lib/, src/: Use getpassa()/passzero() instead of agetpass()/erase_pass()

And getpassa_stdin() instead of agetpass_stdin().

Now our passwords live in the stack, and there are less copies in the
heap.  In a few programs, we still copy them into the heap, though.
It's not easy to get rid of all of them.

This alloca(3)-based API means we need to call passalloca() before a
loop.  Calling passalloca() (which is a wrapper around alloca(3)) in a
loop is dangerous, as it can trigger a stack overflow.  Instead,
allocate the buffer before the loop, and run getpass2() within the loop,
which will reuse the buffer.

Also, to avoid deallocator mismatches, use `pass = passzero(pass)` in
those cases, so that the compiler knows that 'pass' has changed, and
we're not using the password after zeroing it; we're only re-using its
storage, which is fine.

Signed-off-by: Alejandro Colomar <[email protected]>

Author: alejandro-colomar

lib/pwauth.c

@@ -19,8 +19,8 @@
 #include <sys/types.h>
 #include <unistd.h>
 
-#include "agetpass.h"
 #include "defines.h"
+#include "pass.h"
 #include "prototypes.h"
 #include "pwauth.h"
 #include "getdef.h"
@@ -53,7 +53,7 @@ pw_auth(const char *cipher, const char *user)
 {
 	int          retval;
 	char         prompt[1024];
-	char         *clear;
+	pass_t       *clear;
 	const char   *cp;
 	const char   *encrypted;
 	const char   *input;
@@ -112,8 +112,8 @@ pw_auth(const char *cipher, const char *user)
 #endif
 
 	SNPRINTF(prompt, cp, user);
-	clear = agetpass(prompt);
-	input = (clear == NULL) ? "" : clear;
+	clear = getpassa(prompt);
+	input = (clear == NULL) ? "" : *clear;
 
 	/*
 	 * Convert the cleartext password into a ciphertext string.
@@ -138,9 +138,9 @@ pw_auth(const char *cipher, const char *user)
 	 * -- AR 8/22/1999
 	 */
 	if ((0 != retval) && streq(input, "") && use_skey) {
-		erase_pass(clear);
-		clear = agetpass(prompt);
-		input = (clear == NULL) ? "" : clear;
+		passzero(clear);
+		clear = getpassa(prompt);
+		input = (clear == NULL) ? "" : *clear;
 	}
 
 	if ((0 != retval) && use_skey) {
@@ -154,7 +154,7 @@ pw_auth(const char *cipher, const char *user)
 		}
 	}
 #endif
-	erase_pass(clear);
+	passzero(clear);
 
 	return retval;
 }

src/gpasswd.c

@@ -20,14 +20,14 @@
 #include <stdio.h>
 #include <sys/types.h>
 
-#include "agetpass.h"
 #include "alloc/x/xmalloc.h"
 #include "attr.h"
 #include "defines.h"
 /*@-exitarg@*/
 #include "exitcodes.h"
 #include "groupio.h"
 #include "nscd.h"
+#include "pass.h"
 #include "prototypes.h"
 #ifdef SHADOWGRP
 #include "sgroupio.h"
@@ -820,6 +820,7 @@ static void change_passwd (struct group *gr)
 	char *cp;
 	static char pass[PASS_MAX + 1];
 	int retries;
+	pass_t     *p;
 	const char *salt;
 
 	/*
@@ -830,26 +831,27 @@ static void change_passwd (struct group *gr)
 	 */
 	printf (_("Changing the password for group %s\n"), group);
 
+	p = passalloca();
 	for (retries = 0; retries < RETRIES; retries++) {
-		cp = agetpass (_("New Password: "));
-		if (NULL == cp) {
+		p = getpass2(p, _("New Password: "));
+		if (NULL == p) {
 			exit (1);
 		}
 
-		STRTCPY(pass, cp);
-		erase_pass (cp);
-		cp = agetpass (_("Re-enter new password: "));
-		if (NULL == cp) {
+		STRTCPY(pass, *p);
+		p = passzero(p);
+		p = getpass2(p, _("Re-enter new password: "));
+		if (NULL == p) {
 			MEMZERO(pass);
 			exit (1);
 		}
 
-		if (streq(pass, cp)) {
-			erase_pass (cp);
+		if (streq(pass, *p)) {
+			passzero(p);
 			break;
 		}
 
-		erase_pass (cp);
+		p = passzero(p);
 		MEMZERO(pass);
 
 		if (retries + 1 < RETRIES) {

src/newgrp.c

@@ -16,13 +16,13 @@
 #include <stdio.h>
 #include <sys/types.h>
 
-#include "agetpass.h"
 #include "alloc/x/xmalloc.h"
 #include "chkname.h"
 #include "defines.h"
 /*@-exitarg@*/
 #include "exitcodes.h"
 #include "getdef.h"
+#include "pass.h"
 #include "prototypes.h"
 #include "search/l/lfind.h"
 #include "search/l/lsearch.h"
@@ -123,8 +123,8 @@ static void check_perms (const struct group *grp,
                          const char *groupname)
 {
 	bool needspasswd = false;
+	pass_t      *p;
 	struct spwd *spwd;
-	char *cp;
 	const char *cpasswd;
 
 	/*
@@ -167,8 +167,8 @@ static void check_perms (const struct group *grp,
 		 * get the password from her, and set the salt for
 		 * the decryption from the group file.
 		 */
-		cp = agetpass (_("Password: "));
-		if (NULL == cp) {
+		p = getpassa(_("Password: "));
+		if (NULL == p) {
 			goto failure;
 		}
 
@@ -177,8 +177,8 @@ static void check_perms (const struct group *grp,
 		 * password in the group file. The result of this encryption
 		 * must match the previously encrypted value in the file.
 		 */
-		cpasswd = pw_encrypt (cp, grp->gr_passwd);
-		erase_pass (cp);
+		cpasswd = pw_encrypt(*p, grp->gr_passwd);
+		passzero(p);
 
 		if (NULL == cpasswd) {
 			fprintf (stderr,

src/passwd.c

@@ -20,12 +20,12 @@
 #include <sys/types.h>
 #include <time.h>
 
-#include "agetpass.h"
 #include "atoi/a2i/a2s.h"
 #include "chkname.h"
 #include "defines.h"
 #include "getdef.h"
 #include "nscd.h"
+#include "pass.h"
 #include "prototypes.h"
 #include "pwauth.h"
 #include "pwio.h"
@@ -177,10 +177,11 @@ usage (int status)
  */
 static int new_password (const struct passwd *pw)
 {
-	char *clear;		/* Pointer to clear text */
 	char *cipher;		/* Pointer to cipher text */
+	char       *cp;
 	const char *salt;	/* Pointer to new salt */
-	char *cp;		/* Pointer to agetpass() response */
+	pass_t     *clear;	/* Pointer to clear text */
+	pass_t     *p;		/* Pointer to getpassa() response */
 	char orig[PASS_MAX + 1];	/* Original password */
 	char pass[PASS_MAX + 1];	/* New password */
 	int i;			/* Counter for retries */
@@ -195,15 +196,15 @@ static int new_password (const struct passwd *pw)
 	 */
 
 	if (!amroot && !streq(crypt_passwd, "")) {
-		clear = agetpass (_("Old password: "));
+		clear = getpassa(_("Old password: "));
 		if (NULL == clear) {
 			return -1;
 		}
 
-		cipher = pw_encrypt (clear, crypt_passwd);
+		cipher = pw_encrypt(*clear, crypt_passwd);
 
 		if (NULL == cipher) {
-			erase_pass (clear);
+			passzero(clear);
 			fprintf (stderr,
 			         _("%s: failed to crypt password with previous salt: %s\n"),
 			         Prog, strerror (errno));
@@ -214,7 +215,7 @@ static int new_password (const struct passwd *pw)
 		}
 
 		if (!streq(cipher, crypt_passwd)) {
-			erase_pass (clear);
+			passzero(clear);
 			strzero (cipher);
 			SYSLOG ((LOG_WARN, "incorrect password for %s",
 			         pw->pw_name));
@@ -224,8 +225,8 @@ static int new_password (const struct passwd *pw)
 			                pw->pw_name);
 			return -1;
 		}
-		STRTCPY(orig, clear);
-		erase_pass (clear);
+		STRTCPY(orig, *clear);
+		passzero(clear);
 		strzero (cipher);
 	} else {
 		strcpy(orig, "");
@@ -279,31 +280,32 @@ static int new_password (const struct passwd *pw)
 		/*
 		 * root is setting the passphrase from stdin
 		 */
-		cp = agetpass_stdin ();
-		if (NULL == cp) {
+		p = getpassa_stdin();
+		if (NULL == p) {
 			return -1;
 		}
-		ret = STRTCPY (pass, cp);
-		erase_pass (cp);
+		ret = STRTCPY(pass, *p);
+		passzero(p);
 		if (ret == -1) {
 			(void) fputs (_("Password is too long.\n"), stderr);
 			MEMZERO(pass);
 			return -1;
 		}
 	} else {
 		warned = false;
+		p = passalloca();
 		for (i = getdef_num ("PASS_CHANGE_TRIES", 5); i > 0; i--) {
-			cp = agetpass (_("New password: "));
-			if (NULL == cp) {
+			p = getpass2(p, _("New password: "));
+			if (NULL == p) {
 				MEMZERO(orig);
 				MEMZERO(pass);
 				return -1;
 			}
-			if (warned && !streq(pass, cp)) {
+			if (warned && !streq(pass, *p)) {
 				warned = false;
 			}
-			ret = STRTCPY (pass, cp);
-			erase_pass (cp);
+			ret = STRTCPY(pass, *p);
+			p = passzero(p);
 			if (ret == -1) {
 				(void) fputs (_("Password is too long.\n"), stderr);
 				MEMZERO(orig);
@@ -327,17 +329,17 @@ static int new_password (const struct passwd *pw)
 				warned = true;
 				continue;
 			}
-			cp = agetpass (_("Re-enter new password: "));
-			if (NULL == cp) {
+			p = getpass2(p, _("Re-enter new password: "));
+			if (NULL == p) {
 				MEMZERO(orig);
 				MEMZERO(pass);
 				return -1;
 			}
-			if (!streq(cp, pass)) {
-				erase_pass (cp);
+			if (!streq(*p, pass)) {
+				p = passzero(p);
 				(void) fputs (_("They don't match; try again.\n"), stderr);
 			} else {
-				erase_pass (cp);
+				passzero(p);
 				break;
 			}
 		}
@@ -1086,12 +1088,14 @@ main(int argc, char **argv)
 	 */
 	if (!anyflag && use_pam) {
 		if (sflg) {
-			cp = agetpass_stdin ();
-			if (cp == NULL) {
+			pass_t  *p;
+
+			p = getpassa_stdin();
+			if (p == NULL) {
 				exit (E_FAILURE);
 			}
-			do_pam_passwd_non_interactive ("passwd", name, cp);
-			erase_pass (cp);
+			do_pam_passwd_non_interactive ("passwd", name, *p);
+			passzero(p);
 		} else {
 			do_pam_passwd (name, qflg, kflg);
 		}

src/sulogin.c

@@ -18,10 +18,10 @@
 #include <sys/ioctl.h>
 #include <sys/types.h>
 
-#include "agetpass.h"
 #include "attr.h"
 #include "defines.h"
 #include "getdef.h"
+#include "pass.h"
 #include "prototypes.h"
 #include "pwauth.h"
 /*@-exitarg@*/
@@ -58,6 +58,7 @@ int
 main(int argc, char *argv[])
 {
 	int            err = 0;
+	pass_t         *pass;
 	char           **envp = environ;
 	TERMIO         termio;
 	struct passwd  pwent = {};
@@ -128,8 +129,8 @@ main(int argc, char *argv[])
 	(void) signal (SIGALRM, catch_signals);	/* exit if the timer expires */
 	(void) alarm (ALARM);		/* only wait so long ... */
 
+	pass = passalloca();
 	do {			/* repeatedly get login/password pairs */
-		char        *pass;
 		const char  *prompt;
 
 		if (pw_entry("root", &pwent) == -1) {	/* get entry from password file */
@@ -150,25 +151,25 @@ main(int argc, char *argv[])
 "(or give root password for system maintenance):");
 
 		/* get a password for root */
-		pass = agetpass(prompt);
+		pass = getpass2(pass, prompt);
 
 		/*
 		 * XXX - can't enter single user mode if root password is
 		 * empty.  I think this doesn't happen very often :-). But
 		 * it will work with standard getpass() (no NULL on EOF).
 		 * --marekm
 		 */
-		if ((NULL == pass) || streq(pass, "")) {
-			erase_pass (pass);
+		if (NULL == pass || streq(*pass, "")) {
+			passzero(pass);
 			(void) puts ("");
 #ifdef	TELINIT
 			execl (PATH_TELINIT, "telinit", RUNLEVEL, (char *) NULL);
 #endif
 			exit (0);
 		}
 
-		done = valid(pass, &pwent);
-		erase_pass (pass);
+		done = valid(*pass, &pwent);
+		pass = passzero(pass);
 
 		if (!done) {	/* check encrypted passwords ... */
 			/* ... encrypted passwords did not match */