2 * Routines for cisco tacacs/xtacacs/tacacs+ packet dissection
3 * Copyright 2001, Paul Ionescu <paul@acorp.ro>
5 * Full Tacacs+ parsing with decryption by
6 * Emanuele Caratti <wiz@iol.it>
8 * $Id: packet-tacacs.c,v 1.32 2003/12/19 19:03:13 guy Exp $
10 * Ethereal - Network traffic analyzer
11 * By Gerald Combs <gerald@ethereal.com>
12 * Copyright 1998 Gerald Combs
14 * Copied from old packet-tacacs.c
16 * This program is free software; you can redistribute it and/or
17 * modify it under the terms of the GNU General Public License
18 * as published by the Free Software Foundation; either version 2
19 * of the License, or (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, write to the Free Software
28 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 /* rfc-1492 for tacacs and xtacacs
33 * draft-grant-tacacs-02.txt for tacacs+ (tacplus)
44 #include <epan/packet.h>
47 #include "crypt-md5.h"
48 #include "packet-tacacs.h"
50 static void md5_xor( guint8 *data, char *key, int data_len, guint8 *session_id, guint8 version, guint8 seq_no );
52 static int proto_tacacs = -1;
53 static int hf_tacacs_version = -1;
54 static int hf_tacacs_type = -1;
55 static int hf_tacacs_nonce = -1;
56 static int hf_tacacs_userlen = -1;
57 static int hf_tacacs_passlen = -1;
58 static int hf_tacacs_response = -1;
59 static int hf_tacacs_reason = -1;
60 static int hf_tacacs_result1 = -1;
61 static int hf_tacacs_destaddr = -1;
62 static int hf_tacacs_destport = -1;
63 static int hf_tacacs_line = -1;
64 static int hf_tacacs_result2 = -1;
65 static int hf_tacacs_result3 = -1;
67 static gint ett_tacacs = -1;
69 static char *tacplus_opt_key;
70 static GSList *tacplus_keys = NULL;
72 #define VERSION_TACACS 0x00
73 #define VERSION_XTACACS 0x80
75 static const value_string tacacs_version_vals[] = {
76 { VERSION_TACACS, "TACACS" },
77 { VERSION_XTACACS, "XTACACS" },
81 #define TACACS_LOGIN 1
82 #define TACACS_RESPONSE 2
83 #define TACACS_CHANGE 3
84 #define TACACS_FOLLOW 4
85 #define TACACS_CONNECT 5
86 #define TACACS_SUPERUSER 6
87 #define TACACS_LOGOUT 7
88 #define TACACS_RELOAD 8
89 #define TACACS_SLIP_ON 9
90 #define TACACS_SLIP_OFF 10
91 #define TACACS_SLIP_ADDR 11
92 static const value_string tacacs_type_vals[] = {
93 { TACACS_LOGIN, "Login" },
94 { TACACS_RESPONSE, "Response" },
95 { TACACS_CHANGE, "Change" },
96 { TACACS_FOLLOW, "Follow" },
97 { TACACS_CONNECT, "Connect" },
98 { TACACS_SUPERUSER, "Superuser" },
99 { TACACS_LOGOUT, "Logout" },
100 { TACACS_RELOAD, "Reload" },
101 { TACACS_SLIP_ON, "SLIP on" },
102 { TACACS_SLIP_OFF, "SLIP off" },
103 { TACACS_SLIP_ADDR, "SLIP Addr" },
106 static const value_string tacacs_reason_vals[] = {
118 static const value_string tacacs_resp_vals[] = {
119 { 0 , "this is not a response" },
125 #define UDP_PORT_TACACS 49
126 #define TCP_PORT_TACACS 49
129 dissect_tacacs(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
131 proto_tree *tacacs_tree;
133 guint8 txt_buff[255+1],version,type,userlen,passlen;
135 if (check_col(pinfo->cinfo, COL_PROTOCOL))
136 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TACACS");
137 if (check_col(pinfo->cinfo, COL_INFO))
138 col_clear(pinfo->cinfo, COL_INFO);
140 version = tvb_get_guint8(tvb,0);
142 if (check_col(pinfo->cinfo, COL_PROTOCOL))
143 col_set_str(pinfo->cinfo, COL_PROTOCOL, "XTACACS");
146 type = tvb_get_guint8(tvb,1);
147 if (check_col(pinfo->cinfo, COL_INFO))
148 col_add_str(pinfo->cinfo, COL_INFO,
149 val_to_str(type, tacacs_type_vals, "Unknown (0x%02x)"));
153 ti = proto_tree_add_protocol_format(tree, proto_tacacs,
154 tvb, 0, -1, version==0?"TACACS":"XTACACS");
155 tacacs_tree = proto_item_add_subtree(ti, ett_tacacs);
157 proto_tree_add_uint(tacacs_tree, hf_tacacs_version, tvb, 0, 1,
159 proto_tree_add_uint(tacacs_tree, hf_tacacs_type, tvb, 1, 1,
161 proto_tree_add_item(tacacs_tree, hf_tacacs_nonce, tvb, 2, 2,
166 if (type!=TACACS_RESPONSE)
168 userlen=tvb_get_guint8(tvb,4);
169 proto_tree_add_uint(tacacs_tree, hf_tacacs_userlen, tvb, 4, 1,
171 passlen=tvb_get_guint8(tvb,5);
172 proto_tree_add_uint(tacacs_tree, hf_tacacs_passlen, tvb, 5, 1,
174 tvb_get_nstringz0(tvb,6,userlen+1,txt_buff);
175 proto_tree_add_text(tacacs_tree, tvb, 6, userlen, "Username: %s",txt_buff);
176 tvb_get_nstringz0(tvb,6+userlen,passlen+1,txt_buff);
177 proto_tree_add_text(tacacs_tree, tvb, 6+userlen, passlen, "Password: %s",txt_buff);
181 proto_tree_add_item(tacacs_tree, hf_tacacs_response, tvb, 4, 1,
183 proto_tree_add_item(tacacs_tree, hf_tacacs_reason, tvb, 5, 1,
189 userlen=tvb_get_guint8(tvb,4);
190 proto_tree_add_uint(tacacs_tree, hf_tacacs_userlen, tvb, 4, 1,
192 passlen=tvb_get_guint8(tvb,5);
193 proto_tree_add_uint(tacacs_tree, hf_tacacs_passlen, tvb, 5, 1,
195 proto_tree_add_item(tacacs_tree, hf_tacacs_response, tvb, 6, 1,
197 proto_tree_add_item(tacacs_tree, hf_tacacs_reason, tvb, 7, 1,
199 proto_tree_add_item(tacacs_tree, hf_tacacs_result1, tvb, 8, 4,
201 proto_tree_add_item(tacacs_tree, hf_tacacs_destaddr, tvb, 12, 4,
203 proto_tree_add_item(tacacs_tree, hf_tacacs_destport, tvb, 16, 2,
205 proto_tree_add_item(tacacs_tree, hf_tacacs_line, tvb, 18, 2,
207 proto_tree_add_item(tacacs_tree, hf_tacacs_result2, tvb, 20, 4,
209 proto_tree_add_item(tacacs_tree, hf_tacacs_result3, tvb, 24, 2,
211 if (type!=TACACS_RESPONSE)
213 tvb_get_nstringz0(tvb,26,userlen+1,txt_buff);
214 proto_tree_add_text(tacacs_tree, tvb, 26, userlen, "Username: %s",txt_buff);
215 tvb_get_nstringz0(tvb,26+userlen,passlen+1,txt_buff);
216 proto_tree_add_text(tacacs_tree, tvb, 26+userlen, passlen, "Password; %s",txt_buff);
223 proto_register_tacacs(void)
225 static hf_register_info hf[] = {
226 { &hf_tacacs_version,
227 { "Version", "tacacs.version",
228 FT_UINT8, BASE_HEX, VALS(tacacs_version_vals), 0x0,
231 { "Type", "tacacs.type",
232 FT_UINT8, BASE_DEC, VALS(tacacs_type_vals), 0x0,
235 { "Nonce", "tacacs.nonce",
236 FT_UINT16, BASE_HEX, NULL, 0x0,
238 { &hf_tacacs_userlen,
239 { "Username length", "tacacs.userlen",
240 FT_UINT8, BASE_DEC, NULL, 0x0,
241 "Username length", HFILL }},
242 { &hf_tacacs_passlen,
243 { "Password length", "tacacs.passlen",
244 FT_UINT8, BASE_DEC, NULL, 0x0,
245 "Password length", HFILL }},
246 { &hf_tacacs_response,
247 { "Response", "tacacs.response",
248 FT_UINT8, BASE_DEC, VALS(tacacs_resp_vals), 0x0,
249 "Response", HFILL }},
251 { "Reason", "tacacs.reason",
252 FT_UINT8, BASE_DEC, VALS(tacacs_reason_vals), 0x0,
254 { &hf_tacacs_result1,
255 { "Result 1", "tacacs.result1",
256 FT_UINT32, BASE_HEX, NULL, 0x0,
257 "Result 1", HFILL }},
258 { &hf_tacacs_destaddr,
259 { "Destination address", "tacacs.destaddr",
260 FT_IPv4, BASE_NONE, NULL, 0x0,
261 "Destination address", HFILL }},
262 { &hf_tacacs_destport,
263 { "Destination port", "tacacs.destport",
264 FT_UINT16, BASE_DEC, NULL, 0x0,
265 "Destination port", HFILL }},
267 { "Line", "tacacs.line",
268 FT_UINT16, BASE_DEC, NULL, 0x0,
270 { &hf_tacacs_result2,
271 { "Result 2", "tacacs.result2",
272 FT_UINT32, BASE_HEX, NULL, 0x0,
273 "Result 2", HFILL }},
274 { &hf_tacacs_result3,
275 { "Result 3", "tacacs.result3",
276 FT_UINT16, BASE_HEX, NULL, 0x0,
277 "Result 3", HFILL }},
280 static gint *ett[] = {
283 proto_tacacs = proto_register_protocol("TACACS", "TACACS", "tacacs");
284 proto_register_field_array(proto_tacacs, hf, array_length(hf));
285 proto_register_subtree_array(ett, array_length(ett));
289 proto_reg_handoff_tacacs(void)
291 dissector_handle_t tacacs_handle;
293 tacacs_handle = create_dissector_handle(dissect_tacacs, proto_tacacs);
294 dissector_add("udp.port", UDP_PORT_TACACS, tacacs_handle);
297 static int proto_tacplus = -1;
298 static int hf_tacplus_response = -1;
299 static int hf_tacplus_request = -1;
300 static int hf_tacplus_majvers = -1;
301 static int hf_tacplus_minvers = -1;
302 static int hf_tacplus_type = -1;
303 static int hf_tacplus_seqno = -1;
304 static int hf_tacplus_flags = -1;
305 static int hf_tacplus_flags_payload_type = -1;
306 static int hf_tacplus_flags_connection_type = -1;
307 static int hf_tacplus_acct_flags = -1;
308 static int hf_tacplus_session_id = -1;
309 static int hf_tacplus_packet_len = -1;
311 static gint ett_tacplus = -1;
312 static gint ett_tacplus_body = -1;
313 static gint ett_tacplus_body_chap = -1;
314 static gint ett_tacplus_flags = -1;
315 static gint ett_tacplus_acct_flags = -1;
317 typedef struct _tacplus_key_entry {
318 address *s; /* Server address */
319 address *c; /* client address */
324 tacplus_decrypted_tvb_setup( tvbuff_t *tvb, tvbuff_t **dst_tvb, packet_info *pinfo, guint32 len, guint8 version, char *key )
327 guint8 session_id[4];
329 /* TODO Check the possibility to use pinfo->decrypted_data */
330 /* session_id is in NETWORK Byte Order, and is used as byte array in the md5_xor */
332 tvb_memcpy(tvb, (guint8*)session_id, 4,4);
334 buff = tvb_memdup(tvb, TAC_PLUS_HDR_SIZE, len);
337 md5_xor( buff, key, len, session_id,version, tvb_get_guint8(tvb,2) );
339 /* Allocate a new tvbuff, referring to the decrypted data. */
340 *dst_tvb = tvb_new_real_data( buff, len, len );
342 /* Arrange that the allocated packet data copy be freed when the
344 tvb_set_free_cb( *dst_tvb, g_free );
346 /* Add the tvbuff to the list of tvbuffs to which the tvbuff we
347 were handed refers, so it'll get cleaned up when that tvbuff
349 tvb_set_child_real_data_tvbuff( tvb, *dst_tvb );
351 /* Add the decrypted data to the data source list. */
352 add_new_data_source(pinfo, *dst_tvb, "TACACS+ Decrypted");
357 dissect_tacplus_args_list( tvbuff_t *tvb, proto_tree *tree, int data_off, int len_off, int arg_cnt )
361 for(i=0;i<arg_cnt;i++){
362 int len=tvb_get_guint8(tvb,len_off+i);
363 proto_tree_add_text( tree, tvb, len_off+i, 1, "Arg[%d] length: %d", i, len );
364 tvb_get_nstringz0(tvb, data_off, len+1, buff);
365 proto_tree_add_text( tree, tvb, data_off, len, "Arg[%d] value: %s", i, buff );
372 proto_tree_add_tacplus_common_fields( tvbuff_t *tvb, proto_tree *tree, int offset, int var_off )
377 proto_tree_add_text( tree, tvb, offset, 1,
378 "Privilege Level: %d", tvb_get_guint8(tvb,offset) );
382 val=tvb_get_guint8(tvb,offset);
383 proto_tree_add_text( tree, tvb, offset, 1,
384 "Authentication type: %s",
385 val_to_str( val, tacplus_authen_type_vals, "Unknown Packet" ) );
389 val=tvb_get_guint8(tvb,offset);
390 proto_tree_add_text( tree, tvb, offset, 1,
392 val_to_str( val, tacplus_authen_service_vals, "Unknown Packet" ) );
395 /* user_len && user */
396 val=tvb_get_guint8(tvb,offset);
397 proto_tree_add_text( tree, tvb, offset, 1, "User len: %d", val );
399 tvb_get_nstringz0(tvb, var_off, val+1, buff);
400 proto_tree_add_text( tree, tvb, var_off, val, "User: %s", buff );
406 /* port_len && port */
407 val=tvb_get_guint8(tvb,offset);
408 proto_tree_add_text( tree, tvb, offset, 1, "Port len: %d", val );
410 tvb_get_nstringz0(tvb, var_off, val+1, buff);
411 proto_tree_add_text( tree, tvb, var_off, val, "Port: %s", buff );
416 /* rem_addr_len && rem_addr */
417 val=tvb_get_guint8(tvb,offset);
418 proto_tree_add_text( tree, tvb, offset, 1, "Remaddr len: %d", val );
420 tvb_get_nstringz0(tvb, var_off, val+1, buff);
421 proto_tree_add_text( tree, tvb, var_off, val, "Remote Address: %s", buff );
428 dissect_tacplus_body_authen_req_login( tvbuff_t* tvb, proto_tree *tree, int var_off )
432 val=tvb_get_guint8( tvb, AUTHEN_S_DATA_LEN_OFF );
434 switch ( tvb_get_guint8(tvb, AUTHEN_S_AUTHEN_TYPE_OFF ) ) { /* authen_type */
436 case TAC_PLUS_AUTHEN_TYPE_ASCII:
437 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "Data: %d (not used)", val );
439 proto_tree_add_text( tree, tvb, var_off, val, "Data" );
442 case TAC_PLUS_AUTHEN_TYPE_PAP:
443 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "Password Length %d", val );
445 tvb_get_nstringz0( tvb, var_off, val+1, buff );
446 proto_tree_add_text( tree, tvb, var_off, val, "Password: %s", buff );
450 case TAC_PLUS_AUTHEN_TYPE_CHAP:
451 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "CHAP Data Length %d", val );
455 guint8 chal_len=val-(1+16); /* Response field alwayes 16 octets */
456 pi = proto_tree_add_text(tree, tvb, var_off, val, "CHAP Data" );
457 pt = proto_item_add_subtree( pi, ett_tacplus_body_chap );
458 val= tvb_get_guint8( tvb, var_off );
459 proto_tree_add_text( pt, tvb, var_off, 1, "ID: %d", val );
461 tvb_get_nstringz0( tvb, var_off, chal_len+1, buff );
462 proto_tree_add_text( pt, tvb, var_off, chal_len, "Challenge: %s", buff );
464 tvb_get_nstringz0( tvb, var_off, 16+1, buff );
465 proto_tree_add_text( pt, tvb, var_off, 16 , "Response: %s", buff );
468 case TAC_PLUS_AUTHEN_TYPE_MSCHAP:
469 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "MSCHAP Data Length %d", val );
473 guint8 chal_len=val-(1+49); /* Response field alwayes 49 octets */
474 pi = proto_tree_add_text(tree, tvb, var_off, val, "MSCHAP Data" );
475 pt = proto_item_add_subtree( pi, ett_tacplus_body_chap );
476 val= tvb_get_guint8( tvb, var_off );
477 proto_tree_add_text( pt, tvb, var_off, 1, "ID: %d", val );
479 tvb_get_nstringz0( tvb, var_off, chal_len+1, buff );
480 proto_tree_add_text( pt, tvb, var_off, chal_len, "Challenge: %s", buff );
482 tvb_get_nstringz0( tvb, var_off, 49+1, buff );
483 proto_tree_add_text( pt, tvb, var_off, 49 , "Response: %s", buff );
486 case TAC_PLUS_AUTHEN_TYPE_ARAP:
487 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "ARAP Data Length %d", val );
491 pi = proto_tree_add_text(tree, tvb, var_off, val, "ARAP Data" );
492 pt = proto_item_add_subtree( pi, ett_tacplus_body_chap );
494 tvb_get_nstringz0( tvb, var_off, 8+1, buff );
495 proto_tree_add_text( pt, tvb, var_off, 8, "Nas Challenge: %s", buff );
497 tvb_get_nstringz0( tvb, var_off, 8+1, buff );
498 proto_tree_add_text( pt, tvb, var_off, 8, "Remote Challenge: %s", buff );
500 tvb_get_nstringz0( tvb, var_off, 8+1, buff );
501 proto_tree_add_text( pt, tvb, var_off, 8, "Remote Response: %s", buff );
506 default: /* Should not be reached */
507 proto_tree_add_text( tree, tvb, AUTHEN_S_DATA_LEN_OFF, 1, "Data: %d", val );
509 proto_tree_add_text( tree, tvb, var_off, val, "Data" );
515 dissect_tacplus_body_authen_req( tvbuff_t* tvb, proto_tree *tree )
518 int var_off=AUTHEN_S_VARDATA_OFF;
521 val=tvb_get_guint8( tvb, AUTHEN_S_ACTION_OFF );
522 proto_tree_add_text( tree, tvb,
523 AUTHEN_S_ACTION_OFF, 1,
525 val_to_str( val, tacplus_authen_action_vals, "Unknown Packet" ) );
527 var_off=proto_tree_add_tacplus_common_fields( tvb, tree , AUTHEN_S_PRIV_LVL_OFF, AUTHEN_S_VARDATA_OFF );
530 case TAC_PLUS_AUTHEN_LOGIN:
531 dissect_tacplus_body_authen_req_login( tvb, tree, var_off );
533 case TAC_PLUS_AUTHEN_SENDAUTH:
539 dissect_tacplus_body_authen_req_cont( tvbuff_t *tvb, proto_tree *tree )
542 int var_off=AUTHEN_C_VARDATA_OFF;
545 val=tvb_get_guint8( tvb, AUTHEN_C_FLAGS_OFF );
546 proto_tree_add_text( tree, tvb,
547 AUTHEN_R_FLAGS_OFF, 1, "Flags: 0x%02x %s",
549 (val&TAC_PLUS_CONTINUE_FLAG_ABORT?"(Abort)":"") );
552 val=tvb_get_ntohs( tvb, AUTHEN_C_USER_LEN_OFF );
553 proto_tree_add_text( tree, tvb, AUTHEN_C_USER_LEN_OFF, 2 , "User length: %d", val );
555 buff=tvb_get_string( tvb, var_off, val );
556 proto_tree_add_text( tree, tvb, var_off, val, "User: %s", buff );
561 val=tvb_get_ntohs( tvb, AUTHEN_C_DATA_LEN_OFF );
562 proto_tree_add_text( tree, tvb, AUTHEN_C_DATA_LEN_OFF, 2 ,
563 "Data length: %d", val );
565 proto_tree_add_text( tree, tvb, var_off, val, "Data" );
572 dissect_tacplus_body_authen_rep( tvbuff_t *tvb, proto_tree *tree )
575 int var_off=AUTHEN_R_VARDATA_OFF;
578 val=tvb_get_guint8( tvb, AUTHEN_R_STATUS_OFF );
579 proto_tree_add_text(tree, tvb,
580 AUTHEN_R_STATUS_OFF, 1, "Status: 0x%01x (%s)", val,
581 val_to_str( val, tacplus_reply_status_vals, "Unknown Packet" ) );
583 val=tvb_get_guint8( tvb, AUTHEN_R_FLAGS_OFF );
584 proto_tree_add_text(tree, tvb,
585 AUTHEN_R_FLAGS_OFF, 1, "Flags: 0x%02x %s",
586 val, (val&TAC_PLUS_REPLY_FLAG_NOECHO?"(NoEcho)":"") );
589 val=tvb_get_ntohs(tvb, AUTHEN_R_SRV_MSG_LEN_OFF );
590 proto_tree_add_text( tree, tvb, AUTHEN_R_SRV_MSG_LEN_OFF, 2 ,
591 "Server message length: %d", val );
593 buff=tvb_get_string(tvb, var_off, val );
594 proto_tree_add_text(tree, tvb, var_off, val, "Server message: %s", buff );
599 val=tvb_get_ntohs(tvb, AUTHEN_R_DATA_LEN_OFF );
600 proto_tree_add_text( tree, tvb, AUTHEN_R_DATA_LEN_OFF, 2 ,
601 "Data length: %d", val );
603 proto_tree_add_text(tree, tvb, var_off, val, "Data" );
608 dissect_tacplus_body_author_req( tvbuff_t* tvb, proto_tree *tree )
613 val=tvb_get_guint8( tvb, AUTHOR_Q_AUTH_METH_OFF ) ;
614 proto_tree_add_text( tree, tvb, AUTHOR_Q_AUTH_METH_OFF, 1,
615 "Auth Method: %s", val_to_str( val, tacplus_authen_method, "Unknown Authen Method" ) );
617 val=tvb_get_guint8( tvb, AUTHOR_Q_ARGC_OFF );
618 var_off=proto_tree_add_tacplus_common_fields( tvb, tree ,
619 AUTHOR_Q_PRIV_LVL_OFF,
620 AUTHOR_Q_VARDATA_OFF + val );
622 proto_tree_add_text( tree, tvb, AUTHOR_Q_ARGC_OFF, 1, "Arg count: %d", val );
624 /* var_off points after rem_addr */
626 dissect_tacplus_args_list( tvb, tree, var_off, AUTHOR_Q_VARDATA_OFF, val );
630 dissect_tacplus_body_author_rep( tvbuff_t* tvb, proto_tree *tree )
632 int offset=AUTHOR_R_VARDATA_OFF;
633 int val=tvb_get_guint8( tvb, AUTHOR_R_STATUS_OFF ) ;
636 proto_tree_add_text( tree, tvb, AUTHOR_R_STATUS_OFF , 1,
637 "Auth Status: 0x%01x (%s)", val,
638 val_to_str( val, tacplus_author_status, "Unknown Authorization Status" ));
640 val=tvb_get_ntohs( tvb, AUTHOR_R_SRV_MSG_LEN_OFF );
642 proto_tree_add_text( tree, tvb, AUTHOR_R_SRV_MSG_LEN_OFF, 2, "Server Msg length: %d", val );
644 val=tvb_get_ntohs( tvb, AUTHOR_R_DATA_LEN_OFF );
646 proto_tree_add_text( tree, tvb, AUTHOR_R_DATA_LEN_OFF, 2, "Data length: %d", val );
648 val=tvb_get_guint8( tvb, AUTHOR_R_ARGC_OFF);
650 proto_tree_add_text( tree, tvb, AUTHOR_R_ARGC_OFF, 1, "Arg count: %d", val );
652 dissect_tacplus_args_list( tvb, tree, offset, AUTHOR_R_VARDATA_OFF, val );
656 dissect_tacplus_body_acct_req( tvbuff_t* tvb, proto_tree *tree )
661 proto_tree *flags_tree;
663 val=tvb_get_guint8( tvb, ACCT_Q_FLAGS_OFF );
664 tf = proto_tree_add_uint( tree, hf_tacplus_acct_flags, tvb, ACCT_Q_FLAGS_OFF, 1, val );
666 flags_tree = proto_item_add_subtree( tf, ett_tacplus_acct_flags );
667 proto_tree_add_text( flags_tree, tvb, ACCT_Q_FLAGS_OFF, 1, "%s",
668 decode_boolean_bitfield( val, TAC_PLUS_ACCT_FLAG_MORE, 8,
669 "More: Set", "More: Not set" ) );
670 proto_tree_add_text( flags_tree, tvb, ACCT_Q_FLAGS_OFF, 1, "%s",
671 decode_boolean_bitfield( val, TAC_PLUS_ACCT_FLAG_START, 8,
672 "Start: Set", "Start: Not set" ) );
673 proto_tree_add_text( flags_tree, tvb, ACCT_Q_FLAGS_OFF, 1, "%s",
674 decode_boolean_bitfield( val, TAC_PLUS_ACCT_FLAG_STOP, 8,
675 "Stop: Set", "Stop: Not set" ) );
676 proto_tree_add_text( flags_tree, tvb, ACCT_Q_FLAGS_OFF, 1, "%s",
677 decode_boolean_bitfield( val, TAC_PLUS_ACCT_FLAG_WATCHDOG, 8,
678 "Watchdog: Set", "Watchdog: Not set" ) );
680 val=tvb_get_guint8( tvb, ACCT_Q_METHOD_OFF );
681 proto_tree_add_text( tree, tvb, ACCT_Q_METHOD_OFF, 1,
682 "Authen Method: 0x%01x (%s)",
683 val, val_to_str( val, tacplus_authen_method, "Unknown Authen Method" ) );
685 val=tvb_get_guint8( tvb, ACCT_Q_ARG_CNT_OFF );
688 var_off=proto_tree_add_tacplus_common_fields( tvb, tree ,
690 ACCT_Q_VARDATA_OFF+val
693 proto_tree_add_text( tree, tvb, ACCT_Q_ARG_CNT_OFF, 1,
694 "Arg Cnt: %d", val );
696 dissect_tacplus_args_list( tvb, tree, var_off, ACCT_Q_VARDATA_OFF, val );
702 dissect_tacplus_body_acct_rep( tvbuff_t* tvb, proto_tree *tree )
704 int val, var_off=ACCT_Q_VARDATA_OFF;
709 val=tvb_get_guint8( tvb, ACCT_R_STATUS_OFF );
710 proto_tree_add_text( tree, tvb, ACCT_R_STATUS_OFF, 1, "Status: 0x%02x (%s)", val,
711 val_to_str( val, tacplus_acct_status, "Bogus status..") );
714 val=tvb_get_ntohs( tvb, ACCT_R_SRV_MSG_LEN_OFF );
715 proto_tree_add_text( tree, tvb, ACCT_R_SRV_MSG_LEN_OFF, 2 ,
716 "Server message length: %d", val );
718 buff=tvb_get_string( tvb, var_off, val );
719 proto_tree_add_text( tree, tvb, var_off,
720 val, "Server message: %s", buff );
726 val=tvb_get_ntohs( tvb, ACCT_R_DATA_LEN_OFF );
727 proto_tree_add_text( tree, tvb, ACCT_R_DATA_LEN_OFF, 2 ,
728 "Data length: %d", val );
730 buff= tvb_get_string( tvb, var_off, val );
731 proto_tree_add_text( tree, tvb, var_off,
732 val, "Data: %s", buff );
740 dissect_tacplus_body(tvbuff_t * hdr_tvb, tvbuff_t * tvb, proto_tree * tree )
742 int type = tvb_get_guint8( hdr_tvb, H_TYPE_OFF );
743 int seq_no = tvb_get_guint8( hdr_tvb, H_SEQ_NO_OFF );
746 case TAC_PLUS_AUTHEN:
747 if ( seq_no & 0x01) {
749 dissect_tacplus_body_authen_req( tvb, tree );
751 dissect_tacplus_body_authen_req_cont( tvb, tree );
753 dissect_tacplus_body_authen_rep( tvb, tree );
757 case TAC_PLUS_AUTHOR:
759 dissect_tacplus_body_author_req( tvb, tree );
761 dissect_tacplus_body_author_rep( tvb, tree );
766 dissect_tacplus_body_acct_req( tvb, tree );
768 dissect_tacplus_body_acct_rep( tvb, tree );
772 proto_tree_add_text( tree, tvb, 0, tvb_length( tvb ), "Bogus..");
777 tacplus_print_key_entry( gpointer data, gpointer user_data )
779 tacplus_key_entry *tacplus_data=(tacplus_key_entry *)data;
781 printf("%s:%s=%s\n", address_to_str( tacplus_data->s ),
782 address_to_str( tacplus_data->c ), tacplus_data->k );
784 printf("%s:%s\n", address_to_str( tacplus_data->s ),
785 address_to_str( tacplus_data->c ) );
790 cmp_conv_address( gconstpointer p1, gconstpointer p2 )
792 tacplus_key_entry *a1=(tacplus_key_entry*)p1;
793 tacplus_key_entry *a2=(tacplus_key_entry*)p2;
797 tacplus_print_key_entry( p1, NULL );
799 tacplus_print_key_entry( p2, NULL );
801 ret=CMP_ADDRESS( a1->s, a2->s );
803 ret=CMP_ADDRESS( a1->c, a2->c );
806 printf("No Client found!"); */
808 /* printf("No Server found!"); */
814 find_key( address *srv, address *cln )
816 tacplus_key_entry data;
821 /* printf("Looking for: ");
822 tacplus_print_key_entry( (gconstpointer)&data, NULL ); */
823 match=g_slist_find_custom( tacplus_keys, (gpointer)&data, cmp_conv_address );
824 /* printf("Finished (%p)\n", match); */
826 return ((tacplus_key_entry*)match->data)->k;
828 return (tacplus_keys?NULL:tacplus_opt_key);
831 int inet_pton(int , const char*, void*);
834 mkipv4_address( address **addr, char *str_addr )
836 *addr=g_malloc( sizeof(address) );
837 (*addr)->type=AT_IPv4;
839 (*addr)->data=g_malloc( 4 );
840 inet_pton( AF_INET, (const char*)str_addr, (void*)(*addr)->data );
843 parse_tuple( char *key_from_option )
846 tacplus_key_entry *tacplus_data=g_malloc( sizeof(tacplus_key_entry) );
848 printf("keys: %s\n", key_from_option );
850 client=strchr(key_from_option,'/');
854 key=strchr(client,'=');
859 printf("%s %s => %s\n", key_from_option, client, key );
861 mkipv4_address( &tacplus_data->s, key_from_option );
862 mkipv4_address( &tacplus_data->c, client );
863 tacplus_data->k=strdup( key );
864 tacplus_keys = g_slist_prepend( tacplus_keys, tacplus_data );
869 free_tacplus_keys( gpointer data, gpointer user_data _U_ )
871 g_free( ((tacplus_key_entry *)data)->k );
876 parse_tacplus_keys( char *keys_from_option )
882 g_slist_foreach( tacplus_keys, free_tacplus_keys, NULL );
883 g_slist_free( tacplus_keys );
887 if( !strchr( keys_from_option, '/' ) ){
888 /* option not in client/server=key format */
891 s=strdup(keys_from_option);
893 keys_from_option = s;
894 while(keys_from_option){
895 if( (s=strchr( keys_from_option, ' ' )) != NULL )
897 parse_tuple( keys_from_option );
902 g_slist_foreach( tacplus_keys, tacplus_print_key_entry, GINT_TO_POINTER(1) );
907 dissect_tacplus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
909 tvbuff_t *new_tvb=NULL;
910 proto_tree *tacplus_tree;
912 guint8 version,flags;
913 proto_tree *flags_tree;
917 gboolean request=( pinfo->destport == TCP_PORT_TACACS );
921 key=find_key( &pinfo->dst, &pinfo->src );
923 key=find_key( &pinfo->src, &pinfo->dst );
925 if (check_col(pinfo->cinfo, COL_PROTOCOL))
926 col_set_str(pinfo->cinfo, COL_PROTOCOL, "TACACS+");
928 if (check_col(pinfo->cinfo, COL_INFO))
930 int type = tvb_get_guint8(tvb,1);
931 col_add_fstr( pinfo->cinfo, COL_INFO, "%s: %s",
933 val_to_str(type, tacplus_type_vals, "Unknown (0x%02x)"));
938 ti = proto_tree_add_protocol_format(tree, proto_tacplus,
939 tvb, 0, -1, "TACACS+");
941 tacplus_tree = proto_item_add_subtree(ti, ett_tacplus);
942 if (pinfo->match_port == pinfo->destport)
944 proto_tree_add_boolean_hidden(tacplus_tree,
945 hf_tacplus_request, tvb, 0, 0, TRUE);
949 proto_tree_add_boolean_hidden(tacplus_tree,
950 hf_tacplus_response, tvb, 0, 0, TRUE);
952 version = tvb_get_guint8(tvb,0);
953 proto_tree_add_uint_format(tacplus_tree, hf_tacplus_majvers, tvb, 0, 1,
956 (version&0xf0)==0xc0?"TACACS+":"Unknown Version");
957 proto_tree_add_uint(tacplus_tree, hf_tacplus_minvers, tvb, 0, 1,
959 proto_tree_add_item(tacplus_tree, hf_tacplus_type, tvb, 1, 1,
961 proto_tree_add_item(tacplus_tree, hf_tacplus_seqno, tvb, 2, 1,
963 flags = tvb_get_guint8(tvb,3);
964 tf = proto_tree_add_uint_format(tacplus_tree, hf_tacplus_flags,
966 "Flags: 0x%02x (%s payload, %s)",
968 (flags&FLAGS_UNENCRYPTED) ? "Unencrypted" :
970 (flags&FLAGS_SINGLE) ? "Single connection" :
971 "Multiple Connections" );
972 flags_tree = proto_item_add_subtree(tf, ett_tacplus_flags);
973 proto_tree_add_boolean(flags_tree, hf_tacplus_flags_payload_type,
975 proto_tree_add_boolean(flags_tree, hf_tacplus_flags_connection_type,
977 proto_tree_add_item(tacplus_tree, hf_tacplus_session_id, tvb, 4, 4,
979 len = tvb_get_ntohl(tvb,8);
980 proto_tree_add_uint(tacplus_tree, hf_tacplus_packet_len, tvb, 8, 4,
983 tmp_pi = proto_tree_add_text(tacplus_tree, tvb, TAC_PLUS_HDR_SIZE, len, "%s%s",
984 ((flags&FLAGS_UNENCRYPTED)?"":"Encrypted "), request?"Request":"Reply" );
986 if( flags&FLAGS_UNENCRYPTED ) {
987 new_tvb = tvb_new_subset( tvb, TAC_PLUS_HDR_SIZE, len, len );
991 tacplus_decrypted_tvb_setup( tvb, &new_tvb, pinfo, len, version, key );
995 /* Check to see if I've a decrypted tacacs packet */
996 if( !(flags&FLAGS_UNENCRYPTED) ){
997 tmp_pi = proto_tree_add_text(tacplus_tree, new_tvb, 0, len, "Decrypted %s",
998 request?"Request":"Reply" );
1000 dissect_tacplus_body( tvb, new_tvb, proto_item_add_subtree( tmp_pi, ett_tacplus_body ));
1006 tacplus_pref_cb(void)
1008 parse_tacplus_keys( tacplus_opt_key );
1012 proto_register_tacplus(void)
1014 static hf_register_info hf[] = {
1015 { &hf_tacplus_response,
1016 { "Response", "tacplus.response",
1017 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1018 "TRUE if TACACS+ response", HFILL }},
1019 { &hf_tacplus_request,
1020 { "Request", "tacplus.request",
1021 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
1022 "TRUE if TACACS+ request", HFILL }},
1023 { &hf_tacplus_majvers,
1024 { "Major version", "tacplus.majvers",
1025 FT_UINT8, BASE_DEC, NULL, 0x0,
1026 "Major version number", HFILL }},
1027 { &hf_tacplus_minvers,
1028 { "Minor version", "tacplus.minvers",
1029 FT_UINT8, BASE_DEC, NULL, 0x0,
1030 "Minor version number", HFILL }},
1032 { "Type", "tacplus.type",
1033 FT_UINT8, BASE_DEC, VALS(tacplus_type_vals), 0x0,
1035 { &hf_tacplus_seqno,
1036 { "Sequence number", "tacplus.seqno",
1037 FT_UINT8, BASE_DEC, NULL, 0x0,
1038 "Sequence number", HFILL }},
1039 { &hf_tacplus_flags,
1040 { "Flags", "tacplus.flags",
1041 FT_UINT8, BASE_HEX, NULL, 0x0,
1043 { &hf_tacplus_flags_payload_type,
1044 { "Unencrypted", "tacplus.flags.unencrypted",
1045 FT_BOOLEAN, 8, TFS(&flags_set_truth), FLAGS_UNENCRYPTED,
1046 "Is payload unencrypted?", HFILL }},
1047 { &hf_tacplus_flags_connection_type,
1048 { "Single Connection", "tacplus.flags.singleconn",
1049 FT_BOOLEAN, 8, TFS(&flags_set_truth), FLAGS_SINGLE,
1050 "Is this a single connection?", HFILL }},
1051 { &hf_tacplus_acct_flags,
1052 { "Flags", "tacplus.acct.flags",
1053 FT_UINT8, BASE_HEX, NULL, 0x0,
1055 { &hf_tacplus_session_id,
1056 { "Session ID", "tacplus.session_id",
1057 FT_UINT32, BASE_DEC, NULL, 0x0,
1058 "Session ID", HFILL }},
1059 { &hf_tacplus_packet_len,
1060 { "Packet length", "tacplus.packet_len",
1061 FT_UINT32, BASE_DEC, NULL, 0x0,
1062 "Packet length", HFILL }}
1064 static gint *ett[] = {
1067 &ett_tacplus_acct_flags,
1069 &ett_tacplus_body_chap,
1071 module_t *tacplus_module;
1073 proto_tacplus = proto_register_protocol("TACACS+", "TACACS+", "tacplus");
1074 proto_register_field_array(proto_tacplus, hf, array_length(hf));
1075 proto_register_subtree_array(ett, array_length(ett));
1076 tacplus_module = prefs_register_protocol (proto_tacplus, tacplus_pref_cb );
1077 prefs_register_string_preference ( tacplus_module, "key",
1078 "TACACS+ Encryption Key", "TACACS+ Encryption Key", &tacplus_opt_key );
1082 proto_reg_handoff_tacplus(void)
1084 dissector_handle_t tacplus_handle;
1086 tacplus_handle = create_dissector_handle(dissect_tacplus,
1088 dissector_add("tcp.port", TCP_PORT_TACACS, tacplus_handle);
1095 md5_xor( guint8 *data, char *key, int data_len, guint8 *session_id, guint8 version, guint8 seq_no )
1098 md5_byte_t *md5_buff;
1099 md5_byte_t hash[MD5_LEN]; /* the md5 hash */
1101 md5_state_t mdcontext;
1103 md5_len = 4 /* sizeof(session_id) */ + strlen(key)
1104 + sizeof(version) + sizeof(seq_no);
1106 md5_buff = (md5_byte_t*)g_malloc(md5_len+MD5_LEN);
1110 *(guint32*)mdp = *(guint32*)session_id;
1112 memcpy(mdp, key, strlen(key));
1118 md5_init(&mdcontext);
1119 md5_append(&mdcontext, md5_buff, md5_len);
1120 md5_finish(&mdcontext,hash);
1122 for (i = 0; i < data_len; i += 16) {
1124 for (j = 0; j < 16; j++) {
1125 if ((i + j) >= data_len) {
1126 i = data_len+1; /* To exit from the external loop */
1129 data[i + j] ^= hash[j];
1131 memcpy(mdp, hash, MD5_LEN);
1132 md5_init(&mdcontext);
1133 md5_append(&mdcontext, md5_buff, md5_len);
1134 md5_finish(&mdcontext,hash);