1 | /* |
2 | * <security/_pam_types.h> |
3 | * |
4 | * This file defines all of the types common to the Linux-PAM library |
5 | * applications and modules. |
6 | * |
7 | * Note, the copyright+license information is at end of file. |
8 | */ |
9 | |
10 | #ifndef _SECURITY__PAM_TYPES_H |
11 | #define _SECURITY__PAM_TYPES_H |
12 | |
/* This is a blind structure; users aren't allowed to see inside a
 * pam_handle_t, so we don't define struct pam_handle here. This is
 * defined in a file private to the PAM library. (i.e., it's private
 * to PAM service modules, too!) Applications and modules only ever
 * hold a pointer to it and hand that pointer back to the pam_*()
 * functions declared below; nothing outside libpam may dereference it. */

typedef struct pam_handle pam_handle_t;
19 | |
/* ---------------- The Linux-PAM Version defines ----------------- */

/* Major and minor version number of the Linux-PAM package. Use
   these macros to test for features in specific releases; __LINUX_PAM__
   being defined at all is also what tells portable code that it is
   compiling against Linux-PAM rather than another PAM implementation. */
#define __LINUX_PAM__ 1
#define __LINUX_PAM_MINOR__ 0
26 | |
/* ----------------- The Linux-PAM return values ------------------ */

/* Every pam_*() call reports its outcome with one of these values.
 * Only PAM_SUCCESS means success; every other value — including the
 * "try later" ones such as PAM_IGNORE, PAM_CONV_AGAIN and PAM_INCOMPLETE —
 * must never be taken as a successful authentication. The values are
 * contiguous, 0 .. _PAM_RETURN_VALUES-1. */

#define PAM_SUCCESS 0                /* Successful function return */
#define PAM_OPEN_ERR 1               /* dlopen() failure when dynamically
                                        loading a service module */
#define PAM_SYMBOL_ERR 2             /* Symbol not found */
#define PAM_SERVICE_ERR 3            /* Error in service module */
#define PAM_SYSTEM_ERR 4             /* System error */
#define PAM_BUF_ERR 5                /* Memory buffer error */
#define PAM_PERM_DENIED 6            /* Permission denied */
#define PAM_AUTH_ERR 7               /* Authentication failure */
#define PAM_CRED_INSUFFICIENT 8      /* Can not access authentication data
                                        due to insufficient credentials */
#define PAM_AUTHINFO_UNAVAIL 9       /* Underlying authentication service
                                        can not retrieve authentication
                                        information */
#define PAM_USER_UNKNOWN 10          /* User not known to the underlying
                                        authentication module */
#define PAM_MAXTRIES 11              /* An authentication service has
                                        maintained a retry count which has
                                        been reached. No further retries
                                        should be attempted */
#define PAM_NEW_AUTHTOK_REQD 12      /* New authentication token required.
                                        This is normally returned if the
                                        machine security policies require
                                        that the password should be changed
                                        because the password is NULL or it
                                        has aged */
#define PAM_ACCT_EXPIRED 13          /* User account has expired */
#define PAM_SESSION_ERR 14           /* Can not make/remove an entry for
                                        the specified session */
#define PAM_CRED_UNAVAIL 15          /* Underlying authentication service
                                        can not retrieve user credentials
                                        (they are unavailable) */
#define PAM_CRED_EXPIRED 16          /* User credentials expired */
#define PAM_CRED_ERR 17              /* Failure setting user credentials */
#define PAM_NO_MODULE_DATA 18        /* No module specific data is present */
#define PAM_CONV_ERR 19              /* Conversation error */
#define PAM_AUTHTOK_ERR 20           /* Authentication token manipulation error */
#define PAM_AUTHTOK_RECOVERY_ERR 21  /* Authentication information
                                        cannot be recovered */
#define PAM_AUTHTOK_LOCK_BUSY 22     /* Authentication token lock busy */
#define PAM_AUTHTOK_DISABLE_AGING 23 /* Authentication token aging disabled */
#define PAM_TRY_AGAIN 24             /* Preliminary check by password service */
#define PAM_IGNORE 25                /* Ignore underlying account module
                                        regardless of whether the control
                                        flag is required, optional, or sufficient */
#define PAM_ABORT 26                 /* Critical error (?module fail now request) */
#define PAM_AUTHTOK_EXPIRED 27       /* user's authentication token has expired */
#define PAM_MODULE_UNKNOWN 28        /* module is not known */

#define PAM_BAD_ITEM 29              /* Bad item passed to pam_*_item() */
#define PAM_CONV_AGAIN 30            /* conversation function is event driven
                                        and data is not available yet */
#define PAM_INCOMPLETE 31            /* please call this function again to
                                        complete authentication stack. Before
                                        calling again, verify that conversation
                                        is completed */

/*
 * Add new #define's here - take care to also extend the libpam code:
 * pam_strerror() and "libpam/pam_tokens.h" .
 */

/* Count of the return values above, i.e. the highest value + 1. It must
 * be bumped in step with any value added to the list, or the tables
 * named in the note above will be indexed past their end. */
#define _PAM_RETURN_VALUES 32 /* this is the number of return values */
92 | |
93 | |
/* ---------------------- The Linux-PAM flags -------------------- */

/* Flags are distinct single bits, OR'd together into the 'flags'
 * argument of the relevant pam_*() call. Which call honours which
 * group of flags is noted before each group. */

/* Authentication service should not generate any messages */
#define PAM_SILENT 0x8000U

/* Note: these flags are used by pam_authenticate{,_secondary}() */

/* The authentication service should return PAM_AUTH_ERR if the
 * user has a null authentication token. Without this flag, how a
 * module treats an empty token is presumably left to the module —
 * confirm per module. */
#define PAM_DISALLOW_NULL_AUTHTOK 0x0001U

/* Note: these flags are used for pam_setcred(). NOTE(review): the four
 * credential flags below read as alternatives rather than a bit set
 * to be combined — confirm against pam_setcred(3). */

/* Set user credentials for an authentication service */
#define PAM_ESTABLISH_CRED 0x0002U

/* Delete user credentials associated with an authentication service */
#define PAM_DELETE_CRED 0x0004U

/* Reinitialize user credentials */
#define PAM_REINITIALIZE_CRED 0x0008U

/* Extend lifetime of user credentials */
#define PAM_REFRESH_CRED 0x0010U

/* Note: these flags are used by pam_chauthtok */

/* The password service should only update those passwords that have
 * aged. If this flag is not passed, the password service should
 * update all passwords. */
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020U
125 | |
/* ------------------ The Linux-PAM item types ------------------- */

/* These defines are used by pam_set_item() and pam_get_item().
   Please check the spec which are allowed for use by applications
   and which are only allowed for use by modules. The 'void *' passed
   in or out is interpreted according to the item type: the name and
   prompt items are strings, the structured items are noted below. */

#define PAM_SERVICE 1        /* The service name */
#define PAM_USER 2           /* The user name */
#define PAM_TTY 3            /* The tty name */
#define PAM_RHOST 4          /* The remote host name (set by the
                                application from the client side of the
                                connection — modules should treat it as
                                unvalidated input) */
#define PAM_CONV 5           /* The pam_conv structure (a 'struct pam_conv *',
                                defined further down) */
#define PAM_AUTHTOK 6        /* The authentication token (password).
                                Sensitive: never log or copy it needlessly.
                                NOTE(review): the spec restricts this item
                                and PAM_OLDAUTHTOK to modules — confirm */
#define PAM_OLDAUTHTOK 7     /* The old authentication token (as sensitive
                                as PAM_AUTHTOK) */
#define PAM_RUSER 8          /* The remote user name */
#define PAM_USER_PROMPT 9    /* the prompt for getting a username */
/* Linux-PAM extensions */
#define PAM_FAIL_DELAY 10    /* app supplied function to override failure
                                delays; its prototype is given with
                                pam_fail_delay() below */
#define PAM_XDISPLAY 11      /* X display name */
#define PAM_XAUTHDATA 12     /* X server authentication data (a
                                'struct pam_xauth_data *', defined below) */
#define PAM_AUTHTOK_TYPE 13  /* The type for pam_get_authtok */
147 | |
/* -------------- Special defines used by Linux-PAM -------------- */

/* PAM_GNUC_PREREQ(maj, min): non-zero when compiling with a compiler
 * that defines __GNUC__/__GNUC_MINOR__ at version maj.min or newer,
 * 0 otherwise. The two components are packed into one integer (major
 * in the high bits) so that e.g. 4.0 correctly compares newer than 3.9. */
#if defined(__GNUC__) && defined(__GNUC_MINOR__)
# define PAM_GNUC_PREREQ(maj, min) \
	((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
#else
# define PAM_GNUC_PREREQ(maj, min) 0
#endif

/* PAM_FORMAT(params): attaches a printf-style format-checking attribute
 * to a declaration; 'params' is the parenthesised attribute argument
 * list, e.g. PAM_FORMAT((printf, 2, 3)). Expands to nothing on
 * compilers without __attribute__((format)). */
#if PAM_GNUC_PREREQ(2,5)
# define PAM_FORMAT(params) __attribute__((__format__ params))
#else
# define PAM_FORMAT(params)
#endif

/* PAM_NONNULL(params): marks the listed (1-based) pointer parameters as
 * never NULL so the compiler can warn callers that pass NULL. It is
 * deliberately turned off while building libpam itself (LIBPAM_COMPILE):
 * NOTE(review): presumably so the optimiser cannot remove libpam's own
 * runtime NULL checks on those parameters — confirm. */
#if PAM_GNUC_PREREQ(3,3) && !defined(LIBPAM_COMPILE)
# define PAM_NONNULL(params) __attribute__((__nonnull__ params))
#else
# define PAM_NONNULL(params)
#endif
168 | |
/* ---------- Common Linux-PAM application/module API ----------- */

/* The functions below may be called by both applications and service
 * modules. Each takes the opaque pam_handle_t; a parameter carrying
 * PAM_NONNULL must not be NULL, and the library may assume it is not. */

/* Set item 'item_type' (one of the PAM_* item types above) to the value
 * 'item' points to. Returns PAM_SUCCESS, PAM_BAD_ITEM for an item type
 * that is not known, or another PAM_* error value. */
extern int PAM_NONNULL((1))
pam_set_item(pam_handle_t *pamh, int item_type, const void *item);

/* Retrieve item 'item_type' by storing a pointer to it in *item. The
 * pointee is const and remains owned by the library: do not modify or
 * free() it (NOTE(review): its lifetime is not stated here — confirm
 * before caching it). Returns PAM_SUCCESS or PAM_BAD_ITEM. */
extern int PAM_NONNULL((1))
pam_get_item(const pam_handle_t *pamh, int item_type, const void **item);

/* Map a PAM_* return value ('errnum') to a human-readable string. */
extern const char *
pam_strerror(pam_handle_t *pamh, int errnum);

/* Add 'name_value' to the PAM environment; the parameter name suggests
 * a "NAME=value" string — confirm against pam_putenv(3). */
extern int PAM_NONNULL((1,2))
pam_putenv(pam_handle_t *pamh, const char *name_value);

/* Look up 'name' in the PAM environment and return its value, or
 * presumably NULL when it is not set — confirm. */
extern const char * PAM_NONNULL((1,2))
pam_getenv(pam_handle_t *pamh, const char *name);

/* Return the PAM environment as an array of strings. NOTE(review): the
 * header does not say who frees the array; pam_getenvlist(3) assigns
 * that to the caller — confirm. Its contents are set by modules, so an
 * application that exports it to a child process is trusting them. */
extern char ** PAM_NONNULL((1))
pam_getenvlist(pam_handle_t *pamh);
188 | |
/* ---------- Common Linux-PAM application/module API ----------- */

/*
 * here are some proposed error status definitions for the
 * 'error_status' argument used by the cleanup function associated
 * with data items; they should be logically OR'd with the error_status
 * of the latest return from libpam -- new with .52 and positive
 * impression from Sun although not official as of 1996/9/4
 * [generally the other flags are to be found in pam_modules.h]
 */

/* Bit 30 sits far above the PAM_* return values (0..31), so the two can
 * be OR'd into one 'error_status' without colliding. */
#define PAM_DATA_SILENT 0x40000000 /* used to suppress messages... */

/*
 * here we define an externally (by apps or modules) callable function
 * that primes the libpam library to delay when a stacked set of
 * modules results in a failure. In the case of PAM_SUCCESS this delay
 * is ignored.
 *
 * Note, the pam_[gs]et_item(... PAM_FAIL_DELAY ...) can be used to set
 * a function pointer which can override the default fail-delay behavior.
 * This item was added to accommodate event driven programs that need to
 * manage delays more carefully. The function prototype for this data
 * item is
 * void (*fail_delay)(int status, unsigned int delay, void *appdata_ptr);
 *
 * An application that installs its own fail_delay takes over the job of
 * actually waiting 'delay' microseconds on failure; a callback that
 * simply returns removes the delay — and with it whatever slow-down it
 * was giving against repeated failed attempts (NOTE(review): inferred
 * from the override semantics; confirm against pam_fail_delay(3)).
 */

/* Defined so that code can test for the availability of pam_fail_delay(). */
#define HAVE_PAM_FAIL_DELAY
/* Ask libpam to delay roughly 'musec_delay' microseconds before returning
 * a failure from the current stack; ignored on PAM_SUCCESS (see above). */
extern int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay);
218 | |
/* ------------ The Linux-PAM conversation structures ------------ */

/* Message styles: values for pam_message.msg_style, telling the
 * application's conversation function what kind of interaction each
 * message asks for. */

#define PAM_PROMPT_ECHO_OFF 1     /* prompt for input that must not be
                                     echoed (typically a password) */
#define PAM_PROMPT_ECHO_ON 2      /* prompt for input that may be echoed */
#define PAM_ERROR_MSG 3           /* display an error message */
#define PAM_TEXT_INFO 4           /* display informational text */

/* Linux-PAM specific types */

#define PAM_RADIO_TYPE 5 /* yes/no/maybe conditionals */

/* This is for server client non-human interaction.. these are NOT
   part of the X/Open PAM specification. (Value 6 is not assigned in
   this header.) */

#define PAM_BINARY_PROMPT 7

/* maximum size of messages/responses etc.. (these are mostly
   arbitrary so Linux-PAM should handle longer values). A conversation
   function is nevertheless entitled to treat num_msg outside
   1..PAM_MAX_NUM_MSG, or text longer than these sizes, as an error
   instead of trusting the other side blindly. */

#define PAM_MAX_NUM_MSG 32
#define PAM_MAX_MSG_SIZE 512
#define PAM_MAX_RESP_SIZE 512
243 | |
/* Used to pass prompting text, error messages, or other informatory
 * text to the user. This structure is allocated and freed by the PAM
 * library (or loaded module), so the conversation function must treat
 * it as read-only and must not hold on to 'msg' after it returns. */

struct pam_message {
	int msg_style;    /* one of the PAM_PROMPT_ECHO_OFF .. PAM_BINARY_PROMPT
	                     styles above */
	const char *msg;  /* the text (or, for PAM_BINARY_PROMPT, the binary
	                     packet described below) */
};
252 | |
/* if the pam_message.msg_style = PAM_BINARY_PROMPT
   the 'pam_message.msg' points to a 'const' object of the following
   pseudo-structure. When used with a PAM_BINARY_PROMPT, the returned
   pam_response.resp pointer points to an object with the following
   structure:

   struct {
       u32 length;                 # network byte order
       unsigned char type;
       unsigned char data[length-5];
   };

   'length' counts the whole object including the 5-byte header, so a
   receiver must reject any length < 5 before computing the size of
   'data'.

   The 'libpamc' library is designed around this flavor of
   message and should be used to handle this flavor of msg_style.
 */
268 | |
/* Used to return the user's response to the PAM library. This
   structure is allocated by the application program, and free()'d by
   the Linux-PAM library (or calling module). Because the library calls
   free() on what it receives, the response array and each 'resp' string
   must come from malloc()/calloc()/strdup() — never from the stack or
   static storage. A 'resp' answering a PAM_PROMPT_ECHO_OFF message
   usually holds a password; NOTE(review): whether the library wipes it
   before free() is not visible in this header, so applications should
   not keep extra copies around. */

struct pam_response {
	char *resp;        /* the user's reply; presumably NULL when there was
	                      no input to return — confirm */
	int resp_retcode;  /* currently un-used, zero expected */
};
277 | |
/* The actual conversation structure itself. The application fills it
   in and passes it to libpam as the PAM_CONV item. 'conv' is invoked
   with 'num_msg' messages in 'msg'; on success it stores in *resp an
   allocated array of responses (one per message — confirm) that the
   library will free(), and returns PAM_SUCCESS. On failure it should
   return PAM_CONV_ERR (or PAM_CONV_AGAIN when the answer is not yet
   available) and presumably leave *resp untouched. 'appdata_ptr' is
   handed back to 'conv' unchanged so the application can carry its own
   state. A defensive 'conv' checks num_msg against PAM_MAX_NUM_MSG and
   rejects msg_style values it does not know.
   NOTE(review): other PAM implementations are known to interpret the
   'msg' double pointer differently (pointer to an array of structs
   rather than an array of pointers); write conversation functions
   against this header's definition only. */

struct pam_conv {
	int (*conv)(int num_msg, const struct pam_message **msg,
	            struct pam_response **resp, void *appdata_ptr);
	void *appdata_ptr;  /* opaque application data, passed to conv */
};
285 | |
/* Used by the PAM_XAUTHDATA pam item. Contains X authentication
   data used by modules to connect to the user's X display. Note:
   this structure is intentionally compatible with xcb_auth_info_t.
   'name' and 'data' are length-counted buffers, not NUL-terminated
   strings ('data' in particular is binary cookie material). Both
   lengths are plain ints for that compatibility, so any consumer must
   reject a negative 'namelen'/'datalen' before using it as a size or
   passing it to memcpy(). */

struct pam_xauth_data {
	int namelen;  /* byte length of 'name' */
	char *name;   /* authentication protocol name */
	int datalen;  /* byte length of 'data' */
	char *data;   /* the raw authentication data — treat as a secret */
};
296 | |
297 | /* ... adapted from the pam_appl.h file created by Theodore Ts'o and |
298 | * |
299 | * Copyright Theodore Ts'o, 1996. All rights reserved. |
300 | * Copyright (c) Andrew G. Morgan <morgan@linux.kernel.org>, 1996-8 |
301 | * |
302 | * Redistribution and use in source and binary forms, with or without |
303 | * modification, are permitted provided that the following conditions |
304 | * are met: |
305 | * 1. Redistributions of source code must retain the above copyright |
306 | * notice, and the entire permission notice in its entirety, |
307 | * including the disclaimer of warranties. |
308 | * 2. Redistributions in binary form must reproduce the above copyright |
309 | * notice, this list of conditions and the following disclaimer in the |
310 | * documentation and/or other materials provided with the distribution. |
311 | * 3. The name of the author may not be used to endorse or promote |
312 | * products derived from this software without specific prior |
313 | * written permission. |
314 | * |
315 | * ALTERNATIVELY, this product may be distributed under the terms of |
316 | * the GNU Public License, in which case the provisions of the GPL are |
317 | * required INSTEAD OF the above restrictions. (This clause is |
318 | * necessary due to a potential bad interaction between the GPL and |
319 | * the restrictions contained in a BSD-style copyright.) |
320 | * |
321 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
322 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
323 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
324 | * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, |
325 | * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
326 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
327 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
328 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
329 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
330 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
331 | * OF THE POSSIBILITY OF SUCH DAMAGE. */ |
332 | |
333 | #endif /* _SECURITY__PAM_TYPES_H */ |
334 | |