1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  */
  25 
  26 #ifndef _PAM_IMPL_H
  27 #define _PAM_IMPL_H
  28 
  29 #ifdef __cplusplus
  30 extern "C" {
  31 #endif
  32 
  33 #include <limits.h>
  34 #include <shadow.h>
  35 #include <sys/types.h>
  36 
/*
 * Message text domain for the framework's localized strings
 * (presumably handed to dgettext(); confirm in pam_framework.c).
 */
#define PAMTXD          "SUNW_OST_SYSOSPAM"

/*
 * Configuration file and module lookup paths.  PAM_ISA is presumably the
 * "$ISA" token inside a module_path that is replaced by PAM_ISA_DIR, and
 * PAM_LIB_DIR the directory tried for module paths that are not absolute;
 * confirm both against the module loader in pam_framework.c.  Because the
 * paths named in pam.conf are loaded into every PAM-using process, the
 * file and these directories must only be writable by root.
 */
#define PAM_CONFIG      "/etc/pam.conf"
#define PAM_ISA         "/$ISA/"
#define PAM_LIB_DIR     "/usr/lib/security/"
/* 64-bit processes take modules from the "64/" subdirectory. */
#ifdef  _LP64
#define PAM_ISA_DIR     "/64/"
#else   /* !_LP64 */
#define PAM_ISA_DIR     "/"
#endif  /* _LP64 */
  47 
/* Service Module Types */

/*
 * If new service types are added, they should be named in
 * pam_framework.c::pam_snames[] as well.
 */

/* Keywords accepted in the service-type column of pam.conf. */
#define PAM_ACCOUNT_NAME        "account"
#define PAM_AUTH_NAME           "auth"
#define PAM_PASSWORD_NAME       "password"
#define PAM_SESSION_NAME        "session"

/*
 * Numeric form stored in pamtab_t.pam_type.  The values also serve as the
 * second subscript of pam_handle.pam_conf_info[][], so they must remain
 * contiguous from 0 and PAM_NUM_MODULE_TYPES must be one past the largest.
 */
#define PAM_ACCOUNT_MODULE      0
#define PAM_AUTH_MODULE         1
#define PAM_PASSWORD_MODULE     2
#define PAM_SESSION_MODULE      3

#define PAM_NUM_MODULE_TYPES    4
  66 
/* Control Flags */

/* Keywords accepted in the control-flag column of pam.conf. */
#define PAM_BINDING_NAME        "binding"
#define PAM_INCLUDE_NAME        "include"
#define PAM_OPTIONAL_NAME       "optional"
#define PAM_REQUIRED_NAME       "required"
#define PAM_REQUISITE_NAME      "requisite"
#define PAM_SUFFICIENT_NAME     "sufficient"

/*
 * Bit values stored in pamtab_t.pam_flag.  Each flag is a distinct bit so
 * that "binding" can be combined with "required" or "sufficient" (below)
 * and tested with a mask rather than an equality comparison.
 */
#define PAM_BINDING     0x01
#define PAM_INCLUDE     0x02
#define PAM_OPTIONAL    0x04
#define PAM_REQUIRED    0x08
#define PAM_REQUISITE   0x10
#define PAM_SUFFICIENT  0x20

/* Composite flags: "binding" combined with "required" or "sufficient". */
#define PAM_REQRD_BIND  (PAM_REQUIRED | PAM_BINDING)
#define PAM_SUFFI_BIND  (PAM_SUFFICIENT | PAM_BINDING)
  85 
/* Function Indicators */

/*
 * Identifies which of the six public pam_*() entry points is in progress
 * (presumably used by the framework to choose the matching pam_sm_*
 * function from the tables at the bottom of this header).  These are
 * plain ordinals, not bit flags, and 0 is deliberately unused.
 */
#define PAM_AUTHENTICATE        1
#define PAM_SETCRED             2
#define PAM_ACCT_MGMT           3
#define PAM_OPEN_SESSION        4
#define PAM_CLOSE_SESSION       5
#define PAM_CHAUTHTOK           6
  94 
/* PAM tracing */

/*
 * Trace configuration.  PAM_DEBUG names a file whose presence presumably
 * switches tracing on; LOG_PRIORITY, LOG_FACILITY and DEBUG_FLAGS look like
 * the "key=" prefixes of the lines read from it -- confirm the exact
 * parsing in pam_framework.c.
 */
#define PAM_DEBUG       "/etc/pam_debug"
#define LOG_PRIORITY    "log_priority="
#define LOG_FACILITY    "log_facility="
#define DEBUG_FLAGS     "debug_flags="
/*
 * DEBUG_FLAGS bits (combinable).  PAM_DEBUG_AUTHTOK sits far from the rest
 * on purpose: if it does what its name says it traces authentication
 * tokens, which would put credentials into the log, so it belongs only on a
 * disposable test system.
 */
#define PAM_DEBUG_NONE          0x0000
#define PAM_DEBUG_DEFAULT       0x0001
#define PAM_DEBUG_ITEM          0x0002
#define PAM_DEBUG_MODULE        0x0004
#define PAM_DEBUG_CONF          0x0008
#define PAM_DEBUG_DATA          0x0010
#define PAM_DEBUG_CONV          0x0020
#define PAM_DEBUG_AUTHTOK       0x8000

/* PAM_MAX_ITEMS sizes pam_handle.ps_item[]; PAM_MAX_INCLUDE bounds */
/* pam_handle.include_depth (its arrays hold PAM_MAX_INCLUDE+1 levels). */
#define PAM_MAX_ITEMS           64      /* Max number of items */
#define PAM_MAX_INCLUDE         32      /* Max include flag recursions */
 112 
/*
 * Symbol names resolved in a loaded service module (the modules are
 * dlopen'd, see fd_list below).  Each name corresponds to one member of
 * the auth_module / session_module / password_module / account_module
 * function tables at the end of this header.
 */

/* authentication module functions */
#define PAM_SM_AUTHENTICATE     "pam_sm_authenticate"
#define PAM_SM_SETCRED          "pam_sm_setcred"

/* session module functions */
#define PAM_SM_OPEN_SESSION     "pam_sm_open_session"
#define PAM_SM_CLOSE_SESSION    "pam_sm_close_session"

/* password module functions */
#define PAM_SM_CHAUTHTOK                "pam_sm_chauthtok"

/* account module functions */
#define PAM_SM_ACCT_MGMT                "pam_sm_acct_mgmt"

/* max # of authentication token attributes */
#define PAM_MAX_NUM_ATTR        10

/* max size (in chars) of an authentication token attribute */
#define PAM_MAX_ATTR_SIZE       80
 132 
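/* utility function prototypes */

/*
 * Values for the "source" argument of __pam_get_authtok(): obtain a new
 * token from the user, or take the one already stored as an item in the
 * handle.
 */
#define PAM_PROMPT      1       /* prompt user for new password */
#define PAM_HANDLE      2       /* get password from pam handle (item) */

/*
 * Build-time guard: a prompted password of up to PASS_MAX characters is
 * presumably copied into a conversation response buffer of
 * PAM_MAX_RESP_SIZE bytes, so the latter must be strictly larger (room for
 * the terminating NUL).  PAM_MAX_RESP_SIZE is not declared by this header's
 * own includes; the includer is expected to have pulled in
 * <security/pam_appl.h> first.  The diagnostic now states the same
 * relation the #if tests (it previously said ">").
 */
#if     PASS_MAX >= PAM_MAX_RESP_SIZE
#error  PASS_MAX >= PAM_MAX_RESP_SIZE
#endif  /* PASS_MAX >= PAM_MAX_RESP_SIZE */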
 142 
/*
 * Fetch an authentication token for item "type", either by prompting the
 * user with "prompt" (source == PAM_PROMPT) or by reading the item already
 * held in the handle (source == PAM_HANDLE), and hand it back through
 * *authtok.  Presumably the string is heap-allocated and owned by the
 * caller, and the result is a PAM_* status -- confirm in pam_framework.c,
 * which is not part of this header.  pam_handle_t comes from
 * <security/pam_appl.h>, which the includer must provide before this file.
 */
extern int
__pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
    char **authtok);

/*
 * Deliver num_msg messages of the given style to the application's
 * conversation function; conv_apdp is presumably the application data
 * pointer passed straight through.  The array bounds PAM_MAX_NUM_MSG and
 * PAM_MAX_MSG_SIZE are also declared in <security/pam_appl.h>.  Presumably
 * returns a PAM_* status.
 */
extern int
__pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
    char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp);

/*
 * printf-style logging at the given priority (presumably via syslog, given
 * LOG_PRIORITY/LOG_FACILITY above).  "format" must always be a literal
 * chosen by the framework and never text taken from a module argument, a
 * conversation response or an item, because the varargs are trusted to
 * match it.  NOTE(review): a printf-format attribute on this prototype
 * would let the compiler check every caller's argument list.
 */
extern void
__pam_log(int priority, const char *format, ...);
 153 
/* file handle for pam.conf */
/*
 * Parser state for one configuration file.  The whole file is presumably
 * read into "data" and walked through "bufferp"; "line" is a fixed 256-byte
 * scratch buffer for the entry being parsed, so the parser must bound its
 * copies by sizeof (line) (pamtab_t.pam_err records an overflow).
 */
struct pam_fh {
        int     fconfig;        /* file descriptor returned by open() */
        char    line[256];      /* scratch copy of the current line */
        size_t  bufsize;        /* size of the buffer which holds */
                                /* the content of pam.conf */
        char   *bufferp;        /* used to process data */
        char   *data;           /* contents of pam.conf */
};
 163 
/* items that can be set/retrieved thru pam_[sg]et_item() */
/*
 * One slot of pam_handle.ps_item[], indexed by the public PAM_* item
 * number.  pi_size is a signed int; presumably it only ever holds
 * non-negative sizes, so callers should not rely on a sign check.
 */
struct  pam_item {
        void    *pi_addr;       /* pointer to item */
        int     pi_size;        /* size of item */
};
 169 
/* module specific data stored in the pam handle */
/*
 * Singly linked list hung off pam_handle.ssd.  module_data_name is the
 * lookup key and must be unique within a handle.  "cleanup", when set, is
 * called with the data pointer and a PAM status so the owning module can
 * release (and, for secrets, scrub) what it stored.
 */
struct pam_module_data {
        char *module_data_name;         /* unique module data name */
        void *data;                     /* the module specific data */
        void (*cleanup)(pam_handle_t *pamh, void *data, int pam_status);
        struct pam_module_data *next;   /* pointer to next module data */
};
 177 
/* each entry from pam.conf is stored here (in the pam handle) */
/*
 * One parsed pam.conf line.  pam_type holds a PAM_*_MODULE index, pam_flag
 * a combination of the PAM_* control bits.  module_path is the library
 * that will be dlopen'd for this entry (presumably resolved against
 * PAM_LIB_DIR / PAM_ISA when not absolute -- confirm in pam_framework.c);
 * the framework trusts it as written, which is why pam.conf must not be
 * writable by unprivileged users.  module_argc/module_argv are the
 * remaining words of the line, passed to the module as its options.
 */
typedef struct pamtab {
        char    *pam_service;   /* PAM service, e.g. login, rlogin */
        int     pam_type;       /* AUTH, ACCOUNT, PASSWORD, SESSION */
        int     pam_flag;       /* required, optional, sufficient */
        int     pam_err;        /* error if line overflow */
        char    *module_path;   /* module library */
        int     module_argc;    /* module specific options */
        char    **module_argv;
        void    *function_ptr;  /* pointer to struct holding function ptrs */
        struct pamtab *next;    /* next entry of the same service type */
} pamtab_t;
 190 
/* list of open fd's (modules that were dlopen'd) */
/*
 * Despite the name, the list holds dlopen() handles, not file descriptors;
 * it exists so the handle's modules can be dlclose'd when the handle is
 * torn down.
 */
typedef struct fd_list {
        void *mh;               /* module handle */
        struct fd_list *next;
} fd_list;
 196 
/* list of PAM environment variables */
/*
 * Name/value pairs kept per handle (pam_handle.pam_env), presumably backing
 * pam_putenv()/pam_getenv().  Both strings are stored separately rather
 * than as "name=value".
 */
typedef struct env_list {
        char *name;
        char *value;
        struct env_list *next;
} env_list;
 203 
/* pam_inmodule values for pam item checking */
/*
 * Stored in pam_handle.pam_inmodule and consulted when an item is read or
 * written.  Presumably the framework changes the value around each module
 * call so that items restricted to modules (for example the authentication
 * tokens) cannot be read back by the application -- confirm against
 * pam_get_item() in pam_framework.c.
 */
#define RW_OK   0       /* Read Write items OK */
#define RO_OK   1       /* Read Only items OK */
#define WO_OK   2       /* Write Only items/data OK */
 208 
/* the pam handle */
/*
 * Per-session framework state, presumably the completion of the opaque
 * pam_handle_t from <security/pam_appl.h>.  The pam_conf_* arrays hold one
 * level per "include" recursion (PAM_MAX_INCLUDE+1 levels), each level
 * carrying the name of the file that was read and its entries split by
 * service type.
 */
struct pam_handle {
        struct  pam_item ps_item[PAM_MAX_ITEMS];        /* array of PAM items */
        /* current nesting of include directives; presumably never */
        /* allowed past PAM_MAX_INCLUDE, the last valid array index */
        int     include_depth;
        int     pam_inmodule;   /* Protect restricted pam_get_item calls */
                                /* (one of RW_OK, RO_OK, WO_OK) */
        /* configuration file read at each include level */
        char    *pam_conf_name[PAM_MAX_INCLUDE+1];
        /* entry lists per include level and PAM_*_MODULE type */
        pamtab_t *pam_conf_info[PAM_MAX_INCLUDE+1][PAM_NUM_MODULE_TYPES];
        /* presumably the entry currently being processed at each level */
        pamtab_t *pam_conf_modulep[PAM_MAX_INCLUDE+1];
        struct  pam_module_data *ssd;           /* module specific data */
        fd_list *fd;                            /* module fd's */
        env_list *pam_env;                      /* environment variables */
};
 221 
/*
 * the function_ptr field in pamtab_t
 * will point to one of these modules
 */
/*
 * Entry points of an "auth" module, resolved by the PAM_SM_AUTHENTICATE and
 * PAM_SM_SETCRED symbol names.  argc/argv are the options from the
 * module's pam.conf line; argv is const so modules cannot modify them.
 */
struct auth_module {
        int     (*pam_sm_authenticate)(pam_handle_t *pamh, int flags, int argc,
                    const char **argv);
        int     (*pam_sm_setcred)(pam_handle_t *pamh, int flags, int argc,
                    const char **argv);
};
 232 
/*
 * Entry point of a "password" module, resolved by the PAM_SM_CHAUTHTOK
 * symbol name; same argument convention as auth_module.
 */
struct password_module {
        int     (*pam_sm_chauthtok)(pam_handle_t *pamh, int flags, int argc,
                    const char **argv);
};
 237 
/*
 * Entry points of a "session" module, resolved by the PAM_SM_OPEN_SESSION
 * and PAM_SM_CLOSE_SESSION symbol names; same argument convention as
 * auth_module.
 */
struct session_module {
        int     (*pam_sm_open_session)(pam_handle_t *pamh, int flags, int argc,
                    const char **argv);
        int     (*pam_sm_close_session)(pam_handle_t *pamh, int flags, int argc,
                    const char **argv);
};
 244 
/*
 * Entry point of an "account" module, resolved by the PAM_SM_ACCT_MGMT
 * symbol name; same argument convention as auth_module.
 */
struct account_module {
        int     (*pam_sm_acct_mgmt)(pam_handle_t *pamh, int flags, int argc,
                    const char **argv);
};
 249 
 250 #ifdef __cplusplus
 251 }
 252 #endif
 253 
 254 #endif  /* _PAM_IMPL_H */