authordes <des@FreeBSD.org>2002-02-23 01:24:02 +0000
committerdes <des@FreeBSD.org>2002-02-23 01:24:02 +0000
commitb7924daede5918d4af38aea32dcfe788509d2326 (patch)
treeae223d64d0eef9481ac27d428fd4c517fe5427e4 /contrib/openpam/lib
parent8f1441cfb24a5778dd1a680f7f9b48ef1560d682 (diff)
Vendor import of OpenPAM Cantaloupe
Diffstat (limited to 'contrib/openpam/lib')
-rw-r--r--contrib/openpam/lib/Makefile3
-rw-r--r--contrib/openpam/lib/openpam_dispatch.c8
-rw-r--r--contrib/openpam/lib/openpam_findenv.c6
-rw-r--r--contrib/openpam/lib/openpam_get_option.c83
-rw-r--r--contrib/openpam/lib/openpam_impl.h6
-rw-r--r--contrib/openpam/lib/openpam_load.c17
-rw-r--r--contrib/openpam/lib/openpam_log.c6
-rw-r--r--contrib/openpam/lib/openpam_set_option.c104
-rw-r--r--contrib/openpam/lib/openpam_static.c69
-rw-r--r--contrib/openpam/lib/openpam_ttyconv.c145
-rw-r--r--contrib/openpam/lib/pam_acct_mgmt.c8
-rw-r--r--contrib/openpam/lib/pam_authenticate.c8
-rw-r--r--contrib/openpam/lib/pam_authenticate_secondary.c11
-rw-r--r--contrib/openpam/lib/pam_chauthtok.c8
-rw-r--r--contrib/openpam/lib/pam_close_session.c8
-rw-r--r--contrib/openpam/lib/pam_end.c14
-rw-r--r--contrib/openpam/lib/pam_error.c18
-rw-r--r--contrib/openpam/lib/pam_get_authtok.c34
-rw-r--r--contrib/openpam/lib/pam_get_data.c18
-rw-r--r--contrib/openpam/lib/pam_get_item.c47
-rw-r--r--contrib/openpam/lib/pam_get_mapped_authtok.c11
-rw-r--r--contrib/openpam/lib/pam_get_mapped_username.c11
-rw-r--r--contrib/openpam/lib/pam_get_user.c9
-rw-r--r--contrib/openpam/lib/pam_getenv.c10
-rw-r--r--contrib/openpam/lib/pam_getenvlist.c36
-rw-r--r--contrib/openpam/lib/pam_info.c18
-rw-r--r--contrib/openpam/lib/pam_open_session.c8
-rw-r--r--contrib/openpam/lib/pam_prompt.c25
-rw-r--r--contrib/openpam/lib/pam_putenv.c17
-rw-r--r--contrib/openpam/lib/pam_set_data.c19
-rw-r--r--contrib/openpam/lib/pam_set_item.c17
-rw-r--r--contrib/openpam/lib/pam_set_mapped_authtok.c11
-rw-r--r--contrib/openpam/lib/pam_set_mapped_username.c11
-rw-r--r--contrib/openpam/lib/pam_setcred.c22
-rw-r--r--contrib/openpam/lib/pam_setenv.c18
-rw-r--r--contrib/openpam/lib/pam_sm_acct_mgmt.c81
-rw-r--r--contrib/openpam/lib/pam_sm_authenticate.c82
-rw-r--r--contrib/openpam/lib/pam_sm_authenticate_secondary.c66
-rw-r--r--contrib/openpam/lib/pam_sm_chauthtok.c82
-rw-r--r--contrib/openpam/lib/pam_sm_close_session.c78
-rw-r--r--contrib/openpam/lib/pam_sm_get_mapped_authtok.c65
-rw-r--r--contrib/openpam/lib/pam_sm_get_mapped_username.c66
-rw-r--r--contrib/openpam/lib/pam_sm_open_session.c78
-rw-r--r--contrib/openpam/lib/pam_sm_set_mapped_authtok.c65
-rw-r--r--contrib/openpam/lib/pam_sm_set_mapped_username.c63
-rw-r--r--contrib/openpam/lib/pam_sm_setcred.c82
-rw-r--r--contrib/openpam/lib/pam_start.c34
-rw-r--r--contrib/openpam/lib/pam_strerror.c11
-rw-r--r--contrib/openpam/lib/pam_verror.c17
-rw-r--r--contrib/openpam/lib/pam_vinfo.c17
-rw-r--r--contrib/openpam/lib/pam_vprompt.c44
51 files changed, 1722 insertions, 73 deletions
diff --git a/contrib/openpam/lib/Makefile b/contrib/openpam/lib/Makefile
index 1fd9041..01817c1 100644
--- a/contrib/openpam/lib/Makefile
+++ b/contrib/openpam/lib/Makefile
@@ -45,8 +45,11 @@ CFLAGS += -I${.CURDIR}/../include
SRCS =
SRCS += openpam_dispatch.c
SRCS += openpam_findenv.c
+SRCS += openpam_get_option.c
SRCS += openpam_load.c
SRCS += openpam_log.c
+SRCS += openpam_set_option.c
+SRCS += openpam_static.c
SRCS += openpam_ttyconv.c
SRCS += pam_acct_mgmt.c
SRCS += pam_authenticate.c
diff --git a/contrib/openpam/lib/openpam_dispatch.c b/contrib/openpam/lib/openpam_dispatch.c
index 1582edb..b663d5a 100644
--- a/contrib/openpam/lib/openpam_dispatch.c
+++ b/contrib/openpam/lib/openpam_dispatch.c
@@ -47,6 +47,8 @@ static void _openpam_check_error_code(int, int);
#endif /* !defined(OPENPAM_RELAX_CHECKS) */
/*
+ * OpenPAM internal
+ *
* Execute a module chain
*/
@@ -210,3 +212,9 @@ _openpam_check_error_code(int primitive, int r)
_pam_sm_func_name[primitive], r);
}
#endif /* !defined(OPENPAM_RELAX_CHECKS) */
+
+/*
+ * NODOC
+ *
+ * Error codes:
+ */
diff --git a/contrib/openpam/lib/openpam_findenv.c b/contrib/openpam/lib/openpam_findenv.c
index c32dd27..a9fb333 100644
--- a/contrib/openpam/lib/openpam_findenv.c
+++ b/contrib/openpam/lib/openpam_findenv.c
@@ -41,6 +41,8 @@
#include "openpam_impl.h"
/*
+ * OpenPAM internal
+ *
* Locate an environment variable
*/
@@ -60,3 +62,7 @@ openpam_findenv(pam_handle_t *pamh,
return (i);
return (-1);
}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/openpam_get_option.c b/contrib/openpam/lib/openpam_get_option.c
new file mode 100644
index 0000000..c4eeab2
--- /dev/null
+++ b/contrib/openpam/lib/openpam_get_option.c
@@ -0,0 +1,83 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <string.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Returns the value of a module option
+ */
+
+const char *
+openpam_get_option(pam_handle_t *pamh,
+ const char *option)
+{
+ pam_chain_t *cur;
+ size_t len;
+ int i;
+
+ if (pamh == NULL || pamh->current == NULL || option == NULL)
+ return (NULL);
+ cur = pamh->current;
+ len = strlen(option);
+ for (i = 0; i < cur->optc; ++i) {
+ if (strncmp(cur->optv[i], option, len) == 0) {
+ if (cur->optv[i][len] == '\0')
+ return (&cur->optv[i][len]);
+ else if (cur->optv[i][len] == '=')
+ return (&cur->optv[i][len + 1]);
+ }
+ }
+ return (NULL);
+}
+
+/*
+ * NOLIST
+ */
+
+/**
+ * The =openpam_get_option function returns the value of the specified
+ * option in the context of the currently executing service module, or
+ * =NULL if the option is not set or no module is currently executing.
+ */
diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h
index 5988628..6978f54 100644
--- a/contrib/openpam/lib/openpam_impl.h
+++ b/contrib/openpam/lib/openpam_impl.h
@@ -68,8 +68,6 @@ struct pam_chain {
pam_chain_t *next;
};
-#define PAM_NUM_ITEMS 10
-
typedef struct pam_data pam_data_t;
struct pam_data {
char *name;
@@ -103,4 +101,8 @@ int openpam_add_module(pam_handle_t *, int, int,
const char *, int, const char **);
void openpam_clear_chains(pam_handle_t *);
+#ifdef OPENPAM_STATIC_MODULES
+pam_module_t *openpam_static(const char *);
+#endif
+
#endif
diff --git a/contrib/openpam/lib/openpam_load.c b/contrib/openpam/lib/openpam_load.c
index 1a345ec..057e38f 100644
--- a/contrib/openpam/lib/openpam_load.c
+++ b/contrib/openpam/lib/openpam_load.c
@@ -42,10 +42,6 @@
#include "openpam_impl.h"
-#ifdef OPENPAM_STATIC_MODULES
-SET_DECLARE(_openpam_modules, pam_module_t);
-#endif
-
const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES] = {
"pam_sm_authenticate",
"pam_sm_setcred",
@@ -92,14 +88,7 @@ openpam_load_module(const char *path)
#ifdef OPENPAM_STATIC_MODULES
/* look for a static module */
if (module == NULL && strchr(path, '/') == NULL) {
- pam_module_t **modp;
-
- SET_FOREACH(modp, _openpam_modules) {
- if (strcmp((*modp)->path, path) == 0) {
- module = *modp;
- break;
- }
- }
+ module = openpam_static(path);
openpam_log(PAM_LOG_DEBUG, "%s static %s",
(module == NULL) ? "no" : "using", path);
}
@@ -225,3 +214,7 @@ openpam_clear_chains(pam_handle_t *pamh)
for (i = 0; i < PAM_NUM_CHAINS; ++i)
openpam_destroy_chain(pamh->chains[i]);
}
+
+/*
+ * NOPARSE
+ */
diff --git a/contrib/openpam/lib/openpam_log.c b/contrib/openpam/lib/openpam_log.c
index b15c6e3..493ea33 100644
--- a/contrib/openpam/lib/openpam_log.c
+++ b/contrib/openpam/lib/openpam_log.c
@@ -47,6 +47,8 @@
#if defined(openpam_log)
/*
+ * OpenPAM extension
+ *
* Log a message through syslog(3)
*/
@@ -121,3 +123,7 @@ openpam_log(int level, const char *fmt, ...)
}
#endif
+
+/*
+ * NOLIST
+ */
diff --git a/contrib/openpam/lib/openpam_set_option.c b/contrib/openpam/lib/openpam_set_option.c
new file mode 100644
index 0000000..4e2033b
--- /dev/null
+++ b/contrib/openpam/lib/openpam_set_option.c
@@ -0,0 +1,104 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Sets the value of a module option
+ */
+
+int
+openpam_set_option(pam_handle_t *pamh,
+ const char *option,
+ const char *value)
+{
+ pam_chain_t *cur;
+ char *opt, **optv;
+ size_t len;
+ int i;
+
+ if (pamh == NULL || pamh->current == NULL || option == NULL)
+ return (PAM_SYSTEM_ERR);
+ cur = pamh->current;
+ for (len = 0; option[len] != '\0'; ++len)
+ if (option[len] == '=')
+ break;
+ for (i = 0; i < cur->optc; ++i) {
+ if (strncmp(cur->optv[i], option, len) == 0 &&
+ (cur->optv[i][len] == '\0' || cur->optv[i][len] == '='))
+ break;
+ }
+ if ((opt = malloc(len + strlen(value) + 2)) == NULL)
+ return (PAM_BUF_ERR);
+ sprintf(opt, "%.*s=%s", (int)len, option, value);
+ if (i == cur->optc) {
+ optv = realloc(cur->optv, sizeof(char *) * (cur->optc + 2));
+ if (optv == NULL) {
+ free(opt);
+ return (PAM_BUF_ERR);
+ }
+ optv[i] = opt;
+ optv[i + 1] = NULL;
+ cur->optv = optv;
+ ++cur->optc;
+ }
+ return (PAM_SUCCESS);
+}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ */
+
+/**
+ * The =openpam_set_option function sets the specified option in the
+ * context of the currently executing service module.
+ */
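Review bot: When the option is already present (`i < cur->optc`), the freshly built `opt` is never stored: the `if (i == cur->optc)` block is skipped and the function returns `PAM_SUCCESS`, so the old value stays in effect and the allocation leaks. A module that believes it has changed an authentication-relevant option would keep running with the previous setting. An `else` branch that replaces the slot is needed, e.g. `else { free(cur->optv[i]); cur->optv[i] = opt; }`, assuming the existing `optv` entries are heap-allocated, which this hunk does not show. `value` also reaches `strlen()` unchecked although `pamh` and `option` are validated; add `value == NULL` to the first guard or define what a NULL value means.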
diff --git a/contrib/openpam/lib/openpam_static.c b/contrib/openpam/lib/openpam_static.c
new file mode 100644
index 0000000..907de2f
--- /dev/null
+++ b/contrib/openpam/lib/openpam_static.c
@@ -0,0 +1,69 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+#ifdef OPENPAM_STATIC_MODULES
+
+SET_DECLARE(_openpam_static_modules, pam_module_t);
+
+/*
+ * OpenPAM internal
+ *
+ * Locate a statically linked module
+ */
+
+pam_module_t *
+openpam_static(const char *path)
+{
+ pam_module_t **module;
+
+ SET_FOREACH(module, _openpam_static_modules) {
+ if (strcmp((*module)->path, path) == 0)
+ return (*module);
+ }
+ return (NULL);
+}
+
+#endif
+
+/*
+ * NOPARSE
+ */
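Review bot: The linker set is renamed in this move: the loop removed from openpam_load.c iterated `_openpam_modules`, while `openpam_static()` iterates `_openpam_static_modules`. Whatever registers static modules into the set is not part of this view (the diffstat is limited to contrib/openpam/lib), so confirm it uses the new name; with a mismatch the lookup would presumably find nothing and every static module would be reported as "no static". A short comment above `SET_DECLARE` naming where the set is populated would make that coupling visible. `openpam_static()` also passes `path` straight to `strcmp()`; the one caller shown checks it with `strchr()` first, but a `path == NULL` guard or a comment stating the precondition would be cheap.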
diff --git a/contrib/openpam/lib/openpam_ttyconv.c b/contrib/openpam/lib/openpam_ttyconv.c
index ac7eecd..261c2d2 100644
--- a/contrib/openpam/lib/openpam_ttyconv.c
+++ b/contrib/openpam/lib/openpam_ttyconv.c
@@ -37,16 +37,98 @@
#include <sys/types.h>
#include <ctype.h>
+#include <setjmp.h>
+#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
+#include <unistd.h>
#include <security/pam_appl.h>
#include <security/openpam.h>
+int openpam_ttyconv_timeout = 0;
+static jmp_buf jmpenv;
+static int timed_out;
+
+static void
+timeout(int sig)
+{
+ timed_out = 1;
+ longjmp(jmpenv, sig);
+}
+
+static char *
+prompt(const char *msg)
+{
+ char buf[PAM_MAX_RESP_SIZE];
+ struct sigaction action, saved_action;
+ sigset_t saved_sigset, sigset;
+ unsigned int saved_alarm;
+ size_t len;
+
+ sigemptyset(&sigset);
+ sigaddset(&sigset, SIGINT);
+ sigaddset(&sigset, SIGTSTP);
+ sigprocmask(SIG_SETMASK, &sigset, &saved_sigset);
+ action.sa_handler = &timeout;
+ action.sa_flags = 0;
+ sigemptyset(&action.sa_mask);
+ sigaction(SIGALRM, &action, &saved_action);
+ fputs(msg, stderr);
+ buf[0] = '\0';
+ timed_out = 0;
+ saved_alarm = alarm(openpam_ttyconv_timeout);
+ if (setjmp(jmpenv) == 0)
+ fgets(buf, sizeof buf, stdin);
+ else
+ fputs(" timeout!\n", stderr);
+ alarm(0);
+ sigaction(SIGALRM, &saved_action, NULL);
+ sigprocmask(SIG_SETMASK, &saved_sigset, NULL);
+ alarm(saved_alarm);
+ if (timed_out || ferror(stdin))
+ return (NULL);
+ /* trim trailing whitespace */
+ for (len = strlen(buf); len > 0; --len)
+ if (!isspace(buf[len - 1]))
+ break;
+ buf[len] = '\0';
+ return (strdup(buf));
+}
+
+static char *
+prompt_echo_off(const char *msg)
+{
+ struct termios tattr;
+ tcflag_t lflag;
+ char *ret;
+ int fd;
+
+ fd = fileno(stdin);
+ if (tcgetattr(fd, &tattr) != 0) {
+ openpam_log(PAM_LOG_ERROR, "tcgetattr(): %m");
+ return (NULL);
+ }
+ lflag = tattr.c_lflag;
+ tattr.c_lflag &= ~ECHO;
+ if (tcsetattr(fd, TCSAFLUSH, &tattr) != 0) {
+ openpam_log(PAM_LOG_ERROR, "tcsetattr(): %m");
+ return (NULL);
+ }
+ ret = prompt(msg);
+ tattr.c_lflag = lflag;
+ (void)tcsetattr(fd, TCSANOW, &tattr);
+ if (ret != NULL)
+ fputs("\n", stdout);
+ return (ret);
+}
+
/*
- * Simple tty-based conversation function.
+ * OpenPAM extension
+ *
+ * Simple tty-based conversation function
*/
int
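Review bot: `prompt()` returns with the typed response still in the stack buffer `buf`, and on the `prompt_echo_off()` path that response is the password. Scrub it on both exits with a clear the compiler cannot elide, e.g. `ret = strdup(buf); explicit_bzero(buf, sizeof buf); return (ret);`, or the platform's equivalent, and likewise before the `return (NULL)` taken on timeout or read error. `timed_out` is written in the SIGALRM handler and read after `longjmp`, so it should be `static volatile sig_atomic_t timed_out;`, and `sigsetjmp`/`siglongjmp` would make restoring the signal mask after the jump explicit rather than platform-dependent. `isspace(buf[len - 1])` should be `isspace((unsigned char)buf[len - 1])`, since a negative `char` is undefined behaviour for the ctype functions.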
@@ -55,60 +137,26 @@ openpam_ttyconv(int n,
struct pam_response **resp,
void *data)
{
- char buf[PAM_MAX_RESP_SIZE];
- struct termios tattr;
- tcflag_t lflag;
- int fd, err, i;
- size_t len;
+ int i;
data = data;
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
if ((*resp = calloc(n, sizeof **resp)) == NULL)
return (PAM_BUF_ERR);
- fd = fileno(stdin);
for (i = 0; i < n; ++i) {
resp[i]->resp_retcode = 0;
resp[i]->resp = NULL;
switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
- case PAM_PROMPT_ECHO_ON:
- if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
- if (tcgetattr(fd, &tattr) != 0) {
- openpam_log(PAM_LOG_ERROR,
- "tcgetattr(): %m");
- err = PAM_CONV_ERR;
- goto fail;
- }
- lflag = tattr.c_lflag;
- tattr.c_lflag &= ~ECHO;
- if (tcsetattr(fd, TCSAFLUSH, &tattr) != 0) {
- openpam_log(PAM_LOG_ERROR,
- "tcsetattr(): %m");
- err = PAM_CONV_ERR;
- goto fail;
- }
- }
- fputs(msg[i]->msg, stderr);
- buf[0] = '\0';
- fgets(buf, sizeof buf, stdin);
- if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
- tattr.c_lflag = lflag;
- (void)tcsetattr(fd, TCSANOW, &tattr);
- fputs("\n", stderr);
- }
- if (ferror(stdin)) {
- err = PAM_CONV_ERR;
+ resp[i]->resp = prompt_echo_off(msg[i]->msg);
+ if (resp[i]->resp == NULL)
goto fail;
- }
- for (len = strlen(buf); len > 0; --len)
- if (!isspace(buf[len - 1]))
- break;
- buf[len] = '\0';
- if ((resp[i]->resp = strdup(buf)) == NULL) {
- err = PAM_BUF_ERR;
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ resp[i]->resp = prompt(msg[i]->msg);
+ if (resp[i]->resp == NULL)
goto fail;
- }
break;
case PAM_ERROR_MSG:
fputs(msg[i]->msg, stderr);
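Review bot: The new assignments `resp[i]->resp = prompt_echo_off(msg[i]->msg);` and `resp[i]->resp = prompt(msg[i]->msg);` index the caller's `struct pam_response **` instead of the array that `calloc` just stored in `*resp`, so for `i >= 1` they dereference whatever lies beyond the caller's pointer. The element should be addressed as `(*resp)[i].resp`, and the `resp_retcode`/`resp` initialisers in the context lines above have the same problem. The fail path in the last hunk of this file has the same shape: `free(resp[--i]);` followed by `free(*resp);` would free `*resp` twice when `i == 1`, and `free((*resp)[--i].resp);` looks like what is meant; its loop header is outside that hunk, so confirm. The function's signature and tail lie outside this hunk.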
@@ -117,7 +165,6 @@ openpam_ttyconv(int n,
fputs(msg[i]->msg, stdout);
break;
default:
- err = PAM_BUF_ERR;
goto fail;
}
}
@@ -127,5 +174,15 @@ openpam_ttyconv(int n,
free(resp[--i]);
free(*resp);
*resp = NULL;
- return (err);
+ return (PAM_CONV_ERR);
}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ */
diff --git a/contrib/openpam/lib/pam_acct_mgmt.c b/contrib/openpam/lib/pam_acct_mgmt.c
index d88a24e..3187e8d 100644
--- a/contrib/openpam/lib/pam_acct_mgmt.c
+++ b/contrib/openpam/lib/pam_acct_mgmt.c
@@ -54,3 +54,11 @@ pam_acct_mgmt(pam_handle_t *pamh,
return (openpam_dispatch(pamh, PAM_SM_ACCT_MGMT, flags));
}
+
+/*
+ * Error codes:
+ *
+ * =openpam_dispatch
+ * =pam_sm_acct_mgmt
+ * !PAM_IGNORE
+ */
diff --git a/contrib/openpam/lib/pam_authenticate.c b/contrib/openpam/lib/pam_authenticate.c
index d98d1df..3524f4e 100644
--- a/contrib/openpam/lib/pam_authenticate.c
+++ b/contrib/openpam/lib/pam_authenticate.c
@@ -54,3 +54,11 @@ pam_authenticate(pam_handle_t *pamh,
return (openpam_dispatch(pamh, PAM_SM_AUTHENTICATE, flags));
}
+
+/*
+ * Error codes:
+ *
+ * =openpam_dispatch
+ * =pam_sm_authenticate
+ * !PAM_IGNORE
+ */
diff --git a/contrib/openpam/lib/pam_authenticate_secondary.c b/contrib/openpam/lib/pam_authenticate_secondary.c
index 37a57fe..e1380d2 100644
--- a/contrib/openpam/lib/pam_authenticate_secondary.c
+++ b/contrib/openpam/lib/pam_authenticate_secondary.c
@@ -36,6 +36,13 @@
#include <security/pam_appl.h>
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 36
+ *
+ * Perform authentication to a secondary domain within the PAM framework
+ */
+
int
pam_authenticate_secondary(pam_handle_t *pamh,
char *target_username,
@@ -48,3 +55,7 @@ pam_authenticate_secondary(pam_handle_t *pamh,
return (PAM_SYSTEM_ERR);
}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_chauthtok.c b/contrib/openpam/lib/pam_chauthtok.c
index c35ed49..3248feb 100644
--- a/contrib/openpam/lib/pam_chauthtok.c
+++ b/contrib/openpam/lib/pam_chauthtok.c
@@ -54,3 +54,11 @@ pam_chauthtok(pam_handle_t *pamh,
return (openpam_dispatch(pamh, PAM_SM_CHAUTHTOK, flags));
}
+
+/*
+ * Error codes:
+ *
+ * =openpam_dispatch
+ * =pam_sm_chauthtok
+ * !PAM_IGNORE
+ */
diff --git a/contrib/openpam/lib/pam_close_session.c b/contrib/openpam/lib/pam_close_session.c
index 9b2a1ae..5d292f2 100644
--- a/contrib/openpam/lib/pam_close_session.c
+++ b/contrib/openpam/lib/pam_close_session.c
@@ -54,3 +54,11 @@ pam_close_session(pam_handle_t *pamh,
return (openpam_dispatch(pamh, PAM_SM_CLOSE_SESSION, flags));
}
+
+/*
+ * Error codes:
+ *
+ * =openpam_dispatch
+ * =pam_sm_close_session
+ * !PAM_IGNORE
+ */
diff --git a/contrib/openpam/lib/pam_end.c b/contrib/openpam/lib/pam_end.c
index 0fbfdf8..b7c170f 100644
--- a/contrib/openpam/lib/pam_end.c
+++ b/contrib/openpam/lib/pam_end.c
@@ -82,3 +82,17 @@ pam_end(pam_handle_t *pamh,
return (PAM_SUCCESS);
}
+
+/*
+ * Error codes:
+ *
+ * PAM_SYSTEM_ERR
+ */
+
+/**
+ * The =pam_end function terminates a PAM transaction and destroys the
+ * corresponding PAM context, releasing all resources allocated to it.
+ *
+ * The =status argument should be set to the error code returned by the
+ * last API call before the call to =pam_end.
+ */
diff --git a/contrib/openpam/lib/pam_error.c b/contrib/openpam/lib/pam_error.c
index aded8f1..cbee427 100644
--- a/contrib/openpam/lib/pam_error.c
+++ b/contrib/openpam/lib/pam_error.c
@@ -62,3 +62,21 @@ pam_error(pam_handle_t *pamh,
free(rsp); /* ignore response */
return (r);
}
+
+/*
+ * Error codes:
+ *
+ * !PAM_SYMBOL_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ */
+
+/**
+ * The =pam_info function displays an error message through the
+ * intermediary of the given PAM context's conversation function.
+ *
+ * >pam_info
+ * >pam_prompt
+ * >pam_verror
+ */
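Review bot: The new doc comment in pam_error.c names the wrong function: it opens with `The =pam_info function displays an error message`, which looks copied from the pam_info.c block added in the same commit. It should read `The =pam_error function displays an error message through the intermediary of the given PAM context's conversation function.` These `/** */` blocks appear to feed generated documentation (the `=name` and `>name` markup), so the slip would presumably carry over into the manual page.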
diff --git a/contrib/openpam/lib/pam_get_authtok.c b/contrib/openpam/lib/pam_get_authtok.c
index 9776fff..c2a933f 100644
--- a/contrib/openpam/lib/pam_get_authtok.c
+++ b/contrib/openpam/lib/pam_get_authtok.c
@@ -53,23 +53,37 @@ pam_get_authtok(pam_handle_t *pamh,
const char *prompt)
{
char *p, *resp;
- int r;
+ int r, style;
if (pamh == NULL || authtok == NULL)
return (PAM_SYSTEM_ERR);
- r = pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
- if (r == PAM_SUCCESS && *authtok != NULL)
- return (PAM_SUCCESS);
- if (prompt == NULL) {
- if (pam_get_item(pamh, PAM_AUTHTOK_PROMPT,
- (const void **)&p) != PAM_SUCCESS || p == NULL)
- prompt = "Password:";
+ if (openpam_get_option(pamh, "try_first_pass") ||
+ openpam_get_option(pamh, "use_first_pass")) {
+ r = pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
+ if (r == PAM_SUCCESS && *authtok != NULL)
+ return (PAM_SUCCESS);
+ else if (openpam_get_option(pamh, "use_first_pass"))
+ return (r == PAM_SUCCESS ? PAM_AUTH_ERR : r);
}
- r = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp,
- "%s", prompt ? prompt : p);
+ if (pam_get_item(pamh, PAM_AUTHTOK_PROMPT,
+ (const void **)&p) != PAM_SUCCESS || p == NULL)
+ if (prompt == NULL)
+ prompt = "Password:";
+ style = openpam_get_option(pamh, "echo_pass") ?
+ PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
+ r = pam_prompt(pamh, style, &resp, "%s", p ? p : prompt);
if (r != PAM_SUCCESS)
return (r);
*authtok = resp;
return (pam_set_item(pamh, PAM_AUTHTOK, *authtok));
}
+
+/*
+ * Error codes:
+ *
+ * =pam_get_item
+ * =pam_prompt
+ * =pam_set_item
+ * !PAM_SYMBOL_ERR
+ */
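Review bot: `p` is read in `p ? p : prompt` even when the `pam_get_item(pamh, PAM_AUTHTOK_PROMPT, ...)` call did not return `PAM_SUCCESS`, and it is declared without an initialiser, so on that path its value is indeterminate unless `pam_get_item` always stores through `item`; the `default:` branch shown in pam_get_item.c returns without doing so. Declaring `char *p = NULL, *resp;` makes the fallback to `prompt` well-defined. The nested unbraced `if (...) if (prompt == NULL)` would read more safely with braces. The `echo_pass` branch deserves a comment such as `/* echo_pass shows the token on the terminal; off unless the module option is set */`, since it turns a hidden prompt into a visible one. The function's signature starts before this hunk.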
diff --git a/contrib/openpam/lib/pam_get_data.c b/contrib/openpam/lib/pam_get_data.c
index f258de8..b1f8ab3 100644
--- a/contrib/openpam/lib/pam_get_data.c
+++ b/contrib/openpam/lib/pam_get_data.c
@@ -65,3 +65,21 @@ pam_get_data(pam_handle_t *pamh,
return (PAM_NO_MODULE_DATA);
}
+
+/*
+ * Error codes:
+ *
+ * PAM_SYSTEM_ERR
+ * PAM_NO_MODULE_DATA
+ */
+
+/**
+ * The =pam_get_data function looks up the opaque object associated with
+ * the string specified by the =module_data_name argument, in the PAM
+ * context specified by the =pamh argument.
+ * A pointer to the object is stored in the location pointed to by the
+ * =data argument.
+ *
+ * This function and its counterpart =pam_set_data are useful for managing
+ * data that are meaningful only to a particular service module.
+ */
diff --git a/contrib/openpam/lib/pam_get_item.c b/contrib/openpam/lib/pam_get_item.c
index 7369c48..5767652 100644
--- a/contrib/openpam/lib/pam_get_item.c
+++ b/contrib/openpam/lib/pam_get_item.c
@@ -69,6 +69,51 @@ pam_get_item(pam_handle_t *pamh,
*item = pamh->item[item_type];
return (PAM_SUCCESS);
default:
- return (PAM_SYSTEM_ERR);
+ return (PAM_SYMBOL_ERR);
}
}
+
+/*
+ * Error codes:
+ *
+ * PAM_SYMBOL_ERR
+ * PAM_SYSTEM_ERR
+ */
+
+/**
+ * The =pam_get_item function stores a pointer to the item specified by
+ * the =item_type argument in the location specified by the =item
+ * argument.
+ * The item is retrieved from the PAM context specified by the =pamh
+ * argument.
+ * The following item types are recognized:
+ *
+ * =PAM_SERVICE:
+ * The name of the requesting service.
+ * =PAM_USER:
+ * The name of the user the application is trying to
+ * authenticate.
+ * =PAM_TTY:
+ * The name of the current terminal.
+ * =PAM_RHOST:
+ * The name of the applicant's host.
+ * =PAM_CONV:
+ * A =struct pam_conv describing the current conversation
+ * function.
+ * =PAM_AUTHTOK:
+ * The current authentication token.
+ * =PAM_OLDAUTHTOK:
+ * The expired authentication token.
+ * =PAM_RUSER:
+ * The name of the applicant.
+ * =PAM_USER_PROMPT:
+ * The prompt to use when asking the applicant for a user
+ * name to authenticate as.
+ * =PAM_AUTHTOK_PROMPT:
+ * The prompt to use when asking the applicant for an
+ * authentication token.
+ *
+ * See =pam_start for a description of =struct pam_conv.
+ *
+ * >pam_set_item
+ */
diff --git a/contrib/openpam/lib/pam_get_mapped_authtok.c b/contrib/openpam/lib/pam_get_mapped_authtok.c
index 0050c0e..5d6b0b0 100644
--- a/contrib/openpam/lib/pam_get_mapped_authtok.c
+++ b/contrib/openpam/lib/pam_get_mapped_authtok.c
@@ -36,6 +36,13 @@
#include <security/pam_appl.h>
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 48
+ *
+ * Get mapped password for the user
+ */
+
int
pam_get_mapped_authtok(pam_handle_t *pamh,
const char *target_module_username,
@@ -47,3 +54,7 @@ pam_get_mapped_authtok(pam_handle_t *pamh,
return (PAM_SYSTEM_ERR);
}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_get_mapped_username.c b/contrib/openpam/lib/pam_get_mapped_username.c
index faa78bb..038193f 100644
--- a/contrib/openpam/lib/pam_get_mapped_username.c
+++ b/contrib/openpam/lib/pam_get_mapped_username.c
@@ -36,6 +36,13 @@
#include <security/pam_appl.h>
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 50
+ *
+ * Get valid matched identity in new domain
+ */
+
int
pam_get_mapped_username(pam_handle_t *pamh,
const char *src_username,
@@ -48,3 +55,7 @@ pam_get_mapped_username(pam_handle_t *pamh,
return (PAM_SYSTEM_ERR);
}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_get_user.c b/contrib/openpam/lib/pam_get_user.c
index 17572c4..e8fe0bc 100644
--- a/contrib/openpam/lib/pam_get_user.c
+++ b/contrib/openpam/lib/pam_get_user.c
@@ -74,3 +74,12 @@ pam_get_user(pam_handle_t *pamh,
*user = resp;
return (pam_set_item(pamh, PAM_USER, *user));
}
+
+/*
+ * Error codes:
+ *
+ * =pam_get_item
+ * =pam_prompt
+ * =pam_set_item
+ * !PAM_SYMBOL_ERR
+ */
diff --git a/contrib/openpam/lib/pam_getenv.c b/contrib/openpam/lib/pam_getenv.c
index d6bf219..05deb541 100644
--- a/contrib/openpam/lib/pam_getenv.c
+++ b/contrib/openpam/lib/pam_getenv.c
@@ -65,3 +65,13 @@ pam_getenv(pam_handle_t *pamh,
return (NULL);
return (strdup(pamh->env[i]));
}
+
+/**
+ * The =pam_getenv function returns the value of an environment variable.
+ * Its semantics are similar to those of =getenv, but it accesses the PAM
+ * context's environment list instead of the application's.
+ *
+ * >pam_getenvlist
+ * >pam_putenv
+ * >pam_setenv
+ */
diff --git a/contrib/openpam/lib/pam_getenvlist.c b/contrib/openpam/lib/pam_getenvlist.c
index 4409a89..fd21faa 100644
--- a/contrib/openpam/lib/pam_getenvlist.c
+++ b/contrib/openpam/lib/pam_getenvlist.c
@@ -40,6 +40,7 @@
#include <security/pam_appl.h>
#include "openpam_impl.h"
+
/*
* XSSO 4.2.1
* XSSO 6 page 45
@@ -56,15 +57,48 @@ pam_getenvlist(pam_handle_t *pamh)
if (pamh == NULL)
return (NULL);
- if ((envlist = malloc(sizeof(char *) * (pamh->env_count + 1))) == NULL)
+ envlist = malloc(sizeof(char *) * (pamh->env_count + 1));
+ if (envlist == NULL) {
+ openpam_log(PAM_LOG_ERROR, "%s",
+ pam_strerror(pamh, PAM_BUF_ERR));
return (NULL);
+ }
for (i = 0; i < pamh->env_count; ++i) {
if ((envlist[i] = strdup(pamh->env[i])) == NULL) {
while (i)
free(envlist[--i]);
free(envlist);
+ openpam_log(PAM_LOG_ERROR, "%s",
+ pam_strerror(pamh, PAM_BUF_ERR));
return (NULL);
}
}
+ envlist[i] = NULL;
+ openpam_log(PAM_LOG_DEBUG, "returning %d variables\n", pamh->env_count);
return (envlist);
}
+
+/**
+ * The =pam_getenvlist function returns a copy of the given PAM context's
+ * environment list as a pointer to an array of strings.
+ * The last element in the array is =NULL.
+ * The pointer is suitable for assignment to {Va environ}.
+ *
+ * The array and the strings it lists are allocated using =malloc, and
+ * should be released using =free after use:
+ *
+ * char **envlist, **env;
+ *
+ * envlist = environ;
+ * environ = pam_getenvlist(pamh);
+ * \/\* do something nifty \*\/
+ * for (env = environ; *env != NULL; env++)
+ * free(*env);
+ * free(environ);
+ * environ = envlist;
+ *
+ * >environ 7
+ * >pam_getenv
+ * >pam_putenv
+ * >pam_setenv
+ */
diff --git a/contrib/openpam/lib/pam_info.c b/contrib/openpam/lib/pam_info.c
index ce1d2b8..8752391 100644
--- a/contrib/openpam/lib/pam_info.c
+++ b/contrib/openpam/lib/pam_info.c
@@ -62,3 +62,21 @@ pam_info(pam_handle_t *pamh,
free(rsp); /* ignore response */
return (r);
}
+
+/*
+ * Error codes:
+ *
+ * !PAM_SYMBOL_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ */
+
+/**
+ * The =pam_info function displays an informational message through the
+ * intermediary of the given PAM context's conversation function.
+ *
+ * >pam_error
+ * >pam_prompt
+ * >pam_vinfo
+ */
diff --git a/contrib/openpam/lib/pam_open_session.c b/contrib/openpam/lib/pam_open_session.c
index dcbf2b8..0f8f981 100644
--- a/contrib/openpam/lib/pam_open_session.c
+++ b/contrib/openpam/lib/pam_open_session.c
@@ -54,3 +54,11 @@ pam_open_session(pam_handle_t *pamh,
return (openpam_dispatch(pamh, PAM_SM_OPEN_SESSION, flags));
}
+
+/*
+ * Error codes:
+ *
+ * =openpam_dispatch
+ * =pam_sm_open_session
+ * !PAM_IGNORE
+ */
diff --git a/contrib/openpam/lib/pam_prompt.c b/contrib/openpam/lib/pam_prompt.c
index afc4169..5dbde6c 100644
--- a/contrib/openpam/lib/pam_prompt.c
+++ b/contrib/openpam/lib/pam_prompt.c
@@ -60,3 +60,28 @@ pam_prompt(pam_handle_t *pamh,
va_end(ap);
return (r);
}
+
+/*
+ * Error codes:
+ *
+ * !PAM_SYMBOL_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ */
+
+/**
+ * The =pam_prompt function constructs a message from the specified format
+ * string and arguments and passes it to the given PAM context's
+ * conversation function.
+ *
+ * A pointer to the response, or =NULL if the conversation function did
+ * not return one, is stored in the location pointed to by the =resp
+ * argument.
+ *
+ * See =pam_vprompt for further details.
+ *
+ * >pam_error
+ * >pam_info
+ * >pam_vprompt
+ */
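Review bot: The added description of pam_prompt says a pointer to the response is stored through `resp`, but not who owns that buffer afterwards. The pam_info wrapper in this same commit calls `free(rsp)` on its response, which suggests responses are heap-allocated and left to the caller; confirm against pam_vprompt. If so, I would add a sentence such as `The caller is responsible for releasing the response with =free; a response that holds an authentication token should be overwritten before it is released.` pam_prompt's body starts outside the hunk.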
diff --git a/contrib/openpam/lib/pam_putenv.c b/contrib/openpam/lib/pam_putenv.c
index c8701f3..e1b497e 100644
--- a/contrib/openpam/lib/pam_putenv.c
+++ b/contrib/openpam/lib/pam_putenv.c
@@ -86,3 +86,20 @@ pam_putenv(pam_handle_t *pamh,
++pamh->env_count;
return (PAM_SUCCESS);
}
+
+/*
+ * Error codes:
+ *
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ */
+
+/**
+ * The =pam_putenv function sets a environment variable.
+ * Its semantics are similar to those of =putenv, but it modifies the PAM
+ * context's environment list instead of the application's.
+ *
+ * >pam_getenv
+ * >pam_getenvlist
+ * >pam_setenv
+ */
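Review bot: Typo in the added description: `sets a environment variable` should read `sets an environment variable`. The pam_setenv.c hunk later in this commit repeats the same wording. The `=name` / `>name` markup suggests these comments feed generated manual pages, so the typo would presumably carry over to them.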
diff --git a/contrib/openpam/lib/pam_set_data.c b/contrib/openpam/lib/pam_set_data.c
index 59d5751..e04de73 100644
--- a/contrib/openpam/lib/pam_set_data.c
+++ b/contrib/openpam/lib/pam_set_data.c
@@ -81,3 +81,22 @@ pam_set_data(pam_handle_t *pamh,
pamh->module_data = data;
return (PAM_SUCCESS);
}
+
+/*
+ * Error codes:
+ *
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ */
+
+/**
+ * The =pam_set_data function associates a pointer to an opaque object
+ * with an arbitrary string specified by the =module_data_name argument,
+ * in the PAM context specified by the =pamh argument.
+ *
+ * If not =NULL, the =cleanup argument should point to a function
+ * responsible for releasing the resources associated with the object.
+ *
+ * This function and its counterpart =pam_get_data are useful for managing
+ * data that are meaningful only to a particular service module.
+ */
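Review bot: The added description names the `cleanup` argument but does not say when that function is invoked, or what happens to an object already stored under the same `module_data_name`. Modules often keep credentials or session state behind this pointer, so the author needs to know whether the old object is released on replacement and at the end of the PAM context. The function body is outside the hunk, so the wording has to be checked against it. A sentence along the lines of `The cleanup function is called when the data is replaced and when the PAM context is destroyed` would close the gap, if that is what the code does.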
diff --git a/contrib/openpam/lib/pam_set_item.c b/contrib/openpam/lib/pam_set_item.c
index 5405a4e..038971d 100644
--- a/contrib/openpam/lib/pam_set_item.c
+++ b/contrib/openpam/lib/pam_set_item.c
@@ -88,7 +88,7 @@ pam_set_item(pam_handle_t *pamh,
}
break;
default:
- return (PAM_SYSTEM_ERR);
+ return (PAM_SYMBOL_ERR);
}
if (*slot != NULL) {
memset(*slot, 0xd0, size);
@@ -97,3 +97,18 @@ pam_set_item(pam_handle_t *pamh,
*slot = tmp;
return (PAM_SUCCESS);
}
+
+/*
+ * Error codes:
+ *
+ * PAM_SYMBOL_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ */
+
+/**
+ * The =pam_set_item function sets the item specified by the =item_type
+ * argument to a copy of the object pointed to by the =item argument.
+ * The item is stored in the PAM context specified by the =pamh argument.
+ * See =pam_get_item for a list of recognized item types.
+ */
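Review bot: The added description of pam_set_item omits what happens to the item's previous value. The context lines of the preceding hunk show the old object being overwritten with `memset(*slot, 0xd0, size)` before `*slot = tmp`, so a pointer a caller obtained earlier for that item is presumably invalid after this call (the lines between the two hunks are not shown). I would add `Any previously stored value is overwritten and released; pointers to it obtained earlier must not be used afterwards.` Separately, a plain memset just ahead of a release is a store the compiler may drop, which matters when the item is PAM_AUTHTOK. That line is unchanged by this commit but worth a follow-up.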
diff --git a/contrib/openpam/lib/pam_set_mapped_authtok.c b/contrib/openpam/lib/pam_set_mapped_authtok.c
index ad066df..36383e6 100644
--- a/contrib/openpam/lib/pam_set_mapped_authtok.c
+++ b/contrib/openpam/lib/pam_set_mapped_authtok.c
@@ -36,6 +36,13 @@
#include <security/pam_appl.h>
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 62
+ *
+ * Store the password for the username supplied
+ */
+
int
pam_set_mapped_authtok(pam_handle_t *pamh,
const char *target_module_username,
@@ -47,3 +54,7 @@ pam_set_mapped_authtok(pam_handle_t *pamh,
return (PAM_SYSTEM_ERR);
}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_set_mapped_username.c b/contrib/openpam/lib/pam_set_mapped_username.c
index fc12989..6ca011f 100644
--- a/contrib/openpam/lib/pam_set_mapped_username.c
+++ b/contrib/openpam/lib/pam_set_mapped_username.c
@@ -36,6 +36,13 @@
#include <security/pam_appl.h>
+/*
+ * XSSO 4.2.1
+ * XSSO 6 page 64
+ *
+ * Set a username
+ */
+
int
pam_set_mapped_username(pam_handle_t *pamh,
char *src_username,
@@ -48,3 +55,7 @@ pam_set_mapped_username(pam_handle_t *pamh,
return (PAM_SYSTEM_ERR);
}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_setcred.c b/contrib/openpam/lib/pam_setcred.c
index 0ea10ff..1a78498 100644
--- a/contrib/openpam/lib/pam_setcred.c
+++ b/contrib/openpam/lib/pam_setcred.c
@@ -54,3 +54,25 @@ pam_setcred(pam_handle_t *pamh,
return (openpam_dispatch(pamh, PAM_SM_SETCRED, flags));
}
+
+/*
+ * Error codes:
+ *
+ * =openpam_dispatch
+ * =pam_sm_setcred
+ * !PAM_IGNORE
+ */
+
+/**
+ * The =pam_setcred function manages the application's credentials.
+ * The operation to perform is specified by the =flags argument:
+ *
+ * PAM_ESTABLISH_CRED:
+ * Establish the credentials of the target user.
+ * PAM_DELETE_CRED:
+ * Revoke all established credentials.
+ * PAM_REINITIALISE_CRED:
+ * Fully reinitialise credentials.
+ * PAM_REFRESH_CRED:
+ * Refresh credentials.
+ */
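Review bot: The flag list spells the third value `PAM_REINITIALISE_CRED`, while the constant in the PAM headers is, as far as I know, `PAM_REINITIALIZE_CRED`. The header is not part of this view, so confirm. If the header uses the Z spelling, the generated documentation would name a symbol that does not exist. Change the label to `PAM_REINITIALIZE_CRED:` and leave the prose ("Fully reinitialise credentials") as it is.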
diff --git a/contrib/openpam/lib/pam_setenv.c b/contrib/openpam/lib/pam_setenv.c
index 6165b7c..155835e 100644
--- a/contrib/openpam/lib/pam_setenv.c
+++ b/contrib/openpam/lib/pam_setenv.c
@@ -77,3 +77,21 @@ pam_setenv(pam_handle_t *pamh,
free(env);
return (r);
}
+
+/*
+ * Error codes:
+ *
+ * =pam_putenv
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ */
+
+/**
+ * The =pam_setenv function sets a environment variable.
+ * Its semantics are similar to those of =setenv, but it modifies the PAM
+ * context's environment list instead of the application's.
+ *
+ * >pam_getenv
+ * >pam_getenvlist
+ * >pam_putenv
+ */
diff --git a/contrib/openpam/lib/pam_sm_acct_mgmt.c b/contrib/openpam/lib/pam_sm_acct_mgmt.c
new file mode 100644
index 0000000..692d52e
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_acct_mgmt.c
@@ -0,0 +1,81 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 66
+ *
+ * Service module implementation for pam_acct_mgmt
+ */
+
+int
+pam_sm_acct_mgmt(pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SERVICE_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ * PAM_PERM_DENIED
+ * PAM_IGNORE
+ * PAM_ABORT
+ *
+ * PAM_USER_UNKNOWN
+ * PAM_AUTH_ERR
+ * PAM_NEW_AUTHTOK_REQD
+ * PAM_ACCT_EXPIRED
+ */
+
+/**
+ * The =pam_sm_acct_mgmt function is the service module's implementation
+ * of the =pam_acct_mgmt API function.
+ */
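Review bot: The doc comment presents pam_sm_acct_mgmt as "the service module's implementation", but the function added here ignores all four parameters and always returns PAM_SYSTEM_ERR, and nothing says it is a placeholder. A reader cannot tell whether code that resolves this symbol by accident gets a deliberate fail-closed result or an unfinished function. A one-line comment above the return would settle it, e.g. `/* placeholder: real implementations live in service modules; always fails */`, assuming that is the intent. The same applies to the other pam_sm_*.c files added in this commit, including pam_sm_authenticate.c, where the fail-closed return is the security-relevant property.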
diff --git a/contrib/openpam/lib/pam_sm_authenticate.c b/contrib/openpam/lib/pam_sm_authenticate.c
new file mode 100644
index 0000000..17c8a76
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_authenticate.c
@@ -0,0 +1,82 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 68
+ *
+ * Service module implementation for pam_authenticate
+ */
+
+int
+pam_sm_authenticate(pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SERVICE_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ * PAM_PERM_DENIED
+ * PAM_IGNORE
+ * PAM_ABORT
+ *
+ * PAM_AUTH_ERR
+ * PAM_CRED_INSUFFICIENT
+ * PAM_AUTHINFO_UNAVAIL
+ * PAM_USER_UNKNOWN
+ * PAM_MAXTRIES
+ */
+
+/**
+ * The =pam_sm_authenticate function is the service module's
+ * implementation of the =pam_authenticate API function.
+ */
diff --git a/contrib/openpam/lib/pam_sm_authenticate_secondary.c b/contrib/openpam/lib/pam_sm_authenticate_secondary.c
new file mode 100644
index 0000000..ec56f47
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_authenticate_secondary.c
@@ -0,0 +1,66 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 70
+ *
+ * Service module implementation for pam_authenticate_secondary
+ */
+
+int
+pam_sm_authenticate_secondary(pam_handle_t *pamh,
+ char *target_username,
+ char *target_module_type,
+ char *target_authn_domain,
+ char *target_supp_data,
+ unsigned char *target_module_authtok,
+ int flags,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_sm_chauthtok.c b/contrib/openpam/lib/pam_sm_chauthtok.c
new file mode 100644
index 0000000..2edf0d7
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_chauthtok.c
@@ -0,0 +1,82 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 72
+ *
+ * Service module implementation for pam_chauthtok
+ */
+
+int
+pam_sm_chauthtok(pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SERVICE_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ * PAM_PERM_DENIED
+ * PAM_IGNORE
+ * PAM_ABORT
+ *
+ * PAM_PERM_DENIED
+ * PAM_AUTHTOK_ERR
+ * PAM_AUTHTOK_RECOVERY_ERR
+ * PAM_AUTHTOK_LOCK_BUSY
+ * PAM_AUTHTOK_DISABLE_AGING
+ */
+
+/**
+ * The =pam_sm_chauthtok function is the service module's implementation
+ * of the =pam_chauthtok API function.
+ */
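Review bot: `PAM_PERM_DENIED` appears twice in the error-code list: once in the common group, and again as the first entry of the function-specific group. Drop the second occurrence so a list generated from this comment does not repeat it. If a different code was intended in that position, the list is currently missing it.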
diff --git a/contrib/openpam/lib/pam_sm_close_session.c b/contrib/openpam/lib/pam_sm_close_session.c
new file mode 100644
index 0000000..7ff7a83
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_close_session.c
@@ -0,0 +1,78 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 75
+ *
+ * Service module implementation for pam_close_session
+ */
+
+int
+pam_sm_close_session(pam_handle_t *pamh,
+ int flags,
+ int args,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SERVICE_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ * PAM_PERM_DENIED
+ * PAM_IGNORE
+ * PAM_ABORT
+ *
+ * PAM_SESSION_ERR
+ */
+
+/**
+ * The =pam_sm_close_session function is the service module's
+ * implementation of the =pam_close_session API function.
+ */
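Review bot: The third parameter is declared `int args`, while pam_sm_open_session and the other service-module entry points added in this commit use `int argc` next to `argv`. The stub never reads it, so this is naming only, but prototypes generated from this file would differ from their siblings. I would change the line to `int argc,`.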
diff --git a/contrib/openpam/lib/pam_sm_get_mapped_authtok.c b/contrib/openpam/lib/pam_sm_get_mapped_authtok.c
new file mode 100644
index 0000000..c6a91121
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_get_mapped_authtok.c
@@ -0,0 +1,65 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 77
+ *
+ * Service module implementation for pam_get_mapped_authtok
+ */
+
+int
+pam_sm_get_mapped_authtok(pam_handle_t *pamh,
+ char *target_module_username,
+ char *target_module_type,
+ char *target_authn_domain,
+ size_t *target_authtok_len,
+ unsigned char **target_module_authtok,
+ int argc,
+ char *argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ */
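Review bot: The last parameter is declared `char *argv`, whereas the other service-module entry points in this commit take `const char **argv`; pam_sm_set_mapped_authtok.c has a third variant, `const char *argv`. Next to `int argc`, a single string rather than a vector looks like a transcription slip. If it mirrors the XSSO prototype literally, a comment saying so would help; otherwise use `const char **argv` in both files. The stub ignores the parameter, so nothing misbehaves today, but a caller passing an argument vector through this prototype would be a type mismatch.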
diff --git a/contrib/openpam/lib/pam_sm_get_mapped_username.c b/contrib/openpam/lib/pam_sm_get_mapped_username.c
new file mode 100644
index 0000000..0aed26c
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_get_mapped_username.c
@@ -0,0 +1,66 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 79
+ *
+ * Service module implementation for pam_get_mapped_username
+ */
+
+int
+pam_sm_get_mapped_username(pam_handle_t *pamh,
+ char *src_username,
+ char *src_module_type,
+ char *src_authn_domain,
+ char *target_module_type,
+ char *target_authn_domain,
+ char **target_module_username,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_sm_open_session.c b/contrib/openpam/lib/pam_sm_open_session.c
new file mode 100644
index 0000000..7ed7401
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_open_session.c
@@ -0,0 +1,78 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 81
+ *
+ * Service module implementation for pam_open_session
+ */
+
+int
+pam_sm_open_session(pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SERVICE_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ * PAM_PERM_DENIED
+ * PAM_IGNORE
+ * PAM_ABORT
+ *
+ * PAM_SESSION_ERR
+ */
+
+/**
+ * The =pam_sm_open_session function is the service module's
+ * implementation of the =pam_open_session API function.
+ */
diff --git a/contrib/openpam/lib/pam_sm_set_mapped_authtok.c b/contrib/openpam/lib/pam_sm_set_mapped_authtok.c
new file mode 100644
index 0000000..35cecaa
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_set_mapped_authtok.c
@@ -0,0 +1,65 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 83
+ *
+ * Service module implementation for pam_set_mapped_authtok
+ */
+
+int
+pam_sm_set_mapped_authtok(pam_handle_t *pamh,
+ char *target_module_username,
+ size_t target_authtok_len,
+ unsigned char *target_module_authtok,
+ char *target_module_type,
+ char *target_authn_domain,
+ int argc,
+ const char *argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_sm_set_mapped_username.c b/contrib/openpam/lib/pam_sm_set_mapped_username.c
new file mode 100644
index 0000000..1911fd8
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_set_mapped_username.c
@@ -0,0 +1,63 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 85
+ *
+ * Service module implementation for pam_set_mapped_username
+ */
+
+int
+pam_sm_set_mapped_username(pam_handle_t *pamh,
+ char *target_module_username,
+ char *target_module_type,
+ char *target_authn_domain,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+/*
+ * NODOC
+ */
diff --git a/contrib/openpam/lib/pam_sm_setcred.c b/contrib/openpam/lib/pam_sm_setcred.c
new file mode 100644
index 0000000..20777ad
--- /dev/null
+++ b/contrib/openpam/lib/pam_sm_setcred.c
@@ -0,0 +1,82 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id$
+ */
+
+#include <sys/param.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+
+/*
+ * XSSO 4.2.2
+ * XSSO 6 page 87
+ *
+ * Service module implementation for pam_setcred
+ */
+
+int
+pam_sm_setcred(pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+
+ return (PAM_SYSTEM_ERR);
+}
+
+
+/*
+ * NOLIST
+ *
+ * Error codes:
+ *
+ * PAM_SERVICE_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ * PAM_PERM_DENIED
+ * PAM_IGNORE
+ * PAM_ABORT
+ *
+ * PAM_CRED_UNAVAIL
+ * PAM_CRED_EXPIRED
+ * PAM_USER_UNKNOWN
+ * PAM_CRED_ERR
+ */
+
+/**
+ * The =pam_sm_setcred function is the service module's implementation of
+ * the =pam_setcred API function.
+ */
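Review bot: The closing `/** */` comment does not say that this body is a placeholder: as written, `pam_sm_setcred` ignores `pamh`, `flags`, `argc` and `argv` and always returns `PAM_SYSTEM_ERR`. The NOLIST block lists codes such as `PAM_IGNORE` and `PAM_CRED_EXPIRED` that this body never returns, so the list presumably describes what a real module may return. Failing with an error is a safe default for an unimplemented credential hook, so I would keep the behaviour and state it, for example `This stub always returns PAM_SYSTEM_ERR; a service module must provide its own pam_sm_setcred.` A sentence on what `flags` carries would also help module authors.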
diff --git a/contrib/openpam/lib/pam_start.c b/contrib/openpam/lib/pam_start.c
index a059661..1578258 100644
--- a/contrib/openpam/lib/pam_start.c
+++ b/contrib/openpam/lib/pam_start.c
@@ -290,3 +290,37 @@ _pam_configure_service(pam_handle_t *pamh,
return (PAM_SYSTEM_ERR);
}
+
+/*
+ * Error codes:
+ *
+ * =pam_set_item
+ * !PAM_SYMBOL_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ */
+
+/**
+ * The =pam_start function creates and initializes a PAM context.
+ *
+ * The =service argument specifies the name of the policy to apply, and is
+ * stored in the =PAM_SERVICE item in the created context.
+ *
+ * The =user argument specifies the name of the target user - the user the
+ * created context will serve to authenticate.
+ * It is stored in the =PAM_USER item in the created context.
+ *
+ * The =pam_conv argument points to a =struct pam_conv describing the
+ * conversation function to use.
+ * This structure is defined as follows:
+ *
+ * struct pam_conv {
+ * int (*conv)(int, const struct pam_message **,
+ * struct pam_response **, void *);
+ * void *appdata_ptr;
+ * };
+ *
+ * >pam_get_item
+ * >pam_set_item
+ * >pam_end
+ */
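Review bot: The new comment describes `service`, `user` and `pam_conv`, but not how the created context reaches the caller or how it is released; `pam_end` appears only as a cross-reference. The signature of pam_start is outside this hunk, so I am assuming the usual handle output argument. If that is right, a paragraph such as `The =pamh argument points to the location where the new context handle is stored; it must be released with =pam_end.` would close the gap. It would also help to say whether the `service` and `user` strings are copied or only referenced, because the caller needs to know how long they must stay valid.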
diff --git a/contrib/openpam/lib/pam_strerror.c b/contrib/openpam/lib/pam_strerror.c
index 516374c..2503e4f 100644
--- a/contrib/openpam/lib/pam_strerror.c
+++ b/contrib/openpam/lib/pam_strerror.c
@@ -61,7 +61,7 @@ pam_strerror(pam_handle_t *pamh,
case PAM_OPEN_ERR:
return ("failed to load module");
case PAM_SYMBOL_ERR:
- return ("symbol not found in module");
+ return ("invalid symbol");
case PAM_SERVICE_ERR:
return ("error in service module");
case PAM_SYSTEM_ERR:
@@ -103,7 +103,7 @@ pam_strerror(pam_handle_t *pamh,
case PAM_AUTHTOK_LOCK_BUSY:
return ("authentication token lock busy");
case PAM_AUTHTOK_DISABLE_AGING:
- return ("authentication token ageing disabled");
+ return ("authentication token aging disabled");
case PAM_NO_MODULE_DATA:
return ("module data not found");
case PAM_IGNORE:
@@ -121,3 +121,10 @@ pam_strerror(pam_handle_t *pamh,
return (unknown);
}
}
+
+/**
+ * The =pam_strerror function returns a pointer to a string containing a
+ * textual description of the error indicated by the =error_number
+ * argument, in the context of the PAM transaction described by the =pamh
+ * argument.
+ */
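Review bot: The added comment says nothing about the lifetime or ownership of the returned string. The branches visible in these hunks return string literals, but the last one returns `unknown`, which is declared outside the hunks. If that is a static buffer filled on each call, the result can be overwritten by a later call and is not safe to share between threads. After confirming how `unknown` is defined, I would add `The returned string must not be modified or freed, and may be overwritten by a subsequent call.`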
diff --git a/contrib/openpam/lib/pam_verror.c b/contrib/openpam/lib/pam_verror.c
index feeaa6e..2d8e2ca 100644
--- a/contrib/openpam/lib/pam_verror.c
+++ b/contrib/openpam/lib/pam_verror.c
@@ -58,3 +58,20 @@ pam_verror(pam_handle_t *pamh,
free(rsp); /* ignore response */
return (r);
}
+
+/*
+ * Error codes:
+ *
+ * !PAM_SYMBOL_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ */
+
+/**
+ * The =pam_verror function passes its arguments to =pam_vprompt with a
+ * =style argument of =PAM_ERROR_MSG, and discards the response.
+ *
+ * >pam_error
+ * >pam_vinfo
+ */
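Review bot: Neither this comment nor the matching one added to pam_vinfo.c tells callers that the forwarded arguments include a printf-style format. The pam_vprompt comment later in this commit says the message is built from `fmt` and `ap` with `vsnprintf`. Text that originates from a user, a remote peer or module configuration should therefore be passed as an argument to a literal format, never as the format itself. I would add `The =fmt argument is a printf(3) format string and must not contain untrusted data.` to both comments. Both function bodies lie outside the hunks, so the parameter name is inferred from pam_vprompt's description.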
diff --git a/contrib/openpam/lib/pam_vinfo.c b/contrib/openpam/lib/pam_vinfo.c
index 2484998..6cd4188 100644
--- a/contrib/openpam/lib/pam_vinfo.c
+++ b/contrib/openpam/lib/pam_vinfo.c
@@ -58,3 +58,20 @@ pam_vinfo(pam_handle_t *pamh,
free(rsp); /* ignore response */
return (r);
}
+
+/*
+ * Error codes:
+ *
+ * !PAM_SYMBOL_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ */
+
+/**
+ * The =pam_vinfo function passes its arguments to =pam_vprompt with a
+ * =style argument of =PAM_TEXT_INFO, and discards the response.
+ *
+ * >pam_info
+ * >pam_verror
+ */
diff --git a/contrib/openpam/lib/pam_vprompt.c b/contrib/openpam/lib/pam_vprompt.c
index cea56c7..e5eba2e 100644
--- a/contrib/openpam/lib/pam_vprompt.c
+++ b/contrib/openpam/lib/pam_vprompt.c
@@ -77,3 +77,47 @@ pam_vprompt(pam_handle_t *pamh,
free(rsp);
return (r);
}
+
+/*
+ * Error codes:
+ *
+ * !PAM_SYMBOL_ERR
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_CONV_ERR
+ */
+
+/**
+ * The =pam_vprompt function constructs a string from the =fmt and =ap
+ * arguments using =vsnprintf, and passes it to the given PAM context's
+ * conversation function.
+ *
+ * The =style argument specifies the type of interaction requested, and
+ * must be one of the following:
+ *
+ * =PAM_PROMPT_ECHO_OFF:
+ * Display the message and obtain the user's response without
+ * displaying it.
+ * =PAM_PROMPT_ECHO_ON:
+ * Display the message and obtain the user's response.
+ * =PAM_ERROR_MSG:
+ * Display the message as an error message, and do not wait
+ * for a response.
+ * =PAM_TEXT_INFO:
+ * Display the message as an informational message, and do
+ * not wait for a response.
+ *
+ * A pointer to the response, or =NULL if the conversation function did
+ * not return one, is stored in the location pointed to by the =resp
+ * argument.
+ *
+ * The message and response should not exceed =PAM_MAX_MSG_SIZE or
+ * =PAM_MAX_RESP_SIZE, respectively.
+ * If they do, they may be truncated.
+ *
+ * >pam_error
+ * >pam_info
+ * >pam_prompt
+ * >pam_verror
+ * >pam_vinfo
+ */
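Review bot: The paragraph on `resp` does not say who owns the stored response. The context lines show `rsp` being freed before the return, so the string handed back through `resp` is presumably a separate allocation that the caller must free; the body is outside the hunk, so this needs confirming. With `PAM_PROMPT_ECHO_OFF` the response is typically a password or similar secret, and the comment should tell callers to overwrite it before releasing it. Suggested wording: `The caller is responsible for freeing the response, and should clear it first if it may contain a secret.`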