include/security/openpam.h

91094Sdes/*-
115619Sdes * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
188720Sdes * Copyright (c) 2004-2008 Dag-Erling Sm��rgrav
91094Sdes * All rights reserved.
91094Sdes *
91094Sdes * This software was developed for the FreeBSD Project by ThinkSec AS and
99158Sdes * Network Associates Laboratories, the Security Research Division of
99158Sdes * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
99158Sdes * ("CBOSS"), as part of the DARPA CHATS research program.
91094Sdes *
91094Sdes * Redistribution and use in source and binary forms, with or without
91094Sdes * modification, are permitted provided that the following conditions
91094Sdes * are met:
91094Sdes * 1. Redistributions of source code must retain the above copyright
91094Sdes *    notice, this list of conditions and the following disclaimer.
91094Sdes * 2. Redistributions in binary form must reproduce the above copyright
91094Sdes *    notice, this list of conditions and the following disclaimer in the
91094Sdes *    documentation and/or other materials provided with the distribution.
91094Sdes * 3. The name of the author may not be used to endorse or promote
91094Sdes *    products derived from this software without specific prior written
91094Sdes *    permission.
91094Sdes *
91094Sdes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
91094Sdes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
91094Sdes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
91094Sdes * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
91094Sdes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
91094Sdes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
91094Sdes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
91094Sdes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
91094Sdes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
91094Sdes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
91094Sdes * SUCH DAMAGE.
91094Sdes *
188720Sdes * $Id: openpam.h 418 2008-12-13 22:39:24Z des $
91094Sdes */
91094Sdes
174832Sdes#ifndef SECURITY_OPENPAM_H_INCLUDED
174832Sdes#define SECURITY_OPENPAM_H_INCLUDED
91094Sdes
91094Sdes/*
91094Sdes * Annoying but necessary header pollution
91094Sdes */
91094Sdes#include <stdarg.h>
91094Sdes
174832Sdes#include <security/openpam_attr.h>
174832Sdes
91094Sdes#ifdef __cplusplus
91094Sdesextern "C" {
91094Sdes#endif
91094Sdes
94209Sdesstruct passwd;
94209Sdes
91094Sdes/*
91094Sdes * API extensions
91094Sdes */
94209Sdesint
94209Sdesopenpam_borrow_cred(pam_handle_t *_pamh,
174832Sdes	const struct passwd *_pwd)
174832Sdes	OPENPAM_NONNULL((1,2));
94209Sdes
94209Sdesvoid
94209Sdesopenpam_free_data(pam_handle_t *_pamh,
94209Sdes	void *_data,
94209Sdes	int _status);
94209Sdes
141098Sdesvoid
141098Sdesopenpam_free_envlist(char **_envlist);
141098Sdes
91100Sdesconst char *
91100Sdesopenpam_get_option(pam_handle_t *_pamh,
91100Sdes	const char *_option);
91100Sdes
91094Sdesint
174832Sdesopenpam_restore_cred(pam_handle_t *_pamh)
174832Sdes	OPENPAM_NONNULL((1));
94209Sdes
94209Sdesint
91100Sdesopenpam_set_option(pam_handle_t *_pamh,
91100Sdes	const char *_option,
91100Sdes	const char *_value);
91100Sdes
91100Sdesint
174832Sdespam_error(const pam_handle_t *_pamh,
91094Sdes	const char *_fmt,
174832Sdes	...)
174832Sdes	OPENPAM_FORMAT ((__printf__, 2, 3))
174832Sdes	OPENPAM_NONNULL((1,2));
91094Sdes
91094Sdesint
91094Sdespam_get_authtok(pam_handle_t *_pamh,
93982Sdes	int _item,
91094Sdes	const char **_authtok,
174832Sdes	const char *_prompt)
174832Sdes	OPENPAM_NONNULL((1,3));
91094Sdes
91094Sdesint
174832Sdespam_info(const pam_handle_t *_pamh,
91094Sdes	const char *_fmt,
174832Sdes	...)
174832Sdes	OPENPAM_FORMAT ((__printf__, 2, 3))
174832Sdes	OPENPAM_NONNULL((1,2));
91094Sdes
91094Sdesint
174832Sdespam_prompt(const pam_handle_t *_pamh,
91094Sdes	int _style,
91094Sdes	char **_resp,
91094Sdes	const char *_fmt,
174832Sdes	...)
174832Sdes	OPENPAM_FORMAT ((__printf__, 4, 5))
174832Sdes	OPENPAM_NONNULL((1,4));
91094Sdes
91094Sdesint
91094Sdespam_setenv(pam_handle_t *_pamh,
91094Sdes	const char *_name,
91094Sdes	const char *_value,
174832Sdes	int _overwrite)
174832Sdes	OPENPAM_NONNULL((1,2,3));
91094Sdes
91094Sdesint
174832Sdespam_vinfo(const pam_handle_t *_pamh,
91094Sdes	const char *_fmt,
174832Sdes	va_list _ap)
174832Sdes	OPENPAM_FORMAT ((__printf__, 2, 0))
174832Sdes	OPENPAM_NONNULL((1,2));
91094Sdes
91094Sdesint
174832Sdespam_verror(const pam_handle_t *_pamh,
91094Sdes	const char *_fmt,
174832Sdes	va_list _ap)
174832Sdes	OPENPAM_FORMAT ((__printf__, 2, 0))
174832Sdes	OPENPAM_NONNULL((1,2));
91094Sdes
91094Sdesint
174832Sdespam_vprompt(const pam_handle_t *_pamh,
91094Sdes	int _style,
91094Sdes	char **_resp,
91094Sdes	const char *_fmt,
174832Sdes	va_list _ap)
174832Sdes	OPENPAM_FORMAT ((__printf__, 4, 0))
174832Sdes	OPENPAM_NONNULL((1,4));
91094Sdes
91094Sdes/*
115619Sdes * Read cooked lines.
117610Sdes * Checking for _IOFBF is a fairly reliable way to detect the presence
117610Sdes * of <stdio.h>, as SUSv3 requires it to be defined there.
115619Sdes */
117610Sdes#ifdef _IOFBF
115619Sdeschar *
115619Sdesopenpam_readline(FILE *_f,
115619Sdes	int *_lineno,
174832Sdes	size_t *_lenp)
174832Sdes	OPENPAM_NONNULL((1));
115619Sdes#endif
115619Sdes
115619Sdes/*
91094Sdes * Log levels
91094Sdes */
91094Sdesenum {
91094Sdes	PAM_LOG_DEBUG,
91094Sdes	PAM_LOG_VERBOSE,
91094Sdes	PAM_LOG_NOTICE,
91094Sdes	PAM_LOG_ERROR
91094Sdes};
91094Sdes
91094Sdes/*
91094Sdes * Log to syslog
91094Sdes */
93982Sdesvoid
93982Sdes_openpam_log(int _level,
91094Sdes	const char *_func,
91094Sdes	const char *_fmt,
125647Sdes	...)
174832Sdes	OPENPAM_FORMAT ((__printf__, 3, 4))
174832Sdes	OPENPAM_NONNULL((3));
91094Sdes
97241Sdes#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
97241Sdes#define openpam_log(lvl, ...) \
97241Sdes	_openpam_log((lvl), __func__, __VA_ARGS__)
97241Sdes#elif defined(__GNUC__) && (__GNUC__ >= 3)
97241Sdes#define openpam_log(lvl, ...) \
97241Sdes	_openpam_log((lvl), __func__, __VA_ARGS__)
93982Sdes#elif defined(__GNUC__) && (__GNUC__ >= 2) && (__GNUC_MINOR__ >= 95)
94562Sdes#define openpam_log(lvl, fmt...) \
94878Sdes	_openpam_log((lvl), __func__, ##fmt)
93982Sdes#elif defined(__GNUC__) && defined(__FUNCTION__)
91094Sdes#define openpam_log(lvl, fmt...) \
93982Sdes	_openpam_log((lvl), __FUNCTION__, ##fmt)
91094Sdes#else
93982Sdesvoid
93982Sdesopenpam_log(int _level,
93982Sdes	const char *_format,
174832Sdes 	...)
174832Sdes 	OPENPAM_FORMAT ((__printf__, 2, 3))
174832Sdes	OPENPAM_NONNULL((2));
91094Sdes#endif
91094Sdes
91094Sdes/*
91094Sdes * Generic conversation function
91094Sdes */
91094Sdesstruct pam_message;
91094Sdesstruct pam_response;
91094Sdesint openpam_ttyconv(int _n,
91094Sdes	const struct pam_message **_msg,
91094Sdes	struct pam_response **_resp,
91094Sdes	void *_data);
91094Sdes
117610Sdesextern int openpam_ttyconv_timeout;
117610Sdes
91094Sdes/*
95908Sdes * Null conversation function
95908Sdes */
95908Sdesint openpam_nullconv(int _n,
95908Sdes	const struct pam_message **_msg,
95908Sdes	struct pam_response **_resp,
95908Sdes	void *_data);
95908Sdes
95908Sdes/*
91094Sdes * PAM primitives
91094Sdes */
91094Sdesenum {
91094Sdes	PAM_SM_AUTHENTICATE,
91094Sdes	PAM_SM_SETCRED,
91094Sdes	PAM_SM_ACCT_MGMT,
91094Sdes	PAM_SM_OPEN_SESSION,
91094Sdes	PAM_SM_CLOSE_SESSION,
91094Sdes	PAM_SM_CHAUTHTOK,
91094Sdes	/* keep this last */
91094Sdes	PAM_NUM_PRIMITIVES
91094Sdes};
91094Sdes
91094Sdes/*
91094Sdes * Dummy service module function
91094Sdes */
91094Sdes#define PAM_SM_DUMMY(type)						\
91094SdesPAM_EXTERN int								\
91094Sdespam_sm_##type(pam_handle_t *pamh, int flags,				\
91094Sdes    int argc, const char *argv[])					\
91094Sdes{									\
174832Sdes									\
174832Sdes	(void)pamh;							\
174832Sdes	(void)flags;							\
174832Sdes	(void)argc;							\
174832Sdes	(void)argv;							\
91094Sdes	return (PAM_IGNORE);						\
91094Sdes}
91094Sdes
91094Sdes/*
91094Sdes * PAM service module functions match this typedef
91094Sdes */
91094Sdesstruct pam_handle;
91094Sdestypedef int (*pam_func_t)(struct pam_handle *, int, int, const char **);
91094Sdes
91094Sdes/*
91094Sdes * A struct that describes a module.
91094Sdes */
91094Sdestypedef struct pam_module pam_module_t;
91094Sdesstruct pam_module {
91684Sdes	char		*path;
91094Sdes	pam_func_t	 func[PAM_NUM_PRIMITIVES];
91094Sdes	void		*dlh;
91094Sdes};
91094Sdes
91094Sdes/*
94532Sdes * Source-code compatibility with Linux-PAM modules
94532Sdes */
94532Sdes#if defined(PAM_SM_AUTH) || defined(PAM_SM_ACCOUNT) || \
94532Sdes	defined(PAM_SM_SESSION) || defined(PAM_SM_PASSWORD)
174832Sdes# define LINUX_PAM_MODULE
94532Sdes#endif
174832Sdes
94532Sdes#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_AUTH)
174832Sdes# define _PAM_SM_AUTHENTICATE	0
174832Sdes# define _PAM_SM_SETCRED	0
94532Sdes#else
174832Sdes# undef PAM_SM_AUTH
174832Sdes# define PAM_SM_AUTH
174832Sdes# define _PAM_SM_AUTHENTICATE	pam_sm_authenticate
174832Sdes# define _PAM_SM_SETCRED	pam_sm_setcred
94532Sdes#endif
174832Sdes
94532Sdes#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_ACCOUNT)
174832Sdes# define _PAM_SM_ACCT_MGMT	0
94532Sdes#else
174832Sdes# undef PAM_SM_ACCOUNT
174832Sdes# define PAM_SM_ACCOUNT
174832Sdes# define _PAM_SM_ACCT_MGMT	pam_sm_acct_mgmt
94532Sdes#endif
174832Sdes
94532Sdes#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_SESSION)
174832Sdes# define _PAM_SM_OPEN_SESSION	0
174832Sdes# define _PAM_SM_CLOSE_SESSION	0
94532Sdes#else
174832Sdes# undef PAM_SM_SESSION
174832Sdes# define PAM_SM_SESSION
174832Sdes# define _PAM_SM_OPEN_SESSION	pam_sm_open_session
174832Sdes# define _PAM_SM_CLOSE_SESSION	pam_sm_close_session
94532Sdes#endif
174832Sdes
94532Sdes#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_PASSWORD)
174832Sdes# define _PAM_SM_CHAUTHTOK	0
94532Sdes#else
174832Sdes# undef PAM_SM_PASSWORD
174832Sdes# define PAM_SM_PASSWORD
174832Sdes# define _PAM_SM_CHAUTHTOK	pam_sm_chauthtok
94532Sdes#endif
94532Sdes
94532Sdes/*
91094Sdes * Infrastructure for static modules using GCC linker sets.
91094Sdes * You are not expected to understand this.
91094Sdes */
188720Sdes#if !defined(PAM_SOEXT)
174832Sdes# define PAM_SOEXT ".so"
91094Sdes#endif
174832Sdes
188720Sdes#if defined(OPENPAM_STATIC_MODULES)
188720Sdes# if !defined(__GNUC__)
188720Sdes#  error "Don't know how to build static modules on non-GNU compilers"
188720Sdes# endif
91094Sdes/* gcc, static linking */
174832Sdes# include <sys/cdefs.h>
174832Sdes# include <linker_set.h>
174832Sdes# define PAM_EXTERN static
174832Sdes# define PAM_MODULE_ENTRY(name)						\
174832Sdes	static char _pam_name[] = name PAM_SOEXT;			\
174832Sdes	static struct pam_module _pam_module = {			\
174832Sdes		.path = _pam_name,					\
174832Sdes		.func = {						\
174832Sdes			[PAM_SM_AUTHENTICATE] = _PAM_SM_AUTHENTICATE,	\
174832Sdes			[PAM_SM_SETCRED] = _PAM_SM_SETCRED,		\
174832Sdes			[PAM_SM_ACCT_MGMT] = _PAM_SM_ACCT_MGMT,		\
174832Sdes			[PAM_SM_OPEN_SESSION] = _PAM_SM_OPEN_SESSION,	\
174832Sdes			[PAM_SM_CLOSE_SESSION] = _PAM_SM_CLOSE_SESSION, \
174832Sdes			[PAM_SM_CHAUTHTOK] = _PAM_SM_CHAUTHTOK		\
174832Sdes		},							\
174832Sdes	};								\
174832Sdes	DATA_SET(_openpam_static_modules, _pam_module)
91094Sdes#else
91094Sdes/* normal case */
174832Sdes# define PAM_EXTERN
174832Sdes# define PAM_MODULE_ENTRY(name)
91094Sdes#endif
91094Sdes
91094Sdes#ifdef __cplusplus
91094Sdes}
91094Sdes#endif
91094Sdes
174832Sdes#endif /* !SECURITY_OPENPAM_H_INCLUDED */