The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
base.c
Go to the documentation of this file.
1/*
2 * This library is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU Lesser General Public
4 * License as published by the Free Software Foundation; either
5 * version 2.1 of the License, or (at your option) any later version.
6 *
7 * This library is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
10 * Lesser General Public License for more details.
11 *
12 * You should have received a copy of the GNU Lesser General Public
13 * License along with this library; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: a3e26881ba66637260e3fc25bb17c58cfb479693 $
19 *
20 * @file protocols/tacacs/encode.c
21 * @brief Low-Level TACACS+ encode functions
22 *
23 * @copyright 2017 The FreeRADIUS server project
24 * @copyright 2017 Network RADIUS SAS (legal@networkradius.com)
25 */
26#include <freeradius-devel/util/net.h>
27#include <freeradius-devel/util/md5.h>
28#include <freeradius-devel/util/struct.h>
29
30#include "tacacs.h"
31#include "attrs.h"
32
33static uint32_t instance_count = 0;
34
35fr_dict_t const *dict_tacacs;
36
37extern fr_dict_autoload_t libfreeradius_tacacs_dict[];
38fr_dict_autoload_t libfreeradius_tacacs_dict[] = {
39 { .out = &dict_tacacs, .proto = "tacacs" },
40
41 { NULL }
42};
43
44fr_dict_attr_t const *attr_tacacs_accounting_flags;
45fr_dict_attr_t const *attr_tacacs_accounting_status;
46fr_dict_attr_t const *attr_tacacs_action;
47fr_dict_attr_t const *attr_tacacs_authentication_flags;
48fr_dict_attr_t const *attr_tacacs_authentication_continue_flags;
49fr_dict_attr_t const *attr_tacacs_authentication_method;
50fr_dict_attr_t const *attr_tacacs_authentication_service;
51fr_dict_attr_t const *attr_tacacs_authentication_status;
52fr_dict_attr_t const *attr_tacacs_authentication_type;
53fr_dict_attr_t const *attr_tacacs_authorization_status;
54fr_dict_attr_t const *attr_tacacs_argument_list;
55fr_dict_attr_t const *attr_tacacs_client_port;
56fr_dict_attr_t const *attr_tacacs_data;
57fr_dict_attr_t const *attr_tacacs_flags;
58fr_dict_attr_t const *attr_tacacs_length;
59fr_dict_attr_t const *attr_tacacs_packet;
60fr_dict_attr_t const *attr_tacacs_packet_body_type;
61fr_dict_attr_t const *attr_tacacs_packet_type;
62fr_dict_attr_t const *attr_tacacs_privilege_level;
63fr_dict_attr_t const *attr_tacacs_remote_address;
64fr_dict_attr_t const *attr_tacacs_sequence_number;
65fr_dict_attr_t const *attr_tacacs_server_message;
66fr_dict_attr_t const *attr_tacacs_session_id;
67fr_dict_attr_t const *attr_tacacs_user_message;
68fr_dict_attr_t const *attr_tacacs_version_major;
69fr_dict_attr_t const *attr_tacacs_version_minor;
70
71fr_dict_attr_t const *attr_tacacs_user_name;
72fr_dict_attr_t const *attr_tacacs_user_password;
73fr_dict_attr_t const *attr_tacacs_chap_password;
74fr_dict_attr_t const *attr_tacacs_chap_challenge;
75fr_dict_attr_t const *attr_tacacs_mschap_response;
76fr_dict_attr_t const *attr_tacacs_mschap2_response;
77fr_dict_attr_t const *attr_tacacs_mschap_challenge;
78
79extern fr_dict_attr_autoload_t libfreeradius_tacacs_dict_attr[];
80fr_dict_attr_autoload_t libfreeradius_tacacs_dict_attr[] = {
81 { .out = &attr_tacacs_accounting_flags, .name = "Accounting-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
82 { .out = &attr_tacacs_accounting_status, .name = "Accounting-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
83 { .out = &attr_tacacs_action, .name = "Action", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
84 { .out = &attr_tacacs_authentication_flags, .name = "Authentication-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
85 { .out = &attr_tacacs_authentication_continue_flags, .name = "Authentication-Continue-Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
86 { .out = &attr_tacacs_authentication_method, .name = "Authentication-Method", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
87 { .out = &attr_tacacs_authentication_service, .name = "Authentication-Service", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
88 { .out = &attr_tacacs_authentication_status, .name = "Authentication-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
89 { .out = &attr_tacacs_authentication_type, .name = "Authentication-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
90 { .out = &attr_tacacs_authorization_status, .name = "Authorization-Status", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
91 { .out = &attr_tacacs_argument_list, .name = "Argument-List", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
92 { .out = &attr_tacacs_client_port, .name = "Client-Port", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
93 { .out = &attr_tacacs_data, .name = "Data", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
94 { .out = &attr_tacacs_flags, .name = "Packet.Flags", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
95 { .out = &attr_tacacs_length, .name = "Packet.Length", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
96 { .out = &attr_tacacs_packet, .name = "Packet", .type = FR_TYPE_STRUCT, .dict = &dict_tacacs },
97 { .out = &attr_tacacs_packet_body_type, .name = "Packet-Body-Type", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
98 { .out = &attr_tacacs_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
99 { .out = &attr_tacacs_privilege_level, .name = "Privilege-Level", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
100 { .out = &attr_tacacs_remote_address, .name = "Remote-Address", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
101 { .out = &attr_tacacs_sequence_number, .name = "Packet.Sequence-Number", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
102 { .out = &attr_tacacs_server_message, .name = "Server-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
103 { .out = &attr_tacacs_session_id, .name = "Packet.Session-Id", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
104 { .out = &attr_tacacs_user_message, .name = "User-Message", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
105 { .out = &attr_tacacs_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
106 { .out = &attr_tacacs_version_major, .name = "Packet.Version-Major", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
107 { .out = &attr_tacacs_version_minor, .name = "Packet.Version-Minor", .type = FR_TYPE_UINT8, .dict = &dict_tacacs },
108
109 { .out = &attr_tacacs_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
110 { .out = &attr_tacacs_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_tacacs },
111 { .out = &attr_tacacs_chap_password, .name = "CHAP-Password", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
112 { .out = &attr_tacacs_chap_challenge, .name = "CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
113 { .out = &attr_tacacs_mschap_response, .name = "MS-CHAP-Response", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
114 { .out = &attr_tacacs_mschap2_response, .name = "MS-CHAP2-Response", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
115 { .out = &attr_tacacs_mschap_challenge, .name = "MS-CHAP-Challenge", .type = FR_TYPE_OCTETS, .dict = &dict_tacacs },
116 { NULL }
117};
118
119char const *fr_tacacs_packet_names[FR_TACACS_CODE_MAX] = {
120 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_START] = "Authentication-Start",
121 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_PASS] = "Authentication-Pass",
122 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_FAIL] = "Authentication-Fail",
123 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETDATA] = "Authentication-GetData",
124 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETUSER] = "Authentication-GetUser",
125 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETPASS] = "Authentication-GetPass",
126 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_RESTART] = "Authentication-Restart",
127 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_ERROR] = "Authentication-Error",
128
129 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_CONTINUE] = "Authentication-Continue",
130 [FR_PACKET_TYPE_VALUE_AUTHENTICATION_CONTINUE_ABORT] = "Authentication-Continue-Abort",
131
132 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_REQUEST] = "Authorization-Request",
133 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_PASS_ADD] = "Authorization-Pass-Add",
134 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_PASS_REPLACE] = "Authorization-Pass-Replace",
135 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_FAIL] = "Authorization-Fail",
136 [FR_PACKET_TYPE_VALUE_AUTHORIZATION_ERROR] = "Authorization-Error",
137
138 [FR_PACKET_TYPE_VALUE_ACCOUNTING_REQUEST] = "Accounting-Request",
139 [FR_PACKET_TYPE_VALUE_ACCOUNTING_SUCCESS] = "Accounting-Success",
140 [FR_PACKET_TYPE_VALUE_ACCOUNTING_ERROR] = "Accounting-Error",
141};
142
143
144int fr_tacacs_global_init(void)
145{
146 if (instance_count > 0) {
147 instance_count++;
148 return 0;
149 }
150
151 instance_count++;
152
153 if (fr_dict_autoload(libfreeradius_tacacs_dict) < 0) {
154 fail:
155 instance_count--;
156 return -1;
157 }
158
159 if (fr_dict_attr_autoload(libfreeradius_tacacs_dict_attr) < 0) {
160 fr_dict_autofree(libfreeradius_tacacs_dict);
161 goto fail;
162 }
163
164 return 0;
165}
166
167void fr_tacacs_global_free(void)
168{
169 fr_assert(instance_count > 0);
170
171 if (--instance_count > 0) return;
172
173 fr_dict_autofree(libfreeradius_tacacs_dict);
174}
175
176/** XOR the body based on the secret key.
177 *
178 * This function encrypts (or decrypts) TACACS+ packets, and sets the "encrypted" flag.
179 */
180int fr_tacacs_body_xor(fr_tacacs_packet_t const *pkt, uint8_t *body, size_t body_len, char const *secret, size_t secret_len)
181{
182 uint8_t pad[MD5_DIGEST_LENGTH];
183 uint8_t *buf, *end;
184 int pad_offset;
185
186 /*
187 * Do some basic sanity checks.
188 */
189 if (!secret_len) {
190 fr_strerror_const("Failed to encrypt/decrept the packet, as the secret has zero length.");
191 return -1;
192 }
193
194 pad_offset = sizeof(pkt->hdr.session_id) + secret_len + sizeof(pkt->hdr.version) + sizeof(pkt->hdr.seq_no);
195
196 /* MD5_1 = MD5{session_id, key, version, seq_no} */
197 /* MD5_n = MD5{session_id, key, version, seq_no, MD5_n-1} */
198 buf = talloc_array(NULL, uint8_t, pad_offset + MD5_DIGEST_LENGTH);
199 if (!buf) return -1;
200
201 memcpy(&buf[0], &pkt->hdr.session_id, sizeof(pkt->hdr.session_id));
202 memcpy(&buf[sizeof(pkt->hdr.session_id)], secret, secret_len);
203 memcpy(&buf[sizeof(pkt->hdr.session_id) + secret_len], &pkt->hdr.version, sizeof(pkt->hdr.version));
204 memcpy(&buf[sizeof(pkt->hdr.session_id) + secret_len + sizeof(pkt->hdr.version)], &pkt->hdr.seq_no, sizeof(pkt->hdr.seq_no));
205
206 fr_md5_calc(pad, buf, pad_offset);
207
208 end = body + body_len;
209 while (body < end) {
210 size_t i;
211
212 for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
213 *body ^= pad[i];
214
215 if (++body == end) goto done;
216 }
217
218 memcpy(&buf[pad_offset], pad, MD5_DIGEST_LENGTH);
219 fr_md5_calc(pad, buf, pad_offset + MD5_DIGEST_LENGTH);
220 }
221
222done:
223 talloc_free(buf);
224
225 return 0;
226}
227
228/**
229 * Return how long a TACACS+ packet is
230 *
231 * Note that we only look at the 12 byte packet header. We don't
232 * (yet) do validation on authentication / authorization /
233 * accounting headers. The packet may still be determined later
234 * to be invalid.
235 *
236 * @param buffer to check
237 * @param buffer_len length of the buffer
238 * @return
239 * >0 size of the TACACS+ packet. We want. MAY be larger than "buffer_len"
240 * <=0 error, packet should be discarded.
241 */
242ssize_t fr_tacacs_length(uint8_t const *buffer, size_t buffer_len)
243{
244 fr_tacacs_packet_t const *pkt = (fr_tacacs_packet_t const *) buffer;
245 size_t length, want;
246
247 /*
248 * Check that we have a full TACACS+ header before
249 * decoding anything.
250 */
251 if (buffer_len < sizeof(pkt->hdr)) {
252 return sizeof(pkt->hdr);
253 }
254
255 /*
256 * TACACS major / minor version MUST be 12.0 or 12.1
257 */
258 if (!((buffer[0] == 0xc0) || (buffer[0] == 0xc1))) {
259 fr_strerror_printf("Unsupported TACACS+ version %02x", buffer[0]);
260 return -1;
261 }
262
263 /*
264 * There's no reason to accept 64K TACACS+ packets.
265 */
266 if ((buffer[8] != 0) || (buffer[9] != 0)) {
267 fr_strerror_const("Packet is too large. Our limit is 64K");
268 return -1;
269 }
270
271 /*
272 * There are only 3 types of packets which are supported.
273 */
274 if (!((pkt->hdr.type == FR_TAC_PLUS_AUTHEN) ||
275 (pkt->hdr.type == FR_TAC_PLUS_AUTHOR) ||
276 (pkt->hdr.type == FR_TAC_PLUS_ACCT))) {
277 fr_strerror_printf("Unknown packet type %d", pkt->hdr.type);
278 return -1;
279 }
280
281 length = sizeof(pkt->hdr) + ntohl(pkt->hdr.length);
282
283 if (buffer_len < length) return length;
284
285 /*
286 * We want at least the headers for the various packet
287 * types. Note that we do NOT check the lengths in the
288 * headers against buffer / buffer_len. That process is
289 * complex and error-prone. It's best to leave it in one
290 * place: fr_tacacs_decode().
291 */
292 switch (pkt->hdr.type) {
293 default:
294 fr_assert(0); /* should have been caught above */
295 return -1;
296
297 case FR_TAC_PLUS_AUTHEN:
298 if (packet_is_authen_start_request(pkt)) {
299 want = sizeof(pkt->hdr) + sizeof(pkt->authen_start);
300
301 } else if (packet_is_authen_continue(pkt)) {
302 want = sizeof(pkt->hdr) + sizeof(pkt->authen_cont);
303
304 } else {
305 fr_assert(packet_is_authen_reply(pkt));
306 want = sizeof(pkt->hdr) + sizeof(pkt->authen_reply);
307 }
308 break;
309
310 case FR_TAC_PLUS_AUTHOR:
311 if (packet_is_author_request(pkt)) {
312 want = sizeof(pkt->hdr) + sizeof(pkt->author_req);
313 } else {
314 fr_assert(packet_is_author_reply(pkt));
315 want = sizeof(pkt->hdr) + sizeof(pkt->author_reply);
316 }
317 break;
318
319 case FR_TAC_PLUS_ACCT:
320 if (packet_is_acct_request(pkt)) {
321 want = sizeof(pkt->hdr) + sizeof(pkt->acct_req);
322 } else {
323 fr_assert(packet_is_acct_reply(pkt));
324 want = sizeof(pkt->hdr) + sizeof(pkt->acct_reply);
325 }
326 break;
327 }
328
329 if (want > length) {
330 fr_strerror_printf("Packet is too small. Want %zu, got %zu", want, length);
331 return -1;
332 }
333
334 return length;
335}
336
337static void print_hex(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
338{
339 if (!datalen) return;
340
341 fr_log_hex(log, L_DBG, file, line, data, datalen, "%s", prefix);
342}
343
344static void print_ascii(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
345{
346 uint8_t const *p;
347
348 if (!datalen) return;
349
350 if (datalen > 80) {
351 hex:
352 print_hex(log, file, line, prefix, data, datalen);
353 return;
354 }
355
356 for (p = data; p < (data + datalen); p++) {
357 if ((*p < 0x20) || (*p > 0x80)) goto hex;
358 }
359
360 fr_log(log, L_DBG, file, line, "%s %.*s", prefix, (int) datalen, (char const *) data);
361}
362
363#define CHECK(_length) do { \
364 size_t plen = _length; \
365 if ((size_t) (end - p) < plen) { \
366 fr_log_hex(log, L_DBG, file, line, p, end - p, "%s", " TRUNCATED "); \
367 return; \
368 } \
369 data = p; \
370 data_len = plen; \
371 p += plen; \
372 } while (0)
373
374#undef ASCII
375#define ASCII(_prefix, _field) do { \
376 CHECK(_field); \
377 print_ascii(log, file, line, _prefix, data, data_len); \
378 } while (0)
379
380#undef HEXIT
381#define HEXIT(_prefix, _field) do { \
382 CHECK(_field); \
383 print_hex(log, file, line, _prefix, data, data_len); \
384 } while (0)
385
386#define PRINT(_fmt, ...) fr_log(log, L_DBG, file, line, _fmt, ## __VA_ARGS__)
387
388static void print_args(fr_log_t const *log, char const *file, int line, size_t arg_cnt, uint8_t const *argv, uint8_t const *start, uint8_t const *end)
389{
390 size_t i, data_len;
391 uint8_t const *p;
392 uint8_t const *data;
393 char prefix[64];
394
395 if (argv + arg_cnt > end) {
396 PRINT(" ARG cnt overflows packet");
397 return;
398 }
399
400 p = start;
401 for (i = 0; i < arg_cnt; i++) {
402 if (p == end) {
403 PRINT(" ARG[%zu] is at EOF", i);
404 return;
405 }
406
407 if ((end - p) < argv[i]) {
408 PRINT(" ARG[%zu] overflows packet", i);
409 print_hex(log, file, line, " ", p, end - p);
410 return;
411 }
412
413 snprintf(prefix, sizeof(prefix), " arg[%zu] ", i);
414 prefix[21] = '\0';
415
416 ASCII(prefix, argv[i]);
417 }
418}
419
420void _fr_tacacs_packet_log_hex(fr_log_t const *log, fr_tacacs_packet_t const *packet, size_t packet_len, char const *file, int line)
421{
422 size_t length, data_len;
423 uint8_t const *p = (uint8_t const *) packet;
424 uint8_t const *hdr, *end, *args;
425 uint8_t const *data;
426
427 end = ((uint8_t const *) packet) + packet_len;
428
429 if (packet_len < 12) {
430 print_hex(log, file, line, "header ", p, packet_len);
431 return;
432 }
433
434 /*
435 * It has to be at least 12 bytes long.
436 */
437 PRINT(" major %d", (p[0] & 0xf0) >> 4);
438 PRINT(" minor %d", (p[0] & 0x0f));
439
440 PRINT(" type %02x", p[1]);
441 PRINT(" seq_no %02x", p[2]);
442 PRINT(" flags %02x", p[3]);
443
444 PRINT(" sessid %08x", fr_nbo_to_uint32(p + 4));
445 PRINT(" length %08x", fr_nbo_to_uint32(p + 8));
446
447 PRINT(" body");
448 length = fr_nbo_to_uint32(p + 8);
449
450 if ((p[3] & 0x01) == 0) {
451 PRINT(" ... encrypted ...");
452 return;
453 }
454
455 if (length > 65535) {
456 PRINT(" TOO LARGE");
457 return;
458 }
459
460 p += 12;
461 hdr = p;
462
463 if ((p + length) != end) {
464 PRINT("length field does not match input packet length %08lx", packet_len - 12);
465 return;
466 }
467
468#define REQUIRE(_length) do { \
469 size_t plen = _length; \
470 if ((size_t) (end - hdr) < plen) { \
471 print_hex(log, file, line, " TRUNCATED ", hdr, end - hdr); \
472 return; \
473 } \
474 p = hdr + plen; \
475 } while (0)
476
477 switch (packet->hdr.type) {
478 default:
479 print_hex(log, file, line, " data ", p, length);
480 return;
481
482 case FR_TAC_PLUS_AUTHEN:
483 if (packet_is_authen_start_request(packet)) {
484 PRINT(" authentication-start");
485
486 REQUIRE(8);
487
488 PRINT(" action %02x", hdr[0]);
489 PRINT(" priv_lvl %02x", hdr[1]);
490 PRINT(" authen_type %02x", hdr[2]);
491 PRINT(" authen_service %02x", hdr[3]);
492 PRINT(" user_len %02x", hdr[4]);
493 PRINT(" port_len %02x", hdr[5]);
494 PRINT(" rem_addr_len %02x", hdr[6]);
495 PRINT(" data_len %02x", hdr[7]);
496
497 ASCII(" user ", hdr[4]);
498 ASCII(" port ", hdr[5]);
499 ASCII(" rem_addr ", hdr[6]);
500 HEXIT(" data ", hdr[7]); /* common auth flows */
501
502 } else if (packet_is_authen_continue(packet)) {
503 PRINT(" authentication-continue");
504
505 REQUIRE(5);
506
507 PRINT(" user_msg_len %04x", fr_nbo_to_uint16(hdr));
508 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 2));
509 PRINT(" flags %02x", hdr[4]);
510
511 ASCII(" user_msg ", fr_nbo_to_uint16(hdr));
512 HEXIT(" data ", fr_nbo_to_uint16(hdr + 2));
513
514 } else {
515 fr_assert(packet_is_authen_reply(packet));
516
517 PRINT(" authentication-reply");
518
519 REQUIRE(6);
520
521 PRINT(" status %02x", hdr[0]);
522 PRINT(" flags %02x", hdr[1]);
523 PRINT(" server_msg_len %04x", fr_nbo_to_uint16(hdr + 2));
524 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 4));
525
526 ASCII(" server_msg ", fr_nbo_to_uint16(hdr + 2));
527 HEXIT(" data ", fr_nbo_to_uint16(hdr + 4));
528 }
529 break;
530
531 case FR_TAC_PLUS_AUTHOR:
532 if (packet_is_author_request(packet)) {
533 PRINT(" authorization-request");
534 REQUIRE(8);
535
536 PRINT(" auth_method %02x", hdr[0]);
537 PRINT(" priv_lvl %02x", hdr[1]);
538 PRINT(" authen_type %02x", hdr[2]);
539 PRINT(" authen_service %02x", hdr[3]);
540 PRINT(" user_len %02x", hdr[4]);
541 PRINT(" port_len %02x", hdr[5]);
542 PRINT(" rem_addr_len %02x", hdr[6]);
543 PRINT(" arg_cnt %02x", hdr[7]);
544 args = p;
545
546 HEXIT(" argc ", hdr[7]);
547 ASCII(" user ", hdr[4]);
548 ASCII(" port ", hdr[5]);
549 ASCII(" rem_addr ", hdr[6]);
550
551 print_args(log, file, line, hdr[7], args, p, end);
552
553 } else {
554 PRINT(" authorization-reply");
555
556 fr_assert(packet_is_author_reply(packet));
557
558 REQUIRE(6);
559
560 PRINT(" status %02x", hdr[0]);
561 PRINT(" arg_cnt %02x", hdr[1]);
562 PRINT(" server_msg_len %04x", fr_nbo_to_uint16(hdr + 2));
563 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 4));
564 args = p;
565
566 HEXIT(" argc ", hdr[1]);
567 ASCII(" server_msg ", fr_nbo_to_uint16(hdr + 2));
568 ASCII(" data ", fr_nbo_to_uint16(hdr + 4));
569
570 print_args(log, file, line, hdr[1], args, p, end);
571 }
572 break;
573
574 case FR_TAC_PLUS_ACCT:
575 if (packet_is_acct_request(packet)) {
576 PRINT(" accounting-request");
577
578 REQUIRE(9);
579
580 PRINT(" flags %02x", hdr[0]);
581 PRINT(" auth_method %02x", hdr[1]);
582 PRINT(" priv_lvl %02x", hdr[2]);
583 PRINT(" authen_type %02x", hdr[3]);
584 PRINT(" authen_service %02x", hdr[4]);
585 PRINT(" user_len %02x", hdr[5]);
586 PRINT(" port_len %02x", hdr[6]);
587 PRINT(" rem_addr_len %02x", hdr[7]);
588 PRINT(" arg_cnt %02x", hdr[8]);
589 args = p;
590
591 HEXIT(" argc ", hdr[8]);
592 ASCII(" user ", hdr[5]);
593 ASCII(" port ", hdr[6]);
594 ASCII(" rem_addr ", hdr[7]);
595
596 print_args(log, file, line, hdr[8], args, p, end);
597 } else {
598 PRINT(" accounting-reply");
599 fr_assert(packet_is_acct_reply(packet));
600
601 PRINT(" authentication-reply");
602
603 REQUIRE(5);
604
605 PRINT(" server_msg_len %04x", fr_nbo_to_uint16(hdr));
606 PRINT(" data_len %04x", fr_nbo_to_uint16(hdr + 2));
607 PRINT(" status %02x", hdr[0]);
608
609 ASCII(" server_msg ", fr_nbo_to_uint16(hdr));
610 HEXIT(" data ", fr_nbo_to_uint16(hdr + 2));
611 }
612 break;
613 }
614
615 fr_assert(p == end);
616}
buffer
static int const char char buffer[256]
Definition acutest.h:576
file
int const char * file
Definition acutest.h:702
args
va_list args
Definition acutest.h:770
line
int const char int line
Definition acutest.h:702
fr_dict_autofree
#define fr_dict_autofree(_to_free)
Definition dict.h:853
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:268
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:281
fr_dict_attr_autoload
int fr_dict_attr_autoload(fr_dict_attr_autoload_t const *to_load)
Process a dict_attr_autoload element to load/verify a dictionary attribute.
Definition dict_util.c:4090
fr_dict_autoload
#define fr_dict_autoload(_to_load)
Definition dict.h:850
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:267
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:280
instance_count
static uint32_t instance_count
Definition base.c:44
talloc_free
talloc_free(reap)
fr_log_hex
void fr_log_hex(fr_log_t const *log, fr_log_type_t type, char const *file, int line, uint8_t const *data, size_t data_len, char const *line_prefix_fmt,...)
Print out hex block.
Definition log.c:784
fr_log
void fr_log(fr_log_t const *log, fr_log_type_t type, char const *file, int line, char const *fmt,...)
Send a server log message to its destination.
Definition log.c:583
L_DBG
@ L_DBG
Only displayed when debugging is enabled.
Definition log.h:59
MD5_DIGEST_LENGTH
#define MD5_DIGEST_LENGTH
Definition merged_model.c:248
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_UINT8
@ FR_TYPE_UINT8
8 Bit unsigned integer.
Definition merged_model.c:97
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_STRUCT
@ FR_TYPE_STRUCT
like TLV, but without T or L, and fixed-width children
Definition merged_model.c:119
FR_TYPE_OCTETS
@ FR_TYPE_OCTETS
Raw octets.
Definition merged_model.c:84
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
ssize_t
long int ssize_t
Definition merged_model.c:24
fr_md5_calc
void fr_md5_calc(uint8_t out[static MD5_DIGEST_LENGTH], uint8_t const *in, size_t inlen)
Perform a single digest operation on a single input buffer.
Definition merged_model.c:251
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
fr_nbo_to_uint16
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition nbo.h:146
fr_nbo_to_uint32
static uint32_t fr_nbo_to_uint32(uint8_t const data[static sizeof(uint32_t)])
Read an unsigned 32bit integer from wire format (big endian)
Definition nbo.h:167
attr_tacacs_authentication_flags
static fr_dict_attr_t const * attr_tacacs_authentication_flags
Definition base.c:57
attr_tacacs_user_message
static fr_dict_attr_t const * attr_tacacs_user_message
Definition base.c:74
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition base.c:40
attr_tacacs_session_id
static fr_dict_attr_t const * attr_tacacs_session_id
Definition base.c:71
attr_tacacs_server_message
static fr_dict_attr_t const * attr_tacacs_server_message
Definition base.c:70
attr_tacacs_privilege_level
static fr_dict_attr_t const * attr_tacacs_privilege_level
Definition base.c:68
attr_tacacs_authentication_type
static fr_dict_attr_t const * attr_tacacs_authentication_type
Definition base.c:58
attr_tacacs_accounting_status
static fr_dict_attr_t const * attr_tacacs_accounting_status
Definition base.c:63
attr_tacacs_authentication_service
static fr_dict_attr_t const * attr_tacacs_authentication_service
Definition base.c:59
attr_tacacs_authentication_status
static fr_dict_attr_t const * attr_tacacs_authentication_status
Definition base.c:60
attr_tacacs_client_port
static fr_dict_attr_t const * attr_tacacs_client_port
Definition base.c:66
attr_tacacs_remote_address
static fr_dict_attr_t const * attr_tacacs_remote_address
Definition base.c:69
attr_tacacs_action
static fr_dict_attr_t const * attr_tacacs_action
Definition base.c:55
attr_tacacs_sequence_number
static fr_dict_attr_t const * attr_tacacs_sequence_number
Definition base.c:72
attr_tacacs_authorization_status
static fr_dict_attr_t const * attr_tacacs_authorization_status
Definition base.c:62
attr_tacacs_accounting_flags
static fr_dict_attr_t const * attr_tacacs_accounting_flags
Definition base.c:64
attr_tacacs_data
static fr_dict_attr_t const * attr_tacacs_data
Definition base.c:67
fr_tacacs_body_xor
int fr_tacacs_body_xor(fr_tacacs_packet_t const *pkt, uint8_t *body, size_t body_len, char const *secret, size_t secret_len)
XOR the body based on the secret key.
Definition base.c:180
attr_tacacs_length
fr_dict_attr_t const * attr_tacacs_length
Definition base.c:58
_fr_tacacs_packet_log_hex
void _fr_tacacs_packet_log_hex(fr_log_t const *log, fr_tacacs_packet_t const *packet, size_t packet_len, char const *file, int line)
Definition base.c:420
libfreeradius_tacacs_dict_attr
fr_dict_attr_autoload_t libfreeradius_tacacs_dict_attr[]
Definition base.c:80
fr_tacacs_length
ssize_t fr_tacacs_length(uint8_t const *buffer, size_t buffer_len)
Definition base.c:242
attr_tacacs_authentication_continue_flags
fr_dict_attr_t const * attr_tacacs_authentication_continue_flags
Definition base.c:48
fr_tacacs_packet_names
char const * fr_tacacs_packet_names[FR_TACACS_CODE_MAX]
Definition base.c:119
print_args
static void print_args(fr_log_t const *log, char const *file, int line, size_t arg_cnt, uint8_t const *argv, uint8_t const *start, uint8_t const *end)
Definition base.c:388
fr_tacacs_global_free
void fr_tacacs_global_free(void)
Definition base.c:167
print_hex
static void print_hex(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
Definition base.c:337
attr_tacacs_argument_list
fr_dict_attr_t const * attr_tacacs_argument_list
Definition base.c:54
attr_tacacs_chap_challenge
fr_dict_attr_t const * attr_tacacs_chap_challenge
Definition base.c:74
fr_tacacs_global_init
int fr_tacacs_global_init(void)
Definition base.c:144
attr_tacacs_user_password
fr_dict_attr_t const * attr_tacacs_user_password
Definition base.c:72
PRINT
#define PRINT(_fmt,...)
Definition base.c:386
attr_tacacs_version_major
fr_dict_attr_t const * attr_tacacs_version_major
Definition base.c:68
HEXIT
#define HEXIT(_prefix, _field)
Definition base.c:381
libfreeradius_tacacs_dict
fr_dict_autoload_t libfreeradius_tacacs_dict[]
Definition base.c:38
attr_tacacs_mschap_challenge
fr_dict_attr_t const * attr_tacacs_mschap_challenge
Definition base.c:77
attr_tacacs_mschap_response
fr_dict_attr_t const * attr_tacacs_mschap_response
Definition base.c:75
print_ascii
static void print_ascii(fr_log_t const *log, char const *file, int line, char const *prefix, uint8_t const *data, size_t datalen)
Definition base.c:344
attr_tacacs_version_minor
fr_dict_attr_t const * attr_tacacs_version_minor
Definition base.c:69
attr_tacacs_mschap2_response
fr_dict_attr_t const * attr_tacacs_mschap2_response
Definition base.c:76
REQUIRE
#define REQUIRE(_length)
attr_tacacs_chap_password
fr_dict_attr_t const * attr_tacacs_chap_password
Definition base.c:73
attr_tacacs_packet
fr_dict_attr_t const * attr_tacacs_packet
Definition base.c:59
attr_tacacs_packet_body_type
fr_dict_attr_t const * attr_tacacs_packet_body_type
Definition base.c:60
ASCII
#define ASCII(_prefix, _field)
Definition base.c:375
attr_tacacs_authentication_method
fr_dict_attr_t const * attr_tacacs_authentication_method
Definition base.c:49
attr_tacacs_user_name
fr_dict_attr_t const * attr_tacacs_user_name
Definition base.c:71
attr_tacacs_flags
fr_dict_attr_t const * attr_tacacs_flags
Definition base.c:57
attr_tacacs_packet_type
fr_dict_attr_t const * attr_tacacs_packet_type
Definition base.c:61
attrs.h
VQP attributes.
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
secret
static char * secret
Definition radclient-ng.c:69
done
static bool done
Definition radclient.c:80
snprintf
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
fr_log_s
Definition log.h:96
packet_is_authen_reply
#define packet_is_authen_reply(p)
Definition tacacs.h:51
packet_is_authen_continue
#define packet_is_authen_continue(p)
Definition tacacs.h:50
packet_is_acct_reply
#define packet_is_acct_reply(p)
Definition tacacs.h:57
FR_TAC_PLUS_ACCT
@ FR_TAC_PLUS_ACCT
Definition tacacs.h:67
FR_TAC_PLUS_AUTHEN
@ FR_TAC_PLUS_AUTHEN
Definition tacacs.h:65
FR_TAC_PLUS_AUTHOR
@ FR_TAC_PLUS_AUTHOR
Definition tacacs.h:66
packet_is_author_request
#define packet_is_author_request(p)
Definition tacacs.h:53
packet_is_acct_request
#define packet_is_acct_request(p)
Definition tacacs.h:56
packet_is_authen_start_request
#define packet_is_authen_start_request(p)
3.4.
Definition tacacs.h:49
fr_tacacs_packet_t::hdr
fr_tacacs_packet_hdr_t hdr
Definition tacacs.h:277
fr_tacacs_packet_hdr_t::type
fr_tacacs_type_t type
Definition tacacs.h:97
FR_TACACS_CODE_MAX
@ FR_TACACS_CODE_MAX
Definition tacacs.h:317
packet_is_author_reply
#define packet_is_author_reply(p)
Definition tacacs.h:54
fr_tacacs_packet_t
Definition tacacs.h:276
fr_strerror_printf
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
fr_strerror_const
#define fr_strerror_const(_msg)
Definition strerror.h:223
data
static fr_slen_t data
Definition value.h:1265
Generated by   doxygen 1.9.8