1 /*-
2  * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3  * Copyright (c) 2004-2011 Dag-Erling Smørgrav
4  * All rights reserved.
5  *
6  * This software was developed for the FreeBSD Project by ThinkSec AS and
7  * Network Associates Laboratories, the Security Research Division of
8  * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
9  * ("CBOSS"), as part of the DARPA CHATS research program.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1. Redistributions of source code must retain the above copyright
15  *    notice, this list of conditions and the following disclaimer.
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in the
18  *    documentation and/or other materials provided with the distribution.
19  * 3. The name of the author may not be used to endorse or promote
20  *    products derived from this software without specific prior written
21  *    permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  *
35  * $Id: openpam.h 455 2011-10-29 18:31:11Z des $
36  */
37 
38 #ifndef SECURITY_OPENPAM_H_INCLUDED
39 #define SECURITY_OPENPAM_H_INCLUDED
40 
41 /*
42  * Annoying but necessary header pollution
43  */
44 #include <stdarg.h>
45 
46 #include <security/openpam_attr.h>
47 
48 #ifdef __cplusplus
49 extern "C" {
50 #endif
51 
52 struct passwd;
53 
54 /*
55  * API extensions
56  */
57 int
58 openpam_borrow_cred(pam_handle_t *_pamh,
59 	const struct passwd *_pwd)
60 	OPENPAM_NONNULL((1,2));
61 
62 int
63 openpam_subst(const pam_handle_t *_pamh,
64 	char *_buf,
65 	size_t *_bufsize,
66 	const char *_template);
67 
68 void
69 openpam_free_data(pam_handle_t *_pamh,
70 	void *_data,
71 	int _status);
72 
73 void
74 openpam_free_envlist(char **_envlist);
75 
76 const char *
77 openpam_get_option(pam_handle_t *_pamh,
78 	const char *_option);
79 
80 int
81 openpam_restore_cred(pam_handle_t *_pamh)
82 	OPENPAM_NONNULL((1));
83 
84 int
85 openpam_set_option(pam_handle_t *_pamh,
86 	const char *_option,
87 	const char *_value);
88 
89 int
90 pam_error(const pam_handle_t *_pamh,
91 	const char *_fmt,
92 	...)
93 	OPENPAM_FORMAT ((__printf__, 2, 3))
94 	OPENPAM_NONNULL((1,2));
95 
96 int
97 pam_get_authtok(pam_handle_t *_pamh,
98 	int _item,
99 	const char **_authtok,
100 	const char *_prompt)
101 	OPENPAM_NONNULL((1,3));
102 
103 int
104 pam_info(const pam_handle_t *_pamh,
105 	const char *_fmt,
106 	...)
107 	OPENPAM_FORMAT ((__printf__, 2, 3))
108 	OPENPAM_NONNULL((1,2));
109 
110 int
111 pam_prompt(const pam_handle_t *_pamh,
112 	int _style,
113 	char **_resp,
114 	const char *_fmt,
115 	...)
116 	OPENPAM_FORMAT ((__printf__, 4, 5))
117 	OPENPAM_NONNULL((1,4));
118 
119 int
120 pam_setenv(pam_handle_t *_pamh,
121 	const char *_name,
122 	const char *_value,
123 	int _overwrite)
124 	OPENPAM_NONNULL((1,2,3));
125 
126 int
127 pam_vinfo(const pam_handle_t *_pamh,
128 	const char *_fmt,
129 	va_list _ap)
130 	OPENPAM_FORMAT ((__printf__, 2, 0))
131 	OPENPAM_NONNULL((1,2));
132 
133 int
134 pam_verror(const pam_handle_t *_pamh,
135 	const char *_fmt,
136 	va_list _ap)
137 	OPENPAM_FORMAT ((__printf__, 2, 0))
138 	OPENPAM_NONNULL((1,2));
139 
140 int
141 pam_vprompt(const pam_handle_t *_pamh,
142 	int _style,
143 	char **_resp,
144 	const char *_fmt,
145 	va_list _ap)
146 	OPENPAM_FORMAT ((__printf__, 4, 0))
147 	OPENPAM_NONNULL((1,4));
148 
149 /*
150  * Read cooked lines.
151  * Checking for _IOFBF is a fairly reliable way to detect the presence
152  * of <stdio.h>, as SUSv3 requires it to be defined there.
153  */
154 #ifdef _IOFBF
155 char *
156 openpam_readline(FILE *_f,
157 	int *_lineno,
158 	size_t *_lenp)
159 	OPENPAM_NONNULL((1));
160 #endif
161 
162 /*
163  * Log levels
164  */
165 enum {
166 	PAM_LOG_DEBUG,
167 	PAM_LOG_VERBOSE,
168 	PAM_LOG_NOTICE,
169 	PAM_LOG_ERROR
170 };
171 
172 /*
173  * Log to syslog
174  */
175 void
176 _openpam_log(int _level,
177 	const char *_func,
178 	const char *_fmt,
179 	...)
180 	OPENPAM_FORMAT ((__printf__, 3, 4))
181 	OPENPAM_NONNULL((3));
182 
183 #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
184 #define openpam_log(lvl, ...) \
185 	_openpam_log((lvl), __func__, __VA_ARGS__)
186 #elif defined(__GNUC__) && (__GNUC__ >= 3)
187 #define openpam_log(lvl, ...) \
188 	_openpam_log((lvl), __func__, __VA_ARGS__)
189 #elif defined(__GNUC__) && (__GNUC__ >= 2) && (__GNUC_MINOR__ >= 95)
190 #define openpam_log(lvl, fmt...) \
191 	_openpam_log((lvl), __func__, ##fmt)
192 #elif defined(__GNUC__) && defined(__FUNCTION__)
193 #define openpam_log(lvl, fmt...) \
194 	_openpam_log((lvl), __FUNCTION__, ##fmt)
195 #else
196 void
197 openpam_log(int _level,
198 	const char *_format,
199  	...)
200  	OPENPAM_FORMAT ((__printf__, 2, 3))
201 	OPENPAM_NONNULL((2));
202 #endif
203 
204 /*
205  * Generic conversation function
206  */
207 struct pam_message;
208 struct pam_response;
209 int openpam_ttyconv(int _n,
210 	const struct pam_message **_msg,
211 	struct pam_response **_resp,
212 	void *_data);
213 
214 extern int openpam_ttyconv_timeout;
215 
216 /*
217  * Null conversation function
218  */
219 int openpam_nullconv(int _n,
220 	const struct pam_message **_msg,
221 	struct pam_response **_resp,
222 	void *_data);
223 
224 /*
225  * PAM primitives
226  */
227 enum {
228 	PAM_SM_AUTHENTICATE,
229 	PAM_SM_SETCRED,
230 	PAM_SM_ACCT_MGMT,
231 	PAM_SM_OPEN_SESSION,
232 	PAM_SM_CLOSE_SESSION,
233 	PAM_SM_CHAUTHTOK,
234 	/* keep this last */
235 	PAM_NUM_PRIMITIVES
236 };
237 
238 /*
239  * Dummy service module function
240  */
241 #define PAM_SM_DUMMY(type)						\
242 PAM_EXTERN int								\
243 pam_sm_##type(pam_handle_t *pamh, int flags,				\
244     int argc, const char *argv[])					\
245 {									\
246 									\
247 	(void)pamh;							\
248 	(void)flags;							\
249 	(void)argc;							\
250 	(void)argv;							\
251 	return (PAM_IGNORE);						\
252 }
253 
254 /*
255  * PAM service module functions match this typedef
256  */
257 struct pam_handle;
258 typedef int (*pam_func_t)(struct pam_handle *, int, int, const char **);
259 
260 /*
261  * A struct that describes a module.
262  */
263 typedef struct pam_module pam_module_t;
264 struct pam_module {
265 	char		*path;
266 	pam_func_t	 func[PAM_NUM_PRIMITIVES];
267 	void		*dlh;
268 };
269 
270 /*
271  * Source-code compatibility with Linux-PAM modules
272  */
273 #if defined(PAM_SM_AUTH) || defined(PAM_SM_ACCOUNT) || \
274 	defined(PAM_SM_SESSION) || defined(PAM_SM_PASSWORD)
275 # define LINUX_PAM_MODULE
276 #endif
277 
278 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_AUTH)
279 # define _PAM_SM_AUTHENTICATE	0
280 # define _PAM_SM_SETCRED	0
281 #else
282 # undef PAM_SM_AUTH
283 # define PAM_SM_AUTH
284 # define _PAM_SM_AUTHENTICATE	pam_sm_authenticate
285 # define _PAM_SM_SETCRED	pam_sm_setcred
286 #endif
287 
288 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_ACCOUNT)
289 # define _PAM_SM_ACCT_MGMT	0
290 #else
291 # undef PAM_SM_ACCOUNT
292 # define PAM_SM_ACCOUNT
293 # define _PAM_SM_ACCT_MGMT	pam_sm_acct_mgmt
294 #endif
295 
296 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_SESSION)
297 # define _PAM_SM_OPEN_SESSION	0
298 # define _PAM_SM_CLOSE_SESSION	0
299 #else
300 # undef PAM_SM_SESSION
301 # define PAM_SM_SESSION
302 # define _PAM_SM_OPEN_SESSION	pam_sm_open_session
303 # define _PAM_SM_CLOSE_SESSION	pam_sm_close_session
304 #endif
305 
306 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_PASSWORD)
307 # define _PAM_SM_CHAUTHTOK	0
308 #else
309 # undef PAM_SM_PASSWORD
310 # define PAM_SM_PASSWORD
311 # define _PAM_SM_CHAUTHTOK	pam_sm_chauthtok
312 #endif
313 
314 /*
315  * Infrastructure for static modules using GCC linker sets.
316  * You are not expected to understand this.
317  */
318 #if !defined(PAM_SOEXT)
319 # define PAM_SOEXT ".so"
320 #endif
321 
322 #if defined(OPENPAM_STATIC_MODULES)
323 # if !defined(__GNUC__)
324 #  error "Don't know how to build static modules on non-GNU compilers"
325 # endif
326 /* gcc, static linking */
327 # include <sys/cdefs.h>
328 # include <linker_set.h>
329 # define PAM_EXTERN static
330 # define PAM_MODULE_ENTRY(name)						\
331 	static char _pam_name[] = name PAM_SOEXT;			\
332 	static struct pam_module _pam_module = {			\
333 		.path = _pam_name,					\
334 		.func = {						\
335 			[PAM_SM_AUTHENTICATE] = _PAM_SM_AUTHENTICATE,	\
336 			[PAM_SM_SETCRED] = _PAM_SM_SETCRED,		\
337 			[PAM_SM_ACCT_MGMT] = _PAM_SM_ACCT_MGMT,		\
338 			[PAM_SM_OPEN_SESSION] = _PAM_SM_OPEN_SESSION,	\
339 			[PAM_SM_CLOSE_SESSION] = _PAM_SM_CLOSE_SESSION, \
340 			[PAM_SM_CHAUTHTOK] = _PAM_SM_CHAUTHTOK		\
341 		},							\
342 	};								\
343 	DATA_SET(_openpam_static_modules, _pam_module)
344 #else
345 /* normal case */
346 # define PAM_EXTERN
347 # define PAM_MODULE_ENTRY(name)
348 #endif
349 
350 #ifdef __cplusplus
351 }
352 #endif
353 
354 #endif /* !SECURITY_OPENPAM_H_INCLUDED */
355