1/*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 1998, 2001, Juniper Networks, Inc.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#ifndef TACLIB_PRIVATE_H
30#define TACLIB_PRIVATE_H
31
32#include "taclib.h"
33
/*
 * Defaults.  Presumably used when the configuration file does not say
 * otherwise (the config parser itself is not in this header).
 * NOTE(review): PATH_TACPLUS_CONF holds the shared secrets in clear text;
 * it must never be world-readable.
 */
#define PATH_TACPLUS_CONF	"/etc/tacplus.conf"
#define TACPLUS_PORT		49		/* Default server TCP port */
#define TIMEOUT			3	/* In seconds */

/*
 * Limits.  Each one sizes a fixed buffer or array below (tac_msg.u.body,
 * tac_handle.errmsg, tac_handle.servers, the avs[] arrays).  Anything that
 * arrives from the network or the configuration file has to be checked
 * against the matching limit before it is stored.
 */
#define BODYSIZE	8150		/* Maximum message body size; a received
					   tac_msg.length above this must be
					   rejected before the body is read --
					   NOTE(review): confirm in the reader */
#define ERRSIZE		128		/* Maximum error message length */
#define MAXCONFLINE	1024		/* Maximum config file line length */
#define MAXSERVERS	10		/* Maximum number of servers to try */
#define MAXAVPAIRS      255             /* Maximum number of AV pairs; equals
                                           the largest value of the 8-bit
                                           av_cnt wire field, so any count
                                           received fits in the arrays */

/* Protocol constants. */
#define HDRSIZE		12		/* Size of message header: the bytes of
					   struct tac_msg before the body union
					   (1+1+1+1+4+4) */

/* Protocol version number */
#define TAC_VER_MAJOR		0xc		/* Major version number (presumably
						   the high nibble of
						   tac_msg.version) */

/* Protocol packet types (tac_msg.type) */
#define TAC_AUTHEN		0x01		/* Authentication */
#define TAC_AUTHOR		0x02		/* Authorization */
#define TAC_ACCT		0x03		/* Accounting */

/*
 * Protocol header flags (tac_msg.flags).
 * TAC_UNENCRYPTED: the body is carried without the shared-secret
 *   obfuscation.  NOTE(review): this is a downgrade -- a reply carrying it
 *   should not be honoured when a secret is configured; confirm the parser
 *   rejects it.
 * TAC_SINGLE_CONNECT: peer is willing to carry several sessions over one
 *   TCP connection (cf. tac_handle.single_connect).
 */
#define TAC_UNENCRYPTED		0x01
#define TAC_SINGLE_CONNECT	0x04
60
/*
 * A counted byte string.  Treat data as NOT NUL-terminated: len is the
 * only authority on its length, so every consumer must bound by len.
 * Whether data is owned or borrowed is not encoded here; it depends on
 * how each particular field is filled in (see taclib.c).
 */
struct tac_str {
	char		*data;		/* Start of the bytes (may be NULL when len == 0) */
	size_t		 len;		/* Number of valid bytes at data */
};
65
/*
 * Body of an authentication START packet, as laid out on the wire.
 * Field order IS the wire layout; do not reorder.  rest[] marks the start
 * of the variable-length part, whose pieces are sized by the four *_len
 * bytes above (each at most 255 bytes).  A C99 flexible array member is
 * not legal here because this struct is a member of the union in
 * struct tac_msg, so the [1] tail is used instead.
 * NOTE(review): rest[1] adds one byte to sizeof; code that derives body
 * lengths should use offsetof(..., rest), not sizeof -- confirm in taclib.c.
 */
struct tac_authen_start {
	u_int8_t	action;
	u_int8_t	priv_lvl;
	u_int8_t	authen_type;
	u_int8_t	service;
	u_int8_t	user_len;	/* Length of the user piece in rest */
	u_int8_t	port_len;	/* Length of the port piece in rest */
	u_int8_t	rem_addr_len;	/* Length of the rem_addr piece in rest */
	u_int8_t	data_len;	/* Length of the data piece in rest */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};
77
/*
 * Body of an authentication REPLY packet, as laid out on the wire.
 * Field order IS the wire layout; do not reorder.  This comes from the
 * server and is untrusted: msg_len and data_len are 16-bit (presumably
 * network byte order) and their sum must be checked against the body
 * length actually received before rest is indexed.  The [1] tail is used
 * because this struct sits in the union in struct tac_msg, where a C99
 * flexible array member is not allowed.
 */
struct tac_authen_reply {
	u_int8_t	status;
	u_int8_t	flags;
	u_int16_t	msg_len;	/* Length of the message piece in rest */
	u_int16_t	data_len;	/* Length of the data piece in rest */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};
85
/*
 * Body of an authentication CONTINUE packet, as laid out on the wire.
 * Field order IS the wire layout; do not reorder.  Note that flags comes
 * AFTER the two 16-bit lengths here, unlike the other bodies.  The [1]
 * tail is used because this struct sits in the union in struct tac_msg,
 * where a C99 flexible array member is not allowed.
 */
struct tac_authen_cont {
	u_int16_t	user_msg_len;	/* Length of the user_msg piece in rest */
	u_int16_t	data_len;	/* Length of the data piece in rest */
	u_int8_t	flags;
	unsigned char	rest[1];	/* Start of the variable-length fields */
};
92
/*
 * Body of an authorization REQUEST packet, as laid out on the wire.
 * Field order IS the wire layout; do not reorder.  av_cnt is the number
 * of attribute-value pairs carried in rest (the per-pair lengths are
 * presumably also in rest; not visible here).  av_cnt is 8 bits, which is
 * why MAXAVPAIRS is 255.  The [1] tail is used because this struct sits
 * in the union in struct tac_msg, where a C99 flexible array member is
 * not allowed.
 */
struct tac_author_request {
	u_int8_t	authen_meth;
	u_int8_t	priv_lvl;
	u_int8_t	authen_type;
	u_int8_t	service;
	u_int8_t	user_len;	/* Length of the user piece in rest */
	u_int8_t	port_len;	/* Length of the port piece in rest */
	u_int8_t	rem_addr_len;	/* Length of the rem_addr piece in rest */
	u_int8_t	av_cnt;		/* Number of AV pairs in rest */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};
104
/*
 * Body of an authorization RESPONSE packet, as laid out on the wire.
 * Field order IS the wire layout; do not reorder.  This comes from the
 * server and is untrusted: av_cnt, msg_len and data_len (the latter two
 * 16-bit, presumably network byte order) must all be validated against
 * the body length actually received before rest is walked.  av_cnt can
 * never exceed MAXAVPAIRS (both are bounded by 255), so the
 * tac_handle.srvr_avs array always has room.  The [1] tail is used because
 * this struct sits in the union in struct tac_msg, where a C99 flexible
 * array member is not allowed.
 */
struct tac_author_response {
	u_int8_t	status;
	u_int8_t	av_cnt;		/* Number of AV pairs in rest */
	u_int16_t	msg_len;	/* Length of the message piece in rest */
	u_int16_t	data_len;	/* Length of the data piece in rest */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};
112
/*
 * Body of an accounting REQUEST packet, as laid out on the wire.
 * Field order IS the wire layout; do not reorder.  Like
 * tac_author_request, it carries av_cnt (8-bit) attribute-value pairs in
 * rest after the user/port/rem_addr pieces sized by the *_len bytes.  The
 * [1] tail is used because this struct sits in the union in
 * struct tac_msg, where a C99 flexible array member is not allowed.
 */
struct tac_acct_start {
	u_int8_t	action;
	u_int8_t	authen_action;
	u_int8_t	priv_lvl;
	u_int8_t	authen_type;
	u_int8_t	authen_service;
	u_int8_t	user_len;	/* Length of the user piece in rest */
	u_int8_t	port_len;	/* Length of the port piece in rest */
	u_int8_t	rem_addr_len;	/* Length of the rem_addr piece in rest */
	u_int8_t	av_cnt;		/* Number of AV pairs in rest */
	unsigned char	rest[1];	/* Start of the variable-length fields */
};
125
/*
 * Body of an accounting REPLY packet, as laid out on the wire.
 * Field order IS the wire layout; do not reorder -- note that status comes
 * AFTER the two lengths here, the reverse of the other reply bodies.
 * This comes from the server and is untrusted: msg_len and data_len
 * (16-bit, presumably network byte order) must be checked against the
 * body length actually received before rest is indexed.  The [1] tail is
 * used because this struct sits in the union in struct tac_msg, where a
 * C99 flexible array member is not allowed.
 */
struct tac_acct_reply {
	u_int16_t	msg_len;	/* Length of the message piece in rest */
	u_int16_t	data_len;	/* Length of the data piece in rest */
	u_int8_t	status;
	unsigned char	rest[1];	/* Start of the variable-length fields */
};
132
/*
 * A complete TACACS+ packet: the 12-byte header (HDRSIZE) followed by a
 * body large enough for any supported type.  Field order IS the wire
 * layout; do not reorder.  The union lets the same storage be viewed as
 * whichever typed body the packet carries, or as raw bytes via body[].
 *
 * Security notes for the receive path (the reader lives in taclib.c):
 *  - length is supplied by the peer.  It must be bounded by BODYSIZE
 *    before any bytes are read into u.body, or the union overflows.
 *  - session_id is four raw bytes; the protocol relies on it being
 *    unpredictable.  NOTE(review): confirm the generator uses a CSPRNG.
 *  - seq_no is 8 bits, so a long conversation wraps; the tracking code
 *    (tac_handle.last_seq_no) must handle reaching 255.
 *  - flags may carry TAC_UNENCRYPTED from the peer; see the flag notes.
 * Also note sizeof(struct tac_msg) is over 8 KiB, and struct tac_handle
 * embeds two of them, so handles are not stack-friendly.
 */
struct tac_msg {
	u_int8_t	version;	/* Protocol version byte (see TAC_VER_MAJOR) */
	u_int8_t	type;		/* TAC_AUTHEN / TAC_AUTHOR / TAC_ACCT */
	u_int8_t	seq_no;		/* Packet sequence number within a session */
	u_int8_t	flags;		/* TAC_UNENCRYPTED / TAC_SINGLE_CONNECT */
	u_int8_t	session_id[4];	/* Session identifier, as raw bytes */
	u_int32_t	length;		/* Body length (presumably network byte order) */
	union {
		struct tac_authen_start authen_start;
		struct tac_authen_reply authen_reply;
		struct tac_authen_cont authen_cont;
		struct tac_author_request author_request;
		struct tac_author_response author_response;
		struct tac_acct_start acct_start;
		struct tac_acct_reply acct_reply;
		unsigned char body[BODYSIZE];	/* Raw view; bounds every body access */
	} u;
};
151
/*
 * One configured TACACS+ server.  Filled in from the configuration file
 * (parser not in this header) and kept in tac_handle.servers[].
 * addr is a sockaddr_in, so only IPv4 servers can be represented.
 * NOTE(review): secret is the clear-text shared secret for this server;
 * it should be zeroized (explicit_bzero) before being freed, and must
 * never be copied into errmsg or logs -- confirm in taclib.c.
 */
struct tac_server {
	struct sockaddr_in addr;	/* Address of server (IPv4 only) */
	char		*secret;	/* Shared secret, NUL-terminated C string */
	int		 timeout;	/* Timeout in seconds */
	int		 flags;		/* Per-server option bits (meaning not visible here) */
	unsigned int	 navs;		/* Number of valid entries in avs[] (presumably) */
	struct tac_str	 avs[MAXAVPAIRS];	/* Per-server AV pairs */
};
160
/*
 * Library-private state behind the opaque handle handed to callers.
 * It holds the server list, the strings the caller has supplied for the
 * next request, one request and one response packet, and the parsed view
 * of the most recent response.  Because it embeds two struct tac_msg
 * (8 KiB+ each) it is meant to be heap-allocated.
 *
 * The srvr_* members describe data received from the server and are
 * therefore derived from untrusted input; the parser must keep srvr_pos
 * within the body length actually received, and srvr_navs never exceeds
 * MAXAVPAIRS since the wire av_cnt is 8 bits.
 */
struct tac_handle {
	int		 fd;		/* Socket file descriptor */
	struct tac_server servers[MAXSERVERS];	/* Servers to contact */
	int		 num_servers;	/* Number of valid server entries */
	int		 cur_server;	/* Server we are currently using */
	int		 single_connect;	/* Use a single connection */
	int		 last_seq_no;	/* Last sequence number used; the wire
					   field is 8 bits (tac_msg.seq_no), so
					   the code must cope with 255 */
	char		 errmsg[ERRSIZE];	/* Most recent error message */

	/* Caller-supplied pieces of the next request. */
	struct tac_str	 user;
	struct tac_str	 port;
	struct tac_str	 rem_addr;
	struct tac_str	 data;
	struct tac_str	 user_msg;
	struct tac_str	 avs[MAXAVPAIRS];	/* AV pairs for the next request */

	struct tac_msg	 request;	/* Packet being built / last sent */
	struct tac_msg	 response;	/* Packet last received (untrusted) */

	/* Parsed view of response; the tac_str members presumably point
	   into response.u.body and are only valid until it is overwritten. */
	int		 srvr_pos;	/* Scan position in response body */
	unsigned int	 srvr_navs;	/* Number of valid entries in srvr_avs[] */
	struct tac_str	 srvr_msg;	/* Server message from the response */
	struct tac_str	 srvr_data;	/* Data field from the response */
	struct tac_str	 srvr_avs[MAXAVPAIRS];	/* AV pairs from the response */
};
186
/*
 * Character-class helpers.  They are deliberately ASCII-only and locale
 * independent, unlike <ctype.h>, and do not require the argument to be
 * representable as unsigned char, so they are safe on raw bytes from the
 * network or the configuration file.  Each expands its argument more than
 * once: pass only side-effect-free expressions.
 */
#define is_alpha(ch) /* 'A'-'Z' or 'a'-'z' */				\
	(!((ch) < 'A' || (ch) > 'Z') || !((ch) < 'a' || (ch) > 'z'))
#define is_num(ch) /* '0'-'9' */						\
	(!((ch) < '0' || (ch) > '9'))
#define is_alnum(ch) /* letter or digit */				\
	(is_num(ch) || is_alpha(ch))
#define is_arg(ch) /* letter, digit, '_' or '-': valid in an argument name */ \
	((ch) == '_' || (ch) == '-' || is_alnum(ch))
195
196#endif
197