/* $NetBSD: openpam.h,v 1.11 2021/03/08 19:38:10 christos Exp $ */

/*-
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
 * Copyright (c) 2004-2015 Dag-Erling Smørgrav
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by ThinkSec AS and
 * Network Associates Laboratories, the Security Research Division of
 * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $OpenPAM: openpam.h 938 2017-04-30 21:34:42Z des $
 */

/*
 * OpenPAM-specific extensions to the PAM API.
 *
 * Everything declared here is in addition to the standard <security/pam_appl.h>
 * and <security/pam_modules.h> interfaces.  The OPENPAM_NONNULL() and
 * OPENPAM_FORMAT() attributes (from <security/openpam_attr.h>) are part of the
 * contract: callers must not pass NULL where NONNULL is declared, and the
 * FORMAT attribute lets the compiler check format strings (-Wformat), which
 * is the main defence against format-string bugs in the message helpers.
 */

#ifndef SECURITY_OPENPAM_H_INCLUDED
#define SECURITY_OPENPAM_H_INCLUDED

/*
 * Annoying but necessary header pollution
 * (<stdarg.h> is needed for the va_list parameters of pam_v*() below.)
 */
#include <stdarg.h>

#include <security/openpam_attr.h>

#ifdef __cplusplus
extern "C" {
#endif

struct passwd;

/*
 * API extensions
 */

/*
 * openpam_borrow_cred / openpam_restore_cred
 *
 * Presumably switch the process credentials to those of _pwd and back again
 * (see the implementation / openpam_borrow_cred(3) for the exact effect on
 * uid/gid and supplementary groups).  Both _pamh and _pwd must be non-NULL.
 * Returns an int status code.
 */
int
openpam_borrow_cred(pam_handle_t *_pamh,
	const struct passwd *_pwd)
	OPENPAM_NONNULL((1,2));

/*
 * openpam_subst
 *
 * Expands _template into _buf; *_bufsize carries the buffer size in and,
 * presumably, the required/used size out (confirm against openpam_subst(3)).
 * Returns an int status code.
 */
int
openpam_subst(const pam_handle_t *_pamh,
	char *_buf,
	size_t *_bufsize,
	const char *_template);

/*
 * openpam_free_data
 *
 * Signature matches a pam_set_data() cleanup callback; presumably a generic
 * cleanup that free()s _data.  _status is the PAM status passed by the
 * library when the handle is torn down.
 */
void
openpam_free_data(pam_handle_t *_pamh,
	void *_data,
	int _status);

/*
 * openpam_free_envlist
 *
 * Releases an environment list (as returned by pam_getenvlist()).
 * Ownership of _envlist transfers to this function.
 */
void
openpam_free_envlist(char **_envlist);

/*
 * openpam_get_option / openpam_set_option
 *
 * Read and write a module option by name on the handle.  The pointer
 * returned by openpam_get_option is owned by the handle and must not be
 * freed by the caller (hedged: confirm against openpam_get_option(3)).
 */
const char *
openpam_get_option(pam_handle_t *_pamh,
	const char *_option);

int
openpam_restore_cred(pam_handle_t *_pamh)
	OPENPAM_NONNULL((1));

int
openpam_set_option(pam_handle_t *_pamh,
	const char *_option,
	const char *_value);

/*
 * pam_error / pam_info / pam_prompt
 *
 * Send a message to the application through the conversation function.
 * _fmt is a format string (syslog-style for pam_error/pam_info, printf-style
 * for pam_prompt) and is checked by the compiler via OPENPAM_FORMAT; it must
 * therefore be a literal or otherwise trusted format, never raw user input.
 * pam_prompt stores the user's reply in *_resp; _style is the PAM message
 * style.  NOTE(review): *_resp is presumably heap-allocated for the caller
 * to free — confirm against pam_prompt(3).
 */
int
pam_error(const pam_handle_t *_pamh,
	const char *_fmt,
	...)
	OPENPAM_FORMAT ((__syslog__, 2, 3))
	OPENPAM_NONNULL((1,2));

/*
 * pam_get_authtok
 *
 * Retrieves the authentication token for item _item, prompting with _prompt
 * if needed.  _authtok must be non-NULL; _prompt may be NULL (it is not in
 * the NONNULL list).  NOTE(review): the pointer stored in *_authtok is
 * presumably owned by the handle and must not be freed — confirm against
 * pam_get_authtok(3).
 */
int
pam_get_authtok(pam_handle_t *_pamh,
	int _item,
	const char **_authtok,
	const char *_prompt)
	OPENPAM_NONNULL((1,3));

int
pam_info(const pam_handle_t *_pamh,
	const char *_fmt,
	...)
	OPENPAM_FORMAT ((__syslog__, 2, 3))
	OPENPAM_NONNULL((1,2));

int
pam_prompt(const pam_handle_t *_pamh,
	int _style,
	char **_resp,
	const char *_fmt,
	...)
	OPENPAM_FORMAT ((__printf__, 4, 5))
	OPENPAM_NONNULL((1,4));

/*
 * pam_setenv
 *
 * Sets _name to _value in the PAM environment; _overwrite selects whether an
 * existing value is replaced (setenv(3)-style).  All three pointers must be
 * non-NULL.
 */
int
pam_setenv(pam_handle_t *_pamh,
	const char *_name,
	const char *_value,
	int _overwrite)
	OPENPAM_NONNULL((1,2,3));

/*
 * pam_vinfo / pam_verror / pam_vprompt
 *
 * va_list variants of the three message helpers above.  The format attribute
 * uses 0 as the first-argument index, so the format string is still checked
 * but the arguments are not (they are in the va_list).
 */
int
pam_vinfo(const pam_handle_t *_pamh,
	const char *_fmt,
	va_list _ap)
	OPENPAM_FORMAT ((__syslog__, 2, 0))
	OPENPAM_NONNULL((1,2));

int
pam_verror(const pam_handle_t *_pamh,
	const char *_fmt,
	va_list _ap)
	OPENPAM_FORMAT ((__syslog__, 2, 0))
	OPENPAM_NONNULL((1,2));

int
pam_vprompt(const pam_handle_t *_pamh,
	int _style,
	char **_resp,
	const char *_fmt,
	va_list _ap)
	OPENPAM_FORMAT ((__printf__, 4, 0))
	OPENPAM_NONNULL((1,4));

/*
 * Read cooked lines.
 * Checking for _IOFBF is a fairly reliable way to detect the presence
 * of <stdio.h>, as SUSv3 requires it to be defined there.
 *
 * All three readers take the stream, an in/out line counter (*_lineno) and
 * an optional length output (*_lenp); only _f is declared non-NULL.  Note
 * that openpam_readlinev reports its length through an int*, unlike the
 * other two which use size_t*.  The returned buffers are presumably
 * heap-allocated and owned by the caller — confirm against openpam_readline(3).
 */
#ifdef _IOFBF
char *
openpam_readline(FILE *_f,
	int *_lineno,
	size_t *_lenp)
	OPENPAM_NONNULL((1));

char **
openpam_readlinev(FILE *_f,
	int *_lineno,
	int *_lenp)
	OPENPAM_NONNULL((1));

char *
openpam_readword(FILE *_f,
	int *_lineno,
	size_t *_lenp)
	OPENPAM_NONNULL((1));
#endif

/*
 * openpam_straddch
 *
 * Presumably appends the character ch to the growable string *_str, with
 * *_sizep tracking the allocation size and *_lenp the current length
 * (confirm against openpam_straddch(3)).  Only _str is declared non-NULL.
 */
int
openpam_straddch(char **_str,
	size_t *_sizep,
	size_t *_lenp,
	int ch)
	OPENPAM_NONNULL((1));

/*
 * Enable / disable optional features
 *
 * Feature identifiers for openpam_set_feature()/openpam_get_feature().
 * From their names these presumably control whether service and module
 * names are restricted to plain file names and whether policy/module files
 * are verified before use, plus whether the "other" policy is used as a
 * fallback — the defaults and exact checks live in the library, not here.
 * OPENPAM_NUM_FEATURES is the count and must stay last.
 */
enum {
	OPENPAM_RESTRICT_SERVICE_NAME,
	OPENPAM_VERIFY_POLICY_FILE,
	OPENPAM_RESTRICT_MODULE_NAME,
	OPENPAM_VERIFY_MODULE_FILE,
	OPENPAM_FALLBACK_TO_OTHER,
	OPENPAM_NUM_FEATURES
};

/* _onoff: non-zero enables the feature, zero disables it. */
int
openpam_set_feature(int _feature, int _onoff);

/* Stores the current on/off state of _feature in *_onoff. */
int
openpam_get_feature(int _feature, int *_onoff);

/*
 * Log levels
 *
 * PAM_LOG_LIBDEBUG is -1; the rest count up from 0 (DEBUG) to ERROR.
 */
enum openpam_log_primitives {
	PAM_LOG_LIBDEBUG = -1,
	PAM_LOG_DEBUG,
	PAM_LOG_VERBOSE,
	PAM_LOG_NOTICE,
	PAM_LOG_ERROR
};

/*
 * Log to syslog
 *
 * _openpam_log is the implementation; _func is the calling function's name
 * (supplied by the openpam_log() macro below), _fmt the syslog-style format.
 * Only _fmt is declared non-NULL.
 */
void
_openpam_log(int _level,
	const char *_func,
	const char *_fmt,
	...)
	OPENPAM_FORMAT ((__syslog__, 3, 4))
	OPENPAM_NONNULL((3));

/*
 * openpam_log(lvl, fmt, ...)
 *
 * Prefer the C99 variadic-macro form, then the equivalent GNU forms (the
 * `fmt...` / `##fmt` spelling for older GCC), so that __func__ is inserted
 * automatically.  Where no variadic macro is available, a plain function
 * is declared instead and no caller name is recorded.
 */
#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
#define openpam_log(lvl, ...) \
	_openpam_log((lvl), __func__, __VA_ARGS__)
#elif defined(__GNUC__) && (__GNUC__ >= 3)
#define openpam_log(lvl, ...) \
	_openpam_log((lvl), __func__, __VA_ARGS__)
#elif defined(__GNUC__) && (__GNUC__ >= 2) && (__GNUC_MINOR__ >= 95)
#define openpam_log(lvl, fmt...) \
	_openpam_log((lvl), __func__, ##fmt)
#elif defined(__GNUC__) && defined(__func__)
#define openpam_log(lvl, fmt...) \
	_openpam_log((lvl), __func__, ##fmt)
#else
void
openpam_log(int _level,
	const char *_format,
	...)
	OPENPAM_FORMAT ((__syslog__, 2, 3))
	OPENPAM_NONNULL((2));
#endif

/*
 * Generic conversation function
 *
 * A ready-made pam_conv callback that talks to the controlling tty.
 * Signature is the standard conversation-function shape: _n messages in
 * _msg, responses returned through *_resp, opaque _data from the pam_conv.
 */
struct pam_message;
struct pam_response;
int openpam_ttyconv(int _n,
	const struct pam_message **_msg,
	struct pam_response **_resp,
	void *_data);

/*
 * Timeout used by openpam_ttyconv when waiting for input.  Units are not
 * visible here (presumably seconds — confirm against openpam_ttyconv(3)).
 */
extern int openpam_ttyconv_timeout;

/*
 * Null conversation function
 *
 * Same signature as openpam_ttyconv; presumably answers every message with
 * failure so that non-interactive callers never block on a prompt.
 */
int openpam_nullconv(int _n,
	const struct pam_message **_msg,
	struct pam_response **_resp,
	void *_data);

/*
 * PAM primitives
 *
 * Index into pam_module.func[] for each service-module entry point.
 */
enum openpam_sm_primitives {
	PAM_SM_AUTHENTICATE,
	PAM_SM_SETCRED,
	PAM_SM_ACCT_MGMT,
	PAM_SM_OPEN_SESSION,
	PAM_SM_CLOSE_SESSION,
	PAM_SM_CHAUTHTOK,
	/* keep this last */
	PAM_NUM_PRIMITIVES
};

/*
 * Dummy service module function
 *
 * Defines pam_sm_<type>() as a no-op that ignores all its arguments and
 * returns PAM_IGNORE, so a module can satisfy an entry point it does not
 * implement.  PAM_EXTERN is defined further down (static for linker-set
 * builds, empty otherwise).
 */
#define PAM_SM_DUMMY(type)						\
PAM_EXTERN int								\
pam_sm_##type(pam_handle_t *pamh, int flags,				\
    int argc, const char *argv[])					\
{									\
									\
	(void)pamh;							\
	(void)flags;							\
	(void)argc;							\
	(void)argv;							\
	return (PAM_IGNORE);						\
}

/*
 * PAM service module functions match this typedef
 * (pam_handle *, flags, argc, argv)
 */
struct pam_handle;
typedef int (*pam_func_t)(struct pam_handle *, int, int, const char **);

/*
 * A struct that describes a module.
 */
typedef struct pam_module pam_module_t;
struct pam_module {
	char		*path;			/* module file name/path (name PAM_SOEXT for static modules) */
	pam_func_t	 func[PAM_NUM_PRIMITIVES]; /* entry points, indexed by openpam_sm_primitives; NULL if absent */
	void		*dlh;			/* dynamic-loader handle; presumably NULL for static modules — confirm */
};

/*
 * Source-code compatibility with Linux-PAM modules
 *
 * Linux-PAM modules announce which entry points they implement by defining
 * PAM_SM_AUTH / PAM_SM_ACCOUNT / PAM_SM_SESSION / PAM_SM_PASSWORD before
 * including the headers.  If any of those is defined the module is treated
 * as a Linux-PAM module and the entry points it did NOT announce are
 * recorded as 0 (NULL) in the static module table below; otherwise every
 * entry point is assumed present.
 */
#if defined(PAM_SM_AUTH) || defined(PAM_SM_ACCOUNT) || \
	defined(PAM_SM_SESSION) || defined(PAM_SM_PASSWORD)
# define LINUX_PAM_MODULE
#endif

#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_AUTH)
# define _PAM_SM_AUTHENTICATE 0
# define _PAM_SM_SETCRED 0
#else
# undef PAM_SM_AUTH
# define PAM_SM_AUTH
# define _PAM_SM_AUTHENTICATE pam_sm_authenticate
# define _PAM_SM_SETCRED pam_sm_setcred
#endif

#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_ACCOUNT)
# define _PAM_SM_ACCT_MGMT 0
#else
# undef PAM_SM_ACCOUNT
# define PAM_SM_ACCOUNT
# define _PAM_SM_ACCT_MGMT pam_sm_acct_mgmt
#endif

#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_SESSION)
# define _PAM_SM_OPEN_SESSION 0
# define _PAM_SM_CLOSE_SESSION 0
#else
# undef PAM_SM_SESSION
# define PAM_SM_SESSION
# define _PAM_SM_OPEN_SESSION pam_sm_open_session
# define _PAM_SM_CLOSE_SESSION pam_sm_close_session
#endif

#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_PASSWORD)
# define _PAM_SM_CHAUTHTOK 0
#else
# undef PAM_SM_PASSWORD
# define PAM_SM_PASSWORD
# define _PAM_SM_CHAUTHTOK pam_sm_chauthtok
#endif

/*
 * Infrastructure for static modules using GCC linker sets.
 * You are not expected to understand this.
 *
 * When OPENPAM_STATIC_MODULES is defined (GCC or PCC only), PAM_EXTERN
 * becomes `static` so the module's pam_sm_* functions are file-local, and
 * PAM_MODULE_ENTRY(name) emits a file-local struct pam_module whose .path
 * is name PAM_SOEXT and whose .func[] table is filled from the _PAM_SM_*
 * macros above, then adds it to the `openpam_static_modules` linker set via
 * DATA_SET().  On NetBSD the DATA_SET/SET_DECLARE/SET_FOREACH names are
 * mapped onto the __link_set_* macros from <sys/cdefs.h>; FreeBSD gets them
 * from <linker_set.h>.  In the normal (dynamic) build both macros expand to
 * nothing.
 */
#if !defined(PAM_SOEXT)
# define PAM_SOEXT ".so"
#endif

#if (defined(__GNUC__) || defined(__PCC__)) && defined(OPENPAM_STATIC_MODULES)
# include <sys/cdefs.h>
# ifdef __FreeBSD__
#  include <linker_set.h>
# endif
# ifdef __NetBSD__
#  define DATA_SET(a, b) __link_set_add_data(a, b)
#  define SET_DECLARE(a, b) __link_set_decl(a, b)
#  define SET_FOREACH(a, b) __link_set_foreach(a, b)
# endif
# define PAM_EXTERN static
# define PAM_MODULE_ENTRY(name)						\
	static char _pam_name[] = name PAM_SOEXT;			\
	static struct pam_module _pam_module = {			\
		.path = _pam_name,					\
		.func = {						\
			[PAM_SM_AUTHENTICATE] = _PAM_SM_AUTHENTICATE,	\
			[PAM_SM_SETCRED] = _PAM_SM_SETCRED,		\
			[PAM_SM_ACCT_MGMT] = _PAM_SM_ACCT_MGMT,		\
			[PAM_SM_OPEN_SESSION] = _PAM_SM_OPEN_SESSION,	\
			[PAM_SM_CLOSE_SESSION] = _PAM_SM_CLOSE_SESSION,	\
			[PAM_SM_CHAUTHTOK] = _PAM_SM_CHAUTHTOK		\
		},							\
	};								\
	DATA_SET(openpam_static_modules, _pam_module)
#else
/* normal case */
# define PAM_EXTERN
# define PAM_MODULE_ENTRY(name)
#endif

#ifdef __cplusplus
}
#endif

#endif /* !SECURITY_OPENPAM_H_INCLUDED */