1 /*-
2  * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3  * Copyright (c) 2004-2007 Dag-Erling Smørgrav
4  * All rights reserved.
5  *
6  * This software was developed for the FreeBSD Project by ThinkSec AS and
7  * Network Associates Laboratories, the Security Research Division of
8  * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
9  * ("CBOSS"), as part of the DARPA CHATS research program.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1. Redistributions of source code must retain the above copyright
15  *    notice, this list of conditions and the following disclaimer.
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in the
18  *    documentation and/or other materials provided with the distribution.
19  * 3. The name of the author may not be used to endorse or promote
20  *    products derived from this software without specific prior written
21  *    permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  *
35  * $Id: openpam.h 408 2007-12-21 11:36:24Z des $
36  */
37 
38 #ifndef SECURITY_OPENPAM_H_INCLUDED
39 #define SECURITY_OPENPAM_H_INCLUDED
40 
41 /*
42  * Annoying but necessary header pollution
43  */
44 #include <stdarg.h>
45 
46 #include <security/openpam_attr.h>
47 
48 #ifdef __cplusplus
49 extern "C" {
50 #endif
51 
52 struct passwd;
53 
54 /*
55  * API extensions
56  */
57 int
58 openpam_borrow_cred(pam_handle_t *_pamh,
59 	const struct passwd *_pwd)
60 	OPENPAM_NONNULL((1,2));
61 
62 void
63 openpam_free_data(pam_handle_t *_pamh,
64 	void *_data,
65 	int _status);
66 
67 void
68 openpam_free_envlist(char **_envlist);
69 
70 const char *
71 openpam_get_option(pam_handle_t *_pamh,
72 	const char *_option);
73 
74 int
75 openpam_restore_cred(pam_handle_t *_pamh)
76 	OPENPAM_NONNULL((1));
77 
78 int
79 openpam_set_option(pam_handle_t *_pamh,
80 	const char *_option,
81 	const char *_value);
82 
83 int
84 pam_error(const pam_handle_t *_pamh,
85 	const char *_fmt,
86 	...)
87 	OPENPAM_FORMAT ((__printf__, 2, 3))
88 	OPENPAM_NONNULL((1,2));
89 
90 int
91 pam_get_authtok(pam_handle_t *_pamh,
92 	int _item,
93 	const char **_authtok,
94 	const char *_prompt)
95 	OPENPAM_NONNULL((1,3));
96 
97 int
98 pam_info(const pam_handle_t *_pamh,
99 	const char *_fmt,
100 	...)
101 	OPENPAM_FORMAT ((__printf__, 2, 3))
102 	OPENPAM_NONNULL((1,2));
103 
104 int
105 pam_prompt(const pam_handle_t *_pamh,
106 	int _style,
107 	char **_resp,
108 	const char *_fmt,
109 	...)
110 	OPENPAM_FORMAT ((__printf__, 4, 5))
111 	OPENPAM_NONNULL((1,4));
112 
113 int
114 pam_setenv(pam_handle_t *_pamh,
115 	const char *_name,
116 	const char *_value,
117 	int _overwrite)
118 	OPENPAM_NONNULL((1,2,3));
119 
120 int
121 pam_vinfo(const pam_handle_t *_pamh,
122 	const char *_fmt,
123 	va_list _ap)
124 	OPENPAM_FORMAT ((__printf__, 2, 0))
125 	OPENPAM_NONNULL((1,2));
126 
127 int
128 pam_verror(const pam_handle_t *_pamh,
129 	const char *_fmt,
130 	va_list _ap)
131 	OPENPAM_FORMAT ((__printf__, 2, 0))
132 	OPENPAM_NONNULL((1,2));
133 
134 int
135 pam_vprompt(const pam_handle_t *_pamh,
136 	int _style,
137 	char **_resp,
138 	const char *_fmt,
139 	va_list _ap)
140 	OPENPAM_FORMAT ((__printf__, 4, 0))
141 	OPENPAM_NONNULL((1,4));
142 
143 /*
144  * Read cooked lines.
145  * Checking for _IOFBF is a fairly reliable way to detect the presence
146  * of <stdio.h>, as SUSv3 requires it to be defined there.
147  */
148 #ifdef _IOFBF
149 char *
150 openpam_readline(FILE *_f,
151 	int *_lineno,
152 	size_t *_lenp)
153 	OPENPAM_NONNULL((1));
154 #endif
155 
156 /*
157  * Log levels
158  */
159 enum {
160 	PAM_LOG_DEBUG,
161 	PAM_LOG_VERBOSE,
162 	PAM_LOG_NOTICE,
163 	PAM_LOG_ERROR
164 };
165 
166 /*
167  * Log to syslog
168  */
169 void
170 _openpam_log(int _level,
171 	const char *_func,
172 	const char *_fmt,
173 	...)
174 	OPENPAM_FORMAT ((__printf__, 3, 4))
175 	OPENPAM_NONNULL((3));
176 
177 #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
178 #define openpam_log(lvl, ...) \
179 	_openpam_log((lvl), __func__, __VA_ARGS__)
180 #elif defined(__GNUC__) && (__GNUC__ >= 3)
181 #define openpam_log(lvl, ...) \
182 	_openpam_log((lvl), __func__, __VA_ARGS__)
183 #elif defined(__GNUC__) && (__GNUC__ >= 2) && (__GNUC_MINOR__ >= 95)
184 #define openpam_log(lvl, fmt...) \
185 	_openpam_log((lvl), __func__, ##fmt)
186 #elif defined(__GNUC__) && defined(__FUNCTION__)
187 #define openpam_log(lvl, fmt...) \
188 	_openpam_log((lvl), __FUNCTION__, ##fmt)
189 #else
190 void
191 openpam_log(int _level,
192 	const char *_format,
193  	...)
194  	OPENPAM_FORMAT ((__printf__, 2, 3))
195 	OPENPAM_NONNULL((2));
196 #endif
197 
198 /*
199  * Generic conversation function
200  */
201 struct pam_message;
202 struct pam_response;
203 int openpam_ttyconv(int _n,
204 	const struct pam_message **_msg,
205 	struct pam_response **_resp,
206 	void *_data);
207 
208 extern int openpam_ttyconv_timeout;
209 
210 /*
211  * Null conversation function
212  */
213 int openpam_nullconv(int _n,
214 	const struct pam_message **_msg,
215 	struct pam_response **_resp,
216 	void *_data);
217 
218 /*
219  * PAM primitives
220  */
221 enum {
222 	PAM_SM_AUTHENTICATE,
223 	PAM_SM_SETCRED,
224 	PAM_SM_ACCT_MGMT,
225 	PAM_SM_OPEN_SESSION,
226 	PAM_SM_CLOSE_SESSION,
227 	PAM_SM_CHAUTHTOK,
228 	/* keep this last */
229 	PAM_NUM_PRIMITIVES
230 };
231 
232 /*
233  * Dummy service module function
234  */
235 #define PAM_SM_DUMMY(type)						\
236 PAM_EXTERN int								\
237 pam_sm_##type(pam_handle_t *pamh, int flags,				\
238     int argc, const char *argv[])					\
239 {									\
240 									\
241 	(void)pamh;							\
242 	(void)flags;							\
243 	(void)argc;							\
244 	(void)argv;							\
245 	return (PAM_IGNORE);						\
246 }
247 
248 /*
249  * PAM service module functions match this typedef
250  */
251 struct pam_handle;
252 typedef int (*pam_func_t)(struct pam_handle *, int, int, const char **);
253 
254 /*
255  * A struct that describes a module.
256  */
257 typedef struct pam_module pam_module_t;
258 struct pam_module {
259 	char		*path;
260 	pam_func_t	 func[PAM_NUM_PRIMITIVES];
261 	void		*dlh;
262 };
263 
264 /*
265  * Source-code compatibility with Linux-PAM modules
266  */
267 #if defined(PAM_SM_AUTH) || defined(PAM_SM_ACCOUNT) || \
268 	defined(PAM_SM_SESSION) || defined(PAM_SM_PASSWORD)
269 # define LINUX_PAM_MODULE
270 #endif
271 
272 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_AUTH)
273 # define _PAM_SM_AUTHENTICATE	0
274 # define _PAM_SM_SETCRED	0
275 #else
276 # undef PAM_SM_AUTH
277 # define PAM_SM_AUTH
278 # define _PAM_SM_AUTHENTICATE	pam_sm_authenticate
279 # define _PAM_SM_SETCRED	pam_sm_setcred
280 #endif
281 
282 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_ACCOUNT)
283 # define _PAM_SM_ACCT_MGMT	0
284 #else
285 # undef PAM_SM_ACCOUNT
286 # define PAM_SM_ACCOUNT
287 # define _PAM_SM_ACCT_MGMT	pam_sm_acct_mgmt
288 #endif
289 
290 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_SESSION)
291 # define _PAM_SM_OPEN_SESSION	0
292 # define _PAM_SM_CLOSE_SESSION	0
293 #else
294 # undef PAM_SM_SESSION
295 # define PAM_SM_SESSION
296 # define _PAM_SM_OPEN_SESSION	pam_sm_open_session
297 # define _PAM_SM_CLOSE_SESSION	pam_sm_close_session
298 #endif
299 
300 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_PASSWORD)
301 # define _PAM_SM_CHAUTHTOK	0
302 #else
303 # undef PAM_SM_PASSWORD
304 # define PAM_SM_PASSWORD
305 # define _PAM_SM_CHAUTHTOK	pam_sm_chauthtok
306 #endif
307 
308 /*
309  * Infrastructure for static modules using GCC linker sets.
310  * You are not expected to understand this.
311  */
312 #if defined(__FreeBSD__)
313 # define PAM_SOEXT ".so"
314 #else
315 # undef NO_STATIC_MODULES
316 # define NO_STATIC_MODULES
317 #endif
318 
319 #if defined(__GNUC__) && !defined(__PIC__) && !defined(NO_STATIC_MODULES)
320 /* gcc, static linking */
321 # include <sys/cdefs.h>
322 # include <linker_set.h>
323 # define OPENPAM_STATIC_MODULES
324 # define PAM_EXTERN static
325 # define PAM_MODULE_ENTRY(name)						\
326 	static char _pam_name[] = name PAM_SOEXT;			\
327 	static struct pam_module _pam_module = {			\
328 		.path = _pam_name,					\
329 		.func = {						\
330 			[PAM_SM_AUTHENTICATE] = _PAM_SM_AUTHENTICATE,	\
331 			[PAM_SM_SETCRED] = _PAM_SM_SETCRED,		\
332 			[PAM_SM_ACCT_MGMT] = _PAM_SM_ACCT_MGMT,		\
333 			[PAM_SM_OPEN_SESSION] = _PAM_SM_OPEN_SESSION,	\
334 			[PAM_SM_CLOSE_SESSION] = _PAM_SM_CLOSE_SESSION, \
335 			[PAM_SM_CHAUTHTOK] = _PAM_SM_CHAUTHTOK		\
336 		},							\
337 	};								\
338 	DATA_SET(_openpam_static_modules, _pam_module)
339 #else
340 /* normal case */
341 # define PAM_EXTERN
342 # define PAM_MODULE_ENTRY(name)
343 #endif
344 
345 #ifdef __cplusplus
346 }
347 #endif
348 
349 #endif /* !SECURITY_OPENPAM_H_INCLUDED */
350