The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This library is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU Lesser General Public
4 * License as published by the Free Software Foundation; either
5 * version 2.1 of the License, or (at your option) any later version.
6 *
7 * This library is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
10 * Lesser General Public License for more details.
11 *
12 * You should have received a copy of the GNU Lesser General Public
13 * License along with this library; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: f5c2cb98f66b55d54fb54ca4b84db2485a16456f $
19 *
20 * @file protocols/tacacs/encode.c
21 * @brief Low-Level TACACS+ encode functions
22 *
23 * @copyright 2017 The FreeRADIUS server project
24 * @copyright 2017 Network RADIUS SAS (legal@networkradius.com)
25 */
26#include <freeradius-devel/util/net.h>
27#include <freeradius-devel/util/md5.h>
28#include <freeradius-devel/util/struct.h>
29
30#include "tacacs.h"
31#include "attrs.h"
32
33static uint32_t instance_count = 0;
34static bool instantiated = false;
35
36fr_dict_t const *dict_tacacs;
37
38extern fr_dict_autoload_t libfreeradius_tacacs_dict[];
44
45fr_dict_attr_t const *attr_tacacs_accounting_flags;
46fr_dict_attr_t const *attr_tacacs_accounting_status;
47fr_dict_attr_t const *attr_tacacs_action;
48fr_dict_attr_t const *attr_tacacs_authentication_flags;
49fr_dict_attr_t const *attr_tacacs_authentication_continue_flags;
50fr_dict_attr_t const *attr_tacacs_authentication_method;
51fr_dict_attr_t const *attr_tacacs_authentication_service;
52fr_dict_attr_t const *attr_tacacs_authentication_status;
53fr_dict_attr_t const *attr_tacacs_authentication_type;
54fr_dict_attr_t const *attr_tacacs_authorization_status;
55fr_dict_attr_t const *attr_tacacs_argument_list;
56fr_dict_attr_t const *attr_tacacs_client_port;
57fr_dict_attr_t const *attr_tacacs_data;
58fr_dict_attr_t const *attr_tacacs_flags;
59fr_dict_attr_t const *attr_tacacs_length;
60fr_dict_attr_t const *attr_tacacs_packet;
61fr_dict_attr_t const *attr_tacacs_packet_body_type;
62fr_dict_attr_t const *attr_tacacs_packet_type;
63fr_dict_attr_t const *attr_tacacs_privilege_level;
64fr_dict_attr_t const *attr_tacacs_remote_address;
65fr_dict_attr_t const *attr_tacacs_sequence_number;
66fr_dict_attr_t const *attr_tacacs_server_message;
67fr_dict_attr_t const *attr_tacacs_session_id;
68fr_dict_attr_t const *attr_tacacs_user_message;
69fr_dict_attr_t const *attr_tacacs_version_major;
70fr_dict_attr_t const *attr_tacacs_version_minor;
71
72fr_dict_attr_t const *attr_tacacs_user_name;
73fr_dict_attr_t const *attr_tacacs_user_password;
74fr_dict_attr_t const *attr_tacacs_chap_password;
75fr_dict_attr_t const *attr_tacacs_chap_challenge;
76fr_dict_attr_t const *attr_tacacs_mschap_response;
77fr_dict_attr_t const *attr_tacacs_mschap2_response;
78fr_dict_attr_t const *attr_tacacs_mschap_challenge;
79
80extern fr_dict_attr_autoload_t libfreeradius_tacacs_dict_attr[];
81fr_dict_attr_autoload_t libfreeradius_tacacs_dict_attr[] = {
82 { .out = &attr_tacacs_accounting_flags, .name = "Accounting-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
83 { .out = &attr_tacacs_accounting_status, .name = "Accounting-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
84 { .out = &attr_tacacs_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
85 { .out = &attr_tacacs_authentication_flags, .name = "Authentication-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
86 { .out = &attr_tacacs_authentication_continue_flags, .name = "Authentication-Continue-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
87 { .out = &attr_tacacs_authentication_method, .name = "Authentication-Method", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
88 { .out = &attr_tacacs_authentication_service, .name = "Authentication-Service", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
89 { .out = &attr_tacacs_authentication_status, .name = "Authentication-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
90 { .out = &attr_tacacs_authentication_type, .name = "Authentication-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
91 { .out = &attr_tacacs_authorization_status, .name = "Authorization-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
92 { .out = &attr_tacacs_argument_list, .name = "Argument-List", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
93 { .out = &attr_tacacs_client_port, .name = "Client-Port", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
94 { .out = &attr_tacacs_data, .name = "Data", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
95 { .out = &attr_tacacs_flags, .name = "Packet.Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
96 { .out = &attr_tacacs_length, .name = "Packet.Length", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
97 { .out = &attr_tacacs_packet, .name = "Packet", .type = FR_TYPE_STRUCT, .dict = &dict_tacacs },
98 { .out = &attr_tacacs_packet_body_type, .name = "Packet-Body-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
99 { .out = &attr_tacacs_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
100 { .out = &attr_tacacs_privilege_level, .name = "Privilege-Level", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
101 { .out = &attr_tacacs_remote_address, .name = "Remote-Address", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
102 { .out = &attr_tacacs_sequence_number, .name = "Packet.Sequence-Number", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
103 { .out = &attr_tacacs_server_message, .name = "Server-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
104 { .out = &attr_tacacs_session_id, .name = "Packet.Session-Id", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
105 { .out = &attr_tacacs_user_message, .name = "User-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
106 { .out = &attr_tacacs_version_major, .name = "Packet.Version-Major", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
107 { .out = &attr_tacacs_version_minor, .name = "Packet.Version-Minor", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
108
109 { .out = &attr_tacacs_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
110 { .out = &attr_tacacs_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
111 { .out = &attr_tacacs_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
112 { .out = &attr_tacacs_chap_challenge, .name = "CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
113 { .out = &attr_tacacs_mschap_response, .name = "MS-CHAP-Response", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
114 { .out = &attr_tacacs_mschap2_response, .name = "MS-CHAP2-Response", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
115 { .out = &attr_tacacs_mschap_challenge, .name = "MS-CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
116 DICT_AUTOLOAD_TERMINATOR
117};
118
119char const *fr_tacacs_packet_names[FR_TACACS_CODE_MAX] = {
120 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_START] = "Authentication-Start",
121 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_PASS] = "Authentication-Pass",
122 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_FAIL] = "Authentication-Fail",
123 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETDATA] = "Authentication-GetData",
124 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETUSER] = "Authentication-GetUser",
125 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETPASS] = "Authentication-GetPass",
126 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_RESTART] = "Authentication-Restart",
127 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_ERROR] = "Authentication-Error",
128
129 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_CONTINUE] = "Authentication-Continue",
130 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_CONTINUE_ABORT] = "Authentication-Continue-Abort",
131
132 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_REQUEST] = "Authorization-Request",
133 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_PASS_ADD] = "Authorization-Pass-Add",
134 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_PASS_REPLACE] = "Authorization-Pass-Replace",
135 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_FAIL] = "Authorization-Fail",
136 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_ERROR] = "Authorization-Error",
137
138 [FR_PACKET_TYPE_VALUE_ACCOUNTING_REQUEST] = "Accounting-Request",
139 [FR_PACKET_TYPE_VALUE_ACCOUNTING_SUCCESS] = "Accounting-Success",
140 [FR_PACKET_TYPE_VALUE_ACCOUNTING_ERROR] = "Accounting-Error",
141};
142
143
144/** XOR the body based on the secret key.
145 *
146 * This function encrypts (or decrypts) TACACS+ packets, and sets the "encrypted" flag.
147 */
148int fr_tacacs_body_xor(fr_tacacs_packet_t const *pkt, uint8_t *body, size_t body_len, char const *secret, size_t secret_len)
149{
150 uint8_t pad[MD5_DIGEST_LENGTH];
151 uint8_t *buf, *end;
152 int pad_offset;
153
154 /*
155 * Do some basic sanity checks.
156 */
157 if (!secret_len) {
158 fr_strerror_const("Failed to encrypt/decrept the packet, as the secret has zero length.");
159 return -1;
160 }
161
162 pad_offset = sizeof(pkt->hdr.session_id) + secret_len + sizeof(pkt->hdr.version) + sizeof(pkt->hdr.seq_no);
163
164 /* MD5_1 = MD5{session_id, key, version, seq_no} */
165 /* MD5_n = MD5{session_id, key, version, seq_no, MD5_n-1} */
166 buf = talloc_array(NULL, uint8_t, pad_offset + MD5_DIGEST_LENGTH);
167 if (!buf) return -1;
168
169 memcpy(&buf[0], &pkt->hdr.session_id, sizeof(pkt->hdr.session_id));
170 memcpy(&buf[sizeof(pkt->hdr.session_id)], secret, secret_len);
171 memcpy(&buf[sizeof(pkt->hdr.session_id) + secret_len], &pkt->hdr.version, sizeof(pkt->hdr.version));
172 memcpy(&buf[sizeof(pkt->hdr.session_id) + secret_len + sizeof(pkt->hdr.version)], &pkt->hdr.seq_no, sizeof(pkt->hdr.seq_no));
173
174 fr_md5_calc(pad, buf, pad_offset);
175
176 end = body + body_len;
177 while (body < end) {
178 size_t i;
179
180 for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
181 *body ^= pad[i];
182
183 if (++body == end) goto done;
184 }
185
186 memcpy(&buf[pad_offset], pad, MD5_DIGEST_LENGTH);
187 fr_md5_calc(pad, buf, pad_offset + MD5_DIGEST_LENGTH);
188 }
189
190done:
191 talloc_free(buf);
192
193 return 0;
194}
195
196/**
197 * Return how long a TACACS+ packet is
198 *
199 * Note that we only look at the 12 byte packet header. We don't
200 * (yet) do validation on authentication / authorization /
201 * accounting headers. The packet may still be determined later
202 * to be invalid.
203 *
204 * @param buffer to check
205 * @param buffer_len length of the buffer
206 * @return
207 * >0 size of the TACACS+ packet. We want. MAY be larger than "buffer_len"
208 * <=0 error, packet should be discarded.
209 */
210ssize_t fr_tacacs_length(uint8_t const *buffer, size_t buffer_len)
211{
212 fr_tacacs_packet_t const *pkt = (fr_tacacs_packet_t const *) buffer;
213 size_t length, want;
214
215 /*
216 * Check that we have a full TACACS+ header before
217 * decoding anything.
218 */
219 if (buffer_len < sizeof(pkt->hdr)) {
220 return sizeof(pkt->hdr);
221 }
222
223 /*
224 * TACACS major / minor version MUST be 12.0 or 12.1
225 */
226 if (!((buffer[0] == 0xc0) || (buffer[0] == 0xc1))) {
227 fr_strerror_printf("Unsupported TACACS+ version %02x", buffer[0]);
228 return -1;
229 }
230
231 /*
232 * There's no reason to accept 64K TACACS+ packets.
233 */
234 if ((buffer[8] != 0) || (buffer[9] != 0)) {
235 fr_strerror_const("Packet is too large. Our limit is 64K");
236 return -1;
237 }
238
239 /*
240 * There are only 3 types of packets which are supported.
241 */
242 if (!((pkt->hdr.type == FR_TAC_PLUS_AUTHEN) ||
243 (pkt->hdr.type == FR_TAC_PLUS_AUTHOR) ||
244 (pkt->hdr.type == FR_TAC_PLUS_ACCT))) {
245 fr_strerror_printf("Unknown packet type %d", pkt->hdr.type);
246 return -1;
247 }
248
249 length = sizeof(pkt->hdr) + ntohl(pkt->hdr.length);
250
251 if (buffer_len < length) return length;
252
253 /*
254 * We want at least the headers for the various packet
255 * types. Note that we do NOT check the lengths in the
256 * headers against buffer / buffer_len. That process is
257 * complex and error-prone. It's best to leave it in one
258 * place: fr_tacacs_decode().
259 */
260 switch (pkt->hdr.type) {
261 default:
262 fr_assert(0); /* should have been caught above */
263 return -1;
264
265 case FR_TAC_PLUS_AUTHEN:
266 if (packet_is_authen_start_request(pkt)) {
267 want = sizeof(pkt->hdr) + sizeof(pkt->authen_start);
268
269 } else if (packet_is_authen_continue(pkt)) {
270 want = sizeof(pkt->hdr) + sizeof(pkt->authen_cont);
271
272 } else {
273 fr_assert(packet_is_authen_reply(pkt));
274 want = sizeof(pkt->hdr) + sizeof(pkt->authen_reply);
275 }
276 break;
277
278 case FR_TAC_PLUS_AUTHOR:
279 if (packet_is_author_request(pkt)) {
280 want = sizeof(pkt->hdr) + sizeof(pkt->author_req);
281 } else {
282 fr_assert(packet_is_author_reply(pkt));
283 want = sizeof(pkt->hdr) + sizeof(pkt->author_reply);
284 }
285 break;
286
287 case FR_TAC_PLUS_ACCT:
288 if (packet_is_acct_request(pkt)) {
289 want = sizeof(pkt->hdr) + sizeof(pkt->acct_req);
290 } else {
291 fr_assert(packet_is_acct_reply(pkt));
292 want = sizeof(pkt->hdr) + sizeof(pkt->acct_reply);
293 }
294 break;
295 }
296
297 if (want > length) {
298 fr_strerror_printf("Packet is too small. Want %zu, got %zu", want, length);
299 return -1;
300 }
301
302 return length;
303}
304
305static void print_hex(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
306{
307 if (!datalen) return;
308
309 fr_log_hex(log, L_DBG, file, line, data, datalen, "%s", prefix);
310}
311
312static void print_ascii(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
313{
314 uint8_t const *p;
315
316 if (!datalen) return;
317
318 if (datalen > 80) {
319 hex:
320 print_hex(log, file, line, prefix, data, datalen);
321 return;
322 }
323
324 for (p = data; p < (data + datalen); p++) {
325 if ((*p < 0x20) || (*p > 0x80)) goto hex;
326 }
327
328 fr_log(log, L_DBG, file, line, "%s %.*s", prefix, (int) datalen, (char const *) data);
329}
330
331#define CHECK(_length) do { \
332 size_t plen = _length; \
333 if ((size_t) (end - p) < plen) { \
334 fr_log_hex(log, L_DBG, file, line, p, end - p, "%s", " TRUNCATED "); \
335 return; \
336 } \
337 data = p; \
338 data_len = plen; \
339 p += plen; \
340 } while (0)
341
342#undef ASCII
343#define ASCII(_prefix, _field) do { \
344 CHECK(_field); \
345 print_ascii(log, file, line, _prefix, data, data_len); \
346 } while (0)
347
348#undef HEXIT
349#define HEXIT(_prefix, _field) do { \
350 CHECK(_field); \
351 print_hex(log, file, line, _prefix, data, data_len); \
352 } while (0)
353
354#define PRINT(_fmt, ...) fr_log(log, L_DBG, file, line, _fmt, ## __VA_ARGS__)
355
356static void print_args(fr_log_t const *log, char const *file, int line, size_t arg_cnt, uint8_t const *argv, uint8_t const *start, uint8_t const *end)
357{
358 size_t i, data_len;
359 uint8_t const *p;
360 uint8_t const *data;
361 char prefix[64];
362
363 if (argv + arg_cnt > end) {
364 PRINT(" ARG cnt overflows packet");
365 return;
366 }
367
368 p = start;
369 for (i = 0; i < arg_cnt; i++) {
370 if (p == end) {
371 PRINT(" ARG[%zu] is at EOF", i);
372 return;
373 }
374
375 if ((end - p) < argv[i]) {
376 PRINT(" ARG[%zu] overflows packet", i);
377 print_hex(log, file, line, " ", p, end - p);
378 return;
379 }
380
381 snprintf(prefix, sizeof(prefix), " arg[%zu] ", i);
382 prefix[21] = '\0';
383
384 ASCII(prefix, argv[i]);
385 }
386}
387
388void _fr_tacacs_packet_log_hex(fr_log_t const *log, fr_tacacs_packet_t const *packet, size_t packet_len, char const *file, int line)
389{
390 size_t length, data_len;
391 uint8_t const *p = (uint8_t const *) packet;
392 uint8_t const *hdr, *end, *args;
393 uint8_t const *data;
394
395 end = ((uint8_t const *) packet) + packet_len;
396
397 if (packet_len < 12) {
398 print_hex(log, file, line, "header ", p, packet_len);
399 return;
400 }
401
402 /*
403 * It has to be at least 12 bytes long.
404 */
405 PRINT(" major %d", (p[0] & 0xf0) >> 4);
406 PRINT(" minor %d", (p[0] & 0x0f));
407
408 PRINT(" type %02x", p[1]);
409 PRINT(" seq_no %02x", p[2]);
410 PRINT(" flags %02x", p[3]);
411
412 PRINT(" sessid %08x", fr_nbo_to_uint32(p + 4));
413 PRINT(" length %08x", fr_nbo_to_uint32(p + 8));
414
415 PRINT(" body");
416 length = fr_nbo_to_uint32(p + 8);
417
418 if ((p[3] & 0x01) == 0) {
419 PRINT(" ... encrypted ...");
420 return;
421 }
422
423 if (length > 65535) {
424 PRINT(" TOO LARGE");
425 return;
426 }
427
428 p += 12;
429 hdr = p;
430
431 if ((p + length) != end) {
432 PRINT("length field does not match input packet length %08lx", packet_len - 12);
433 return;
434 }
435
436#define REQUIRE(_length) do { \
437 size_t plen = _length; \
438 if ((size_t) (end - hdr) < plen) { \
439 print_hex(log, file, line, " TRUNCATED ", hdr, end - hdr); \
440 return; \
441 } \
442 p = hdr + plen; \
443 } while (0)
444
445 switch (packet->hdr.type) {
446 default:
447 print_hex(log, file, line, " data ", p, length);
448 return;
449
450 case FR_TAC_PLUS_AUTHEN:
451 if (packet_is_authen_start_request(packet)) {
452 PRINT(" authentication-start");
453
454 REQUIRE(8);
455
456 PRINT(" action %02x", hdr[0]);
457 PRINT(" priv_lvl %02x", hdr[1]);
458 PRINT(" authen_type %02x", hdr[2]);
459 PRINT(" authen_service %02x", hdr[3]);
460 PRINT(" user_len %02x", hdr[4]);
461 PRINT(" port_len %02x", hdr[5]);
462 PRINT(" rem_addr_len %02x", hdr[6]);
463 PRINT(" data_len %02x", hdr[7]);
464
465 ASCII(" user ", hdr[4]);
466 ASCII(" port ", hdr[5]);
467 ASCII(" rem_addr ", hdr[6]);
468 HEXIT(" data ", hdr[7]); /* common auth flows */
469
470 } else if (packet_is_authen_continue(packet)) {
471 PRINT(" authentication-continue");
472
473 REQUIRE(5);
474
475 PRINT(" user_msg_len %04x", fr_nbo_to_uint16(hdr));
476 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 2));
477 PRINT(" flags %02x", hdr[4]);
478
479 ASCII(" user_msg ", fr_nbo_to_uint16(hdr));
480 HEXIT(" data ", fr_nbo_to_uint16(hdr + 2));
481
482 } else {
483 fr_assert(packet_is_authen_reply(packet));
484
485 PRINT(" authentication-reply");
486
487 REQUIRE(6);
488
489 PRINT(" status %02x", hdr[0]);
490 PRINT(" flags %02x", hdr[1]);
491 PRINT(" server_msg_len %04x", fr_nbo_to_uint16(hdr + 2));
492 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 4));
493
494 ASCII(" server_msg ", fr_nbo_to_uint16(hdr + 2));
495 HEXIT(" data ", fr_nbo_to_uint16(hdr + 4));
496 }
497
498 fr_assert(p == end);
499 break;
500
501 case FR_TAC_PLUS_AUTHOR:
502 if (packet_is_author_request(packet)) {
503 PRINT(" authorization-request");
504 REQUIRE(8);
505
506 PRINT(" auth_method %02x", hdr[0]);
507 PRINT(" priv_lvl %02x", hdr[1]);
508 PRINT(" authen_type %02x", hdr[2]);
509 PRINT(" authen_service %02x", hdr[3]);
510 PRINT(" user_len %02x", hdr[4]);
511 PRINT(" port_len %02x", hdr[5]);
512 PRINT(" rem_addr_len %02x", hdr[6]);
513 PRINT(" arg_cnt %02x", hdr[7]);
514 args = p;
515
516 HEXIT(" argc ", hdr[7]);
517 ASCII(" user ", hdr[4]);
518 ASCII(" port ", hdr[5]);
519 ASCII(" rem_addr ", hdr[6]);
520
521 print_args(log, file, line, hdr[7], args, p, end);
522
523 } else {
524 PRINT(" authorization-reply");
525
526 fr_assert(packet_is_author_reply(packet));
527
528 REQUIRE(6);
529
530 PRINT(" status %02x", hdr[0]);
531 PRINT(" arg_cnt %02x", hdr[1]);
532 PRINT(" server_msg_len %04x", fr_nbo_to_uint16(hdr + 2));
533 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 4));
534 args = p;
535
536 HEXIT(" argc ", hdr[1]);
537 ASCII(" server_msg ", fr_nbo_to_uint16(hdr + 2));
538 ASCII(" data ", fr_nbo_to_uint16(hdr + 4));
539
540 print_args(log, file, line, hdr[1], args, p, end);
541 }
542 break;
543
544 case FR_TAC_PLUS_ACCT:
545 if (packet_is_acct_request(packet)) {
546 PRINT(" accounting-request");
547
548 REQUIRE(9);
549
550 PRINT(" flags %02x", hdr[0]);
551 PRINT(" auth_method %02x", hdr[1]);
552 PRINT(" priv_lvl %02x", hdr[2]);
553 PRINT(" authen_type %02x", hdr[3]);
554 PRINT(" authen_service %02x", hdr[4]);
555 PRINT(" user_len %02x", hdr[5]);
556 PRINT(" port_len %02x", hdr[6]);
557 PRINT(" rem_addr_len %02x", hdr[7]);
558 PRINT(" arg_cnt %02x", hdr[8]);
559 args = p;
560
561 HEXIT(" argc ", hdr[8]);
562 ASCII(" user ", hdr[5]);
563 ASCII(" port ", hdr[6]);
564 ASCII(" rem_addr ", hdr[7]);
565
566 print_args(log, file, line, hdr[8], args, p, end);
567 } else {
568 PRINT(" accounting-reply");
569 fr_assert(packet_is_acct_reply(packet));
570
571 REQUIRE(5);
572
573 PRINT(" server_msg_len %04x", fr_nbo_to_uint16(hdr));
574 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 2));
575 PRINT(" status %02x", hdr[0]);
576
577 ASCII(" server_msg ", fr_nbo_to_uint16(hdr));
578 HEXIT(" data ", fr_nbo_to_uint16(hdr + 2));
579
580 fr_assert(p == end);
581 }
582 break;
583 }
584}
585
586int fr_tacacs_global_init(void)
587{
588 if (instance_count > 0) {
589 instance_count++;
590 return 0;
591 }
592
593 instance_count++;
594
595 if (fr_dict_autoload(libfreeradius_tacacs_dict) < 0) {
596 fail:
597 instance_count--;
598 return -1;
599 }
600
601 if (fr_dict_attr_autoload(libfreeradius_tacacs_dict_attr) < 0) {
602 fr_dict_autofree(libfreeradius_tacacs_dict);
603 goto fail;
604 }
605
606 instantiated = true;
607 return 0;
608}
609
610void fr_tacacs_global_free(void)
611{
612 if (!instantiated) return;
613
614 fr_assert(instance_count > 0);
615
616 if (--instance_count > 0) return;
617
618 fr_dict_autofree(libfreeradius_tacacs_dict);
619 instantiated = false;
620}
621
622static bool attr_valid(fr_dict_attr_t *da)
623{
624 fr_dict_attr_flags_t *flags = &da->flags;
625
626 /*
627 * No arrays in TACACS+
628 */
629 if (flags->array) {
630 fr_strerror_const("Attributes with flag 'array' cannot be used in TACACS+");
631 return false;
632 }
633
634 if ((strcmp(da->name, "Packet") == 0) &&
635 (da->depth == 1)) {
636 if (da->type != FR_TYPE_STRUCT) {
637 fr_strerror_const("The top 'Packet' attribute must of type 'struct'");
638 return false;
639 }
640
641 return true;
642 }
643
644 /*
645 * The top-level Packet is a STRUCT which contains
646 * MEMBERs with defined values.
647 */
648 if (!flags->name_only && (da->parent->type != FR_TYPE_STRUCT)) {
649 fr_strerror_const("Attributes in TACACS+ cannot have assigned values. Use DEFINE, not ATTRIBUTE");
650 return false;
651 }
652
653 switch (da->type) {
654 case FR_TYPE_STRUCTURAL_EXCEPT_GROUP:
655 case FR_TYPE_INTERNAL:
656 fr_strerror_printf("Attributes of type '%s' cannot be used in TACACS+", fr_type_to_str(da->type));
657 return false;
658
659 default:
660 break;
661 }
662
663 return true;
664}
665
666extern fr_dict_protocol_t libfreeradius_tacacs_dict_protocol;
667fr_dict_protocol_t libfreeradius_tacacs_dict_protocol = {
668 .name = "tacacs",
669 .default_type_size = 4,
670 .default_type_length = 4,
671 .attr = {
672 .valid = attr_valid,
673 },
674
675 .init = fr_tacacs_global_init,
676 .free = fr_tacacs_global_free,
677};
buffer
static int const char char buffer[256]
Definition acutest.h:578
file
int const char * file
Definition acutest.h:704
args
va_list args
Definition acutest.h:772
line
int const char int line
Definition acutest.h:704
fr_dict_attr_flags_t::name_only
unsigned int name_only
this attribute should always be referred to by name.
Definition dict.h:102
fr_dict_autofree
#define fr_dict_autofree(_to_free)
Definition dict.h:917
fr_dict_attr_flags_t::array
unsigned int array
Pack multiples into 1 attr.
Definition dict.h:92
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:294
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:307
fr_dict_attr_autoload
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4396
fr_dict_autoload
#define fr_dict_autoload(_to_load)
Definition dict.h:914
DICT_AUTOLOAD_TERMINATOR
#define DICT_AUTOLOAD_TERMINATOR
Definition dict.h:313
fr_dict_protocol_t::name
char const * name
name of this protocol
Definition dict.h:458
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:293
fr_dict_attr_flags_t
Values of the encryption flags.
Definition merged_model.c:139
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:306
fr_dict_protocol_t
Protocol-specific callbacks in libfreeradius-PROTOCOL.
Definition dict.h:457
talloc_free
talloc_free(hp)
instance_count
static uint32_t instance_count
Definition base.c:44
fr_log_hex
void fr_log_hex(fr_log_t const *log, fr_log_type_t type, char const *file, int line, uint8_t const *data, size_t data_len, char const *line_prefix_fmt,...)
Print out hex block.
Definition log.c:778
fr_log
void fr_log(fr_log_t const *log, fr_log_type_t type, char const *file, int line, char const *fmt,...)
Send a server log message to its destination.
Definition log.c:577
L_DBG
@ L_DBG
Only displayed when debugging is enabled.
Definition log.h:59
MD5_DIGEST_LENGTH
#define MD5_DIGEST_LENGTH
Definition merged_model.c:242
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_UINT8
@ FR_TYPE_UINT8
8 Bit unsigned integer.
Definition merged_model.c:97
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_STRUCT
@ FR_TYPE_STRUCT
like TLV, but without T or L, and fixed-width children
Definition merged_model.c:119
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
ssize_t
long int ssize_t
Definition merged_model.c:24
fr_md5_calc
void fr_md5_calc(uint8_t out[static MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen)
Perform a single digest operation on a single input buffer.
Definition merged_model.c:245
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
fr_nbo_to_uint16
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition nbo.h:146
fr_nbo_to_uint32
static uint32_t fr_nbo_to_uint32(uint8_t const data[static sizeof(uint32_t)])
Read an unsigned 32bit integer from wire format (big endian)
Definition nbo.h:167
attr_tacacs_authentication_flags
static fr_dict_attr_t const * attr_tacacs_authentication_flags
Definition base.c:56
attr_tacacs_user_message
static fr_dict_attr_t const * attr_tacacs_user_message
Definition base.c:73
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition base.c:39
attr_tacacs_session_id
static fr_dict_attr_t const * attr_tacacs_session_id
Definition base.c:70
attr_tacacs_server_message
static fr_dict_attr_t const * attr_tacacs_server_message
Definition base.c:69
attr_tacacs_privilege_level
static fr_dict_attr_t const * attr_tacacs_privilege_level
Definition base.c:67
attr_tacacs_authentication_type
static fr_dict_attr_t const * attr_tacacs_authentication_type
Definition base.c:57
attr_tacacs_accounting_status
static fr_dict_attr_t const * attr_tacacs_accounting_status
Definition base.c:62
attr_tacacs_authentication_service
static fr_dict_attr_t const * attr_tacacs_authentication_service
Definition base.c:58
attr_tacacs_authentication_status
static fr_dict_attr_t const * attr_tacacs_authentication_status
Definition base.c:59
attr_tacacs_client_port
static fr_dict_attr_t const * attr_tacacs_client_port
Definition base.c:65
attr_tacacs_remote_address
static fr_dict_attr_t const * attr_tacacs_remote_address
Definition base.c:68
attr_tacacs_action
static fr_dict_attr_t const * attr_tacacs_action
Definition base.c:54
attr_tacacs_sequence_number
static fr_dict_attr_t const * attr_tacacs_sequence_number
Definition base.c:71
attr_tacacs_authorization_status
static fr_dict_attr_t const * attr_tacacs_authorization_status
Definition base.c:61
attr_tacacs_accounting_flags
static fr_dict_attr_t const * attr_tacacs_accounting_flags
Definition base.c:63
attr_tacacs_data
static fr_dict_attr_t const * attr_tacacs_data
Definition base.c:66
instantiated
static bool instantiated
Definition base.c:39
attr_valid
static bool attr_valid(fr_dict_attr_t *da)
Definition base.c:721
fr_tacacs_body_xor
int fr_tacacs_body_xor(fr_tacacs_packet_t const *pkt, uint8_t *body, size_t body_len, char const *secret, size_t secret_len)
XOR the body based on the secret key.
Definition base.c:148
attr_tacacs_length
fr_dict_attr_t const * attr_tacacs_length
Definition base.c:59
_fr_tacacs_packet_log_hex
void _fr_tacacs_packet_log_hex(fr_log_t const *log, fr_tacacs_packet_t const *packet, size_t packet_len, char const *file, int line)
Definition base.c:388
libfreeradius_tacacs_dict_attr
fr_dict_attr_autoload_t libfreeradius_tacacs_dict_attr[]
Definition base.c:81
fr_tacacs_length
ssize_t fr_tacacs_length(uint8_t const *buffer, size_t buffer_len)
Definition base.c:210
attr_tacacs_authentication_continue_flags
fr_dict_attr_t const * attr_tacacs_authentication_continue_flags
Definition base.c:49
fr_tacacs_packet_names
char const * fr_tacacs_packet_names[FR_TACACS_CODE_MAX]
Definition base.c:119
print_args
static void print_args(fr_log_t const *log, char const *file, int line, size_t arg_cnt, uint8_t const *argv, uint8_t const *start, uint8_t const *end)
Definition base.c:356
fr_tacacs_global_free
void fr_tacacs_global_free(void)
Definition base.c:610
print_hex
static void print_hex(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
Definition base.c:305
attr_tacacs_argument_list
fr_dict_attr_t const * attr_tacacs_argument_list
Definition base.c:55
attr_tacacs_chap_challenge
fr_dict_attr_t const * attr_tacacs_chap_challenge
Definition base.c:75
fr_tacacs_global_init
int fr_tacacs_global_init(void)
Definition base.c:586
attr_tacacs_user_password
fr_dict_attr_t const * attr_tacacs_user_password
Definition base.c:73
PRINT
#define PRINT(_fmt,...)
Definition base.c:354
attr_tacacs_version_major
fr_dict_attr_t const * attr_tacacs_version_major
Definition base.c:69
HEXIT
#define HEXIT(_prefix, _field)
Definition base.c:349
libfreeradius_tacacs_dict
fr_dict_autoload_t libfreeradius_tacacs_dict[]
Definition base.c:39
attr_tacacs_mschap_challenge
fr_dict_attr_t const * attr_tacacs_mschap_challenge
Definition base.c:78
libfreeradius_tacacs_dict_protocol
fr_dict_protocol_t libfreeradius_tacacs_dict_protocol
Definition base.c:667
attr_tacacs_mschap_response
fr_dict_attr_t const * attr_tacacs_mschap_response
Definition base.c:76
print_ascii
static void print_ascii(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
Definition base.c:312
attr_tacacs_version_minor
fr_dict_attr_t const * attr_tacacs_version_minor
Definition base.c:70
attr_tacacs_mschap2_response
fr_dict_attr_t const * attr_tacacs_mschap2_response
Definition base.c:77
REQUIRE
#define REQUIRE(_length)
attr_tacacs_chap_password
fr_dict_attr_t const * attr_tacacs_chap_password
Definition base.c:74
attr_tacacs_packet
fr_dict_attr_t const * attr_tacacs_packet
Definition base.c:60
attr_tacacs_packet_body_type
fr_dict_attr_t const * attr_tacacs_packet_body_type
Definition base.c:61
ASCII
#define ASCII(_prefix, _field)
Definition base.c:343
attr_tacacs_authentication_method
fr_dict_attr_t const * attr_tacacs_authentication_method
Definition base.c:50
attr_tacacs_user_name
fr_dict_attr_t const * attr_tacacs_user_name
Definition base.c:72
attr_tacacs_flags
fr_dict_attr_t const * attr_tacacs_flags
Definition base.c:58
attr_tacacs_packet_type
fr_dict_attr_t const * attr_tacacs_packet_type
Definition base.c:62
attrs.h
VQP attributes.
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
secret
static char * secret
Definition radclient-ng.c:71
done
static bool done
Definition radclient.c:83
snprintf
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
fr_log_s
Definition log.h:96
packet_is_authen_reply
#define packet_is_authen_reply(p)
Definition tacacs.h:51
packet_is_authen_continue
#define packet_is_authen_continue(p)
Definition tacacs.h:50
packet_is_acct_reply
#define packet_is_acct_reply(p)
Definition tacacs.h:57
FR_TAC_PLUS_ACCT
@ FR_TAC_PLUS_ACCT
Definition tacacs.h:67
FR_TAC_PLUS_AUTHEN
@ FR_TAC_PLUS_AUTHEN
Definition tacacs.h:65
FR_TAC_PLUS_AUTHOR
@ FR_TAC_PLUS_AUTHOR
Definition tacacs.h:66
packet_is_author_request
#define packet_is_author_request(p)
Definition tacacs.h:53
packet_is_acct_request
#define packet_is_acct_request(p)
Definition tacacs.h:56
packet_is_authen_start_request
#define packet_is_authen_start_request(p)
3.4.
Definition tacacs.h:49
fr_tacacs_packet_t::hdr
fr_tacacs_packet_hdr_t hdr
Definition tacacs.h:277
fr_tacacs_packet_hdr_t::type
fr_tacacs_type_t type
Definition tacacs.h:97
FR_TACACS_CODE_MAX
@ FR_TACACS_CODE_MAX
Definition tacacs.h:317
packet_is_author_reply
#define packet_is_author_reply(p)
Definition tacacs.h:54
fr_tacacs_packet_t
Definition tacacs.h:276
fr_strerror_printf
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
fr_strerror_const
#define fr_strerror_const(_msg)
Definition strerror.h:223
FR_TYPE_STRUCTURAL_EXCEPT_GROUP
#define FR_TYPE_STRUCTURAL_EXCEPT_GROUP
Definition types.h:316
FR_TYPE_INTERNAL
#define FR_TYPE_INTERNAL
Definition types.h:320
fr_type_to_str
static char const * fr_type_to_str(fr_type_t type)
Return a static string containing the type name.
Definition types.h:455
data
static fr_slen_t data
Definition value.h:1340
Generated by   doxygen 1.9.8