From owner-svn-src-all@FreeBSD.ORG Fri Dec 11 07:53:44 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D3F5F106566B; Fri, 11 Dec 2009 07:53:44 +0000 (UTC) (envelope-from syrinx@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id C21468FC1C; Fri, 11 Dec 2009 07:53:44 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id nBB7ritG099423; Fri, 11 Dec 2009 07:53:44 GMT (envelope-from syrinx@svn.freebsd.org) Received: (from syrinx@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id nBB7rib9099418; Fri, 11 Dec 2009 07:53:44 GMT (envelope-from syrinx@svn.freebsd.org) Message-Id: <200912110753.nBB7rib9099418@svn.freebsd.org> From: Shteryana Shopova Date: Fri, 11 Dec 2009 07:53:44 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r200399 - head/lib/libtacplus X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2009 07:53:45 -0000 Author: syrinx Date: Fri Dec 11 07:53:44 2009 New Revision: 200399 URL: http://svn.freebsd.org/changeset/base/200399 Log: Add support for TACACS+ accounting to libtacplus(3). Submitted by: Michael Pounov misho@aitbg.com OKed by: emaste Modified: head/lib/libtacplus/libtacplus.3 head/lib/libtacplus/taclib.c head/lib/libtacplus/taclib.h head/lib/libtacplus/taclib_private.h Modified: head/lib/libtacplus/libtacplus.3 ============================================================================== --- head/lib/libtacplus/libtacplus.3 Fri Dec 11 04:14:44 2009 (r200398) +++ head/lib/libtacplus/libtacplus.3 Fri Dec 11 07:53:44 2009 (r200399) @@ -44,6 +44,8 @@ .Fn tac_create_authen "struct tac_handle *h" "int action" "int type" "int service" .Ft int .Fn tac_create_author "struct tac_handle *h" "int method" "int type" "int service" +.Ft int +.Fn tac_create_acct "struct tac_handle *h" "int acct" "int action" "int type" "int service" .Ft char * .Fn tac_get_av "struct tac_handle *h" "u_int index" .Ft char * @@ -59,6 +61,8 @@ .Ft int .Fn tac_send_author "struct tac_handle *h" .Ft int +.Fn tac_send_acct "struct tac_handle *h" +.Ft int .Fn tac_set_av "struct tac_handle *h" "u_int index" "const char *av_pair" .Ft int .Fn tac_set_data "struct tac_handle *h" "const void *data" "size_t data_len" @@ -193,6 +197,20 @@ TACACS+ protocol specification. The .In taclib.h header file contains symbolic constants for these values. +.Sh CREATING A TACACS+ ACCOUNTING REQUEST +To begin constructing a new accounting request, call +.Fn tac_create_acct . +The +.Va acct , +.Va action , +.Va type , +and +.Va service +arguments must be set to appropriate values as defined in the +TACACS+ protocol specification. +The +.In taclib.h +header file contains symbolic constants for these values. .Sh SETTING OPTIONAL PARAMETERS ON A REQUEST After creating a request, various optional parameters may be attached to it through calls to @@ -354,6 +372,29 @@ include: .Pp The number of AV pairs received is obtained using .Fn TAC_AUTHEN_AV_COUNT . +.Sh SENDING THE ACCOUNTING REQUEST AND RECEIVING THE RESPONSE +After the TACACS+ authorization request has been constructed, it +is sent by means of +.Fn tac_send_acct . +This function connects to a server if not already connected, sends +the request, and waits for a reply. +On failure, +.Fn tac_send_acct +returns \-1. +Otherwise, it returns the TACACS+ status code +Possible status codes, defined in +.In taclib.h , +include: +.Pp +.Bl -item -compact -offset indent +.It +.Dv TAC_ACCT_STATUS_SUCCESS +.It +.Dv TAC_ACCT_STATUS_ERROR +.It +.Dv TAC_ACCT_STATUS_FOLLOW +.El +.Pp .Sh EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE Like an authentication response packet, an authorization response packet from the @@ -418,10 +459,14 @@ which can be retrieved using .It .Fn tac_create_author .It +.Fn tac_create_acct +.It .Fn tac_send_authen .It .Fn tac_send_author .It +.Fn tac_send_acct +.It .Fn tac_set_av .It .Fn tac_set_data Modified: head/lib/libtacplus/taclib.c ============================================================================== --- head/lib/libtacplus/taclib.c Fri Dec 11 04:14:44 2009 (r200398) +++ head/lib/libtacplus/taclib.c Fri Dec 11 07:53:44 2009 (r200399) @@ -211,6 +211,8 @@ protocol_version(int msg_type, int var, } break; + case TAC_ACCT: + default: minor = 0; break; @@ -967,6 +969,23 @@ tac_create_author(struct tac_handle *h, return 0; } +int +tac_create_acct(struct tac_handle *h, int acct, int action, int type, int service) +{ + struct tac_acct_start *as; + + create_msg(h, TAC_ACCT, action, type); + + as = &h->request.u.acct_start; + as->action = acct; + as->authen_action = action; + as->priv_lvl = TAC_PRIV_LVL_USER; + as->authen_type = type; + as->authen_service = service; + + return 0; +} + static void create_msg(struct tac_handle *h, int msg_type, int var, int type) { @@ -1158,6 +1177,49 @@ tac_send_author(struct tac_handle *h) } int +tac_send_acct(struct tac_handle *h) +{ + register int i, current; + struct tac_acct_start *as = &h->request.u.acct_start; + struct tac_acct_reply *ar = &h->response.u.acct_reply; + + /* start */ + as = &h->request.u.acct_start; + h->request.length = htonl(offsetof(struct tac_acct_start, rest[0])); + for (as->av_cnt = 0, i = 0; i < MAXAVPAIRS; i++) + if (h->avs[i].len && h->avs[i].data) + as->av_cnt++; + h->request.length = ntohl(htonl(h->request.length) + as->av_cnt); + + if (add_str_8(h, &as->user_len, &h->user) == -1 || + add_str_8(h, &as->port_len, &h->port) == -1 || + add_str_8(h, &as->rem_addr_len, &h->rem_addr) == -1) + return -1; + + for (i = current = 0; i < MAXAVPAIRS; i++) + if (h->avs[i].len && h->avs[i].data) + if (add_str_8(h, &as->rest[current++], &(h->avs[i])) == -1) + return -1; + + /* send */ + if (send_msg(h) == -1 || recv_msg(h) == -1) + return -1; + + /* reply */ + h->srvr_pos = offsetof(struct tac_acct_reply, rest[0]); + if (get_srvr_str(h, "msg", &h->srvr_msg, ntohs(ar->msg_len)) == -1 || + get_srvr_str(h, "data", &h->srvr_data, ntohs(ar->data_len)) == -1 || + get_srvr_end(h) == -1) + return -1; + + /* Sanity checks */ + if (!h->single_connect) + close_connection(h); + + return ar->status; +} + +int tac_set_rem_addr(struct tac_handle *h, const char *addr) { return save_str(h, &h->rem_addr, addr, addr != NULL ? strlen(addr) : 0); Modified: head/lib/libtacplus/taclib.h ============================================================================== --- head/lib/libtacplus/taclib.h Fri Dec 11 04:14:44 2009 (r200398) +++ head/lib/libtacplus/taclib.h Fri Dec 11 07:53:44 2009 (r200399) @@ -103,6 +103,17 @@ struct tac_handle; #define TAC_AUTHOR_STATUS_FAIL 0x10 #define TAC_AUTHOR_STATUS_ERROR 0x11 +/* Accounting actions */ +#define TAC_ACCT_MORE 0x1 +#define TAC_ACCT_START 0x2 +#define TAC_ACCT_STOP 0x4 +#define TAC_ACCT_WATCHDOG 0x8 + +/* Accounting status */ +#define TAC_ACCT_STATUS_SUCCESS 0x1 +#define TAC_ACCT_STATUS_ERROR 0x2 +#define TAC_ACCT_STATUS_FOLLOW 0x21 + __BEGIN_DECLS int tac_add_server(struct tac_handle *, const char *, int, const char *, int, int); @@ -127,6 +138,8 @@ int tac_set_av(struct tac_handle *, u char *tac_get_av(struct tac_handle *, u_int); char *tac_get_av_value(struct tac_handle *, const char *); void tac_clear_avs(struct tac_handle *); +int tac_create_acct(struct tac_handle *, int, int, int, int); +int tac_send_acct(struct tac_handle *); __END_DECLS #endif /* _TACLIB_H_ */ Modified: head/lib/libtacplus/taclib_private.h ============================================================================== --- head/lib/libtacplus/taclib_private.h Fri Dec 11 04:14:44 2009 (r200398) +++ head/lib/libtacplus/taclib_private.h Fri Dec 11 07:53:44 2009 (r200399) @@ -132,6 +132,26 @@ struct tac_author_response { unsigned char rest[1]; }; +struct tac_acct_start { + u_int8_t action; + u_int8_t authen_action; + u_int8_t priv_lvl; + u_int8_t authen_type; + u_int8_t authen_service; + u_int8_t user_len; + u_int8_t port_len; + u_int8_t rem_addr_len; + u_int8_t av_cnt; + unsigned char rest[1]; +}; + +struct tac_acct_reply { + u_int16_t msg_len; + u_int16_t data_len; + u_int8_t status; + unsigned char rest[1]; +}; + struct tac_msg { u_int8_t version; u_int8_t type; @@ -145,6 +165,8 @@ struct tac_msg { struct tac_authen_cont authen_cont; struct tac_author_request author_request; struct tac_author_response author_response; + struct tac_acct_start acct_start; + struct tac_acct_reply acct_reply; unsigned char body[BODYSIZE]; } u; };