shadow-maint · alejandro-colomar · Jan 22, 2025 · Jan 19, 2025 · Jan 22, 2025 · Jan 22, 2025
diff --git a/lib/Makefile.am b/lib/Makefile.am
@@ -27,8 +27,6 @@ libshadow_la_SOURCES = \
 	adds.c \
 	adds.h \
 	age.c \
-	agetpass.c \
-	agetpass.h \
 	alloc/calloc.c \
 	alloc/calloc.h \
 	alloc/malloc.c \
@@ -138,6 +136,15 @@ libshadow_la_SOURCES = \
 	pam_defs.h \
 	pam_pass.c \
 	pam_pass_non_interactive.c \
+	pass/limits.h \
+	pass/getpass2.c \
+	pass/getpass2.h \
+	pass/passalloca.c \
+	pass/passalloca.h \
+	pass/passzero.c \
+	pass/passzero.h \
+	pass/readpass.c \
+	pass/readpass.h \
 	port.c \
 	port.h \
 	prefix_flag.c \

diff --git a/lib/agetpass.c b/lib/agetpass.c
diff --git a/lib/agetpass.h b/lib/agetpass.h
diff --git a/lib/alloc/malloc.h b/lib/alloc/malloc.h
@@ -8,11 +8,13 @@
 
 #include <config.h>
 
+#include <alloca.h>
 #include <stdlib.h>
 
 #include "attr.h"
 
 
+#define ALLOCA(n, type)  ((type *) alloca(n * sizeof(type)))
 #define MALLOC(n, type)                                                       \
 (                                                                             \
 	(type *) mallocarray(n, sizeof(type))                                 \

diff --git a/lib/defines.h b/lib/defines.h
@@ -198,14 +198,4 @@
 #  define shadow_getenv(name) getenv(name)
 #endif
 
-/*
- * Maximum password length
- *
- * Consider that there is also limit in PAM (PAM_MAX_RESP_SIZE)
- * currently set to 512.
- */
-#if !defined(PASS_MAX)
-#define PASS_MAX  BUFSIZ - 1
-#endif
-
 #endif				/* _DEFINES_H_ */
diff --git a/lib/pass/getpass2.c b/lib/pass/getpass2.c
@@ -0,0 +1,7 @@
+// SPDX-FileCopyrightText: 2022-2025, Alejandro Colomar <[email protected]>
+// SPDX-License-Identifier: BSD-3-Clause
+
+
+#include <config.h>
+
+#include "pass/getpass2.h"
diff --git a/lib/pass/getpass2.h b/lib/pass/getpass2.h
@@ -0,0 +1,27 @@
+// SPDX-FileCopyrightText: 2022-2025, Alejandro Colomar <[email protected]>
+// SPDX-License-Identifier: BSD-3-Clause
+
+
+#ifndef SHADOW_INCLUDE_LIB_PASS_GETPASS2_H_
+#define SHADOW_INCLUDE_LIB_PASS_GETPASS2_H_
+
+
+#include <config.h>
+
+#include <readpassphrase.h>
+#include <stddef.h>
+
+#include "pass/passalloca.h"
+#include "pass/readpass.h"
+
+
+// Similar to getpass(3), but free of its problems, and get the buffer in $1.
+#define getpass2(buf, prompt)  readpass(buf, prompt, RPP_REQUIRE_TTY)
+#define getpass2_stdin(buf)    readpass(buf, NULL, RPP_STDIN)
+
+// Similar to getpass(3), but free of its problems, and using alloca(3).
+#define getpassa(prompt)  getpass2(passalloca(), prompt)
+#define getpassa_stdin()  getpass2_stdin(passalloca())
+
+
+#endif  // include guard
diff --git a/lib/pass/limits.h b/lib/pass/limits.h
@@ -0,0 +1,21 @@
+// SPDX-FileCopyrightText: 2022-2025, Alejandro Colomar <[email protected]>
+// SPDX-License-Identifier: BSD-3-Clause
+
+
+#ifndef SHADOW_INCLUDE_LIB_PASS_LIMITS_H_
+#define SHADOW_INCLUDE_LIB_PASS_LIMITS_H_
+
+
+#include <config.h>
+
+#include <limits.h>
+#include <stdio.h>
+
+
+// There is also a limit in PAM (PAM_MAX_RESP_SIZE), currently set to 512.
+#ifndef  PASS_MAX
+# define PASS_MAX  (BUFSIZ - 1)
+#endif
+
+
+#endif  // include guard
diff --git a/lib/pass/passalloca.c b/lib/pass/passalloca.c
@@ -0,0 +1,7 @@
+// SPDX-FileCopyrightText: 2022-2025, Alejandro Colomar <[email protected]>
+// SPDX-License-Identifier: BSD-3-Clause
+
+
+#include <config.h>
+
+#include "pass/passalloca.h"
diff --git a/lib/pass/passalloca.h b/lib/pass/passalloca.h
@@ -0,0 +1,18 @@
+// SPDX-FileCopyrightText: 2022-2025, Alejandro Colomar <[email protected]>
+// SPDX-License-Identifier: BSD-3-Clause
+
+
+#ifndef SHADOW_INCLUDE_LIB_PASS_PASSALLOCA_H_
+#define SHADOW_INCLUDE_LIB_PASS_PASSALLOCA_H_
+
+
+#include <config.h>
+
+#include "alloc/malloc.h"
+#include "pass/limits.h"
+
+
+#define passalloca()   ALLOCA(PASS_MAX + 2, char)
+
+
+#endif  // include guard
diff --git a/lib/pass/passzero.c b/lib/pass/passzero.c
@@ -0,0 +1,22 @@
+// SPDX-FileCopyrightText: 2022-2025, Alejandro Colomar <[email protected]>
+// SPDX-License-Identifier: BSD-3-Clause
+
+
+#include <config.h>
+
+#include "pass/passzero.h"
+
+#include <stddef.h>
+
+#include "pass/limits.h"
+#include "string/memset/memzero.h"
+
+
+char *
+passzero(char pass[PASS_MAX + 2])
+{
+	if (pass == NULL)
+		return NULL;
+
+	return memzero(pass, PASS_MAX + 2);
+}
diff --git a/lib/pass/passzero.h b/lib/pass/passzero.h
@@ -0,0 +1,17 @@
+// SPDX-FileCopyrightText: 2022-2025, Alejandro Colomar <[email protected]>
+// SPDX-License-Identifier: BSD-3-Clause
+
+
+#ifndef SHADOW_INCLUDE_LIB_PASS_PASSZERO_H_
+#define SHADOW_INCLUDE_LIB_PASS_PASSZERO_H_
+
+
+#include <config.h>
+
+#include "pass/limits.h"
+
+
+char *passzero(char pass[PASS_MAX + 2]);
+
+
+#endif  // include guard
diff --git a/lib/pass/readpass.c b/lib/pass/readpass.c
@@ -0,0 +1,45 @@
+// SPDX-FileCopyrightText: 2022-2025, Alejandro Colomar <[email protected]>
+// SPDX-License-Identifier: BSD-3-Clause
+
+
+#include <config.h>
+
+#include "pass/readpass.h"
+
+#include <errno.h>
+#include <readpassphrase.h>
+#include <stddef.h>
+#include <string.h>
+
+#include "pass/limits.h"
+#include "string/memset/memzero.h"
+
+
+// readpassphrase(3), but detect truncation, and memzero() on error.
+char *
+readpass(char pass[restrict PASS_MAX + 2], const char *restrict prompt, int flags)
+{
+	size_t  len;
+
+	/*
+	 * Since we want to support passwords upto PASS_MAX, we need
+	 * PASS_MAX bytes for the password itself, and one more byte for
+	 * the terminating '\0'.  We also want to detect truncation, and
+	 * readpassphrase(3) doesn't detect it, so we need some trick.
+	 * Let's add one more byte, and if the password uses it, it
+	 * means the introduced password was longer than PASS_MAX.
+	 */
+	if (readpassphrase(prompt, pass, PASS_MAX + 2, flags) == NULL)
+		goto fail;
+
+	len = strlen(pass);
+	if (len == PASS_MAX + 1) {
+		errno = ENOBUFS;
+		goto fail;
+	}
+
+	return pass;
+fail:
+	memzero(pass, PASS_MAX + 2);
+	return NULL;
+}