diff --git a/lib/pam_authenticate.c b/lib/pam_authenticate.c
index ff70fb6..20c656e 100644
--- a/lib/pam_authenticate.c
+++ b/lib/pam_authenticate.c
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/pam_authenticate.c#8 $
+ * $P4: //depot/projects/openpam/lib/pam_authenticate.c#9 $
 */
 #include
@@ -53,6 +53,8 @@ pam_authenticate(pam_handle_t *pamh,
 {
 int pam_err;
+ if (flags & ~(PAM_SILENT|PAM_DISALLOW_NULL_AUTHTOK))
+ return (PAM_SYMBOL_ERR);
 pam_err = openpam_dispatch(pamh, PAM_SM_AUTHENTICATE, flags);
 pam_set_item(pamh, PAM_AUTHTOK, NULL);
 return (pam_err);
@@ -65,3 +67,20 @@ pam_authenticate(pam_handle_t *pamh,
 * =pam_sm_authenticate
 * !PAM_IGNORE
 */
+
+/**
+ * The =pam_authenticate function attempts to authenticate the user
+ * associated with the pam context specified by the =pamh argument.
+ *
+ * The application is free to call =pam_authenticate as many times as it
+ * wishes, but some modules may maintain an internal retry counter and
+ * return =PAM_MAXTRIES when it exceeds some preset or hardcoded limit.
+ *
+ * The =flags argument is the binary or of zero or more of the following
+ * values:
+ *
+ * =PAM_SILENT
+ * Do not emit any messages.
+ * =PAM_DISALLOW_NULL_AUTHTOK
+ * Fail if the user's authentication token is null.
+ */
diff --git a/lib/pam_chauthtok.c b/lib/pam_chauthtok.c
index 2699fde..bf56a13 100644
--- a/lib/pam_chauthtok.c
+++ b/lib/pam_chauthtok.c
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/pam_chauthtok.c#9 $
+ * $P4: //depot/projects/openpam/lib/pam_chauthtok.c#10 $
 */
 #include
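Review bot: The new early `return (PAM_SYMBOL_ERR);` in pam_authenticate leaves the function before `pam_set_item(pamh, PAM_AUTHTOK, NULL)` runs, so a token already stored in the handle is not cleared on the bad-flags path. Whether a token can be present at that point depends on callers and modules not shown here, but clearing it on every exit keeps the scrub unconditional: `if (flags & ~(PAM_SILENT|PAM_DISALLOW_NULL_AUTHTOK)) { pam_set_item(pamh, PAM_AUTHTOK, NULL); return (PAM_SYMBOL_ERR); }`. The function's signature starts outside the hunk.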
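Review bot: The return-value list that ends just above the added doc comment shows `!PAM_IGNORE` as its last entry, while the matching list in lib/pam_chauthtok.c also carries `PAM_SYMBOL_ERR`. Now that pam_authenticate returns that code for unknown flag bits, it should be listed here too, as a ` * PAM_SYMBOL_ERR` line after `!PAM_IGNORE`. The list begins outside the hunk, so confirm it is not already present further up. The new doc comment could also state that any flag other than the two it names is rejected.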
@@ -53,7 +53,7 @@ pam_chauthtok(pam_handle_t *pamh,
 {
 int pam_err;
- if (flags & PAM_PRELIM_CHECK || flags & PAM_UPDATE_AUTHTOK)
+ if (flags & ~(PAM_SILENT|PAM_CHANGE_EXPIRED_AUTHTOK))
 return (PAM_SYMBOL_ERR);
 pam_err = openpam_dispatch(pamh, PAM_SM_CHAUTHTOK, flags | PAM_PRELIM_CHECK);
@@ -73,3 +73,17 @@ pam_chauthtok(pam_handle_t *pamh,
 * !PAM_IGNORE
 * PAM_SYMBOL_ERR
 */
+
+/**
+ * The =pam_chauthtok function attempts to change the authentication token
+ * for the user associated with the pam context specified by the =pamh
+ * argument.
+ *
+ * The =flags argument is the binary or of zero or more of the following
+ * values:
+ *
+ * =PAM_SILENT
+ * Do not emit any messages.
+ * =PAM_CHANGE_EXPIRED_AUTHTOK
+ * Change only those authentication tokens that have expired.
+ */
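Review bot: The rewritten mask on the `if` line in pam_chauthtok no longer names PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK, so the reason callers may not pass them is now implicit in the allow-list. A short comment above the check would keep that intent visible, for example `/* accept caller-settable flags only; PAM_PRELIM_CHECK is OR-ed in by the library below */`. The dispatch call that adds PAM_PRELIM_CHECK is visible in the hunk. The rest of the function, presumably including the PAM_UPDATE_AUTHTOK pass, lies outside it.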