2 * Routines for cisco tacacs/xtacacs/tacacs+ packet dissection
3 * Copyright 2001, Paul Ionescu <paul@acorp.ro>
5 * Full Tacacs+ parsing with decryption by
6 * Emanuele Caratti <wiz@iol.it>
10 * Wireshark - Network traffic analyzer
11 * By Gerald Combs <gerald@wireshark.org>
12 * Copyright 1998 Gerald Combs
14 * Copied from old packet-tacacs.c
16 * This program is free software; you can redistribute it and/or
17 * modify it under the terms of the GNU General Public License
18 * as published by the Free Software Foundation; either version 2
19 * of the License, or (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, write to the Free Software
28 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 /* rfc-1492 for tacacs and xtacacs
33 * draft-grant-tacacs-02.txt for tacacs+ (tacplus)
34 * ftp://ftp.cisco.com/pub/rfc/DRAFTS/draft-grant-tacacs-02.txt
44 #include <sys/types.h>
45 #ifdef HAVE_SYS_SOCKET_H
46 #include <sys/socket.h>
48 #ifdef HAVE_NETINET_IN_H
49 # include <netinet/in.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #ifdef HAVE_WINSOCK2_H
56 #include <winsock2.h> /* needed to define AF_ values on Windows */
59 #ifdef NEED_INET_V6DEFS_H
60 # include "inet_v6defs.h"
64 #include <epan/packet.h>
66 #include <epan/prefs.h>
67 #include <epan/crypt/crypt-md5.h>
68 #include <epan/emem.h>
69 #include "packet-tacacs.h"
71 static void md5_xor( guint8 *data, const char *key, int data_len, guint8 *session_id, guint8 version, guint8 seq_no );
73 static int proto_tacacs = -1;
74 static int hf_tacacs_version = -1;
75 static int hf_tacacs_type = -1;
76 static int hf_tacacs_nonce = -1;
77 static int hf_tacacs_userlen = -1;
78 static int hf_tacacs_passlen = -1;
79 static int hf_tacacs_response = -1;
80 static int hf_tacacs_reason = -1;
81 static int hf_tacacs_result1 = -1;
82 static int hf_tacacs_destaddr = -1;
83 static int hf_tacacs_destport = -1;
84 static int hf_tacacs_line = -1;
85 static int hf_tacacs_result2 = -1;
86 static int hf_tacacs_result3 = -1;
88 static gint ett_tacacs = -1;
90 static gboolean tacplus_preference_desegment = TRUE;
92 static const char *tacplus_opt_key;
93 static GSList *tacplus_keys = NULL;
95 #define VERSION_TACACS 0x00
96 #define VERSION_XTACACS 0x80
98 static const value_string tacacs_version_vals[] = {
99 { VERSION_TACACS, "TACACS" },
100 { VERSION_XTACACS, "XTACACS" },
104 #define TACACS_LOGIN 1
105 #define TACACS_RESPONSE 2
106 #define TACACS_CHANGE 3
107 #define TACACS_FOLLOW 4
108 #define TACACS_CONNECT 5
109 #define TACACS_SUPERUSER 6
110 #define TACACS_LOGOUT 7
111 #define TACACS_RELOAD 8
112 #define TACACS_SLIP_ON 9
113 #define TACACS_SLIP_OFF 10
114 #define TACACS_SLIP_ADDR 11
115 static const value_string tacacs_type_vals[] = {
116 { TACACS_LOGIN, "Login" },
117 { TACACS_RESPONSE, "Response" },
118 { TACACS_CHANGE, "Change" },
119 { TACACS_FOLLOW, "Follow" },
120 { TACACS_CONNECT, "Connect" },
121 { TACACS_SUPERUSER, "Superuser" },
122 { TACACS_LOGOUT, "Logout" },
123 { TACACS_RELOAD, "Reload" },
124 { TACACS_SLIP_ON, "SLIP on" },
125 { TACACS_SLIP_OFF, "SLIP off" },
126 { TACACS_SLIP_ADDR, "SLIP Addr" },
129 static const value_string tacacs_reason_vals[] = {
141 static const value_string tacacs_resp_vals[] = {
142 { 0 , "this is not a response" },
148 #define UDP_PORT_TACACS 49
149 #define TCP_PORT_TACACS 49
152 dissect_tacacs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
154 proto_tree *tacacs_tree;
156 guint8 txt_buff[255+1],version,type,userlen,passlen;
158 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TACACS");
159 col_clear(pinfo->cinfo, COL_INFO);
161 version = tvb_get_guint8(tvb,0);
163 col_set_str(pinfo->cinfo, COL_PROTOCOL, "XTACACS");
166 type = tvb_get_guint8(tvb,1);
167 if (check_col(pinfo->cinfo, COL_INFO))
168 col_add_str(pinfo->cinfo, COL_INFO,
169 val_to_str(type, tacacs_type_vals, "Unknown (0x%02x)"));
173 ti = proto_tree_add_protocol_format(tree, proto_tacacs,
174 tvb, 0, -1, version==0?"TACACS":"XTACACS");
175 tacacs_tree = proto_item_add_subtree(ti, ett_tacacs);
177 proto_tree_add_uint(tacacs_tree, hf_tacacs_version, tvb, 0, 1,
179 proto_tree_add_uint(tacacs_tree, hf_tacacs_type, tvb, 1, 1,
181 proto_tree_add_item(tacacs_tree, hf_tacacs_nonce, tvb, 2, 2,
186 if (type!=TACACS_RESPONSE)
188 userlen=tvb_get_guint8(tvb,4);
189 proto_tree_add_uint(tacacs_tree, hf_tacacs_userlen, tvb, 4, 1,
191 passlen=tvb_get_guint8(tvb,5);
192 proto_tree_add_uint(tacacs_tree, hf_tacacs_passlen, tvb, 5, 1,
194 tvb_get_nstringz0(tvb,6,userlen+1,txt_buff);
195 proto_tree_add_text(tacacs_tree, tvb, 6, userlen, "Username: %s",txt_buff);
196 tvb_get_nstringz0(tvb,6+userlen,passlen+1,txt_buff);
197 proto_tree_add_text(tacacs_tree, tvb, 6+userlen, passlen, "Password: %s",txt_buff);
201 proto_tree_add_item(tacacs_tree, hf_tacacs_response, tvb, 4, 1,
203 proto_tree_add_item(tacacs_tree, hf_tacacs_reason, tvb, 5, 1,
209 userlen=tvb_get_guint8(tvb,4);
210 proto_tree_add_uint(tacacs_tree, hf_tacacs_userlen, tvb, 4, 1,
212 passlen=tvb_get_guint8(tvb,5);
213 proto_tree_add_uint(tacacs_tree, hf_tacacs_passlen, tvb, 5, 1,
215 proto_tree_add_item(tacacs_tree, hf_tacacs_response, tvb, 6, 1,
217 proto_tree_add_item(tacacs_tree, hf_tacacs_reason, tvb, 7, 1,
219 proto_tree_add_item(tacacs_tree, hf_tacacs_result1, tvb, 8, 4,
221 proto_tree_add_item(tacacs_tree, hf_tacacs_destaddr, tvb, 12, 4,
223 proto_tree_add_item(tacacs_tree, hf_tacacs_destport, tvb, 16, 2,
225 proto_tree_add_item(tacacs_tree, hf_tacacs_line, tvb, 18, 2,
227 proto_tree_add_item(tacacs_tree, hf_tacacs_result2, tvb, 20, 4,
229 proto_tree_add_item(tacacs_tree, hf_tacacs_result3, tvb, 24, 2,
231 if (type!=TACACS_RESPONSE)
233 tvb_get_nstringz0(tvb,26,userlen+1,txt_buff);
234 proto_tree_add_text(tacacs_tree, tvb, 26, userlen, "Username: %s",txt_buff);
235 tvb_get_nstringz0(tvb,26+userlen,passlen+1,txt_buff);
236 proto_tree_add_text(tacacs_tree, tvb, 26+userlen, passlen, "Password; %s",txt_buff);
243 proto_register_tacacs(void)
245 static hf_register_info hf[] = {
246 { &hf_tacacs_version,
247 { "Version", "tacacs.version",
248 FT_UINT8, BASE_HEX, VALS(tacacs_version_vals), 0x0,
251 { "Type", "tacacs.type",
252 FT_UINT8, BASE_DEC, VALS(tacacs_type_vals), 0x0,
255 { "Nonce", "tacacs.nonce",
256 FT_UINT16, BASE_HEX, NULL, 0x0,
258 { &hf_tacacs_userlen,
259 { "Username length", "tacacs.userlen",
260 FT_UINT8, BASE_DEC, NULL, 0x0,
262 { &hf_tacacs_passlen,
263 { "Password length", "tacacs.passlen",
264 FT_UINT8, BASE_DEC, NULL, 0x0,
266 { &hf_tacacs_response,
267 { "Response", "tacacs.response",
268 FT_UINT8, BASE_DEC, VALS(tacacs_resp_vals), 0x0,
271 { "Reason", "tacacs.reason",
272 FT_UINT8, BASE_DEC, VALS(tacacs_reason_vals), 0x0,
274 { &hf_tacacs_result1,
275 { "Result 1", "tacacs.result1",
276 FT_UINT32, BASE_HEX, NULL, 0x0,
278 { &hf_tacacs_destaddr,
279 { "Destination address", "tacacs.destaddr",
280 FT_IPv4, BASE_NONE, NULL, 0x0,
282 { &hf_tacacs_destport,
283 { "Destination port", "tacacs.destport",
284 FT_UINT16, BASE_DEC, NULL, 0x0,
287 { "Line", "tacacs.line",
288 FT_UINT16, BASE_DEC, NULL, 0x0,
290 { &hf_tacacs_result2,
291 { "Result 2", "tacacs.result2",
292 FT_UINT32, BASE_HEX, NULL, 0x0,
294 { &hf_tacacs_result3,
295 { "Result 3", "tacacs.result3",
296 FT_UINT16, BASE_HEX, NULL, 0x0,
300 static gint *ett[] = {
303 proto_tacacs = proto_register_protocol("TACACS", "TACACS", "tacacs");
304 proto_register_field_array(proto_tacacs, hf, array_length(hf));
305 proto_register_subtree_array(ett, array_length(ett));
309 proto_reg_handoff_tacacs(void)
311 dissector_handle_t tacacs_handle;
313 tacacs_handle = create_dissector_handle(dissect_tacacs, proto_tacacs);
314 dissector_add("udp.port", UDP_PORT_TACACS, tacacs_handle);
317 static int proto_tacplus = -1;
318 static int hf_tacplus_response = -1;
319 static int hf_tacplus_request = -1;
320 static int hf_tacplus_majvers = -1;
321 static int hf_tacplus_minvers = -1;
322 static int hf_tacplus_type = -1;
323 static int hf_tacplus_seqno = -1;
324 static int hf_tacplus_flags = -1;
325 static int hf_tacplus_flags_payload_type = -1;
326 static int hf_tacplus_flags_connection_type = -1;
327 static int hf_tacplus_acct_flags = -1;
328 static int hf_tacplus_session_id = -1;
329 static int hf_tacplus_packet_len = -1;
331 static gint ett_tacplus = -1;
332 static gint ett_tacplus_body = -1;
333 static gint ett_tacplus_body_chap = -1;
334 static gint ett_tacplus_flags = -1;
335 static gint ett_tacplus_acct_flags = -1;
337 typedef struct _tacplus_key_entry {
338 address *s; /* Server address */
339 address *c; /* client address */
344 tacplus_decrypted_tvb_setup( tvbuff_t *tvb, tvbuff_t **dst_tvb, packet_info *pinfo, guint32 len, guint8 version, const char *key )
347 guint8 session_id[4];
349 /* TODO Check the possibility to use pinfo->decrypted_data */
350 /* session_id is in NETWORK Byte Order, and is used as byte array in the md5_xor */
352 tvb_memcpy(tvb, session_id, 4,4);
354 buff = tvb_memdup(tvb, TAC_PLUS_HDR_SIZE, len);
357 md5_xor( buff, key, len, session_id,version, tvb_get_guint8(tvb,2) );
359 /* Allocate a new tvbuff, referring to the decrypted data. */
360 *dst_tvb = tvb_new_child_real_data(tvb, buff, len, len );
362 /* Arrange that the allocated packet data copy be freed when the
364 tvb_set_free_cb( *dst_tvb, g_free );
366 /* Add the decrypted data to the data source list. */
367 add_new_data_source(pinfo, *dst_tvb, "TACACS+ Decrypted");
372 dissect_tacplus_args_list( tvbuff_t *tvb, proto_tree *tree, int data_off, int len_off, int arg_cnt )
376 for(i=0;i<arg_cnt;i++){
377 int len=tvb_get_guint8(tvb,len_off+i);
378 proto_tree_add_text( tree, tvb, len_off+i, 1, "Arg[%d] length: %d", i, len );
379 tvb_get_nstringz0(tvb, data_off, len+1, buff);
380 proto_tree_add_text( tree, tvb, data_off, len, "Arg[%d] value: %s", i, buff );
387 proto_tree_add_tacplus_common_fields( tvbuff_t *tvb, proto_tree *tree, int offset, int var_off )
392 proto_tree_add_text( tree, tvb, offset, 1,
393 "Privilege Level: %d", tvb_get_guint8(tvb,offset) );
397 val=tvb_get_guint8(tvb,offset);
398 proto_tree_add_text( tree, tvb, offset, 1,
399 "Authentication type: %s",
400 val_to_str( val, tacplus_authen_type_vals, "Unknown Packet" ) );
404 val=tvb_get_guint8(tvb,offset);
405 proto_tree_add_text( tree, tvb, offset, 1,
407 val_to_str( val, tacplus_authen_service_vals, "Unknown Packet" ) );
410 /* user_len && user */
411 val=tvb_get_guint8(tvb,offset);
412 proto_tree_add_text( tree, tvb, offset, 1, "User len: %d", val );
414 tvb_get_nstringz0(tvb, var_off, val+1, buff);
415 proto_tree_add_text( tree, tvb, var_off, val, "User: %s", buff );
421 /* port_len && port */
422 val=tvb_get_guint8(tvb,offset);
423 proto_tree_add_text( tree, tvb, offset, 1, "Port len: %d", val );
425 tvb_get_nstringz0(tvb, var_off, val+1, buff);
426 proto_tree_add_text( tree, tvb, var_off, val, "Port: %s", buff );
431 /* rem_addr_len && rem_addr */
432 val=tvb_get_guint8(tvb,offset);
433 proto_tree_add_text( tree, tvb, offset, 1, "Remaddr len: %d", val );
435 tvb_get_nstringz0(tvb, var_off, val+1, buff);
436 proto_tree_add_text( tree, tvb, var_off, val, "Remote Address: %s", buff );
443 dissect_tacplus_body_authen_req_login( tvbuff_t* tvb, proto_tree *tree, int var_off )
447 val=tvb_get_guint8( tvb, AUTHEN_S_DATA_LEN_OFF );
449 switch ( tvb_get_guint8(tvb, AUTHEN_S_AUTHEN_TYPE_OFF ) ) { /* authen_type */
451 case TAC_PLUS_AUTHEN_TYPE_ASCII:
452 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "Data: %d (not used)", val );
454 proto_tree_add_text( tree, tvb, var_off, val, "Data" );
457 case TAC_PLUS_AUTHEN_TYPE_PAP:
458 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "Password Length %d", val );
460 tvb_get_nstringz0( tvb, var_off, val+1, buff );
461 proto_tree_add_text( tree, tvb, var_off, val, "Password: %s", buff );
465 case TAC_PLUS_AUTHEN_TYPE_CHAP:
466 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "CHAP Data Length %d", val );
470 guint8 chal_len=val-(1+16); /* Response field alwayes 16 octets */
471 pi = proto_tree_add_text(tree, tvb, var_off, val, "CHAP Data" );
472 pt = proto_item_add_subtree( pi, ett_tacplus_body_chap );
473 val= tvb_get_guint8( tvb, var_off );
474 proto_tree_add_text( pt, tvb, var_off, 1, "ID: %d", val );
476 tvb_get_nstringz0( tvb, var_off, chal_len+1, buff );
477 proto_tree_add_text( pt, tvb, var_off, chal_len, "Challenge: %s", buff );
479 tvb_get_nstringz0( tvb, var_off, 16+1, buff );
480 proto_tree_add_text( pt, tvb, var_off, 16 , "Response: %s", buff );
483 case TAC_PLUS_AUTHEN_TYPE_MSCHAP:
484 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "MSCHAP Data Length %d", val );
488 guint8 chal_len=val-(1+49); /* Response field alwayes 49 octets */
489 pi = proto_tree_add_text(tree, tvb, var_off, val, "MSCHAP Data" );
490 pt = proto_item_add_subtree( pi, ett_tacplus_body_chap );
491 val= tvb_get_guint8( tvb, var_off );
492 proto_tree_add_text( pt, tvb, var_off, 1, "ID: %d", val );
494 tvb_get_nstringz0( tvb, var_off, chal_len+1, buff );
495 proto_tree_add_text( pt, tvb, var_off, chal_len, "Challenge: %s", buff );
497 tvb_get_nstringz0( tvb, var_off, 49+1, buff );
498 proto_tree_add_text( pt, tvb, var_off, 49 , "Response: %s", buff );
501 case TAC_PLUS_AUTHEN_TYPE_ARAP:
502 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "ARAP Data Length %d", val );
506 pi = proto_tree_add_text(tree, tvb, var_off, val, "ARAP Data" );
507 pt = proto_item_add_subtree( pi, ett_tacplus_body_chap );
509 tvb_get_nstringz0( tvb, var_off, 8+1, buff );
510 proto_tree_add_text( pt, tvb, var_off, 8, "Nas Challenge: %s", buff );
512 tvb_get_nstringz0( tvb, var_off, 8+1, buff );
513 proto_tree_add_text( pt, tvb, var_off, 8, "Remote Challenge: %s", buff );
515 tvb_get_nstringz0( tvb, var_off, 8+1, buff );
516 proto_tree_add_text( pt, tvb, var_off, 8, "Remote Response: %s", buff );
521 default: /* Should not be reached */
522 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "Data: %d", val );
524 proto_tree_add_text( tree, tvb, var_off, val, "Data" );
530 dissect_tacplus_body_authen_req( tvbuff_t* tvb, proto_tree *tree )
533 int var_off=AUTHEN_S_VARDATA_OFF;
536 val=tvb_get_guint8( tvb, AUTHEN_S_ACTION_OFF );
537 proto_tree_add_text( tree, tvb,
538 AUTHEN_S_ACTION_OFF, 1,
540 val_to_str( val, tacplus_authen_action_vals, "Unknown Packet" ) );
542 var_off=proto_tree_add_tacplus_common_fields( tvb, tree , AUTHEN_S_PRIV_LVL_OFF, AUTHEN_S_VARDATA_OFF );
545 case TAC_PLUS_AUTHEN_LOGIN:
546 dissect_tacplus_body_authen_req_login( tvb, tree, var_off );
548 case TAC_PLUS_AUTHEN_SENDAUTH:
554 dissect_tacplus_body_authen_req_cont( tvbuff_t *tvb, proto_tree *tree )
557 int var_off=AUTHEN_C_VARDATA_OFF;
560 val=tvb_get_guint8( tvb, AUTHEN_C_FLAGS_OFF );
561 proto_tree_add_text( tree, tvb,
562 AUTHEN_R_FLAGS_OFF, 1, "Flags: 0x%02x %s",
564 (val&TAC_PLUS_CONTINUE_FLAG_ABORT?"(Abort)":"") );
567 val=tvb_get_ntohs( tvb, AUTHEN_C_USER_LEN_OFF );
568 proto_tree_add_text( tree, tvb, AUTHEN_C_USER_LEN_OFF, 2 , "User length: %d", val );
570 buff=tvb_get_ephemeral_string( tvb, var_off, val );
571 proto_tree_add_text( tree, tvb, var_off, val, "User: %s", buff );
575 val=tvb_get_ntohs( tvb, AUTHEN_C_DATA_LEN_OFF );
576 proto_tree_add_text( tree, tvb, AUTHEN_C_DATA_LEN_OFF, 2 ,
577 "Data length: %d", val );
579 proto_tree_add_text( tree, tvb, var_off, val, "Data" );
586 dissect_tacplus_body_authen_rep( tvbuff_t *tvb, proto_tree *tree )
589 int var_off=AUTHEN_R_VARDATA_OFF;
592 val=tvb_get_guint8( tvb, AUTHEN_R_STATUS_OFF );
593 proto_tree_add_text(tree, tvb,
594 AUTHEN_R_STATUS_OFF, 1, "Status: 0x%01x (%s)", val,
595 val_to_str( val, tacplus_reply_status_vals, "Unknown Packet" ) );
597 val=tvb_get_guint8( tvb, AUTHEN_R_FLAGS_OFF );
598 proto_tree_add_text(tree, tvb,
599 AUTHEN_R_FLAGS_OFF, 1, "Flags: 0x%02x %s",
600 val, (val&TAC_PLUS_REPLY_FLAG_NOECHO?"(NoEcho)":"") );
603 val=tvb_get_ntohs(tvb, AUTHEN_R_SRV_MSG_LEN_OFF );
604 proto_tree_add_text( tree, tvb, AUTHEN_R_SRV_MSG_LEN_OFF, 2 ,
605 "Server message length: %d", val );
607 buff=tvb_get_ephemeral_string(tvb, var_off, val );
608 proto_tree_add_text(tree, tvb, var_off, val, "Server message: %s", buff );
612 val=tvb_get_ntohs(tvb, AUTHEN_R_DATA_LEN_OFF );
613 proto_tree_add_text( tree, tvb, AUTHEN_R_DATA_LEN_OFF, 2 ,
614 "Data length: %d", val );
616 proto_tree_add_text(tree, tvb, var_off, val, "Data" );
621 dissect_tacplus_body_author_req( tvbuff_t* tvb, proto_tree *tree )
626 val=tvb_get_guint8( tvb, AUTHOR_Q_AUTH_METH_OFF ) ;
627 proto_tree_add_text( tree, tvb, AUTHOR_Q_AUTH_METH_OFF, 1,
628 "Auth Method: %s", val_to_str( val, tacplus_authen_method, "Unknown Authen Method" ) );
630 val=tvb_get_guint8( tvb, AUTHOR_Q_ARGC_OFF );
631 var_off=proto_tree_add_tacplus_common_fields( tvb, tree ,
632 AUTHOR_Q_PRIV_LVL_OFF,
633 AUTHOR_Q_VARDATA_OFF + val );
635 proto_tree_add_text( tree, tvb, AUTHOR_Q_ARGC_OFF, 1, "Arg count: %d", val );
637 /* var_off points after rem_addr */
639 dissect_tacplus_args_list( tvb, tree, var_off, AUTHOR_Q_VARDATA_OFF, val );
643 dissect_tacplus_body_author_rep( tvbuff_t* tvb, proto_tree *tree )
645 int offset=AUTHOR_R_VARDATA_OFF;
646 int val=tvb_get_guint8( tvb, AUTHOR_R_STATUS_OFF ) ;
649 proto_tree_add_text( tree, tvb, AUTHOR_R_STATUS_OFF , 1,
650 "Auth Status: 0x%01x (%s)", val,
651 val_to_str( val, tacplus_author_status, "Unknown Authorization Status" ));
653 val=tvb_get_ntohs( tvb, AUTHOR_R_SRV_MSG_LEN_OFF );
655 proto_tree_add_text( tree, tvb, AUTHOR_R_SRV_MSG_LEN_OFF, 2, "Server Msg length: %d", val );
657 val=tvb_get_ntohs( tvb, AUTHOR_R_DATA_LEN_OFF );
659 proto_tree_add_text( tree, tvb, AUTHOR_R_DATA_LEN_OFF, 2, "Data length: %d", val );
661 val=tvb_get_guint8( tvb, AUTHOR_R_ARGC_OFF);
663 proto_tree_add_text( tree, tvb, AUTHOR_R_ARGC_OFF, 1, "Arg count: %d", val );
665 dissect_tacplus_args_list( tvb, tree, offset, AUTHOR_R_VARDATA_OFF, val );
669 dissect_tacplus_body_acct_req( tvbuff_t* tvb, proto_tree *tree )
674 proto_tree *flags_tree;
676 val=tvb_get_guint8( tvb, ACCT_Q_FLAGS_OFF );
677 tf = proto_tree_add_uint( tree, hf_tacplus_acct_flags, tvb, ACCT_Q_FLAGS_OFF, 1, val );
679 flags_tree = proto_item_add_subtree( tf, ett_tacplus_acct_flags );
680 proto_tree_add_text( flags_tree, tvb, ACCT_Q_FLAGS_OFF, 1, "%s",
681 decode_boolean_bitfield( val, TAC_PLUS_ACCT_FLAG_MORE, 8,
682 "More: Set", "More: Not set" ) );
683 proto_tree_add_text( flags_tree, tvb, ACCT_Q_FLAGS_OFF, 1, "%s",
684 decode_boolean_bitfield( val, TAC_PLUS_ACCT_FLAG_START, 8,
685 "Start: Set", "Start: Not set" ) );
686 proto_tree_add_text( flags_tree, tvb, ACCT_Q_FLAGS_OFF, 1, "%s",
687 decode_boolean_bitfield( val, TAC_PLUS_ACCT_FLAG_STOP, 8,
688 "Stop: Set", "Stop: Not set" ) );
689 proto_tree_add_text( flags_tree, tvb, ACCT_Q_FLAGS_OFF, 1, "%s",
690 decode_boolean_bitfield( val, TAC_PLUS_ACCT_FLAG_WATCHDOG, 8,
691 "Watchdog: Set", "Watchdog: Not set" ) );
693 val=tvb_get_guint8( tvb, ACCT_Q_METHOD_OFF );
694 proto_tree_add_text( tree, tvb, ACCT_Q_METHOD_OFF, 1,
695 "Authen Method: 0x%01x (%s)",
696 val, val_to_str( val, tacplus_authen_method, "Unknown Authen Method" ) );
698 val=tvb_get_guint8( tvb, ACCT_Q_ARG_CNT_OFF );
701 var_off=proto_tree_add_tacplus_common_fields( tvb, tree ,
703 ACCT_Q_VARDATA_OFF+val
706 proto_tree_add_text( tree, tvb, ACCT_Q_ARG_CNT_OFF, 1,
707 "Arg Cnt: %d", val );
709 dissect_tacplus_args_list( tvb, tree, var_off, ACCT_Q_VARDATA_OFF, val );
715 dissect_tacplus_body_acct_rep( tvbuff_t* tvb, proto_tree *tree )
717 int val, var_off=ACCT_Q_VARDATA_OFF;
722 val=tvb_get_guint8( tvb, ACCT_R_STATUS_OFF );
723 proto_tree_add_text( tree, tvb, ACCT_R_STATUS_OFF, 1, "Status: 0x%02x (%s)", val,
724 val_to_str( val, tacplus_acct_status, "Bogus status..") );
727 val=tvb_get_ntohs( tvb, ACCT_R_SRV_MSG_LEN_OFF );
728 proto_tree_add_text( tree, tvb, ACCT_R_SRV_MSG_LEN_OFF, 2 ,
729 "Server message length: %d", val );
731 buff=tvb_get_ephemeral_string( tvb, var_off, val );
732 proto_tree_add_text( tree, tvb, var_off,
733 val, "Server message: %s", buff );
738 val=tvb_get_ntohs( tvb, ACCT_R_DATA_LEN_OFF );
739 proto_tree_add_text( tree, tvb, ACCT_R_DATA_LEN_OFF, 2 ,
740 "Data length: %d", val );
742 buff= tvb_get_ephemeral_string( tvb, var_off, val );
743 proto_tree_add_text( tree, tvb, var_off,
744 val, "Data: %s", buff );
751 dissect_tacplus_body(tvbuff_t * hdr_tvb, tvbuff_t * tvb, proto_tree * tree )
753 int type = tvb_get_guint8( hdr_tvb, H_TYPE_OFF );
754 int seq_no = tvb_get_guint8( hdr_tvb, H_SEQ_NO_OFF );
757 case TAC_PLUS_AUTHEN:
758 if ( seq_no & 0x01) {
760 dissect_tacplus_body_authen_req( tvb, tree );
762 dissect_tacplus_body_authen_req_cont( tvb, tree );
764 dissect_tacplus_body_authen_rep( tvb, tree );
767 case TAC_PLUS_AUTHOR:
769 dissect_tacplus_body_author_req( tvb, tree );
771 dissect_tacplus_body_author_rep( tvb, tree );
775 dissect_tacplus_body_acct_req( tvb, tree );
777 dissect_tacplus_body_acct_rep( tvb, tree );
780 proto_tree_add_text( tree, tvb, 0, tvb_length( tvb ), "Bogus..");
787 tacplus_print_key_entry( gpointer data, gpointer user_data )
789 tacplus_key_entry *tacplus_data=(tacplus_key_entry *)data;
791 printf("%s:%s=%s\n", address_to_str( tacplus_data->s ),
792 address_to_str( tacplus_data->c ), tacplus_data->k );
794 printf("%s:%s\n", address_to_str( tacplus_data->s ),
795 address_to_str( tacplus_data->c ) );
800 cmp_conv_address( gconstpointer p1, gconstpointer p2 )
802 const tacplus_key_entry *a1=p1;
803 const tacplus_key_entry *a2=p2;
807 tacplus_print_key_entry( p1, NULL );
809 tacplus_print_key_entry( p2, NULL );
811 ret=CMP_ADDRESS( a1->s, a2->s );
813 ret=CMP_ADDRESS( a1->c, a2->c );
816 printf("No Client found!"); */
818 /* printf("No Server found!"); */
824 find_key( address *srv, address *cln )
826 tacplus_key_entry data;
831 /* printf("Looking for: ");
832 tacplus_print_key_entry( (gconstpointer)&data, NULL ); */
833 match=g_slist_find_custom( tacplus_keys, (gpointer)&data, cmp_conv_address );
834 /* printf("Finished (%p)\n", match); */
836 return ((tacplus_key_entry*)match->data)->k;
838 return (tacplus_keys?NULL:tacplus_opt_key);
842 mkipv4_address( address **addr, const char *str_addr )
846 *addr=g_malloc( sizeof(address) );
847 addr_data=g_malloc( 4 );
848 inet_pton( AF_INET, str_addr, addr_data );
849 (*addr)->type=AT_IPv4;
851 (*addr)->data=(guint8*)addr_data;
854 parse_tuple( char *key_from_option )
857 tacplus_key_entry *tacplus_data=g_malloc( sizeof(tacplus_key_entry) );
859 printf("keys: %s\n", key_from_option );
861 client=strchr(key_from_option,'/');
863 g_free(tacplus_data);
867 key=strchr(client,'=');
869 g_free(tacplus_data);
874 printf("%s %s => %s\n", key_from_option, client, key );
876 mkipv4_address( &tacplus_data->s, key_from_option );
877 mkipv4_address( &tacplus_data->c, client );
878 tacplus_data->k=g_strdup(key);
879 tacplus_keys = g_slist_prepend( tacplus_keys, tacplus_data );
884 parse_tacplus_keys( const char *keys_from_option )
886 char *key_copy,*s,*s1;
890 g_slist_free( tacplus_keys );
894 if( !strchr( keys_from_option, '/' ) ){
895 /* option not in client/server=key format */
898 key_copy=g_strdup(keys_from_option);
901 if( (s1=strchr( s, ' ' )) != NULL )
908 g_slist_foreach( tacplus_keys, tacplus_print_key_entry, GINT_TO_POINTER(1) );
913 dissect_tacplus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
915 tvbuff_t *new_tvb=NULL;
916 proto_tree *tacplus_tree;
917 proto_item *ti, *hidden_item;
918 guint8 version,flags;
919 proto_tree *flags_tree;
923 gboolean request=( pinfo->destport == TCP_PORT_TACACS );
924 const char *key=NULL;
926 len = tvb_get_ntohl(tvb, 8);
928 if(len > (guint)tvb_length_remaining(tvb, 12) &&
929 pinfo->can_desegment && tacplus_preference_desegment) {
930 pinfo->desegment_offset = 0;
931 pinfo->desegment_len = len;
936 key=find_key( &pinfo->dst, &pinfo->src );
938 key=find_key( &pinfo->src, &pinfo->dst );
940 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TACACS+");
942 if (check_col(pinfo->cinfo, COL_INFO))
944 int type = tvb_get_guint8(tvb,1);
945 col_add_fstr( pinfo->cinfo, COL_INFO, "%s: %s",
947 val_to_str(type, tacplus_type_vals, "Unknown (0x%02x)"));
952 ti = proto_tree_add_protocol_format(tree, proto_tacplus,
953 tvb, 0, -1, "TACACS+");
955 tacplus_tree = proto_item_add_subtree(ti, ett_tacplus);
956 if (pinfo->match_port == pinfo->destport)
958 hidden_item = proto_tree_add_boolean(tacplus_tree,
959 hf_tacplus_request, tvb, 0, 0, TRUE);
963 hidden_item = proto_tree_add_boolean(tacplus_tree,
964 hf_tacplus_response, tvb, 0, 0, TRUE);
966 PROTO_ITEM_SET_HIDDEN(hidden_item);
968 version = tvb_get_guint8(tvb,0);
969 proto_tree_add_uint_format(tacplus_tree, hf_tacplus_majvers, tvb, 0, 1,
972 (version&0xf0)==0xc0?"TACACS+":"Unknown Version");
973 proto_tree_add_uint(tacplus_tree, hf_tacplus_minvers, tvb, 0, 1,
975 proto_tree_add_item(tacplus_tree, hf_tacplus_type, tvb, 1, 1,
977 proto_tree_add_item(tacplus_tree, hf_tacplus_seqno, tvb, 2, 1,
979 flags = tvb_get_guint8(tvb,3);
980 tf = proto_tree_add_uint_format(tacplus_tree, hf_tacplus_flags,
982 "Flags: 0x%02x (%s payload, %s)",
984 (flags&FLAGS_UNENCRYPTED) ? "Unencrypted" :
986 (flags&FLAGS_SINGLE) ? "Single connection" :
987 "Multiple Connections" );
988 flags_tree = proto_item_add_subtree(tf, ett_tacplus_flags);
989 proto_tree_add_boolean(flags_tree, hf_tacplus_flags_payload_type,
991 proto_tree_add_boolean(flags_tree, hf_tacplus_flags_connection_type,
993 proto_tree_add_item(tacplus_tree, hf_tacplus_session_id, tvb, 4, 4,
996 if ((gint) len < 1) {
997 proto_tree_add_text(tacplus_tree, tvb, 8, 4,
998 "Invalid length: %u", len);
999 THROW(ReportedBoundsError);
1001 proto_tree_add_uint(tacplus_tree, hf_tacplus_packet_len, tvb, 8, 4,
1004 tmp_pi = proto_tree_add_text(tacplus_tree, tvb, TAC_PLUS_HDR_SIZE, len, "%s%s",
1005 ((flags&FLAGS_UNENCRYPTED)?"":"Encrypted "), request?"Request":"Reply" );
1007 if( flags&FLAGS_UNENCRYPTED ) {
1008 new_tvb = tvb_new_subset( tvb, TAC_PLUS_HDR_SIZE, len, len );
1012 tacplus_decrypted_tvb_setup( tvb, &new_tvb, pinfo, len, version, key );
1016 /* Check to see if I've a decrypted tacacs packet */
1017 if( !(flags&FLAGS_UNENCRYPTED) ){
1018 tmp_pi = proto_tree_add_text(tacplus_tree, new_tvb, 0, len, "Decrypted %s",
1019 request?"Request":"Reply" );
1021 dissect_tacplus_body( tvb, new_tvb, proto_item_add_subtree( tmp_pi, ett_tacplus_body ));
1027 tacplus_pref_cb(void)
1029 parse_tacplus_keys( tacplus_opt_key );
1033 proto_register_tacplus(void)
1035 static hf_register_info hf[] = {
1036 { &hf_tacplus_response,
1037 { "Response", "tacplus.response",
1038 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1039 "TRUE if TACACS+ response", HFILL }},
1040 { &hf_tacplus_request,
1041 { "Request", "tacplus.request",
1042 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1043 "TRUE if TACACS+ request", HFILL }},
1044 { &hf_tacplus_majvers,
1045 { "Major version", "tacplus.majvers",
1046 FT_UINT8, BASE_DEC, NULL, 0x0,
1047 "Major version number", HFILL }},
1048 { &hf_tacplus_minvers,
1049 { "Minor version", "tacplus.minvers",
1050 FT_UINT8, BASE_DEC, NULL, 0x0,
1051 "Minor version number", HFILL }},
1053 { "Type", "tacplus.type",
1054 FT_UINT8, BASE_DEC, VALS(tacplus_type_vals), 0x0,
1056 { &hf_tacplus_seqno,
1057 { "Sequence number", "tacplus.seqno",
1058 FT_UINT8, BASE_DEC, NULL, 0x0,
1060 { &hf_tacplus_flags,
1061 { "Flags", "tacplus.flags",
1062 FT_UINT8, BASE_HEX, NULL, 0x0,
1064 { &hf_tacplus_flags_payload_type,
1065 { "Unencrypted", "tacplus.flags.unencrypted",
1066 FT_BOOLEAN, 8, TFS(&tfs_set_notset), FLAGS_UNENCRYPTED,
1067 "Is payload unencrypted?", HFILL }},
1068 { &hf_tacplus_flags_connection_type,
1069 { "Single Connection", "tacplus.flags.singleconn",
1070 FT_BOOLEAN, 8, TFS(&tfs_set_notset), FLAGS_SINGLE,
1071 "Is this a single connection?", HFILL }},
1072 { &hf_tacplus_acct_flags,
1073 { "Flags", "tacplus.acct.flags",
1074 FT_UINT8, BASE_HEX, NULL, 0x0,
1076 { &hf_tacplus_session_id,
1077 { "Session ID", "tacplus.session_id",
1078 FT_UINT32, BASE_DEC, NULL, 0x0,
1080 { &hf_tacplus_packet_len,
1081 { "Packet length", "tacplus.packet_len",
1082 FT_UINT32, BASE_DEC, NULL, 0x0,
1085 static gint *ett[] = {
1088 &ett_tacplus_acct_flags,
1090 &ett_tacplus_body_chap,
1092 module_t *tacplus_module;
1094 proto_tacplus = proto_register_protocol("TACACS+", "TACACS+", "tacplus");
1095 proto_register_field_array(proto_tacplus, hf, array_length(hf));
1096 proto_register_subtree_array(ett, array_length(ett));
1097 tacplus_module = prefs_register_protocol (proto_tacplus, tacplus_pref_cb );
1099 prefs_register_bool_preference(tacplus_module, "desegment", "Reassemble TACACS+ messages spanning multiple TCP segments.", "Whether the TACACS+ dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.", &tacplus_preference_desegment);
1101 prefs_register_string_preference ( tacplus_module, "key",
1102 "TACACS+ Encryption Key", "TACACS+ Encryption Key", &tacplus_opt_key );
1106 proto_reg_handoff_tacplus(void)
1108 dissector_handle_t tacplus_handle;
1110 tacplus_handle = create_dissector_handle(dissect_tacplus,
1112 dissector_add("tcp.port", TCP_PORT_TACACS, tacplus_handle);
1119 md5_xor( guint8 *data, const char *key, int data_len, guint8 *session_id, guint8 version, guint8 seq_no )
1123 md5_byte_t *md5_buff;
1124 md5_byte_t hash[MD5_LEN]; /* the md5 hash */
1126 md5_state_t mdcontext;
1128 md5_len = 4 /* sizeof(session_id) */ + strlen(key)
1129 + sizeof(version) + sizeof(seq_no);
1131 md5_buff = (md5_byte_t*)ep_alloc(md5_len+MD5_LEN);
1135 memcpy(mdp, session_id, 4);
1137 memcpy(mdp, key, strlen(key));
1143 md5_init(&mdcontext);
1144 md5_append(&mdcontext, md5_buff, md5_len);
1145 md5_finish(&mdcontext,hash);
1147 for (i = 0; i < data_len; i += 16) {
1149 for (j = 0; j < 16; j++) {
1150 if ((i + j) >= data_len) {
1151 i = data_len+1; /* To exit from the external loop */
1154 data[i + j] ^= hash[j];
1156 memcpy(mdp, hash, MD5_LEN);
1157 md5_init(&mdcontext);
1158 md5_append(&mdcontext, md5_buff, md5_len);
1159 md5_finish(&mdcontext,hash);