lib/agetpass.*: Use alloca(3) to minimize visibility of passwords

The stack should have enough space for PASS_MAX+2 allocations. Signed-off-by: Alejandro Colomar <[email protected]>
shadow-maint · Jan 19, 2025 · 0f1c7c3 · 0f1c7c3
1 parent f7f02f7
commit 0f1c7c3
Showing 1 changed file with 5 additions and 7 deletions.
diff --git a/lib/agetpass.h b/lib/agetpass.h
@@ -8,6 +8,7 @@
 
 #include <config.h>
 
+#include <alloca.h>
 #include <errno.h>
 #include <limits.h>
 #include <readpassphrase.h>
@@ -16,17 +17,14 @@
 #include <string.h>
 
 #include "alloc/malloc.h"
-
-#if WITH_LIBBSD == 0
-#include "freezero.h"
-#endif /* WITH_LIBBSD */
+#include "string/memset/memzero.h"
 
 
 // Similar to getpass(3), but free of its problems.
 #define agetpass(prompt)  agetpass_(prompt, RPP_REQUIRE_TTY)
 #define agetpass_stdin()  agetpass_(NULL, RPP_STDIN)
 
-#define agetpass_(...)    getpass_(MALLOC(PASS_MAX + 2, char), __VA_ARGS__)
+#define agetpass_(...)    getpass_(alloca(PASS_MAX + 2), __VA_ARGS__)
 
 
 inline void erase_pass(char *pass);
@@ -62,15 +60,15 @@ getpass_(char pass[PASS_MAX + 2], const char *prompt, int flags)
 	return pass;
 
 fail:
-	freezero(pass, PASS_MAX + 2);
+	memzero(pass, PASS_MAX + 2);
 	return NULL;
 }
 
 
 inline void
 erase_pass(char *pass)
 {
-	freezero(pass, PASS_MAX + 2);
+	memzero(pass, PASS_MAX + 2);
 }