xref: /netbsd-src/external/bsd/openpam/dist/include/security/openpam.h (revision 0d9d0fd8a30be9a1924e715bbcf67a4a83efd262) 
1 /*	$NetBSD: openpam.h,v 1.12 2023/06/30 21:46:20 christos Exp $	*/
2 
3 /*-
4  * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
5  * Copyright (c) 2004-2015 Dag-Erling Smørgrav
6  * All rights reserved.
7  *
8  * This software was developed for the FreeBSD Project by ThinkSec AS and
9  * Network Associates Laboratories, the Security Research Division of
10  * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
11  * ("CBOSS"), as part of the DARPA CHATS research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1. Redistributions of source code must retain the above copyright
17  *    notice, this list of conditions and the following disclaimer.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 3. The name of the author may not be used to endorse or promote
22  *    products derived from this software without specific prior written
23  *    permission.
24  *
25  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
29  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35  * SUCH DAMAGE.
36  */
37 
38 #ifndef SECURITY_OPENPAM_H_INCLUDED
39 #define SECURITY_OPENPAM_H_INCLUDED
40 
41 /*
42  * Annoying but necessary header pollution
43  */
44 #include <stdarg.h>
45 
46 #include <security/openpam_attr.h>
47 
48 #ifdef __cplusplus
49 extern "C" {
50 #endif
51 
52 struct passwd;
53 
54 /*
55  * API extensions
56  */
57 int
58 openpam_borrow_cred(pam_handle_t *_pamh,
59 	const struct passwd *_pwd)
60 	OPENPAM_NONNULL((1,2));
61 
62 int
63 openpam_subst(const pam_handle_t *_pamh,
64 	char *_buf,
65 	size_t *_bufsize,
66 	const char *_template);
67 
68 void
69 openpam_free_data(pam_handle_t *_pamh,
70 	void *_data,
71 	int _status);
72 
73 void
74 openpam_free_envlist(char **_envlist);
75 
76 const char *
77 openpam_get_option(pam_handle_t *_pamh,
78 	const char *_option);
79 
80 int
81 openpam_restore_cred(pam_handle_t *_pamh)
82 	OPENPAM_NONNULL((1));
83 
84 int
85 openpam_set_option(pam_handle_t *_pamh,
86 	const char *_option,
87 	const char *_value);
88 
89 int
90 pam_error(const pam_handle_t *_pamh,
91 	const char *_fmt,
92 	...)
93 	OPENPAM_FORMAT ((__syslog__, 2, 3))
94 	OPENPAM_NONNULL((1,2));
95 
96 int
97 pam_get_authtok(pam_handle_t *_pamh,
98 	int _item,
99 	const char **_authtok,
100 	const char *_prompt)
101 	OPENPAM_NONNULL((1,3));
102 
103 int
104 pam_info(const pam_handle_t *_pamh,
105 	const char *_fmt,
106 	...)
107 	OPENPAM_FORMAT ((__syslog__, 2, 3))
108 	OPENPAM_NONNULL((1,2));
109 
110 int
111 pam_prompt(const pam_handle_t *_pamh,
112 	int _style,
113 	char **_resp,
114 	const char *_fmt,
115 	...)
116 	OPENPAM_FORMAT ((__printf__, 4, 5))
117 	OPENPAM_NONNULL((1,4));
118 
119 int
120 pam_setenv(pam_handle_t *_pamh,
121 	const char *_name,
122 	const char *_value,
123 	int _overwrite)
124 	OPENPAM_NONNULL((1,2,3));
125 
126 int
127 pam_vinfo(const pam_handle_t *_pamh,
128 	const char *_fmt,
129 	va_list _ap)
130 	OPENPAM_FORMAT ((__syslog__, 2, 0))
131 	OPENPAM_NONNULL((1,2));
132 
133 int
134 pam_verror(const pam_handle_t *_pamh,
135 	const char *_fmt,
136 	va_list _ap)
137 	OPENPAM_FORMAT ((__syslog__, 2, 0))
138 	OPENPAM_NONNULL((1,2));
139 
140 int
141 pam_vprompt(const pam_handle_t *_pamh,
142 	int _style,
143 	char **_resp,
144 	const char *_fmt,
145 	va_list _ap)
146 	OPENPAM_FORMAT ((__printf__, 4, 0))
147 	OPENPAM_NONNULL((1,4));
148 
149 /*
150  * Read cooked lines.
151  * Checking for _IOFBF is a fairly reliable way to detect the presence
152  * of <stdio.h>, as SUSv3 requires it to be defined there.
153  */
154 #ifdef _IOFBF
155 char *
156 openpam_readline(FILE *_f,
157 	int *_lineno,
158 	size_t *_lenp)
159 	OPENPAM_NONNULL((1));
160 
161 char **
162 openpam_readlinev(FILE *_f,
163 	int *_lineno,
164 	int *_lenp)
165 	OPENPAM_NONNULL((1));
166 
167 char *
168 openpam_readword(FILE *_f,
169 	int *_lineno,
170 	size_t *_lenp)
171 	OPENPAM_NONNULL((1));
172 #endif
173 
174 int
175 openpam_straddch(char **_str,
176 	size_t *_sizep,
177 	size_t *_lenp,
178 	int ch)
179 	OPENPAM_NONNULL((1));
180 
181 /*
182  * Enable / disable optional features
183  */
184 enum {
185 	OPENPAM_RESTRICT_SERVICE_NAME,
186 	OPENPAM_VERIFY_POLICY_FILE,
187 	OPENPAM_RESTRICT_MODULE_NAME,
188 	OPENPAM_VERIFY_MODULE_FILE,
189 	OPENPAM_FALLBACK_TO_OTHER,
190 	OPENPAM_NUM_FEATURES
191 };
192 
193 int
194 openpam_set_feature(int _feature, int _onoff);
195 
196 int
197 openpam_get_feature(int _feature, int *_onoff);
198 
199 /*
200  * Log levels
201  */
202 enum openpam_log_primitives {
203 	PAM_LOG_LIBDEBUG = -1,
204 	PAM_LOG_DEBUG,
205 	PAM_LOG_VERBOSE,
206 	PAM_LOG_NOTICE,
207 	PAM_LOG_ERROR
208 };
209 
210 /*
211  * Log to syslog
212  */
213 void
214 _openpam_log(int _level,
215 	const char *_func,
216 	const char *_fmt,
217 	...)
218 	OPENPAM_FORMAT ((__syslog__, 3, 4))
219 	OPENPAM_NONNULL((3));
220 
221 #if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
222 #define openpam_log(lvl, ...) \
223 	_openpam_log((lvl), __func__, __VA_ARGS__)
224 #elif defined(__GNUC__) && (__GNUC__ >= 3)
225 #define openpam_log(lvl, ...) \
226 	_openpam_log((lvl), __func__, __VA_ARGS__)
227 #elif defined(__GNUC__) && (__GNUC__ >= 2) && (__GNUC_MINOR__ >= 95)
228 #define openpam_log(lvl, fmt...) \
229 	_openpam_log((lvl), __func__, ##fmt)
230 #elif defined(__GNUC__) && defined(__func__)
231 #define openpam_log(lvl, fmt...) \
232 	_openpam_log((lvl), __func__, ##fmt)
233 #else
234 void
235 openpam_log(int _level,
236 	const char *_format,
237 	...)
238 	OPENPAM_FORMAT ((__syslog__, 2, 3))
239 	OPENPAM_NONNULL((2));
240 #endif
241 
242 /*
243  * Generic conversation function
244  */
245 struct pam_message;
246 struct pam_response;
247 int openpam_ttyconv(int _n,
248 	const struct pam_message **_msg,
249 	struct pam_response **_resp,
250 	void *_data);
251 
252 extern int openpam_ttyconv_timeout;
253 
254 /*
255  * Null conversation function
256  */
257 int openpam_nullconv(int _n,
258 	const struct pam_message **_msg,
259 	struct pam_response **_resp,
260 	void *_data);
261 
262 /*
263  * PAM primitives
264  */
265 enum openpam_sm_primitives {
266 	PAM_SM_AUTHENTICATE,
267 	PAM_SM_SETCRED,
268 	PAM_SM_ACCT_MGMT,
269 	PAM_SM_OPEN_SESSION,
270 	PAM_SM_CLOSE_SESSION,
271 	PAM_SM_CHAUTHTOK,
272 	/* keep this last */
273 	PAM_NUM_PRIMITIVES
274 };
275 
276 /*
277  * Dummy service module function
278  */
279 #define PAM_SM_DUMMY(type)						\
280 PAM_EXTERN int								\
281 pam_sm_##type(pam_handle_t *pamh, int flags,				\
282     int argc, const char *argv[])					\
283 {									\
284 									\
285 	(void)pamh;							\
286 	(void)flags;							\
287 	(void)argc;							\
288 	(void)argv;							\
289 	return (PAM_IGNORE);						\
290 }
291 
292 /*
293  * PAM service module functions match this typedef
294  */
295 struct pam_handle;
296 typedef int (*pam_func_t)(struct pam_handle *, int, int, const char **);
297 
298 /*
299  * A struct that describes a module.
300  */
301 typedef struct pam_module pam_module_t;
302 struct pam_module {
303 	char		*path;
304 	pam_func_t	 func[PAM_NUM_PRIMITIVES];
305 	void		*dlh;
306 };
307 
308 /*
309  * Source-code compatibility with Linux-PAM modules
310  */
311 #if defined(PAM_SM_AUTH) || defined(PAM_SM_ACCOUNT) || \
312 	defined(PAM_SM_SESSION) || defined(PAM_SM_PASSWORD)
313 # define LINUX_PAM_MODULE
314 #endif
315 
316 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_AUTH)
317 # define _PAM_SM_AUTHENTICATE	0
318 # define _PAM_SM_SETCRED	0
319 #else
320 # undef PAM_SM_AUTH
321 # define PAM_SM_AUTH
322 # define _PAM_SM_AUTHENTICATE	pam_sm_authenticate
323 # define _PAM_SM_SETCRED	pam_sm_setcred
324 #endif
325 
326 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_ACCOUNT)
327 # define _PAM_SM_ACCT_MGMT	0
328 #else
329 # undef PAM_SM_ACCOUNT
330 # define PAM_SM_ACCOUNT
331 # define _PAM_SM_ACCT_MGMT	pam_sm_acct_mgmt
332 #endif
333 
334 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_SESSION)
335 # define _PAM_SM_OPEN_SESSION	0
336 # define _PAM_SM_CLOSE_SESSION	0
337 #else
338 # undef PAM_SM_SESSION
339 # define PAM_SM_SESSION
340 # define _PAM_SM_OPEN_SESSION	pam_sm_open_session
341 # define _PAM_SM_CLOSE_SESSION	pam_sm_close_session
342 #endif
343 
344 #if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_PASSWORD)
345 # define _PAM_SM_CHAUTHTOK	0
346 #else
347 # undef PAM_SM_PASSWORD
348 # define PAM_SM_PASSWORD
349 # define _PAM_SM_CHAUTHTOK	pam_sm_chauthtok
350 #endif
351 
352 /*
353  * Infrastructure for static modules using GCC linker sets.
354  * You are not expected to understand this.
355  */
356 #if !defined(PAM_SOEXT)
357 # define PAM_SOEXT ".so"
358 #endif
359 
360 #if (defined(__GNUC__) || defined(__PCC__)) && defined(OPENPAM_STATIC_MODULES)
361 # include <sys/cdefs.h>
362 # ifdef __FreeBSD__
363 #  include <linker_set.h>
364 # endif
365 # ifdef __NetBSD__
366 #  define DATA_SET(a, b) __link_set_add_data(a, b)
367 #  define SET_DECLARE(a, b) __link_set_decl(a, b)
368 #  define SET_FOREACH(a, b) __link_set_foreach(a, b)
369 # endif
370 # define PAM_EXTERN static
371 # define PAM_MODULE_ENTRY(name)						\
372 	static char _pam_name[] = name PAM_SOEXT;			\
373 	static struct pam_module _pam_module = {			\
374 		.path = _pam_name,					\
375 		.func = {						\
376 			[PAM_SM_AUTHENTICATE] = _PAM_SM_AUTHENTICATE,	\
377 			[PAM_SM_SETCRED] = _PAM_SM_SETCRED,		\
378 			[PAM_SM_ACCT_MGMT] = _PAM_SM_ACCT_MGMT,		\
379 			[PAM_SM_OPEN_SESSION] = _PAM_SM_OPEN_SESSION,	\
380 			[PAM_SM_CLOSE_SESSION] = _PAM_SM_CLOSE_SESSION, \
381 			[PAM_SM_CHAUTHTOK] = _PAM_SM_CHAUTHTOK		\
382 		},							\
383 	};								\
384 	DATA_SET(openpam_static_modules, _pam_module)
385 #else
386 /* normal case */
387 # define PAM_EXTERN
388 # define PAM_MODULE_ENTRY(name)
389 #endif
390 
391 #ifdef __cplusplus
392 }
393 #endif
394 
395 #endif /* !SECURITY_OPENPAM_H_INCLUDED */
396