lib/, src/: Use getpassa()/passzero() instead of agetpass()/erase_pass()

And getpassa_stdin() instead of agetpass_stdin(). Now all passwords live in the stack, and are never copied into the heap. This introduces a subtle issue: while it's fine to call malloc(3) in a loop, it is dangerous to call alloca(3) in a loop (since there's no way to free that memory). The next commit will fix that. I've addressed it in a separate commit, for readability. Signed-off-by: Alejandro Colomar <[email protected]>
shadow-maint · Jan 28, 2025 · b0343a4 · b0343a4
1 parent fcb5f06
commit b0343a4
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 33 deletions.
diff --git a/lib/pwauth.c b/lib/pwauth.c
@@ -19,8 +19,8 @@
 #include <sys/types.h>
 #include <unistd.h>
 
-#include "agetpass.h"
 #include "defines.h"
+#include "pass.h"
 #include "prototypes.h"
 #include "pwauth.h"
 #include "getdef.h"
@@ -144,7 +144,7 @@ int pw_auth (const char *cipher,
 #endif
 
 		SNPRINTF(prompt, cp, user);
-		clear = agetpass(prompt);
+		clear = getpassa(prompt);
 		input = (clear == NULL) ? "" : clear;
 	}
 
@@ -171,8 +171,8 @@ int pw_auth (const char *cipher,
 	 * -- AR 8/22/1999
 	 */
 	if ((0 != retval) && streq(input, "") && use_skey) {
-		erase_pass(clear);
-		clear = agetpass(prompt);
+		passzero(clear);
+		clear = getpassa(prompt);
 		input = (clear == NULL) ? "" : clear;
 	}
 
@@ -187,7 +187,7 @@ int pw_auth (const char *cipher,
 		}
 	}
 #endif
-	erase_pass(clear);
+	passzero(clear);
 
 	return retval;
 }

diff --git a/src/gpasswd.c b/src/gpasswd.c
@@ -20,14 +20,14 @@
 #include <stdio.h>
 #include <sys/types.h>
 
-#include "agetpass.h"
 #include "alloc/x/xmalloc.h"
 #include "attr.h"
 #include "defines.h"
 /*@-exitarg@*/
 #include "exitcodes.h"
 #include "groupio.h"
 #include "nscd.h"
+#include "pass.h"
 #include "prototypes.h"
 #ifdef SHADOWGRP
 #include "sgroupio.h"
@@ -831,25 +831,25 @@ static void change_passwd (struct group *gr)
 	printf (_("Changing the password for group %s\n"), group);
 
 	for (retries = 0; retries < RETRIES; retries++) {
-		cp = agetpass (_("New Password: "));
+		cp = getpassa(_("New Password: "));
 		if (NULL == cp) {
 			exit (1);
 		}
 
 		STRTCPY(pass, cp);
-		erase_pass (cp);
-		cp = agetpass (_("Re-enter new password: "));
+		passzero(cp);
+		cp = getpassa(_("Re-enter new password: "));
 		if (NULL == cp) {
 			MEMZERO(pass);
 			exit (1);
 		}
 
 		if (streq(pass, cp)) {
-			erase_pass (cp);
+			passzero(cp);
 			break;
 		}
 
-		erase_pass (cp);
+		passzero(cp);
 		MEMZERO(pass);
 
 		if (retries + 1 < RETRIES) {

diff --git a/src/newgrp.c b/src/newgrp.c
@@ -16,13 +16,13 @@
 #include <stdio.h>
 #include <sys/types.h>
 
-#include "agetpass.h"
 #include "alloc/x/xmalloc.h"
 #include "chkname.h"
 #include "defines.h"
 /*@-exitarg@*/
 #include "exitcodes.h"
 #include "getdef.h"
+#include "pass.h"
 #include "prototypes.h"
 #include "search/l/lfind.h"
 #include "search/l/lsearch.h"
@@ -167,7 +167,7 @@ static void check_perms (const struct group *grp,
 		 * get the password from her, and set the salt for
 		 * the decryption from the group file.
 		 */
-		cp = agetpass (_("Password: "));
+		cp = getpassa(_("Password: "));
 		if (NULL == cp) {
 			goto failure;
 		}
@@ -178,7 +178,7 @@ static void check_perms (const struct group *grp,
 		 * must match the previously encrypted value in the file.
 		 */
 		cpasswd = pw_encrypt (cp, grp->gr_passwd);
-		erase_pass (cp);
+		passzero(cp);
 
 		if (NULL == cpasswd) {
 			fprintf (stderr,

diff --git a/src/passwd.c b/src/passwd.c
@@ -20,12 +20,12 @@
 #include <sys/types.h>
 #include <time.h>
 
-#include "agetpass.h"
 #include "atoi/a2i/a2s.h"
 #include "chkname.h"
 #include "defines.h"
 #include "getdef.h"
 #include "nscd.h"
+#include "pass.h"
 #include "prototypes.h"
 #include "pwauth.h"
 #include "pwio.h"
@@ -180,7 +180,7 @@ static int new_password (const struct passwd *pw)
 	char *clear;		/* Pointer to clear text */
 	char *cipher;		/* Pointer to cipher text */
 	const char *salt;	/* Pointer to new salt */
-	char *cp;		/* Pointer to agetpass() response */
+	char *cp;		/* Pointer to getpassa() response */
 	char orig[PASS_MAX + 1];	/* Original password */
 	char pass[PASS_MAX + 1];	/* New password */
 	int i;			/* Counter for retries */
@@ -195,15 +195,15 @@ static int new_password (const struct passwd *pw)
 	 */
 
 	if (!amroot && !streq(crypt_passwd, "")) {
-		clear = agetpass (_("Old password: "));
+		clear = getpassa(_("Old password: "));
 		if (NULL == clear) {
 			return -1;
 		}
 
 		cipher = pw_encrypt (clear, crypt_passwd);
 
 		if (NULL == cipher) {
-			erase_pass (clear);
+			passzero(clear);
 			fprintf (stderr,
 			         _("%s: failed to crypt password with previous salt: %s\n"),
 			         Prog, strerror (errno));
@@ -214,7 +214,7 @@ static int new_password (const struct passwd *pw)
 		}
 
 		if (!streq(cipher, crypt_passwd)) {
-			erase_pass (clear);
+			passzero(clear);
 			strzero (cipher);
 			SYSLOG ((LOG_WARN, "incorrect password for %s",
 			         pw->pw_name));
@@ -225,7 +225,7 @@ static int new_password (const struct passwd *pw)
 			return -1;
 		}
 		STRTCPY(orig, clear);
-		erase_pass (clear);
+		passzero(clear);
 		strzero (cipher);
 	} else {
 		strcpy(orig, "");
@@ -279,12 +279,12 @@ static int new_password (const struct passwd *pw)
 		/*
 		 * root is setting the passphrase from stdin
 		 */
-		cp = agetpass_stdin ();
+		cp = getpassa_stdin();
 		if (NULL == cp) {
 			return -1;
 		}
 		ret = STRTCPY (pass, cp);
-		erase_pass (cp);
+		passzero(cp);
 		if (ret == -1) {
 			(void) fputs (_("Password is too long.\n"), stderr);
 			MEMZERO(pass);
@@ -293,7 +293,7 @@ static int new_password (const struct passwd *pw)
 	} else {
 		warned = false;
 		for (i = getdef_num ("PASS_CHANGE_TRIES", 5); i > 0; i--) {
-			cp = agetpass (_("New password: "));
+			cp = getpassa(_("New password: "));
 			if (NULL == cp) {
 				MEMZERO(orig);
 				MEMZERO(pass);
@@ -303,7 +303,7 @@ static int new_password (const struct passwd *pw)
 				warned = false;
 			}
 			ret = STRTCPY (pass, cp);
-			erase_pass (cp);
+			passzero(cp);
 			if (ret == -1) {
 				(void) fputs (_("Password is too long.\n"), stderr);
 				MEMZERO(orig);
@@ -327,17 +327,17 @@ static int new_password (const struct passwd *pw)
 				warned = true;
 				continue;
 			}
-			cp = agetpass (_("Re-enter new password: "));
+			cp = getpassa(_("Re-enter new password: "));
 			if (NULL == cp) {
 				MEMZERO(orig);
 				MEMZERO(pass);
 				return -1;
 			}
 			if (!streq(cp, pass)) {
-				erase_pass (cp);
+				passzero(cp);
 				(void) fputs (_("They don't match; try again.\n"), stderr);
 			} else {
-				erase_pass (cp);
+				passzero(cp);
 				break;
 			}
 		}
@@ -1086,12 +1086,12 @@ main(int argc, char **argv)
 	 */
 	if (!anyflag && use_pam) {
 		if (sflg) {
-			cp = agetpass_stdin ();
+			cp = getpassa_stdin();
 			if (cp == NULL) {
 				exit (E_FAILURE);
 			}
 			do_pam_passwd_non_interactive ("passwd", name, cp);
-			erase_pass (cp);
+			passzero(cp);
 		} else {
 			do_pam_passwd (name, qflg, kflg);
 		}

diff --git a/src/sulogin.c b/src/sulogin.c
@@ -18,10 +18,10 @@
 #include <sys/ioctl.h>
 #include <sys/types.h>
 
-#include "agetpass.h"
 #include "attr.h"
 #include "defines.h"
 #include "getdef.h"
+#include "pass.h"
 #include "prototypes.h"
 #include "pwauth.h"
 /*@-exitarg@*/
@@ -150,7 +150,7 @@ main(int argc, char *argv[])
 "(or give root password for system maintenance):");
 
 		/* get a password for root */
-		pass = agetpass(prompt);
+		pass = getpassa(prompt);
 
 		/*
 		 * XXX - can't enter single user mode if root password is
@@ -159,7 +159,7 @@ main(int argc, char *argv[])
 		 * --marekm
 		 */
 		if ((NULL == pass) || streq(pass, "")) {
-			erase_pass (pass);
+			passzero(pass);
 			(void) puts ("");
 #ifdef	TELINIT
 			execl (PATH_TELINIT, "telinit", RUNLEVEL, (char *) NULL);
@@ -168,7 +168,7 @@ main(int argc, char *argv[])
 		}
 
 		done = valid(pass, &pwent);
-		erase_pass (pass);
+		passzero(pass);
 
 		if (!done) {	/* check encrypted passwords ... */
 			/* ... encrypted passwords did not match */