1 /*- 2 * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 3 * Copyright (c) 2004-2011 Dag-Erling Smørgrav 4 * All rights reserved. 5 * 6 * This software was developed for the FreeBSD Project by ThinkSec AS and 7 * Network Associates Laboratories, the Security Research Division of 8 * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 9 * ("CBOSS"), as part of the DARPA CHATS research program. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. The name of the author may not be used to endorse or promote 20 * products derived from this software without specific prior written 21 * permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 * 35 * $Id: openpam.h 605 2012-04-20 11:05:10Z des $ 36 */ 37 38 #ifndef SECURITY_OPENPAM_H_INCLUDED 39 #define SECURITY_OPENPAM_H_INCLUDED 40 41 /* 42 * Annoying but necessary header pollution 43 */ 44 #include <stdarg.h> 45 46 #include <security/openpam_attr.h> 47 48 #ifdef __cplusplus 49 extern "C" { 50 #endif 51 52 struct passwd; 53 54 /* 55 * API extensions 56 */ 57 int 58 openpam_borrow_cred(pam_handle_t *_pamh, 59 const struct passwd *_pwd) 60 OPENPAM_NONNULL((1,2)); 61 62 int 63 openpam_subst(const pam_handle_t *_pamh, 64 char *_buf, 65 size_t *_bufsize, 66 const char *_template); 67 68 void 69 openpam_free_data(pam_handle_t *_pamh, 70 void *_data, 71 int _status); 72 73 void 74 openpam_free_envlist(char **_envlist); 75 76 const char * 77 openpam_get_option(pam_handle_t *_pamh, 78 const char *_option); 79 80 int 81 openpam_restore_cred(pam_handle_t *_pamh) 82 OPENPAM_NONNULL((1)); 83 84 int 85 openpam_set_option(pam_handle_t *_pamh, 86 const char *_option, 87 const char *_value); 88 89 int 90 pam_error(const pam_handle_t *_pamh, 91 const char *_fmt, 92 ...) 93 OPENPAM_FORMAT ((__printf__, 2, 3)) 94 OPENPAM_NONNULL((1,2)); 95 96 int 97 pam_get_authtok(pam_handle_t *_pamh, 98 int _item, 99 const char **_authtok, 100 const char *_prompt); 101 102 int 103 pam_info(const pam_handle_t *_pamh, 104 const char *_fmt, 105 ...) 106 OPENPAM_FORMAT ((__printf__, 2, 3)) 107 OPENPAM_NONNULL((1,2)); 108 109 int 110 pam_prompt(const pam_handle_t *_pamh, 111 int _style, 112 char **_resp, 113 const char *_fmt, 114 ...) 115 OPENPAM_FORMAT ((__printf__, 4, 5)) 116 OPENPAM_NONNULL((1,4)); 117 118 int 119 pam_setenv(pam_handle_t *_pamh, 120 const char *_name, 121 const char *_value, 122 int _overwrite); 123 124 int 125 pam_vinfo(const pam_handle_t *_pamh, 126 const char *_fmt, 127 va_list _ap) 128 OPENPAM_FORMAT ((__printf__, 2, 0)) 129 OPENPAM_NONNULL((1,2)); 130 131 int 132 pam_verror(const pam_handle_t *_pamh, 133 const char *_fmt, 134 va_list _ap) 135 OPENPAM_FORMAT ((__printf__, 2, 0)) 136 OPENPAM_NONNULL((1,2)); 137 138 int 139 pam_vprompt(const pam_handle_t *_pamh, 140 int _style, 141 char **_resp, 142 const char *_fmt, 143 va_list _ap) 144 OPENPAM_FORMAT ((__printf__, 4, 0)) 145 OPENPAM_NONNULL((1,4)); 146 147 /* 148 * Read cooked lines. 149 * Checking for _IOFBF is a fairly reliable way to detect the presence 150 * of <stdio.h>, as SUSv3 requires it to be defined there. 151 */ 152 #ifdef _IOFBF 153 char * 154 openpam_readline(FILE *_f, 155 int *_lineno, 156 size_t *_lenp) 157 OPENPAM_NONNULL((1)); 158 159 char ** 160 openpam_readlinev(FILE *_f, 161 int *_lineno, 162 int *_lenp) 163 OPENPAM_NONNULL((1)); 164 165 char * 166 openpam_readword(FILE *_f, 167 int *_lineno, 168 size_t *_lenp) 169 OPENPAM_NONNULL((1)); 170 #endif 171 172 int 173 openpam_straddch(char **_str, 174 size_t *_sizep, 175 size_t *_lenp, 176 int ch) 177 OPENPAM_NONNULL((1)); 178 179 /* 180 * Enable / disable optional features 181 */ 182 enum { 183 OPENPAM_RESTRICT_SERVICE_NAME, 184 OPENPAM_VERIFY_POLICY_FILE, 185 OPENPAM_RESTRICT_MODULE_NAME, 186 OPENPAM_VERIFY_MODULE_FILE, 187 OPENPAM_NUM_FEATURES 188 }; 189 190 int 191 openpam_set_feature(int _feature, int _onoff); 192 193 int 194 openpam_get_feature(int _feature, int *_onoff); 195 196 /* 197 * Log levels 198 */ 199 enum { 200 PAM_LOG_LIBDEBUG = -1, 201 PAM_LOG_DEBUG, 202 PAM_LOG_VERBOSE, 203 PAM_LOG_NOTICE, 204 PAM_LOG_ERROR 205 }; 206 207 /* 208 * Log to syslog 209 */ 210 void 211 _openpam_log(int _level, 212 const char *_func, 213 const char *_fmt, 214 ...) 215 OPENPAM_FORMAT ((__printf__, 3, 4)) 216 OPENPAM_NONNULL((3)); 217 218 #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) 219 #define openpam_log(lvl, ...) \ 220 _openpam_log((lvl), __func__, __VA_ARGS__) 221 #elif defined(__GNUC__) && (__GNUC__ >= 3) 222 #define openpam_log(lvl, ...) \ 223 _openpam_log((lvl), __func__, __VA_ARGS__) 224 #elif defined(__GNUC__) && (__GNUC__ >= 2) && (__GNUC_MINOR__ >= 95) 225 #define openpam_log(lvl, fmt...) \ 226 _openpam_log((lvl), __func__, ##fmt) 227 #elif defined(__GNUC__) && defined(__FUNCTION__) 228 #define openpam_log(lvl, fmt...) \ 229 _openpam_log((lvl), __FUNCTION__, ##fmt) 230 #else 231 void 232 openpam_log(int _level, 233 const char *_format, 234 ...) 235 OPENPAM_FORMAT ((__printf__, 2, 3)) 236 OPENPAM_NONNULL((2)); 237 #endif 238 239 /* 240 * Generic conversation function 241 */ 242 struct pam_message; 243 struct pam_response; 244 int openpam_ttyconv(int _n, 245 const struct pam_message **_msg, 246 struct pam_response **_resp, 247 void *_data); 248 249 extern int openpam_ttyconv_timeout; 250 251 /* 252 * Null conversation function 253 */ 254 int openpam_nullconv(int _n, 255 const struct pam_message **_msg, 256 struct pam_response **_resp, 257 void *_data); 258 259 /* 260 * PAM primitives 261 */ 262 enum { 263 PAM_SM_AUTHENTICATE, 264 PAM_SM_SETCRED, 265 PAM_SM_ACCT_MGMT, 266 PAM_SM_OPEN_SESSION, 267 PAM_SM_CLOSE_SESSION, 268 PAM_SM_CHAUTHTOK, 269 /* keep this last */ 270 PAM_NUM_PRIMITIVES 271 }; 272 273 /* 274 * Dummy service module function 275 */ 276 #define PAM_SM_DUMMY(type) \ 277 PAM_EXTERN int \ 278 pam_sm_##type(pam_handle_t *pamh, int flags, \ 279 int argc, const char *argv[]) \ 280 { \ 281 \ 282 (void)pamh; \ 283 (void)flags; \ 284 (void)argc; \ 285 (void)argv; \ 286 return (PAM_IGNORE); \ 287 } 288 289 /* 290 * PAM service module functions match this typedef 291 */ 292 struct pam_handle; 293 typedef int (*pam_func_t)(struct pam_handle *, int, int, const char **); 294 295 /* 296 * A struct that describes a module. 297 */ 298 typedef struct pam_module pam_module_t; 299 struct pam_module { 300 char *path; 301 pam_func_t func[PAM_NUM_PRIMITIVES]; 302 void *dlh; 303 }; 304 305 /* 306 * Source-code compatibility with Linux-PAM modules 307 */ 308 #if defined(PAM_SM_AUTH) || defined(PAM_SM_ACCOUNT) || \ 309 defined(PAM_SM_SESSION) || defined(PAM_SM_PASSWORD) 310 # define LINUX_PAM_MODULE 311 #endif 312 313 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_AUTH) 314 # define _PAM_SM_AUTHENTICATE 0 315 # define _PAM_SM_SETCRED 0 316 #else 317 # undef PAM_SM_AUTH 318 # define PAM_SM_AUTH 319 # define _PAM_SM_AUTHENTICATE pam_sm_authenticate 320 # define _PAM_SM_SETCRED pam_sm_setcred 321 #endif 322 323 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_ACCOUNT) 324 # define _PAM_SM_ACCT_MGMT 0 325 #else 326 # undef PAM_SM_ACCOUNT 327 # define PAM_SM_ACCOUNT 328 # define _PAM_SM_ACCT_MGMT pam_sm_acct_mgmt 329 #endif 330 331 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_SESSION) 332 # define _PAM_SM_OPEN_SESSION 0 333 # define _PAM_SM_CLOSE_SESSION 0 334 #else 335 # undef PAM_SM_SESSION 336 # define PAM_SM_SESSION 337 # define _PAM_SM_OPEN_SESSION pam_sm_open_session 338 # define _PAM_SM_CLOSE_SESSION pam_sm_close_session 339 #endif 340 341 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_PASSWORD) 342 # define _PAM_SM_CHAUTHTOK 0 343 #else 344 # undef PAM_SM_PASSWORD 345 # define PAM_SM_PASSWORD 346 # define _PAM_SM_CHAUTHTOK pam_sm_chauthtok 347 #endif 348 349 /* 350 * Infrastructure for static modules using GCC linker sets. 351 * You are not expected to understand this. 352 */ 353 #if !defined(PAM_SOEXT) 354 # define PAM_SOEXT ".so" 355 #endif 356 357 #if defined(OPENPAM_STATIC_MODULES) 358 # if !defined(__GNUC__) 359 # error "Don't know how to build static modules on non-GNU compilers" 360 # endif 361 /* gcc, static linking */ 362 # include <sys/cdefs.h> 363 # include <linker_set.h> 364 # define PAM_EXTERN static 365 # define PAM_MODULE_ENTRY(name) \ 366 static char _pam_name[] = name PAM_SOEXT; \ 367 static struct pam_module _pam_module = { \ 368 .path = _pam_name, \ 369 .func = { \ 370 [PAM_SM_AUTHENTICATE] = _PAM_SM_AUTHENTICATE, \ 371 [PAM_SM_SETCRED] = _PAM_SM_SETCRED, \ 372 [PAM_SM_ACCT_MGMT] = _PAM_SM_ACCT_MGMT, \ 373 [PAM_SM_OPEN_SESSION] = _PAM_SM_OPEN_SESSION, \ 374 [PAM_SM_CLOSE_SESSION] = _PAM_SM_CLOSE_SESSION, \ 375 [PAM_SM_CHAUTHTOK] = _PAM_SM_CHAUTHTOK \ 376 }, \ 377 }; \ 378 DATA_SET(_openpam_static_modules, _pam_module) 379 #else 380 /* normal case */ 381 # define PAM_EXTERN 382 # define PAM_MODULE_ENTRY(name) 383 #endif 384 385 #ifdef __cplusplus 386 } 387 #endif 388 389 #endif /* !SECURITY_OPENPAM_H_INCLUDED */ 390