kravietz · akhileshsingh-saithwar · Aug 26, 2020 · kravietz · Aug 27, 2020 · kravietz
diff --git a/libtac/include/libtac.h b/libtac/include/libtac.h
@@ -145,6 +145,9 @@ struct areply {
 #define LIBTAC_STATUS_CONN_ERR        -9
 #define LIBTAC_STATUS_ATTRIB_TOO_LONG -10
 #define LIBTAC_STATUS_ATTRIB_TOO_MANY -11
+#define LIBTAC_STATUS_SERVER_NOT_CONFIGURED     -12
+#define LIBTAC_STATUS_SECRET_KEY_ERR            -13
+#define LIBTAC_STATUS_SEC_KEY_NOT_CONFIGURED    -14
 
 /* Runtime flags */
 
@@ -181,6 +184,7 @@ int tac_cont_send_seq(int, const char *, int);
 #define tac_cont_send(fd, pass) tac_cont_send_seq((fd), (pass), 3)
 HDR *_tac_req_header(unsigned char, int);
 void _tac_crypt(unsigned char *, const HDR *);
+void _tac_string_decrypt(char *key);
 int tac_add_attrib(struct tac_attrib **, char *, char *);
 void tac_free_attrib(struct tac_attrib **);
 char *tac_acct_flag2str(int);

diff --git a/libtac/lib/authen_r.c b/libtac/lib/authen_r.c
@@ -45,6 +45,8 @@ int tac_authen_read(int fd, struct areply *re) {
 
 	memset(re, 0, sizeof(struct areply));
 
+        TACSYSLOG(LOG_ERR, "%s:[timeout] reply timeout %lu secs", __FUNCTION__, tac_timeout);
+
 	/* read the reply header */
 	if (tac_readtimeout_enable
 			&& tac_read_wait(fd, tac_timeout * 1000, TAC_PLUS_HDR_SIZE,
@@ -120,9 +122,9 @@ int tac_authen_read(int fd, struct areply *re) {
 		TACSYSLOG(
 				LOG_ERR, "%s: inconsistent reply body, incorrect key?", __FUNCTION__);
 		re->msg = xstrdup(protocol_err_msg);
-		re->status = LIBTAC_STATUS_PROTOCOL_ERR;
+        	re->status = LIBTAC_STATUS_SECRET_KEY_ERR;
 		free(tb);
-		return re->status;
+        	return LIBTAC_STATUS_SECRET_KEY_ERR;
 	}
 
 	/* save status and clean up */

diff --git a/libtac/lib/authen_s.c b/libtac/lib/authen_s.c
@@ -129,6 +129,8 @@ int tac_authen_send(int fd, const char *user, const char *pass, const char *tty,
 		} else {
 			tb.authen_type = TAC_PLUS_AUTHEN_TYPE_PAP;
 		}
+
+        TACSYSLOG(LOG_ERR, "%s: tac_login : %s auth-type : %x",__FUNCTION__, tac_login, tb.authen_type);
 	}
 
 	/* data field is not used in ASCII login */

diff --git a/libtac/lib/author_r.c b/libtac/lib/author_r.c
@@ -49,6 +49,8 @@ int tac_author_read(int fd, struct areply *re) {
 	re->msg = NULL;
 	unsigned int r = 0;
 
+        TACSYSLOG(LOG_ERR, "%s:[timeout] reply timeout %lu secs", __FUNCTION__, tac_timeout);
+
 	bzero(re, sizeof(struct areply));
 	if (tac_readtimeout_enable
 			&& tac_read_wait(fd, tac_timeout * 1000, TAC_PLUS_HDR_SIZE,

diff --git a/libtac/lib/connect.c b/libtac/lib/connect.c
@@ -86,8 +86,20 @@ int tac_connect_single(const struct addrinfo *server, const char *key, struct ad
 
     if(server == NULL) {
         TACSYSLOG(LOG_ERR, "%s: no TACACS+ server defined", __FUNCTION__);
+        retval = LIBTAC_STATUS_SERVER_NOT_CONFIGURED; /* not configured */
         goto bomb;
     }
+    // Make sure that "secret=" keyword found and it's value is not null
+    if(key == NULL) {
+         TACSYSLOG(LOG_ERR, "%s: TACACS+ server secret key not configured", __FUNCTION__);
+         retval = LIBTAC_STATUS_SEC_KEY_NOT_CONFIGURED; /* not configured */
+         goto bomb;
+     }
+     else if(*key == '\0') {
+         TACSYSLOG(LOG_ERR, "%s: TACACS+ server secret key not configured", __FUNCTION__);
+         retval = LIBTAC_STATUS_SEC_KEY_NOT_CONFIGURED; /* not configured */
+         goto bomb;
+     }
 
     /* format server address into a string  for use in messages */
     ip = tac_ntop(server->ai_addr);
@@ -131,17 +143,20 @@ int tac_connect_single(const struct addrinfo *server, const char *key, struct ad
         if (bind(fd, srcaddr->ai_addr, srcaddr->ai_addrlen) < 0) {
             TACSYSLOG(LOG_ERR, "%s: Failed to bind source address: %s",
                 __FUNCTION__, strerror(errno));
-            goto bomb;
+            //Don't exit on bind error.
         }
     }
 
     rc = connect(fd, server->ai_addr, server->ai_addrlen);
     /* FIX this..for some reason errno = 0 on AIX... */
     if((rc == -1) && (errno != EINPROGRESS) && (errno != 0)) {
         TACSYSLOG(LOG_ERR,\
-            "%s: connection to %s failed: %m", __FUNCTION__, ip);
+            "%s: connection to %s failed: %m", __FUNCTION__, ip); /* unreachable */
+        retval = LIBTAC_STATUS_CONN_ERR;
         goto bomb;
     }
+    /* set timeout to global variable tac_timeout to be further used for tac_authen_send,  tac_authen_read */
+    tac_timeout = timeout;
 
     /* set fds for select */
     FD_ZERO(&readfds);
@@ -158,7 +173,7 @@ int tac_connect_single(const struct addrinfo *server, const char *key, struct ad
 
     /* timeout */
     if ( rc == 0 ) {
-        retval = LIBTAC_STATUS_CONN_TIMEOUT;
+        retval = LIBTAC_STATUS_CONN_TIMEOUT; /* timeout error*/
         goto bomb;
     }
 

diff --git a/libtac/lib/crypt.c b/libtac/lib/crypt.c
@@ -86,3 +86,18 @@ void _tac_crypt(unsigned char *buf, const HDR *th) {
         TACSYSLOG(LOG_WARNING, "%s: using no TACACS+ encryption", __FUNCTION__);
     }
 }    /* _tac_crypt */
+
+void _tac_string_decrypt(char *key) {
+    unsigned i, j;
+    char buf[64]={0};
+    TACSYSLOG(LOG_WARNING, "%s: Input key %s", __FUNCTION__,(char*)key);
+
+    strcpy(buf,key);
+
+    for(i=0;i<strlen(buf);)
+    {
+      for(j=2;j<=6 && i < strlen(buf);j++)
+            buf[i++]-=j;
+     }
+    strcpy(key,buf);
+}