The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
encode.c
Go to the documentation of this file.
1/*
2 * This library is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU Lesser General Public
4 * License as published by the Free Software Foundation; either
5 * version 2.1 of the License, or (at your option) any later version.
6 *
7 * This library is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
10 * Lesser General Public License for more details.
11 *
12 * You should have received a copy of the GNU Lesser General Public
13 * License along with this library; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 4437212c87c3916b88556e6ff2dd6c0261ffbc7a $
19 *
20 * @file protocols/tacacs/encode.c
21 * @brief Low-Level TACACS+ encode functions
22 *
23 * @copyright 2017 The FreeRADIUS server project
24 * @copyright 2017 Network RADIUS SAS (legal@networkradius.com)
25 */
26
27#include <freeradius-devel/io/test_point.h>
28#include <freeradius-devel/protocol/tacacs/tacacs.h>
29#include <freeradius-devel/util/dbuff.h>
30#include <freeradius-devel/util/rand.h>
31#include <freeradius-devel/util/struct.h>
32
33#include "tacacs.h"
34#include "attrs.h"
35
36int fr_tacacs_code_to_packet(fr_tacacs_packet_t *pkt, uint32_t code)
37{
38 switch (code) {
39 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_START:
40 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
41 pkt->hdr.seq_no = 1;
42 break;
43
44 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_PASS:
45 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
46 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_PASS;
47 break;
48
49 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_FAIL:
50 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
51 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_FAIL;
52 break;
53
54 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETDATA:
55 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
56 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_GETDATA;
57 break;
58
59 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETUSER:
60 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
61 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_GETUSER;
62 break;
63
64 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETPASS:
65 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
66 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_GETPASS;
67 break;
68
69 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_RESTART:
70 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
71 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_RESTART;
72 break;
73
74 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_ERROR:
75 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
76 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_ERROR;
77 break;
78
79 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_CONTINUE:
80 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
81 pkt->authen_cont.flags = FR_TAC_PLUS_CONTINUE_FLAG_UNSET;
82 break;
83
84 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_CONTINUE_ABORT:
85 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
86 pkt->authen_cont.flags = FR_TAC_PLUS_CONTINUE_FLAG_ABORT;
87 break;
88
89 case FR_PACKET_TYPE_VALUE_AUTHORIZATION_REQUEST:
90 pkt->hdr.type = FR_TAC_PLUS_AUTHOR;
91 break;
92
93 case FR_PACKET_TYPE_VALUE_AUTHORIZATION_PASS_ADD:
94 pkt->hdr.type = FR_TAC_PLUS_AUTHOR;
95 pkt->author_reply.status = FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD;
96 break;
97
98 case FR_PACKET_TYPE_VALUE_AUTHORIZATION_PASS_REPLACE:
99 pkt->hdr.type = FR_TAC_PLUS_AUTHOR;
100 pkt->author_reply.status = FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL;
101 break;
102
103 case FR_PACKET_TYPE_VALUE_AUTHORIZATION_FAIL:
104 pkt->hdr.type = FR_TAC_PLUS_AUTHOR;
105 pkt->author_reply.status = FR_TAC_PLUS_AUTHOR_STATUS_FAIL;
106 break;
107
108 case FR_PACKET_TYPE_VALUE_ACCOUNTING_REQUEST:
109 pkt->hdr.type = FR_TAC_PLUS_ACCT;
110 break;
111
112 case FR_PACKET_TYPE_VALUE_ACCOUNTING_SUCCESS:
113 pkt->hdr.type = FR_TAC_PLUS_ACCT;
114 pkt->acct_reply.status = FR_TAC_PLUS_ACCT_STATUS_SUCCESS;
115 break;
116
117 case FR_PACKET_TYPE_VALUE_ACCOUNTING_ERROR:
118 pkt->hdr.type = FR_TAC_PLUS_ACCT;
119 pkt->acct_reply.status = FR_TAC_PLUS_ACCT_STATUS_ERROR;
120 break;
121
122 default:
123 fr_strerror_const("Invalid TACACS+ packet type");
124 return -1;
125 }
126
127 return 0;
128}
129
130/**
131 * Encode a TACACS+ 'arg_N' fields.
132 */
133static uint8_t tacacs_encode_body_arg_cnt(fr_pair_list_t *vps, fr_dict_attr_t const *da)
134{
135 int arg_cnt = 0;
136 fr_pair_t *vp;
137
138 for (vp = fr_pair_list_head(vps);
139 vp;
140 vp = fr_pair_list_next(vps, vp)) {
141 if (arg_cnt == 255) break;
142
143 if (vp->da->flags.internal) continue;
144
145 if (vp->da == attr_tacacs_packet) continue;
146
147 /*
148 * Argument-List = "foo=bar"
149 */
150 if (vp->da == da) {
151 if (vp->vp_length > 0xff) continue;
152 arg_cnt++;
153 continue;
154 }
155
156 fr_assert(fr_dict_by_da(vp->da) == dict_tacacs);
157
158 /*
159 * RFC 8907 attributes.
160 */
161 if (vp->da->parent->flags.is_root) {
162 arg_cnt++;
163 continue;
164 }
165
166 /*
167 * Recurse into children.
168 */
169 if (vp->vp_type == FR_TYPE_VENDOR) {
170 arg_cnt += tacacs_encode_body_arg_cnt(&vp->vp_group, NULL);
171 continue;
172 }
173
174 if (vp->da->parent->type != FR_TYPE_VENDOR) continue;
175
176 arg_cnt++;
177 }
178
179 return arg_cnt;
180}
181
182static ssize_t tacacs_encode_body_arg_n(fr_dbuff_t *dbuff, uint8_t arg_cnt, uint8_t *arg_len, fr_pair_list_t *vps, fr_dict_attr_t const *da)
183{
184 fr_pair_t *vp;
185 uint8_t i = 0;
186 fr_dbuff_t work_dbuff = FR_DBUFF(dbuff);
187
188 for (vp = fr_pair_list_head(vps);
189 vp;
190 vp = fr_pair_list_next(vps, vp)) {
191 int len;
192
193 if (i == 255) break;
194 if (i > arg_cnt) break;
195
196 if (vp->da->flags.internal) continue;
197
198 if (vp->da == attr_tacacs_packet) continue;
199
200 /*
201 * Argument-List = "foo=bar"
202 */
203 if (vp->da == da) {
204 if (vp->vp_length > 0xff) continue;
205
206 /* Append the <arg_N> field */
207 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, vp->vp_strvalue, vp->vp_length);
208
209 FR_PROTO_TRACE("arg[%d] --> %s", i, vp->vp_strvalue);
210 len = vp->vp_length;
211
212 } else if (vp->vp_type == FR_TYPE_VENDOR) {
213 ssize_t slen;
214 uint8_t child_argc;
215
216 /*
217 * Nested attribute: just recurse.
218 */
219 child_argc = fr_pair_list_num_elements(&vp->vp_group);
220 if (child_argc > (arg_cnt - i)) child_argc = arg_cnt - i;
221
222 slen = tacacs_encode_body_arg_n(&work_dbuff, child_argc, &arg_len[i], &vp->vp_group, vp->da);
223 if (slen < 0) return FR_DBUFF_ERROR_OFFSET(slen, fr_dbuff_used(&work_dbuff));
224
225 i += child_argc;
226 continue;
227
228 } else if (!vp->da->parent || (!vp->da->parent->flags.is_root && (vp->da->parent->type != FR_TYPE_VENDOR))) {
229 continue;
230
231 } else {
232 ssize_t slen;
233 fr_sbuff_t sbuff;
234 fr_dbuff_t arg_dbuff = FR_DBUFF_MAX(&work_dbuff, 255);
235 fr_value_box_t box;
236 char buffer[256];
237
238 /*
239 * Print it as "name=value"
240 */
241 FR_DBUFF_IN_MEMCPY_RETURN(&arg_dbuff, vp->da->name, strlen(vp->da->name));
242 FR_DBUFF_IN_BYTES_RETURN(&arg_dbuff, (uint8_t) '=');
243
244 sbuff = FR_SBUFF_OUT(buffer, sizeof(buffer));
245
246 switch (vp->vp_type) {
247 /*
248 * For now, we always print time deltas and dates as integers.
249 *
250 * Because everyone else's date formats are insane.
251 */
252 case FR_TYPE_DATE:
253 case FR_TYPE_TIME_DELTA:
254 fr_value_box_init(&box, FR_TYPE_UINT64, vp->data.enumv, vp->vp_tainted);
255 if (fr_value_box_cast(NULL, &box, FR_TYPE_UINT64, NULL, &vp->data) < 0) {
256 buffer[0] = '\0';
257 slen = 0;
258 break;
259 }
260
261 slen = fr_sbuff_in_sprintf(&sbuff, "%lu", box.vb_uint64);
262 if (slen <= 0) return -1;
263 break;
264
265 default:
266 slen = fr_pair_print_value_quoted(&sbuff, vp, T_BARE_WORD);
267 if (slen <= 0) return -1;
268 }
269
270 FR_DBUFF_IN_MEMCPY_RETURN(&arg_dbuff, buffer, (size_t) slen);
271
272 len = fr_dbuff_used(&arg_dbuff);
273
274 FR_PROTO_TRACE("arg[%d] --> %.*s", i, len, fr_dbuff_start(&arg_dbuff));
275
276 fr_dbuff_set(&work_dbuff, &arg_dbuff);
277 }
278
279 fr_assert(len <= UINT8_MAX);
280
281 FR_PROTO_TRACE("len(arg[%d]) = %d", i, len);
282 arg_len[i++] = len;
283 }
284
285 return fr_dbuff_set(dbuff, &work_dbuff);
286}
287
288/*
289 * Encode a TACACS+ field.
290 */
291static ssize_t tacacs_encode_field(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_dict_attr_t const *da, size_t max_len)
292{
293 fr_pair_t *vp;
294 fr_dbuff_t work_dbuff = FR_DBUFF(dbuff);
295
296 vp = fr_pair_find_by_da(vps, NULL, da);
297 if (!vp || !vp->vp_length || (vp->vp_length > max_len)) return 0;
298
299 if (da->type == FR_TYPE_STRING) {
300 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, vp->vp_strvalue, vp->vp_length);
301 } else {
302 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, vp->vp_octets, vp->vp_length);
303 }
304
305 FR_PROTO_HEX_DUMP(fr_dbuff_start(&work_dbuff), fr_dbuff_used(&work_dbuff), da->name);
306
307 return fr_dbuff_set(dbuff, &work_dbuff);
308}
309
310static ssize_t tacacs_encode_chap(fr_dbuff_t *dbuff, fr_tacacs_packet_t *packet, fr_pair_list_t *vps, fr_dict_attr_t const *da_chap, fr_dict_attr_t const *da_challenge)
311{
312 fr_pair_t *chap, *challenge;
313 fr_dbuff_t work_dbuff = FR_DBUFF(dbuff);
314
315 chap = fr_pair_find_by_da(vps, NULL, da_chap);
316 if (!chap) {
317 packet->authen_start.data_len = 0;
318 return 0;
319 }
320
321 challenge = fr_pair_find_by_da(vps, NULL, da_challenge);
322 if (!challenge) {
323 fr_strerror_printf("Packet contains %s but no %s", da_chap->name, da_challenge->name);
324 return -1;
325 }
326
327 if (!challenge->vp_length) {
328 fr_strerror_printf("%s is empty", da_challenge->name);
329 return -1;
330 }
331
332 if (!chap->vp_length) {
333 fr_strerror_printf("%s is empty", da_chap->name);
334 return -1;
335 }
336
337 if ((chap->vp_length + challenge->vp_length) > 255) {
338 fr_strerror_printf("%s and %s are longer than 255 octets", da_chap->name, da_challenge->name);
339 return -1;
340 }
341
342 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, chap->vp_octets, 1);
343 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, challenge->vp_octets, challenge->vp_length);
344 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, chap->vp_octets + 1, chap->vp_length - 1);
345
346 packet->authen_start.data_len = chap->vp_length + challenge->vp_length;
347
348 return fr_dbuff_set(dbuff, &work_dbuff);
349}
350
351/*
352 * Magic macros to keep things happy.
353 *
354 * Note that the various fields are optional. If the caller
355 * doesn't specify them, then they don't get encoded.
356 */
357#define ENCODE_FIELD_UINT8(_field, _da) do { \
358 vp = fr_pair_find_by_da(vps, NULL, _da); \
359 _field = (vp) ? vp->vp_uint8 : 0; \
360} while (0)
361
362#define ENCODE_FIELD_STRING8(_field, _da) _field = tacacs_encode_field(&work_dbuff, vps, _da, 0xff)
363#define ENCODE_FIELD_STRING16(_field, _da) _field = htons(tacacs_encode_field(&work_dbuff, vps, _da, 0xffff))
364
365/**
366 * Encode VPS into a raw TACACS packet.
367 */
368ssize_t fr_tacacs_encode(fr_dbuff_t *dbuff, uint8_t const *original_packet, char const *secret, size_t secret_len,
369 unsigned int code, fr_pair_list_t *vps)
370{
371 fr_pair_t *vp;
372 fr_tacacs_packet_t *packet;
373 fr_dcursor_t cursor;
374 fr_da_stack_t da_stack;
375 ssize_t len = 0;
376 size_t body_len, packet_len;
377 fr_dbuff_t work_dbuff = FR_DBUFF(dbuff);
378 fr_dbuff_marker_t hdr, body, hdr_io;
379 uint8_t version_byte = 0;
380
381 fr_tacacs_packet_hdr_t const *original = (fr_tacacs_packet_hdr_t const *) original_packet;
382
383 if (!vps) {
384 error:
385 fr_strerror_const("Cannot encode empty packet");
386 return -1;
387 }
388
389 /*
390 * Verify space for the packet...
391 */
392 FR_DBUFF_REMAINING_RETURN(&work_dbuff, sizeof(fr_tacacs_packet_t));
393
394 /*
395 * 3.4. The TACACS+ Packet Header
396 *
397 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
398 * +----------------+----------------+----------------+----------------+
399 * |major | minor | | | |
400 * |version| version| type | seq_no | flags |
401 * +----------------+----------------+----------------+----------------+
402 * | |
403 * | session_id |
404 * +----------------+----------------+----------------+----------------+
405 * | |
406 * | length |
407 * +----------------+----------------+----------------+----------------+
408 */
409
410 /*
411 * Let's keep reference for packet header.
412 */
413 fr_dbuff_marker(&hdr, &work_dbuff);
414 /*
415 * Add marker letting us read/write header bytes without moving hdr.
416 */
417 fr_dbuff_marker(&hdr_io, &work_dbuff);
418
419 /*
420 * Handle the fields in-place.
421 */
422 packet = (fr_tacacs_packet_t *)fr_dbuff_start(&work_dbuff);
423
424 /*
425 * Find the first attribute which is parented by TACACS-Packet.
426 */
427 for (vp = fr_pair_dcursor_init(&cursor, vps);
428 vp;
429 vp = fr_dcursor_next(&cursor)) {
430 if (vp->da == attr_tacacs_packet) break;
431 if (vp->da->parent == attr_tacacs_packet) break;
432 }
433
434 /*
435 * No "Packet" struct to encode. We MUST have an original packet to copy the various fields
436 * from.
437 */
438 if (!vp) {
439 if (!original) {
440 fr_strerror_printf("%s: No TACACS+ %s in the attribute list",
441 __FUNCTION__, attr_tacacs_packet->name);
442 return -1;
443 }
444
445 /*
446 * Initialize the buffer avoiding invalid values.
447 */
448 memset(packet, 0, sizeof(fr_tacacs_packet_t));
449
450 /*
451 * Initialize the reply from the request.
452 *
453 * Make room and fill up the original header. We shouldn't just copy the original packet,
454 * because the fields 'seq_no' and 'length' are not the same.
455 */
456 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(fr_tacacs_packet_hdr_t));
457
458 } else if (vp->da == attr_tacacs_packet) {
459 fr_dcursor_t child_cursor;
460
461 fr_proto_da_stack_build(&da_stack, attr_tacacs_packet);
462 FR_PROTO_STACK_PRINT(&da_stack, 0);
463
464 fr_pair_dcursor_init(&child_cursor, &vp->vp_group);
465
466 /*
467 * Call the struct encoder to do the actual work,
468 * which fills the struct fields with zero if the member VP is not used.
469 */
470 len = fr_struct_to_network(&work_dbuff, &da_stack, 0, &child_cursor, NULL, NULL, NULL);
471 if (len != sizeof(fr_tacacs_packet_hdr_t)) {
472 fr_strerror_printf("%s: Failed encoding %s using fr_struct_to_network()",
473 __FUNCTION__, attr_tacacs_packet->name);
474 return -1;
475 }
476 fr_dcursor_next(&cursor);
477
478 } else {
479 fr_proto_da_stack_build(&da_stack, attr_tacacs_packet);
480 FR_PROTO_STACK_PRINT(&da_stack, 0);
481
482 /*
483 * Call the struct encoder to do the actual work,
484 * which fills the struct fields with zero if the member VP is not used.
485 */
486 len = fr_struct_to_network(&work_dbuff, &da_stack, 0, &cursor, NULL, NULL, NULL);
487 if (len != sizeof(fr_tacacs_packet_hdr_t)) {
488 fr_strerror_printf("%s: Failed encoding %s using fr_struct_to_network()",
489 __FUNCTION__, attr_tacacs_packet->name);
490 return -1;
491 }
492 }
493
494 /*
495 * Ensure that we send a sane reply to a request.
496 */
497 if (original) {
498 packet->hdr.version = original->version;
499 packet->hdr.type = original->type;
500 packet->hdr.flags = original->flags; /* encrypted && single connection */
501 packet->hdr.session_id = original->session_id;
502
503 /*
504 * The client may not set SINGLE_CONNECT flag. So if the administrator has set it in the reply,
505 * we allow setting the flag. This lets the server tell the client that it supports "single
506 * connection" mode.
507 */
508 vp = fr_pair_find_by_da_nested(vps, NULL, attr_tacacs_flags);
509 if (vp) packet->hdr.flags |= (vp->vp_uint8 & FR_TAC_PLUS_SINGLE_CONNECT_FLAG);
510 }
511
512 /*
513 * Starting here is a 'body' that may require encryption.
514 */
515 fr_dbuff_marker(&body, &work_dbuff);
516
517 /*
518 * Encode 8 octets of various fields not members of STRUCT
519 */
520 switch (packet->hdr.type) {
521 case FR_TAC_PLUS_AUTHEN:
522 /*
523 * seq_no
524 *
525 * This is the sequence number of the current packet for the current session.
526 * The first packet in a session MUST have the sequence number 1 and each
527 * subsequent packet will increment the sequence number by one. Thus clients
528 * only send packets containing odd sequence numbers, and TACACS+ servers only
529 * send packets containing even sequence numbers.
530 */
531 if (packet_is_authen_start_request(packet)) { /* Start */
532 /**
533 * 4.1. The Authentication START Packet Body
534 *
535 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
536 * +----------------+----------------+----------------+----------------+
537 * | action | priv_lvl | authen_type | authen_service |
538 * +----------------+----------------+----------------+----------------+
539 * | user_len | port_len | rem_addr_len | data_len |
540 * +----------------+----------------+----------------+----------------+
541 * | user ...
542 * +----------------+----------------+----------------+----------------+
543 * | port ...
544 * +----------------+----------------+----------------+----------------+
545 * | rem_addr ...
546 * +----------------+----------------+----------------+----------------+
547 * | data...
548 * +----------------+----------------+----------------+----------------+
549 */
550
551 /*
552 * Make room for such body request.
553 */
554 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->authen_start));
555
556 /*
557 * Encode 4 octets of various flags.
558 */
559 ENCODE_FIELD_UINT8(packet->authen_start.action, attr_tacacs_action);
560 ENCODE_FIELD_UINT8(packet->authen_start.priv_lvl, attr_tacacs_privilege_level);
561 ENCODE_FIELD_UINT8(packet->authen_start.authen_type, attr_tacacs_authentication_type);
562 ENCODE_FIELD_UINT8(packet->authen_start.authen_service, attr_tacacs_authentication_service);
563
564 /*
565 * Encode 4 mandatory fields.
566 */
567 ENCODE_FIELD_STRING8(packet->authen_start.user_len, attr_tacacs_user_name);
568 ENCODE_FIELD_STRING8(packet->authen_start.port_len, attr_tacacs_client_port);
569 ENCODE_FIELD_STRING8(packet->authen_start.rem_addr_len, attr_tacacs_remote_address);
570
571 /*
572 * No explicit "Data" attribute, try to automatically determine what to do.
573 */
574 if (fr_pair_find_by_da_nested(vps, NULL, attr_tacacs_data)) {
575 ENCODE_FIELD_STRING8(packet->authen_start.data_len, attr_tacacs_data);
576
577 } else switch (packet->authen_start.authen_type) {
578 default:
579 break;
580
581 case FR_AUTHENTICATION_TYPE_VALUE_PAP:
582 ENCODE_FIELD_STRING8(packet->authen_start.data_len, attr_tacacs_user_password);
583 break;
584
585 case FR_AUTHENTICATION_TYPE_VALUE_CHAP:
586 if (tacacs_encode_chap(&work_dbuff, packet, vps, attr_tacacs_chap_password, attr_tacacs_chap_challenge) < 0) return -1;
587 break;
588
589 case FR_AUTHENTICATION_TYPE_VALUE_MSCHAP: {
590 int rcode;
591
592 rcode = tacacs_encode_chap(&work_dbuff, packet, vps, attr_tacacs_mschap_response, attr_tacacs_mschap_challenge);
593 if (rcode < 0) return rcode;
594
595 if (rcode > 0) break;
596
597 if (tacacs_encode_chap(&work_dbuff, packet, vps, attr_tacacs_mschap2_response, attr_tacacs_mschap_challenge) < 0) return -1;
598 }
599 break;
600 }
601
602 goto check_request;
603
604 } else if (packet_is_authen_continue(packet)) {
605 /*
606 * 4.3. The Authentication CONTINUE Packet Body
607 *
608 * This packet is sent from the client to the server following the receipt of
609 * a REPLY packet.
610 *
611 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
612 * +----------------+----------------+----------------+----------------+
613 * | user_msg len | data_len |
614 * +----------------+----------------+----------------+----------------+
615 * | flags | user_msg ...
616 * +----------------+----------------+----------------+----------------+
617 * | data ...
618 * +----------------+
619 */
620
621 /*
622 * Make room for such body request.
623 */
624 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->authen_cont));
625
626 /*
627 * Encode 2 mandatory fields.
628 */
629 ENCODE_FIELD_STRING16(packet->authen_cont.user_msg_len, attr_tacacs_user_message);
630 ENCODE_FIELD_STRING16(packet->authen_cont.data_len, attr_tacacs_data);
631
632 /*
633 * Look at the abort flag after encoding the fields.
634 */
635 ENCODE_FIELD_UINT8(packet->authen_cont.flags, attr_tacacs_authentication_continue_flags);
636
637 goto check_request;
638
639 } else if (packet_is_authen_reply(packet)) {
640 /*
641 * 4.2. The Authentication REPLY Packet Body
642 *
643 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
644 * +----------------+----------------+----------------+----------------+
645 * | status | flags | server_msg_len |
646 * +----------------+----------------+----------------+----------------+
647 * | data_len | server_msg ...
648 * +----------------+----------------+----------------+----------------+
649 * | data ...
650 * +----------------+----------------+
651 */
652
653 /*
654 * Make room for such body request.
655 */
656 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->authen_reply));
657
658 ENCODE_FIELD_UINT8(packet->authen_reply.status, attr_tacacs_authentication_status);
659 ENCODE_FIELD_UINT8(packet->authen_reply.flags, attr_tacacs_authentication_flags);
660
661 /*
662 * Encode 2 mandatory fields.
663 */
664 ENCODE_FIELD_STRING16(packet->authen_reply.server_msg_len, attr_tacacs_server_message);
665 ENCODE_FIELD_STRING16(packet->authen_reply.data_len, attr_tacacs_data);
666
667 goto check_reply;
668 }
669
670 fr_strerror_const("encode: Unknown authentication packet type");
671 return -1;
672
673 case FR_TAC_PLUS_AUTHOR:
674 if (packet_is_author_request(packet)) {
675 /*
676 * 5.1. The Authorization REQUEST Packet Body
677 *
678 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
679 * +----------------+----------------+----------------+----------------+
680 * | authen_method | priv_lvl | authen_type | authen_service |
681 * +----------------+----------------+----------------+----------------+
682 * | user_len | port_len | rem_addr_len | arg_cnt |
683 * +----------------+----------------+----------------+----------------+
684 * | arg_1_len | arg_2_len | ... | arg_N_len |
685 * +----------------+----------------+----------------+----------------+
686 * | user ...
687 * +----------------+----------------+----------------+----------------+
688 * | port ...
689 * +----------------+----------------+----------------+----------------+
690 * | rem_addr ...
691 * +----------------+----------------+----------------+----------------+
692 * | arg_1 ...
693 * +----------------+----------------+----------------+----------------+
694 * | arg_2 ...
695 * +----------------+----------------+----------------+----------------+
696 * | ...
697 * +----------------+----------------+----------------+----------------+
698 * | arg_N ...
699 * +----------------+----------------+----------------+----------------+
700 */
701
702 /*
703 * Make room for such body request.
704 */
705 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->author_req));
706
707 /*
708 * Encode 4 octets of various flags.
709 */
710 ENCODE_FIELD_UINT8(packet->author_req.authen_method, attr_tacacs_authentication_method);
711 ENCODE_FIELD_UINT8(packet->author_req.priv_lvl, attr_tacacs_privilege_level);
712 ENCODE_FIELD_UINT8(packet->author_req.authen_type, attr_tacacs_authentication_type);
713 ENCODE_FIELD_UINT8(packet->author_req.authen_service, attr_tacacs_authentication_service);
714
715 /*
716 * Encode 'arg_N' arguments (horrible format)
717 */
718 packet->author_req.arg_cnt = tacacs_encode_body_arg_cnt(vps, attr_tacacs_argument_list);
719 if (packet->author_req.arg_cnt) FR_DBUFF_MEMSET_RETURN(&work_dbuff, 0, packet->author_req.arg_cnt);
720
721 /*
722 * Encode 3 mandatory fields.
723 */
724 ENCODE_FIELD_STRING8(packet->author_req.user_len, attr_tacacs_user_name);
725 ENCODE_FIELD_STRING8(packet->author_req.port_len, attr_tacacs_client_port);
726 ENCODE_FIELD_STRING8(packet->author_req.rem_addr_len, attr_tacacs_remote_address);
727
728 /*
729 * Append 'args_body' to the end of buffer
730 */
731 if (packet->author_req.arg_cnt > 0) {
732 if (tacacs_encode_body_arg_n(&work_dbuff, packet->author_req.arg_cnt, &packet->author_req.arg_len[0], vps, attr_tacacs_argument_list) < 0) goto error;
733 }
734
735 goto check_request;
736 } else if (packet_is_author_reply(packet)) {
737 /*
738 * 5.2. The Authorization RESPONSE Packet Body
739 *
740 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
741 * +----------------+----------------+----------------+----------------+
742 * | status | arg_cnt | server_msg len |
743 * +----------------+----------------+----------------+----------------+
744 * + data_len | arg_1_len | arg_2_len |
745 * +----------------+----------------+----------------+----------------+
746 * | ... | arg_N_len | server_msg ...
747 * +----------------+----------------+----------------+----------------+
748 * | data ...
749 * +----------------+----------------+----------------+----------------+
750 * | arg_1 ...
751 * +----------------+----------------+----------------+----------------+
752 * | arg_2 ...
753 * +----------------+----------------+----------------+----------------+
754 * | ...
755 * +----------------+----------------+----------------+----------------+
756 * | arg_N ...
757 * +----------------+----------------+----------------+----------------+
758 */
759
760 /*
761 * Make room for such body request.
762 */
763 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->author_reply));
764
765 /*
766 * Encode 1 mandatory field.
767 */
768 ENCODE_FIELD_UINT8(packet->author_reply.status, attr_tacacs_authorization_status);
769
770 /*
771 * Encode 'arg_N' arguments (horrible format)
772 *
773 * For ERRORs, we don't encode arguments.
774 *
775 * 5.2
776 *
777 * A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred
778 * on the server. For the differences between ERROR and FAIL, refer to
779 * section Session Completion (Section 3.4) . None of the arg values
780 * have any relevance if an ERROR is set, and must be ignored.
781 *
782 * When the status equals TAC_PLUS_AUTHOR_STATUS_FOLLOW, then the
783 * arg_cnt MUST be 0.
784 */
785 if (!((packet->author_reply.status == FR_AUTHORIZATION_STATUS_VALUE_ERROR) ||
786 (packet->author_reply.status == FR_AUTHORIZATION_STATUS_VALUE_FOLLOW))) {
787 packet->author_reply.arg_cnt = tacacs_encode_body_arg_cnt(vps, attr_tacacs_argument_list);
788 if (packet->author_reply.arg_cnt) FR_DBUFF_MEMSET_RETURN(&work_dbuff, 0, packet->author_reply.arg_cnt);
789 } else {
790 packet->author_reply.arg_cnt = 0;
791 }
792
793 /*
794 * Encode 2 mandatory fields.
795 */
796 ENCODE_FIELD_STRING16(packet->author_reply.server_msg_len, attr_tacacs_server_message);
797 ENCODE_FIELD_STRING16(packet->author_reply.data_len, attr_tacacs_data);
798
799 /*
800 * Append 'args_body' to the end of buffer
801 */
802 if (packet->author_reply.arg_cnt > 0) {
803 if (tacacs_encode_body_arg_n(&work_dbuff, packet->author_reply.arg_cnt, &packet->author_reply.arg_len[0], vps, attr_tacacs_argument_list) < 0) goto error;
804 }
805
806 goto check_reply;
807
808 }
809
810 fr_strerror_const("encode: Unknown authorization packet type");
811 return -1;
812
813 case FR_TAC_PLUS_ACCT:
814 if (packet_is_acct_request(packet)) {
815 /**
816 * 6.1. The Account REQUEST Packet Body
817 *
818 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
819 * +----------------+----------------+----------------+----------------+
820 * | flags | authen_method | priv_lvl | authen_type |
821 * +----------------+----------------+----------------+----------------+
822 * | authen_service | user_len | port_len | rem_addr_len |
823 * +----------------+----------------+----------------+----------------+
824 * | arg_cnt | arg_1_len | arg_2_len | ... |
825 * +----------------+----------------+----------------+----------------+
826 * | arg_N_len | user ...
827 * +----------------+----------------+----------------+----------------+
828 * | port ...
829 * +----------------+----------------+----------------+----------------+
830 * | rem_addr ...
831 * +----------------+----------------+----------------+----------------+
832 * | arg_1 ...
833 * +----------------+----------------+----------------+----------------+
834 * | arg_2 ...
835 * +----------------+----------------+----------------+----------------+
836 * | ...
837 * +----------------+----------------+----------------+----------------+
838 * | arg_N ...
839 * +----------------+----------------+----------------+----------------+
840 */
841
842 /*
843 * Make room for such body request.
844 */
845 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->acct_req));
846
847 /*
848 * Encode 5 octets of various flags.
849 */
850 ENCODE_FIELD_UINT8(packet->acct_req.flags, attr_tacacs_accounting_flags);
851 ENCODE_FIELD_UINT8(packet->acct_req.authen_method, attr_tacacs_authentication_method);
852 ENCODE_FIELD_UINT8(packet->acct_req.priv_lvl, attr_tacacs_privilege_level);
853 ENCODE_FIELD_UINT8(packet->acct_req.authen_type, attr_tacacs_authentication_type);
854 ENCODE_FIELD_UINT8(packet->acct_req.authen_service, attr_tacacs_authentication_service);
855
856 /*
857 * Encode 'arg_N' arguments (horrible format)
858 */
859 packet->acct_req.arg_cnt = tacacs_encode_body_arg_cnt(vps, attr_tacacs_argument_list);
860 if (packet->acct_req.arg_cnt) FR_DBUFF_MEMSET_RETURN(&work_dbuff, 0, packet->acct_req.arg_cnt);
861
862 /*
863 * Encode 3 mandatory fields.
864 */
865 ENCODE_FIELD_STRING8(packet->acct_req.user_len, attr_tacacs_user_name);
866 ENCODE_FIELD_STRING8(packet->acct_req.port_len, attr_tacacs_client_port);
867 ENCODE_FIELD_STRING8(packet->acct_req.rem_addr_len, attr_tacacs_remote_address);
868
869 /*
870 * Append 'args_body' to the end of buffer
871 */
872 if (packet->acct_req.arg_cnt > 0) {
873 if (tacacs_encode_body_arg_n(&work_dbuff, packet->acct_req.arg_cnt, &packet->acct_req.arg_len[0], vps, attr_tacacs_argument_list) < 0) goto error;
874 }
875
876 check_request:
877 /*
878 * Just to avoid malformed packet.
879 */
880 fr_dbuff_set(&hdr_io, &hdr);
881 fr_dbuff_out(&version_byte, &hdr_io);
882 if (!version_byte) {
883 version_byte = 0xc1; /* version 12.1 */
884 fr_dbuff_set(&hdr_io, &hdr);
885 FR_DBUFF_IN_RETURN(&hdr_io, version_byte);
886 }
887 /*
888 * If the caller didn't set a session ID, use a random one.
889 */
890 if (!fr_pair_find_by_da_nested(vps, NULL, attr_tacacs_session_id)) {
891 packet->hdr.session_id = fr_rand();
892 }
893
894 /*
895 * Requests have odd sequence numbers.
896 */
897 packet->hdr.seq_no |= 0x01;
898 break;
899
900 } else if (packet_is_acct_reply(packet)) {
901 /**
902 * 6.2. The Accounting REPLY Packet Body
903 *
904 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
905 * +----------------+----------------+----------------+----------------+
906 * | server_msg len | data_len |
907 * +----------------+----------------+----------------+----------------+
908 * | status | server_msg ...
909 * +----------------+----------------+----------------+----------------+
910 * | data ...
911 * +----------------+
912 */
913
914 /*
915 * Make room for such body request.
916 */
917 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->acct_reply));
918
919 /*
920 * Encode 2 mandatory fields.
921 */
922 ENCODE_FIELD_STRING16(packet->acct_reply.server_msg_len, attr_tacacs_server_message);
923 ENCODE_FIELD_STRING16(packet->acct_reply.data_len, attr_tacacs_data);
924
925 /*
926 * And also, the status field.
927 */
928 ENCODE_FIELD_UINT8(packet->acct_reply.status, attr_tacacs_accounting_status);
929
930 check_reply:
931 /*
932 * fr_struct_to_network() fills the struct fields with 0
933 * if there is no matching VP. In the interest of making
934 * things easier for the user, we don't require them to
935 * copy all of the fields from the request to the reply.
936 *
937 * Instead, we copy the fields manually, and ensure that
938 * they have the correct values.
939 */
940 if (original) {
941 fr_dbuff_set(&hdr_io, &hdr);
942 fr_dbuff_out(&version_byte, &hdr_io);
943 if (!version_byte) {
944 packet->hdr.version = original->version;
945 }
946
947 if (!packet->hdr.seq_no) {
948 packet->hdr.seq_no = original->seq_no + 1; /* uint8_t */
949 }
950
951 if (!packet->hdr.session_id) {
952 packet->hdr.session_id = original->session_id;
953 }
954 }
955
956 /*
957 * Replies have even sequence numbers.
958 */
959 packet->hdr.seq_no &= 0xfe;
960 break;
961 }
962
963 fr_strerror_const("encode: Unknown accounting packet type");
964 return -1;
965
966 default:
967 fr_strerror_printf("encode: unknown packet type %d", packet->hdr.type);
968 return -1;
969 }
970
971 /*
972 * Force the correct header type, and randomly-placed
973 * status fields. But only if there's no code field.
974 * Only the unit tests pass a zero code field, as that's
975 * normally invalid. The unit tests ensure that all of
976 * the VPs are passed to encode a packet, and they all
977 * must be correct
978 */
979 if (code && (fr_tacacs_code_to_packet(packet, code) < 0)) return -1;
980
981 /*
982 * The packet length we store in the header doesn't
983 * include the size of the header. But we tell the
984 * caller about the total length of the packet.
985 */
986 packet_len = fr_dbuff_used(&work_dbuff);
987 fr_assert(packet_len >= sizeof(fr_tacacs_packet_hdr_t));
988
989 body_len = (packet_len - sizeof(fr_tacacs_packet_hdr_t));
990 fr_assert(packet_len < FR_MAX_PACKET_SIZE);
991 packet->hdr.length = htonl(body_len);
992
993 /*
994 * If the original packet is encrypted, then the reply
995 * MUST be encrypted too.
996 *
997 * On the other hand, if the request is unencrypted,
998 * we're OK with sending an encrypted reply. Because,
999 * whatever.
1000 */
1001 if (original &&
1002 ((original->flags & FR_TAC_PLUS_UNENCRYPTED_FLAG) == 0)) {
1003 packet->hdr.flags &= ~FR_TAC_PLUS_UNENCRYPTED_FLAG;
1004 }
1005
1006#ifndef NDEBUG
1007 if (fr_debug_lvl >= L_DBG_LVL_4) {
1008 uint8_t flags = packet->hdr.flags;
1009
1010 packet->hdr.flags |= FR_TAC_PLUS_UNENCRYPTED_FLAG;
1011 fr_tacacs_packet_log_hex(&default_log, packet, packet_len);
1012 packet->hdr.flags = flags;
1013 }
1014#endif
1015
1016 /*
1017 * 3.6. Encryption
1018 *
1019 * Packets are encrypted if the unencrypted flag is clear.
1020 */
1021 if (secret) {
1022 if (!secret_len) {
1023 fr_strerror_const("Packet should be decrypted, but the secret has zero length");
1024 return -1;
1025 }
1026
1027 FR_PROTO_HEX_DUMP(fr_dbuff_start(&work_dbuff), packet_len, "fr_tacacs_packet_t (unencrypted)");
1028
1029 if (fr_tacacs_body_xor(packet, fr_dbuff_current(&body), body_len, secret, secret_len) != 0) return -1;
1030
1031 packet->hdr.flags &= ~FR_TAC_PLUS_UNENCRYPTED_FLAG;
1032 } else {
1033 /*
1034 * Packets which have no secret cannot be encrypted.
1035 */
1036 packet->hdr.flags |= FR_TAC_PLUS_UNENCRYPTED_FLAG;
1037
1038 }
1039
1040 FR_PROTO_HEX_DUMP(fr_dbuff_start(&work_dbuff), packet_len, "fr_tacacs_packet_t (encoded)");
1041
1042 return fr_dbuff_set(dbuff, &work_dbuff);
1043}
1044
1045/*
1046 * Test points for protocol encode
1047 */
1048static ssize_t fr_tacacs_encode_proto(UNUSED TALLOC_CTX *ctx, fr_pair_list_t *vps,
1049 uint8_t *data, size_t data_len, void *proto_ctx)
1050{
1051 fr_tacacs_ctx_t *test_ctx = talloc_get_type_abort(proto_ctx, fr_tacacs_ctx_t);
1052
1053 return fr_tacacs_encode(&FR_DBUFF_TMP(data, data_len), NULL, test_ctx->secret,
1054 test_ctx->secret ? talloc_strlen(test_ctx->secret) : 0, 0, vps);
1055}
1056
1057static int _encode_test_ctx(fr_tacacs_ctx_t *test_ctx)
1058{
1059 talloc_const_free(test_ctx->secret);
1060
1061 fr_tacacs_global_free();
1062
1063 return 0;
1064}
1065
1066static int encode_test_ctx(void **out, TALLOC_CTX *ctx, UNUSED fr_dict_t const *dict,
1067 UNUSED fr_dict_attr_t const *root_da)
1068{
1069 fr_tacacs_ctx_t *test_ctx;
1070
1071 if (fr_tacacs_global_init() < 0) return -1;
1072
1073 test_ctx = talloc_zero(ctx, fr_tacacs_ctx_t);
1074 if (!test_ctx) return -1;
1075
1076 test_ctx->root = fr_dict_root(dict_tacacs);
1077 talloc_set_destructor(test_ctx, _encode_test_ctx);
1078
1079 *out = test_ctx;
1080
1081 return 0;
1082}
1083
1084/*
1085 * Test points
1086 */
1087extern fr_test_point_proto_encode_t tacacs_tp_encode_proto;
buffer
static int const char char buffer[256]
Definition acutest.h:576
UNUSED
#define UNUSED
Definition build.h:318
fr_dbuff_used
#define fr_dbuff_used(_dbuff_or_marker)
Return the number of bytes remaining between the start of the dbuff or marker and the current positio...
Definition dbuff.h:775
FR_DBUFF_ADVANCE_RETURN
#define FR_DBUFF_ADVANCE_RETURN(_dbuff_or_marker, _len)
Advance the 'current' position in dbuff or marker by _len bytes returning if _len is out of range.
Definition dbuff.h:1097
fr_dbuff_marker_t
struct fr_dbuff_marker_s fr_dbuff_marker_t
A position marker associated with a dbuff.
Definition dbuff.h:81
fr_dbuff_current
#define fr_dbuff_current(_dbuff_or_marker)
Return the 'current' position of a dbuff or marker.
Definition dbuff.h:919
fr_dbuff_set
#define fr_dbuff_set(_dst, _src)
Set the 'current' position in a dbuff or marker using another dbuff or marker, a char pointer,...
Definition dbuff.h:1012
fr_dbuff_start
#define fr_dbuff_start(_dbuff_or_marker)
Return the 'start' position of a dbuff or marker.
Definition dbuff.h:906
FR_DBUFF_MEMSET_RETURN
#define FR_DBUFF_MEMSET_RETURN(_dbuff_or_marker, _c, _inlen)
Set _inlen bytes of a dbuff or marker to _c returning if there is insufficient space.
Definition dbuff.h:1517
fr_dbuff_marker
static uint8_t * fr_dbuff_marker(fr_dbuff_marker_t *m, fr_dbuff_t *dbuff)
Initialises a new marker pointing to the 'current' position of the dbuff.
Definition dbuff.h:1201
FR_DBUFF_IN_MEMCPY_RETURN
#define FR_DBUFF_IN_MEMCPY_RETURN(_dbuff_or_marker, _in, _inlen)
Copy exactly _inlen bytes into dbuff or marker returning if there's insufficient space.
Definition dbuff.h:1391
FR_DBUFF_ERROR_OFFSET
#define FR_DBUFF_ERROR_OFFSET(_slen, _offset)
Generic wrapper to return an error and an offset from encoding.
Definition dbuff.h:196
FR_DBUFF_REMAINING_RETURN
#define FR_DBUFF_REMAINING_RETURN(_dbuff_or_marker, _len)
Check if _len bytes are available in the dbuff and if not return the number of bytes we'd need.
Definition dbuff.h:769
FR_DBUFF_IN_RETURN
#define FR_DBUFF_IN_RETURN(_dbuff_or_marker, _in)
Copy data from a fixed sized C type into a dbuff returning if there is insufficient space.
Definition dbuff.h:1594
FR_DBUFF
#define FR_DBUFF(_dbuff_or_marker)
Create a new dbuff pointing to the same underlying buffer.
Definition dbuff.h:230
FR_DBUFF_MAX
#define FR_DBUFF_MAX(_dbuff_or_marker, _max)
Limit the maximum number of bytes available in the dbuff when passing it to another function.
Definition dbuff.h:309
fr_dbuff_out
#define fr_dbuff_out(_out, _dbuff_or_marker)
Copy data from a dbuff or marker to a fixed sized C type.
Definition dbuff.h:1808
FR_DBUFF_IN_BYTES_RETURN
#define FR_DBUFF_IN_BYTES_RETURN(_dbuff_or_marker,...)
Copy a byte sequence into a dbuff or marker returning if there's insufficient space.
Definition dbuff.h:1481
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition dbuff.h:522
fr_dcursor_next
static void * fr_dcursor_next(fr_dcursor_t *cursor)
Advanced the cursor to the next item.
Definition dcursor.h:288
fr_dcursor_s
Definition dcursor.h:91
fr_dict_by_da
fr_dict_t const * fr_dict_by_da(fr_dict_attr_t const *da)
Attempt to locate the protocol dictionary containing an attribute.
Definition dict_util.c:2871
fr_dict_root
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
Definition dict_util.c:2665
fr_debug_lvl
int fr_debug_lvl
Definition log.c:40
default_log
fr_log_t default_log
Definition log.c:288
L_DBG_LVL_4
@ L_DBG_LVL_4
4th highest priority debug messages (-xxxx | -Xxx).
Definition log.h:70
FR_TYPE_TIME_DELTA
@ FR_TYPE_TIME_DELTA
A period of time measured in nanoseconds.
Definition merged_model.c:113
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_DATE
@ FR_TYPE_DATE
Unix time stamp, always has value >2^31.
Definition merged_model.c:111
FR_TYPE_VENDOR
@ FR_TYPE_VENDOR
Attribute that represents a vendor in the attribute tree.
Definition merged_model.c:122
FR_TYPE_UINT64
@ FR_TYPE_UINT64
64 Bit unsigned integer.
Definition merged_model.c:100
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
ssize_t
long int ssize_t
Definition merged_model.c:24
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
UINT8_MAX
#define UINT8_MAX
Definition merged_model.c:32
fr_dbuff_t
Definition merged_model.c:41
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
fr_sbuff_t
Definition merged_model.c:37
fr_value_box_t
Definition merged_model.c:136
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:784
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:707
attr_tacacs_authentication_flags
static fr_dict_attr_t const * attr_tacacs_authentication_flags
Definition base.c:52
attr_tacacs_user_message
static fr_dict_attr_t const * attr_tacacs_user_message
Definition base.c:69
attr_tacacs_session_id
static fr_dict_attr_t const * attr_tacacs_session_id
Definition base.c:66
attr_tacacs_server_message
static fr_dict_attr_t const * attr_tacacs_server_message
Definition base.c:65
attr_tacacs_privilege_level
static fr_dict_attr_t const * attr_tacacs_privilege_level
Definition base.c:63
attr_tacacs_authentication_type
static fr_dict_attr_t const * attr_tacacs_authentication_type
Definition base.c:53
attr_tacacs_accounting_status
static fr_dict_attr_t const * attr_tacacs_accounting_status
Definition base.c:58
attr_tacacs_authentication_service
static fr_dict_attr_t const * attr_tacacs_authentication_service
Definition base.c:54
attr_tacacs_authentication_status
static fr_dict_attr_t const * attr_tacacs_authentication_status
Definition base.c:55
attr_tacacs_client_port
static fr_dict_attr_t const * attr_tacacs_client_port
Definition base.c:61
attr_tacacs_remote_address
static fr_dict_attr_t const * attr_tacacs_remote_address
Definition base.c:64
attr_tacacs_action
static fr_dict_attr_t const * attr_tacacs_action
Definition base.c:50
attr_tacacs_authorization_status
static fr_dict_attr_t const * attr_tacacs_authorization_status
Definition base.c:57
attr_tacacs_accounting_flags
static fr_dict_attr_t const * attr_tacacs_accounting_flags
Definition base.c:59
attr_tacacs_data
static fr_dict_attr_t const * attr_tacacs_data
Definition base.c:62
fr_proto_da_stack_build
void fr_proto_da_stack_build(fr_da_stack_t *stack, fr_dict_attr_t const *da)
Build a complete DA stack from the da back to the root.
Definition proto.c:118
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition proto_tacacs.c:75
attr_tacacs_user_name
static fr_dict_attr_t const * attr_tacacs_user_name
Definition proto_tacacs.c:85
encode_test_ctx
static int encode_test_ctx(void **out, TALLOC_CTX *ctx, UNUSED fr_dict_t const *dict, UNUSED fr_dict_attr_t const *root_da)
Definition encode.c:165
attr_tacacs_argument_list
HIDDEN fr_dict_attr_t const * attr_tacacs_argument_list
Definition base.c:55
attr_tacacs_chap_password
HIDDEN fr_dict_attr_t const * attr_tacacs_chap_password
Definition base.c:74
attr_tacacs_mschap_challenge
HIDDEN fr_dict_attr_t const * attr_tacacs_mschap_challenge
Definition base.c:78
attr_tacacs_packet
HIDDEN fr_dict_attr_t const * attr_tacacs_packet
Definition base.c:60
attr_tacacs_mschap2_response
HIDDEN fr_dict_attr_t const * attr_tacacs_mschap2_response
Definition base.c:77
attr_tacacs_authentication_continue_flags
HIDDEN fr_dict_attr_t const * attr_tacacs_authentication_continue_flags
Definition base.c:49
attr_tacacs_user_password
HIDDEN fr_dict_attr_t const * attr_tacacs_user_password
Definition base.c:73
attr_tacacs_chap_challenge
HIDDEN fr_dict_attr_t const * attr_tacacs_chap_challenge
Definition base.c:75
attr_tacacs_mschap_response
HIDDEN fr_dict_attr_t const * attr_tacacs_mschap_response
Definition base.c:76
attr_tacacs_authentication_method
HIDDEN fr_dict_attr_t const * attr_tacacs_authentication_method
Definition base.c:50
attr_tacacs_flags
HIDDEN fr_dict_attr_t const * attr_tacacs_flags
Definition base.c:58
fr_tacacs_body_xor
int fr_tacacs_body_xor(fr_tacacs_packet_t const *pkt, uint8_t *body, size_t body_len, char const *secret, size_t secret_len)
XOR the body based on the secret key.
Definition base.c:148
fr_tacacs_global_free
void fr_tacacs_global_free(void)
Definition base.c:610
fr_tacacs_global_init
int fr_tacacs_global_init(void)
Definition base.c:586
tacacs_encode_chap
static ssize_t tacacs_encode_chap(fr_dbuff_t *dbuff, fr_tacacs_packet_t *packet, fr_pair_list_t *vps, fr_dict_attr_t const *da_chap, fr_dict_attr_t const *da_challenge)
Definition encode.c:310
fr_tacacs_code_to_packet
int fr_tacacs_code_to_packet(fr_tacacs_packet_t *pkt, uint32_t code)
Definition encode.c:36
tacacs_encode_field
static ssize_t tacacs_encode_field(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_dict_attr_t const *da, size_t max_len)
Definition encode.c:291
ENCODE_FIELD_UINT8
#define ENCODE_FIELD_UINT8(_field, _da)
Definition encode.c:357
fr_tacacs_encode
ssize_t fr_tacacs_encode(fr_dbuff_t *dbuff, uint8_t const *original_packet, char const *secret, size_t secret_len, unsigned int code, fr_pair_list_t *vps)
Encode VPS into a raw TACACS packet.
Definition encode.c:368
tacacs_encode_body_arg_cnt
static uint8_t tacacs_encode_body_arg_cnt(fr_pair_list_t *vps, fr_dict_attr_t const *da)
Encode a TACACS+ 'arg_N' fields.
Definition encode.c:133
fr_tacacs_encode_proto
static ssize_t fr_tacacs_encode_proto(UNUSED TALLOC_CTX *ctx, fr_pair_list_t *vps, uint8_t *data, size_t data_len, void *proto_ctx)
Definition encode.c:1048
ENCODE_FIELD_STRING8
#define ENCODE_FIELD_STRING8(_field, _da)
Definition encode.c:362
tacacs_tp_encode_proto
fr_test_point_proto_encode_t tacacs_tp_encode_proto
Definition encode.c:1088
ENCODE_FIELD_STRING16
#define ENCODE_FIELD_STRING16(_field, _da)
Definition encode.c:363
tacacs_encode_body_arg_n
static ssize_t tacacs_encode_body_arg_n(fr_dbuff_t *dbuff, uint8_t arg_cnt, uint8_t *arg_len, fr_pair_list_t *vps, fr_dict_attr_t const *da)
Definition encode.c:182
_encode_test_ctx
static int _encode_test_ctx(UNUSED fr_tftp_ctx_t *proto_ctx)
Definition encode.c:250
attrs.h
VQP attributes.
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:37
secret
static char * secret
Definition radclient-ng.c:68
fr_rand
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:104
fr_sbuff_in_sprintf
ssize_t fr_sbuff_in_sprintf(fr_sbuff_t *sbuff, char const *fmt,...)
Print using a fmt string to an sbuff.
Definition sbuff.c:1605
FR_SBUFF_OUT
#define FR_SBUFF_OUT(_start, _len_or_end)
vp
fr_pair_t * vp
Definition state_machine.c:2287
fr_struct_to_network
ssize_t fr_struct_to_network(fr_dbuff_t *dbuff, fr_da_stack_t *da_stack, unsigned int depth, fr_dcursor_t *parent_cursor, void *encode_ctx, fr_encode_dbuff_t encode_value, fr_encode_dbuff_t encode_pair)
Definition struct.c:753
pair_list_s
Definition pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
fr_tacacs_ctx_t::secret
char const * secret
Definition tacacs.h:331
packet_is_authen_reply
#define packet_is_authen_reply(p)
Definition tacacs.h:51
packet_is_authen_continue
#define packet_is_authen_continue(p)
Definition tacacs.h:50
FR_TAC_PLUS_CONTINUE_FLAG_UNSET
@ FR_TAC_PLUS_CONTINUE_FLAG_UNSET
Definition tacacs.h:174
FR_TAC_PLUS_CONTINUE_FLAG_ABORT
@ FR_TAC_PLUS_CONTINUE_FLAG_ABORT
Definition tacacs.h:175
FR_TAC_PLUS_SINGLE_CONNECT_FLAG
@ FR_TAC_PLUS_SINGLE_CONNECT_FLAG
Definition tacacs.h:80
FR_TAC_PLUS_UNENCRYPTED_FLAG
@ FR_TAC_PLUS_UNENCRYPTED_FLAG
Definition tacacs.h:79
fr_tacacs_packet_log_hex
#define fr_tacacs_packet_log_hex(_log, _packet, _size)
Definition tacacs.h:355
fr_tacacs_ctx_t::root
fr_dict_attr_t const * root
Definition tacacs.h:330
FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
Definition tacacs.h:211
FR_TAC_PLUS_AUTHOR_STATUS_FAIL
@ FR_TAC_PLUS_AUTHOR_STATUS_FAIL
Definition tacacs.h:213
FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
Definition tacacs.h:212
packet_is_acct_reply
#define packet_is_acct_reply(p)
Definition tacacs.h:57
FR_TAC_PLUS_ACCT
@ FR_TAC_PLUS_ACCT
Definition tacacs.h:67
FR_TAC_PLUS_AUTHEN
@ FR_TAC_PLUS_AUTHEN
Definition tacacs.h:65
FR_TAC_PLUS_AUTHOR
@ FR_TAC_PLUS_AUTHOR
Definition tacacs.h:66
packet_is_author_request
#define packet_is_author_request(p)
Definition tacacs.h:53
packet_is_acct_request
#define packet_is_acct_request(p)
Definition tacacs.h:56
packet_is_authen_start_request
#define packet_is_authen_start_request(p)
3.4.
Definition tacacs.h:49
fr_tacacs_packet_t::hdr
fr_tacacs_packet_hdr_t hdr
Definition tacacs.h:277
fr_tacacs_packet_hdr_t::flags
fr_tacacs_flags_t flags
Definition tacacs.h:99
fr_tacacs_packet_hdr_t::type
fr_tacacs_type_t type
Definition tacacs.h:97
FR_MAX_PACKET_SIZE
#define FR_MAX_PACKET_SIZE
Definition tacacs.h:27
FR_TAC_PLUS_ACCT_STATUS_SUCCESS
@ FR_TAC_PLUS_ACCT_STATUS_SUCCESS
Definition tacacs.h:255
FR_TAC_PLUS_ACCT_STATUS_ERROR
@ FR_TAC_PLUS_ACCT_STATUS_ERROR
Definition tacacs.h:256
FR_TAC_PLUS_AUTHEN_STATUS_PASS
@ FR_TAC_PLUS_AUTHEN_STATUS_PASS
Definition tacacs.h:151
FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
@ FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
Definition tacacs.h:153
FR_TAC_PLUS_AUTHEN_STATUS_ERROR
@ FR_TAC_PLUS_AUTHEN_STATUS_ERROR
Definition tacacs.h:157
FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
@ FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
Definition tacacs.h:154
FR_TAC_PLUS_AUTHEN_STATUS_FAIL
@ FR_TAC_PLUS_AUTHEN_STATUS_FAIL
Definition tacacs.h:152
FR_TAC_PLUS_AUTHEN_STATUS_RESTART
@ FR_TAC_PLUS_AUTHEN_STATUS_RESTART
Definition tacacs.h:156
FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
@ FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
Definition tacacs.h:155
packet_is_author_reply
#define packet_is_author_reply(p)
Definition tacacs.h:54
fr_tacacs_ctx_t
Used as the decoder ctx.
Definition tacacs.h:329
fr_tacacs_packet_hdr_t
Definition tacacs.h:84
fr_tacacs_packet_t
Definition tacacs.h:276
talloc_const_free
static int talloc_const_free(void const *ptr)
Free const'd memory.
Definition talloc.h:253
talloc_strlen
static size_t talloc_strlen(char const *s)
Returns the length of a talloc array containing a string.
Definition talloc.h:136
fr_test_point_proto_encode_t::test_ctx
fr_test_point_ctx_alloc_t test_ctx
Allocate a test ctx for the encoder.
Definition test_point.h:76
fr_test_point_proto_encode_t
Entry point for protocol encoders.
Definition test_point.h:75
T_BARE_WORD
@ T_BARE_WORD
Definition token.h:118
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition pair_inline.c:69
fr_pair_print_value_quoted
ssize_t fr_pair_print_value_quoted(fr_sbuff_t *out, fr_pair_t const *vp, fr_token_t quote)
Print the value of an attribute to a string.
Definition pair_print.c:59
fr_pair_dcursor_init
#define fr_pair_dcursor_init(_cursor, _list)
Initialises a special dcursor with callbacks that will maintain the attr sublists correctly.
Definition pair.h:604
fr_pair_list_head
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
Definition pair_inline.c:42
fr_pair_list_num_elements
size_t fr_pair_list_num_elements(fr_pair_list_t const *list)
Get the length of a list of fr_pair_t.
Definition pair_inline.c:150
FR_PROTO_HEX_DUMP
#define FR_PROTO_HEX_DUMP(_data, _data_len, _fmt,...)
Definition proto.h:42
FR_PROTO_TRACE
#define FR_PROTO_TRACE(_fmt,...)
Definition proto.h:41
FR_PROTO_STACK_PRINT
#define FR_PROTO_STACK_PRINT(_stack, _depth)
Definition proto.h:44
fr_da_stack_t
Structure for holding the stack of dictionary attributes being encoded.
Definition proto.h:55
fr_strerror_printf
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
fr_strerror_const
#define fr_strerror_const(_msg)
Definition strerror.h:223
fr_value_box_cast
int fr_value_box_cast(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_type_t dst_type, fr_dict_attr_t const *dst_enumv, fr_value_box_t const *src)
Convert one type of fr_value_box_t to another.
Definition value.c:3960
data
static fr_slen_t data
Definition value.h:1340
fr_value_box_init
#define fr_value_box_init(_vb, _type, _enumv, _tainted)
Initialise a fr_value_box_t.
Definition value.h:610
out
static size_t char ** out
Definition value.h:1030
Generated by   doxygen 1.9.8