shadow-maint · alejandro-colomar · Jan 22, 2025 · Jan 26, 2025 · Jan 22, 2025 · Jan 22, 2025
diff --git a/lib/Makefile.am b/lib/Makefile.am
@@ -27,8 +27,6 @@ libshadow_la_SOURCES = \
 	adds.c \
 	adds.h \
 	age.c \
-	agetpass.c \
-	agetpass.h \
 	alloc/calloc.c \
 	alloc/calloc.h \
 	alloc/malloc.c \
@@ -138,6 +136,8 @@ libshadow_la_SOURCES = \
 	pam_defs.h \
 	pam_pass.c \
 	pam_pass_non_interactive.c \
+	pass.c \
+	pass.h \
 	port.c \
 	port.h \
 	prefix_flag.c \

diff --git a/lib/agetpass.c b/lib/agetpass.c
diff --git a/lib/agetpass.h b/lib/agetpass.h
diff --git a/lib/alloc/malloc.h b/lib/alloc/malloc.h
@@ -8,11 +8,13 @@
 
 #include <config.h>
 
+#include <alloca.h>
 #include <stdlib.h>
 
 #include "attr.h"
 
 
+#define ALLOCA(n, type)  ((type *) alloca(n * sizeof(type)))
 #define MALLOC(n, type)                                                       \
 (                                                                             \
 	(type *) mallocarray(n, sizeof(type))                                 \

diff --git a/lib/defines.h b/lib/defines.h
@@ -198,14 +198,4 @@
 #  define shadow_getenv(name) getenv(name)
 #endif
 
-/*
- * Maximum password length
- *
- * Consider that there is also limit in PAM (PAM_MAX_RESP_SIZE)
- * currently set to 512.
- */
-#if !defined(PASS_MAX)
-#define PASS_MAX  BUFSIZ - 1
-#endif
-
 #endif				/* _DEFINES_H_ */
diff --git a/lib/pass.c b/lib/pass.c
@@ -0,0 +1,61 @@
+// SPDX-FileCopyrightText: 2022-2025, Alejandro Colomar <[email protected]>
+// SPDX-License-Identifier: BSD-3-Clause
+
+
+#include <config.h>
+
+#include "pass.h"
+
+#include <errno.h>
+#include <readpassphrase.h>
+#include <stddef.h>
+#include <string.h>
+
+#include "sizeof.h"
+#include "string/memset/memzero.h"
+
+
+#define READPASSPHRASE(prompt, buf, flags)                            \
+(                                                                     \
+	readpassphrase(prompt, buf, NITEMS(buf), flags)               \
+)
+
+
+pass_t *
+passzero(pass_t *pass)
+{
+	if (pass == NULL)
+		return NULL;
+
+	return MEMZERO(*pass);
+}
+
+
+// readpassphrase(3), but detect truncation, and memzero() on error.
+pass_t *
+readpass(pass_t *pass, const char *restrict prompt, int flags)
+{
+	size_t  len;
+
+	/*
+	 * Since we want to support passwords upto PASS_MAX, we need
+	 * PASS_MAX bytes for the password itself, and one more byte for
+	 * the terminating '\0'.  We also want to detect truncation, and
+	 * readpassphrase(3) doesn't detect it, so we need some trick.
+	 * Let's add one more byte, and if the password uses it, it
+	 * means the introduced password was longer than PASS_MAX.
+	 */
+	if (READPASSPHRASE(prompt, *pass, flags) == NULL)
+		goto fail;
+
+	len = strlen(*pass);
+	if (len == NITEMS(*pass) - 1) {
+		errno = ENOBUFS;
+		goto fail;
+	}
+
+	return pass;
+fail:
+	MEMZERO(*pass);
+	return NULL;
+}
diff --git a/lib/pass.h b/lib/pass.h
@@ -0,0 +1,46 @@
+// SPDX-FileCopyrightText: 2022-2025, Alejandro Colomar <[email protected]>
+// SPDX-License-Identifier: BSD-3-Clause
+
+
+#ifndef SHADOW_INCLUDE_LIB_PASS_H_
+#define SHADOW_INCLUDE_LIB_PASS_H_
+
+
+#include <config.h>
+
+#include <limits.h>
+#include <readpassphrase.h>
+#include <stddef.h>
+#include <stdio.h>
+
+#include "alloc/malloc.h"
+#include "attr.h"
+
+
+// There is also a limit in PAM (PAM_MAX_RESP_SIZE), currently set to 512.
+#ifndef  PASS_MAX
+# define PASS_MAX  (BUFSIZ - 1)
+#endif
+
+
+// Similar to getpass(3), but free of its problems, and using alloca(3).
+#define getpassa(prompt)       getpass2(passalloca(), prompt)
+#define getpassa_stdin()       getpass2_stdin(passalloca())
+
+// Similar to getpass(3), but free of its problems, and get the buffer in $1.
+#define getpass2(buf, prompt)  readpass(buf, prompt, RPP_REQUIRE_TTY)
+#define getpass2_stdin(buf)    readpass(buf, NULL, RPP_STDIN)
+
+#define passalloca()           ALLOCA(1, pass_t)
+
+
+typedef typeof(char [PASS_MAX + 2])  pass_t;
+
+
+pass_t *passzero(pass_t *pass);
+
+ATTR_MALLOC(passzero)
+pass_t *readpass(pass_t *pass, const char *restrict prompt, int flags);
+
+
+#endif  // include guard
diff --git a/lib/pwauth.c b/lib/pwauth.c
@@ -19,8 +19,8 @@
 #include <sys/types.h>
 #include <unistd.h>
 
-#include "agetpass.h"
 #include "defines.h"
+#include "pass.h"
 #include "prototypes.h"
 #include "pwauth.h"
 #include "getdef.h"
@@ -55,7 +55,7 @@ int pw_auth (const char *cipher,
 {
 	int          retval;
 	char         prompt[1024];
-	char         *clear = NULL;
+	pass_t       *clear = NULL;
 	const char   *cp;
 	const char   *encrypted;
 
@@ -144,8 +144,8 @@ int pw_auth (const char *cipher,
 #endif
 
 		SNPRINTF(prompt, cp, user);
-		clear = agetpass(prompt);
-		input = (clear == NULL) ? "" : clear;
+		clear = getpassa(prompt);
+		input = (clear == NULL) ? "" : *clear;
 	}
 
 	/*
@@ -171,9 +171,9 @@ int pw_auth (const char *cipher,
 	 * -- AR 8/22/1999
 	 */
 	if ((0 != retval) && streq(input, "") && use_skey) {
-		erase_pass(clear);
-		clear = agetpass(prompt);
-		input = (clear == NULL) ? "" : clear;
+		passzero(clear);
+		clear = getpassa(prompt);
+		input = (clear == NULL) ? "" : *clear;
 	}
 
 	if ((0 != retval) && use_skey) {
@@ -187,7 +187,7 @@ int pw_auth (const char *cipher,
 		}
 	}
 #endif
-	erase_pass(clear);
+	passzero(clear);
 
 	return retval;
 }