_tacacs_packet_hdr_t::type
fr_tacacs_type_t type
Definition tacacs.h:97
FR_TACACS_CODE_MAX
@ FR_TACACS_CODE_MAX
Definition tacacs.h:317
packet_is_author_reply
#define packet_is_author_reply(p)
Definition tacacs.h:54
fr_tacacs_packet_t
Definition tacacs.h:276
fr_strerror_printf
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
fr_strerror_const
#define fr_strerror_const(_msg)
Definition strerror.h:223
data
static fr_slen_t data
Definition value.h:1291
Generated by   doxygen 1.9.8