
Tacacs.h

00001 // This is part of tacppd project (extended tacacs++ daemon)
00002 // (c) Copyright in 2000-2004 by tacppd team and contributors
00003 // see http://tacppd.org for more information
00004 //
00005 // file: Tacacs.h
00006 // description: tacacs+ low-level api
00007 
00008 //  This program is free software; you can redistribute it and/or modify
00009 //  it under the terms of the GNU General Public License as published by
00010 //  the Free Software Foundation; either version 2 of the License, or
00011 //  (at your option) any later version.
00012 //
00013 //  This program is distributed in the hope that it will be useful,
00014 //  but WITHOUT ANY WARRANTY; without even the implied warranty of
00015 //  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00016 //  GNU General Public License for more details.
00017 //
00018 //  You should have received a copy of the GNU General Public License
00019 //  along with this program; if not, write to the Free Software
00020 //  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
00021 
00022 /*
00023 This software contains parts of code from Cisco's tac_plus daemon,
00024 distributed under the following copyright notice:
00025 
00026   Copyright (c) 1995-2000 by Cisco systems, Inc.
00027 
00028   Permission to use, copy, modify, and distribute modified and
00029   unmodified copies of this software for any purpose and without fee is
00030   hereby granted, provided that (a) this copyright and permission notice
00031   appear on all copies of the software and supporting documentation, (b)
00032   the name of Cisco Systems, Inc. not be used in advertising or
00033   publicity pertaining to distribution of the program without specific
00034   prior permission, and (c) notice be given in supporting documentation
00035   that use, modification, copying and distribution is by permission of
00036   Cisco Systems, Inc.
00037 
00038   Cisco Systems, Inc. makes no representations about the suitability
00039   of this software for any purpose.  THIS SOFTWARE IS PROVIDED ``AS
00040   IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
00041   WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
00042   FITNESS FOR A PARTICULAR PURPOSE.
00043 */
00044 
00045 // modifications:
00046 //
00047 
00048 // all comments which start with /**<CR> are comments for KDoc */
00049 //  for classes
00050 //    @short [short description of the class]
00051 //    @author [class author]
00052 //    @version [class version]
00053 //    @see [references to other classes or methods]
00054 //  for methods
00055 //    @see [references]
00056 //    @return [sentence describing the return value]
00057 //    @exception [list the exceptions that could be thrown]
00058 //    @param [name id] [description]    - can be multiple
00059 
00060 #ifndef __TACACS_H__
00061 #define __TACACS_H__
00062 
00063 #include "global.h"
00064 
00065 namespace tacpp {
00066 
00068 
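// Sizes and timeouts.
#define TAC_PLUS_MAX_PACKET   512 //256   // we do not handle bigger packets
                                          // (upper bound for a header's datalength)

#define ECHO              0     // echo enable (?)
#define NOECHO            1     // echo disable (?)

#define MSCHAP_DIGEST_LEN     49        // digest length

#define TAC_PLUS_READ_TIMEOUT     256     // seconds (an idle peer holds a reader this long)
#define TAC_PLUS_WRITE_TIMEOUT    20      // seconds

#define NAS_PORT_MAX_LEN          255     // port name length

// types of authentication
#define TACACS_ENABLE_REQUEST   1     // Enable Requests
#define TACACS_ASCII_LOGIN      2     // Inbound ASCII Login
#define TACACS_PAP_LOGIN        3     // Inbound PAP Login
#define TACACS_CHAP_LOGIN       4     // Inbound CHAP login
#define TACACS_ARAP_LOGIN       5     // Inbound ARAP login
#define TACACS_PAP_OUT          6     // Outbound PAP request
#define TACACS_CHAP_OUT         7     // Outbound CHAP request
#define TACACS_ASCII_ARAP_OUT   8     // Outbound ASCII and ARAP request
#define TACACS_ASCII_CHPASS     9     // ASCII change password request
#define TACACS_PPP_CHPASS       10    // PPP change password request
#define TACACS_ARAP_CHPASS      11    // ARAP change password request
#define TACACS_MSCHAP_LOGIN     12    // MS-CHAP inbound login
#define TACACS_MSCHAP_OUT       13    // MS-CHAP outbound login
#define TACACS_CHAP_PASSWORD    14    // request for CHAP cleartext passwd
#define TACACS_PAP_PASSWORD     15    // request for PAP password

// services (authen START "action" values)
#define TAC_PLUS_AUTHEN_LOGIN       1
#define TAC_PLUS_AUTHEN_CHPASS      2
#define TAC_PLUS_AUTHEN_SENDPASS    3   // deprecated (no support here)
#define TAC_PLUS_AUTHEN_SENDAUTH    4

// status of reply packet, that client gets from server in authen
#define TAC_PLUS_AUTHEN_STATUS_PASS       1
#define TAC_PLUS_AUTHEN_STATUS_FAIL       2
#define TAC_PLUS_AUTHEN_STATUS_GETDATA    3
#define TAC_PLUS_AUTHEN_STATUS_GETUSER    4
#define TAC_PLUS_AUTHEN_STATUS_GETPASS    5
#define TAC_PLUS_AUTHEN_STATUS_RESTART    6
#define TAC_PLUS_AUTHEN_STATUS_ERROR      7
#define TAC_PLUS_AUTHEN_STATUS_FOLLOW     0x21

// methods of authorization (the hex comments mirror the decimal values)
#define TAC_PLUS_AUTHEN_METH_NOT_SET      0     // 0x00
#define TAC_PLUS_AUTHEN_METH_NONE         1     // 0x01
#define TAC_PLUS_AUTHEN_METH_KRB5         2     // 0x02
#define TAC_PLUS_AUTHEN_METH_LINE         3     // 0x03
#define TAC_PLUS_AUTHEN_METH_ENABLE       4     // 0x04
#define TAC_PLUS_AUTHEN_METH_LOCAL        5     // 0x05
#define TAC_PLUS_AUTHEN_METH_TACACSPLUS   6     // 0x06   use this?
#define TAC_PLUS_AUTHEN_METH_GUEST        8     // 0x08
#define TAC_PLUS_AUTHEN_METH_RADIUS       16    // 0x10
#define TAC_PLUS_AUTHEN_METH_KRB4         17    // 0x11
#define TAC_PLUS_AUTHEN_METH_RCMD         32    // 0x20

// priv_levels (only four of the sixteen levels 0..15 are named here)
#define TAC_PLUS_PRIV_LVL_MAX             15    // 0x0f
#define TAC_PLUS_PRIV_LVL_ROOT            15    // 0x0f
#define TAC_PLUS_PRIV_LVL_USER            1     // 0x01
#define TAC_PLUS_PRIV_LVL_MIN             0     // 0x00

// authen types (also used as the "type of request" values)
#define TAC_PLUS_AUTHEN_TYPE_ASCII    1   // 0x01      ascii
#define TAC_PLUS_AUTHEN_TYPE_PAP      2   // 0x02      pap
#define TAC_PLUS_AUTHEN_TYPE_CHAP     3   // 0x03      chap
#define TAC_PLUS_AUTHEN_TYPE_ARAP     4   // 0x04      arap
#define TAC_PLUS_AUTHEN_TYPE_MSCHAP   5   // 0x05      mschap

// authen services (also used as the "service of request" values)
#define TAC_PLUS_AUTHEN_SVC_NONE      0   // 0x00
#define TAC_PLUS_AUTHEN_SVC_LOGIN     1   // 0x01
#define TAC_PLUS_AUTHEN_SVC_ENABLE    2   // 0x02
#define TAC_PLUS_AUTHEN_SVC_PPP       3   // 0x03
#define TAC_PLUS_AUTHEN_SVC_ARAP      4   // 0x04
#define TAC_PLUS_AUTHEN_SVC_PT        5   // 0x05
#define TAC_PLUS_AUTHEN_SVC_RCMD      6   // 0x06
#define TAC_PLUS_AUTHEN_SVC_X25       7   // 0x07
#define TAC_PLUS_AUTHEN_SVC_NASI      8   // 0x08
#define TAC_PLUS_AUTHEN_SVC_FWPROXY   9   // 0x09
#define TAC_PLUS_AUTHEN_SVC_H323_VSA  10  // 0x0A

// authorization status
#define TAC_PLUS_AUTHOR_STATUS_PASS_ADD   1     // 0x01
#define TAC_PLUS_AUTHOR_STATUS_PASS_REPL  2     // 0x02
#define TAC_PLUS_AUTHOR_STATUS_FAIL       16    // 0x10
#define TAC_PLUS_AUTHOR_STATUS_ERROR      17    // 0x11
#define TAC_PLUS_AUTHOR_STATUS_FOLLOW     33    // 0x21

// accounting flag (bit mask; START/STOP/WATCHDOG may be combined)
#define TAC_PLUS_ACCT_FLAG_MORE       0x1   // deprecated
#define TAC_PLUS_ACCT_FLAG_START      0x2
#define TAC_PLUS_ACCT_FLAG_STOP       0x4
#define TAC_PLUS_ACCT_FLAG_WATCHDOG   0x8

// accounting status
#define TAC_PLUS_ACCT_STATUS_SUCCESS    1   // 0x01
#define TAC_PLUS_ACCT_STATUS_ERROR      2   // 0x02
#define TAC_PLUS_ACCT_STATUS_FOLLOW     33  // 0x21

// versions: high nibble is the major version, low nibble the minor one
#define TAC_PLUS_MAJOR_VER_MASK     0xf0
#define TAC_PLUS_MAJOR_VER          0xc0
#define TAC_PLUS_MINOR_VER_0        0x0
#define TAC_PLUS_VER_0    (TAC_PLUS_MAJOR_VER | TAC_PLUS_MINOR_VER_0)
#define TAC_PLUS_MINOR_VER_1        0x01
#define TAC_PLUS_VER_1    (TAC_PLUS_MAJOR_VER | TAC_PLUS_MINOR_VER_1)

// type of packets (header "type" byte)
#define TAC_PLUS_AUTHEN         1     // authentication
#define TAC_PLUS_AUTHOR         2     // authorization
#define TAC_PLUS_ACCT           3     // accounting

// crypto flag (header "encryption" byte)
#define TAC_PLUS_ENCRYPTED    0x0   // packet is encrypted
#define TAC_PLUS_CLEAR        0x1   // packet is not encrypted: credentials in the
                                    // body travel unprotected, so a server should
                                    // not accept this flag outside of debugging

// hash
#define HASH_TAB_SIZE         157   // user and group hash table sizes

// NOTE: the former duplicate "type of request" / "service of request" groups
// were identical redefinitions of the TAC_PLUS_AUTHEN_TYPE_* and
// TAC_PLUS_AUTHEN_SVC_* macros above and have been folded into them.

// authen REPLY flag
#define TAC_PLUS_AUTHEN_FLAG_NOECHO         0x1
// authen CONTINUE flag
#define TAC_PLUS_CONTINUE_FLAG_ABORT        0x1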
00211 
00213 
00215 // working with all tacacs+ packets
00217 
00219 
#define TAC_PLUS_HDR_SIZE     12
// Fixed header that precedes every TACACS+ packet.  The wire size is kept as
// a separate constant (12) rather than sizeof(HDR) so that framing does not
// depend on the compiler's struct layout; this assumes a 4-byte int.
// NOTE(review): the 4-byte fields are presumably in network byte order —
// confirm against read_packet()/write_packet().
struct tac_plus_pak_hdr {
  unsigned char version;    // 1 byte: version (TAC_PLUS_VER_0 / TAC_PLUS_VER_1)
  unsigned char type;       // 1 byte: type (TAC_PLUS_AUTHEN / TAC_PLUS_AUTHOR / TAC_PLUS_ACCT)
  unsigned char seq_no;     // 1 byte: packet sequence number
  unsigned char encryption; // 1 byte: packet is encrypted or cleartext (TAC_PLUS_ENCRYPTED / TAC_PLUS_CLEAR)
  int session_id;           // 4 bytes: session identifier
  int datalength;           // 4 bytes: length of encrypted data following header
                            // NOTE(review): declared signed, so a bound check of the
                            // form `datalength > TAC_PLUS_MAX_PACKET` must also reject
                            // negative values (or compare as unsigned) before the
                            // value is used as a buffer size
};
typedef struct tac_plus_pak_hdr HDR;
00233 
#define TAC_AUTHEN_START_FIXED_FIELDS_SIZE    8
// Fixed part of an authentication START body (8 single-byte fields, so no
// padding).  Four variable-length fields follow it; their lengths are the
// one-byte *_len fields below, so each is at most 255 bytes, but the sum must
// still be checked against the header's datalength before reading them.
struct authen_start {
  unsigned char action;       // TAC_PLUS_AUTHEN_LOGIN / CHPASS / SENDPASS / SENDAUTH
  unsigned char priv_lvl;     // TAC_PLUS_PRIV_LVL_MIN .. TAC_PLUS_PRIV_LVL_MAX
  unsigned char authen_type;  // TAC_PLUS_AUTHEN_TYPE_*
  unsigned char service;      // TAC_PLUS_AUTHEN_SVC_*
  unsigned char user_len;
  unsigned char port_len;
  unsigned char rem_addr_len;
  unsigned char data_len;
  // <user_len bytes of char data>
  // <port_len bytes of char data>
  // <rem_addr_len bytes of u_char data>
  // <data_len bytes of u_char data>
};
00252 
#define TAC_AUTHEN_REPLY_FIXED_FIELDS_SIZE    6
// Fixed part of an authentication REPLY body (1+1+2+2 = 6 bytes).
// The two 2-byte lengths are presumably in network byte order — confirm
// where the struct is filled/parsed.
struct authen_reply {
  unsigned char status;           // 1 byte: TAC_PLUS_AUTHEN_STATUS_*
  unsigned char flags;            // 1 byte: TAC_PLUS_AUTHEN_FLAG_NOECHO
  unsigned short msg_len;         // 2 bytes
  unsigned short data_len;        // 2 bytes
  // <msg_len bytes of char data>
  // <data_len bytes of u_char data>
};
00265 
#define TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE       5
// Fixed part of an authentication CONTINUE body (2+2+1 = 5 bytes).
// NOTE: sizeof(authen_cont) is 6 on typical ABIs because of trailing
// padding after `flags`; always use the constant above for wire framing.
struct authen_cont {
  unsigned short user_msg_len;    // 2 bytes
  unsigned short user_data_len;   // 2 bytes
  unsigned char flags;            // 1 byte: TAC_PLUS_CONTINUE_FLAG_ABORT
  // <user_msg_len bytes of u_char data>
  // <user_data_len bytes of u_char data>
};
00277 
#define TAC_AUTHOR_REQ_FIXED_FIELDS_SIZE      8
// Fixed part of an authorization REQUEST body (8 single-byte fields).
// After it come arg_cnt one-byte argument lengths, then the three string
// fields, then the argument bodies.  A parser has to check that
// arg_cnt + user_len + port_len + rem_addr_len + sum(arg lengths) fits in
// the header's datalength before touching any of them.
struct author {
  unsigned char authen_method;    // 1 byte: TAC_PLUS_AUTHEN_METH_*
  unsigned char priv_lvl;         // 1 byte
  unsigned char authen_type;      // 1 byte: TAC_PLUS_AUTHEN_TYPE_*
  unsigned char service;          // 1 byte: TAC_PLUS_AUTHEN_SVC_*
  unsigned char user_len;         // 1 byte
  unsigned char port_len;         // 1 byte
  unsigned char rem_addr_len;     // 1 byte
  unsigned char arg_cnt;          // 1 byte: the number of args
  // <arg_cnt u_chars containing the lengths of args 1 to arg n>
  // <user_len bytes of char data>
  // <port_len bytes of char data>
  // <rem_addr_len bytes of u_char data>
  // <char data for each arg>
};
00297 
// Unlike its siblings this size is a `const int` rather than a macro; it has
// the same value semantics for callers, but it cannot be used in #if tests.
const int TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE = 6;
// Fixed part of an authorization RESPONSE body (1+1+2+2 = 6 bytes), followed
// by arg_cnt one-byte argument lengths, the message, the data, and the args.
struct author_reply {
  unsigned char status;         // 1 byte: TAC_PLUS_AUTHOR_STATUS_*
  unsigned char arg_cnt;        // 1 byte
  unsigned short msg_len;       // 2 bytes
  unsigned short data_len;      // 2 bytes
  // <arg_cnt u_chars containing the lengths of arg 1 to arg n>
  // <msg_len bytes of char data>
  // <data_len bytes of char data>
  // <char data for each arg>
};
00312 
#define TAC_ACCT_REQ_FIXED_FIELDS_SIZE        9
// Fixed part of an accounting REQUEST body (9 single-byte fields); the
// variable part has the same layout as an authorization request (argument
// lengths, then user/port/rem_addr, then argument bodies) and needs the
// same total-length check against the header's datalength.
struct acct {
  unsigned char flags;            // 1 byte: TAC_PLUS_ACCT_FLAG_* bit mask
  unsigned char authen_method;    // 1 byte: TAC_PLUS_AUTHEN_METH_*
  unsigned char priv_lvl;         // 1 byte
  unsigned char authen_type;      // 1 byte: TAC_PLUS_AUTHEN_TYPE_*
  unsigned char authen_service;   // 1 byte: TAC_PLUS_AUTHEN_SVC_*
  unsigned char user_len;         // 1 byte
  unsigned char port_len;         // 1 byte
  unsigned char rem_addr_len;     // 1 byte
  unsigned char arg_cnt;          // 1 byte: the number of cmd args
  // one u_char containing size for each arg
  // <user_len bytes of char data>
  // <port_len bytes of char data>
  // <rem_addr_len bytes of u_char data>
  // char data for args 1 ... n
};
00333 
#define TAC_ACCT_REPLY_FIXED_FIELDS_SIZE      5
// Fixed part of an accounting REPLY body (2+2+1 = 5 bytes).
// NOTE: sizeof(acct_reply) is 6 on typical ABIs because of trailing padding
// after `status`; always use the constant above for wire framing.
struct acct_reply {
  unsigned short msg_len;         // 2 bytes
  unsigned short data_len;        // 2 bytes
  unsigned char status;           // 1 byte: TAC_PLUS_ACCT_STATUS_* - did the server accept the record
};
00343 
00345 
00347 
// One TACACS+ packet endpoint: holds the socket, the shared secret and the
// per-session framing state (session id, sequence number, version), and
// exchanges one packet at a time over it.
class TacacsPacket : public Packet {
//class TacacsPacket : public Packet, public md5 {
  pthread_mutex_t mutex_;   // guards the members below (presumably via lock()/unlock())
  void lock();              // acquire mutex_
  void unlock();            // release mutex_
  unsigned int session_id_; // header session_id of the current session
  int aborted_;             // non-zero once the session was aborted (see setAborted)
  int seq_no_;              // header seq_no of the last packet sent/received
  int sock_;                // connected socket descriptor; who closes it is not visible here — confirm in the dtor
  time_t last_exch_;        // time of the last packet exchange (idle-timeout bookkeeping)
  string key_;              // shared secret for the MD5 pad; treat as sensitive, never log it
  int keyline_;             // presumably the config line the key came from — confirm
  string peer_;             // peer address as text
  unsigned char version_;   // header version byte (TAC_PLUS_VER_0 / TAC_PLUS_VER_1)
 public:
  // (key, peer, socket, session id) — order inferred from TacacsClient's
  // ctor `TacacsPacket(k,p,f,0)`; confirm against the definition.
  TacacsPacket(const char*,const char*,int,unsigned int);
  ~TacacsPacket();
  // Classifies a received packet (argument is presumably the raw packet); the
  // meaning of the returned int is not visible here.
  int selector(unsigned char*);
  unsigned int getSessionId();
  void setSessionId(unsigned int);
  int getAborted();
  void setAborted(int);
  int getSeqNo();
  void setSeqNo(int);
  int getSock();
  void setSock(int);
  time_t getLastExch();
  void setLastExch(time_t);
  // Returns a copy of the shared secret; every copy is another place the
  // secret lives, so callers should keep it out of logs and error messages.
  string getKey();
  void setKey(string);
  int getKeyline();
  void setKeyline(int);
  string getPeer();
  void setPeer(string);
  unsigned char getVersion();
  void setVersion(unsigned char);
//  void free_avpairs(char **avp);
  // Builds the MD5 pad for one packet.  Presumably (session_id, version,
  // seq_no, previous hash, output) mirroring the TACACS+ pad chain — confirm.
  void create_md5_hash(int, unsigned char,
      unsigned char, unsigned char*, unsigned char*);
  // XORs the body following the given header with the MD5 pad.  XOR is its
  // own inverse, so the same call de-obfuscates a received body and
  // obfuscates one to be sent.  This provides confidentiality only: nothing
  // here authenticates the body, so length/field checks must not trust it.
  bool md5_xor(HDR*, unsigned char*);
  // Read one packet from sock_.  Ownership of the returned buffer (must the
  // caller free it?) is not visible in this header — confirm.
  unsigned char *read_packet();
  // Variant that takes an already-read header (presumably).
  unsigned char *read_packet(unsigned char*);
  // Write one complete packet (header + body) to sock_; false on failure.
  bool write_packet(unsigned char *buf);
};
00478 
class TacacsSessionContainer;  // forward declaration; defined below

// Accepts TACACS+ packets on a socket and hands them to the matching
// session container (the queue below holds the live sessions).
class TacacsPacketReader : public Packet {
  pthread_mutex_t mutex_;   // guards tacacsSessionQueue_ (presumably)
  void lock();              // acquire mutex_
  void unlock();            // release mutex_
  // Read only the fixed header; the body length must then be validated
  // against TAC_PLUS_MAX_PACKET before the body is read.
  unsigned char *read_packet_header();
  list<TacacsSessionContainer*> tacacsSessionQueue_;  // raw owning? pointers — confirm who deletes
 public:
  // (peer/key?, socket) — parameter meaning not visible here; confirm.
  TacacsPacketReader(char*,int);
  ~TacacsPacketReader();
};
00511 
00513 
// Empty tag type thrown to signal an internal authentication error; it
// carries no data, so the catch site only learns that authen failed.
class TacErrAuthen {};
00516 
// Server side of one authentication exchange (START / REPLY / CONTINUE).
// Much of the per-request state is public fixed-size buffers; any copy into
// them must be bounded by the array sizes, since the lengths come from the
// client-supplied packet.
class TacacsServerAuthentication : public AAA {
  pthread_mutex_t mutex_;
  void lock();              // acquire mutex_
  void unlock();            // release mutex_
  string user_;             // user name from the START packet
  string port_;             // NAS port from the START packet
  string rem_addr_;         // remote address string from the START packet
  ipaddr cisco_;            // address of the NAS (client) — presumably
  int res_;                 // result of the last step — meaning not visible here
  string enable_;           // enable-level related string — confirm
  int request_;             // TACACS_* authentication request type (see "types of authentication")
 public:
  string getUser();
  void setUser(string);
  string getPort();
  void setPort(string);
  string getRemAddr();
  void setRemAddr(string);
  char data[DATA_LEN];                // START/CONTINUE data field; bound copies by DATA_LEN
  ipaddr getCisco();
  void setCisco(ipaddr);
  int getRes();
  int setRes(int);
  char password[DB_PASSWORD_LEN];     // password under test; bound copies by DB_PASSWORD_LEN
  char pwstring[DATA_LEN];            // password string as received; bound copies by DATA_LEN
  string getEnable();
  void setEnable(string);
  bool chap;                          // true for a CHAP-style exchange (presumably)
  int en_req;                         // enable request flag/level — confirm
  char *buf_cont;                     // raw pointer to a CONTINUE buffer; ownership not visible here
  int getRequest();
  void setRequest(int);
  // Parse an authentication START packet (header, body, ...); returns the
  // request type or an error code — confirm.
  int get_start(unsigned char*,unsigned char*,char*);
  // Send a REPLY with (status, server_msg, data, ...) — the last two ints
  // are not documented here; confirm.
  bool send_reply(const int,const char*,const char*,int,int);
  // Parse an authentication CONTINUE packet.
  int get_cont(unsigned char*,unsigned char*,char*,char*,int);
//  char loginstring[32];
//  char pwdstring[32];
  TacacsPacket *t;                    // packet endpoint used for I/O (not owned — confirm)
  TacacsServerAuthentication(TacacsPacket*);
  ~TacacsServerAuthentication();
};
00639 
// Server side of one authorization exchange (REQUEST / RESPONSE), including
// the attribute-value pair matching against the user's configuration.
class TacacsServerAuthorization : public AAA {
  pthread_mutex_t mutex_;
  void lock();              // acquire mutex_
  void unlock();            // release mutex_
 public:
  int method;                 // TAC_PLUS_AUTHEN_METH_* from the request
  int priv_lvl;               // requested privilege level
  int authen_type;            // TAC_PLUS_AUTHEN_TYPE_*
  int authen_service;         // TAC_PLUS_AUTHEN_SVC_*
  char user[USERNAME_LEN];    // fixed buffers: copies from the packet must be bounded
  char port[PORT_LEN];
  char rem_addr[REM_ADDR_LEN];
  db_user dbd;                // user record loaded from the database
  char *curService;           // service= AV pair currently being evaluated (presumably)
  char *curProtocol;          // protocol= AV pair currently being evaluated (presumably)
  int added;                  // counters for PASS_ADD / PASS_REPL style replies — confirm
  int replaced;
  int start_av;
  char *avpair[MAX_AVP];      // AV pairs from the request; MAX_AVP bounds arg_cnt handling
  char *bavpair[MAX_AVP];
  char *nas_avp;
  regex_t preg;               // POSIX regex state; presumably compiled per match and
  size_t nmatch;              // released with regfree() — confirm in the dtor
  regmatch_t pmatch[2];
  bool flag1;                 // scratch flags for the matching loop
  bool flag2;
  bool flag3;
  bool flag4;
  int j;                      // scratch index
  char *avps[MAX_AVP];
  // Parse an authorization REQUEST.  NOTE: the last parameter is named
  // `avpair` and shadows the member of the same name inside this function.
  bool get_request(unsigned char*,unsigned char*,int*,int*,int*,int*,char*,
      char*,char*,char **avpair);
  // Send a RESPONSE with (status, server_msg, data, avpairs).
  bool send_response(const int,const char*,const char*,char**);
  bool optional(char*);       // is this AV pair optional ("attr*value")?
  bool mandatory(char*);      // is this AV pair mandatory ("attr=value")?
  bool match_attr(char*,char*);
  bool match_value(char*,char*);
  char *get_value(char*);     // value part of an AV pair (returned pointer lifetime not visible here)
  bool def_author;            // default-authorization behaviour when no rule matches — confirm
  TacacsPacket *t;            // packet endpoint used for I/O (not owned — confirm)
  TacacsServerAuthorization(TacacsPacket*, bool);
  ~TacacsServerAuthorization();
};
00766 
// Server side of one accounting exchange (REQUEST / REPLY).
class TacacsServerAccounting : public AAA {
  pthread_mutex_t mutex_;
  void lock();              // acquire mutex_
  void unlock();            // release mutex_
 public:
  list<string> avpair;      // AV pairs from the accounting request
  // Parse an accounting REQUEST (header, body, then out-params for flags,
  // method, priv_lvl, type/service and the string fields — confirm order).
  int get_request(unsigned char*,unsigned char*,int*,int*,int*,int*,char*,
     char*,char*,char*);
  // Send a REPLY with (server_msg, data, status).
  bool send_reply(char*,char*,const int);
  TacacsPacket *t;          // packet endpoint used for I/O (not owned — confirm)
  TacacsServerAccounting(TacacsPacket*);
  ~TacacsServerAccounting();
};
00804 
// One live TACACS+ session: owns the packet endpoint and the three
// per-service handlers, plus the credentials gathered during the session.
class TacacsSessionContainer {
  pthread_mutex_t mutex_;
  void lock();              // acquire mutex_
  void unlock();            // release mutex_
  pthread_mutex_t mutex2_;  // second lock, exposed via lock2()/unlock2()
  TacacsServerAuthentication *tac_authen;   // per-service handlers; ownership
  TacacsServerAuthorization *tac_author;    // presumably here — confirm in the dtor
  TacacsServerAccounting *tac_account;
  time_t created_;          // creation time (for session expiry)
  string loginstring_;      // user name collected during authen
  string pwdstring_;        // password collected during authen; lives as long as the
                            // session and std::string does not scrub it on destruction
  bool authoriz_;           // authorization already granted for this session?
  string key_;              // shared secret for this peer; keep out of logs
  int sock_;                // session socket descriptor
  unsigned int session_id_; // header session_id
  ipaddr peer_;             // peer (NAS) address
 public:
  void lock2();             // acquire mutex2_
  void unlock2();           // release mutex2_
  TacacsPacket *tac;        // packet endpoint for this session
  time_t getCreated();
// /**
//  set created */
//  void setCreated(time_t);
  string getLoginstring();
  void setLoginstring(string);
  string getPwdstring();
  void setPwdstring(string);
  bool getAuthoriz();
  void setAuthoriz(bool);
  string getKey();
  void setKey(string);
  int getSock();
  void setSock(int);
  unsigned int getSessionId();
  void setSessionId(unsigned int);
  ipaddr getPeer();
  void setPeer(ipaddr);
  // (peer, socket, session id?, key?, ...) — argument meaning not visible here; confirm.
  TacacsSessionContainer(ipaddr,int,int,char*,char*,char*,bool);
  ~TacacsSessionContainer();
  // Dispatch one received packet (header, body) to the matching handler.
  void process(unsigned char*,unsigned char*);
};
00925 
00927 
// Client side of the protocol: one send/get pair per service, built on the
// TacacsPacket framing.
class TacacsClient : public TacacsPacket {
 public:
  // Send an authentication START for the given port/user/type with data.
  bool authen_send_start(const char* port,
      const char* username,
      const int type,
      const char* data);
  // Receive an authentication REPLY; fills server message and data buffers
  // (the caller's buffers — their sizes are not passed, so confirm the
  // bound used) and returns the status.
  int authen_get_reply(char* server,
      char* datas);
  // Send an authentication CONTINUE.
  bool authen_send_cont(const char* user_msg,
      const char* data);
  // Send an authorization REQUEST with a NULL-terminated avpair list (presumably).
  bool author_send_request(const int method,
      const int priv_lvl,
      const int authen_type,
      const int authen_service,
      const char *user,
      const char *port,
      char **avpair);
  // Receive an authorization RESPONSE; returns the status.
  int author_get_response(char *server_msg,
      char *data,
      char **avpair);
  // Send an accounting REQUEST with the given TAC_PLUS_ACCT_FLAG_* flag.
  bool account_send_request(const int flag,
      const int method,
      const int priv_lvl,
      const int authen_type,
      const int authen_service,
      const char *user,
      const char *port,
      char **avpair);
  // Receive an accounting REPLY; returns the status.
  int account_get_reply(char *server_msg,char *data);
  // key, peer, socket; the session id is fixed at 0 here, so a caller that
  // needs a distinct id per session must call setSessionId() before use.
  TacacsClient(char *k,char *p,int f):TacacsPacket(k,p,f,0) {}
};
00980 
00981 };
00982 
00983 #endif //__TACACS_H__
