The FreeRADIUS server $Id: f3670dba8951ca10eb4948feb3dc3db9423a334f $
Loading...
Searching...
No Matches
encode.c
Go to the documentation of this file.
1/*
2 * This library is free software; you can redistribute it and/or
3 * modify it under the terms of the GNU Lesser General Public
4 * License as published by the Free Software Foundation; either
5 * version 2.1 of the License, or (at your option) any later version.
6 *
7 * This library is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
10 * Lesser General Public License for more details.
11 *
12 * You should have received a copy of the GNU Lesser General Public
13 * License along with this library; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: da5b79ab82b0c8b3f61545e588d2f38804a57182 $
19 *
20 * @file protocols/tacacs/encode.c
21 * @brief Low-Level TACACS+ encode functions
22 *
23 * @copyright 2017 The FreeRADIUS server project
24 * @copyright 2017 Network RADIUS SAS (legal@networkradius.com)
25 */
26
27#include <freeradius-devel/io/test_point.h>
28#include <freeradius-devel/protocol/tacacs/tacacs.h>
29#include <freeradius-devel/util/dbuff.h>
30#include <freeradius-devel/util/rand.h>
31#include <freeradius-devel/util/struct.h>
32
33#include "tacacs.h"
34#include "attrs.h"
35
36int fr_tacacs_code_to_packet(fr_tacacs_packet_t *pkt, uint32_t code)
37{
38 switch (code) {
39 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_START:
40 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
41 pkt->hdr.seq_no = 1;
42 break;
43
44 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_PASS:
45 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
46 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_PASS;
47 break;
48
49 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_FAIL:
50 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
51 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_FAIL;
52 break;
53
54 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETDATA:
55 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
56 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_GETDATA;
57 break;
58
59 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETUSER:
60 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
61 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_GETUSER;
62 break;
63
64 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_GETPASS:
65 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
66 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_GETPASS;
67 break;
68
69 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_RESTART:
70 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
71 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_RESTART;
72 break;
73
74 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_ERROR:
75 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
76 pkt->authen_reply.status = FR_TAC_PLUS_AUTHEN_STATUS_ERROR;
77 break;
78
79 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_CONTINUE:
80 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
81 pkt->authen_cont.flags = FR_TAC_PLUS_CONTINUE_FLAG_UNSET;
82 break;
83
84 case FR_PACKET_TYPE_VALUE_AUTHENTICATION_CONTINUE_ABORT:
85 pkt->hdr.type = FR_TAC_PLUS_AUTHEN;
86 pkt->authen_cont.flags = FR_TAC_PLUS_CONTINUE_FLAG_ABORT;
87 break;
88
89 case FR_PACKET_TYPE_VALUE_AUTHORIZATION_REQUEST:
90 pkt->hdr.type = FR_TAC_PLUS_AUTHOR;
91 break;
92
93 case FR_PACKET_TYPE_VALUE_AUTHORIZATION_PASS_ADD:
94 pkt->hdr.type = FR_TAC_PLUS_AUTHOR;
95 pkt->author_reply.status = FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD;
96 break;
97
98 case FR_PACKET_TYPE_VALUE_AUTHORIZATION_PASS_REPLACE:
99 pkt->hdr.type = FR_TAC_PLUS_AUTHOR;
100 pkt->author_reply.status = FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL;
101 break;
102
103 case FR_PACKET_TYPE_VALUE_AUTHORIZATION_FAIL:
104 pkt->hdr.type = FR_TAC_PLUS_AUTHOR;
105 pkt->author_reply.status = FR_TAC_PLUS_AUTHOR_STATUS_FAIL;
106 break;
107
108 case FR_PACKET_TYPE_VALUE_ACCOUNTING_REQUEST:
109 pkt->hdr.type = FR_TAC_PLUS_ACCT;
110 break;
111
112 case FR_PACKET_TYPE_VALUE_ACCOUNTING_SUCCESS:
113 pkt->hdr.type = FR_TAC_PLUS_ACCT;
114 pkt->acct_reply.status = FR_TAC_PLUS_ACCT_STATUS_SUCCESS;
115 break;
116
117 case FR_PACKET_TYPE_VALUE_ACCOUNTING_ERROR:
118 pkt->hdr.type = FR_TAC_PLUS_ACCT;
119 pkt->acct_reply.status = FR_TAC_PLUS_ACCT_STATUS_ERROR;
120 break;
121
122 default:
123 fr_strerror_const("Invalid TACACS+ packet type");
124 return -1;
125 }
126
127 return 0;
128}
129
130/**
131 * Encode a TACACS+ 'arg_N' fields.
132 */
133static uint8_t tacacs_encode_body_arg_cnt(fr_pair_list_t *vps, fr_dict_attr_t const *da)
134{
135 int arg_cnt = 0;
136 fr_pair_t *vp;
137
138 for (vp = fr_pair_list_head(vps);
139 vp;
140 vp = fr_pair_list_next(vps, vp)) {
141 if (arg_cnt == 255) break;
142
143 if (vp->da->flags.internal) continue;
144
145 if (vp->da == attr_tacacs_packet) continue;
146
147 /*
148 * Argument-List = "foo=bar"
149 */
150 if (vp->da == da) {
151 if (vp->vp_length > 0xff) continue;
152 arg_cnt++;
153 continue;
154 }
155
156 fr_assert(fr_dict_by_da(vp->da) == dict_tacacs);
157
158 /*
159 * Recurse into children.
160 */
161 if (vp->vp_type == FR_TYPE_VENDOR) {
162 arg_cnt += tacacs_encode_body_arg_cnt(&vp->vp_group, NULL);
163 continue;
164 }
165
166 /*
167 * RFC 8907 attributes.
168 */
169 if (vp->da->parent->flags.is_root) {
170 arg_cnt++;
171 continue;
172 }
173
174 if (vp->da->parent->type != FR_TYPE_VENDOR) continue;
175
176 arg_cnt++;
177 }
178
179 return arg_cnt;
180}
181
182static ssize_t tacacs_encode_body_arg_n(fr_dbuff_t *dbuff, uint8_t arg_cnt, uint8_t *arg_len, fr_pair_list_t *vps, fr_dict_attr_t const *da)
183{
184 fr_pair_t *vp;
185 uint8_t i = 0;
186 fr_dbuff_t work_dbuff = FR_DBUFF(dbuff);
187
188 for (vp = fr_pair_list_head(vps);
189 vp;
190 vp = fr_pair_list_next(vps, vp)) {
191 int len;
192
193 if (i == 255) break;
194 if (i > arg_cnt) break;
195
196 if (vp->da->flags.internal) continue;
197
198 if (vp->da == attr_tacacs_packet) continue;
199
200 /*
201 * Argument-List = "foo=bar"
202 */
203 if (vp->da == da) {
204 if (vp->vp_length > 0xff) continue;
205
206 /* Append the <arg_N> field */
207 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, vp->vp_strvalue, vp->vp_length);
208
209 FR_PROTO_TRACE("arg[%d] --> %s", i, vp->vp_strvalue);
210 len = vp->vp_length;
211
212 } else if (vp->vp_type == FR_TYPE_VENDOR) {
213 ssize_t slen;
214 uint8_t child_argc;
215
216 /*
217 * Nested attribute: just recurse.
218 */
219 child_argc = fr_pair_list_num_elements(&vp->vp_group);
220 if (child_argc > (arg_cnt - i)) child_argc = arg_cnt - i;
221
222 slen = tacacs_encode_body_arg_n(&work_dbuff, child_argc, &arg_len[i], &vp->vp_group, vp->da);
223 if (slen < 0) return FR_DBUFF_ERROR_OFFSET(slen, fr_dbuff_used(&work_dbuff));
224
225 i += child_argc;
226 continue;
227
228 } else if (!vp->da->parent || (!vp->da->parent->flags.is_root && (vp->da->parent->type != FR_TYPE_VENDOR))) {
229 continue;
230
231 } else {
232 ssize_t slen;
233 fr_sbuff_t sbuff;
234 fr_dbuff_t arg_dbuff = FR_DBUFF_MAX(&work_dbuff, 255);
235 fr_value_box_t box;
236 char buffer[256];
237
238 /*
239 * Print it as "name=value"
240 */
241 FR_DBUFF_IN_MEMCPY_RETURN(&arg_dbuff, vp->da->name, strlen(vp->da->name));
242 FR_DBUFF_IN_BYTES_RETURN(&arg_dbuff, (uint8_t) '=');
243
244 sbuff = FR_SBUFF_OUT(buffer, sizeof(buffer));
245
246 switch (vp->vp_type) {
247 /*
248 * For now, we always print time deltas and dates as integers.
249 *
250 * Because everyone else's date formats are insane.
251 */
252 case FR_TYPE_DATE:
253 case FR_TYPE_TIME_DELTA:
254 fr_value_box_init(&box, FR_TYPE_UINT64, vp->data.enumv, vp->vp_tainted);
255 if (fr_value_box_cast(NULL, &box, FR_TYPE_UINT64, NULL, &vp->data) < 0) {
256 buffer[0] = '\0';
257 slen = 0;
258 break;
259 }
260
261 slen = fr_sbuff_in_sprintf(&sbuff, "%lu", box.vb_uint64);
262 if (slen < 0) {
263 error:
264 fr_strerror_printf("Failed encoding %s", vp->da->name);
265 return -1;
266 }
267 break;
268
269 default:
270 slen = fr_pair_print_value_quoted(&sbuff, vp, T_BARE_WORD);
271 if (slen < 0) goto error;
272 }
273
274 FR_DBUFF_IN_MEMCPY_RETURN(&arg_dbuff, buffer, (size_t) slen);
275
276 len = fr_dbuff_used(&arg_dbuff);
277
278 FR_PROTO_TRACE("arg[%d] --> %.*s", i, len, fr_dbuff_start(&arg_dbuff));
279
280 fr_dbuff_set(&work_dbuff, &arg_dbuff);
281 }
282
283 fr_assert(len <= UINT8_MAX);
284
285 FR_PROTO_TRACE("len(arg[%d]) = %d", i, len);
286 arg_len[i++] = len;
287 }
288
289 return fr_dbuff_set(dbuff, &work_dbuff);
290}
291
292/*
293 * Encode a TACACS+ field.
294 */
295static ssize_t tacacs_encode_field(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_dict_attr_t const *da, size_t max_len)
296{
297 fr_pair_t *vp;
298 fr_dbuff_t work_dbuff = FR_DBUFF(dbuff);
299
300 vp = fr_pair_find_by_da(vps, NULL, da);
301 if (!vp || !vp->vp_length || (vp->vp_length > max_len)) return 0;
302
303 if (da->type == FR_TYPE_STRING) {
304 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, vp->vp_strvalue, vp->vp_length);
305 } else {
306 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, vp->vp_octets, vp->vp_length);
307 }
308
309 FR_PROTO_HEX_DUMP(fr_dbuff_start(&work_dbuff), fr_dbuff_used(&work_dbuff), da->name);
310
311 return fr_dbuff_set(dbuff, &work_dbuff);
312}
313
314static ssize_t tacacs_encode_chap(fr_dbuff_t *dbuff, fr_tacacs_packet_t *packet, fr_pair_list_t *vps, fr_dict_attr_t const *da_chap, fr_dict_attr_t const *da_challenge)
315{
316 fr_pair_t *chap, *challenge;
317 fr_dbuff_t work_dbuff = FR_DBUFF(dbuff);
318
319 chap = fr_pair_find_by_da(vps, NULL, da_chap);
320 if (!chap) {
321 packet->authen_start.data_len = 0;
322 return 0;
323 }
324
325 challenge = fr_pair_find_by_da(vps, NULL, da_challenge);
326 if (!challenge) {
327 fr_strerror_printf("Packet contains %s but no %s", da_chap->name, da_challenge->name);
328 return -1;
329 }
330
331 if (!challenge->vp_length) {
332 fr_strerror_printf("%s is empty", da_challenge->name);
333 return -1;
334 }
335
336 if (chap->vp_length <= 1) {
337 fr_strerror_printf("%s is too small", da_chap->name);
338 return -1;
339 }
340
341 if ((chap->vp_length + challenge->vp_length) > 255) {
342 fr_strerror_printf("%s and %s are longer than 255 octets", da_chap->name, da_challenge->name);
343 return -1;
344 }
345
346 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, chap->vp_octets, 1);
347 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, challenge->vp_octets, challenge->vp_length);
348 FR_DBUFF_IN_MEMCPY_RETURN(&work_dbuff, chap->vp_octets + 1, chap->vp_length - 1);
349
350 packet->authen_start.data_len = chap->vp_length + challenge->vp_length;
351
352 return fr_dbuff_set(dbuff, &work_dbuff);
353}
354
355/*
356 * Magic macros to keep things happy.
357 *
358 * Note that the various fields are optional. If the caller
359 * doesn't specify them, then they don't get encoded.
360 */
361#define ENCODE_FIELD_UINT8(_field, _da) do { \
362 vp = fr_pair_find_by_da(vps, NULL, _da); \
363 _field = (vp) ? vp->vp_uint8 : 0; \
364} while (0)
365
366#define ENCODE_FIELD_STRING8(_field, _da) _field = tacacs_encode_field(&work_dbuff, vps, _da, 0xff)
367#define ENCODE_FIELD_STRING16(_field, _da) _field = htons(tacacs_encode_field(&work_dbuff, vps, _da, 0xffff))
368
369/**
370 * Encode VPS into a raw TACACS packet.
371 */
372ssize_t fr_tacacs_encode(fr_dbuff_t *dbuff, uint8_t const *original_packet, char const *secret, size_t secret_len,
373 unsigned int code, fr_pair_list_t *vps)
374{
375 fr_pair_t *vp;
376 fr_tacacs_packet_t *packet;
377 fr_dcursor_t cursor;
378 fr_da_stack_t da_stack;
379 ssize_t len = 0;
380 size_t body_len, packet_len;
381 fr_dbuff_t work_dbuff = FR_DBUFF(dbuff);
382 fr_dbuff_marker_t hdr, body, hdr_io;
383 uint8_t version_byte = 0;
384
385 fr_tacacs_packet_hdr_t const *original = (fr_tacacs_packet_hdr_t const *) original_packet;
386
387 if (!vps) {
388 fr_strerror_const("Cannot encode empty packet");
389 return -1;
390 }
391
392 /*
393 * Verify space for the packet...
394 */
395 FR_DBUFF_REMAINING_RETURN(&work_dbuff, sizeof(fr_tacacs_packet_t));
396
397 /*
398 * 3.4. The TACACS+ Packet Header
399 *
400 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
401 * +----------------+----------------+----------------+----------------+
402 * |major | minor | | | |
403 * |version| version| type | seq_no | flags |
404 * +----------------+----------------+----------------+----------------+
405 * | |
406 * | session_id |
407 * +----------------+----------------+----------------+----------------+
408 * | |
409 * | length |
410 * +----------------+----------------+----------------+----------------+
411 */
412
413 /*
414 * Let's keep reference for packet header.
415 */
416 fr_dbuff_marker(&hdr, &work_dbuff);
417 /*
418 * Add marker letting us read/write header bytes without moving hdr.
419 */
420 fr_dbuff_marker(&hdr_io, &work_dbuff);
421
422 /*
423 * Handle the fields in-place.
424 */
425 packet = (fr_tacacs_packet_t *)fr_dbuff_start(&work_dbuff);
426
427 /*
428 * Find the first attribute which is parented by TACACS-Packet.
429 */
430 for (vp = fr_pair_dcursor_init(&cursor, vps);
431 vp;
432 vp = fr_dcursor_next(&cursor)) {
433 if (vp->da == attr_tacacs_packet) break;
434 if (vp->da->parent == attr_tacacs_packet) break;
435 }
436
437 /*
438 * No "Packet" struct to encode. We MUST have an original packet to copy the various fields
439 * from.
440 */
441 if (!vp) {
442 if (!original) {
443 fr_strerror_printf("%s: No TACACS+ %s in the attribute list",
444 __FUNCTION__, attr_tacacs_packet->name);
445 return -1;
446 }
447
448 /*
449 * Initialize the buffer avoiding invalid values.
450 */
451 memset(packet, 0, sizeof(fr_tacacs_packet_t));
452
453 /*
454 * Initialize the reply from the request.
455 *
456 * Make room and fill up the original header. We shouldn't just copy the original packet,
457 * because the fields 'seq_no' and 'length' are not the same.
458 */
459 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(fr_tacacs_packet_hdr_t));
460
461 } else if (vp->da == attr_tacacs_packet) {
462 fr_dcursor_t child_cursor;
463
464 fr_proto_da_stack_build(&da_stack, attr_tacacs_packet);
465 FR_PROTO_STACK_PRINT(&da_stack, 0);
466
467 fr_pair_dcursor_init(&child_cursor, &vp->vp_group);
468
469 /*
470 * Call the struct encoder to do the actual work,
471 * which fills the struct fields with zero if the member VP is not used.
472 */
473 len = fr_struct_to_network(&work_dbuff, &da_stack, 0, &child_cursor, NULL, NULL, NULL);
474 if (len != sizeof(fr_tacacs_packet_hdr_t)) {
475 fr_strerror_printf("%s: Failed encoding %s using fr_struct_to_network()",
476 __FUNCTION__, attr_tacacs_packet->name);
477 return -1;
478 }
479 fr_dcursor_next(&cursor);
480
481 } else {
482 fr_proto_da_stack_build(&da_stack, attr_tacacs_packet);
483 FR_PROTO_STACK_PRINT(&da_stack, 0);
484
485 /*
486 * Call the struct encoder to do the actual work,
487 * which fills the struct fields with zero if the member VP is not used.
488 */
489 len = fr_struct_to_network(&work_dbuff, &da_stack, 0, &cursor, NULL, NULL, NULL);
490 if (len != sizeof(fr_tacacs_packet_hdr_t)) {
491 fr_strerror_printf("%s: Failed encoding %s using fr_struct_to_network()",
492 __FUNCTION__, attr_tacacs_packet->name);
493 return -1;
494 }
495 }
496
497 /*
498 * Ensure that we send a sane reply to a request.
499 */
500 if (original) {
501 packet->hdr.version = original->version;
502 packet->hdr.type = original->type;
503 packet->hdr.flags = original->flags; /* encrypted && single connection */
504 packet->hdr.session_id = original->session_id;
505
506 /*
507 * The client may not set SINGLE_CONNECT flag. So if the administrator has set it in the reply,
508 * we allow setting the flag. This lets the server tell the client that it supports "single
509 * connection" mode.
510 */
511 vp = fr_pair_find_by_da_nested(vps, NULL, attr_tacacs_flags);
512 if (vp) packet->hdr.flags |= (vp->vp_uint8 & FR_TAC_PLUS_SINGLE_CONNECT_FLAG);
513 }
514
515 /*
516 * Starting here is a 'body' that may require encryption.
517 */
518 fr_dbuff_marker(&body, &work_dbuff);
519
520 /*
521 * Encode 8 octets of various fields not members of STRUCT
522 */
523 switch (packet->hdr.type) {
524 case FR_TAC_PLUS_AUTHEN:
525 /*
526 * seq_no
527 *
528 * This is the sequence number of the current packet for the current session.
529 * The first packet in a session MUST have the sequence number 1 and each
530 * subsequent packet will increment the sequence number by one. Thus clients
531 * only send packets containing odd sequence numbers, and TACACS+ servers only
532 * send packets containing even sequence numbers.
533 */
534 if (packet_is_authen_start_request(packet)) { /* Start */
535 /**
536 * 4.1. The Authentication START Packet Body
537 *
538 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
539 * +----------------+----------------+----------------+----------------+
540 * | action | priv_lvl | authen_type | authen_service |
541 * +----------------+----------------+----------------+----------------+
542 * | user_len | port_len | rem_addr_len | data_len |
543 * +----------------+----------------+----------------+----------------+
544 * | user ...
545 * +----------------+----------------+----------------+----------------+
546 * | port ...
547 * +----------------+----------------+----------------+----------------+
548 * | rem_addr ...
549 * +----------------+----------------+----------------+----------------+
550 * | data...
551 * +----------------+----------------+----------------+----------------+
552 */
553
554 /*
555 * Make room for such body request.
556 */
557 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->authen_start));
558
559 /*
560 * Encode 4 octets of various flags.
561 */
562 ENCODE_FIELD_UINT8(packet->authen_start.action, attr_tacacs_action);
563 ENCODE_FIELD_UINT8(packet->authen_start.priv_lvl, attr_tacacs_privilege_level);
564 ENCODE_FIELD_UINT8(packet->authen_start.authen_type, attr_tacacs_authentication_type);
565 ENCODE_FIELD_UINT8(packet->authen_start.authen_service, attr_tacacs_authentication_service);
566
567 /*
568 * Encode 4 mandatory fields.
569 */
570 ENCODE_FIELD_STRING8(packet->authen_start.user_len, attr_tacacs_user_name);
571 ENCODE_FIELD_STRING8(packet->authen_start.port_len, attr_tacacs_client_port);
572 ENCODE_FIELD_STRING8(packet->authen_start.rem_addr_len, attr_tacacs_remote_address);
573
574 /*
575 * No explicit "Data" attribute, try to automatically determine what to do.
576 */
577 if (fr_pair_find_by_da_nested(vps, NULL, attr_tacacs_data)) {
578 ENCODE_FIELD_STRING8(packet->authen_start.data_len, attr_tacacs_data);
579
580 } else switch (packet->authen_start.authen_type) {
581 default:
582 break;
583
584 case FR_AUTHENTICATION_TYPE_VALUE_PAP:
585 ENCODE_FIELD_STRING8(packet->authen_start.data_len, attr_tacacs_user_password);
586 break;
587
588 case FR_AUTHENTICATION_TYPE_VALUE_CHAP:
589 if (tacacs_encode_chap(&work_dbuff, packet, vps, attr_tacacs_chap_password, attr_tacacs_chap_challenge) < 0) return -1;
590 break;
591
592 case FR_AUTHENTICATION_TYPE_VALUE_MSCHAP: {
593 int rcode;
594
595 rcode = tacacs_encode_chap(&work_dbuff, packet, vps, attr_tacacs_mschap_response, attr_tacacs_mschap_challenge);
596 if (rcode < 0) return rcode;
597
598 if (rcode > 0) break;
599
600 if (tacacs_encode_chap(&work_dbuff, packet, vps, attr_tacacs_mschap2_response, attr_tacacs_mschap_challenge) < 0) return -1;
601 }
602 break;
603 }
604
605 goto check_request;
606
607 } else if (packet_is_authen_continue(packet)) {
608 /*
609 * 4.3. The Authentication CONTINUE Packet Body
610 *
611 * This packet is sent from the client to the server following the receipt of
612 * a REPLY packet.
613 *
614 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
615 * +----------------+----------------+----------------+----------------+
616 * | user_msg len | data_len |
617 * +----------------+----------------+----------------+----------------+
618 * | flags | user_msg ...
619 * +----------------+----------------+----------------+----------------+
620 * | data ...
621 * +----------------+
622 */
623
624 /*
625 * Make room for such body request.
626 */
627 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->authen_cont));
628
629 /*
630 * Encode 2 mandatory fields.
631 */
632 ENCODE_FIELD_STRING16(packet->authen_cont.user_msg_len, attr_tacacs_user_message);
633 ENCODE_FIELD_STRING16(packet->authen_cont.data_len, attr_tacacs_data);
634
635 /*
636 * Look at the abort flag after encoding the fields.
637 */
638 ENCODE_FIELD_UINT8(packet->authen_cont.flags, attr_tacacs_authentication_continue_flags);
639
640 goto check_request;
641
642 } else if (packet_is_authen_reply(packet)) {
643 /*
644 * 4.2. The Authentication REPLY Packet Body
645 *
646 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
647 * +----------------+----------------+----------------+----------------+
648 * | status | flags | server_msg_len |
649 * +----------------+----------------+----------------+----------------+
650 * | data_len | server_msg ...
651 * +----------------+----------------+----------------+----------------+
652 * | data ...
653 * +----------------+----------------+
654 */
655
656 /*
657 * Make room for such body request.
658 */
659 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->authen_reply));
660
661 ENCODE_FIELD_UINT8(packet->authen_reply.status, attr_tacacs_authentication_status);
662 ENCODE_FIELD_UINT8(packet->authen_reply.flags, attr_tacacs_authentication_flags);
663
664 /*
665 * Encode 2 mandatory fields.
666 */
667 ENCODE_FIELD_STRING16(packet->authen_reply.server_msg_len, attr_tacacs_server_message);
668 ENCODE_FIELD_STRING16(packet->authen_reply.data_len, attr_tacacs_data);
669
670 goto check_reply;
671 }
672
673 fr_strerror_const("encode: Unknown authentication packet type");
674 return -1;
675
676 case FR_TAC_PLUS_AUTHOR:
677 if (packet_is_author_request(packet)) {
678 /*
679 * 5.1. The Authorization REQUEST Packet Body
680 *
681 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
682 * +----------------+----------------+----------------+----------------+
683 * | authen_method | priv_lvl | authen_type | authen_service |
684 * +----------------+----------------+----------------+----------------+
685 * | user_len | port_len | rem_addr_len | arg_cnt |
686 * +----------------+----------------+----------------+----------------+
687 * | arg_1_len | arg_2_len | ... | arg_N_len |
688 * +----------------+----------------+----------------+----------------+
689 * | user ...
690 * +----------------+----------------+----------------+----------------+
691 * | port ...
692 * +----------------+----------------+----------------+----------------+
693 * | rem_addr ...
694 * +----------------+----------------+----------------+----------------+
695 * | arg_1 ...
696 * +----------------+----------------+----------------+----------------+
697 * | arg_2 ...
698 * +----------------+----------------+----------------+----------------+
699 * | ...
700 * +----------------+----------------+----------------+----------------+
701 * | arg_N ...
702 * +----------------+----------------+----------------+----------------+
703 */
704
705 /*
706 * Make room for such body request.
707 */
708 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->author_req));
709
710 /*
711 * Encode 4 octets of various flags.
712 */
713 ENCODE_FIELD_UINT8(packet->author_req.authen_method, attr_tacacs_authentication_method);
714 ENCODE_FIELD_UINT8(packet->author_req.priv_lvl, attr_tacacs_privilege_level);
715 ENCODE_FIELD_UINT8(packet->author_req.authen_type, attr_tacacs_authentication_type);
716 ENCODE_FIELD_UINT8(packet->author_req.authen_service, attr_tacacs_authentication_service);
717
718 /*
719 * Encode 'arg_N' arguments (horrible format)
720 */
721 packet->author_req.arg_cnt = tacacs_encode_body_arg_cnt(vps, attr_tacacs_argument_list);
722 if (packet->author_req.arg_cnt) FR_DBUFF_MEMSET_RETURN(&work_dbuff, 0, packet->author_req.arg_cnt);
723
724 /*
725 * Encode 3 mandatory fields.
726 */
727 ENCODE_FIELD_STRING8(packet->author_req.user_len, attr_tacacs_user_name);
728 ENCODE_FIELD_STRING8(packet->author_req.port_len, attr_tacacs_client_port);
729 ENCODE_FIELD_STRING8(packet->author_req.rem_addr_len, attr_tacacs_remote_address);
730
731 /*
732 * Append 'args_body' to the end of buffer
733 */
734 if (packet->author_req.arg_cnt > 0) {
735 if (tacacs_encode_body_arg_n(&work_dbuff, packet->author_req.arg_cnt, &packet->author_req.arg_len[0], vps, attr_tacacs_argument_list) < 0) return -1;
736 }
737
738 goto check_request;
739 } else if (packet_is_author_reply(packet)) {
740 /*
741 * 5.2. The Authorization RESPONSE Packet Body
742 *
743 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
744 * +----------------+----------------+----------------+----------------+
745 * | status | arg_cnt | server_msg len |
746 * +----------------+----------------+----------------+----------------+
747 * + data_len | arg_1_len | arg_2_len |
748 * +----------------+----------------+----------------+----------------+
749 * | ... | arg_N_len | server_msg ...
750 * +----------------+----------------+----------------+----------------+
751 * | data ...
752 * +----------------+----------------+----------------+----------------+
753 * | arg_1 ...
754 * +----------------+----------------+----------------+----------------+
755 * | arg_2 ...
756 * +----------------+----------------+----------------+----------------+
757 * | ...
758 * +----------------+----------------+----------------+----------------+
759 * | arg_N ...
760 * +----------------+----------------+----------------+----------------+
761 */
762
763 /*
764 * Make room for such body request.
765 */
766 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->author_reply));
767
768 /*
769 * Encode 1 mandatory field.
770 */
771 ENCODE_FIELD_UINT8(packet->author_reply.status, attr_tacacs_authorization_status);
772
773 /*
774 * Encode 'arg_N' arguments (horrible format)
775 *
776 * For ERRORs, we don't encode arguments.
777 *
778 * 5.2
779 *
780 * A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred
781 * on the server. For the differences between ERROR and FAIL, refer to
782 * section Session Completion (Section 3.4) . None of the arg values
783 * have any relevance if an ERROR is set, and must be ignored.
784 *
785 * When the status equals TAC_PLUS_AUTHOR_STATUS_FOLLOW, then the
786 * arg_cnt MUST be 0.
787 */
788 if (!((packet->author_reply.status == FR_AUTHORIZATION_STATUS_VALUE_ERROR) ||
789 (packet->author_reply.status == FR_AUTHORIZATION_STATUS_VALUE_FOLLOW))) {
790 packet->author_reply.arg_cnt = tacacs_encode_body_arg_cnt(vps, attr_tacacs_argument_list);
791 if (packet->author_reply.arg_cnt) FR_DBUFF_MEMSET_RETURN(&work_dbuff, 0, packet->author_reply.arg_cnt);
792 } else {
793 packet->author_reply.arg_cnt = 0;
794 }
795
796 /*
797 * Encode 2 mandatory fields.
798 */
799 ENCODE_FIELD_STRING16(packet->author_reply.server_msg_len, attr_tacacs_server_message);
800 ENCODE_FIELD_STRING16(packet->author_reply.data_len, attr_tacacs_data);
801
802 /*
803 * Append 'args_body' to the end of buffer
804 */
805 if (packet->author_reply.arg_cnt > 0) {
806 if (tacacs_encode_body_arg_n(&work_dbuff, packet->author_reply.arg_cnt, &packet->author_reply.arg_len[0], vps, attr_tacacs_argument_list) < 0) return -1;
807 }
808
809 goto check_reply;
810
811 }
812
813 fr_strerror_const("encode: Unknown authorization packet type");
814 return -1;
815
816 case FR_TAC_PLUS_ACCT:
817 if (packet_is_acct_request(packet)) {
818 /**
819 * 6.1. The Account REQUEST Packet Body
820 *
821 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
822 * +----------------+----------------+----------------+----------------+
823 * | flags | authen_method | priv_lvl | authen_type |
824 * +----------------+----------------+----------------+----------------+
825 * | authen_service | user_len | port_len | rem_addr_len |
826 * +----------------+----------------+----------------+----------------+
827 * | arg_cnt | arg_1_len | arg_2_len | ... |
828 * +----------------+----------------+----------------+----------------+
829 * | arg_N_len | user ...
830 * +----------------+----------------+----------------+----------------+
831 * | port ...
832 * +----------------+----------------+----------------+----------------+
833 * | rem_addr ...
834 * +----------------+----------------+----------------+----------------+
835 * | arg_1 ...
836 * +----------------+----------------+----------------+----------------+
837 * | arg_2 ...
838 * +----------------+----------------+----------------+----------------+
839 * | ...
840 * +----------------+----------------+----------------+----------------+
841 * | arg_N ...
842 * +----------------+----------------+----------------+----------------+
843 */
844
845 /*
846 * Make room for such body request.
847 */
848 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->acct_req));
849
850 /*
851 * Encode 5 octets of various flags.
852 */
853 ENCODE_FIELD_UINT8(packet->acct_req.flags, attr_tacacs_accounting_flags);
854 ENCODE_FIELD_UINT8(packet->acct_req.authen_method, attr_tacacs_authentication_method);
855 ENCODE_FIELD_UINT8(packet->acct_req.priv_lvl, attr_tacacs_privilege_level);
856 ENCODE_FIELD_UINT8(packet->acct_req.authen_type, attr_tacacs_authentication_type);
857 ENCODE_FIELD_UINT8(packet->acct_req.authen_service, attr_tacacs_authentication_service);
858
859 /*
860 * Encode 'arg_N' arguments (horrible format)
861 */
862 packet->acct_req.arg_cnt = tacacs_encode_body_arg_cnt(vps, attr_tacacs_argument_list);
863 if (packet->acct_req.arg_cnt) FR_DBUFF_MEMSET_RETURN(&work_dbuff, 0, packet->acct_req.arg_cnt);
864
865 /*
866 * Encode 3 mandatory fields.
867 */
868 ENCODE_FIELD_STRING8(packet->acct_req.user_len, attr_tacacs_user_name);
869 ENCODE_FIELD_STRING8(packet->acct_req.port_len, attr_tacacs_client_port);
870 ENCODE_FIELD_STRING8(packet->acct_req.rem_addr_len, attr_tacacs_remote_address);
871
872 /*
873 * Append 'args_body' to the end of buffer
874 */
875 if (packet->acct_req.arg_cnt > 0) {
876 if (tacacs_encode_body_arg_n(&work_dbuff, packet->acct_req.arg_cnt, &packet->acct_req.arg_len[0], vps, attr_tacacs_argument_list) < 0) return -1;
877 }
878
879 check_request:
880 /*
881 * Just to avoid malformed packet.
882 */
883 fr_dbuff_set(&hdr_io, &hdr);
884 fr_dbuff_out(&version_byte, &hdr_io);
885 if (!version_byte) {
886 version_byte = 0xc1; /* version 12.1 */
887 fr_dbuff_set(&hdr_io, &hdr);
888 FR_DBUFF_IN_RETURN(&hdr_io, version_byte);
889 }
890 /*
891 * If the caller didn't set a session ID, use a random one.
892 */
893 if (!fr_pair_find_by_da_nested(vps, NULL, attr_tacacs_session_id)) {
894 packet->hdr.session_id = fr_rand();
895 }
896
897 /*
898 * Requests have odd sequence numbers.
899 */
900 packet->hdr.seq_no |= 0x01;
901 break;
902
903 } else if (packet_is_acct_reply(packet)) {
904 /**
905 * 6.2. The Accounting REPLY Packet Body
906 *
907 * 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
908 * +----------------+----------------+----------------+----------------+
909 * | server_msg len | data_len |
910 * +----------------+----------------+----------------+----------------+
911 * | status | server_msg ...
912 * +----------------+----------------+----------------+----------------+
913 * | data ...
914 * +----------------+
915 */
916
917 /*
918 * Make room for such body request.
919 */
920 FR_DBUFF_ADVANCE_RETURN(&work_dbuff, sizeof(packet->acct_reply));
921
922 /*
923 * Encode 2 mandatory fields.
924 */
925 ENCODE_FIELD_STRING16(packet->acct_reply.server_msg_len, attr_tacacs_server_message);
926 ENCODE_FIELD_STRING16(packet->acct_reply.data_len, attr_tacacs_data);
927
928 /*
929 * And also, the status field.
930 */
931 ENCODE_FIELD_UINT8(packet->acct_reply.status, attr_tacacs_accounting_status);
932
933 check_reply:
934 /*
935 * fr_struct_to_network() fills the struct fields with 0
936 * if there is no matching VP. In the interest of making
937 * things easier for the user, we don't require them to
938 * copy all of the fields from the request to the reply.
939 *
940 * Instead, we copy the fields manually, and ensure that
941 * they have the correct values.
942 */
943 if (original) {
944 fr_dbuff_set(&hdr_io, &hdr);
945 fr_dbuff_out(&version_byte, &hdr_io);
946 if (!version_byte) {
947 packet->hdr.version = original->version;
948 }
949
950 if (!packet->hdr.seq_no) {
951 packet->hdr.seq_no = original->seq_no + 1; /* uint8_t */
952 }
953
954 if (!packet->hdr.session_id) {
955 packet->hdr.session_id = original->session_id;
956 }
957 }
958
959 /*
960 * Replies have even sequence numbers.
961 */
962 packet->hdr.seq_no &= 0xfe;
963 break;
964 }
965
966 fr_strerror_const("encode: Unknown accounting packet type");
967 return -1;
968
969 default:
970 fr_strerror_printf("encode: unknown packet type %d", packet->hdr.type);
971 return -1;
972 }
973
974 /*
975 * Force the correct header type, and randomly-placed
976 * status fields. But only if there's no code field.
977 * Only the unit tests pass a zero code field, as that's
978 * normally invalid. The unit tests ensure that all of
979 * the VPs are passed to encode a packet, and they all
980 * must be correct
981 */
982 if (code && (fr_tacacs_code_to_packet(packet, code) < 0)) return -1;
983
984 /*
985 * The packet length we store in the header doesn't
986 * include the size of the header. But we tell the
987 * caller about the total length of the packet.
988 */
989 packet_len = fr_dbuff_used(&work_dbuff);
990 fr_assert(packet_len >= sizeof(fr_tacacs_packet_hdr_t));
991
992 body_len = (packet_len - sizeof(fr_tacacs_packet_hdr_t));
993 fr_assert(packet_len < FR_MAX_PACKET_SIZE);
994 packet->hdr.length = htonl(body_len);
995
996 /*
997 * If the original packet is encrypted, then the reply
998 * MUST be encrypted too.
999 *
1000 * On the other hand, if the request is unencrypted,
1001 * we're OK with sending an encrypted reply. Because,
1002 * whatever.
1003 */
1004 if (original &&
1005 ((original->flags & FR_TAC_PLUS_UNENCRYPTED_FLAG) == 0)) {
1006 packet->hdr.flags &= ~FR_TAC_PLUS_UNENCRYPTED_FLAG;
1007 }
1008
1009#ifndef NDEBUG
1010 if (fr_debug_lvl >= L_DBG_LVL_4) {
1011 uint8_t flags = packet->hdr.flags;
1012
1013 packet->hdr.flags |= FR_TAC_PLUS_UNENCRYPTED_FLAG;
1014 fr_tacacs_packet_log_hex(&default_log, packet, packet_len);
1015 packet->hdr.flags = flags;
1016 }
1017#endif
1018
1019 /*
1020 * 3.6. Encryption
1021 *
1022 * Packets are encrypted if the unencrypted flag is clear.
1023 */
1024 if (secret) {
1025 if (!secret_len) {
1026 fr_strerror_const("Packet should be decrypted, but the secret has zero length");
1027 return -1;
1028 }
1029
1030 FR_PROTO_HEX_DUMP(fr_dbuff_start(&work_dbuff), packet_len, "fr_tacacs_packet_t (unencrypted)");
1031
1032 if (fr_tacacs_body_xor(packet, fr_dbuff_current(&body), body_len, secret, secret_len) != 0) return -1;
1033
1034 packet->hdr.flags &= ~FR_TAC_PLUS_UNENCRYPTED_FLAG;
1035 } else {
1036 /*
1037 * Packets which have no secret cannot be encrypted.
1038 */
1039 packet->hdr.flags |= FR_TAC_PLUS_UNENCRYPTED_FLAG;
1040
1041 }
1042
1043 FR_PROTO_HEX_DUMP(fr_dbuff_start(&work_dbuff), packet_len, "fr_tacacs_packet_t (encoded)");
1044
1045 return fr_dbuff_set(dbuff, &work_dbuff);
1046}
1047
1048/*
1049 * Test points for protocol encode
1050 */
1051static ssize_t fr_tacacs_encode_proto(UNUSED TALLOC_CTX *ctx, fr_pair_list_t *vps,
1052 uint8_t *data, size_t data_len, void *proto_ctx)
1053{
1054 fr_tacacs_ctx_t *test_ctx = talloc_get_type_abort(proto_ctx, fr_tacacs_ctx_t);
1055
1056 return fr_tacacs_encode(&FR_DBUFF_TMP(data, data_len), NULL, test_ctx->secret,
1057 test_ctx->secret ? talloc_strlen(test_ctx->secret) : 0, 0, vps);
1058}
1059
1060static int _encode_test_ctx(fr_tacacs_ctx_t *test_ctx)
1061{
1062 talloc_const_free(test_ctx->secret);
1063
1064 fr_tacacs_global_free();
1065
1066 return 0;
1067}
1068
1069static int encode_test_ctx(void **out, TALLOC_CTX *ctx, UNUSED fr_dict_t const *dict,
1070 UNUSED fr_dict_attr_t const *root_da)
1071{
1072 fr_tacacs_ctx_t *test_ctx;
1073
1074 if (fr_tacacs_global_init() < 0) return -1;
1075
1076 test_ctx = talloc_zero(ctx, fr_tacacs_ctx_t);
1077 if (!test_ctx) return -1;
1078
1079 test_ctx->root = fr_dict_root(dict_tacacs);
1080 talloc_set_destructor(test_ctx, _encode_test_ctx);
1081
1082 *out = test_ctx;
1083
1084 return 0;
1085}
1086
1087/*
1088 * Test points
1089 */
1090extern fr_test_point_proto_encode_t tacacs_tp_encode_proto;
buffer
static int const char char buffer[256]
Definition acutest.h:576
UNUSED
#define UNUSED
Definition build.h:336
root_da
fr_dict_attr_t const * root_da
Definition common.c:32
fr_dbuff_used
#define fr_dbuff_used(_dbuff_or_marker)
Return the number of bytes remaining between the start of the dbuff or marker and the current positio...
Definition dbuff.h:775
FR_DBUFF_ADVANCE_RETURN
#define FR_DBUFF_ADVANCE_RETURN(_dbuff_or_marker, _len)
Advance the 'current' position in dbuff or marker by _len bytes returning if _len is out of range.
Definition dbuff.h:1097
fr_dbuff_marker_t
struct fr_dbuff_marker_s fr_dbuff_marker_t
A position marker associated with a dbuff.
Definition dbuff.h:81
fr_dbuff_current
#define fr_dbuff_current(_dbuff_or_marker)
Return the 'current' position of a dbuff or marker.
Definition dbuff.h:919
fr_dbuff_set
#define fr_dbuff_set(_dst, _src)
Set the 'current' position in a dbuff or marker using another dbuff or marker, a char pointer,...
Definition dbuff.h:1012
fr_dbuff_start
#define fr_dbuff_start(_dbuff_or_marker)
Return the 'start' position of a dbuff or marker.
Definition dbuff.h:906
FR_DBUFF_MEMSET_RETURN
#define FR_DBUFF_MEMSET_RETURN(_dbuff_or_marker, _c, _inlen)
Set _inlen bytes of a dbuff or marker to _c returning if there is insufficient space.
Definition dbuff.h:1517
fr_dbuff_marker
static uint8_t * fr_dbuff_marker(fr_dbuff_marker_t *m, fr_dbuff_t *dbuff)
Initialises a new marker pointing to the 'current' position of the dbuff.
Definition dbuff.h:1201
FR_DBUFF_IN_MEMCPY_RETURN
#define FR_DBUFF_IN_MEMCPY_RETURN(_dbuff_or_marker, _in, _inlen)
Copy exactly _inlen bytes into dbuff or marker returning if there's insufficient space.
Definition dbuff.h:1391
FR_DBUFF_ERROR_OFFSET
#define FR_DBUFF_ERROR_OFFSET(_slen, _offset)
Generic wrapper to return an error and an offset from encoding.
Definition dbuff.h:196
FR_DBUFF_REMAINING_RETURN
#define FR_DBUFF_REMAINING_RETURN(_dbuff_or_marker, _len)
Check if _len bytes are available in the dbuff and if not return the number of bytes we'd need.
Definition dbuff.h:769
FR_DBUFF_IN_RETURN
#define FR_DBUFF_IN_RETURN(_dbuff_or_marker, _in)
Copy data from a fixed sized C type into a dbuff returning if there is insufficient space.
Definition dbuff.h:1594
FR_DBUFF
#define FR_DBUFF(_dbuff_or_marker)
Create a new dbuff pointing to the same underlying buffer.
Definition dbuff.h:230
FR_DBUFF_MAX
#define FR_DBUFF_MAX(_dbuff_or_marker, _max)
Limit the maximum number of bytes available in the dbuff when passing it to another function.
Definition dbuff.h:309
fr_dbuff_out
#define fr_dbuff_out(_out, _dbuff_or_marker)
Copy data from a dbuff or marker to a fixed sized C type.
Definition dbuff.h:1808
FR_DBUFF_IN_BYTES_RETURN
#define FR_DBUFF_IN_BYTES_RETURN(_dbuff_or_marker,...)
Copy a byte sequence into a dbuff or marker returning if there's insufficient space.
Definition dbuff.h:1481
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition dbuff.h:522
fr_dcursor_next
static void * fr_dcursor_next(fr_dcursor_t *cursor)
Advanced the cursor to the next item.
Definition dcursor.h:288
fr_dcursor_s
Definition dcursor.h:91
fr_dict_by_da
fr_dict_t const * fr_dict_by_da(fr_dict_attr_t const *da)
Attempt to locate the protocol dictionary containing an attribute.
Definition dict_util.c:2848
fr_dict_root
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
Definition dict_util.c:2639
fr_debug_lvl
int fr_debug_lvl
Definition log.c:41
default_log
fr_log_t default_log
Definition log.c:306
L_DBG_LVL_4
@ L_DBG_LVL_4
4th highest priority debug messages (-xxxx | -Xxx).
Definition log.h:70
FR_TYPE_TIME_DELTA
@ FR_TYPE_TIME_DELTA
A period of time measured in nanoseconds.
Definition merged_model.c:113
FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83
FR_TYPE_DATE
@ FR_TYPE_DATE
Unix time stamp, always has value >2^31.
Definition merged_model.c:111
FR_TYPE_VENDOR
@ FR_TYPE_VENDOR
Attribute that represents a vendor in the attribute tree.
Definition merged_model.c:122
FR_TYPE_UINT64
@ FR_TYPE_UINT64
64 Bit unsigned integer.
Definition merged_model.c:100
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
ssize_t
long int ssize_t
Definition merged_model.c:24
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
UINT8_MAX
#define UINT8_MAX
Definition merged_model.c:32
fr_dbuff_t
Definition merged_model.c:41
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
fr_sbuff_t
Definition merged_model.c:37
fr_value_box_t
Definition merged_model.c:136
fr_pair_find_by_da_nested
fr_pair_t * fr_pair_find_by_da_nested(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find a pair with a matching fr_dict_attr_t, by walking the nested fr_dict_attr_t tree.
Definition pair.c:784
fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:707
attr_tacacs_authentication_flags
static fr_dict_attr_t const * attr_tacacs_authentication_flags
Definition base.c:53
attr_tacacs_user_message
static fr_dict_attr_t const * attr_tacacs_user_message
Definition base.c:70
attr_tacacs_session_id
static fr_dict_attr_t const * attr_tacacs_session_id
Definition base.c:67
attr_tacacs_server_message
static fr_dict_attr_t const * attr_tacacs_server_message
Definition base.c:66
attr_tacacs_privilege_level
static fr_dict_attr_t const * attr_tacacs_privilege_level
Definition base.c:64
attr_tacacs_authentication_type
static fr_dict_attr_t const * attr_tacacs_authentication_type
Definition base.c:54
attr_tacacs_accounting_status
static fr_dict_attr_t const * attr_tacacs_accounting_status
Definition base.c:59
attr_tacacs_authentication_service
static fr_dict_attr_t const * attr_tacacs_authentication_service
Definition base.c:55
attr_tacacs_authentication_status
static fr_dict_attr_t const * attr_tacacs_authentication_status
Definition base.c:56
attr_tacacs_client_port
static fr_dict_attr_t const * attr_tacacs_client_port
Definition base.c:62
attr_tacacs_remote_address
static fr_dict_attr_t const * attr_tacacs_remote_address
Definition base.c:65
attr_tacacs_action
static fr_dict_attr_t const * attr_tacacs_action
Definition base.c:51
attr_tacacs_authorization_status
static fr_dict_attr_t const * attr_tacacs_authorization_status
Definition base.c:58
attr_tacacs_accounting_flags
static fr_dict_attr_t const * attr_tacacs_accounting_flags
Definition base.c:60
attr_tacacs_data
static fr_dict_attr_t const * attr_tacacs_data
Definition base.c:63
fr_proto_da_stack_build
void fr_proto_da_stack_build(fr_da_stack_t *stack, fr_dict_attr_t const *da)
Build a complete DA stack from the da back to the root.
Definition proto.c:118
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition proto_tacacs.c:75
attr_tacacs_user_name
static fr_dict_attr_t const * attr_tacacs_user_name
Definition proto_tacacs.c:85
encode_test_ctx
static int encode_test_ctx(void **out, TALLOC_CTX *ctx, UNUSED fr_dict_t const *dict, UNUSED fr_dict_attr_t const *root_da)
Definition encode.c:165
attr_tacacs_argument_list
HIDDEN fr_dict_attr_t const * attr_tacacs_argument_list
Definition base.c:55
attr_tacacs_chap_password
HIDDEN fr_dict_attr_t const * attr_tacacs_chap_password
Definition base.c:74
attr_tacacs_mschap_challenge
HIDDEN fr_dict_attr_t const * attr_tacacs_mschap_challenge
Definition base.c:78
attr_tacacs_packet
HIDDEN fr_dict_attr_t const * attr_tacacs_packet
Definition base.c:60
attr_tacacs_mschap2_response
HIDDEN fr_dict_attr_t const * attr_tacacs_mschap2_response
Definition base.c:77
attr_tacacs_authentication_continue_flags
HIDDEN fr_dict_attr_t const * attr_tacacs_authentication_continue_flags
Definition base.c:49
attr_tacacs_user_password
HIDDEN fr_dict_attr_t const * attr_tacacs_user_password
Definition base.c:73
attr_tacacs_chap_challenge
HIDDEN fr_dict_attr_t const * attr_tacacs_chap_challenge
Definition base.c:75
attr_tacacs_mschap_response
HIDDEN fr_dict_attr_t const * attr_tacacs_mschap_response
Definition base.c:76
attr_tacacs_authentication_method
HIDDEN fr_dict_attr_t const * attr_tacacs_authentication_method
Definition base.c:50
attr_tacacs_flags
HIDDEN fr_dict_attr_t const * attr_tacacs_flags
Definition base.c:58
fr_tacacs_body_xor
int fr_tacacs_body_xor(fr_tacacs_packet_t const *pkt, uint8_t *body, size_t body_len, char const *secret, size_t secret_len)
XOR the body based on the secret key.
Definition base.c:148
fr_tacacs_global_free
void fr_tacacs_global_free(void)
Definition base.c:610
fr_tacacs_global_init
int fr_tacacs_global_init(void)
Definition base.c:586
tacacs_encode_chap
static ssize_t tacacs_encode_chap(fr_dbuff_t *dbuff, fr_tacacs_packet_t *packet, fr_pair_list_t *vps, fr_dict_attr_t const *da_chap, fr_dict_attr_t const *da_challenge)
Definition encode.c:314
fr_tacacs_code_to_packet
int fr_tacacs_code_to_packet(fr_tacacs_packet_t *pkt, uint32_t code)
Definition encode.c:36
tacacs_encode_field
static ssize_t tacacs_encode_field(fr_dbuff_t *dbuff, fr_pair_list_t *vps, fr_dict_attr_t const *da, size_t max_len)
Definition encode.c:295
ENCODE_FIELD_UINT8
#define ENCODE_FIELD_UINT8(_field, _da)
Definition encode.c:361
fr_tacacs_encode
ssize_t fr_tacacs_encode(fr_dbuff_t *dbuff, uint8_t const *original_packet, char const *secret, size_t secret_len, unsigned int code, fr_pair_list_t *vps)
Encode VPS into a raw TACACS packet.
Definition encode.c:372
tacacs_encode_body_arg_cnt
static uint8_t tacacs_encode_body_arg_cnt(fr_pair_list_t *vps, fr_dict_attr_t const *da)
Encode a TACACS+ 'arg_N' fields.
Definition encode.c:133
fr_tacacs_encode_proto
static ssize_t fr_tacacs_encode_proto(UNUSED TALLOC_CTX *ctx, fr_pair_list_t *vps, uint8_t *data, size_t data_len, void *proto_ctx)
Definition encode.c:1051
ENCODE_FIELD_STRING8
#define ENCODE_FIELD_STRING8(_field, _da)
Definition encode.c:366
tacacs_tp_encode_proto
fr_test_point_proto_encode_t tacacs_tp_encode_proto
Definition encode.c:1091
ENCODE_FIELD_STRING16
#define ENCODE_FIELD_STRING16(_field, _da)
Definition encode.c:367
tacacs_encode_body_arg_n
static ssize_t tacacs_encode_body_arg_n(fr_dbuff_t *dbuff, uint8_t arg_cnt, uint8_t *arg_len, fr_pair_list_t *vps, fr_dict_attr_t const *da)
Definition encode.c:182
_encode_test_ctx
static int _encode_test_ctx(UNUSED fr_tftp_ctx_t *proto_ctx)
Definition encode.c:250
attrs.h
VQP attributes.
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:37
secret
static char * secret
Definition radclient-ng.c:68
fr_rand
uint32_t fr_rand(void)
Return a 32-bit random number.
Definition rand.c:104
fr_sbuff_in_sprintf
ssize_t fr_sbuff_in_sprintf(fr_sbuff_t *sbuff, char const *fmt,...)
Print using a fmt string to an sbuff.
Definition sbuff.c:1609
FR_SBUFF_OUT
#define FR_SBUFF_OUT(_start, _len_or_end)
vp
fr_pair_t * vp
Definition state_machine.c:2287
fr_struct_to_network
ssize_t fr_struct_to_network(fr_dbuff_t *dbuff, fr_da_stack_t *da_stack, unsigned int depth, fr_dcursor_t *parent_cursor, void *encode_ctx, fr_encode_dbuff_t encode_value, fr_encode_dbuff_t encode_pair)
Definition struct.c:753
pair_list_s
Definition pair.h:52
value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
value_pair_s::da
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
fr_tacacs_ctx_t::secret
char const * secret
Definition tacacs.h:331
packet_is_authen_reply
#define packet_is_authen_reply(p)
Definition tacacs.h:51
packet_is_authen_continue
#define packet_is_authen_continue(p)
Definition tacacs.h:50
FR_TAC_PLUS_CONTINUE_FLAG_UNSET
@ FR_TAC_PLUS_CONTINUE_FLAG_UNSET
Definition tacacs.h:174
FR_TAC_PLUS_CONTINUE_FLAG_ABORT
@ FR_TAC_PLUS_CONTINUE_FLAG_ABORT
Definition tacacs.h:175
FR_TAC_PLUS_SINGLE_CONNECT_FLAG
@ FR_TAC_PLUS_SINGLE_CONNECT_FLAG
Definition tacacs.h:80
FR_TAC_PLUS_UNENCRYPTED_FLAG
@ FR_TAC_PLUS_UNENCRYPTED_FLAG
Definition tacacs.h:79
fr_tacacs_packet_log_hex
#define fr_tacacs_packet_log_hex(_log, _packet, _size)
Definition tacacs.h:355
fr_tacacs_ctx_t::root
fr_dict_attr_t const * root
Definition tacacs.h:330
FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_ADD
Definition tacacs.h:211
FR_TAC_PLUS_AUTHOR_STATUS_FAIL
@ FR_TAC_PLUS_AUTHOR_STATUS_FAIL
Definition tacacs.h:213
FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
@ FR_TAC_PLUS_AUTHOR_STATUS_PASS_REPL
Definition tacacs.h:212
packet_is_acct_reply
#define packet_is_acct_reply(p)
Definition tacacs.h:57
FR_TAC_PLUS_ACCT
@ FR_TAC_PLUS_ACCT
Definition tacacs.h:67
FR_TAC_PLUS_AUTHEN
@ FR_TAC_PLUS_AUTHEN
Definition tacacs.h:65
FR_TAC_PLUS_AUTHOR
@ FR_TAC_PLUS_AUTHOR
Definition tacacs.h:66
packet_is_author_request
#define packet_is_author_request(p)
Definition tacacs.h:53
packet_is_acct_request
#define packet_is_acct_request(p)
Definition tacacs.h:56
packet_is_authen_start_request
#define packet_is_authen_start_request(p)
3.4.
Definition tacacs.h:49
fr_tacacs_packet_t::hdr
fr_tacacs_packet_hdr_t hdr
Definition tacacs.h:277
fr_tacacs_packet_hdr_t::flags
fr_tacacs_flags_t flags
Definition tacacs.h:99
fr_tacacs_packet_hdr_t::type
fr_tacacs_type_t type
Definition tacacs.h:97
FR_MAX_PACKET_SIZE
#define FR_MAX_PACKET_SIZE
Definition tacacs.h:27
FR_TAC_PLUS_ACCT_STATUS_SUCCESS
@ FR_TAC_PLUS_ACCT_STATUS_SUCCESS
Definition tacacs.h:255
FR_TAC_PLUS_ACCT_STATUS_ERROR
@ FR_TAC_PLUS_ACCT_STATUS_ERROR
Definition tacacs.h:256
FR_TAC_PLUS_AUTHEN_STATUS_PASS
@ FR_TAC_PLUS_AUTHEN_STATUS_PASS
Definition tacacs.h:151
FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
@ FR_TAC_PLUS_AUTHEN_STATUS_GETDATA
Definition tacacs.h:153
FR_TAC_PLUS_AUTHEN_STATUS_ERROR
@ FR_TAC_PLUS_AUTHEN_STATUS_ERROR
Definition tacacs.h:157
FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
@ FR_TAC_PLUS_AUTHEN_STATUS_GETUSER
Definition tacacs.h:154
FR_TAC_PLUS_AUTHEN_STATUS_FAIL
@ FR_TAC_PLUS_AUTHEN_STATUS_FAIL
Definition tacacs.h:152
FR_TAC_PLUS_AUTHEN_STATUS_RESTART
@ FR_TAC_PLUS_AUTHEN_STATUS_RESTART
Definition tacacs.h:156
FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
@ FR_TAC_PLUS_AUTHEN_STATUS_GETPASS
Definition tacacs.h:155
packet_is_author_reply
#define packet_is_author_reply(p)
Definition tacacs.h:54
fr_tacacs_ctx_t
Used as the decoder ctx.
Definition tacacs.h:329
fr_tacacs_packet_hdr_t
Definition tacacs.h:84
fr_tacacs_packet_t
Definition tacacs.h:276
talloc_const_free
static int talloc_const_free(void const *ptr)
Free const'd memory.
Definition talloc.h:254
talloc_strlen
static size_t talloc_strlen(char const *s)
Returns the length of a talloc array containing a string.
Definition talloc.h:143
fr_test_point_proto_encode_t::test_ctx
fr_test_point_ctx_alloc_t test_ctx
Allocate a test ctx for the encoder.
Definition test_point.h:76
fr_test_point_proto_encode_t
Entry point for protocol encoders.
Definition test_point.h:75
T_BARE_WORD
@ T_BARE_WORD
Definition token.h:118
fr_pair_list_next
fr_pair_t * fr_pair_list_next(fr_pair_list_t const *list, fr_pair_t const *item))
Get the next item in a valuepair list after a specific entry.
Definition pair_inline.c:69
fr_pair_print_value_quoted
ssize_t fr_pair_print_value_quoted(fr_sbuff_t *out, fr_pair_t const *vp, fr_token_t quote)
Print the value of an attribute to a string.
Definition pair_print.c:59
fr_pair_dcursor_init
#define fr_pair_dcursor_init(_cursor, _list)
Initialises a special dcursor with callbacks that will maintain the attr sublists correctly.
Definition pair.h:604
fr_pair_list_head
fr_pair_t * fr_pair_list_head(fr_pair_list_t const *list)
Get the head of a valuepair list.
Definition pair_inline.c:42
fr_pair_list_num_elements
size_t fr_pair_list_num_elements(fr_pair_list_t const *list)
Get the length of a list of fr_pair_t.
Definition pair_inline.c:150
FR_PROTO_HEX_DUMP
#define FR_PROTO_HEX_DUMP(_data, _data_len, _fmt,...)
Definition proto.h:42
FR_PROTO_TRACE
#define FR_PROTO_TRACE(_fmt,...)
Definition proto.h:41
FR_PROTO_STACK_PRINT
#define FR_PROTO_STACK_PRINT(_stack, _depth)
Definition proto.h:44
fr_da_stack_t
Structure for holding the stack of dictionary attributes being encoded.
Definition proto.h:55
fr_strerror_printf
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64
fr_strerror_const
#define fr_strerror_const(_msg)
Definition strerror.h:223
fr_value_box_cast
int fr_value_box_cast(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_type_t dst_type, fr_dict_attr_t const *dst_enumv, fr_value_box_t const *src)
Convert one type of fr_value_box_t to another.
Definition value.c:3946
data
static fr_slen_t data
Definition value.h:1340
fr_value_box_init
#define fr_value_box_init(_vb, _type, _enumv, _tainted)
Initialise a fr_value_box_t.
Definition value.h:610
out
static size_t char ** out
Definition value.h:1030
Generated by   doxygen 1.9.8