/*-
 * Copyright (c) 1998, 2001, Juniper Networks, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	$FreeBSD$
 */

#ifndef TACLIB_PRIVATE_H
#define TACLIB_PRIVATE_H

/*
 * Private definitions shared by the taclib implementation files: default
 * tunables, size limits, TACACS+ wire constants and the packet layouts
 * used to overlay request and response bodies.  Nothing in this header is
 * part of the public interface declared in taclib.h.
 */
#include "taclib.h"

/* Defaults */
#define PATH_TACPLUS_CONF	"/etc/tacplus.conf"	/* Default configuration file */
#define TACPLUS_PORT		49		/* Default server TCP port */
#define TIMEOUT			3	/* In seconds */

/* Limits */
/*
 * BODYSIZE bounds tac_msg.u.body, the buffer every received body is placed
 * in.  Any length taken from a packet header must be checked against it
 * before the body is read into the buffer -- NOTE(review): confirm this
 * check in the receive path; it is not visible from this header.
 */
#define BODYSIZE	8150		/* Maximum message body size */
#define ERRSIZE		128		/* Maximum error message length */
#define MAXCONFLINE	1024		/* Maximum config file line length */
#define MAXSERVERS	10		/* Maximum number of servers to try */
#define MAXAVPAIRS      255             /* Maximum number of AV pairs */

/* Protocol constants. */
#define HDRSIZE		12		/* Size of message header (the fixed part of struct tac_msg) */

/* Protocol version number */
#define TAC_VER_MAJOR		0xc		/* Major version number (presumably the high nibble of tac_msg.version) */

/* Protocol packet types */
#define TAC_AUTHEN		0x01		/* Authentication */
#define TAC_AUTHOR		0x02		/* Authorization */
#define TAC_ACCT		0x03		/* Accounting */

/* Protocol header flags */
#define TAC_UNENCRYPTED		0x01		/* Body is not obfuscated, i.e. sent in the clear */
#define TAC_SINGLE_CONNECT	0x04		/* Multiplex sessions over one TCP connection */
/*
 * One configured TACACS+ server.  MAXSERVERS of these live in the handle.
 */
struct tac_server {
	struct sockaddr_in addr;	/* Address of server */
	char		*secret;	/* Shared secret; plaintext copy held by the
					 * library.  NOTE(review): confirm it is
					 * cleared when the handle is torn down. */
	int		 timeout;	/* Timeout in seconds */
	int		 flags;		/* Per-server options -- presumably TAC_*
					 * header flags such as TAC_SINGLE_CONNECT;
					 * confirm against the config parser. */
};

/*
 * An optional string of bytes specified by the client for inclusion in
 * a request.  The data is always a dynamically allocated copy that
 * belongs to the library.  It is copied into the request packet just
 * before sending the request.
 */
struct clnt_str {
	void		*data;		/* Library-owned copy; freed by the library */
	size_t		 len;		/* Number of bytes at data */
};

/*
 * An optional string of bytes from a server response.  The data resides
 * in the response packet itself, and must not be freed.
 */
struct srvr_str {
	const void	*data;		/* Points into tac_handle.response; not owned */
	size_t		 len;		/* Number of bytes at data */
};

/*
 * Authentication START body.  The fixed fields are followed by the
 * variable-length user, port, rem_addr and data strings whose lengths
 * are given by the *_len fields; `rest' marks where they begin.  This
 * struct is only ever overlaid on tac_msg.u.body, so its sizeof is not
 * the size of a packet.
 */
struct tac_authen_start {
	u_int8_t	action;		/* Authentication action */
	u_int8_t	priv_lvl;	/* Requested privilege level */
	u_int8_t	authen_type;	/* Authentication type */
	u_int8_t	service;	/* Service requesting authentication */
	u_int8_t	user_len;	/* Length of user string */
	u_int8_t	port_len;	/* Length of port string */
	u_int8_t	rem_addr_len;	/* Length of remote address string */
	u_int8_t	data_len;	/* Length of data field */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};

/*
 * Authentication REPLY body, as received from the server.  msg_len and
 * data_len are server-supplied and must be bounded against the received
 * body length before `rest' is indexed -- NOTE(review): that check lives
 * in the response parser, not here.
 */
struct tac_authen_reply {
	u_int8_t	status;		/* Authentication status */
	u_int8_t	flags;		/* Reply flags */
	u_int16_t	msg_len;	/* Length of server message (presumably network byte order on the wire) */
	u_int16_t	data_len;	/* Length of data field */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};

/*
 * Authentication CONTINUE body, sent by the client in answer to a REPLY.
 */
struct tac_authen_cont {
	u_int16_t	user_msg_len;	/* Length of user message */
	u_int16_t	data_len;	/* Length of data field */
	u_int8_t	flags;		/* Continue flags */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};

/*
 * Authorization REQUEST body.  The fixed fields are followed by av_cnt
 * one-byte AV-pair lengths and then the user, port, rem_addr and AV-pair
 * strings; `rest' marks where they begin.
 */
struct tac_author_request {
	u_int8_t	authen_meth;	/* Authentication method used */
	u_int8_t	priv_lvl;	/* Privilege level */
	u_int8_t	authen_type;	/* Authentication type */
	u_int8_t	service;	/* Service */
	u_int8_t	user_len;	/* Length of user string */
	u_int8_t	port_len;	/* Length of port string */
	u_int8_t	rem_addr_len;	/* Length of remote address string */
	u_int8_t	av_cnt;		/* Number of AV pairs (bounded by MAXAVPAIRS on the client side) */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};

/*
 * Authorization RESPONSE body, as received from the server.  av_cnt,
 * msg_len and data_len are server-supplied; the parser must bound them
 * against the received body length (av_cnt also against MAXAVPAIRS,
 * the size of tac_handle.srvr_avs) before using `rest'.
 */
struct tac_author_response {
	u_int8_t	status;		/* Authorization status */
	u_int8_t	av_cnt;		/* Number of AV pairs returned */
	u_int16_t	msg_len;	/* Length of server message */
	u_int16_t	data_len;	/* Length of data field */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};

/*
 * Accounting REQUEST body.  Same trailing layout as tac_author_request:
 * av_cnt AV-pair lengths, then the strings, starting at `rest'.
 */
struct tac_acct_start {
	u_int8_t	action;		/* Accounting action (start/stop/watchdog flags) */
	u_int8_t	authen_action;	/* Authentication action */
	u_int8_t	priv_lvl;	/* Privilege level */
	u_int8_t	authen_type;	/* Authentication type */
	u_int8_t	authen_service;	/* Authentication service */
	u_int8_t	user_len;	/* Length of user string */
	u_int8_t	port_len;	/* Length of port string */
	u_int8_t	rem_addr_len;	/* Length of remote address string */
	u_int8_t	av_cnt;		/* Number of AV pairs */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};

/*
 * Accounting REPLY body, as received from the server.  Note the field
 * order differs from the other replies: the two lengths precede status.
 * msg_len and data_len are server-supplied and must be bounded by the
 * parser before `rest' is indexed.
 */
struct tac_acct_reply {
	u_int16_t	msg_len;	/* Length of server message */
	u_int16_t	data_len;	/* Length of data field */
	u_int8_t	status;		/* Accounting status */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};

/*
 * A complete TACACS+ message: the HDRSIZE-byte fixed header followed by a
 * body of at most BODYSIZE bytes.  The union overlays each typed body on
 * the raw `body' buffer, which is why the body structs end in a rest[1]
 * placeholder rather than being sized to a real packet.  The header
 * fields are in wire order; `length' is presumably carried in network
 * byte order and converted by the send/receive code.
 */
struct tac_msg {
	u_int8_t	version;	/* Protocol version (major/minor) */
	u_int8_t	type;		/* TAC_AUTHEN, TAC_AUTHOR or TAC_ACCT */
	u_int8_t	seq_no;		/* Sequence number within the session */
	u_int8_t	flags;		/* TAC_UNENCRYPTED / TAC_SINGLE_CONNECT */
	u_int8_t	session_id[4];	/* Session id as raw bytes; avoids alignment
					 * and byte-order handling on the header */
	u_int32_t	length;		/* Body length; must be <= BODYSIZE once
					 * validated by the receive path */
	union {
		struct tac_authen_start authen_start;
		struct tac_authen_reply authen_reply;
		struct tac_authen_cont authen_cont;
		struct tac_author_request author_request;
		struct tac_author_response author_response;
		struct tac_acct_start acct_start;
		struct tac_acct_reply acct_reply;
		unsigned char body[BODYSIZE];	/* Raw body; bounds the whole union */
	} u;
};

/*
 * Per-client library state, returned to callers as an opaque handle.
 * Holds the server list, the request being built, the last response
 * received, and the client-side strings and AV pairs staged for the next
 * request.  The srvr_* members point into `response' and are only valid
 * until the next exchange overwrites it.
 */
struct tac_handle {
	int		 fd;		/* Socket file descriptor */
	struct tac_server servers[MAXSERVERS];	/* Servers to contact */
	int		 num_servers;	/* Number of valid server entries */
	int		 cur_server;	/* Server we are currently using */
	int		 single_connect;	/* Use a single connection */
	int		 last_seq_no;	/* seq_no of the last packet exchanged on fd */
	char		 errmsg[ERRSIZE];	/* Most recent error message */

	/* Client-supplied strings, each a library-owned copy (see clnt_str) */
	struct clnt_str	 user;		/* User name */
	struct clnt_str	 port;		/* Port name */
	struct clnt_str	 rem_addr;	/* Remote address */
	struct clnt_str	 data;		/* Authentication data */
	struct clnt_str	 user_msg;	/* User message for CONTINUE */
	struct clnt_str  avs[MAXAVPAIRS];	/* AV pairs for authorization/accounting */

	struct tac_msg	 request;	/* Request being built / sent */
	struct tac_msg	 response;	/* Last response received */

	int		 srvr_pos;	/* Scan position in response body */
	/* Pointers into `response'; not owned, not freed (see srvr_str) */
	struct srvr_str	 srvr_msg;	/* Server message */
	struct srvr_str	 srvr_data;	/* Server data field */
	struct srvr_str  srvr_avs[MAXAVPAIRS];	/* AV pairs returned by the server */
};

#endif /* TACLIB_PRIVATE_H */
